The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) today released a joint Cybersecurity Advisory that highlights recent campaigns targeting the Government of Albania in July and September of this year.
Attacks have been attributed to threat actors named "HomeLand Justice" and their modus operandi appears to be disruption (rendering services offline) and destruction (wiping of disk drives and ransomware style encryption). It was observed that the threat actors also maintained persistence for over a year before these attacks were carried out. Other observed attacks were the exfiltration of data such as email, credentials and lateral movement. The attacks have been attributed to the government of Iran.
What are the Technical Details of this Attack?
Per the Joint Advisory, the threat actors used CVE-2019-0604, which is a vulnerability in Microsoft SharePoint (public facing) to obtain initial access. The threat actor used several webshells to establish and maintain persistence. Persistence and lateral movement were then established after compromise for several months before campaign activity began.
Other observations were the usage of Remote Desktop Protocol (RDP), Server Message Block (SMB) and File Transfer Protocol (FTP) to maintain access. Once this was established, the attackers then moved on and compromised the targets Microsoft Exchange servers (further details are unknown) to create a rogue Exchange account to allow for further privilege escalation via the addition of an Organization Management role. Exfiltration and compromise of the Exchange server occurred over 6-8 months where roughly 20GB of data was exfiltrated. The attackers also leveraged VPN access, using compromised accounts, where Advanced port scanner, Mimikatz and LSASS tools were used. To cap off the campaign, the threat actors finally used a file cryptor via the victim's print server via RDP which would then propagate the file cryptor internally. This targeted specific file extensions, and after encryption, leaving a note behind. Furthering damage and adding insult to injury, hours after encryption took place, the threat actor will kick off another final devastating attack. The wiping of targeted disk drives.
Is this Attack Widespread?
No. Attacks are targeted and limited in scope.
Any Suggested Mitigation?
Due to the complexity and sophistication of the attack, FortiGuard Labs recommends that all AV and IPS signatures, (including but not limited to) the update and patching of all known vulnerabilities within an environment are addressed as soon as possible. Also, providing awareness and situational training for personnel to identify potential social engineering attacks via spearphishing, SMShing, and other social engineering attacks that could allow an adversary to establish initial access into a targeted environment is recommended.
What is the Status of Coverage?
For publically available samples, customers running the latest AV definitions are protected by the following signatures: