APT35, also known as Charming Kitten, and Phosphorus, is an Iranian state-sponsored cyber-espionage adversary that has been active since at least 2014.
APT35,也被称为迷人的小猫和磷,是伊朗国家资助的网络间谍对手,至少自2014年以来一直活跃。
Known for conducting long-term, resource-intensive operations to collect strategic intelligence, APT35’s motivations are believed to be closely tied to advancing Iran’s strategic interests and gathering intelligence on geopolitical rivals. The group has been linked to numerous cyber-espionage campaigns targeting intellectual property theft, government network compromises, and conducting reconnaissance for potential future attacks.
APT35以进行长期资源密集型行动以收集战略情报而闻名,据信其动机与推进伊朗的战略利益和收集地缘政治对手的情报密切相关。该组织与许多针对知识产权盗窃、政府网络入侵以及对未来潜在攻击进行侦察的网络间谍活动有关。
The adversary’s primary focus relies on government entities, academic institutions, and private organizations, with a particular emphasis on those based in the United States and the Middle East. Their targets included North American, Western European, and Middle Eastern military, diplomatic, and government personnel, as well as organizations within the media, energy, defense industrial base, engineering, business services, and telecommunications sectors.
对手的主要关注点依赖于政府实体、学术机构和私人组织,特别强调那些位于美国和中东的组织。他们的目标包括北美、西欧和中东的军事、外交和政府人员,以及媒体、能源、国防工业基地、工程、商业服务和电信部门的组织。
While spearphishing remains one of the most common methods of access for this adversary, APT35 has expanded its tactics to include using compromised accounts with harvested credentials, strategic web compromises, and password spray attacks against externally facing web applications.
虽然鱼叉式网络钓鱼仍然是该对手最常见的访问方法之一,但 APT35 已将其策略扩展到包括使用具有收集凭据的受感染帐户、战略性 Web 入侵和针对面向外部的 Web 应用程序的密码喷射攻击。
AttackIQ has released a new attack graph that aims to emulate activities observed by the politically and military-motivated state-sponsored Iranian-based adversary APT35, who are known to target multiple industries primarily in Europe, the Middle East, and North America.
AttackIQ发布了一个新的攻击图,旨在模拟出于政治和军事动机的国家支持的伊朗对手APT35观察到的活动,众所周知,APT35主要针对欧洲,中东和北美的多个行业。
Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
针对这些行为验证安全计划性能对于降低风险至关重要。通过在 AttackIQ 安全优化平台中使用这个新的攻击图,安全团队将能够:
- Evaluate the performance of security controls against a highly sophisticated, long-standing adversary.
评估针对高度复杂的长期对手的安全控制性能。 - Assess your security posture with respect to the Tactics, Techniques, and Procedures (TTPs) that APT35 has successfully employed.
根据APT35成功采用的策略,技术和程序(TTP)评估您的安全状况。 - Continuously validate detection and prevention channels against a highly sophisticated and espionage-motivated threat.
持续验证检测和预防渠道,以抵御高度复杂和出于间谍动机的威胁。
APT35 – 2021-12 – Microsoft Exchange ProxyShell Exploitation Ends in Reconnaissance Campaign
APT35 – 2021-12 – Microsoft 交易所代理壳牌漏洞利用以侦察活动结束
(Click for Larger)In December 2021, researchers observed APT35 successfully exploiting Microsoft Exchange ProxyShell vulnerabilities in order to gain initial access and execute code by deploying multiple web shells. During this activity, APT35 was observed exploiting 3 different vulnerabilities, namely CVE-2021-34473, CVE-2023-34523, and CVE-2021-31207.
2021 年 12 月,研究人员观察到 APT35 成功利用Microsoft Exchange ProxyShell 漏洞,以便通过部署多个 Web shell 来获得初始访问权限并执行代码。在此活动中,观察到 APT35 利用了 3 个不同的漏洞,即 CVE-2021-34473、CVE-2023-34523 和 CVE-2021-31207。
This activity, which occurred in two bursts within a 3-day time frame, began with the deployment of malicious web shells and the disabling of security services. Subsequently, the adversary established two methods of persistence, one being through scheduled tasks, and the second through the creation of local accounts, which were added to the “Remote Desktop Users” and “Local Administrators Users” groups.
此活动在 3 天内分两次突发发生,始于部署恶意 Web shell 和禁用安全服务。随后,攻击者建立了两种持久性方法,一种是通过计划任务,另一种是通过创建本地帐户,这些帐户被添加到“远程桌面用户”和“本地管理员用户”组中。
Once alternate ways for re-entry to the targeted host were established, the adversary used Windows native programs such as net and ipconfig to enumerate information pertaining to the environment. Then, it disabled Local Security Authority (LSA) protection, enabled WDigest authentication for access to plain text credentials later, dumped the Local Security Authority Subsystem Service (LSASS) process memory, and downloaded the results via the web shell.
一旦建立了重新进入目标主机的替代方法,攻击者就会使用 Windows 本机程序(如 net 和 ipconfig)来枚举与环境有关的信息。然后,它禁用了本地安全机构 (LSA) 保护,启用 WDigest 身份验证以便稍后访问纯文本凭据,转储本地安全机构子系统服务 (LSASS) 进程内存,并通过 Web shell 下载结果。
(Click for Larger)This attack graph begins immediately after the successful deployment of the web shell used by APT35 for command execution. At this stage, the adversary downloads and executes two files. The first, wininet.xml, is used to create a scheduled task, which is used to ensure the persistence of the second file, wininet.bat, a batch file used to iterate through the execution of an additional file used later in the infection chain.
此攻击图在成功部署 APT35 用于命令执行的 Web 外壳后立即开始。在此阶段,攻击者下载并执行两个文件。第一个 wininet.xml 用于创建计划任务,用于确保第二个文件 wininet.bat 的持久性,wininet 是一个批处理文件,用于循环执行感染链中稍后使用的其他文件。
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious content.
入口工具传输 (T1105):此方案下载到内存并在两个单独的方案中保存到磁盘,以测试网络和终结点控制及其阻止传递已知恶意内容的能力。
(Click for Larger)This stage of the attack begins with obtaining persistence by creating a scheduled task. Subsequently, APT35 will seek to modify Windows Defender preferences in order to disable its analysis and detection capabilities.
攻击的此阶段从通过创建计划任务来获取持久性开始。随后,APT35将寻求修改Windows Defender首选项,以禁用其分析和检测功能。
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.
计划任务/作业:计划任务 (T1053.005):此方案使用该 schtasks 实用程序创建新的计划任务。
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses PowerShell to set the DisableBehaviorMonitoring and SevereThreatDefaultAction registry keys that will disable Microsoft Defender, as well as use the Add-MpPreference cmdlet to add the C:\Windows path to the exclusion list in Microsoft Defender.
损害防御:禁用或修改工具 (T1562.001):此方案使用 PowerShell 设置 DisableBehaviorMonitoring SevereThreatDefaultAction 将禁用 Microsoft Defender 的注册表项,并使用 Add-MpPreference cmdlet 将 C:\Windows 路径添加到 Microsoft Defender 中的排除列表。
Modify Registry (T1112): This scenario modifies three registry values to disable Windows Defender from automatically acting against malicious files by modifying the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender registry key.
修改注册表 (T1112):此方案修改三个注册表值,以禁用 Windows Defender 通过修改 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender 注册表项自动对恶意文件执行操作。
(Click for Larger)At this stage, APT35 deploys dllhost.exe, a binary written in Golang used to discover information about the system domain through Windows Management Instrumentation (WMI). Next, the adversary deploys user.exe, a tool used to modify the DefaultAccount user, which is later added to the “Administrators” and “Remote Desktop Users” groups in order to establish a second persistence mechanism on the compromised system.
在此阶段,APT35 部署 dllhost.exe,这是一个用 Golang 编写的二进制文件,用于通过 Windows Management Instrumentation (WMI) 发现有关系统域的信息。接下来,攻击者部署 user.exe,这是一种用于修改 DefaultAccount 用户的工具,稍后会将其添加到“管理员”和“远程桌面用户”组中,以便在受感染的系统上建立第二个持久性机制。
System Information Discovery (T1082): This scenario uses a Windows Management Instrumentation Command (WMIC) to collect the domain name of the target system by executing wmic computersystem get domain.
系统信息发现 (T1082):此方案使用 Windows Management Instrumentation 命令 (WMIC) 通过执行 wmic computersystem get domain 来收集目标系统的域名。
Account Manipulation (T1098): The actors create and enable an account to enable persistence. This scenario adds the local DefaultAccount account to the Administrators and Remote Desktop Users group.
帐户操作 (T1098):参与者创建并启用帐户以启用持久性。此方案将本地 DefaultAccount 帐户添加到 和 Administrators Remote Desktop Users 组。
(Click for Larger)The next stage of the attack is focused on the discovery of the local environment with the adversary seeking to collect relevant system information. During this stage, the adversary obtains information such as hostname, network configuration, system owner and users, account discovery, and domain controller.
攻击的下一阶段侧重于发现本地环境,攻击者试图收集相关的系统信息。在此阶段,攻击者获取主机名、网络配置、系统所有者和用户、帐户发现和域控制器等信息。
System Information Discovery (T1082): The native hostname command is used to get the infected host’s computer name from the compromised system.
系统信息发现 (T1082):本机 hostname 命令用于从受感染的系统中获取受感染主机的计算机名称。
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, net use and netstat.
系统网络配置发现 (T1016):使用标准 Windows 实用程序(如 ipconfig 、 arp 、 route net use 和 netstat )收集资产的网络配置。
System Owner/User Discovery (T1033): This scenario executes the native query user and whoami commands to receive details of the running user account.
系统所有者/用户发现 (T1033):此方案执行本机 query user 和 whoami 命令以接收正在运行的用户帐户的详细信息。
Account Discovery: Local Account (T1087.001): The native net user command is executed to get a list of local accounts.
帐户发现:本地帐户 (T1087.001):执行本机 net user 命令以获取本地帐户的列表。
Command and Scripting Interpreter: PowerShell (T1059.001): This scenario executes the PowerShell cmdlet Get-WMIObject Win32_NTDomain to retrieve Domain Controller information.
命令和脚本解释器:PowerShell (T1059.001):此方案执行 PowerShell cmdlet Get-WMIObject Win32_NTDomain 以检索域控制器信息。
(Click for Larger)In the last stage of the attack, APT35 will seek to modify the Windows Firewall in order to allow remote RDP traffic. Next, it will disable Local Security Authority (LSA) protection and enable WDigest authentication, which enforces the storage of credentials in plaintext on future logins. Finally, APT35 will attempt to dump the Local Security Authority Subsystem Service (LSASS) process, which will then be exfiltrated via HTTP POST requests.
在攻击的最后阶段,APT35将寻求修改Windows防火墙以允许远程RDP流量。接下来,它将禁用本地安全机构 (LSA) 保护并启用 WDigest 身份验证,这将在将来登录时强制以纯文本形式存储凭据。最后,APT35 将尝试转储本地安全机构子系统服务 (LSASS) 进程,然后通过 HTTP POST 请求泄露该进程。
Impair Defenses: Disable or Modify System Firewall (T1562.004): Remote Desktop may not be enabled by default through the local system firewall. The threat actors can create new firewall rules to open up ports for local and remote access using the netsh advfirewall utility. This scenario opens local port 3389 for inbound access.
损害防御:禁用或修改系统防火墙 (T1562.004):默认情况下,可能无法通过本地系统防火墙启用远程桌面。威胁参与者可以创建新的防火墙规则,以使用该 netsh advfirewall 实用程序打开用于本地和远程访问的端口。此方案打开用于入站访问的本地端口 3389 。
Impair Defenses: (T1562): This set of scenarios disable the Local Security Authority (LSA) Protection and enable WDigest authentication, by modifying the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RunAsPPL and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential registry keys.
损害防御:(T1562):这组方案通过修改 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RunAsPPL 和 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential 注册表项来禁用本地安全机构 (LSA) 保护并启用 WDigest 身份验证。
OS Credential Dumping: LSASS Memory (T1003.001): Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk. This process contains a variety of credential materials and can passed to additional dumping tools to extract credentials.
操作系统凭据转储:LSASS 内存 (T1003.001):使用 with comsvcs.dll 调用 rundll32.exe 将 LSASS 进程内存转储到磁盘的 MiniDump 导出。此过程包含各种凭据材料,可以传递给其他转储工具以提取凭据。
Exfiltration Over C2 Channel (T1041): Files are sent to an AttackIQ controlled server using HTTP POST requests.
通过 C2 通道 (T1041) 泄露:使用请求将 HTTP POST 文件发送到 AttackIQ 控制的服务器。
Detection and Mitigation Opportunities
检测和缓解机会
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
由于威胁参与者使用了如此多的不同技术,因此很难知道在预防和检测评估中优先考虑哪种技术。AttackIQ 建议首先关注在我们的方案中模拟的以下技术,然后再转到其余技术。
1. OS Credential Dumping: LSASS Memory (001)
1. 操作系统凭据转储:LSASS 内存 ( 001)
APT35, as well as other adversaries, may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process, or from the Security Account Manager (SAM) database.
APT35 以及其他攻击者可能会尝试从本地安全机构子系统服务 (LSASS) 进程或安全帐户管理器 (SAM) 数据库中提取用户和凭据信息。
1a. Detection 1一.检波
Search for executions of procdump that attempt to access the LSASS process.
搜索尝试访问 LSASS 进程的 procdump 的执行。
Process Name == (procdump)Command Line CONTAINS (‘lsass’)
Search for executions of reg.exe attempting to save the SAM registry hive.
搜索 reg 的执行.exe尝试保存 SAM 注册表配置单元。
Process Name == (reg.exe)Command Line CONTAINS (‘reg save hklm\sam C:\WINDOWS\TEMP\sam’)
1b. Mitigation 1b. 缓解
MITRE ATT&CK recommends the following mitigation recommendations:
MITRE ATT&CK建议以下缓解建议:
- M1028 – Operating System Configuration
M1028 – 操作系统配置 - M1027 – Password Policies
M1027 – 密码策略 - M1026 – Privileged Account Management
M1026 – 特权帐户管理 - M1017 – User Training
M1017 – 用户培训 - M1040 – Behavior Prevention on Endpoint
M1040 – 终端上的行为预防 - M1043 – Credential Access Protection
M1043 – 凭据访问保护 - M1025 – Privileged Process Integrity
M1025 – 特权过程完整性
2. Exfiltration Over C2 Channel (T1041)
2. C2通道渗漏(T1041)
This attack results in the immediate exfiltration of sensitive data from the infected host. IDS/IPS and DLP solutions are well suited for detecting and preventing sensitive files from being sent to a suspicious external host.
此攻击会导致敏感数据立即从受感染的主机中泄露。IDS/IPS 和 DLP 解决方案非常适合检测和防止敏感文件发送到可疑的外部主机。
2a. Detection 2一.检波
The data is being exfiltrated without any throttling or additional encoding or encryption from the backdoor. All data is being sent via HTTP POSTs in plain text and therefore should be easier to detect using Data Loss Prevention controls.
数据正在外泄,没有任何限制或从后门进行额外的编码或加密。所有数据都通过 HTTP POST 以纯文本形式发送,因此应该更容易使用数据丢失防护控件进行检测。
Additionally, since these requests are not throttled, network traffic can be monitored for anomalous traffic flow patterns that can identify single systems, typically client assets that are sending out significant amounts of data.
此外,由于这些请求不受限制,因此可以监视网络流量的异常流量模式,这些模式可以识别单个系统,通常是发送大量数据的客户端资产。
2b. Mitigation 2b.缓解
MITRE ATT&CK has the following mitigation recommendations:
MITRE ATT&CK有以下缓解建议:
Wrap-up 总结
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against a highly prolific and sophisticated adversary. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
总之,此攻击图将评估安全和事件响应流程,并支持改善针对高产和复杂对手的安全控制状况。借助持续测试和使用这些攻击图生成的数据,您可以让团队专注于实现关键安全成果,调整安全控制措施,并努力提高针对已知危险威胁的总体安全计划有效性。
