On November 17, 2021, The US Cybersecurity & Infrastructure Security Agency (CISA) pushed an Alert entitled “Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities” which you need to pay attention to if you use Microsoft Exchange or Fortinet appliances. It highlights one Microsoft Exchange CVE (Common Vulnerability & Exposure), three Fortinet CVEs and a list of malicious and legitimate tools associated with this activity.
Threat Intelligence Update from McAfee Enterprise
A few hours later our Advanced Threat Research (ATR) team published a new campaign in MVISION Insights under the name “Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities”. Immediately after, MVISION Insights started to provide near real-time statistics on the prevalence of the tools associated to this threat campaign by country and by sector.
Figure 1. MVISION Insights Global prevalence statistics for this campaign on Nov 19, 2021
In this blog I want to show you how you can operationalize the data linked to this alert in MVISION Insights together with your investigation and protection capabilities to better protect your organization against this threat.
Tracking New Campaigns and Threat Profiles, Including This Alert
MVISION Insights combines Campaigns and Threat Profiles in the same list, and you can change the order from “Last Detected” to “Last Added” as shown below.
Figure 2. List of MVISION Insights campaigns last added, with a selection of this campaign
On the left of figure 2, a color code shows you the severity assigned by the McAfee ATR team (Medium for this campaign), in the middle you can see whether we have seen detections of the analysed IOCs in your country or in your sector
If you are a McAfee Endpoint Security or IPS customer, on the right of figure 2 you can see whether you have had any detection of these IOCs by your McAfee Endpoint Security or IPS, or whether Endpoint Security has found exposed devices, or devices with insufficient Endpoint Security protection
As shown in figure 2, you can also click the campaign’s preview to read a short description, and the labels given by MVISION Insights:
In this case, you can see that CISA suspects this campaign to be associated with an APT threat group. It includes Ransomware behaviors. The labels also highlight the use of hacking tools and vulnerabilities which you can then view in the Campaign details. Last September we hosted a webinar focused on threat intelligence and protection against hacking tools.
The campaign description highlights the usual use of “devices encrypted with the Microsoft Windows BitLocker encryption feature”.
The campaign’s details also provide links to other sources, such as the CISA alert in this case.
Figure 3. Original CISA Alert used for this campaign
Evaluating the Risk and Whether you Could be Exposed
Once you have identified campaigns which could potentially hit you, you can evaluate your risk and whether you could be exposed because you could have:
- Vulnerabilities listed
In figure 4, you can see that in this campaign there is 1 CVE for Microsoft Exchange, and 3 CVEs for Fortinet FortiOS
- Exposed devices
In figure 2, there are none
- Insufficient Endpoint Security protection
In Figure 2, there are none
- Vulnerabilities listed
Figure 4. List of Common Vulnerabilities and Exposures (CVEs) in this campaign’s details
If you are a McAfee Enterprise customer, the MVISION Insights Endpoint Security Posture checks whether you have enabled the necessary Endpoint Security features to have the best level of protection across your estate.
In the example below:
- 3 Endpoint Security devices have an insufficient AMcore content to detect all campaigns
- The warning sign shows that some devices have been excluded from this assessment by the MVISION Insights administrator
- 1 Endpoint Security device is missing Real Protect Client and Cloud
- 1 Endpoint Security device is missing Adaptive Threat Protection (ATP)
- 1 Endpoint Security device has an unresolved detection for a Medium Severity Campaign
As seen previously, this lab environment has sufficient protection to detect the “Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities” campaign IOCs. However, to have full Endpoint protection, GTI, On-Access scan, Exploit Prevention, Real Protect and ATP must be enabled.
Figure 5. McAfee Endpoint Security Detection across all MVISION Insights campaigns
Hunting for Detections and IOCs in Your Environment
If you are a McAfee Endpoint Security or IPS customer, the detections related to the campaign’s IOCs are automatically mapped by MVISION Insights as shown in Figure 6.
Figure 6: McAfee Endpoint Security Detection across all MVISION Insights campaigns
You can also use your Endpoint Detection and Response (EDR) or SIEM solution to search for the presence of IOCs. As you can see below in Figure 7, we have categorized the IOCs, and in this instance:
- 4 File Hashes have been analyzed by our Threat Research experts and 3 File Hashes have NOT been fully analyzed at this time
- 2 File Hashes are dual use, and therefore are non-Deterministic
- 5 File Hashes are partially unique (2 Malicious and 2 Probable Malicious)
If you are an MVISION EDR customer, you can automatically search for the presence of these IOCs across your estate from MVISION insights
Otherwise, you can export the IOCs and hunt them in your EDR, and SIEM, to examine the evidence of a potential compromise and escalate the case to a level2 or level3 analyst to run a full investigation.
Additionally, you can also use the MVISION APIs with a third-party Threat Intelligence Platform such as ThreatQ, ThreatConnect or MISP to orchestrate this threat hunting capability.
Figure 7: MVISION Insights IOCs for this campaign
You can also leverage the new Campaign Connections feature (Figure 8) to check whether these IOCs are also listed in other campaigns or threat profiles. Campaign collection uses graphs to connect all the MVISION campaigns, and threat profile data such as:
- MITRE techniques
- MITRE and McAfee Tools
- Threat actors and groups
- Prevalent countries and sectors
Figure 8: MVISION Insights Campaign connection using the IOCs of this campaign
Hunting TTPs in Your Environment
Beyond the IOCs, your Threat Analysts can also leverage the MITRE Techniques and Tools related to this campaign and documented in MVISION Insights.
Figure 9: MITRE Techniques and Tools observed in MVISION Insights for this campaign
For example, here you could use MVISION EDR to look for the presence of:
- Unusual Scheduled Tasks
- Unusual WinRAR archives
- Unusual local and domain account usage
- Mimikatz behavior
Then you can quarantine suspected devices before running a full remediation. You can also check that your Endpoint Security solution has credential theft protection capabilities such as ENS credential theft protection.
If your organization hosts Microsoft Exchange or Fortinet appliances you will need to apply the recommended patching and upgrade recommendations. If you find indicators of compromise you might want to increase the priority of the tickets, asking the Fortinet and Microsoft Exchange administrators to fix these CVEs due to these suspicious activities.
To better assess your risk and exposure against this campaign you should review your current capabilities to:
- Be informed about the latest relevant CISA alerts and other new campaigns and threat actors
- Hunt the IOCs, Tools and Techniques associated
- Identify Common Vulnerabilities and Exposures
- Review your level of Endpoint Protection against these threats
McAfee Enterprise offers Threat Intelligence, and Security Operations workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats; please reach out if you would like to schedule a workshop with your organization.