
US Federal Agencies Targeted by Kittens
An APT group called Nemesis Kitten, which has ties to Iran, reportedly directed its attack towards an unidentified U.S. federal agency, with some suspicions suggesting the targeted entity was the U.S. Merit Systems Protection Board. The group infiltrated the agency's network and loaded cryptocurrency-mining software onto it.
Indicators of Compromise
Domains (2191)
Hashes (3296)
IPv4 (434)
CVEs (26)
Emails (37)
APT Groups
CHRYSENE
Iran, Islamic Republic of
DEV-0270
Iran, Islamic Republic of
Notes
<div>Charming Kitten, also known as APT35, is a cyberwarfare group believed to be sponsored by the Iranian government. The group has been active since at least 2011 and has been involved in various cyberattacks on companies and government agencies around the world. One area where Charming Kitten has been particularly active is in targeting US federal agencies, which has led to concerns about the group's capabilities and intentions.</div>
<div>Over the years, Charming Kitten has been linked to several cyberattacks on US federal agencies. For example, in 2017, the group was accused of being behind a massive cyberattack on the US Office of Personnel Management (OPM), which resulted in the theft of sensitive information about millions of government employees. The attack was believed to be one of the largest and most damaging cyberattacks in US history, and it led to concerns about the ability of foreign governments to launch sophisticated cyberattacks against US agencies.</div>
<div>More recently, Charming Kitten has been linked to a series of cyberattacks on US federal agencies in 2020. These attacks, which were believed to be part of an effort to interfere with the US presidential election, targeted several high-profile government agencies, including the US Department of Homeland Security (DHS), the US Department of State, and the US Treasury Department.</div>
<div>According to cybersecurity experts, the attacks were carried out using spear-phishing techniques, which involved sending emails that appeared to be from legitimate sources but were designed to trick recipients into providing login credentials or other sensitive information. Once the attackers had gained access to the targeted systems, they were able to steal data and carry out other malicious activities.</div>
<div>The attacks on US federal agencies have raised concerns about the ability of Charming Kitten to carry out sophisticated cyberattacks against US government agencies. The group is believed to have sophisticated capabilities, including the ability to conduct extensive reconnaissance on its targets, create convincing fake personas and social media profiles, and develop custom malware designed to evade detection by traditional security measures.</div>
<div>US federal agencies have responded to the threat posed by Charming Kitten by implementing a range of security measures designed to detect and mitigate cyberattacks. These measures include implementing multi-factor authentication, improving network segmentation and monitoring, and increasing staff training and awareness about the risks of spear-phishing attacks.</div>
Mitigation
<div><b>Mitigations</b></div>
<div>CISA and FBI recommend implementing the mitigations below and in Table 1 to improve your organization's cybersecurity posture on the basis of threat actor behaviors.</div>
<div><b>Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.</b></div>
<div><ul>
<li>If updates or workarounds were not promptly applied following VMware's release of updates for Log4Shell in December 2021, treat those VMware Horizon systems as compromised. Follow the proactive incident response procedures outlined above prior to applying updates. If no compromise is detected, apply these updates as soon as possible.
<ul>
<li>See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.</li>
<li>Note: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.</li>
<li>If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.</li>
<li>Prior to implementing any temporary solution, ensure appropriate backups have been completed.</li>
<li>Verify successful implementation of mitigations by executing the vendor-supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details.</li>
</ul></li>
</ul></div>
<div><ul>
<li><b>Keep all software up to date</b> and prioritize patching known exploited vulnerabilities (KEVs).</li>
<li><b>Minimize the internet-facing attack surface</b> by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services that are not essential to business operations. Where possible, implement regularly updated web application firewalls (WAFs) in front of public-facing services. WAFs can protect against web-based exploitation using signatures and heuristics that are likely to block or alert on malicious traffic.</li>
<li><b>Use best practices for identity and access management (IAM)</b> by implementing phishing-resistant multifactor authentication (MFA), enforcing use of strong passwords, regularly auditing administrator accounts and permissions, and limiting user access through the principle of least privilege. Disable inactive accounts uniformly across the AD, MFA systems, etc.
<ul>
<li>If using Windows 10 version 1607 or Windows Server 2016 or later, monitor or disable the Windows DefaultAccount, also known as the Default System Managed Account (DSMA).</li>
</ul></li>
<li><b>Audit domain controllers to log</b> successful Kerberos Ticket Granting Service (TGS) requests and ensure the events are monitored for anomalous activity.</li>
<li>Secure accounts.
<ul>
<li>Enforce the principle of least privilege. Administrator accounts should have the minimum permissions necessary to complete their tasks.</li>
<li>Ensure there are unique and distinct administrative accounts for each set of administrative tasks.</li>
<li>Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).</li>
</ul></li>
<li><b>Create a deny list of known compromised credentials</b> and prevent users from using known-compromised passwords.</li>
<li><b>Secure credentials by restricting where accounts and credentials can be used</b> and by using local device credential protection features.
<ul>
<li>Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.</li>
<li>Ensure storage of clear-text passwords in LSASS memory is disabled. Note: For Windows 8, this is enabled by default. For more information see Microsoft Security Advisory: Update to Improve Credentials Protection and Management.</li>
<li>Consider disabling or limiting NTLM and WDigest authentication.</li>
<li>Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012 R2, enable Protected Process Light for Local Security Authority (LSA).</li>
<li>Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as "Kerberoasting" takes advantage of Kerberos' TGS and can be used to obtain hashed credentials that threat actors attempt to crack.</li>
</ul></li>
</ul></div>
<div><b>VALIDATE SECURITY CONTROLS</b></div>
<div>In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</div>
<div>To get started:</div>
<div><ol>
<li>Select an ATT&CK technique described in this advisory (see Table 1).</li>
<li>Align your security technologies against the technique.</li>
<li>Test your technologies against the technique.</li>
<li>Analyze your detection and prevention technologies' performance.</li>
<li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
<li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
</ol></div>
<div>CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</div>
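As an added example (not code from the advisory or from the page), the "audit domain controllers to log successful Kerberos TGS requests" and "Kerberoasting" bullets above can be turned into a simple detection over Windows Security event 4769 records: one account requesting RC4-encrypted (TicketEncryptionType 0x17) service tickets for many distinct SPNs within a few minutes is the classic Kerberoasting pattern. The record layout, window and threshold are assumptions, and the sample records are constructed.

```python
# Added example: flag possible Kerberoasting in Windows Security event 4769
# (Kerberos service ticket requested) records. Heuristic: an account that
# requests RC4 (0x17) tickets for many distinct SPNs inside a short window.
# Legacy services may still legitimately use RC4, so tune the threshold and
# treat hits as leads for investigation, not as proof of compromise.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (assumed export layout):
# (timestamp, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
SAMPLE_4769 = [
    ("2022-09-14T09:00:01", "jsmith",      "MSSQLSvc/db01", "0x12", "10.0.0.5"),
    ("2022-09-14T09:00:05", "jsmith",      "HTTP/intranet", "0x12", "10.0.0.5"),
    ("2022-09-14T11:30:00", "svc_backup",  "cifs/fs01",     "0x12", "10.0.0.8"),
    ("2022-09-14T11:30:01", "svc_backup",  "cifs/fs02",     "0x12", "10.0.0.8"),
    ("2022-09-14T12:01:00", "contractor1", "MSSQLSvc/db01", "0x17", "10.0.0.99"),
    ("2022-09-14T12:01:01", "contractor1", "MSSQLSvc/db02", "0x17", "10.0.0.99"),
    ("2022-09-14T12:01:02", "contractor1", "HTTP/intranet", "0x17", "10.0.0.99"),
    ("2022-09-14T12:01:03", "contractor1", "http/reports",  "0x17", "10.0.0.99"),
    ("2022-09-14T12:01:04", "contractor1", "ldap/dc01",     "0x17", "10.0.0.99"),
]

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES tickets are 0x11/0x12

def find_kerberoast_candidates(records, window=timedelta(minutes=5), threshold=4):
    """Return {account: set_of_spns} for accounts that requested RC4 service
    tickets for at least `threshold` distinct SPNs inside any `window`."""
    by_account = defaultdict(list)
    for ts, account, spn, etype, _ip in records:
        if etype.lower() == RC4_HMAC:
            by_account[account].append((datetime.fromisoformat(ts), spn.lower()))
    hits = {}
    for account, events in by_account.items():
        events.sort()                     # sliding window over time-ordered events
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            spns = {spn for _, spn in events[start:end + 1]}
            if len(spns) >= threshold:
                hits[account] = spns      # keep the widest qualifying SPN set
    return hits

if __name__ == "__main__":
    for account, spns in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 SPNs {sorted(spns)}")
```

On a real domain controller the same fields come from the Security log (event 4769) or a SIEM export; the low-volume AES requesters in the sample are ignored by design.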