Security – News ENG

News, alerts and bulletins from Computer Emergency Response Teams, in English

CERT (US-CERT)
  • Microsoft Releases December 2019 Security Updates
    by CISA on 10 December 2019 at 11:29 pm

    Original release date: December 10, 2019

    Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s December 2019 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

  • Google Releases Security Updates for Chrome
    by CISA on 10 December 2019 at 10:22 pm

    Original release date: December 10, 2019

    Google has released security updates for Chrome version 79.0.3945.79 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

  • Apple Releases Multiple Security Updates
    by CISA on 10 December 2019 at 10:05 pm

    Original release date: December 10, 2019 | Last revised: December 11, 2019

    Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:
      • Xcode 11.3
      • watchOS 5.3.4
      • watchOS 6.1.1
      • tvOS 13.3
      • macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra
      • Safari 13.0.4
      • iOS 12.4.4
      • iOS 13.3 and iPadOS 13.3
      • iTunes 12.10.3 for Windows
      • iCloud for Windows 7.16 (includes AAS 8.2)

  • Intel Releases Security Updates
    by CISA on 10 December 2019 at 6:38 pm

    Original release date: December 10, 2019

    Intel has released security updates to address vulnerabilities in multiple products. An authenticated attacker with local access could exploit some of these vulnerabilities to gain escalation of privileges. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates and recommended mitigations:
      • Linux Administrative Tools for Intel Network Adapters Advisory INTEL-SA-00237
      • FPGA SDK for OpenCL Advisory INTEL-SA-00284
      • Processors Voltage Settings Modification Advisory INTEL-SA-00289
      • Control Center-I Advisory INTEL-SA-00299
      • Quartus Prime Pro Edition Advisory INTEL-SA-00311
      • SCS Platform Discovery Utility Advisory INTEL-SA-00312
      • Unexpected Page Fault in Virtualized Environment Advisory INTEL-SA-00317
      • NUC Firmware Advisory INTEL-SA-00323
      • Rapid Storage Technology Advisory INTEL-SA-00324
    For updates addressing low severity vulnerabilities, see the Intel technology blog.

  • Adobe Releases Security Updates
    by CISA on 10 December 2019 at 4:49 pm

    Original release date: December 10, 2019

    Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
      • ColdFusion APSB19-58
      • Brackets APSB19-57
      • Photoshop CC APSB19-56
      • Acrobat and Reader APSB19-55

  • Samba Releases Security Updates
    by CISA on 10 December 2019 at 4:43 pm

    Original release date: December 10, 2019

    The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit one of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcements for CVE-2019-14861 and CVE-2019-14870 and apply the necessary updates and workarounds.

  • VMware Releases Security Updates for ESXi and Horizon DaaS
    by CISA on 6 December 2019 at 3:56 pm

    Original release date: December 6, 2019

    VMware has released security updates to address a vulnerability in ESXi and Horizon DaaS. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2019-0022 and apply the necessary updates and workarounds.

  • ACSC Releases Fundamentals of Cross Domain Solutions
    by CISA on 5 December 2019 at 4:06 pm

    Original release date: December 5, 2019

    The Australian Cyber Security Centre (ACSC) has released a cybersecurity guide outlining the fundamentals of cross domain solution (CDS) technologies. This guidance provides cross domain security principles to enable organizations to share information securely across separated networks. The Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations with information sharing requirements to review ACSC’s Fundamentals of Cross Domain Solutions to learn how to plan, analyze, design, and implement CDS systems.

  • Microsoft Releases Security Advisory for Windows Hello for Business
    by CISA on 5 December 2019 at 4:02 pm

    Original release date: December 5, 2019

    Microsoft has released a Security Advisory to address an issue in Windows Hello for Business (WHfB). An attacker could exploit this issue on devices that were affected by CVE-2017-15361, also known as Return of Coppersmith’s Attack (ROCA), to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Security Advisories ADV190026 and ADV170012 and apply the recommended mitigations.

  • NCSC-NZ Releases Cyber Governance Resource for Leaders
    by CISA on 5 December 2019 at 3:57 pm

    Original release date: December 5, 2019

    The New Zealand National Cyber Security Centre (NCSC-NZ) has released an article on a new cybersecurity governance resource to support public and private sector leaders in making decisions about their cybersecurity resilience and risk. NCSC-NZ developed this governance resource—a series of documents with practical advice and simple steps—following a cybersecurity resilience assessment of New Zealand’s nationally significant organizations. The Cybersecurity and Infrastructure Security Agency (CISA) encourages senior leaders and security practitioners to review NCSC-NZ’s Charting Your Course: Cyber Security Governance and Cyber Security Resilience of New Zealand’s Nationally Significant Organisations 2017-2018 for more information.

  • AA19-339A: Dridex Malware
    by CISA on 5 December 2019 at 2:13 pm

    Original release date: December 5, 2019

    Summary

    This Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) to identify and share information with the financial services sector. Treasury and the Cybersecurity and Infrastructure Security Agency (CISA) are providing this report to inform the sector about the Dridex malware and variants. The report provides an overview of the malware, related activity, and a list of previously unreported indicators of compromise derived from information reported to FinCEN by private sector financial institutions. Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention. Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning.

    For information regarding the malicious cyber actors responsible for the development and distribution of the Dridex malware, see the Treasury press release, Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware, and the FBI press releases, Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat” Malware.

    This Alert does not introduce a new regulatory interpretation, nor impose any new requirements on regulated entities. Except where noted, there is no indication that the actual owner of the email address was involved in the suspicious or malicious activity. If activity related to these indicators of compromise is detected, please notify appropriate law enforcement and the CIG.

    For a downloadable copy of IOCs, see:
      • AA19-339A_WHITE.csv
      • AA19-339A_WHITE.stix

    Technical Details

    The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. According to industry reporting, the original version of Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.

    Dridex-related Phishing Attributes

    Actors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to open attachments. Sender e-mail addresses can simulate individuals (name@domain.com), administrative accounts (admin@domain.com, support@domain.com), or common “do not reply” local parts (noreply@domain.com). Subject and attachment titles can include typical terms such as “invoice”, “order”, “scan”, “receipt”, “debit note”, “itinerary”, and others.

    The e-mail messages vary widely. The e-mail body may contain no text at all, except to include attachments with names that are strings of numbers, apparently relying on the subject line and victim curiosity to coerce the opening of the malicious file. Where there is a message body, the body may specifically state that the contents of the e-mail underwent virus scanning, or simply direct the victim toward the link or attachment. In other cases, the body may include a long, substantive message, providing multiple points of contact and context for the malicious attachment. Attachment and hyperlink names vary from random sets of numbers or imitation automatic filenames from scanners to filenames purporting to reference financial records. Attachments may or may not have direct references using the same file name or strings of numbers in the bodies of the e-mails.

    Example Links and Filenames (Note: link information is representative. Italicized statements are automatically generated by the cloud storage provider. # represents a random number.):
      • Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider)[.]COM/S/(Cloud Account Value)/RECENT%20WIRE%20PAYMENT%######.SCR?(Cloud Provided Sequence)
      • Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider)[.]COM/S/(Cloud Account Value)/AUTOMATEDCLEARINGHOUSE%20PAYMENT####.DOC?(Cloud Provided Sequence)
      • Malicious File: ID201NLD0012192016.DOC

    Attachments or eventual downloads can take a variety of formats. In some instances, malware downloaders are concealed in compressed files using the ZIP or RAR file formats. Occasionally compressed files within compressed files (double zipped) are used. The compressed files can include extensible markup language (.xml), Microsoft Office (.doc, .xls), Visual Basic (.vbs), JavaScript (.jar), or portable document format (.pdf) files. Many of the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the macros reach out to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware. In other cases, macros launch scripts that extract executables embedded in the document as opposed to downloading the payload. By default, software generally prevents execution of macros without user permission. Attached files, particularly .doc and .xls files, contain instructions on how a user should enable content and specifically macros, effectively using social engineering to facilitate the download. Malicious files sometimes even include screenshots of the necessary actions to enable macros.
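    The delivery patterns just described (executables carrying a document extension, double-zipped containers, macro-bearing .doc files, all-digit filenames) and the alert's later mitigation that a scanned attachment must be its "true file type" (extension matching the file header) can be turned into a mail-gateway triage check. The following Python is an added example, not CISA's or Treasury's code; the magic-byte table, the helper names and the sample attachments are constructed assumptions for the demo.

```python
"""Attachment triage for the Dridex delivery patterns in AA19-339A (added example).

Checks extension vs. file header ("true file type"), descends into ZIP
containers (double-zipped payloads), flags script/executable and all-digit
filenames, and detects an OOXML Office document carrying a VBA project.
Assumption: this small magic-byte table is enough for the demo.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (path inside the attachment tree, reason)

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP = b"PK\x03\x04"                         # ZIP, also OOXML and .jar
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".doc": (OLE2, ZIP), ".xls": (OLE2, ZIP),
    ".pdf": (b"%PDF",), ".zip": (ZIP,), ".jar": (ZIP,),
    ".scr": (b"MZ",), ".exe": (b"MZ",),
}
EXECUTABLE = {".vbs", ".js", ".jar", ".scr", ".exe"}  # run code when opened
OFFICE_OOXML = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm"}
NUMERIC_NAME = re.compile(r"^\d+\.[A-Za-z0-9]+$")  # e.g. 20190412.vbs


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> List[Finding]:
    """Return every finding for one attachment, recursing into archives."""
    findings: List[Finding] = []
    ext = _ext(name)
    base = name.rsplit("/", 1)[-1]

    if NUMERIC_NAME.match(base):
        findings.append((name, "filename is only digits"))
    if ext in EXECUTABLE:
        findings.append((name, "script or executable attachment"))
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append((name, "extension does not match file header"))

    if not data.startswith(ZIP):
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((name, "ZIP header but not a readable archive"))
        return findings
    with zf:
        members = zf.namelist()
        # OOXML stores macros in word/vbaProject.bin or xl/vbaProject.bin.
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append((name, "Office document carries a VBA macro project"))
            return findings
        if depth >= max_depth:
            findings.append((name, f"archive nesting deeper than {max_depth}"))
            return findings
        for m in members:
            if m.endswith("/"):
                continue  # directory entry
            child = zf.read(m)
            path = f"{name}/{m}"
            if child.startswith(ZIP) and _ext(m) not in OFFICE_OOXML:
                findings.append((path, f"nested archive (depth {depth + 1})"))
            findings.extend(triage(path, child, depth + 1, max_depth))
    return findings


def _zip_bytes(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def build_samples() -> Dict[str, bytes]:
    """Constructed attachments mirroring the patterns the alert describes."""
    fake_doc = b"MZ" + b"\x00" * 62  # PE executable renamed to .doc
    macro_doc = _zip_bytes({          # OOXML document with a VBA project
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": OLE2 + b"\x00" * 8,
    })
    inner = _zip_bytes({"20190412.vbs": b'WScript.Echo "hi"'})
    outer = _zip_bytes({"invoice.doc": fake_doc, "scan.zip": inner})  # double zipped
    return {"order.zip": outer, "receipt.doc": macro_doc,
            "itinerary.pdf": b"%PDF-1.4\n%%EOF\n"}


if __name__ == "__main__":
    for attachment, blob in build_samples().items():
        for path, reason in triage(attachment, blob) or [(attachment, "clean")]:
            print(f"{path}: {reason}")
```

    Each finding carries the full path inside the container, so a gateway can quarantine the outer message and still log which nested member tripped the rule.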
    Malware Capabilities

    Dridex malware operates from multiple modules that may be downloaded together or following the initial download of a “loader” module. Modules include provisions for capturing screenshots, acting as a virtual machine, or incorporating the victim machine into a botnet. Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges, and modification of firewall rules to facilitate peer-to-peer communication for extraction of data. Recent versions of Dridex exploit vulnerability CVE-2017-0199, which allows remote execution of code. This vulnerability is specific to Microsoft Office and WordPad. Microsoft released a patch in 2017.

    Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deletion of files. The primary threat to financial activity is Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information. Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks in the XML format or in binary format, as seen in newer versions. After stealing the login data, the attackers have the potential to facilitate fraudulent automated clearing house (ACH) and wire transfers, open fraudulent accounts, and potentially adapt victim accounts for other scams involving business e-mail compromise or money mule activity. The Dridex malware has evolved through several versions since its inception, partially to adapt to updated browsers. Although the characteristics described reflect some of the most recent configurations, actors continue to identify and exploit vulnerabilities in widely used software.

    Dridex Malware and Variants

    While Dridex is among the most prevalent sources of infection, previous variants and similar malware continue to represent a threat. Dridex is itself an improved variant of the Cridex and Bugat Trojans that preceded it, and it shares some of their code. Although the previous variants’ theft activities operate in mostly the same way, the P2P communication aspects of Dridex improve its concealment and redundancy.

    Ransomware

    Actors distributing Dridex likely employ ransomware with similar configurations. Code for BitPaymer, also known as Friedex, includes numerous similarities to Dridex, despite its function as ransomware rather than data extraction. The two malware families use the same mechanics for several functions, and the authors compiled the code at nearly the same time. The ransomware distributed through these families has targeted U.S. financial institutions and resulted in data and financial loss. Locky ransomware operates using the same delivery method for the downloader, with similar subject lines and attachments. Attackers also use the same botnets to deliver both Dridex and Locky ransomware, sometimes simultaneously. Variants of Locky include Zepto and Osiris. Locky ransomware and its variants have a wide footprint, with varying impact depending on victim IT policies and practices and network configurations.

    Dridex-related Activity

    Although the highest infection rates took place in late 2015 and early 2016, concurrent with Locky ransomware distribution, Dridex continues to impact numerous countries. The Dridex hackers appear to direct the majority of attacks at English-speaking countries. Cybersecurity industry reporting attributes Dridex, BitPaymer, and Locky campaigns, as well as other massive malware spam (malspam) campaigns, to actors known alternately as Evil Corp or TA505.
    (Note: some cybersecurity industry reporting simply refers to the actors as “Dridex” or the “Dridex hackers.”) Actors distribute the malware via massive spam campaigns, sending up to millions of messages per day, although the volume of messages varies widely.

    Indicators of Compromise

    The following indicators are associated with the activity described in this report: a table of e-mail addresses and IP addresses tied to Dridex activity, provided in full in the downloadable IOC files AA19-339A_WHITE.csv and AA19-339A_WHITE.stix referenced above.

    Mitigations

    Treasury and CISA encourage users and organizations to:
      • Contact law enforcement immediately to report any identified activity related to Dridex malware or its derivatives.
        Please see contact information for FBI and CISA at the end of this report.
      • Incorporate the indicators of compromise identified in this report into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity. Note that the above list is not a comprehensive list of all indicators associated with this activity.
      • Report suspicious activity, highlighting the presence of “Cyber Event Indicators.” Indicators of Compromise, such as suspicious e-mail addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. FinCEN welcomes voluntary SAR filing in circumstances where reporting is not required.

    Recommendations for All Organizations

    The following mitigation recommendations respond directly to Dridex TTPs:
      • Ensure systems are set by default to prevent execution of macros.
      • Inform and educate employees on the appearance of phishing messages, especially those used by the hackers for distribution of malware in the past.
      • Update intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included.
      • Conduct regular backups of data, ensuring backups are protected from potential ransomware attack.
      • Exercise employees’ response to phishing messages and unauthorized intrusion. If there is any doubt about message validity, call and confirm the message with the sender using a number or e-mail address already on file.

    Treasury and CISA remind users and administrators to use the following best practices to strengthen the security posture of their organization’s systems:
      • Maintain up-to-date antivirus signatures and engines.
      • Keep operating system patches up-to-date.
      • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
      • Restrict users’ ability (permissions) to install and run unwanted software applications.
      • Do not add users to the local administrators group unless required.
      • Enforce a strong password policy and require regular password changes.
      • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
      • Enable a personal firewall on workstations, and configure it to deny unsolicited connection requests.
      • Disable unnecessary services on agency workstations and servers.
      • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
      • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
      • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
      • Scan all software downloaded from the Internet before executing.
      • Maintain situational awareness of the latest threats.
      • Implement appropriate access control lists.
      • Exercise cybersecurity procedures and continuity of operations plans to enhance and maintain the ability to respond during and following a cyber incident.

    The National Institute of Standards and Technology (NIST) has published additional information on malware incident prevention and handling in their Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops: https://www.nist.gov/publications/guide-malware-incident-prevention-and-handling-desktops-and-laptops

    Why Best Practices Matter

    The National Security Agency (NSA) recently published its Top Ten Cybersecurity Mitigation Strategies (the current website for the Top 10 mitigation strategies is https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1). Aligned with the NIST Cybersecurity Framework, the Strategies offer a risk-based approach to mitigating exploitation techniques used by Advanced Persistent Threat (APT) actors.
    The Strategies counter a broad range of exploitation techniques used by malicious cyber actors. NSA’s mitigations set priorities for enterprise organizations to minimize mission impact. The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics. Additional strategies and best practices will be required to mitigate the occurrence of new tactics.

      • Update and Upgrade Software Immediately. Apply all available software updates, automate the process to the extent possible, and use an update service provided directly from the vendor. Automation is necessary because threat actors study patches and create exploits, often soon after a patch is released. These “N-day” exploits can be as damaging as a zero-day. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to assure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.
      • Defend Privileges and Accounts. Assign privileges based on risk exposure and as required to maintain operations. Use a Privileged Access Management (PAM) solution to automate credential management and fine-grained access control. Another way to manage privilege is through tiered administrative access in which each higher tier provides additional access, but is limited to fewer personnel. Create procedures to securely reset credentials (e.g., passwords, tokens, tickets). Privileged accounts and services must be controlled because threat actors continue to target administrator credentials to access high-value assets, and to move laterally through the network.
      • Enforce Signed Software Execution Policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity. Application whitelisting should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code.
      • Exercise a System Recovery Plan. Create, review, and exercise a system recovery plan to ensure the restoration of data as part of a comprehensive disaster recovery strategy. The plan must protect critical data, configurations, and logs to ensure continuity of operations due to unexpected events. For additional protection, backups should be encrypted, stored offsite, offline when possible, and support complete recovery and reconstitution of systems and devices. Perform periodic testing and evaluate the backup plan. Update the plan as necessary to accommodate the ever-changing network environment. A recovery plan is a necessary mitigation for natural disasters as well as malicious threats including ransomware.
      • Actively Manage Systems and Configurations. Take inventory of network devices and software. Remove unwanted, unneeded, or unexpected hardware and software from the network. Starting from a known baseline reduces the attack surface and establishes control of the operational environment. Thereafter, actively manage devices, applications, operating systems, and security configurations. Active enterprise management ensures that systems can adapt to dynamic threat environments while scaling and streamlining administrative operations.
      • Continuously Hunt for Network Intrusions. Take proactive steps to detect, contain, and remove any malicious presence within the network. Enterprise organizations should assume that a compromise has taken place and use dedicated teams to continuously seek out, contain, and remove threat actors within the network. Passive detection mechanisms, such as logs, Security Information and Event Management (SIEM) products, Endpoint Detection and Response (EDR) solutions, and other data analytic capabilities are invaluable tools to find malicious or anomalous behaviors. Active pursuits should also include hunt operations and penetration testing using well documented incident response procedures to address any discovered breaches in security. Establishing proactive steps will transition the organization beyond basic detection methods, enabling real-time threat detection and remediation using a continuous monitoring and mitigation strategy.
      • Leverage Modern Hardware Security Features. Use hardware security features like Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), and hardware virtualization. Schedule older devices for a hardware refresh. Modern hardware features increase the integrity of the boot process, provide system attestation, and support features for high-risk application containment. Using a modern operating system on outdated hardware results in a reduced ability to protect the system, critical data, and user credentials from threat actors.
      • Segregate Networks Using Application-Aware Defenses. Segregate critical networks and services. Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection based on known-bad signatures is quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.
      • Integrate Threat Reputation Services. Leverage multi-sourced threat reputation services for files, DNS, URLs, IPs, and email addresses. Reputation services assist in the detection and prevention of malicious events and allow for rapid global responses to threats, a reduction of exposure from known threats, and provide access to a much larger threat analysis and tipping capability than an organization can provide on its own. Emerging threats, whether targeted or global campaigns, occur faster than most organizations can handle, resulting in poor coverage of new threats. Multi-source reputation and information sharing services can provide a more timely and effective security posture against dynamic threat actors.
      • Transition to Multi-Factor Authentication. Prioritize protection for accounts with elevated privileges, remote access, and/or used on high value assets. Physical token-based authentication systems should be used to supplement knowledge-based factors such as passwords and PINs. Organizations should migrate away from single factor authentication, such as password-based systems, which are subject to poor user choices and susceptible to credential theft, forgery, and reuse across multiple systems.

    Contact Information

    Reporting Suspected Malicious Activity

    To report an intrusion and request resources for incident response or technical assistance, contact CISA (CISAservicedesk@hq.dhs.gov or 888-282-0870), FBI through a local field office (https://www.fbi.gov/contact-us/field-offices), or FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).

    Institutions should determine whether filing of a Suspicious Activity Report (“SAR”) is required under Bank Secrecy Act regulations. In instances where filing is not required, institutions may file a SAR voluntarily to aid FinCEN and law enforcement efforts in protecting the financial sector. Financial institutions are encouraged to provide relevant cyber-related information and indicators in their SAR reporting.
    For questions regarding cyber SAR filing, please contact the FinCEN Resource Center (FRC@fincen.gov or 1-800-767-2825).

    Open-Source Reporting On Dridex

    The following represents an alphabetized selection of open-source reporting by U.S. government and industry sources on Dridex malware and its derivatives:
    - “Dridex P2P Malware,” US-CERT Alert (TA15-286A), https://www.us-cert.gov/ncas/alerts/TA15-286A, 13 October 2015.
    - “Dridex Threat Profile,” New Jersey Cybersecurity & Communications Integration Cell, https://www.cyber.nj.gov/threat-profiles/trojan-variants/dridex, accessed 15 April 2019.
    - Alert Logic, “Dridex malware has evolved to Locky Ransomware,” No date, https://www.alertlogic.com/resources/threat-reports/dridex-malware-has-evolved-to-locky-ransomware/, accessed 11 March 2019.
    - Avast Blog, “A closer look at the Locky ransomware,” 10 March 2016, https://blog.avast.com/a-closer-look-at-the-locky-ransomware, accessed 6 February 2019.
    - Brett Stone-Gross, Ph.D., “Dridex (Bugat v5) Botnet Takeover Operation,” Secureworks, 13 October 2015, https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation, accessed 6 February 2019.
    - Brewster, Thomas, “Cops Knock Down Dridex Malware that Earned ‘Evil Corp’ Cybercriminals At Least $50 Million,” Forbes, 13 October 2015, https://www.forbes.com/sites/thomasbrewster/2015/10/13/dridex-botnet-takedown/#2b883f00415b.
    - Chandler, Andy, “FBI announces Dridex gang indictment and praises Fox-IT,” Fox-IT, 13 October 2015, https://www.fox-it.com/en/about-fox-it/corporate/news/fbi-announces-dridex-gang-indictments-praises-fox/, accessed 7 February 2019.
    - DHS CISA, “Alert (TA15-286A), Dridex P2P Malware,” https://www.us-cert.gov/ncas/alerts/TA15-286A, accessed 4 June 2019.
    - Eduard Kovacs, “Dridex still active after takedown attempt,” Security Week, 19 October 2015, https://www.securityweek.com/dridex-still-active-after-takedown-attempt, accessed 11 March 2019.
    - Geoff White, “How the Dridex Gang makes millions from bespoke ransomware,” Forbes, 26 September 2018, https://www.forbes.com/sites/geoffwhite/2018/09/26/how-the-dridex-gang-makes-millions-from-bespoke-ransomware/, accessed 11 March 2019.
    - MS-ISAC, “Cybercrime Technical Desk Reference,” 31 August 2018, https://www.cisecurity.org/wp-content/uploads/2018/09/MS-ISAC-Cyber-Crime-Technical-Desk-Reference.pdf, accessed 6 February 2019.
    - O’Brien, Dick, “Dridex: Tidal waves of spam pushing dangerous financial Trojan,” Symantec, February 2016, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf, accessed 4 February 2019.
    - Poslušný, Michal, “FriedEx: BitPaymer ransomware the work of Dridex authors,” welivesecurity by ESET, 26 January 2018, https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/, accessed 6 February 2019.
    - Proofpoint, “Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day,” https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day, accessed 5 February 2019.
    - Proofpoint, “High-Volume Dridex Banking Trojan Campaigns Return,” https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return, accessed 1 February 2019.
    - Proofpoint, “Threat Actor Profile: TA505, From Dridex to GlobeImposter,” https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter, accessed 6 February 2019.
    - Roland Dela Paz and Ran Mosessco, “New year, new look – Dridex via compromised FTP,” ForcePoint, 18 January 2018, https://blogs.forcepoint.com/blog/security-labs/new-year-new-look-dridex-compromised-ftp, accessed 4 February 2019.
    - Sanghavi, Mithun, “DRIDEX and how to overcome it,” Symantec Official Blog, 30 March 2015, https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it, accessed 4 February 2019.
    - Security Intelligence Blog, “URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader,” Trend Micro, 18 December 2018, https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/, accessed 6 February 2019.
    - Talos Group, “Threat Spotlight: Spam Served With a Side of Dridex,” Cisco Blogs, 6 April 2015, https://blogs.cisco.com/security/talos/spam-dridex, accessed 4 February 2019.

    Revisions
    December 5, 2019: Initial version
    December 5, 2019: Added links to Treasury and FBI press releases

    This product is provided subject to this Notification and this Privacy & Use policy.

  • AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2
    by CISA on 17 October 2019 at 4:36 pm

    Original release date: October 17, 2019 | Last revised: October 18, 2019

    Summary

    Note: This alert does not apply to federally certified voting systems running Windows 7. Microsoft will continue to provide free security updates to those systems through the 2020 election. See Microsoft’s article, Extending free Windows 7 security updates to voting systems, for more information.

    On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems.[1] After this date, these products will no longer receive free technical support, or software and security updates. Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.

    Technical Details

    All software products have a lifecycle. “End of support” refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance.[2] For more information on end of support for Microsoft products, see the Microsoft End of Support FAQ.

    Systems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets.

    Mitigations

    The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to:
    - Upgrade to a newer operating system.
    - Identify affected devices to determine breadth of the problem and assess risk of not upgrading.
    - Establish and execute a plan to systematically migrate to currently supported operating systems or employ a cloud-based service.
    - Contact the operating system vendor to explore opportunities for fee-for-service maintenance, if unable to upgrade.

    References
    [1] Microsoft End of Support FAQ
    [2] Microsoft Windows Lifecycle Fact Sheet
    [3] Microsoft Windows Upgrade and Migration Considerations
    [4] ComputerWorld: Leaving Windows 7? Here are Some non-Windows Options
    [5] CISA Analysis Report AR19-133A: Microsoft Office 365 Security Observations

    Revisions
    October 17, 2019: Initial version
    October 18, 2019: Added note

  • AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability
    by CISA on 17 June 2019 at 1:37 pm

    Original release date: June 17, 2019

    Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions:
    - Windows 2000
    - Windows Vista
    - Windows XP
    - Windows 7
    - Windows Server 2003
    - Windows Server 2003 R2
    - Windows Server 2008
    - Windows Server 2008 R2

    An attacker can exploit this vulnerability to take control of an affected system.

    Technical Details

    BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system. According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled.[1] After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful.

    BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.[2]

    CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.

    Mitigations

    CISA encourages users and administrators to review the Microsoft Security Advisory [3] and the Microsoft Customer Guidance for CVE-2019-0708 [4] and apply the appropriate mitigation measures as soon as possible:
    - Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.

    For OSs that do not have patches or systems that cannot be patched, other mitigation steps can be used to help protect against BlueKeep:
    - Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
    - Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.
    - Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
    - Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.

    References
    [1] Microsoft Security Advisory for CVE-2019-0708
    [2] White House Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea
    [3] Microsoft Security Advisory for CVE-2019-0708
    [4] Microsoft Customer Guidance for CVE-2019-0708

    Revisions
    June 17, 2019: Initial version
    June 17, 2019: Revised technical details section.

  • AA19-122A: New Exploits for Unsecure SAP Systems
    by CISA on 2 May 2019 at 10:54 pm

    Original release date: May 2, 2019 | Last revised: May 3, 2019

    Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components.[1]

    Technical Details

    A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation details the new exploit tools and reports on systems exposed to the internet.

    SAP Gateway ACL

    The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.[2] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.

    SAP Router secinfo

    The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution.

    According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.

    SAP Message Server

    SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. The Message Server ACL must be protected by the customer in all releases.

    Signature

    CISA worked with security researchers from Onapsis Inc.[3] to develop the following Snort signature that can be used to detect the exploits:

        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"10KBLAZE SAP Exploit execute attempt"; flow:established,to_server; content:"|06 cb 03|"; offset:4; depth:3; content:"SAPXPG_START_XPG"; nocase; distance:0; fast_pattern; content:"37D581E3889AF16DA00A000C290099D0001"; nocase; distance:0; content:"extprog"; nocase; distance:0; sid:1; rev:1;)

    Mitigations

    CISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:
    - Ensure a secure configuration of their SAP landscape.
    - Restrict access to SAP Message Server.
    - Review SAP Notes 1408081 and 821875. Restrict authorized hosts via ACL files on Gateways (gw/acl_mode and secinfo) and Message Servers (ms/acl_info).[4], [5]
    - Review SAP Note 1421005. Split MS internal/public: rdisp/msserv=0 rdisp/msserv_internal=39NN.[6]
    - Restrict access to Message Server internal port (tcp/39NN) to clients or the internet.
    - Enable Secure Network Communications (SNC) for clients.
    - Scan for exposed SAP components.
    - Ensure that SAP components are not exposed to the internet.
    - Remove or secure any exposed SAP components.

    References
    [1] Comae Technologies: Operation for Community Development and Empowerment (OPCDE) Cybersecurity Conference Materials
    [2] SAP: Gateway Access Control Lists
    [3] Onapsis Inc. website
    [4] SAP Note 1408081
    [5] SAP Note 821875
    [6] SAP Note 1421005

    Revisions
    May 2, 2019: Initial version
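    A profile-parameter check for the Gateway ACL and Message Server split described in the mitigations above, as an added example (not CISA's, Onapsis's or SAP's code). The two profiles are constructed; only the parameter names the alert itself cites (gw/acl_mode, ms/acl_info, rdisp/msserv, rdisp/msserv_internal) are checked, and release-specific defaults for absent parameters are deliberately not assumed.

```python
"""Check an SAP instance profile against the Gateway and Message Server
hardening points from AA19-122A. Added example, not CISA/SAP/Onapsis code.
Only parameters named in the alert are checked; the default an absent
parameter takes is release-specific and is not assumed, so an absent
parameter is reported as 'not set' rather than as a specific weak value."""

import re
from typing import Dict, List, Tuple

# Constructed profile showing the weak settings the alert describes.
WEAK_PROFILE = """\
# constructed SAP instance profile, not from a real system
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
gw/acl_mode = 0
rdisp/msserv = 3600
"""

# The same profile with the alert's mitigations applied (constructed).
HARDENED_PROFILE = """\
# constructed SAP instance profile, not from a real system
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
gw/acl_mode = 1
ms/acl_info = $(DIR_DATA)/ms_acl_info
rdisp/msserv = 0
rdisp/msserv_internal = 3900
"""

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")

Finding = Tuple[str, str]  # (parameter, explanation)


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; a line starting with '#' is a comment.
    A parameter repeated later in the file overrides the earlier value."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def check_profile(params: Dict[str, str]) -> List[Finding]:
    """Return one finding per mitigation the profile does not satisfy."""
    findings: List[Finding] = []

    # Gateway ACL: gw/acl_mode = 0 is the condition the alert ties to
    # anonymous OS command execution (SAP Notes 1408081 / 821875).
    acl_mode = params.get("gw/acl_mode")
    if acl_mode == "0":
        findings.append(("gw/acl_mode", "set to 0: Gateway ACL disabled"))
    elif acl_mode is None:
        findings.append(("gw/acl_mode", "not set: effective mode is the release default, set it explicitly"))

    # Message Server ACL file (ms/acl_info).
    if "ms/acl_info" not in params:
        findings.append(("ms/acl_info", "not set: Message Server ACL not configured"))

    # Internal/public Message Server split (SAP Note 1421005):
    # rdisp/msserv=0 closes the public port, rdisp/msserv_internal=39NN
    # gives application servers their own port.
    public_port = params.get("rdisp/msserv")
    if public_port is None:
        findings.append(("rdisp/msserv", "not set: public Message Server port not explicitly closed"))
    elif public_port != "0":
        findings.append(("rdisp/msserv", f"set to {public_port}: public Message Server port open"))
    internal_port = params.get("rdisp/msserv_internal")
    if internal_port is None:
        findings.append(("rdisp/msserv_internal", "not set: no separate internal port"))
    elif not re.fullmatch(r"39\d\d", internal_port):
        findings.append(("rdisp/msserv_internal", f"set to {internal_port}: outside the 39NN range the alert names"))
    return findings


def audit(profile_text: str) -> List[Finding]:
    """Parse and check a profile in one step."""
    return check_profile(parse_profile(profile_text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit(text))
```

    The secinfo file itself is a separate artifact and still needs to be reviewed by hand; this check only covers the profile parameters.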

  • AA19-024A: DNS Infrastructure Hijacking Campaign
    by CISA on 24 January 2019 at 8:01 pm

    Original release date: January 24, 2019 | Last revised: February 13, 2019

    Summary

    The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

    See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:
    - IOCs (.csv)
    - IOCs (.stix)

    Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:
    - 107.161.23.204
    - 192.161.187.200
    - 209.141.38.71

    Technical Details

    Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

    The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

    Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

    Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

    Mitigations

    NCCIC recommends the following best practices to help safeguard networks against this threat:
    - Update the passwords for all accounts that can change organizations’ DNS records.
    - Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
    - Audit public DNS records to verify they are resolving to the intended location.
    - Search for encryption certificates related to domains and revoke any fraudulently requested certificates.

    References
    - Cisco Talos blog: DNSpionage Campaign Targets Middle East
    - CERT-OPMD blog: [DNSPIONAGE] – Focus on internal actions
    - FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
    - Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors

    Revisions
    January 24, 2019: Initial version
    February 6, 2019: Updated IOCs, added Crowdstrike blog
    February 13, 2019: Updated IOCs
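    The two audit steps in the mitigations above (compare published A/MX/NS records with the intended ones, then look for certificates covering the domain that the organization never requested), as an added example that is not NCCIC's or CISA's code. All records and certificate entries are constructed: EXPECTED stands in for the organization's own inventory, OBSERVED for a public resolver's answers, and CT_ENTRIES for the result of a Certificate Transparency search; no network lookups are performed.

```python
"""Audit public DNS records and certificate issuances against an
organization's own inventory, the checks AA19-024A's mitigations call for.
Added example, not NCCIC/CISA code. Every record and certificate entry
below is constructed: EXPECTED stands in for the organization's inventory,
OBSERVED for answers from a public resolver, and CT_ENTRIES for results of
a Certificate Transparency search."""

from typing import Dict, List, Sequence, Set, Tuple

Records = Dict[str, Dict[str, Set[str]]]  # domain -> rtype -> rdata set

# Constructed inventory of the records the organization intends to publish.
EXPECTED: Records = {
    "example.test": {
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example.test."},
        "NS": {"ns1.example.test.", "ns2.example.test."},
    }
}

# Constructed resolver answers. A and one NS now point at infrastructure
# the organization does not control; MX differs only cosmetically.
OBSERVED: Records = {
    "example.test": {
        "A": {"198.51.100.77"},
        "MX": {"10 MAIL.example.test"},
        "NS": {"ns1.example.test.", "ns-other.invalid."},
    }
}

# Constructed certificate issuances: (issuer, SANs, not_before).
CT_ENTRIES: Sequence[Tuple[str, Sequence[str], str]] = (
    ("Example Trusted CA", ("example.test", "www.example.test"), "2018-06-01"),
    ("Some Other CA", ("mail.example.test",), "2019-01-10"),
)
APPROVED_ISSUERS = {"Example Trusted CA"}  # CAs the organization actually uses


def normalize(rtype: str, rdata: str) -> str:
    """Canonical form so cosmetic differences do not produce findings:
    names in NS/MX/CNAME data are case-insensitive and may appear with or
    without a trailing dot; addresses are compared as written."""
    rdata = " ".join(rdata.split())
    if rtype in ("NS", "MX", "CNAME"):
        rdata = rdata.lower()
        if not rdata.endswith("."):
            rdata += "."
    return rdata


def diff_records(expected: Records, observed: Records) -> List[Tuple[str, str, str, str]]:
    """Return (domain, rtype, 'unexpected' | 'missing', rdata) for each
    difference between the inventory and what public DNS currently says."""
    findings: List[Tuple[str, str, str, str]] = []
    for domain, by_type in expected.items():
        observed_types = observed.get(domain, {})
        for rtype, want in by_type.items():
            exp = {normalize(rtype, r) for r in want}
            obs = {normalize(rtype, r) for r in observed_types.get(rtype, set())}
            findings += [(domain, rtype, "unexpected", r) for r in sorted(obs - exp)]
            findings += [(domain, rtype, "missing", r) for r in sorted(exp - obs)]
    return findings


def covers(san: str, domain: str) -> bool:
    """True if a SAN names the domain itself or any host beneath it."""
    san = san.lower().rstrip(".")
    return san == domain or san.endswith("." + domain)


def unexpected_certificates(entries, approved: Set[str], domain: str):
    """Certificates covering the domain from an issuer the organization does
    not use: candidates for the revocation step in the mitigations."""
    return [(issuer, tuple(sans), not_before)
            for issuer, sans, not_before in entries
            if issuer not in approved and any(covers(s, domain) for s in sans)]


if __name__ == "__main__":
    for finding in diff_records(EXPECTED, OBSERVED):
        print("DNS", *finding)
    for cert in unexpected_certificates(CT_ENTRIES, APPROVED_ISSUERS, "example.test"):
        print("CERT", *cert)
```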

  • AA18-337A: SamSam Ransomware
    by CISA on 3 December 2018 at 4:18 pm

    Original release date: December 3, 2018

    Summary

    The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

    The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

    The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

    After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

    Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.

    SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.

    Technical Details

    NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. This is not an exhaustive list.
    - MAR-10219351.r1.v2 – SamSam1
    - MAR-10166283.r1.v1 – SamSam2
    - MAR-10158513.r1.v1 – SamSam3
    - MAR-10164494.r1.v1 – SamSam4

    For general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.

    Mitigations

    DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.
    - Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
    - Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
    - Enable strong passwords and account lockout policies to defend against brute force attacks.
    - Where possible, apply two-factor authentication.
    - Regularly apply system and software updates.
    - Maintain a good back-up strategy.
    - Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
    - When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
    - Ensure that third parties that require RDP access follow internal policies on remote access.
    - Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
    - Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
    - Restrict users' ability (permissions) to install and run unwanted software applications.
    - Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
    - Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

    Additional information on malware incident prevention and handling can be found in Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, from the National Institute of Standards and Technology.[1]

    Contact Information

    To report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI’s Cyber Division via the following information:
    - NCCIC: NCCICCustomerService@hq.dhs.gov, 888-282-0870
    - FBI’s Cyber Division: CyWatch@fbi.gov, 855-292-3937
    - FBI through a local field office

    Feedback

    DHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

    References
    [1] NIST SP 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops

    Revisions
    December 3, 2018: Initial version
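    A log-review routine for the RDP logging mitigation above (capture RDP logins and review them for intrusion attempts), as an added example that is not DHS's or FBI's code. The events are constructed and reduced to the fields of Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP); the routine flags a burst of failures from one source address and a success from that address shortly after, the brute-force-then-login pattern the alert describes, and does no EVTX parsing.

```python
"""Review RDP logon events for the brute-force pattern SamSam actors used,
following the mitigation "ensure that logging mechanisms capture RDP
logins ... review them regularly to detect intrusion attempts". Added
example, not DHS/FBI code. The events are constructed and reduced to the
fields of Windows Security events 4625 (failed logon) and 4624 (successful
logon) with LogonType 10 (RemoteInteractive, i.e. RDP); no EVTX parsing
is done here."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RDP_LOGON_TYPE = 10
BASE = datetime(2018, 11, 30, 2, 0, 0)

# Constructed events: twelve failed RDP logons in two minutes from one
# address, cycling through guessed account names, then a successful RDP
# logon from that address; later an ordinary internal session and one
# mistyped password from it.
EVENTS: List[Dict] = [
    {"time": BASE + timedelta(seconds=10 * i), "id": 4625, "type": RDP_LOGON_TYPE,
     "user": ("admin", "administrator", "backup", "svc_backup")[i % 4],
     "ip": "198.51.100.23"}
    for i in range(12)
] + [
    {"time": BASE + timedelta(minutes=3), "id": 4624, "type": RDP_LOGON_TYPE,
     "user": "svc_backup", "ip": "198.51.100.23"},
    {"time": BASE + timedelta(hours=7), "id": 4624, "type": RDP_LOGON_TYPE,
     "user": "jdoe", "ip": "10.0.0.15"},
    {"time": BASE + timedelta(hours=7, minutes=5), "id": 4625, "type": RDP_LOGON_TYPE,
     "user": "jdoe", "ip": "10.0.0.15"},
]


def detect_rdp_intrusions(events, threshold: int = 10,
                          window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Per source address, a sliding window over failed RDP logons:
    `threshold` failures inside `window` is a brute-force finding, and a
    successful RDP logon from the same address within `window` of that
    burst is reported as a probable credential compromise."""
    rdp = sorted((e for e in events if e["type"] == RDP_LOGON_TYPE),
                 key=lambda e: e["time"])
    recent_failures: Dict[str, List[Dict]] = defaultdict(list)
    burst_seen_at: Dict[str, datetime] = {}
    findings: List[Dict] = []
    for e in rdp:
        ip, now = e["ip"], e["time"]
        if e["id"] == 4625:
            # keep only failures that are still inside the window
            recent_failures[ip] = [f for f in recent_failures[ip] if now - f["time"] <= window]
            recent_failures[ip].append(e)
            if len(recent_failures[ip]) >= threshold and ip not in burst_seen_at:
                burst_seen_at[ip] = now
                findings.append({"kind": "brute_force", "ip": ip, "time": now,
                                 "users": sorted({f["user"] for f in recent_failures[ip]})})
        elif e["id"] == 4624:
            started = burst_seen_at.get(ip)
            if started is not None and now - started <= window:
                findings.append({"kind": "success_after_brute_force", "ip": ip,
                                 "time": now, "user": e["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_intrusions(EVENTS):
        print(finding)
```

    The "users" list on a brute-force finding shows whether one account was hammered or many were sprayed, which decides whether lockout policy alone would have stopped it.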

  • TA18-331A: 3ve – Major Online Ad Fraud Operation
    by CISA on 27 November 2018 at 5:09 pm

    Original release date: November 27, 2018

    Systems Affected

    Microsoft Windows

    Overview

    This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

    Description

    Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses.

    Boaxxe/Miuref Malware

    Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

    Kovter Malware

    Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

    Impact

    For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

    Boaxxe/Miuref Malware

    Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:
    - %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
    - %UserProfile%\AppData\Local\Temp\<RANDOM>.exe
    - %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

    The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\

    Kovter Malware

    Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:
    - %UserProfile%\AppData\Local\Temp\<RANDOM> .exe/.bat
    - %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
    - %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
    - %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

    Kovter is known to hide in the registry under:
    - HKCU\SOFTWARE\<RANDOM>\<RANDOM>

    The customized CEF browser is dropped to:
    - %UserProfile%\AppData\Local\<RANDOM>

    The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:
    - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

        /?ptrackp=\d{5,8}
        /feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
        /feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]

    The following is a YARA rule for detecting Kovter:

        rule KovterUnpacked {
          meta:
            desc = "Encoded strings in unpacked Kovter samples."
          strings:
            $ = "7562@3B45E129B93"
            $ = "@ouhKndCny"
            $ = "@ouh@mmEdctffdsr"
            $ = "@ouhSGQ"
          condition:
            all of them
        }

    Solution

    If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

    DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:
    - Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
    - Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
    - Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
    - Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
    - Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.
      - ESET Online Scanner
      - F-Secure
      - Malwarebytes
      - McAfee
      - Microsoft Safety Scanner
      - Norton Power Eraser
      - Trend Micro HouseCall

    References
    - DOJ Press Release
    - ewhitehats White Paper on Kovter Malware
    - White Ops: THE HUNT FOR 3VE
    - Google Security Blog: Industry collaboration leads to takedown of the “3ve” ad fraud operation

    Revisions
    November 27, 2018: Initial version

  • AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
    by CISA on 11 October 2018 at 3:19 pm

    Original release date: October 11, 2018

    Summary

    This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5] In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

    - Remote Access Trojan: JBiFrost
    - Webshell: China Chopper
    - Credential Stealer: Mimikatz
    - Lateral Movement Framework: PowerShell Empire
    - C2 Obfuscation and Exfiltration: HUC Packet Transmitter

    To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

    The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

    Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

    The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.

    Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives.

    Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems are common ways for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.

    How to Use This Report

    The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators.

    This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described.

    The Activity Alert concludes with general advice for improving network defense practices.

    Technical Details

    Remote Access Trojan: JBiFrost

    First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012.

    A RAT is a program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to install backdoors and key loggers, take screen shots, and exfiltrate data.

    Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programs and can mimic the behavior of legitimate applications. To prevent forensic analysis, RATs have been known to disable security measures (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim’s system.

    In Use

    JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

    Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.

    Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or PII.

    Capabilities

    JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.

    JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service.

    Past infections have exfiltrated intellectual property, banking credentials, and personally identifiable information (PII).
    Machines infected with JBiFrost RAT can also be used in botnets to carry out distributed denial-of-service attacks.

    Examples

    Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries.

    In early 2017, Adwind RAT was deployed via spoofed emails designed to look as if they originated from Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network services.

    Many other publicly available RATs, including variations of Gh0st RAT, have also been observed in use against a range of victims worldwide.

    Detection and Protection

    Some possible indications of a JBiFrost RAT infection can include, but are not limited to:

    - Inability to restart the computer in safe mode,
    - Inability to open the Windows Registry Editor or Task Manager,
    - Significant increase in disk activity and/or network traffic,
    - Connection attempts to known malicious Internet Protocol (IP) addresses, and
    - Creation of new files and directories with obfuscated or random names.

    Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organization is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.

    Strict application whitelisting is recommended to prevent infections from occurring.

    The initial infection mechanism for RATs, including JBiFrost RAT, can be via phishing emails. You can help prevent JBiFrost RAT infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email does not compromise your device. The United Kingdom National Cyber Security Centre (UK NCSC) has published phishing guidance.

    Webshell: China Chopper

    China Chopper is a publicly available, well-documented webshell that has been in widespread use since 2012.

    Webshells are malicious scripts that are uploaded to a target host after an initial compromise and grant a threat actor remote administrative capability. Once this access is established, webshells can also be used to pivot to additional hosts within a network.

    In Use

    China Chopper is extensively used by threat actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

    As China Chopper is just 4 KB in size and has an easily modifiable payload, detection and mitigation are difficult for network defenders.

    Capabilities

    China Chopper has two main components: the China Chopper client-side, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.

    The webshell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available (originally posted on hxxp://www.maicaidao.com). The MD5 hash of the web client is shown in table 1 below.

    Table 1: China Chopper webshell client MD5 hash

    Webshell Client | MD5 Hash
    caidao.exe      | 5001ef50c7e869253a7c152a638eab8a

    The webshell server is uploaded in plain text and can easily be changed by the attacker. This makes it harder to define a specific hash that can identify adversary activity.

    In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution. China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the threat actor remote access to the victim host. After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the webshell server can be accessed by the threat actor at any time using the client application. Once successfully connected, the threat actor proceeds to manipulate files and data on the web server.

    China Chopper’s capabilities include uploading and downloading files to and from the victim using the file-retrieval tool wget to download files from the internet to the target; and editing, deleting, copying, renaming, and even changing the timestamp of existing files.

    Detection and Protection

    The most powerful defense against a webshell is to avoid the web server being compromised in the first place. Ensure that all the software running on public-facing web servers is up-to-date with security patches applied. Audit custom applications for common web vulnerabilities.[6]

    One attribute of China Chopper is that every action generates a hypertext transfer protocol (HTTP) POST. This can be noisy and is easily spotted if investigated by a network defender.

    While the China Chopper webshell server upload is plain text, commands issued by the client are Base64 encoded, although this is easily decodable.

    The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.

    The most effective way to detect and mitigate China Chopper is on the host itself—specifically on public-facing web servers. There are simple ways to search for the presence of the webshell using the command line on both Linux- and Windows-based operating systems.[7]

    To detect webshells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (e.g., Hypertext Preprocessor [PHP] binaries spawning processes) or out-of-pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a webshell. You can manage network permissions to prevent web-server processes from writing to directories where PHP can be executed, or from modifying existing files.

    We also recommend that you use web access logs as a source of monitoring, such as through traffic analytics. Unexpected pages or changes in traffic patterns can be early indicators.

    Credential Stealer: Mimikatz

    Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users who are logged into a targeted Windows machine. It does this by accessing the credentials in memory within a Windows process called Local Security Authority Subsystem Service (LSASS). These credentials, either in plain text or in hashed form, can be reused to give access to other machines on a network.

    Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organizations globally to re-evaluate their network defenses.

    Mimikatz is typically used by threat actors once access has been gained to a host and the threat actor wishes to move throughout the internal network.
    Its use can significantly undermine poorly configured network security.

    In Use

    Mimikatz source code is publicly available, which means anyone can compile their own versions of the tool and potentially develop new Mimikatz custom plug-ins and additional functionality.

    Our cyber authorities have observed widespread use of Mimikatz among threat actors, including organized crime and state-sponsored groups.

    Once a threat actor has gained local administrator privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the threat actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks. For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.

    Capabilities

    Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.

    The tool can obtain Local Area Network Manager and NT LAN Manager hashes, certificates, and long-term keys on Windows XP (2003) through Windows 8.1 (2012r2). In addition, it can perform pass-the-hash or pass-the-ticket tasks and build Kerberos “golden tickets.”

    Many features of Mimikatz can be automated with scripts, such as PowerShell, allowing a threat actor to rapidly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available “Invoke-Mimikatz” PowerShell script, Mimikatz activity is very difficult to isolate and identify.

    Examples

    Mimikatz has been used across multiple incidents by a broad range of threat actors for several years. In 2011, it was used by unknown threat actors to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.

    More recently, Mimikatz was used in conjunction with other malicious tools in the NotPetya and BadRabbit ransomware attacks in 2017 to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

    In addition, a Microsoft research team identified use of Mimikatz during a sophisticated cyberattack targeting several high-profile technology and financial organizations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.

    Detection and Protection

    Updating Windows will help reduce the information available to a threat actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.

    To prevent Mimikatz credential retrieval, network defenders should disable the storage of clear text passwords in LSASS memory. This is default behavior for Windows 8.1/Server 2012 R2 and later, but can be specified on older systems which have the relevant security patches installed.[8] Windows 10 and Windows Server 2016 systems can be protected by using newer security features, such as Credential Guard.

    Credential Guard will be enabled by default if:

    - The hardware meets Microsoft’s Windows Hardware Compatibility Program Specifications and Policies for Windows Server 2016 and Windows Server Semi-Annual Branch; and
    - The server is not acting as a Domain Controller.

    You should verify that your physical and virtualized servers meet Microsoft’s minimum requirements for each release of Windows 10 and Windows Server.

    Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler. You should set user policies within your organization that discourage password reuse, even across common level accounts on a network. The freely available Local Administrator Password Solution from Microsoft can allow easy management of local administrator passwords, preventing the need to set and store passwords manually.

    Network administrators should monitor and respond to unusual or unauthorized account creation or authentication to prevent Kerberos ticket exploitation, or network persistence and lateral movement. For Windows, tools such as Microsoft Advanced Threat Analytics and Azure Advanced Threat Protection can help with this.

    Network administrators should ensure that systems are patched and up-to-date. Numerous Mimikatz features are mitigated or significantly restricted by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third-party modules are often developed.

    Most up-to-date antivirus tools will detect and isolate non-customized Mimikatz use and should therefore be used to detect these instances. But threat actors can sometimes circumvent antivirus systems by running Mimikatz in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates a threat actor is actively present in the network, rather than an automated process at work.

    Several of Mimikatz’s features rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply privileged access management principles.

    Since Mimikatz can only capture the accounts of those users logged into a compromised machine, privileged users (e.g., domain administrators) should avoid logging into machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft.[9]

    Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid in identifying Mimikatz or pass-the-hash abuse, as well as in providing some mitigation against attempts to bypass detection software.

    Lateral Movement Framework: PowerShell Empire

    PowerShell Empire is an example of a post-exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. PowerShell Empire can also be used to generate malicious documents and executables for social engineering access to networks.

    The PowerShell Empire framework was designed as a legitimate penetration testing tool in 2015. PowerShell Empire acts as a framework for continued exploitation once a threat actor has gained access to a system.

    The tool provides a threat actor with the ability to escalate privileges, harvest credentials, exfiltrate information, and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common legitimate application (PowerShell) and can operate almost entirely in memory, PowerShell Empire can be difficult to detect on a network using traditional antivirus tools.

    In Use

    PowerShell Empire has become increasingly popular among hostile state actors and organized criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.

    Initial exploitation methods vary between compromises, and threat actors can configure PowerShell Empire uniquely for each scenario and target. This, in combination with the wide range of skill and intent within the PowerShell Empire user community, means that the ease of detection will vary.
    Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by threat actors.

    Capabilities

    PowerShell Empire enables a threat actor to carry out a range of actions on a victim’s machine and implements the ability to run PowerShell scripts without needing powershell.exe to be present on the system. Its communications are encrypted and its architecture is flexible.

    PowerShell Empire uses "modules" to perform more specific malicious actions. These modules provide the threat actor with a customizable range of options to pursue their goals on the victim’s systems. These goals include escalation of privileges, credential harvesting, host enumeration, keylogging, and the ability to move laterally across a network.

    PowerShell Empire’s ease of use, flexible configuration, and ability to evade detection make it a popular choice for threat actors of varying abilities.

    Examples

    During an incident in February 2018, a UK energy sector company was compromised by an unknown threat actor. This compromise was detected through PowerShell Empire beaconing activity using the tool’s default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the threat actor with initial access to the network.

    In early 2018, an unknown threat actor used Winter Olympics-themed socially engineered emails and malicious attachments in a spear-phishing campaign targeting several South Korean organizations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a steganographic tool that will encode any PowerShell script into an image.

    In December 2017, APT19 targeted a multinational law firm with a phishing campaign. APT19 used obfuscated PowerShell macros embedded within Microsoft Word documents generated by PowerShell Empire.

    Our cybersecurity authorities are also aware of PowerShell Empire being used to target academia. In one reported instance, a threat actor attempted to use PowerShell Empire to gain persistence using a Windows Management Instrumentation event consumer. However, in this instance, the PowerShell Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance.

    Detection and Protection

    Identifying malicious PowerShell activity can be difficult due to the prevalence of legitimate PowerShell activity on hosts and the increased use of PowerShell in maintaining a corporate environment.

    To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.

    Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell. This page provides a good summary of PowerShell security practices.[10]

    The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.

    A combination of script code signing, application whitelisting, and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also impact legitimate PowerShell scripts, and it is strongly advised that they be thoroughly tested before deployment.

    When organizations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.

    C2 Obfuscation and Exfiltration: HUC Packet Transmitter

    Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools (e.g., Tor) or more specific tools to obfuscate their location.

    HUC Packet Transmitter (HTran) is a proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009.

    HTran facilitates TCP connections between the victim and a hop point controlled by a threat actor. Malicious threat actors can use this technique to redirect their packets through multiple compromised hosts running HTran to gain greater access to hosts in a network.

    In Use

    The use of HTran has been regularly observed in compromises of both government and industry targets.

    A broad range of threat actors have been observed using HTran and other connection proxy tools to:

    - Evade intrusion and detection systems on a network,
    - Blend in with common traffic or leverage domain trust relationships to bypass security controls,
    - Obfuscate or hide C2 infrastructure or communications, and
    - Create peer-to-peer or meshed C2 infrastructure to evade detection and provide resilient connections to infrastructure.

    Capabilities

    HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are:

    - Server (listen) – Both TCP sockets initiated remotely;
    - Client (slave) – Both TCP sockets initiated locally; and
    - Proxy (tran) – One TCP socket initiated remotely, the other initiated locally, upon receipt of traffic from the first connection.

    HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.

    Examples

    Recent investigations by our cybersecurity authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.

    In one incident, the threat actor compromised externally-facing web servers running outdated and vulnerable web applications. This access enabled the upload of webshells, which were then used to deploy other tools, including HTran.

    HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.

    The threat actor issued a command to start HTran as a client, initiating a connection to a server located on the internet over port 80, which forwards RDP traffic from the local interface.

    In this case, HTTP was chosen to blend in with other traffic that was expected to be seen originating from a web server to the internet. Other well-known ports used included:

    - Port 53 – Domain Name System
    - Port 443 – HTTP over TLS/Secure Sockets Layer
    - Port 3306 – MySQL

    By using HTran in this way, the threat actor was able to use RDP for several months without being detected.

    Detection and Protection

    Attackers need access to a machine to install and run HTran, so network defenders should apply security patches and use good access control to prevent attackers from installing malicious applications.

    Network monitoring and firewalls can help prevent and detect unauthorized connections from tools such as HTran.

    In some of the samples analyzed, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders can view details about the TCP connections being made.

    HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format:

        sprintf(buffer, "[SERVER]connection to %s:%d error\r\n", host, port2);

    This error message is relayed to the connecting client in the clear. Network defenders can monitor for this error message to potentially detect HTran instances active in their environments.

    Mitigations

    There are several measures that will improve the overall cybersecurity of your organization and help protect it against the types of tools highlighted in this report. Network defenders are advised to seek further information using the links below.

    - Protect your organization from malware.
      See NCCIC Guidance: https://www.us-cert.gov/ncas/tips/ST13-003.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-malware.
    - Board toolkit: five questions for your board’s agenda.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/board-toolkit-five-questions-your-boards-agenda.
    - Use a strong password policy and multifactor authentication (also known as two-factor authentication or two-step authentication) to reduce the impact of password compromises.
      See NCCIC Guidance: https://www.us-cert.gov/ncas/tips/ST05-012.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services and https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa.
    - Protect your devices and networks by keeping them up to date.
      Use the latest supported versions, apply security patches promptly, use antivirus and scan regularly to guard against known malware threats.
      See NCCIC Guidance: https://www.us-cert.gov/ncas/tips/ST04-006.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware.
    - Prevent and detect lateral movement in your organization’s networks.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement.
    - Implement architectural controls for network segregation.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-network-security.
    - Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets.
      See UK NCSC blog post: https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces.
    - Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes.
    - Review and refresh your incident management processes.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-incident-management.
    - Update your systems and software. Ensure your operating system and productivity applications are up to date. Users with Microsoft Office 365 licensing can use “click to run” to keep their office applications seamlessly updated.
    - Use modern systems and software. These have better security built-in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/obsolete-platforms-security-guidance.
    - Manage bulk personal datasets properly.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/protecting-bulk-personal-data-introduction.
    - Restrict intruders' ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points (e.g., third-party systems with onward access to your core network). During an incident, disable remote access from third-party systems until you are sure they are clean.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement and https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security.
    - Whitelist applications. If supported by your operating environment, consider whitelisting of permitted applications. This will help prevent malicious applications from running.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/eud-security-guidance-windows-10-1709#applicationwhitelistingsection.
    - Manage macros carefully. Disable Microsoft Office macros, except in the specific applications where they are required. Only enable macros for users that need them day-to-day and use a recent and fully patched version of Office and the underlying platform, ideally configured in line with the UK NCSC’s End User Device Security Collection Guidance and UK NCSC’s Macro Security for Microsoft Office Guidance: https://www.ncsc.gov.uk/guidance/end-user-device-security and https://www.ncsc.gov.uk/guidance/macro-security-microsoft-office.
    - Use antivirus. Keep any antivirus software up to date, and consider use of a cloud-backed antivirus product that can benefit from the economies of scale this brings. Ensure that antivirus programs are also capable of scanning Microsoft Office macros.
      See NCCIC Guidance: https://www.us-cert.gov/ncas/tips/ST04-005.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/macro-security-microsoft-office.
    - Layer organization-wide phishing defenses. Detect and quarantine as many malicious email attachments and spam as possible, before they reach your end users. Multiple layers of defense will greatly cut the chances of a compromise.
    - Treat people as your first line of defense. Tell personnel how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for clicking phishing links or opening attachments. NCCIC encourages users and administrators to report phishing to phishing-report@us-cert.gov.
      See NCCIC Guidance: https://www.us-cert.gov/ncas/tips/ST04-014.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/phishing.
    - Deploy a host-based intrusion detection system. A variety of products are available, free and paid-for, to suit different needs and budgets.
    - Defend your systems and networks against denial-of-service attacks.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/denial-service-dos-guidance-collection.
    - Defend your organization from ransomware. Keep safe backups of important files, protect from malware, and do not pay the ransom; it may not get your data back.
      See NCCIC Guidance: https://www.us-cert.gov/Ransomware.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware and https://www.ncsc.gov.uk/guidance/backing-your-data.
    - Make sure you are handling personal data appropriately and securely.
      See NCCIC Guidance: https://www.us-cert.gov/ncas/tips/ST04-013.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes.
    - Further information: invest in preventing malware-based attacks across various scenarios.
      See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware.

    Additional Resources from International Partners

    - Australian Cyber Security Centre (ACSC) Strategies - https://acsc.gov.au/infosec/mitigationstrategies.htm
    - ACSC Essential Eight - https://acsc.gov.au/publications/protect/essential-eight-explained.htm
    - Canadian Centre for Cyber Security (CCCS) Top 10 Security Actions - https://cyber.gc.ca/en/top-10-it-security-actions
    - CCCS Cyber Hygiene - https://www.cse-cst.gc.ca/en/cyberhygiene-pratiques-cybersecurite
    - CERT New Zealand's Critical Controls 2018 - https://www.cert.govt.nz/it-specialists/critical-controls/
    - CERT New Zealand’s Top 11 Cyber Security Tips for Your Business - https://www.cert.govt.nz/businesses-and-individuals/guides/cyber-security-your-business/top-11-cyber-security-tips-for-your-business/
    - New Zealand National Cyber Security Centre (NZ NCSC) Resources - https://www.ncsc.govt.nz/resources/
    - New Zealand Information Security Manual - https://www.gcsb.govt.nz/the-nz-information-security-manual/
    - UK NCSC 10 Steps to Cyber Security - https://www.ncsc.gov.uk/guidance/10-steps-cyber-security
    - UK NCSC Board Toolkit: five questions for your board's agenda - https://www.ncsc.gov.uk/guidance/board-toolkit-five-questions-your-boards-agenda
    - UK NCSC Cyber Security: Small Business Guide - https://www.ncsc.gov.uk/smallbusiness

    Contact Information

    NCCIC encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact NCCIC at:

    - 1-888-282-0870 (From outside the United States: +1-703-235-8832)
    - NCCICCustomerService@us-cert.gov (UNCLASS)
    - us-cert@dhs.sgov.gov (SIPRNET)
    - us-cert@dhs.ic.gov (JWICS)

    NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the NCCIC/US-CERT homepage at http://www.us-cert.gov/.

    Feedback

    NCCIC strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

    References

    [1] Australian Cyber Security Centre (ACSC)
    [2] Canadian Centre for Cyber Security (CCCS)
    [3] New Zealand National Cyber Security Centre (NZ NCSC)
    [4] UK National Cyber Security Centre (UK NCSC)
    [5] US National Cybersecurity and Communications Integration Center
    [6] OWASP Top 10 Project
    [7] FireEye Report on China Chopper
    [8] Microsoft Security Advisory
    [9] Microsoft - Best Practices for Securing Active Directory
    [10] Digital Shadows - PowerShell Security Best Practices

    Revisions

    October 11, 2018: Initial version

    This product is provided subject to this Notification and this Privacy & Use policy.

  • TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers
    by CISA on 3 October 2018 at 11:47 am

    Original release date: October 3, 2018

    Systems Affected
    Network Systems

    Overview
    The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

    This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.

    Description
    MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers' networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP's network can spread globally, affecting other customers and introducing risk.

    Using an MSP significantly increases an organization's virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers' shared networks. Bidirectional movement between networks allows APT actors to evade detection measures and maintain a presence on victims' networks.

    Note: NCCIC previously released information related to this activity in Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors, published on April 27, 2017, which includes indicators of compromise, signatures, suggested detection methods, and recommended mitigation techniques.

    Technical Details
    APT actors use a range of "living off the land" techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials, trusted off-the-shelf applications, and pre-installed system tools present in MSP customer networks.

    Pre-installed system tools, such as command line scripts, are very common and are used by system administrators for legitimate purposes. APT actors use the same command line scripts to discover accounts and remote systems.

    PowerSploit is a repository of Microsoft PowerShell and Visual Basic scripts that uses system commands such as netsh. PowerSploit, originally developed as a legitimate penetration testing tool, is widely misused by APT actors. These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors' use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity.

    When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration. APT actors have been observed using Robocopy, a Microsoft command line tool, to transfer exfiltrated and archived data from MSP client networks back through MSP network environments. Additionally, APT actors have been observed using legitimate PuTTY Secure Copy Client (PSCP) functions, allowing them to transfer stolen data securely and directly to third-party systems.

    Impact
    A successful network intrusion can have severe impacts on the affected organization, particularly if the compromise becomes public. Possible impacts include:
    - temporary or permanent loss of sensitive or proprietary information,
    - disruption to regular operations,
    - financial losses to restore systems and files, and
    - potential harm to the organization's reputation.

    Solution

    Detection
    Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Properly configured logs enable rapid containment and appropriate response.

    Response
    An organization's ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. The response capability should focus on being prepared to handle the most common attack vectors (e.g., spearphishing, malicious web content, credential theft). In general, organizations should prepare by:
    - establishing and periodically updating an incident response plan;
    - establishing written guidelines that prioritize incidents based on mission impact, so that an appropriate response can be initiated;
    - developing procedures and out-of-band lines of communication to handle incident reporting for internal and external relationships;
    - exercising incident response measures for various intrusion scenarios regularly, as part of a training regime; and
    - committing to an effort that secures the endpoint and network infrastructure: prevention is less costly and more effective than reacting after an incident.

    Mitigation

    Manage Supply Chain Risk
    MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP. Organizations should manage risk equally across their security, legal, and procurement groups. MSP clients should also refer to cloud security guidance from the National Institute of Standards and Technology to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection. [1] [2] [3]

    Architecture
    Restricting access to networks and systems is critical to containing an APT actor's movement. Provided below are key items that organizations should implement and periodically audit to ensure their network environment's physical and logical architecture limits an APT actor's visibility and access.

    Virtual Private Network Connection Recommendations
    - Use a dedicated Virtual Private Network (VPN) for the MSP connection. The organization's local network should connect to the MSP via a dedicated VPN. The VPN should use certificate-based authentication and be hosted on its own device.
    - Terminate the VPN within a demilitarized zone (DMZ). The VPN should terminate within a DMZ that is isolated from the internal network. Physical systems used within the DMZ should not be used on or for the internal network.
    - Restrict VPN traffic to and from the MSP. Access to and from the VPN should be confined to only those networks and protocols needed for service. All other internal networks and protocols should be blocked. At a minimum, all failed attempts should be logged.
    - Update VPN authentication certificates annually. Update the certificates used to establish the VPN connection no less than annually. Consider rotating VPN authentication certificates every six months.
    - Ensure VPN connections are logged, centrally managed, and reviewed. All VPN connection attempts should be logged in a central location. Investigate connections using dedicated certificates to confirm they are legitimate.

    Network Architecture Recommendations
    - Ensure internet-facing networks reside on separate physical systems. All internet-accessible network zones (e.g., perimeter network, DMZ) should reside on their own physical systems, including the security devices used to protect the network environment.
    - Separate internal networks by function, location, and risk profile. Internal networks should be segmented by function, location, and/or enterprise workgroup. All communication between networks should use Access Control Lists and security groups to implement restrictions.
    - Use firewalls to protect servers and designated high-risk networks. Firewalls should reside at the perimeter of high-risk networks, including those hosting servers. Access to these networks should be properly restricted. Organizations should enable logging, using a centrally managed logging system.
    - Configure and enable private Virtual Local Area Networks (VLANs). Enable private VLANs and group them according to system function or user workgroup.
    - Implement host firewalls. In addition to the physical firewalls in place at network boundaries, hosts should also be equipped and configured with host-level firewalls to restrict communications from other workstations (this decreases workstation-to-workstation communication).

    Network Service Restriction Recommendations
    - Only permit authorized network services outbound from the internal network. Restrict outbound network traffic to only well-known web browsing services (e.g., Transmission Control Protocol [TCP]/80, TCP/443). In addition, monitor outbound traffic to ensure the ports associated with encrypted traffic are not carrying unencrypted traffic.
    - Ensure internal and external Domain Name System (DNS) queries are performed by dedicated servers. All systems should use dedicated internal DNS servers for their queries. Ensure that DNS queries for external hosts over User Datagram Protocol (UDP)/53 are permitted only for these dedicated servers and are filtered through a DNS reputation service, and that outbound UDP/53 traffic from all other systems is denied. Ensure that TCP/53 is not permitted for any system within the network environment. All attempts to use TCP/53 and UDP/53 should be centrally logged and investigated.
    - Restrict access to unauthorized public file shares. Access to public file shares that are not used by the organization, such as Dropbox, Google Drive, and OneDrive, should be denied. Attempts to access public file share sites should be centrally logged and investigated. Recommended additional action: monitor all egress traffic for possible exfiltration of data.
    - Disable or block all network services that are not required at the network boundary. Only those services needed to operate should be enabled and/or authorized at network boundaries. These services are typically limited to TCP/137, TCP/139, and TCP/445. Additional services may be needed, depending on the network environment; these should be tightly controlled so that they send to and receive from only certain whitelisted Internet Protocol addresses, where possible.

    Authentication, Authorization, and Accounting
    Compromised account credentials continue to be the number one way threat actors penetrate a network environment. The accounts organizations create for MSPs increase the risk of credential compromise, as MSP accounts typically require elevated access. It is important that organizations adhere to best practices for password and permission management, as this can severely limit a threat actor's ability to access and move laterally across a network. Provided below are key items organizations should implement and routinely audit to ensure these risks are mitigated.

    Account Configuration Recommendations
    - Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the Enterprise Administrator (EA) or Domain Administrator (DA) groups.
    - Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.
    - Ensure MSP account passwords adhere to organizational policies. Organizational password policies should be applied to MSP accounts. These policies include complexity, lifetime, lockout, and logging.
    - Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
    - Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. Additionally, if MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
    - Use a network architecture that includes account tiering. By using an account tiering structure, higher privileged accounts will never have access to, or be found on, lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.

    Logging Configuration Recommendations
    - Enable logging on all network systems and devices and send logs to a central location. All network systems and devices should have their logging features enabled. Logs should be stored both locally and centrally to ensure they are preserved in the event of a network failure. Logs should also be backed up regularly and stored in a safe location.
    - Ensure central log servers reside in an enclave separate from other servers and workstations. Log servers should be isolated from the internet and from the rest of the network environment to further protect them from compromise. The firewall at the internal network boundary should only permit necessary services (e.g., UDP/514).
    - Configure local logs to store no less than seven days of log data. The default threshold for local logging is typically three days or a certain file size (e.g., 5 MB). Seven days of logs will cover the additional time in which problems may go unnoticed, such as holidays. If only size thresholds are available, NCCIC recommends that this parameter be set to a large value (e.g., 512 MB to 1024 MB) to ensure that events generating a high volume of log data, such as brute force attacks, can be adequately captured.
    - Configure central logs to store no less than one year of log data. Central log servers should store no less than a year's worth of data before it is rolled off. Consider increasing this capacity to two years, if possible.
    - Install and properly configure a Security Information and Event Management (SIEM) appliance. Install a SIEM appliance within the log server enclave. Configure the SIEM appliance to alert on anomalous activity identified by specific events and on significant deviations from baselined activity.
    - Enable PowerShell logging. Organizations that use Microsoft PowerShell should ensure it is upgraded to the latest version (minimum version 5) to use the added security of advanced logging, and ensure these logs are being captured and analyzed. PowerShell 5's security features include advanced logging (module and script block logging), interaction with application whitelisting (if using Microsoft's AppLocker), constrained language mode, and malicious script detection through the Antimalware Scan Interface. These features help protect an organization's network by limiting what scripts can be run, logging all executed commands, and scanning all scripts for known malicious behaviors.
    - Establish and implement a log review process. Logs that go unanalyzed are useless. It is critical to network defense that organizations establish a regular cycle for reviewing logs and developing analytics to identify patterns.

    Operational Controls
    Building a sound architecture supported by strong technical controls is only the first part of protecting a network environment. It is just as critical that organizations continuously monitor their systems, update configurations to reflect changes in their network environment, and maintain relationships with MSPs. Listed below are key operational controls organizations should incorporate for protection from threats.

    Operational Control Recommendations
    - Create a baseline for system and network behavior. System, network, and account behavior should be baselined to make it easier to track anomalies within the collected logs. Without this baseline, network administrators will not be able to identify the "normal" behaviors for systems, network traffic, and accounts.
    - Review network device configurations every six months. No less than every six months, review the active configurations of network devices for unauthorized settings (consider reviewing more frequently). Baseline configurations and their checksums should be stored in a secure location and used to validate the running configurations.
    - Review network environment Group Policy Objects (GPOs) every six months. No less than every six months, review GPOs for unauthorized settings (consider reviewing more frequently). Baseline GPO exports and their checksums should be stored in a secure location and used to validate the live objects.
    - Continuously monitor and investigate SIEM appliance alerts. The SIEM appliance should be continuously monitored for alerts. All events should be investigated and documented for future reference.
    - Periodically review SIEM alert thresholds. Review SIEM appliance alert thresholds no less than every three months. Thresholds should be updated to reflect changes, such as new systems, activity variations, and services being added to or removed from the network environment.
    - Review privileged account groups weekly. Review privileged account groups, such as DAs and EAs, no less than weekly to identify any unauthorized modifications. Consider implementing automated monitoring for these groups.
    - Disable or remove inactive accounts. Periodically monitor accounts for activity and disable or remove accounts that have not been active within a certain period, not to exceed 30 days. Consider including account management in the employee onboarding and offboarding processes.
    - Regularly update software and operating systems. Ensuring that operating systems and software are up to date is critical for taking advantage of a vendor's latest security offerings. These offerings can include mitigations for known vulnerabilities and new protections (e.g., credential protections, increased logging, enforcement of signed software).

    It is important to note that, while the recommendations provided in this TA aim at preventing the initial attack vectors and the spread of any malicious activity, there is no single solution to protecting and defending a network. NCCIC recommends network defenders use a defense-in-depth strategy to increase the odds of successfully identifying an intrusion, stopping malware, and disrupting threat actor activity. The goal is to make it as difficult as possible for an attacker to be successful and to force them to use methods that are easier to detect and have higher operational costs.

    Report Unauthorized Network Access
    Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI's Cyber Division (CyWatch@fbi.gov or 855-292-3937).
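    The network service restrictions above (web-only egress, UDP/53 only from the dedicated resolvers, no TCP/53 from any host, public file shares denied) are only useful if something actually checks the firewall's egress log against them. The following is an added example written for this page, not code from the CISA alert: it parses a constructed, simplified log format (one line per outbound flow with source, destination, protocol, destination port and, where the proxy saw one, the hostname) and reports every line that violates one of those four rules. The internal address range, the two resolver addresses, and the file-share domain list are assumptions for the example; substitute your own.

```python
"""Added example, not part of the CISA alert: check outbound firewall log
lines against the network service restrictions recommended above."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed environment (not in the alert): the internal address range, the two
# dedicated DNS resolvers, and the public file-share domains to deny.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DNS_SERVERS = {ipaddress.ip_address("10.0.1.53"), ipaddress.ip_address("10.0.2.53")}
ALLOWED_WEB_PORTS = {80, 443}
PUBLIC_FILE_SHARES = {"dropbox.com", "drive.google.com", "onedrive.live.com"}

# Constructed log format, one flow per line:
#   <timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> [host=<hostname>]
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) "
    r"dport=(?P<dport>\d+)(?: host=(?P<host>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    rule: str
    detail: str


def is_public_file_share(host: Optional[str]) -> bool:
    """True when host is one of the denied share services or a subdomain of one."""
    if not host:
        return False
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in PUBLIC_FILE_SHARES)


def check_line(line: str) -> List[Finding]:
    """Apply the egress rules to one log line; unparsable lines yield nothing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return []  # only internal-to-external traffic is in scope
    proto, dport, host = m["proto"], int(m["dport"]), m["host"]
    findings = []
    if dport == 53:
        if proto == "tcp":
            # TCP/53 is not permitted from any system
            findings.append(Finding(m["ts"], m["src"], "dns-tcp53", "TCP/53 egress is denied for every host"))
        elif src not in DNS_SERVERS:
            # UDP/53 is reserved for the dedicated resolvers
            findings.append(Finding(m["ts"], m["src"], "dns-bypass", "UDP/53 from a host that is not a dedicated DNS server"))
    elif dport not in ALLOWED_WEB_PORTS:
        findings.append(Finding(m["ts"], m["src"], "egress-port", f"outbound {proto}/{dport} is outside the web allow-list"))
    if is_public_file_share(host):
        findings.append(Finding(m["ts"], m["src"], "public-file-share", f"destination {host} is a denied public file share"))
    return findings


def check_log(text: str) -> List[Finding]:
    return [f for line in text.splitlines() if line.strip() for f in check_line(line)]


# Constructed sample: one resolver query, one DNS bypass, one TCP/53 attempt,
# normal HTTPS, HTTPS to Dropbox, outbound SSH, and internal SMB (out of scope).
SAMPLE_LOG = """\
2018-10-03T09:00:01 src=10.0.1.53 dst=203.0.113.10 proto=udp dport=53
2018-10-03T09:00:02 src=10.0.5.21 dst=203.0.113.10 proto=udp dport=53
2018-10-03T09:00:03 src=10.0.5.22 dst=203.0.113.10 proto=tcp dport=53
2018-10-03T09:00:04 src=10.0.5.23 dst=198.51.100.7 proto=tcp dport=443 host=www.example.com
2018-10-03T09:00:05 src=10.0.5.24 dst=198.51.100.8 proto=tcp dport=443 host=www.dropbox.com
2018-10-03T09:00:06 src=10.0.5.25 dst=198.51.100.9 proto=tcp dport=22
2018-10-03T09:00:07 src=10.0.5.26 dst=10.0.9.9 proto=tcp dport=445
"""

if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} [{f.rule}] {f.detail}")
```

    The check deliberately lets the two resolvers through on UDP/53 and flags everything else on port 53, including TCP, which matches the alert's wording; the reputation filtering it asks for happens on the resolvers themselves and is not visible in this log. On a real feed, run the same function over the firewall's denied and permitted flows alike: a permitted hit on any of these rules means the enforcement rules have drifted from the policy.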
    References
    NIST Cloud Computing-Related Publications
    NIST SP 500-292: Cloud Computing Reference Architecture
    NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing

    Revisions
    October 3, 2018: Initial version

    This product is provided subject to this Notification and this Privacy & Use policy.

  • TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
    by CISA on 3 October 2018 at 11:00 am

    Original release date: October 3, 2018

    Systems Affected
    Network Systems

    Overview
    This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.

    Description
    APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials and remote-access logs, and controlling privileged access and remote access.

    Impact
    APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.

    Solution
    Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response. Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before a threat actor's objectives are achieved.

    Any organization that uses an MSP to provide services should monitor the MSP's interactions within the organization's enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.

    APT TTPs and Corresponding Mitigations
    The following table lists the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.

    Table 1: APT TTPs and Mitigations

    Preparation
    APT TTPs:
    - Allocate operational infrastructure, such as Internet Protocol addresses (IPs).
    - Gather target credentials to use for legitimate access.
    Mitigations:
    - Protect: Educate users to never click unsolicited links or open unsolicited attachments in emails. Implement an awareness and training program.
    - Detect: Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators (URLs), IPs, and email addresses.

    Engagement
    APT TTPs:
    - Use legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP).
    - Leverage a trusted relationship between networks.
    Mitigations:
    - Protect: Enable strong spam filters to prevent phishing emails from reaching end users. Authenticate inbound email using Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing. Prevent external access via RDP sessions and require VPN access. Enforce multi-factor authentication and account-lockout policies to defend against brute force attacks.
    - Detect: Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses. Scan all incoming and outgoing emails to detect threats and filter out executables. Audit all remote authentications from trusted networks or service providers for anomalous activity.
    - Respond and Recover: Reset credentials, including system accounts. Transition to multifactor authentication and reduce use of password-based systems, which are susceptible to credential theft, forgery, and reuse across multiple systems.

    Presence
    APT TTPs:
    - Execution and internal reconnaissance: write to disk and execute malware and tools on hosts; use interpreted scripts and run commands in a shell to enumerate accounts, the local network, operating system, software, and processes; map accessible networks and scan connected targets.
    - Lateral movement: use remote services and log on remotely; use legitimate credentials to move laterally onto hosts, domain controllers, and servers; write to remote file shares, such as Windows administrative shares.
    - Credential access: locate credentials, dump credentials, and crack passwords.
    Mitigations:
    - Protect: Deploy an anti-malware solution, which also aims to prevent spyware and adware. Prevent the execution of unauthorized software, such as Mimikatz, by using application whitelisting. Deploy PowerShell mitigations and, in the more current versions of PowerShell, enable monitoring and security features. Prevent unauthorized external access via RDP sessions. Restrict workstations from communicating directly with other workstations. Separate administrative privileges between internal administrator accounts and accounts used by trusted service providers. Enable detailed session auditing and session logging.
    - Detect: Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems. Log use of system administrator commands, such as net, ipconfig, and ping. Audit logs for suspicious behavior. Use whitelist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system. Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.
    - Respond and Recover: Reset credentials. Monitor accounts associated with a compromise for abnormal behaviors, including unusual connections to nonstandard resources or attempts to elevate privileges, enumerate, or execute unexpected programs or applications.

    Effect
    APT TTPs:
    - Maintain access to trusted networks while gathering data from victim networks.
    - Compress and position data for future exfiltration in archives or in unconventional locations to avoid detection.
    - Send data over the command and control channel using data-transfer tools (e.g., PuTTY secure copy client [PSCP], Robocopy).
    Mitigations:
    - Protect: Prevent the execution of unauthorized software, such as PSCP and Robocopy.
    - Detect: Monitor for use of archive and compression tools. Monitor egress traffic for anomalous behaviors, such as irregular outbound connections, malformed or abnormally large packets, or bursts of data, to detect beaconing and exfiltration.
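    Three of the Detect items in the Presence row of Table 1 (auditing remote authentications from service providers, catching a user who maps an administrative share, and keeping tier-0 credentials off lower tiers), together with the MSP account time and date restrictions in TA18-276B, reduce to a handful of rules over logon and share-access events. The following is an added example written for this page, not code from either alert: it runs those rules over constructed JSON records loosely modelled on Windows Security events 4624 (successful logon, with its logon type) and 5140 (network share accessed). The MSP accounts and contracted window, the tier-0 account names, the domain controller list, and the workstation-admin allow-list are assumptions for the example.

```python
"""Added example, not part of the CISA alert: detections for misuse of
legitimate credentials over trusted-network connections, run over constructed
authentication events."""
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed environment (not in the alert): MSP accounts and their contracted
# service window, tier-0 (DA/EA) accounts, the domain controllers they may use,
# and the accounts allowed to map administrative shares on workstations.
MSP_ACCOUNTS = {"msp-svc", "msp-ops1"}
MSP_HOURS = (8, 18)                       # 08:00-17:59 local time
MSP_CONTRACT_END = datetime(2018, 12, 31)
TIER0_ACCOUNTS = {"da-admin", "ea-admin"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
WORKSTATION_ADMINS = {"wks-admin"}
ADMIN_SHARES = {"ADMIN$", "C$"}
REMOTE_LOGON_TYPES = {3, 10}              # 3 = network, 10 = RemoteInteractive (RDP)

Finding = Tuple[str, str, str]            # (rule, account, host)


def detect(event: Dict) -> List[Finding]:
    """Apply the rules to one event. Events are constructed JSON records loosely
    modelled on Windows Security events 4624 (logon) and 5140 (share access)."""
    user, host = event["user"].lower(), event["host"].upper()
    ts = datetime.fromisoformat(event["time"])
    findings: List[Finding] = []

    # Tiering: DA/EA credentials belong on domain controllers only.
    if user in TIER0_ACCOUNTS and host not in DOMAIN_CONTROLLERS:
        findings.append(("tier0-off-dc", user, host))

    if event["id"] == 4624 and event.get("logon_type") in REMOTE_LOGON_TYPES:
        if user in MSP_ACCOUNTS:
            # MSP remote access after the contract ended, or outside the window.
            if ts > MSP_CONTRACT_END:
                findings.append(("msp-after-contract-end", user, host))
            elif not MSP_HOURS[0] <= ts.hour < MSP_HOURS[1]:
                findings.append(("msp-outside-hours", user, host))
    elif event["id"] == 5140:
        share = event.get("share", "").upper()
        # Mapping ADMIN$/C$ is how lateral movement stages tools; only the
        # designated workstation admins (and tier 0, on DCs) should do it.
        if share in ADMIN_SHARES and user not in TIER0_ACCOUNTS | WORKSTATION_ADMINS:
            findings.append(("admin-share-by-nonadmin", user, host))
    return findings


def run(jsonl: str) -> List[Finding]:
    out: List[Finding] = []
    for line in jsonl.splitlines():
        if line.strip():
            out.extend(detect(json.loads(line)))
    return out


# Constructed sample events (one JSON object per line).
SAMPLE_EVENTS = """\
{"time": "2018-10-03T10:15:00", "id": 4624, "user": "msp-ops1", "host": "SRV-FILE01", "logon_type": 10}
{"time": "2018-10-03T02:15:00", "id": 4624, "user": "msp-ops1", "host": "SRV-FILE01", "logon_type": 10}
{"time": "2019-01-15T10:00:00", "id": 4624, "user": "msp-svc", "host": "SRV-FILE01", "logon_type": 3}
{"time": "2018-10-03T11:00:00", "id": 4624, "user": "da-admin", "host": "DC01", "logon_type": 2}
{"time": "2018-10-03T11:05:00", "id": 4624, "user": "da-admin", "host": "WKS-0042", "logon_type": 10}
{"time": "2018-10-03T11:20:00", "id": 5140, "user": "jsmith", "host": "WKS-0042", "share": "ADMIN$"}
{"time": "2018-10-03T11:21:00", "id": 5140, "user": "wks-admin", "host": "WKS-0042", "share": "C$"}
{"time": "2018-10-03T11:22:00", "id": 5140, "user": "jsmith", "host": "SRV-FILE01", "share": "Projects"}
"""

if __name__ == "__main__":
    for rule, account, host in run(SAMPLE_EVENTS):
        print(f"{rule}: {account} on {host}")
```

    The contract-end rule is the detection counterpart of the account expiration date the alert asks for: if the account should already be disabled, any successful remote logon is itself the finding. The tier rule is applied to both event types on purpose, since a DA account touching a workstation's C$ is a tiering violation whether or not it opened an interactive session first.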
    Detailed Mitigation Guidance

    Manage Credentials and Control Privileged Access
    Compromising the credentials of legitimate users automatically provides a threat actor with access to the network resources available to those users and helps that threat actor move more covertly through the network. Adopting and enforcing a strong-password policy can reduce a threat actor's ability to compromise legitimate accounts; transitioning to multifactor authentication solutions increases the difficulty even further. Additionally, monitoring user account logins, whether failed or successful, and deploying tools and services to detect illicit use of credentials can help network defenders identify potentially malicious activity.

    Threat actors regularly target privileged accounts because they not only grant increased access to high-value assets in the network, but also more easily enable lateral movement, and often provide mechanisms for the actors to hide their activities. Privileged access can be controlled by ensuring that only those users requiring elevated privileges are granted those accesses and, in accordance with the principle of least privilege, by restricting the use of those privileged accounts to instances where elevated privileges are required for specific tasks. It is also important to carefully manage and monitor local-administrator and MSP accounts because they inherently function with elevated privileges and are often ignored after initial configuration.

    A key way to control privileged accounts is to segregate and control administrator (admin) privileges. All administrative credentials should be tightly controlled, restricted to a function, or even limited to a specific amount of time. For example, only dedicated workstation administrator accounts should be able to administer workstations. Server accounts, such as general, Structured Query Language, or email admins, should not have administrative access to workstations. The only place domain administrator (DA) or enterprise administrator (EA) credentials should ever be used is on a domain controller. Both EA and DA accounts should be removed from the local-administrators group on all other devices. On UNIX devices, sudo (or root) access should be tightly restricted in the same manner. Employing a multifactor authentication solution for admin accounts adds another layer of security and can significantly reduce the impact of a password compromise because the threat actor also needs the other factor, that is, a smartcard or a token, to authenticate.

    Additionally, administrators should disable unencrypted remote-administrative protocols and services, which are often enabled by default. Protocols required for operations must be authorized, and the most secure version must be implemented. All other protocols must be disabled, particularly unencrypted remote-administrative protocols used to manage network infrastructure devices, such as Telnet, Hypertext Transfer Protocol, File Transfer Protocol, Trivial File Transfer Protocol, and Simple Network Management Protocol versions 1 and 2.

    Control Remote Access and Audit Remote Logins
    Control legitimate remote access by trusted service providers. Similar to other administrative accounts, MSP accounts should be given the least privileges needed to operate. In addition, it is recommended that MSP accounts either be limited to work hours, when they can be monitored, or disabled until work needs to be done. MSP accounts should also be held to the same or higher levels of security for credential use, such as multifactor authentication or more complex passwords subject to shorter expiration timeframes.

    Establish a baseline on the network. Network administrators should work with network owners or MSPs to establish what normal baseline behavior and traffic look like on the network. It is also advisable to discuss what accesses are needed when the network is not being actively managed. This will allow local network personnel to know what acceptable cross-network or MSP traffic looks like in terms of ports, protocols, and credential use.

    Monitor system event logs for anomalous activity. Network logs should be captured to help detect and identify anomalous and potentially malicious activity. In addition to the application whitelisting logs, administrators should ensure that other critical event logs are being captured and stored, such as service installation, account usage, pass-the-hash detection, and RDP detection logs. Event logs can help identify the use of tools like Mimikatz and the anomalous use of legitimate credentials or hashes. Baselining is critical for effective event log analysis, especially in the case of MSP account behavior.

    Control Microsoft RDP. Adversaries with valid credentials can use RDP to move laterally and access information on other, more sensitive systems. These techniques can help protect against the malicious use of RDP:
    - Assess the need to have RDP enabled on systems and, if required, limit connections to specific, trusted hosts.
    - Verify that cloud environments adhere to best practices, as defined by the cloud service provider. After the cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose.
    - Place any system with an open RDP port behind a firewall and require users to connect via a VPN through the firewall.
    - Perform regular checks to ensure RDP port 3389 is not open to the public internet.
    - Enforce strong-password and account-lockout policies to defend against brute force attacks.
    - Enable the Restricted Admin mode option available in Windows 8.1 and Server 2012 R2 so that reusable credentials are neither sent in plaintext during authentication nor cached on the remote host.

    Restrict Secure Shell (SSH) trusts. It is important that SSH trusts be carefully managed and secured because improperly configured and overly permissive trusts can provide adversaries with initial access opportunities and the means for lateral movement within a network. Access lists should be configured to limit which users are able to log in via SSH, and root login via SSH should be disabled. Additionally, the system should be configured to only allow connections from specific workstations, preferably administrative workstations used only for the purpose of administering systems.

    Report Unauthorized Network Access
    Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI's Cyber Division (CyWatch@fbi.gov or 855-292-3937).

    Revisions
    October 3, 2018: Initial version

    This product is provided subject to this Notification and this Privacy & Use policy.
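    The SSH trust guidance above asks for three things in sshd_config: root login disabled, an explicit allow-list of users, and connections limited to administrative workstations. The following is an added example written for this page, not code from the CISA alert: a static audit that parses a constructed sshd_config with the rules sshd itself uses (keywords are case-insensitive, the first value seen for a keyword wins, AllowUsers and the other list keywords accumulate, and anything after a Match line is conditional and so must not be read as a global setting) and reports which of the three requirements are unmet. A permissive config and its corrected form are embedded as constructed samples; the account and address values in them are assumptions for the example.

```python
"""Added example, not part of the CISA alert: a static audit of sshd_config
against the SSH trust guidance above (root login disabled, explicit user
allow-list, logins limited to administrative hosts)."""
import shlex
from typing import Dict, List, Tuple

# AllowUsers/AllowGroups/DenyUsers/DenyGroups accumulate across lines;
# every other keyword keeps its first value, as sshd does.
LIST_KEYS = {"allowusers", "allowgroups", "denyusers", "denygroups"}


def parse_sshd_config(text: str) -> Tuple[Dict[str, List[str]], List[Dict]]:
    """Return (global options, Match blocks). Keywords are case-insensitive and
    settings after a Match line are conditional, so they are kept apart."""
    global_opts: Dict[str, List[str]] = {}
    blocks: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        key, values = parts[0].lower(), parts[1:]
        if key == "match":
            current = {"criteria": values, "opts": {}}
            blocks.append(current)
            continue
        target = global_opts if current is None else current["opts"]
        if key in LIST_KEYS:
            target.setdefault(key, []).extend(values)
        else:
            target.setdefault(key, values)   # first occurrence wins
    return global_opts, blocks


def audit_sshd_config(text: str) -> List[str]:
    g, _blocks = parse_sshd_config(text)
    findings = []
    # sshd's compiled-in default is prohibit-password, which still lets root in
    # with keys; the guidance is to disable root login over SSH entirely.
    if g.get("permitrootlogin", ["prohibit-password"])[0].lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    allow_users = g.get("allowusers", [])
    if not allow_users and not g.get("allowgroups"):
        findings.append("no AllowUsers/AllowGroups: any account may attempt to log in")
    # Limiting logins to administrative workstations: each AllowUsers entry must
    # carry a source pattern (user@host or user@addr/mask); AllowGroups cannot.
    if not (allow_users and all("@" in entry for entry in allow_users)):
        findings.append("logins are not limited to administrative hosts (AllowUsers entries lack user@host patterns)")
    return findings


# Constructed configs: a permissive one and the corrected form.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
# only the two admin workstations may log in, and only as these accounts
AllowUsers ops1@10.0.10.5 ops2@10.0.10.6
PasswordAuthentication no
Match Address 10.0.10.0/24
    LogLevel VERBOSE
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

    The parser keeps Match blocks separate so that a `PermitRootLogin no` placed under `Match User backup` is not mistaken for the global setting, which is exactly the kind of misread that leaves root reachable. The audit is a text check of one file; it does not see Include directives or command-line overrides, so confirm the effective settings with `sshd -T` on the host before trusting a clean result.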

News (DARKReading, The Hacker News, Threatpost)