CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
AI Score: 9.4 High (Confidence: High)
CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
EPSS: 0.975 High (Percentile: 100.0%)
_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques._
This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.
Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.
The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.
As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.
Click here for an interactive heat map of this activity (current as of November 17, 2020). Hovering the cursor over the map reveals the number and type of entities the Russian APT has targeted in each region. These totals include compromises, scanning, or other reconnaissance activity executed from the Russian APT actor infrastructure.
Note: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email [email protected]. To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.
Note: the heat map has interactive features that may not work in your web browser. For best use, please download and save this catalog.
The FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victim web servers (Exploit Public Facing Application [T1190]).
The actor is using 213.74.101[.]65 and 213.74.139[.]196 to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (Brute Force [T1110]; Exploit Public Facing Application [T1190]). The APT actor also hosted malicious domains, including possible aviation sector target columbusairports.microsoftonline[.]host, which resolved to 108.177.235[.]92, and [cityname].westus2.cloudapp.azure.com; these domains are U.S. registered and are likely SLTT government targets (Drive-By Compromise [T1189]).
The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug (CVE-2019-19781) and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).
The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE-2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003].
Between early February and mid-September, these APT actors used 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to target U.S. SLTT government networks. Successful authentications—including the compromise of Microsoft Office 365 (O365) accounts—have been observed on at least one victim network (Valid Accounts [T1078]).
The APT actor used the following IP addresses and domains to carry out its objectives:
213.74.101[.]65
213.74.139[.]196
212.252.30[.]170
5.196.167[.]184
37.139.7[.]16
149.56.20[.]55
91.227.68[.]97
138.201.186[.]43
5.45.119[.]124
193.37.212[.]43
146.0.77[.]60
51.159.28[.]101
columbusairports.microsoftonline[.]host
microsoftonline[.]host
email.microsoftonline[.]services
microsoftonline[.]services
cityname[.]westus2.cloudapp.azure.com
IP address 51.159.28[.]101 appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address 51.159.28[.]101 (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).
Organizations should check available logs for traffic to/from IP address 51.159.28[.]101 for indications of credential-harvesting activity. As the APT actors likely have—or will—establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.
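The log review recommended above, applied to the full indicator list in this advisory, can be scripted. The following is an added example (not part of the advisory or any FBI/CISA tooling): it refangs the defanged indicators, matches them against constructed flow-log lines in an assumed `key=value` format, and separately flags SMB (TCP 445/139) and WebDAV-style (PROPFIND/OPTIONS) sessions leaving the organization's internal ranges to any external address, since those are the paths by which NTLM credentials leak. The internal ranges and the log format are assumptions to adapt to your environment.

```python
"""Added example: IOC matching plus outbound SMB/WebDAV detection over
constructed flow-log lines (not code from the advisory)."""
import ipaddress
import re

# Indicators copied from the advisory, in the defanged form it publishes them.
DEFANGED_IOCS = [
    "213.74.101[.]65", "213.74.139[.]196", "212.252.30[.]170", "5.196.167[.]184",
    "37.139.7[.]16", "149.56.20[.]55", "91.227.68[.]97", "138.201.186[.]43",
    "5.45.119[.]124", "193.37.212[.]43", "146.0.77[.]60", "51.159.28[.]101",
    "columbusairports.microsoftonline[.]host", "microsoftonline[.]host",
    "email.microsoftonline[.]services", "microsoftonline[.]services",
]

def refang(ioc: str) -> str:
    """Turn the publication-safe '[.]' notation back into a matchable string."""
    return ioc.replace("[.]", ".").lower()

IOCS = {refang(i) for i in DEFANGED_IOCS}

# Assumption: the organization's internal address space (RFC 1918 + loopback).
# Anything else counts as "leaving the network" for the SMB/WebDAV checks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {445, 139}
WEBDAV_METHODS = {"PROPFIND", "OPTIONS"}

# Assumed (constructed) log format:
# <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> [host=<name>] [method=<verb>]
KV_RE = re.compile(r"(?P<k>\w+)=(?P<v>\S+)")

def parse_line(line: str) -> dict:
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(fields: dict) -> list:
    """Return the finding tags for one parsed record (empty list = nothing to report)."""
    tags = []
    src, dst = fields.get("src", ""), fields.get("dst", "")
    host = fields.get("host", "").lower()
    if src in IOCS or dst in IOCS:
        tags.append("ioc-ip")
    # Exact match or a subdomain of a listed domain.
    if host and (host in IOCS or any(host.endswith("." + d) for d in IOCS)):
        tags.append("ioc-domain")
    if dst and is_external(dst):
        if int(fields.get("dport", 0)) in SMB_PORTS:
            tags.append("egress-smb")
        if fields.get("method", "").upper() in WEBDAV_METHODS:
            tags.append("egress-webdav")
    return tags

def scan(lines):
    """Return (ts, src, dst, dport, tags) for every line that triggers a tag."""
    findings = []
    for line in lines:
        f = parse_line(line)
        tags = classify(f)
        if tags:
            findings.append((f["ts"], f.get("src"), f.get("dst"), f.get("dport"), tags))
    return findings

SAMPLE_LOG = [  # constructed sample traffic, not real observations
    "2020-10-01T08:00:01Z src=10.1.2.3 dst=51.159.28.101 dport=445 proto=tcp",
    "2020-10-01T08:00:05Z src=10.1.2.3 dst=10.1.2.10 dport=445 proto=tcp",
    "2020-10-01T08:01:00Z src=10.1.2.4 dst=203.0.113.50 dport=80 proto=tcp method=PROPFIND",
    "2020-10-01T08:02:00Z src=10.1.2.5 dst=203.0.113.77 dport=443 proto=tcp host=email.microsoftonline.services",
    "2020-10-01T08:03:00Z src=213.74.101.65 dst=192.0.2.10 dport=443 proto=tcp",
    "2020-10-01T08:04:00Z src=10.1.2.6 dst=198.51.100.9 dport=443 proto=tcp host=login.example.com",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Internal SMB (the second sample line) is deliberately not reported; only SMB or WebDAV to addresses outside the configured internal ranges is, which is the behaviour the advisory asks defenders to watch for regardless of destination.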
Refer to AA20-296A.stix for a downloadable copy of IOCs.
Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.
Table 1: Patch information for CVEs

Vulnerability | Vulnerable Products | Patch Information
---|---|---
CVE-2019-19781 | | Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0; Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
CVE-2020-0688 | | Microsoft Security Advisory for CVE-2020-0688
CVE-2019-10149 | Exim versions 4.87–4.91 | Exim page for CVE-2019-10149
CVE-2018-13379 | FortiOS 6.0: 6.0.0 to 6.0.4; FortiOS 5.6: 5.6.3 to 5.6.7; FortiOS 5.4: 5.4.6 to 5.4.12 | Fortinet Security Advisory: FG-IR-18-384
CVE-2020-1472 | Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2012; Windows Server 2012 (Server Core installation); Windows Server 2012 R2; Windows Server 2016; Windows Server 2019; Windows Server 2019 (Server Core installation); Windows Server, version 1903 (Server Core installation); Windows Server, version 1909 (Server Core installation); Windows Server, version 2004 (Server Core installation) | Microsoft Security Advisory for CVE-2020-1472
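The version ranges in Table 1 are the kind of data that gets mis-compared when versions are treated as strings ("5.4.13" sorts before "5.4.6"). The following is an added example, not part of the advisory: it encodes the FortiOS and Exim ranges from the table as inclusive tuples, compares versions numerically component by component, and triages a constructed inventory export. The inventory format and hostnames are assumptions; only the ranges come from the table.

```python
"""Added example: numeric version-range check against the affected versions
listed in Table 1 (not code from the advisory)."""
import re

# Inclusive (low, high) ranges copied from Table 1.
AFFECTED = {
    "CVE-2018-13379": {"FortiOS": [("6.0.0", "6.0.4"), ("5.6.3", "5.6.7"), ("5.4.6", "5.4.12")]},
    "CVE-2019-10149": {"Exim": [("4.87", "4.91")]},
}

def parse_version(v: str) -> tuple:
    """'5.4.12' -> (5, 4, 12). A non-numeric suffix such as '_RC1' is dropped
    (assumption: the numeric prefix decides the comparison)."""
    nums = re.match(r"[\d.]+", v.strip()).group(0)
    return tuple(int(p) for p in nums.split(".") if p != "")

def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive tuple comparison; shorter tuples are zero-padded so that
    '5.6' is compared as '5.6.0' rather than as a string prefix."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)

def affected_cves(product: str, version: str) -> list:
    """CVEs from the table whose affected range contains this product version."""
    hits = []
    for cve, products in AFFECTED.items():
        for low, high in products.get(product, []):
            if in_range(version, low, high):
                hits.append(cve)
                break
    return hits

def triage(inventory):
    """inventory: (hostname, product, version) rows; returns the rows needing patching."""
    rows = []
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            rows.append((host, product, version, cves))
    return rows

INVENTORY = [  # constructed sample export, not real hosts
    ("vpn-gw-1", "FortiOS", "6.0.4"),   # last affected 6.0 build
    ("vpn-gw-2", "FortiOS", "6.0.5"),   # first fixed 6.0 build
    ("vpn-gw-3", "FortiOS", "5.4.13"),  # string compare would wrongly flag this
    ("mail-1", "Exim", "4.89"),
    ("mail-2", "Exim", "4.92"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row)
```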
PROGRAMFILES, PROGRAMFILES(X86), and WINDOWS folders. All other locations should be disallowed unless an exception is granted.
For accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double password reset may be required to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of the KRBTGT account password (invalidating forged “Golden Tickets”) may be required, and Microsoft has released specialized guidance for this. Such a reset should be performed very carefully if needed.
If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones are built in the new forest. This will need to be completed in on-premises as well as Azure-hosted AD instances.
Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.
It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.
Reset the Kerberos Ticket Granting Ticket (krbtgt) password;[1] this must be completed before any additional actions (a second reset will take place in step 5).
Wait for the krbtgt reset to propagate to all domain controllers (time may vary).
Reset the passwords of all accounts:
1. User accounts (forced reset with no legacy password reuse)
2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
3. Service accounts
4. Directory Services Restore Mode (DSRM) account
5. Domain Controller machine account
6. Application passwords
Reset the krbtgt password again.
Wait for the krbtgt reset to propagate to all domain controllers (time may vary).
The following accounts should be reset:
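The ordering of the reset sequence matters: the first krbtgt reset must precede every other password change, the second must follow them all, and the two krbtgt resets must be far enough apart for the first to replicate to every domain controller. The following is an added example, not part of the advisory or of Microsoft's guidance: given the two krbtgt reset times and a constructed export of `pwdLastSet` values, it reports accounts that still carry a pre-reset password, accounts reset outside the prescribed window, and krbtgt resets that were made too close together. The 10-hour minimum gap is an assumption (the advisory only says "time may vary"); set it from your own replication topology.

```python
"""Added example: audit exported pwdLastSet values against the krbtgt-first,
accounts, krbtgt-again reset sequence (not code from the advisory)."""
from datetime import datetime, timedelta

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def audit_reset_order(krbtgt_resets, accounts, min_gap=timedelta(hours=10)):
    """krbtgt_resets: the krbtgt password-set times observed (any order).
    accounts: {sAMAccountName: pwdLastSet datetime, or None if never set}.
    min_gap: assumed minimum wait between the two krbtgt resets so that the
    first has propagated to all domain controllers.
    Returns a dict; an empty 'problems' list means the sequence checks out."""
    problems = []
    if len(krbtgt_resets) < 2:
        problems.append("krbtgt reset only once; a second reset is required")
        first, second = max(krbtgt_resets), None
    else:
        first, second = sorted(krbtgt_resets)[-2:]
        if second - first < min_gap:
            problems.append(f"krbtgt resets only {second - first} apart; wait for propagation")

    not_reset, out_of_order = [], []
    for name, changed in accounts.items():
        if changed is None or changed < first:
            # Still carries a password that predates the incident response.
            not_reset.append(name)
        elif second is not None and changed > second:
            # Fresh password, but changed after the final krbtgt reset, so the
            # procedure was not followed in order; worth confirming manually.
            out_of_order.append(name)

    problems += [f"not reset after first krbtgt reset: {n}" for n in sorted(not_reset)]
    problems += [f"reset after second krbtgt reset: {n}" for n in sorted(out_of_order)]
    return {"not_reset": sorted(not_reset),
            "out_of_order": sorted(out_of_order),
            "problems": problems}

# Constructed sample data (not a real domain).
KRBTGT_RESETS = [ts("2020-10-05T08:00:00"), ts("2020-10-05T20:30:00")]
ACCOUNTS = {
    "alice": ts("2020-10-05T09:15:00"),
    "svc_backup": ts("2020-10-05T11:00:00"),
    "WS01$": ts("2020-10-05T12:00:00"),        # computer account, also in scope
    "bob": ts("2020-09-30T10:00:00"),          # never reset since the incident
    "svc_legacy": None,                        # pwdLastSet = 0, never set
    "carol": ts("2020-10-06T07:00:00"),        # reset after the second krbtgt reset
}

if __name__ == "__main__":
    for problem in audit_reset_order(KRBTGT_RESETS, ACCOUNTS)["problems"]:
        print(problem)
```

In practice the `accounts` mapping would be built from a directory export of `pwdLastSet` for users, computers and service accounts; the point of the check is that a single account left with its old password (here `bob` and `svc_legacy`) undoes the rest of the reset effort.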
Implement the following recommendations to secure your organization’s VPNs:
Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].
DISCLAIMER
This information is provided “as is” for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.
The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password
October 22, 2020: Initial Version
November 17, 2020: Added U.S. Heat Map of Activity
December 1, 2020: Added “current as of” date to U.S. Heat Map of Activity