1. HUNCERT
  2. Hírolvasó
  3. Sources
  4. US CERT: Technical Security Alerts

US CERT: Technical Security Alerts

Subscribe to US CERT: Technical Security Alerts hírcsatorna
Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
Webcím: https://us-cert.cisa.gov/
Frissítve: 1 óra 40 perc
2021. szeptember 22.

AA21-265A: Conti Ransomware

Original release date: September 22, 2021
Summary

Immediate Actions You Can Take Now to Protect Against Conti Ransomware
• Use multi-factor authentication.
• Segment and segregate networks and functions.
• Update your operating system and software.

Note: This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment. 

To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.

Click here for a PDF version of this report.

Click here for indicators of compromise (IOCs) in STIX format.

Technical Details

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack. 

Conti actors often gain initial access [TA0001] to networks through:

  • Spearphishing campaigns using tailored emails that contain malicious attachments [T1566.001] or malicious links [T1566.002];
    • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware. [1],[2],[3]
  • Stolen or weak Remote Desktop Protocol (RDP) credentials [T1078].[4]
  • Phone calls;
  • Fake software promoted via search engine optimization;
  • Other malware distribution networks (e.g., ZLoader); and
  • Common vulnerabilities in external assets.

In the execution phase [TA0002], actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force [T1110] routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks [T1558.003] to attempt to get the Admin hash to conduct brute force attacks.

Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence [TA0003] on victim networks.[5] The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges [TA0004] within a domain and perform other post-exploitation and lateral movement tasks [TA0008]. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.

According to a recently leaked threat actor “playbook,” [6] Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges [TA0004] and move laterally [TA0008] across a victim’s network:

  • 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities; [7]
  • "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler [8] service; and
  • "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems.[9]

Artifacts leaked with the playbook identify four Cobalt Strike server Internet Protocol (IP) addresses Conti actors previously used to communicate with their command and control (C2) server.

  • 162.244.80[.]235
  • 85.93.88[.]165
  • 185.141.63[.]120
  • 82.118.21[.]1

CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims.

Conti actors often use the open-source Rclone command line program for data exfiltration [TA0010]. After the actors steal and encrypt the victim's sensitive data [T1486], they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with public release of the data if the ransom is not paid.

MITRE ATT&CK Techniques

Conti ransomware uses the ATT&CK techniques listed in table 1.

Table 1: Conti ATT&CK techniques for enterprise Initial Access Technique Title ID Use Valid Accounts T1078 Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials.  Phishing: Spearphishing Attachment  T1566.001 Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware. Phishing: Spearphishing Link  T1566.002 Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails. Execution Technique Title ID Use Command and Scripting Interpreter: Windows Command Shell  T1059.003 Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files. Native Application Programming Interface (API)  T1106 Conti ransomware has used API calls during execution. Persistence Technique Title ID Use Valid Accounts T1078 Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials.  External Remote Services T1133 Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. Privilege Escalation Technique Title ID Use Process Injection: Dynamic-link Library Injection T1055.001 Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executes it.  Defense Evasion Technique Title ID Use Obfuscated Files or Information  T1027 Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls. Process Injection: Dynamic-link Library Injection T1055.001 Conti ransomware has loaded an encrypted DLL into memory and then executes it. Deobfuscate/Decode Files or Information  T1140 Conti ransomware has decrypted its payload using a hardcoded AES-256 key. Credential Access Technique Title ID Use Brute Force T1110 Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 Conti actors use Kerberos attacks to attempt to get the Admin hash. System Network Configuration Discovery  T1016 Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-internet systems. System Network Connections Discovery  T1049 Conti ransomware can enumerate routine network connections from a compromised host. Process Discovery T1057 Conti ransomware can enumerate through all open processes to search for any that have the string sql in their process name. File and Directory Discovery  T1083 Conti ransomware can discover files on a local system. Network Share Discovery T1135 Conti ransomware can enumerate remote open server message block (SMB) network shares using NetShareEnum(). Lateral Movement Technique Title ID Use Remote Services: SMB/Windows Admin Shares  T1021.002 Conti ransomware can spread via SMB and encrypts files on different hosts, potentially compromising an entire network. Taint Shared Content T1080 Conti ransomware can spread itself by infecting other remote machines via network shared drives. Impact Technique Title ID Use Data Encrypted for Impact T1486 Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. Conti ransomware can use "Windows Restart Manager" to ensure files are unlocked and open for encryption. Service Stop T1489 Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop. Inhibit System Recovery T1490 Conti ransomware can delete Windows Volume Shadow Copies using vssadmin. Mitigations

CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks.

Use multi-factor authentication. Implement network segmentation and filter traffic.
  • Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. 
  • Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.
  • Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
Scan for vulnerabilities and keep software updated. 
  • Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures. 
  • Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system. 
Remove unnecessary applications and apply controls.
  • Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications—such as remote monitoring and management software and remote desktop software applications—to aid in the malicious exploitation of an organization’s enterprise. 
  • Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
  • Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.
  • Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • See the joint Alert, Publicly Available Tools Seen in Cyber Incidents Worldwide—developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom—for guidance on detection and protection against malicious use of publicly available tools.
Implement endpoint and detection response tools. 
  • Endpoint and detection response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors. 
Limit access to resources over the network, especially by restricting RDP. 
  • After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
Secure user accounts.
  • Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
  • Regularly audit logs to ensure new accounts are legitimate users.

Review CISA’s APTs Targeting IT Service Provider Customers guidance for additional mitigations specific to IT Service Providers and their customers.

Use the Ransomware Response Checklist in case of infection.

If a ransomware incident occurs at your organization, CISA, FBI, and NSA recommend the following actions:

CISA, FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.

Additional Resources Free Cyber Hygiene Services

CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.

StopRansomware.gov 

The StopRansomware.gov webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:

Rewards for Justice Reporting

The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

References Revisions
  • September 22, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

2021. szeptember 16.

AA21-259A: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus

Original release date: September 16, 2021
Summary

This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise for  referenced threat actor tactics and for techniques.

This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution.

CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes CVE-2021-40539. FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations ensure ADSelfService Plus is not directly accessible from the internet.

The FBI, CISA, and CGCYBER have reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access [T1190] to ManageEngine ADSelfService Plus, as early as August 2021. The actors have been observed using various tactics, techniques, and procedures (TTPs), including:

  • Frequently writing webshells [T1505.003] to disk for initial persistence
  • Obfuscating and Deobfuscating/Decoding Files or Information  [T1027 and T1140]
  • Conducting further operations to dump user credentials [T1003]
  • Living off the land by only using signed Windows binaries for follow-on actions [T1218]
  • Adding/deleting user accounts as needed [T1136]
  • Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives
  • Using Windows Management Instrumentation (WMI) for remote execution [T1047]
  • Deleting files to remove indicators from the host [T1070.004]
  • Discovering domain accounts with the net Windows command [1087.002]
  • Using Windows utilities to collect and archive files for exfiltration [T1560.001]
  • Using custom symmetric encryption for command and control (C2) [T1573.001]

The FBI, CISA, and CGCYBER are proactively investigating and responding to this malicious cyber activity.

  • FBI is leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies.
  • CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • CGCYBER has deployable elements that provide cyber capability to marine transportation system critical infrastructure in proactive defense or response to incidents.

Sharing technical and/or qualitative information with the FBI, CISA, and CGCYBER helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask and hold accountable, those conducting malicious cyber activities. See the Contact section below for details.

Click here for a PDF version of this report.

Technical Details

Successful compromise of ManageEngine ADSelfService Plus, via exploitation of CVE-2021-40539, allows the attacker to upload a .zip file containing a JavaServer Pages (JSP) webshell masquerading as an x509 certificate: service.cer. Subsequent requests are then made to different API endpoints to further exploit the victim's system.

After the initial exploitation, the JSP webshell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, continues the compromised access.

Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.

Targeted Sectors

APT cyber actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors—including transportation, IT, manufacturing, communications, logistics, and finance. Illicitly obtained access and information may disrupt company operations and subvert U.S. research in multiple sectors.

Indicators of Compromise

Hashes:

068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324
49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba

File paths:

C:\ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports\ReportGenerate.jsp
C:\ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\adap.jsp
C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help
C:\ManageEngine\ADSelfService Plus\jre\bin\SelfSe~1.key (filename varies with an epoch timestamp of creation, extension may vary as well)
C:\ManageEngine\ADSelfService Plus\webapps\adssp\Certificates\SelfService.csr
C:\ManageEngine\ADSelfService Plus\bin\service.cer
C:\Users\Public\custom.txt
C:\Users\Public\custom.bat
C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help (including subdirectories and contained files)

Webshell URL Paths:

/help/admin-guide/Reports/ReportGenerate.jsp

/html/promotion/adap.jsp

Check log files located at C:\ManageEngine\ADSelfService Plus\logs for evidence of successful exploitation of the ADSelfService Plus vulnerability:

  • In access* logs:
    • /help/admin-guide/Reports/ReportGenerate.jsp
    • /ServletApi/../RestApi/LogonCustomization
    • /ServletApi/../RestAPI/Connection
  • In serverOut_* logs:
    • Keystore will be created for "admin"
    • The status of keystore creation is Upload!
  • In adslog* logs:
    • Java traceback errors that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig

TTPs:

  • WMI for lateral movement and remote code execution (wmic.exe)
  • Using plaintext credentials acquired from compromised ADSelfService Plus host
  • Using pg_dump.exe to dump ManageEngine databases
  • Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives
  • Exfiltration through webshells
  • Post-exploitation activity conducted with compromised U.S. infrastructure
  • Deleting specific, filtered log lines

Yara Rules:

rule ReportGenerate_jsp {
   strings:
      $s1 = "decrypt(fpath)"
      $s2 = "decrypt(fcontext)"
      $s3 = "decrypt(commandEnc)"
      $s4 = "upload failed!"
      $s5 = "sevck"
      $s6 = "newid"
   condition:
      filesize < 15KB and 4 of them
}

 

rule EncryptJSP {
   strings:
      $s1 = "AEScrypt"
      $s2 = "AES/CBC/PKCS5Padding"
      $s3 = "SecretKeySpec"
      $s4 = "FileOutputStream"
      $s5 = "getParameter"
      $s6 = "new ProcessBuilder"
      $s7 = "new BufferedReader"
      $s8 = "readLine()"
   condition:
      filesize < 15KB and 6 of them
} Mitigations

Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately.

Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes CVE-2021-40539. FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations ensure ADSelfService Plus is not directly accessible from the internet.

Additionally, FBI, CISA, and CGCYBER strongly recommend domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the NTDS.dit file was compromised.

Actions for Affected Organizations

Immediately report as an incident to CISA or the FBI (refer to Contact Information section below) the existence of any of the following:

  • Identification of indicators of compromise as outlined above.
  • Presence of webshell code on compromised ManageEngine ADSelfService Plus servers.
  • Unauthorized access to or use of accounts.
  • Evidence of lateral movement by malicious actors with access to compromised systems.
  • Other indicators of unauthorized access or compromise.
Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

  • To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
  • To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.
  • To report cyber incidents to the Coast Guard pursuant to 33 CFR Subchapter H, Part 101.305 please contact the USCG National Response Center (NRC) Phone: 1-800-424-8802, email: NRC@uscg.mil.
Revisions
  • September 16, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

2021. augusztus 31.

AA21-243A: Ransomware Awareness for Holidays and Weekends

Original release date: August 31, 2021
Summary

Immediate Actions You Can Take Now to Protect Against Ransomware
• Make an offline backup of your data.
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
Update your OS and software.
• Use strong passwords.
Use multi-factor authentication.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.

Click here for a PDF copy of this report.

Threat Overview Recent Holiday Targeting

Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.

  • In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
  • In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
  • In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.
Ransomware Trends

The FBI's Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.This number includes only those victims who have provided information to IC3.  The following ransomware variants have been the most frequently reported to FBI in attacks over the last month.

  • Conti
  • PYSA
  • LockBit
  • RansomEXX/Defray777
  • Zeppelin
  • Crysis/Dharma/Phobos

The destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom. (See CISA’s Fact Sheet: Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches.) Malicious actors have also added tactics, such as encrypting or deleting system backups—making restoration and recovery more difficult or infeasible for impacted organizations.

Although cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints. Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web. Precursor malware enables cyber actors to conduct reconnaissance on victim networks, steal credentials, escalate privileges, exfiltrate information, move laterally on the victim network, and obfuscate command-and-control communications. Cyber actors use this access to: 

  • Evaluate a victim’s ability to pay a ransom.
  • Evaluate a victim’s incentive to pay a ransom to: 
    • Regain access to their data and/or 
    • Avoid having their sensitive or proprietary data publicly leaked.
  • Gather information for follow-on attacks before deploying ransomware on the victim network.
Threat Hunting

The FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems. 

  • Understand the IT environment’s routine activity and architecture by establishing a baseline. By implementing a behavior-based analytics approach, an organization can better assess user, endpoint, and network activity patterns. This approach can help an organization remain alert on deviations from normal activity and detect anomalies. Understanding when users log in to the network—and from what location—can assist in identifying anomalies. Understanding the baseline environment—including the normal internal and external traffic—can also help in detecting anomalies. Suspicious traffic patterns are usually the first indicators of a network incident but cannot be detected without establishing a baseline for the corporate network.
  • Review data logs. Understand what standard performance looks like in comparison to suspicious or anomalous activity. Things to look for include:
    • Numerous failed file modifications,
    • Increased CPU and disk activity,
    • Inability to access certain files, and
    • Unusual network communications.
  • Employ intrusion prevention systems and automated security alerting systems—such as security information event management software, intrusion detection systems, and endpoint detection and response.
  • Deploy honeytokens and alert on their usage to detect lateral movement.

Indicators of suspicious activity that threat hunters should look for include:

  • Unusual inbound and outbound network traffic,
  • Compromise of administrator privileges or escalation of the permissions on an account,
  • Theft of login and password credentials,
  • Substantial increase in database read volume,
  • Geographical irregularities in access and log in patterns,
  • Attempted user activity during anomalous logon times, 
  • Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and
  • Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.

See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Also review the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide.

Cyber Hygiene Services

CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. 

Ransomware Best Practices

The FBI and CISA strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities. Regardless of whether you or your organization decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to CISA, a local FBI field office, or by filing a report with IC3 at IC3.gov. Doing so provides the U.S. Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under U.S. law, and share information to prevent future attacks.

Information Requested

Upon receiving an incident report, the FBI or CISA may seek forensic artifacts, to the extent that affected entities determine such information can be legally shared, including: 

  • Recovered executable file(s),
  • Live memory (RAM) capture,
  • Images of infected systems,
  • Malware samples, and
  • Ransom note.
Recommended Mitigations

The FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends.FBI and CISA highly recommend IT security personnel subscribe to CISA cybersecurity publications (https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED)—and regularly visit the FBI Internet Crime Complaint Center (https://www.ic3.gov/)—for the latest alerts.  Additionally, the FBI and CISA recommend identifying IT security employees to be available and "on call" during these times, in the event of a ransomware attack. The FBI and CISA also suggest applying the following network best practices to reduce the risk and impact of compromise.

Make an offline backup of your data.
  • Make and maintain offline, encrypted backups of data and regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete or encrypt accessible backups.
  • Review your organization's backup schedule to take into account the risk of a possible disruption to backup processes during weekends or holidays.
Do not click on suspicious links.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks involved in visiting malicious websites or opening malicious attachments and to reinforce the appropriate user response to phishing and spearphishing emails.
If you use RDP—or other potentially risky services—secure and monitor.
  • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA. If RDP must be available externally, it should be authenticated via VPN.
  • Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts, log RDP login attempts, and disable unused remote access/RDP ports.
  • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
  • Disable or block Server Message Block (SMB) protocol outbound and remove or disable outdated versions of SMB. Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Open document readers in protected viewing modes to help prevent active content from running.
Update your OS and software; scan for vulnerabilities.
  • Upgrade software and operating systems that are no longer supported by vendors to currently supported versions. Regularly patch and update software to the latest available versions. Prioritize timely patching of internet-facing servers—as well as software processing internet data, such as web browsers, browser plugins, and document readers—for known vulnerabilities. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which network assets and zones should participate in the patch management program.
  • Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans.
  • Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices. (See the Cyber Hygiene Services section above for more information on CISA’s free services.)
Use strong passwords.
  • Ensure strong passwords and challenge responses. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
Use multi-factor authentication.
  • Require multi-factor authentication (MFA) for all services to the extent possible, particularly for remote access, virtual private networks, and accounts that access critical systems. 
Secure your network(s): implement segmentation, filter traffic, and scan ports.
  • Implement network segmentation with multiple layers, with the most critical communications occurring in the most secure and reliable layer.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
  • Scan network for open and listening ports and close those that are unnecessary.
  • For companies with employees working remotely, secure home networks—including computing, entertainment, and Internet of Things devices—to prevent a cyberattack; use separate devices for separate activities; and do not exchange home and work content. 
Secure your user accounts.
  • Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
  • Regularly audit logs to ensure new accounts are legitimate users.
Have an incident response plan.
  • Create, maintain, and exercise a basic cyber incident response plan that:
    • Includes procedures for response and notification in a ransomware incident and
    • Plans for the possibility of critical systems being inaccessible for a period of time.

Note: for help with developing your plan, review available incident response guidance, such as the Public Power Cyber Incident Response Playbook and the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide.

If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
  • Turn off other computers and devices. Power off and segregate (i.e., remove from the network) the infected computer(s). Power off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering off and segregating infected computers from computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.
Additional Resources

For additional resources related to the prevention and mitigation of ransomware, go to https://www.stopransomware.gov as well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. Stopransomware.gov is the U.S. Government’s new, official one-stop location for resources to tackle ransomware more effectively. Additional resources include:

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

Revisions
  • August 31, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

2021. augusztus 17.

AA21-229A: BadAlloc Vulnerability Affecting BlackBerry QNX RTOS

Original release date: August 17, 2021
Summary

On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.[1] A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.[2] BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems,  increasing risk to the Nation’s critical functions. Note: at this time, CISA is not aware of active exploitation of this vulnerability.

CISA strongly encourages critical infrastructure organizations and other organization developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible. Refer to the Mitigations section for more information about patching.

Technical Details

CVE-2021-22156 is an integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products. Exploitation of this vulnerability could lead to a denial-of-service condition or arbitrary code execution in affected devices. To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.[3]

CVE-2021-22156 is part of a collection of integer overflow vulnerabilities, known as BadAlloc, which affect a wide range of industries using Internet of Things (IoT), and operational technology (OT)/industrial control systems (ICS) devices. See CISA ICS Advisory ICSA-21-119-04 and Microsoft’s BadAlloc blog post for more information.

All BlackBerry programs with dependency on the C runtime library are affected by this vulnerability (see table 1 for a list of affected BlackBerry QNX products). Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions.

Table 1: Affected BlackBerry QNX Products [4] Product Affected Version  QNX SDP  6.5.0SP1, 6.5.0,  6.4.1, 6.4.0  QNX Momentics Development Suite  6.3.2  QNX Momentics 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0  QNX Realtime Platform  6.1.0a, 6.1.0, 6.0.0a, 6.0.0  QNX Cross Development Kit  6.0.0, 6.1.0  QNX Development Kit (Self-hosted)  6.0.0, 6.1.0  QNX Neutrino RTOS Safe Kernel  1.0  QNX Neutrino RTOS Certified Plus  1.0  QNX Neutrino RTOS for Medical Devices  1.0, 1.1  QNX OS for Automotive Safety  1.0  QNX OS for Safety  1.0, 1.0.1  QNX Neutrino Secure Kernel  6.4.0, 6.5.0  QNX CAR Development Platform  2.0RR

 

Mitigations

CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches.
  • End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer's recommended mitigation measures until the patch can be applied.
    • Note: installation of software updates for RTOS frequently may require taking the device out of service or to an off-site location for physical replacement of integrated memory.
Resources References Revisions
  • Initial version: August 17, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

2021. július 28.

AA21-209A: Top Routinely Exploited Vulnerabilities

Original release date: July 28, 2021
Summary

This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). 

This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.  

Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. 

Click here for a PDF version of this report.

Technical DetailsKey Findings

In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.

Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organization to conduct rigorous patch management.

CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020. 

Table 1:Top Routinely Exploited CVEs in 2020

Vendor

CVE

Type

Citrix

CVE-2019-19781

arbitrary code execution

Pulse

CVE 2019-11510

arbitrary file reading

Fortinet

CVE 2018-13379

path traversal

F5- Big IP

CVE 2020-5902

remote code execution (RCE)

MobileIron

CVE 2020-15505

RCE

Microsoft

CVE-2017-11882

RCE

Atlassian

CVE-2019-11580

RCE

Drupal

CVE-2018-7600

RCE

Telerik

CVE 2019-18935

RCE

Microsoft

CVE-2019-0604

RCE

Microsoft

CVE-2020-0787

elevation of privilege

Netlogon

CVE-2020-1472

elevation of privilege

 

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. 

Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.

2020 CVEs

CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE 2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[1][2][3] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis.CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix’s Application Delivery Controller (ADC)—a load balancing application for web, application, and database servers widely use throughout the United States.[4][5] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[6

Identified as emerging targets in early 2020,[7] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379[8][9], in VPN services[10][11] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[12][13]

The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorized credentials for all users on a compromised Pulse VPN server and can retain unauthorize access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[14][15][16][17]

2021 CVEs

In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited. 

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 
    • See CISA’s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
    • See CISA’s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
    • See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.
  • VMware: CVE-2021-21985
    • See CISA’s Current Activity: Unpatched VMware vCenter Software for more information and guidance. 
  • Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 
    • See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations. 
Mitigations and Indicators of Compromise

One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible. 

Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crow, a centralized identity management and application (CVE-2019-11580) in its reported operations. A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set. 

Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.

Tables 2–14 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020. 

Note: The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE.
 

Table 2: CVE-2019-19781 Vulnerability Details

Citrix Netscaler Directory Traversal (CVE-2019-19781)

Vulnerability Description
Citrix Netscaler Application Delivery Control (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal. 

CVSS 3.02 

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

The lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). In this instance, Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request (POST https://$TARGET/vpn/../vpn/portal/scripts/newbm.pl), allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g., curl, wget, Invoke-WebRequest) and gain unauthorized access to the OS. 

Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability.

Fix

Patch Available

Recommended Mitigations

  • Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781
  • If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).

Detection Methods

Vulnerable Technologies and Versions
Citrix ADC and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0

References and Additional Guidance

 

Table 3: CVE 2019-11510 Vulnerability Details

Pulse Secure Connect VPN (CVE 2019-11510)

Vulnerability Description
Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials. 

CVSS 3.0

Critical
 

Vulnerability Discussion, IOCs, and Malware Campaigns
Improper access controls allow a directory traversal that an attacker can exploit to read the contents of system files. For example, the attacker could use a string such as https://sslvpn.insecure-org.com/dana-na/../dana/html5/acc/guacmole/../../../../../../etc/passwd?/dana/html5/guacamole/ to obtain the local password file from the system. The attacker can also obtain admin session data and replay session tokens in the browser. Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN. This could lead to anyone connecting to the VPN as a potential target to compromise.  

Multiple malware campaigns have taken advantage of this vulnerability, most notably REvil/Sodinokibi ransomware.

Fix

Patch Available
 

Recommended Mitigations
  • Upgrade to the latest Pulse Secure VPN.
  • Stay alert to any scheduled tasks or unknown files/executables. 
  • Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read local system files.
Detection Methods
  • CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisagov/check-your-pulse.
  • Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708.

Vulnerable Technologies and Versions
Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 are vulnerable.

References

 

Table 4: CVE 2018-13379 Vulnerability Details

Fortinet FortioOS Secure Socket Layer VPN (CVE 2018-13379)

Vulnerability Description
Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the sslvpn_websession file. An attacker is then able to exact clear-text usernames and passwords. 

CVSS 3.0

Critical
 

Vulnerability Discussion, IOCs, and Malware Campaigns
Weakness in user access controls and web application directory structure allows attackers to read system files without authentication. Attackers are able to perform a HTTP GET request http://$SSLVPNTARGET?lang=/../../../..//////////dev/cmdb/sslvpn_websession. This results the server responding with unprintable/hex characters alongside cleartext credential information. 

Multiple malware campaigns have taken advantage of this vulnerability. The most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo). 

Fix

Patch Available
 

Recommended Mitigations
  • Upgrade to the latest Fortinet SSL VPN. 
  • Monitor for alerts to any unscheduled tasks or unknown files/executables.  
  • Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read the sslvpn_websessions file. 
Detection Methods
  • Nmap developed a script that can be used with the port scanning engine: Fortinet SSL VPN CVE-2018-13379 vuln scanner #1709.

Vulnerable Technologies and Versions
Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable.

References

 

Table 5: CVE-2020-5902 Vulnerability Details

F5 Big IP Traffic Management User Interface (CVE-2020-5902)

Vulnerability Description
The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages. 

CVSS 3.0
Critical

Vulnerability Discussion, IOCs, and Malware Campaigns
This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. 

Fix
Upgrade to Secure Versions Available
 

Recommended Mitigations
Download and install a fixed software version of the software from a vendor approved resource. If it is not possible to update quickly, restrict access via the following actions.

  • Address unauthenticated and authenticated attackers on self IPs by blocking all access.
  • Address unauthenticated attackers on management interface by restricting access. 
Detection Methods

Vulnerable Technologies and Versions
BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) 15.1.0, 15.0.0-15.0.1, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.5, and 11.6.1-11.6.5 are vulnerable.

References

 

Table 6: CVE-2020-15505 Vulnerability Details

MobileIron Core & Connector (CVE-2020-15505)

Vulnerability Description

MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.

Fix

Patch Available

Recommended Mitigations

  • Download and install a fixed software version of the software from a vendor approved resource.

Detection Methods

  • None. Manually check your software version to see if it is susceptible to this vulnerability. 

Vulnerable Technologies and Versions

MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable.

References

 

Table 7: CVE-2020-0688 Vulnerability Details

Microsoft Exchange Memory Corruption (CVE-2020-0688)

Vulnerability Description

An RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns
CVE-2020-0688 exists in the Microsoft Exchange Server when the server fails to properly create unique keys at install time. An authenticated user with knowledge of the validation key and a mailbox may pass arbitrary objects for deserialization by the web application that runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install. 

A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.

Fix

Patch Available

Recommended Mitigations

  • Download and install a fixed software version of the software from a vendor approved resource.

Detection Methods

Vulnerable Technologies and Versions

Microsoft Exchange Server 2019 Cumulative Update 3 and 4, 2016 Cumulative Update 14 and 15, 2013 Cumulative Update 23, and 2010 Service Pack 3 Update Rollup 30 are vulnerable.

References

 

Table 8: CVE-2019-3396 Vulnerability Details

Microsoft Office Memory Corruption (CVE 2017-11882)

Vulnerability Description

Atlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack.

CVSS

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

Confluence Server and Data Center versions released before June 18, 2018, are vulnerable to this issue. A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. A successful attack is able to exploit this issue to achieve server-side template injection, path traversal, and RCE on vulnerable systems.

Multiple malware campaigns have taken advantage of this vulnerability; the most notable being GandCrab ransomware.

Fix

Patch Available

Recommended Mitigations

  • Download and install a fixed software version of the software from a vendor-approved resource.

Detection Methods

Vulnerable Technologies and Versions

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are vulnerable.

References

 

Table 9: CVE 2017-11882 Vulnerability Details

Microsoft Office Memory Corruption (CVE 2017-11882)

Vulnerability Description

Microsoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the "Microsoft Office Memory Corruption Vulnerability." 

Cyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phasing campaigns, and it enables RCE on vulnerable systems.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns

Microsoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as its own process and can accept commands from other processes.

Data execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker commands.

Multiple cyber espionage campaigns have taken advantage of this vulnerability. CISA has noted CVE-2017-11882 being exploited to deliver LokiBot malware.

Fix

Patch Available

Recommended Mitigations

Detection Methods

  • Microsoft Defender Antivirus, Windows Defender, Microsoft Security Essentials, and the Microsoft Safety Scanner will all detect and patch this vulnerability.

Vulnerable Technologies and Versions

  • Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are vulnerable.

References

 

Table 10: CVE 2019-11580 Vulnerability Details

Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE 2019-11580)

Vulnerability Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center.

Fix

Patch Available

Recommended Mitigations

  • Atlassian recommends customers running a version of Crowd below version 3.3.0 to upgrade to version 3.2.8. For customers running a version above or equal to 3.3.0, Atlassian recommends upgrading to the latest version.
  • Released Crowd and Crowd Data Center version 3.4.4 contains a fix for this issue and is available at https://www.atlassian.com/software/crowd/download.
  • Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 contain a fix for this issue and are available at https://www.atlassian.com/software/crowd/download-archive.

Detection Methods

Vulnerable Technologies and Versions

All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

References

 

Table 11: CVE 2018-7600 Vulnerability Details

Drupal Core Multiple Remote Code Execution (CVE 2018-7600)

Vulnerability Description

Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

An RCE vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system.

Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining.

Fix

Patch Available

Recommended Mitigations

  • Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1.

Detection Methods

Vulnerable Technologies and Versions

  • Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are affected.

References

 

Table 12: CVE 2019-18935 Vulnerability Details

Telerik UI for ASP.NET AJAX Insecure Deserialization (CVE 2019-18935)

Vulnerability Description

Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to  remote code execution attacks on affected web servers due to a deserialization vulnerability.

CVS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

The Telerik UI does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise. A vulnerable HTTP POST parameter rauPostData makes use of a vulnerable function/object AsyncUploadHandler. The object/function uses the JavaScriptSerializer.Deserialize() method, which not not properly sanitize the serialized data during the deserialization process. This issue is attacked by:

  1. Determining the vulnerable function is available/registered:  http://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau,
  2. Determining if the version running is vulnerable by querying the UI, and
  3. Creating an object (e.g., malicious mixed-mode DLL with native OS commands or Reverse Shell) and uploading the object via rauPostData parameter along with the proper encryption key.

There were two malware campaigns associated with this vulnerability:

  • Netwalker Ransomware and
  • Blue Mockbird Monero Cryptocurrency-mining.

Fix

Patch Available

Recommended Mitigations

  • Update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later).

Detection Methods

  • ACSC has an example PowerShell script that can be used to identify vulnerable Telerik UI DLLs on Windows web server hosts.
  • Vulnerable hosts should be reviewed for evidence of exploitation. Indicators of exploitation can be found in IIS HTTP request logs and within the Application Windows event log. Details of the above PowerShell script and exploitation detection recommendations are available in ACSC Advisory 2020-004.
  • Exploitation of this and previous Telerik UI vulnerabilities commonly resulted in the installation of web shell malware. NSA provides guidance on detecting and preventing web shell malware.

Vulnerable Technologies and Versions

Telerik UI for ASP.NET AJAX versions prior to R1 2020 (2020.1.114) are affected.

References

 

Table 13: CVE-2019-0604 Vulnerability Details

Microsoft SharePoint Remote Code Execution (CVE-2019-0604)

Vulnerability Description

A vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

This vulnerability was typically exploited to install webshell malware to vulnerable hosts. A webshell could be placed in any location served by the associated Internet Information Services (IIS) web server and did not require authentication. These web shells would commonly be installed in the Layouts folder within the Microsoft SharePoint installation directory, for example:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\<version_number>\Template\Layouts

The xmlSerializer.Deserialize() method does not adequately sanitize user input that is received from the PickerEnitity/ValidateEnity (picker.aspx) functions in the serialized XML payloads. Once the serialized XML payload is deserialized, the XML code is evaulated for relevant XML commands and stings. A user can attack .Net based XML parsers with XMLNS payloads using the <system:string> tag and embedding malicious operating system commands. 

The exploit was used in malware phishing and the WickrMe/Hello Ransomware campaigns.

Fix

Patch Available

Recommended Mitigations

  • Upgrade on-premise installations of Microsoft Sharepoint to the latest available version (Microsoft SharePoint 2019) and patch level.
  • On-premise Microsoft SharePoint installations with a requirement to be accessed by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible.

Detection Methods

  • The patch level of on-premise Microsoft SharePoint installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft SharePoint security advisory.
  • Vulnerable SharePoint servers should be reviewed for evidence of attempted exploitation. ACSC Advisory 2019-125 contains advice on reviewing IIS HTTP request logs for evidence of potential exploitation.
  • NSA provides guidance on detecting and preventing web shell malware.

Vulnerable Technologies and Versions

At the time of the vulnerability release, the following Microsoft SharePoint versions were affected: Microsoft Sharepoint 2019, Microsoft SharePoint 2016, Microsoft SharePoint 2013 SP1, and Microsoft SharePoint 2010 SP2.

References

 

Table 14: CVE-2020-0787 Vulnerability Details

Windows Background Intelligent Transfer Service Elevation of Privilege (CVE-2020-0787)

Vulnerability Description

The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns

To exploit this vulnerability, an actor would first need to have the ability to execute arbitrary code on a vulnerable Windows host.

Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher who discovered the vulnerability. If an actor left the proof of concept exploit’s working directories unchanged, then the presence of the following folders could be used as an indicator of exploitation:

C:\Users\<username>\AppData\Local\Temp\workspace
C:\Users\<username>\AppData\Local\Temp\workspace\mountpoint
C:\Users\<username>\AppData\Local\Temp\workspace\bait

The exploit was used in Maze and Egregor ransomware campaigns.

Fix

Patch Available

Recommended Mitigations

  • Apply the security updates as recommended in the Microsoft Netlogon security advisory.

Detection Methods

  • The patch level of all Microsoft Windows installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft BITS security advisory.

Vulnerable Technologies and Versions

Windows 7 for 32-bit and x64-based Systems Service Pack 1, 8.1 for 32-bit and x64-based systems, RT 8.1, 10 for 32-bit and x64-based Systems, 10 1607 for 32-bit and x64-based Systems, 10 1709 for 32-bit and x64-based and ARM64-based Systems, 10 1803 for 32-bit and ARM64-based and x64-based Systems, 10 1809 for 32-bit and ARM64-based and x64-based Systems, 10 1903 for 32-bit and ARM64-based and x64-based Systems, 10 1909 for 32-bit, and ARM64-based and x64-based Systems are vulnerable.

Windows Server 2008 R2 for x64-based Systems Service Pack 1, 2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation), 2008 for 32-bit Systems Service Pack 2, 2008 for 32-bit Systems Service Pack 2 (Server Core Installation), 2012, 2012 (Server Core Installation), 2012 R2, 2012 R2 (Server Core Installation), 2016, 2016 (Server Core Installation), 2019, 2019 (Server Core Installation), 1803 (Server Core Installation), 1903 (Server Core Installation), and 1909 (Server Core Installation) are also vulnerable.

References

 

Table 15: CVE-2020-1472 Vulnerability Details

Netlogon Elevation of Privilege (CVE-2020-1472)

Vulnerability Description

The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (VI) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer including a domain controller, and potentially obtain domain administrator privileges.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

To exploit this vulnerability, an actor would first need to have an existing presence on an internal network with network connectivity to a vulnerable Domain Controller, assuming that Domain Controllers are not exposed to the internet.

The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

Threat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks.

A nation-state APT group has been observed exploiting this vulnerability.[18]

Fix

Patch Available

Recommended Mitigations

  • Apply the security updates as recommended in the Microsoft Netlogon security advisory.

Detection Methods

  • The patch level of Domain Controllers should be reviewed for the presence of relevant security updates as outlined in the Microsoft Netlogon security advisory.
  • Reviewing and monitoring Windows Event Logs can identify potential exploitation attempts. However, further investigation would still be required to eliminate legitimate activity. Further information on these event logs is available in the ACSC 2020-016 Advisory.

Vulnerable Technologies and Versions

At the time of the vulnerability release, the following Microsoft Windows Server versions were vulnerable: all versions of Windows Server 2019; all versions of Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; and Windows Server versions 1909/1903/1809.

References

 

For additional general best practices for mitigating cyber threats, see the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity and ACSC’s Essential Eight mitigation strategies.

Additional Resources Free Cybersecurity Services

CISA offers several free cyber hygiene vulnerability scanning and web application services to help U.S. federal agencies, state and local governments, critical infrastructure, and private organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. For more information about CISA’s free services, or to sign up, email vulnerability_info@cisa.dhs.gov.

Cyber Essentials

CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Cyber.gov.au 

ACSC’s website provides advice and information about how to protect individuals and families, small- and medium-sized businesses, large organizations and infrastructure, and government organizations from cyber threats.

ACSC Partnership Program

The ACSC Partnership Program enables Australian organizations and individuals to engage with ACSC and fellow partners, drawing on collective understanding, experience, skills, and capability to lift cyber resilience across the Australian economy.

Australian organizations, including government and those in the private sector as well individuals, are welcome to sign up at Become an ACSC partner to join.

NCSC 10 Steps

The NCSC offers 10 Steps to Cyber Security, providing detailed guidance on how medium and large organizations can manage their security.

On vulnerabilities specifically, the NCSC has guidance to organizations on establishing an effective vulnerability management process, focusing on the management of widely available software and hardware.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

References Revisions
  • Initial Version: July 28, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

2021. július 20.

AA21-201A: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013

Original release date: July 20, 2021
Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

Note: CISA released technical information, including indicators of compromise (IOCs), provided in this advisory in 2012 to affected organizations and stakeholders.

This Joint Cybersecurity Advisory—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)—provides information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies.

CISA and the FBI provided incident response and remediation support to a number of victims of this activity. Overall, the U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion.

The U.S. Government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.

This advisory provides information on this campaign, including tactics, techniques, and procedures (TTPs) and IOCs. The TTPs remain relevant to help network defenders protect against intrusions. The IOCs are provided for historical awareness.

CISA and the FBI urge owners and operators of Energy Sector and other critical infrastructure (CI) networks to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this advisory, which include implementing network segmentation between IT and industrial control system (ICS)/operational technology (OT) networks. These mitigations will improve a CI entity’s defensive cyber posture and functional resilience by reducing the risk of compromise or severe operational degradation if the system is compromised by malicious cyber actors, including but not limited to actors associated with the campaign described in this advisory.

For more information on Chinese malicious cyber activity, see us-cert.cisa.gov/china.

Click here for a PDF version of this report.

Technical Details

In April 2012, CISA received reports about targeted attacks directed at multiple ONG pipeline sites; CISA (via a predecessor organization) and FBI provided incident response and remediation support to a number of victims from 2012 to 2013. CISA and FBI’s analysis of the malware and threat actor techniques identified that this activity was related to a spearphishing campaign. The U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted in this campaign. Of the 23 known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion.

Threat Actor Activity

The spearphishing activity appears to have started in late December 2011. From December 9, 2011, through at least February 29, 2012, ONG organizations received spearphishing emails [T1566.002] specifically targeting their employees. The emails were at constructed with a high level of sophistication to convince employees to view malicious files [T1204.002]. Note: see the appendix for a table of the MITRE ATT&CK tactics and techniques observed in this campaign.

In addition to spearphishing, CISA and the FBI were made aware of social engineering attempts by malicious actors believed to be associated with this campaign. The apparent goal was to gain sensitive information from asset owners [T1598]. One asset owner reported that individuals in their network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices. Other employees in other departments were not targeted. The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset. The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices. He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems. The caller was blocking his caller ID and when the targeted organization tried to return the call, they reached a number that was not in service.

During the investigation of these compromises, CISA and FBI personnel discovered that Chinese state-sponsored actors specifically collected [TA0009] and exfiltrated [TA0010] ICS-related information. The Chinese state-sponsored actors searched document repositories [T1213] for the following data types:

  • Document searches: “SCAD*”
  • Personnel lists
  • Usernames/passwords
  • Dial-up access information
  • System manuals

Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. Though designed for legitimate business purposes, these systems have the potential to be manipulated by malicious cyber actors if unmitigated. With this access, the Chinese state-sponsored actors could have impersonated legitimate system operators to conduct unauthorized operations. According to the evidence obtained by CISA and FBI, the Chinese state-sponsored actors made no attempts to modify the pipeline operations of systems they accessed. Note: there was a significant number of cases where log data was not available, and the depth of intrusion and persistent impacts were unable to be determined; at least 8 of 23 cases (35 percent) identified in the campaign were assessed as having an unknown depth of intrusion due to the lack of log data.

CISA and FBI assess that during these intrusions, China was successful in accessing the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies.

Chinese actors also gained information specific to dial-up access, including phone numbers, usernames, and passwords [T1120]. Dial-up modems continue to be prevalent in the Energy Sector, providing direct access into the ICS environment with little or no security and no monitoring, which makes them an optimal vector for hold-at-risk operations. The exfiltrated data provided the capabilities for the Chinese cyber actors to access ONG operational systems at a level where they could potentially conduct unauthorized operations.

Exfiltrated Information and Assessed Motives

The Chinese actors specifically targeted information that pertained to access of ICSs. Searches were made for terms involving “SCAD*,” and the actors exfiltrated documents, including personnel lists, usernames and passwords, dial-up access information, remote terminal unit (RTU) sites, and systems manuals. The Chinese actors also exfiltrated information pertaining to ICS permission groups and compromised jump points between corporate and ICS networks. The totality of this information would allow the actors to access ICS networks via multiple channels and would provide sufficient access to allow them to remotely perform unauthorized operations on the pipeline with physical consequences.

CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access. One victim organization set up a honeypot that contained decoy documents with content that appeared to be SCADA-related data and sensitive organizational information. According to this organization, the SCADA-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot. Other sensitive decoy information, including financial and business-related information, was ignored.

CISA and FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.

Indicators of Compromise

Table 1 lists indicators related to this spearphishing and intrusion campaign as of May 7, 2012, which are provided in this alert for historical completeness.

Table 1: IOCs from Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013

Type Indicator Filename Malware MD5:84873fae9cdecb84452fff9cca171004  ntshrui.dll   Malicious email content, including any attachments and/or message body fpso.bigish[.]net   Malware MD5:e12ce62cf7de42581c2fe1d7f36d521c  ntshrui.dll  

User agent string

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)   User agent string Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)   Named pipe ssnp   Possible command and control (C2) domain

<xxx>.arrowservice[.]net

Where xxx is the targeted company name abbreviation

  Malware MD5:7361a1f33d48802d061605f34bf08fb0   spoolsvd.exe Malware 5e6a033fa01739d9b517a468bd812162 AdobeUpdater.exe Malware e62afe2273986240746203f9d55496db ins.exe Malware ed92d1242c0017668b93a72865b0876b px.exe Malware 6818a9aef22c0c2084293c82935e84fe gh.exe Malware fcbbfadc992e265c351e54598a6f6dfb fslist.exe Malware 05476307f4beb3c0d9099270c504f055 u.exe Malware 54db65a27472c9f3126df5bf91a773ea slm.exe Malware a46a7045c0a3350c5a4c919fff2831a0 niu.exe Malware 60456fe206a87f5422b214369af4260e ccApp1.exe Malware d6eaadcbcf9ea9192db1bd5bb7462bf8 ntshrui.dll Malware 52294de74a80beb1e579e5bca7c7248a moonclient2.exe Malware e62afe2273986240746203f9d55496db inn.exe Malware 5e6a033fa01739d9b517a468bd812162 kkk.exe Malware 4a8854363044e4d66bf34a0cd331d93d inn.exe Malware 124ad1778c65a83208dbefcec7706dc6 AcroRD32.exe Malware 17199ddac616938f383a0339f416c890 iass.dll Malicious email sender address “(name of victim company official)@yahoo.com”   Malicious email content, including any attachments and/or message body “If not read this paper, pay attention.”   Malicious email hyperlinked probable malware The hyperlink indicated a “.zip” file and contained the words “quality specifications” in reference to a particular component or product unique to the victim U.S. corporation.   Malicious email signature block Contained the name, title, phone number, and corporate email address of an actual victim company official.   Malicious attachment name   Project-seems-clear-for-takeoff.zip Possible C2 domain <xxx>.arrowservice[dot]net
Where <xxx> may be the full name of the targeted company   Possible C2 domain <xxx>.federalres[.]org   Possible C2 domain <xxx>.businessconsults[.]net
Where <xxx> may be the targeted company name abbreviation or full name   Possible C2 domain idahoanad[dot]org   Possible C2 domain energyreview.strangled[.]net   Possible C2 domain blackcake[.]net    Possible C2 domain infosupports[.]com   Malware 7caf4dbf53ff1dcd5bd5be92462b2995 iTunesHelper.exe  Malware 99b58e416c5e8e0bcdcd39ba417a08ed Solarworldsummary.exe Malware f0a00cfd891059b70af96b807e9f9ab8 smss.exe Malware ea1b46fab56e7f12c4c2e36cce63d593 AcroRD32.exe Malicious email content, including any attachments and/or message body  3d28651bb2d16eeaa6a35099c886fbaa Election_2012_Analysis.pdf Possible C2 domain balancefitstudio[.]com   Possible C2 domain res.federalres[.]org   Possible C2 domain 18center[.]com   Possible C2 domain milk.crabdance[.]com   Possible C2 domain bargainblog[.com[.]au   Possible C2 domain etrace-it[.]com   Possible C2 domain picture.wintersline[.]com   Possible C2 domain wish.happyforever[.]com   Possible C2 domain mitchellsrus[.]com   Possible C2 domain un.linuxd[.]org   Malicious email content, including any attachments and/or message body    How_Can_Steelmakers_Compete_for_Growth_in_the_Steel_Sector_in_2012.zip Malicious email content, including any attachments and/or message body    (Company Name)_Summary.zip Malicious email content, including any attachments and/or message body  f5369e59a1ddca9b97ede327e98d8ffe Solarworldsummary.zip Malicious email content, including any attachments and/or message body    (Company Name)_to_Sell_RNGMS_to_(Company Name).zip Malicious email content, including any attachments and/or message body    Gift-Winter.zip Malicious email content, including any attachments and/or message body    Happy_New_Year.zip Malicious email content, including any attachments and/or message body    Debt_Crisis_Hits_US.zip Malicious email content, including any attachments and/or message body    01-12-RATEALERT.zip Malicious email content, including any attachments and/or message body  fni.itgamezone[.]net  

 

Mitigations

CISA and the FBI urge Energy Sector and other CI owners and operators to apply the following mitigations to implement a layered, defense-in-depth cyber posture. By implementing a layered approach, administrators will enhance the defensive cyber posture of their OT/ICS networks, reducing the risk of compromise or severe operational degradation if their system is compromised by malicious cyber actors.

  • Harden the IT/corporate network to reduce the risk of initial compromise.
    • Update all software, including operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system.
    • Replace all end-of-life software and hardware devices.
    • Restrict and manage remote access software. Remote access tools are a common method for threat actors to gain initial access and persistence on target networks.
      • Manage and restrict users and groups who are permitted to access remote capabilities. Permissions should be limited to users that require the capability to complete their duties.
      • Require multi-factor authentication (MFA) for remote access.
      • Limit access to resources over networks, especially by restricting Remote Desktop Protocol (RDP). If RDP is operationally necessary, restrict the originating sources and require MFA.
    • Enable strong spam filters to prevent phishing emails from reaching end users.
    • Implement unauthorized execution prevention by:
      • Disabling macro scrips from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
      • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common malware locations, such as temporary folders supporting popular internet browsers.
    • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.
    • Set antivirus/antimalware programs to regularly scan IT network assets using up-to-date signatures.
  • Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.
    • Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information refer to National Institute of Standard and Technology (NIST) Special Publication 800-82: Guide to ICS Security.
    • Use one-way communication diodes to prevent external access, whenever possible.
    • Set up demilitarized zones (DMZs) to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.
    • Employ reliable network security protocols and services where feasible.
    • Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users’ direct printer access.
  • Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally.
    • Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and filter routers and switches.
    • Implement network monitoring at key chokepoints—including egress points to the internet, between network segments, core switch locations—and at key assets or services (e.g., remote access services).
    • Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
    • Configure security incident and event monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
  • Implement the following additional ICS environment best practices:
    • Update all software. Use a risk-based assessment strategy to determine which ICS network and assets and zones should participate in the patch management program.
      • Test all patches in off-line text environments before implementation.
    • Implement application allowlisting on human machine interfaces.
    • Harden field devices, including tablets and smartphones.
    • Replace all end-of-life software and hardware devices.
    • Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
    • Restrict and manage remote access software. Require MFA for remote access to ICS networks.
    • Configure encryption and security for ICS protocols.
    • Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
    • Do not allow vendors to connect their devices to the ICS network. Use of a compromised device could introduce malware. 
    • Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies. 
    • Ensure robust physical security is in place to prevent unauthorized personal from accessing controlled spaces that house ICS equipment.
    • Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.
    • Manage the supply chain by adjusting the ICS procurement process to weigh cybersecurity heavily as part of the scoring and evaluation methodology. Additionally, establish contractual agreements for all outsourced services that ensure proper incident handling and reporting, security of interconnections, and remote access specifications and processes.
  • Implement the following additional best practices:
    • Implement IP geo-blocking, as appropriate.
    • Implement regular, frequent data backup procedures on both the IT and ICS networks. Data backup procedures should address the following best practices:
      • Ensure backups are regularly tested.
      • Store backups separately, i.e., backups should be isolated from network connections that could enable spread of malware or lateral movement.
      • Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt.
      • Retain backup hardware to rebuild systems in the even rebuilding the primary system is not preferred.
    • Implement a user training program to train employees to recognize spearphishing attempts, discourage users from visiting malicious websites or opening malicious attachments, and re-enforce appropriate user response to spearphishing emails.
APPENDIX: Tactics and Techniques

Table 2 provides a summary of the MITRE ATT&CK tactics and techniques observed in this campaign.

Table 2: Observed MITRE ATT&CK tactics and techniques

Tactic Technique Reconnaissance [TA0043] Phishing for Information [T1598] Initial Access [TA0001] Phishing: Spearphishing Link [T1566.002] Execution [TA0002] User Execution: Malicious File [T1204.002] Discovery [TA0007] Peripheral Device Discovery [T1120] Collection [TA0009] Information from Document Repositories [T1213] Exfiltration  [TA0010]   Revisions
  • Initial Version: July 20, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

2021. július 19.

AA21-200B: Chinese State-Sponsored Cyber Operations: Observed TTPs

Original release date: July 19, 2021
Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques and the D3FEND framework for referenced defensive tactics and techniques.

The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives.

This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.

To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization.

Click here for a PDF version of this report.

Technical DetailsTrends in Chinese State-Sponsored Cyber Operations

NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:

  • Acquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community’s practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.

  • Exploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:

  • Encrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.

Observed Tactics and Techniques

Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable JSON file is also available on the NSA Cybersecurity GitHub page.

Refer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.

Figure 1: Example of tactics and techniques used in various cyber operations.

 

Mitigations

NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:

  • Patch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.
    Note: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.

  • Enhance monitoring of network traffic, email, and endpoint systems. Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
  • Use protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.▪
Resources

Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber activity.

Disclaimer of Endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

Trademark Recognition

MITRE and ATT&CK are registered trademarks of The MITRE Corporation. • D3FEND is a trademark of The MITRE Corporation. • Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. • Pulse Secure is a registered trademark of Pulse Secure, LLC. • Apache is a registered trademark of Apache Software Foundation. • F5 and BIG-IP are registered trademarks of F5 Networks. • Cobalt Strike is a registered trademark of Strategic Cyber LLC. • GitHub is a registered trademark of GitHub, Inc. • JavaScript is a registered trademark of Oracle Corporation. • Python is a registered trademark of Python Software Foundation. • Unix is a registered trademark of The Open Group. • Linux is a registered trademark of Linus Torvalds. • Dropbox is a registered trademark of Dropbox, Inc.

APPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures

Note: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.

Tactics: Reconnaissance [TA0043]    

Table 1: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations

Threat Actor
Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Active Scanning [T1595

Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit.

Minimize the amount and sensitivity of data available to external parties, for example: 

  • Scrub user email addresses and contact lists from public websites, which can be used for social engineering, 

  • Share only necessary data and information with third parties, and 

  • Monitor and limit third-party access to the network. 

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.

Detect: 

  • Network Traffic Analysis

    • Connection Attempt Analysis [D3-CAA]

Isolate: 

  • Network Isolation

    • Inbound Traffic Filtering [D3-ITF]

Gather Victim Network Information [T1590]

 

Tactics: Resource Development [TA0042]

Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations

Threat Actor
Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Acquire Infrastructure [T1583]

 

Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.

 

Adversary activities occurring outside the organization’s boundary of control and view makes mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.

 

N/A

Stage Capabilities [T1608]

Obtain Capabilities [T1588]: 

Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks. 

Organizations may be able to identify malicious use of Cobalt Strike by:

  • Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human generated vice machine-generated traffic, which will be more uniformly distributed. 

  • Looking for the default Cobalt Strike TLS certificate. 

  • Look at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.

  • Review the traffic destination domain, which may be malicious and an indicator of compromise.

  • Look at the packet's HTTP host header. If it does not match with the destination domain, it may indicate a fake Cobalt Strike header and profile.

  • Check the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. If discovered, additional recovery and investigation will be required.

 

N/A Tactics: Initial Access [TA0001]

Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Detection and Mitigation Recommendations

Drive By Compromise [T1189]

Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.

  • Ensure all browsers and plugins are kept up to date.
  • Use modern browsers with security features turned on.
  • Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
  • Use adblockers to help prevent malicious code served through advertisements from executing. 
  • Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes. 
  • Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
  • Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).

Detect: 

  • Identifier Analysis
  • File Analysis
    • Dynamic Analysis [D3-DA]

Isolate: 

  • Execution Isolation
    • Hardware-based Process Isolation [D3-HBPI]
    • Executable Allowlisting [D3-EAL]
  • Network Isolation

Exploit Public-Facing Application [T1190]

Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[1] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources.
Chinese state-sponsored cyber actors have also been observed:

  • Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.

  • Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.

  • Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.

Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.

Additional mitigations include:

  • Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
  • Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
  • Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
  • Disable protocols using weak authentication.
  • Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: [Embracing a Zero Trust Security Model].
  • When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
  • Use automated tools to audit access logs for security concerns.
  • Where possible, enforce MFA for password resets.
  • Do not include Application Programing Interface (API) keys in software version control systems where they can be unintentionally leaked.

Harden:

  • Application Hardening [D3-AH]
  • Platform Hardening

Detect:

  • File Analysis [D3-FA
  • Network Traffic Analysis
    • Client-server Payload Profiling [D3-CSPP]
  • Process Analysis 
    • Process Spawn Analysis
    • Process Lineage Analysis [D3-PLA]

Isolate: 

  • Network Isolation
    • Inbound Traffic Filtering [D3-ITF]

Phishing [T1566]: 

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. 
These compromise attempts use the cyber actors’ dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment. 

  • Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.
  • Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.
  • Block uncommon file types in emails that are not needed by general users (.exe, .jar,.vbs)
  • Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
  • Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Prevent users from clicking on malicious links by stripping hyperlinks or implementing "URL defanging" at the Email Security Gateway or other email security tools.
  • Add external sender banners to emails to alert users that the email came from an external sender.

Harden: 

  • Message Hardening
    • Message Authentication [D3-MAN]
    • Transfer Agent Authentication [D3-TAAN]

Detect: 

  • File Analysis
    • Dynamic Analysis [D3-DA]
  • Identifier Analysis
  • Message Analysis
    • Sender MTA Reputation Analysis [D3-SMRA]
    • Sender Reputation Analysis [D3-SRA]
       

External Remote Services [T1133]

Chinese state-sponsored cyber actors have been observed:

  • Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.

  • Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).

  • Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including net, asp, apsx, php, japx, and cfm. 

Note: refer to the references listed above in Exploit Public-Facing Application [T1190] for information on CVEs known to be exploited by malicious Chinese cyber actors.


Note: this technique also applies to Persistence [TA0003].

  • Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.
  • Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.
  • Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).
  • Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.
  • Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.
  • Review and verify all connections between customer systems, service provider systems, and other client enclaves.

Harden:

Detect:

  • Network Traffic Analysis
    • Connection Attempt Analysis [D3-CAA]
  • Platform Monitoring [D3-PM]
  • Process Analysis
    • Process Spawn Analysis [D3-SPA
      • Process Lineage Analysis [D3-PLA]

Valid Accounts [T1078]:

Chinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks.

Note: this technique also applies to Persistence [TA0003], Privilege Escalation [TA0004], and Defense Evasion [TA0005].

  • Adhere to best practices for password and permission management.
  • Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only systems they manage 
  • Do not store credentials or sensitive data in plaintext.
  • Change all default usernames and passwords.
  • Routinely update and secure applications using Secure Shell (SSH). 
  • Update SSH keys regularly and keep private keys secure.
  • Routinely audit privileged accounts to identify malicious use.

Harden: 

  • Credential Hardening
    • Multi-factor Authentication [D3-MFA]

Detect:

  • User Behavior Analysis [D3-UBA]
    • Authentication Event Thresholding [D3-ANET
    • Job Function Access Pattern Analysis [D3-JFAPA]
Tactics: Execution [TA0002]

Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Command and Scripting Interpreter [T1059]: 

Chinese state-sponsored cyber actors have been observed:

  • Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).

  • Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. 

  • Employing Python scripts to exploit vulnerable servers.

  • Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.

PowerShell

  • Turn on PowerShell logging. (Note: this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)

  • Push Powershell logs into a security information and event management (SIEM) tool.

  • Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.

  • Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.

  • Remove PowerShell if it is not necessary for operations. 

  • Restrict which commands can be used.

Windows Command Shell

  • Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. 

  • Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. 

  • Monitor for and investigate other unusual or suspicious scripting behavior. 

Unix

  • Use application controls to prevent execution.

  • Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. 

  • If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. 

Python

  • Audit inventory systems for unauthorized Python installations.

  • Blocklist Python where not required.

  • Prevent users from installing Python where not required.

JavaScript

  • Turn off or restrict access to unneeded scripting components.

  • Blocklist scripting where appropriate.

  • For malicious code served up through ads, adblockers can help prevent that code from executing.

Network Device Command Line Interface (CLI)

  • Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.

  • Use an authentication, authorization, and accounting (AAA) systems to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.

  • Ensure least privilege principles are applied to user accounts and groups.

Harden: 

  • Platform Hardening [D3-PH]

Detect: 

  • Process Analysis

    • Script Execution Analysis [D3-SEA]

Isolate:

  • Execution Isolation

    • Executable Allowlisting [D3-EAL]

Scheduled Task/Job [T1053]

Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtask or crontab to create and schedule tasks that enumerate victim devices and networks.


Note: this technique also applies to Persistence [TA0003] and Privilege Escalation [TA0004].

•    Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
•    Configure event logging for scheduled task creation and monitor process execution from svchost.exe (Windows 10) and Windows Task Scheduler (Older version of Windows) to look for changes in %systemroot%\System32\Tasks that do not correlate with known software, patch cycles, or other administrative activity. Additionally monitor for any scheduled tasks created via command line utilities—such as PowerShell or Windows Management Instrumentation (WMI)—that do not conform to typical administrator or user actions. 

Detect: 

  • Platform Monitoring
    • Operating System Monitoring [D3-OSM]
      • Scheduled Job Analysis [D3-SJA]
      • System Daemon Monitoring [D3-SDM]
      • System File Analysis [D3-SFA]

Isolate: 

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]

User Execution [T1204]

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.

  • Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
  • Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • Use a domain reputation service to detect and block suspicious or malicious domains.
  • Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Ensure all browsers and plugins are kept up to date.
  • Use modern browsers with security features turned on.
  • Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.

Detect: 

  • File Analysis
  • Identifier Analysis
  • Network Traffic Analysis

Isolate: 

  • Execution Isolation
    • Hardware-based Process Isolation [D3-HBPI]
    • Executable Allowlisting [D3-EAL]
  • Network Isolation
Tactics: Persistence [TA0003]

Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Hijack Execution Flow [T1574]: 

Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. 

Note: this technique also applies to Privilege Escalation [TA0004] and Defense Evasion [TA0005].

  • Disallow loading of remote DLLs.
  • Enable safe DLL search mode.
  • Implement tools for detecting search order hijacking opportunities.
  • Use application allowlisting to block unknown DLLs.
  • Monitor the file system for created, moved, and renamed DLLs.
  • Monitor for changes in system DLLs not associated with updates or patches.
  • Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).

Detect: 

  • Platform Monitoring
    • Operating System Monitoring
      • Service Binary Verification [D3-SBV]
  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]

Isolate: 

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]

Modify Authentication Process [T1556]

  • Domain Controller Authentication [T1556.001]

Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.
Note: this technique also applies to Defense Evasion [TA0005] and Credential Access [TA0006].

  • Monitor for policy changes to authentication mechanisms used by the domain controller. 
  • Monitor for modifications to functions exported from authentication DLLs (such as cryptdll.dll and samsrv.dll).
  • Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. 
  • Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours). 
  • Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
  • Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.

Detect: 

  • Process Analysis [D3-PA]
  • User Behavior Analysis
    • Authentication Event Thresholding [D3-ANET]
    • User Geolocation Logon Pattern Analysis [D3-UGLPA]  

Server Software Component [T1505]: 

Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks. 

  • Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
  • Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
  • Perform integrity checks on critical servers to identify and investigate unexpected changes.
  • Have application developers sign their code using digital signatures to verify their identity.
  • Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.
  • Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.
  • If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
  • Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
  • Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
  • Establish, and backup offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
  • Employ user input validation to restrict exploitation of vulnerabilities.
  • Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
  • Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

Detect: 

  • Network Traffic Analysis
    • Client-server Payload Profiling [D3-CSPP]
    • Per Host Download-Upload Ratio Analysis [D3-PHDURA]
  • Process Analysis 
    • Process Spawn Analysis
      • Process Lineage Analysis [D3-PLA]

Isolate:

  • Network Isolation
    • Inbound Traffic Filtering [D3-ITF]

Create or Modify System Process [T1543]:

Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.

Note: this technique also applies to Privilege Escalation [TA0004].

  • Only allow authorized administrators to make service changes and modify service configurations. 
  • Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
  • Monitor WMI and PowerShell for service modifications.
Detect:
  • Process Analysis 
    • Process Spawn Analysis [D3-PSA]
Tactics: Privilege Escalation [TA0004]

Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Domain Policy Modification [T1484]

Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.

Note: this technique also applies to Defense Evasion [TA0005].

  • Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
  • Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.
  • Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.

Detect:

  • Network Traffic Analysis
    • Administrative Network Activity Analysis [D3-ANAA]
  • Platform Monitoring
    • Operating System Monitoring
      • System File Analysis [D3-SFA]

Process Injection [T1055]: 

Chinese state-sponsored cyber actors have been observed:

  • Injecting into the rundll32.exe process to hide usage of Mimikatz, as well as injecting into a running legitimate explorer.exe process for lateral movement.
  • Using shellcode that injects implants into newly created instances of the Service Host process (svchost)

Note: this technique also applies to Defense Evasion [TA0005].
 

  • Use endpoint protection software to block process injection based on behavior of the injection process.
  • Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
  • Monitor for suspicious sequences of Windows API calls such as CreateRemoteThread, VirtualAllocEx, or WriteProcessMemory and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
  • To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.
  • Execution Isolation
    • Hardware-based Process Isolation [D3-HBPI]
    • Mandatory Access Control [D3-MAC]
Tactics: Defense Evasion [TA0005]

Table VII: Chinese state-sponsored cyber actors’ Defensive Evasion TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Deobfuscate/Decode Files or Information [T1140]

Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.

  • Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
  • Consider blocking, disabling, or monitoring use of 7-Zip.

Detect: 

  • Process Analysis 
    • Process Spawn Analysis [D3-PSA]

Isolate: 

  • Execution Isolation
    • Executable Denylisting [D3-EDL]

Hide Artifacts [T1564]

Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.

  • Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
  • Monitor event and authentication logs for records of hidden artifacts being used.
  • Monitor the file system and shell commands for hidden attribute usage.

Detect: 

  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA

Isolate:

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]

Indicator Removal from Host [T1070]

Chinese state-sponsored cyber actors have been observed deleting files using rm or del commands.
Several files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.

  • Make the environment variables associated with command history read only to ensure that the history is preserved.
  • Recognize timestomping by monitoring the contents of important directories and the attributes of the files. 
  • Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.
  • Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.
  • Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.

Detect: 

  • Platform Monitoring
    • Operating System Monitoring
      • System File Analysis [D3-SFA]
  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA

Isolate:

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]

Obfuscated Files or Information [T1027]

Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.

Detect:

  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]

Signed Binary Proxy Execution [T1218]

Chinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as Rundll32, as a proxy to execute malicious payloads.

Monitor processes for the execution of known proxy binaries (e.g., rundll32.exe) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.

Detect:

  • Process Analysis

    • File Access Pattern Analysis [D3-FAPA]

    • Process Spawn Analysis [D3-PSA

Tactics: Credential Access [TA0006]

Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Exploitation for Credential Access [T1212]

Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.

  • Update and patch software regularly.

  • Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.

Harden: 

  • Platform Hardening

    • Software Update [D3-SU]

  • Credential Hardening

    • Multi-factor Authentication [D3-MFA]

OS Credential Dumping [T1003]
•    LSASS Memory [T1003.001]
•    NTDS [T1003.003]

Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory (NDST.DIT) for credential dumping.

  • Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NDST.DIT.

  • Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

  • Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.

  • Consider disabling or restricting NTLM. 

  • Consider disabling WDigest authentication. 

  • Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).

  • Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and requires hardware and firmware system requirements. 

  • Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.

Harden:

  • Credential Hardening [D3-CH]

Detect: 

  • Process Analysis

    • File Access Pattern Analysis [D3-FAPA]

    • System Call Analysis [D3-SCA]

Isolate: 

  • Execution Isolation

    • Hardware-based Process Isolation [D3-HBPI]

    • Mandatory Access Control [D3-MAC]

Tactics: Discovery [TA0007]

Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

File and Directory Discovery [T1083]

Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.

Detect: 

  • User Behavior Analysis

    • Job Function Access Pattern Analysis [D3-JFAPA]

  • Process Analysis 

    • Database Query String Analysis [D3-DQSA]

    • File Access Pattern Analysis [D3-FAPA]

    • Process Spawn Analysis [D3-PSA]

Permission Group Discovery [T1069]

Chinese state-sponsored cyber actors have been observed using commands, including net group and net localgroup, to enumerate the different user groups on the target network. 

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Detect: 

  • Process Analysis 

  • Process Spawn Analysis [D3-PSA]

    • System Call Analysis [D3-SCA]

  • User Behavior Analysis [D3-UBA]  

Process Discovery [T1057]

Chinese state-sponsored cyber actors have been observed using commands, including tasklist, jobs, ps, or taskmgr, to reveal the running processes on victim devices.

Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. 

Detect: 

  • Process Analysis 

    • Process Spawn Analysis [D3-PSA]

    • System Call Analysis [D3-SCA]

  • User Behavior Analysis [D3-UBA]

Network Service Scanning [T1046]

Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information.

•    Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation.
•    Use network intrusion detection and prevention systems to detect and prevent remote service scans such as Nbtscan or nmap.
•    Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.

Detect: 

  • Network Traffic Analysis

    • Connection Attempt Analysis [D3-CAA]

Isolate:

  • Network Isolation

    • Inbound Traffic Filtering [D3-ITF]

Remote System Discovery [T1018]

Chinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including ping, net group, and net user to enumerate target network information.

Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.

Detect: 

  • Process Analysis 

    • Process Spawn Analysis [D3-PSA]

  • User Behavior Analysis

    • Job Function Access Pattern Analysis [D3-JFAPA]

Tactics: Lateral Movement [TA0008]

Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Exploitation of Remote Services [T1210]

Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.

Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.

Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.

Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.

  • Disable or remove unnecessary services.

  • Minimize permissions and access for service accounts.

  • Perform vulnerability scanning and update software regularly.

  • Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.

Detect: 

  • Network Traffic Analysis

    • Remote Terminal Session Detection [D3-RTSD

  • User Behavior Analysis [D3-UBA]

Isolate:

  • Execution Isolation

    • Mandatory Access Control [D3-MAC]

Tactics: Collection [TA0009]

Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Archive Collected Data [T1560]

Chinese state-sponsored cyber actors used compression and encryption of exfiltration files into RAR archives, and subsequently utilizing cloud storage services for storage.

  • Scan systems to identify unauthorized archival utilities or methods unusual for the environment.

  • Monitor command-line arguments for known archival utilities that are not common in the organization's environment.

Detect: 

  • Process Analysis 

    • File Access Pattern Analysis [D3-FAPA]

    • Process Spawn Analysis [D3-PSA]

Isolate:

  • Execution Isolation

    • Executable Denylisting [D3-EDL]

Clipboard Data [T1115]

Chinese state-sponsored cyber actors used RDP and execute rdpclip.exe to exfiltrate information from the clipboard.

  • Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. excessive use of pbcopy/pbpaste (Linux) or clip.exe (Windows) run by general users through command line).

  • If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.

Detect:

  • Network Traffic Analysis

    • Remote Terminal Session Detection  [D3-RTSD]

Isolate:

  • Network Isolation

    • Inbound Traffic Filtering [D3-ITF]

    • Outbound Traffic Filtering [D3-OTF

Data Staged [T1074]

Chinese state-sponsored cyber actors have been observed using the mv command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

Detect: 

  • Process Analysis

    • File Access Pattern Analysis [D3-FAPA]

Email Collection [T1114]

Chinese state-sponsored cyber actors have been observed using the New-MailboxExportRequest PowerShell cmdlet to export target email boxes.

  • Audit email auto-forwarding rules for suspicious or unrecognized rulesets.

  • Encrypt email using public key cryptography, where feasible.

  • Use MFA on public-facing mail servers.

Harden:

  • Credential Hardening

    • Multi-factor Authentication [D3-MFA]

  • Message Hardening

Detect: 

  • Process Analysis [D3-PA]

Tactics: Command and Control [TA0011]

Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations

Threat Actor Technique /
Sub-Techniques
  Threat Actor Procedure(s) Detection and Mitigation Recommendations Defensive Tactics and Techniques

Application Layer Protocol [T1071]

Chinese state-sponsored cyber actors have been observed:

  • Using commercial cloud storage services for command and control.

  • Using malware implants that use the Dropbox® API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive® API.

Use network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.

Detect: 

  • Network Traffic Analysis

    • Client-server Payload Profiling [D3-CSPP]

    • File Carving [D3-FC]

Isolate: 

  • Network Isolation

Ingress Tool Transfer [T1105]

Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances. Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.

  • Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. 

  • Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.

  • Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.

Isolate:

  • Network Isolation

    • Inbound Traffic Filtering [D3-ITF]

Non-Standard Port [T1571]

Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. 

  • Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.

  • Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.

  • Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.

Detect:  

  • Network Traffic Analysis

    • Client-server Payload Profiling [D3-CSPP]

    • Protocol Metadata Anomaly Detection [D3-PMAD]

Isolate:

  • Network Isolation

    • Inbound Traffic Filtering [D3-ITF]

    • Outbound Traffic Filtering [D3-OTF]

Protocol Tunneling [T1572]

Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and dns2tcp.exe to conceal C2 traffic with existing network activity. 

  • Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.

  • Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.

  • Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) 

Detect: 

  • Network Traffic Analysis

    • Protocol Metadata Anomaly Detection [D3-PMAD]

Proxy [T1090]: 

Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.

Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.

  • Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.

  • Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.

Detect: 

  • Network Traffic Analysis

    • Protocol Metadata Anomaly Detection [D3-PMAD]

    • Relay Pattern Analysis [D3-RPA]

Isolate: 

  • Network Isolation

    • Outbound Traffic Filtering [D3-OTF]

Appendix B: MITRE ATT&CK Framework 

Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors (Click here for the downloadable JSON file.) 

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

Media Inquiries / Press Desk:
•    NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov
•    CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov
•    FBI National Press Office, 202-324-3691, npo@fbi.gov

References Revisions
  • July 19, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

2021. július 19.

AA21-200A: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department

Original release date: July 19, 2021
Summary

This Joint Cybersecurity Advisory was written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide information on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. This advisory provides APT40’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.

APT40—aka BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper—is located in Haikou, Hainan Province, People’s Republic of China (PRC), and has been active since at least 2009. APT40 has targeted governmental organizations, companies, and universities in a wide range of industries—including biomedical, robotics, and maritime research—across the United States, Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China’s Belt and Road Initiative.

On July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for their illicit computer network exploitation (CNE) activities via front company Hainan Xiandun Technology Development Company (Hainan Xiandun). Hainan Xiandun employee Wu Shurong cooperated with and carried out orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to conduct CNE. Wu’s CNE activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments. These MSS-affiliated actors targeted victims in the following industries: academia, aerospace/aviation, biomedical, defense industrial base, education, government, healthcare, manufacturing, maritime, research institutes, and transportation (rail and shipping).

Click here for a PDF version of this report.

Technical Details

This Joint Cybersecurity Advisory uses the MITRE ATT&CK® framework, version 9. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.

APT40 [G0065] has used a variety of tactics and techniques and a large library of custom and open-source malware—much of which is shared with multiple other suspected Chinese groups—to establish initial access via user and administrator credentials, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. Table 1 provides details on these tactics and techniques. Note: see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity.

Table 1: APT40 ATT&CK Tactics and Techniques

Tactics Activities and Techniques  Reconnaissance [TA0043]
 and
 Resource Development [TA0042]
  • Gathered victim identity information [T1589] by collecting compromised credentials [T1589.001
  • Acquire infrastructure [T1583] to establish domains that impersonate legitimate entities [T1583.001], aka ‘typosquatting’, to use in watering hole attacks and as command and control (C2) [TA0011] infrastructure
  • Establish new [T1585.002] and compromise existing [T1586.002] email and social media accounts [1585.001] to conduct social engineering attacks
 Initial Access [TA0001]
  • External remote services (e.g., virtual private network [VPN] services) [T1133]
  • Spearphishing emails with malicious attachments [T1566.001] and links [T1566.002]
  • Drive-by compromises [T1189] and exploitation of public-facing applications [T1190]
  • Access to valid [T1078], compromised administrative [T1078.001] accounts
 Execution [TA0002]  
  • Command and scripting interpreters [T1059] such as PowerShell [T1059.001]
  • Exploitation of software vulnerabilities in client applications to execute code [T1203] using lure documents that dropped malware exploiting various Common Vulnerabilities and Exposures (CVEs)
  • User execution [T1204] of malicious files [T1204.002] and links [T1566.002] attached to spearphishing emails [T1566.001]
 Persistence [TA0003],
 Privilege Escalation [TA0004],
 Credential Access [TA0006],
 Discovery [TA0007],
 and
 Lateral Movement [TA0008]

APT40 has used a combination of tool frameworks and malware to establish persistence, escalate privileges, map, and move laterally on victim networks. Additionally, APT40 conducted internal spearphishing attacks [T1534].

  • BADFLICK/Greencrash
  • China Chopper [S0020]
  • Cobalt Strike [S0154]
  • Derusbi/PHOTO [S0021]
  • Gh0stRAT [S0032]
  • GreenRAT
  • jjdoor/Transporter
  • jumpkick
  • Murkytop (mt.exe) [S0233]
  • NanHaiShu [S0228]
  • Orz/AirBreak [S0229]
  • PowerShell Empire [S0363]
  • PowerSploit [S0194]
  • Server software component: Web Shell [TA1505.003]
 Defense Evasion [TA0005],
 Command and Control [TA0011],
 Collection [TA0009],
 and
 Exfiltration [TA0010]  
  • Use of steganography [T1027.003] to hide stolen data inside other files stored on GitHub
  • Protocol impersonation [T1001.003] by using Application Programming Interface (API) keys for Dropbox accounts in commands to upload stolen data to make it appear that the activity was a legitimate use of the Dropbox service
  • Protocol tunneling [T1572] and multi-hop proxies [T1090.003], including the use of Tor [S0183]
  • Use of domain typosquatting for C2 infrastructure [T1583.001]
  • Archive [T1560], encrypt [T1532], and stage collected data  locally [T1074.001] and remotely [T1074.002] for exfiltration
  • Exfiltration over C2 channel [T1041]
MitigationsNetwork Defense-in-Depth

Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk. The following guidance may assist organizations in developing network defense procedures.

Patch and Vulnerability Management
  • Install vendor-provided and verified patches on all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers and software processing internet data—such as web browsers, browser plugins, and document readers.
  • Ensure proper migrating steps or compensating controls are implemented for vulnerabilities that cannot be patched in a timely manner.
  • Maintain up-to-date antivirus signatures and engines.
  • Routinely audit configuration and patch management programs to ensure the ability to track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect resources and information systems.
  • Review the articles in the References section for more information on Chinese APT exploitation of common vulnerabilities.
Protect Credentials
  • Strengthen credential requirements, regularly change passwords, and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Do not reuse passwords for multiple accounts. 
  • Audit all remote authentications from trusted networks or service providers.
  • Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems.
  • Log use of system administrator commands such as net, ipconfig, and ping.
  • Enforce principle of least privilege.
Network Hygiene and Monitoring
  • Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activities. 
  • Actively monitor server disk use and audit for significant changes.
  • Log Domain Name Service (DNS) queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS.
  • Develop and monitor the network and system baselines to allow for the identification of anomalous activity. Audit logs for suspicious behavior.
  • Identify and suspend access of users exhibiting unusual activity.
  • Use allowlist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.
  • Leverage multi-sourced threat-reputation services for files, DNS, URLs, IP addresses, and email addresses.
  • Network device management interfaces—such as Telnet, Secure Shell (SSH), Winbox, and HTTP—should be turned off for wide area network (WAN) interfaces and secured with strong passwords and encryption when enabled.
  • When possible, segment critical information on air-gapped systems. Use strict access control measures for critical data. 
APPENDIX: APT40 Indicators of Compromise

APT40 used the following domains, file names, and malware MD5 hash values to facilitate the CNE activity outlined in this CSA between 2009 through 2018.

 

Domains airbusocean[.]com https://pastebin[.]com/vfb5mbbu pacifichydrologic[.]org cargillnotice[.]com huntingtomingalls[.]com philippinenewss[.]com ccidmeekparry[.]info indiadigest[.]in philstarnotice[.]com ccvzvhjhdf[.]website jack-newnb[.]com porndec143.chickenkiller[.]com cdigroups[.]com kAty197.chickenkiller[.]com santaclarasystem[.]us checkecc[.]com louisdreyfu[.]com scsnewstoday[.]com chemscalere[.]com mail2.ignorelist[.]com secbkav[.]com cnnzapmeta[.]com masterroot[.]pw Soure7788.chickenkiller[.]com corycs[.]com microsql-update[.]info tccoll[.]com deltektimes[.]com mihybb[.]com teledynegroup[.]com Engaction[.]com mlcdailynews[.]com teledyneinstrument[.]com ens-smithjonathan.rhcloud[.]com movyaction[.]net testdomain2019.chickenkiller[.]com fishgatesite.wordpress[.]com msusanode[.]com thestar[.]live goo2k88yyh2.chickenkiller[.]com newbb-news[.]com thrivedataview[.]com gttdoskip[.]com nfmybb[.]com thyssemkrupp[.]com http://gkimertds.wordpress[.]com/feed/ nmw4xhipveaca7hm[.]onion.link/en_US/all.js thyssenkrupp-marinesystems[.]org http://stackoverflow[.]com/users/3627469/angle-swift nobug[.]uk.to togetno992.mooo[.]com http://stackoverflow[.]com/users/3804206/swiftr-angle notesof992.wordpress[.]com tojenner97.chickenkiller[.]com http://stackoverflow[.]com/users/3863346/gkimertdssdads onlinenewspapers[.]club trafficeco[.]com vser.mooo[.]com onlineobl[.]com transupdate[.]com https://pastebin[.]com/p1mktQpD oyukg43t[.]website troubledate[.]com ultrasocial[.]info wsmcoff[.]com xbug.uk[.]to usdagroup[.]com www.yorkshire-espana-sa[.]com/english/servicios/ yootypes[.]com   https://github[.]com/slotz/sharp-loader/commit/f9de338fb474fd970a7375030642d04179b9245d    

MD5 Malware Hashes  

01234c0e41fc23bb5e1946f69e6c6221

018d3c34a296edd32e1b39b7276dcf7f

019b68e26df8750e2f9f580b150b7293

01fa52a4f9268948b6c508fef0377299

022bd2040ec0476d8eb80d1d9dc5cc92

039d9ca446e79f2f4310dc7dcc60ec55

043f6cdca33ce68b1ebe0fd79e4685af

04918772a2a6ccd049e42be16bcbee39

04dc4ca70f788b10f496a404c4903ac6

060067666435370e0289d4add7a07c3b

062c759d04106e46e027bbe3b93f33ef

07083008885d2d0b31b137e896c7266c

079068181a728d0d603fe72ebfc7e910

0803f8c5ee4a152f2108e64c1e7f0233

09143a14272a29c56ff32df160dfdb30

0985f757b1b51533b6c5cf9b1467f388

09aab083fb399527f8ff3065f7796443

0b7bb3e23a1be2f26b9adf7004fc6b52

0b9a614a2bbc64c1f32b95988e5a3359

0bbe092a2120b1be699387be16b5f8fb

0bbe769505ca3db6016da400539f77aa

0c3c00c01f4c4bad92b5ba56bd5a9598

0c4fa4dfbe0b07d3425fea3efe60be1c

0ca936a564508a1f9c91cb7943e07c30

0d69eefede612493afd16a7541415b95

0da08b4bfe84eacc9a1d9642046c3b3c

0dd7f10fdf60fc36d81558e0c4930984

0e01ec14c25f9732cc47cf6344107672

10191b6ce29b4e2bddb9e57d99e6c471

105757d1499f3790e69fb1a41e372fd9

207e3c538231eb0fd805c1fc137a7b46

20e52d2d1742f3a3caafbac07a8aa99a

226042db47bdd3677bd16609d18930bd

22823fed979903f8dfe3b5d28537eb47

2366918da9a484735ec3a9808296aab8

239a22c0431620dc937bc36476e5e245

2499390148fc99a0f38148655d8059e7

24dbcd8e8e478a35943a05c7adfc87cc

25a06ab7675e8f9e231368d328d95344

25b79ba11f4a22c962fea4a13856da7f

25fc4713290000cdf01d3e7a0cea7cef

2639805ae43e60c8f04955f0fe18391c

270df5aab66c4088f8c9de29ef1524b9

280e5a3b9671db31cf003935c34f8cf9

28366de82d9c4441f82b84246369ad3b

28628f709a23d5c02c91d6445e961645

28c6f235946fd694d2634c7a2f24c1ba

29c1b4ec0bc4e224af2d82c443cce415

2b8a06d1de446db3bbbd712cdb2a70ce

2bf998d954a88b12dbec1ee96b072cb9

2c408385acdb04f0679167223d70192b

2c9737c6922b6ca67bf12729dcf038f9

2dd9aab33fcdd039d3a860f2c399d1b1

2de0e31fda6bc801c86645b37ee6f955

2e5b59c62e6e2f3b180db9453968d817

2ee7168c0cc6e0df13d0f658626474bb

2eee367a6273ce89381d85babeae1576

2f0a52ce4f445c6e656ecebbcaceade5

2f9995bc34452c789005841bc1d8da09

30701b1d1e28107f8bd8a15fcc723110

31a72e3bf5b1d33368202614ffd075db

3389dae361af79b04c9c8e7057f60cc6

33d18e29b4ecc0f14c20c46448523fc8

46e80d49764a4e0807e67101d4c60720

480f3a13998069821e51cda3934cc978

48101bbdd897877cc62b8704a293a436

48548309036005b16544e5f3788561dc

4a23e0f2c6f926a41b28d574cbc6ac30

4ab825dc6dabf9b261ab1cf959bfc15d

4b18b1b56b468c7c782700dd02d621f4

4b93159610aaadbaaf7f60bea69f21a4

4beb3f7fd46d73f00c16b4cc6453dcdb

4dd6eab0fa77adb41b7bd265cfb32013

4e79e2cade96e41931f3f681cc49b60a

4ef1c48197092e0f3dea0e7a9030edc8

503f8dc2235f96242063b52440c5c229

50527c728506a95b657ec4097f819be6

5064dc5915a46bfa472b043be9d0f52f

513f559bf98e54236c1d4379e489b4bc

51e21a697aec4cc01e57264b8bfaf978

51f31ed78cec9dbe853d2805b219e6e7

52b0f7d77192fe6f08b03f0d4ea48e46

53ceeaf0a67239b3bc4b533731fd84af

56a9ff904b78644dee6ef5b27985f441

56b18ba219c8868a5a7b354d60429368

56d6d3aa1297c62c6b0f84e5339a6c22

57849bb3949b73e2cd309900adafc853

5826e0bd3cd907cb24c1c392b42152ca

5875dfe9a15dd558ef51f269dcc407b5

58e7fd4530a212b05481f004e82f7bc1

5957ef4b609ab309ea2f17f03eb78b2d

5984955cbc41b1172ae3a688ab0246c5

59ce71ffb298a5748c3115bc834335bf

5a8d488819f2072caed31ead6aeaf2fc

5acac898428f6d20f6f085d79d86db9c

5b2cddac9ebd7b0cd3f3d3ac15026ffb

6f6d12da9e5cf8b4a7f26e53cc8e9fbd

700d2582ccb35713b7d1272aa7cfc598

70206725df8da51f26d6362e21d8fadb

70e0052d1a2828c3da5ae3c90bc969ea

7204c1f6f1f4698ac99c6350f4611391

72a7fd2b3d1b829a9f01db312fdd1cd7

7327993142260cee445b846a12cf4e85

7525bc47e2828464ce07fa8a0db6844f

76adaa87f429111646a27c2e60bda61e

76c5dca8dc9b1241b8c9a376abab0cc5

782202b09f72b3cfdc93ffb096ca27de

7836c4a36cc66d4bcbd84abb25857d21

78a0af31a5c7e4aee0f9acde74547207

7969dc3c87a3d5e672b05ff2fe93f710

7a09bf329b0b311cc552405a38747445

7a63ea3f49a96fa0b53a84e59f005019

7b3f959ab775032a3ca317ebb52189c4

7b710f9731ad3d6e265ae67df2758d50

7bd10b5c8de94e195b7da7b64af1f229

7c036ba51a3818ddc8d51cf5a6673da4

7c49efe027e489134ec317d54de42def

7d63f39fb0100a51ba6d8553ef4f34de

7ef6802fc9652d880a1f3eaf944ce4a3

7f7d726ea2ed049ab3980e5e5cb278a3

7fe679c2450c5572a45772a96b15fcb1

83076104ae977d850d1e015704e5730a

8361b151c51a7ad032ad20cecf7316f4

838ceb02081ac27de43da56bec20fc76

84865f8f1a2255561175ab12d090da7c

8520062de440b75f65217ff2509120f7

85862c262c087dd4470bb3b055ef8ea5

85e5b11d79a7570c73d3aa96e5a4e84d

85ecef9ca15e25835a9300a85f9bcd2a

9d3fd2ff608e79101b09db9e361ea845

9d5206f692577d583b93f1c3378a7a90

9e592d0918c029aa49635f03947026e8

9f847b3618b31ef05aebd81332067bd8

9fdd77dc358843af3d7b3f796580c29d

a025881cd4ae65fab39081f897dc04fd

a0e3561633bdf674b294094ffa06a362

a13715be3d6cbd92ed830a654d086305

a2256f050d865c4335161f823b681c24

a26e600652c33dd054731b4693bf5b01

a2c66a75211e05b20b86dd90ba534792

a2cb95be941b94f5488eab6c2eec7805

a320510258668504ed0140e7b58ee31e

a34db95c0fcb78d9c5452f81254224eb

a3c0151e0b6289376f383630a8014722

a42a91354d605165d2c1283b6b330539

a4711b8414445d211826b4da3f39de0a

a4a70ce528f64521c3cd98dce841f6f3

a5ac89845910862cfef708b20acd0e44

a67fcb5dcfc9e3cfbfd7890e65d4f808

a68bf5fce22e7f1d6f999b7a580ae477

a6b9bbb87eb08168fc92271f69fa5825

a6cab9f2e928d71ed8ecf2c28f03a9a2

a7e4f42ad70ddd380281985302573491

a83b1aed22de71baee82e426842eeb48

a91dca76278cf4f4155eb1b0fc427727

a96dca187c3c001cad13440c3f7e77e8

aa73e7056443f1dd02480a22b48bdd46

aaafb1eeee552b0b676a5c6297cfc426

ab662cee6419327de86897029a619aeb

ab8f72562d02156273618d1f3746855c

abdb86d8b58b7394be841e0a4da9bec7

ace585625de8b3942cc3974cf476f8de

beea0da01409b73be94b8a3ef01c4503

befc121916f9df7363fead1c8554df9a

bf250a8c0c9a820cd1a21e3425acfe37

bfb0dcd9ef6ac6e016a8a5314d4ef637

bff56d7e963ea28176b0bcb60033635d

c05e5bc5adb803b8a53cff7f95621c73

c0ad63a680fbdc75d54b270cbedb4739

c0d9f3a67a8df0ed737ceb9e15bacc47

c112456341a1c5519e7039ce0ba960fa

c161f10fccecec67c589cdd24a05f880

c183e7319f07ccc591954068e15095db

c2e023b46024873573db658d7977e216

c380675a29f47dba0b1401c7f8e149dc

c3996bf709cad38d58907da523992e3b

c583ae5235ddea207ac11fff4af82d9b

c71f125fb385fed2561f3870b4593f18

c75a2b191da91114ceea80638bc54030

c78ee46ffbe5dd76d84fb6a74bf21474

c79b27fe1440b11a99a5611c9d6c6a78

c808d2ed8bb6b2e3c06c907a01b73d06

c8930a4fd33dcf18923d5cf0835272bd

c8940976a63366f39cfcdc099701093b

c89e8f0bc93d472a4f863a5fa7037286

c8a850a027fa4a3cdae7f87cc1c71ba0

cab21cb7ba1c45a926b96a38b0bdaaef

cbe63b9c0c9ac6e8c0f5b357df737c5e

cbfc1587f89f15a62f049e9e16cccf68

cd049c2b76c73510ae70610fd1042267

cd058dd28822c72360bc9950a6c56c45

cd427b4afea8032c77e907917608148a

cd81267e9c82d24a9f40739fa6bf1772

cdc22f7913eb93d77d629e59ac2dc46a

cdc585a1fd677da07163875cd0807402

e0b7e6c17339945bba43b8992a143485

e119a70f50132ae3afba3995fdf1aca6

e1512a0bf924c5a2b258ec24e593645a

e195d22652b01a98259818cfbab98d33

e1ab3358b5356adefaffbc15bc43a3f9

e1b840bbf5b54aeb19e6396cab8f4c6a

e26a29c0fc11cfb92936ab3374730b79

e284c25c50ba59d07a4fa947dc1a914a

e3867f6e964a29134c9ea2b63713f786

e3eb703ef415659f711b6bc5604e131e

e498718fd286aca7bb78858f4636f2db

e4d2c63a73a0f1c6b5e60bde81ac0289

e5478fb5e8d56334d19d43cae7f9224a

e5f7efcee5b15cf95a070a5cd05dbda9

e6348ee5beb9c581eeeaf4e076c5d631

e637f47c4f17c01a68539fcfcc4bc44f

e63fbc864b7911be296c8ee0798f6527

e68f9b39caf116fb108ccb5c9c4ce709

e6a757114c0940b6d63c6a5925ade27f

e6adc73df12092012f8cd246ba619f90

e8881037f684190d5f6cc26aab93d40f

e890fa6fd8a98fec7812d60f65bf1762

e8bc927ee0ae288609e1c37665a3314e

e8e73156316df88dee28214fb203658b

e957c36c9d69d6a8256b6ddf7f806f56

e9ce9b35e2386bf442e22a49243a647e

eadcae9ecba1097571c8d08e9b1c1a9c

eb06648b43d34f20fc1c40e509521e99

eb5e5db77540516e6400a7912ad0ef0d

eb5e999753f5ea094d59bdae0c66901c

eb5ee94048730b321e35394a0fb10a5d

eb64867dc48f757f0afe05dbf605b72d

eb88f415336f0dccedfc93405330c561

fae03ff044d6bb488e1a6f1c6428c510

fc2142bd72bd520338f776146903be67

fc9b8262905a80cc5381d520813d556d

fccd3de1df131f9d74949d69426c24af

fcd912fd7ed80e2cdf905873c6ced4ad

ff804e266a83974775814870cc49b66b

11166f8319c08c70fc886433a7dac92d

1223302912ec70c7c8350268a13ad226

139e071dd83304cdcfd5280022a0f958

13c93dc9186258d6c335b16dc7bb3c8c

14e2b0e47887c3bfbddb3b66012cb6e8

15437cfedfc067370915864feec47678

15e1816280d6c2932ff082329d0b1c76

166694d13ac463ea1c2bed64fbbb7207

16a344cd612cca4f0944ba688609e3ac

16c0011ea01c4690d5e76d7b10917537

1734a2b176a12eba8b74b8ca00ef1074

18144e860d353600bbd2e917aed21fde

1815c3a7a4a6d95f9298abb5855a3701

181a5b55b7987b62b5236965f473ba3b

18c26c5800e9e2482f1507c96804023e

1932ce50b7b6c88014cf082228486e5c

1af78c50aca90ee3d6c3497848ac5705

1b44fb4aaff71b1f96cd049a9461eaf5

1bb8f32e6e0e089d6a9c10737cf19683

1c35a87f61953baace605fff1a2d0921

1c945a6b0deccc6cd2f63c31f255d0ec

1cb216777039fe6a8464fc6a214c3c86

1d3a10846819a07eef66deefcc33459a

1dd6c80b4ea5d83aff4480dcbbef520c

1e91f0f52994617651e9b4a449af551a

1eb568559e335b3ed78588e5d99f9058

1ef9c42efe6e9a08b7ebb16913fa0228

1f2befede815fcf65c463bf875fcf497

1f9bdc0435ff0914605f01db8ca77a65

1ffd883095ff3279b31650ca3a50ad3c

34521c0f78d92a9d95e4f3ff15b516db

34681367cbcc3933f0f4b36481bde44e

34aa195c604d0725d7dd2aa4cc4efe28

354b95e858bcaced369ecbfdec327e2b

35f456afbe67951b3312f3b35d84ff0a

3647d11c155d414239943c8c23f6e8ec

37578c69c515f1d0d49769930fba25ce

375cbb0a88111d786c33510bff258a21

37b9b4ed979bd2cf818e2783499bfb5e

3810a18650dbacecd10d257312e92f61

3975740f65c2fa392247c60df70b1d6d

3a4ec0d0843769a937b5dadbe8ea56b1

3ab6bf23d5d244bc6d32d2626bd11c08

3bf8bb90d71d21233a80b0ec96321e90

3c2fe2dbdf09cfa869344fdb53307cb2

3c3d453ecf8cc7858795caece63e7299

3cbb46065f3e1dccbd707c340f38ce6b

3cf9dc0fdc2a6ab9b6f6265dc66b0157

3e89c56056e5525bf4d9e52b28fbbca7

3eb6f85ac046a96204096ab65bbd3e7e

3f50eedf4755b52aa7a7b740bd21daa6

3fefa55daeb167931975c22df3eca20a

4012acd80613aaa693a5d6cd4e7239ba

40528e368d323db0ac5c3f5e1efe4889

407c1ea99677615b80b2ffa2ed81d513

417949c717f78dc9e55ca81a5f7ade3e

4260e71d89f622c6a3359c5556b3aad7

429c10429a2ebb5f161e04159a59cf5b

4315975499cdc50098dbdb5b8aa4a199

44fa9c5df4ae20c50313aae02ba8fb95

4519b5d443a048a8599144900c4e1f28

45eb058edde4e5755a5ea1aff3ce3db7

460dc00ce690efacb5db8273c80e2b23

5b3050df93629f2f6cb3801ed19963c5

5b37ac4d642b96c4bf185c9584c0257a

5b3e945cd32a380f09ea98746f570758

5b72df8f6c110ae1d603354fcd8fe104

5c6f5cd81b099014718056e86b510fa2

5d63a3a02df2beda9d81f53abbd8264a

5d9c3cb239fa24bed2781bcf2898f153

5e353d1d17720c0f7c93f763e3565b3f

5f1c7f267fbe12210d3c80944f840332

5f393838220a6bf0cd9fd59c7cf97f5b

5f771966ef530ee0c2b42ef5cc46ad3a

6034ff91b376d653dc30f79664915b4e

603935efa89d93ea39b4b4d4a52ec529

607ea06890a6eedd723f629133576f20

60b2ce5ef4a076d1fa8675b584c27987

60cff7381b8fb64602816f9e5858930b

614909c72fa811ae41ea3d9b70122cee

6372d578e881abf76a4ec61e7a28da7d

63bf28f5dc6925a94c8b4e033a95be10

646cbeb4233948560ac50de555ea85ca

64db8e54d9a2daaa6d9cf156a8b73c18

675fe822243dfd1c3ace2a071d0aa6dd

67dbecfb5e0f2f729e57d0f1eda82c67

685cbba8cf2584a3378d82dec65aa0bb

693a4c2fcaa67fb87e62f150fb65e00e

6ad33ab8b9ff3f02964a8aab2a40ebb5

6b540be7ac7159104b0ffa536747f1bf

6b7276e4aa7a1e50735d2f6923b40de4

6b930be55ed4bf8e16b30eadc3873dfd

6c67f275d50f6bfee4848de6d4911931

6c9cfada134ede220b75087c7698ebf2

6e843ef4856336fe3ef4ed27a4c792b1

6e97bf1b7c44edc66622b43e81105779

86e50d6dc28283dbd295079252787577

870fbad5b9a54cb6720c122d1fa321ec

88b3b94574ba1eeb711a66eb04021eed

8956a045306b672d3cc852419a72c4b0

8a9ac1b3ef2bf63c2ddfadbbbfd456b5

8b3b96327fbddebefe727ac2edad5714

8baa499b3e2f081ff47f8cf06a5e7809

8bc20fcd09adb7ea86dda2c57477633b

8be0c21b6ee56d0f68e0d90f7d0a26d7

8c80dd97c37525927c1e549cb59bcbf3

8d2416d9f6926fb0dc12ab5dafef691d

8d74922b2b31354ce588cefac71d9a9b

8e8fb7632c3a7e96cf0ea5299d564018

8ee6c9e1adb71b2623d5e7aa45df5f4d

8efaa987959ef95179a0f5be05c10faf

8fbf53f77c98daba277dae7661b86f02

8fc825df73977eeffaaa1587565f7505

90a3e3a2049c6eb9e39d113d9451a83f

932d355d9f2df2e8d8449d85454fc983

9450980a4413dfdbc60a62b257a7b019

947892152b8419a2dfe498be5063c1da

94d42ff06a588587131c2cd8a9b2fe96

95c15b7961e2d6fad96defa7ff2c6272

96ba4bf00d8b4acee9f550286610dcc7

97004f1962e2aed917dc2be5c908278f

972077c1bb73ca78b7cad4ac6d56c669

991ebcd03ace627093acc860fae739b5

99949240bc4eae33cac4bbb93b72349d

9a0a8048d53dedc763992fff32584741

9a0e3e80cd7c21812de81224f646715e

9a61ed5721cf4586abd1d49e0da55350

9b26999182ea0c2b2cac91919697289e

9c656ce22c93ca31c81ff8378a0a91ee

ace620a0cc2684347e372f7e40e245d5

ad3b9e45192ec7c8085c3588cacb9c58

adb4f6ecb67732b7567486f0cee6e525

afa03ddb9fc64a795aadb6516c3bc268

b0269263ce024fc9de19f8f30bd51188

b04e895827c24070eb7082611ab79676

b059c9946ff67c62c074d6d15f356f6e

b07299a907a4732d14da32b417c08af3

b1dadfcf459f8447b9ec44d8767da36d

b2f1d2fefe9287f3261223b4b8219d03

b36f3e12cb88499f8795b8740ae67057

b4204f08c1a29fd4434e28b6219bfbc6

b4878c233d7f776a407f55a27b5effbc

b6c12d88eeb910784d75a5e4df954001

b7ab5c6926f738dbe8d3a05cb4a1b4f5

b80dcd50e27b85d9a44fc4f55ff0a728

b8a61b1fda80f95a7dcdb0137bc89f67

b9642c1b3dbcccc9d84371b3163d43e0

b9647f389978f588d977ef6ef863938f

b977bed98ae869a9bb9bf725215ef8e5

b9b627c470de997c01fdef4511029219

ba629216db6cf7c0c720054b0c9a13f3

badf0957c668d9f186fb218485d0d0f6

bb165b815e09fe95fa9282bce850528d

bbfb478770a911cf055b8dfd8dcb36e4

bc4c189e590053d2cf97569c495c9610

bc9089c39bcdb1c3ef2e5bd25c77ed68

bd42303e7c38486df2899b0ccf3ce8f7

bd452dc2f9490a44bcff8478d875af4b

bd6031dd85a578edf0bf1560caf36e02

bd63832e090819ea531d1a030fb04e9b

be39ff1ec88a1429939c411113b26c02

be88741844bf7c47f81271270abe82dc

ce26e91fc13ccb1be4b6bf6f55165410

ce449d7cb0a11b53b0513dde3bd57b1c

ceba742bccb23304cf05d6c565dc53f8

cebe44b8a9a2d6e15a03d40d9e98e0ed

cf946bc0faecb2dc8e8edc9e6ce2858f

d09fcd9fa9ed43c9f28bcd4bd4487d22

d0b5c11ee5df0d78bdde3fdc45eaf21d

d0d8243943053256bc1196e45fbf92d2

d0efc042ba4a6b207cf8f5b6760799d8

d20d01038e6ea10a9dcc72a88db5e048

d31596fe58ca278be1bb46e2a0203b34

d3df8c426572a85f3afa46e4cd2b66cd

d59a77a8da7bec1f4bad7054a41b3232

d76b1c624e9227131a2791957955dddc

d79477c9c688a8623930f4235c7228f6

d8a483d21504e73f0ba4b30bc01125d3

da46994fee26782605842005aabcd2fe

daa232882b74d60443dfec8742401808

dab45ac39e34cfee60dcb005c3d5a668

dbc583d6d5ec8f7f0c702b209af975e2

dbe92b105f474efc4a0540673da0eb9c

dbee8be5265a9879b61853cd9c0e4759

dc15ca49b39d1d17b22ec7580d32d905

dc386102060f7df285e9498f320f10e0

dd43cd0eddbb6f7cb69b1f469c37ec35

dd4e0f997e0b2cc9df28dca63ded6816

ddbdc6a3801906de598531b5b2dac02a

dde4ff4e41f86426051f15da48667f5f

ddecce92a712327c4068fabf0e1a7ff1

de608439f2bcc097b001d352b427bb68

deeb9b4789ac002aa8b834da76e70d74

df6475642f1fe122df3d7292217f1cff

e011784958e7a00ec99b8f2320e92bf4

ec4cdc752c2ecd0d9f97491cc646a269

edb648f6c3c2431b5b6788037c1cd8ef

ee3e297abd0a5b943dce46f33f3d56fb

ee4862bc4916fc22f219e1120bea734a

ef14448bf97f49a2322d4c79e64bb60b

ef2738889e9d041826d5c938a256bc45

ef6fcdd1b55adf8ad6bcdf3d93fd109e

efb5499492f08c1f10fecdeb703514d5

f0098aab593b65d980061a2df3a35c21

f073de9c169c8fcb2de5b811bff51cee

f0881d5a7f75389deba3eff3f4df09ac

f172ad4e906d97ed8f071896fc6789dc

f2b6bffa2c22420c0b1c848b673055ed

f446d8808a14649bddcc412f9e754890

f4dbe32f3505bc17364e2b125f8dd6df

f4dd628f6c0bc2472d29c796ee38bf46

f4e67343e13c37449ada7335b9c53dd1

f53e332b0a6dbe8d8d3177e93b70cb1e

f5ae03de0ad60f5b17b82f2cd68402fe

f5ce889a1fa751b8fd726994cdb8f97e

f5fdbfce1a5d2c000c266f4cd180a78d

f7202dea71cc638e0c2dbeb92c2ce279

f7cef381c4ee3704fc8216f00f87552a

f7ffbbbc68aadcbfbace55c58b6da0a7

f8b91554d221fe8ef4a4040e9516f919

f906571d719828f0f4b6212fc2aa7705

f9155052a43832061357c23de873ff9f

f9abacc459e5d50d8582e8c660752c4e

f9f608407d551f49d632bd6bd5bd7a56

f9fc9359dc5d1d0ac754b12efb795f79

fa27742b87747e64c8cb0d54aa70ef98

fa3c8d91ef4a8b245033ddb9aa3054a2

fad93907d5587eb9e0d8ebc78a5e19c2
 

 

 

 

 

 

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.

References Revisions
  • July 19, 2021: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Főbb riasztási források

35

ECHO Network

25

Arista Security Advisories

14

AusCERT - Security Bulletins

33

CERT/CC

9

Cisco Security Advisories

34

Drupal contrib security advisories

20

Drupal core security advisories

32

Huawei Security Bulletin

2

HUP - titkosítás, biztonság

28

Juniper Security Advisories

13

Kaspersky

30

Linux security Advisories

8

Microsoft Sercurity Response Center

22

NVD: all CVE

23

NVD: fully analised CVE

10

SANS

26

seclist.org

29

Ubuntu Secutity Notices

21

US CERT: Current Activity

5

US CERT: Security Bulletins

6

US CERT: Technical Security Alerts