US CERT: Technical Security Alerts

Original release date: December 2, 2021
Summary

This joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.

This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus—IT help desk software with asset management.

CVE-2021-44077, which Zoho rated critical, is an unauthenticated remote code execution (RCE) vulnerability affecting all ServiceDesk Plus versions up to, and including, version 11305. This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. 

The Zoho update that patched this vulnerability was released on September 16, 2021, along with a security advisory. Additionally, an email advisory was sent to all ServiceDesk Plus customers with additional information. Zoho released a subsequent security advisory on November 22, 2021, and advised customers to patch immediately.

The FBI and CISA are aware of reports of malicious cyber actors likely using exploits against CVE-2021-44077 to gain access [T1190] to ManageEngine ServiceDesk Plus, as early as late October 2021. The actors have been observed using various tactics, techniques and procedures (TTPs), including:

• Writing webshells [T1505.003] to disk for initial persistence
• Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140]
• Conducting further operations to dump user credentials [T1003]
• Living off the land by only using signed Windows binaries for follow-on actions [T1218]
• Adding/deleting user accounts as needed [T1136]
• Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives
• Using Windows Management Instrumentation (WMI) for remote execution [T1047]
• Deleting files to remove indicators from the host [T1070.004]
• Discovering domain accounts with the net Windows command [T1087.002]
• Using Windows utilities to collect and archive files for exfiltration [T1560.001]
• Using custom symmetric encryption for command and control (C2) [T1573.001]

The FBI and CISA are proactively investigating this malicious cyber activity:

• The FBI leverages specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. 
• CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors. 

Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims, while working to unmask and hold accountable those conducting malicious cyber activities.

A STIX file will be provided when available.

For a downloadable pdf of this CSA, click here. 

Technical Details

Compromise of the affected systems involves exploitation of CVE-2021-44077 in ServiceDesk Plus, allowing the attacker to:

1. Achieve an unrestricted file upload through a POST request to the ServiceDesk REST API URL and upload an executable file, C:\ManageEngine\Servicedesk\bin\msiexec.exe, with a SHA256 hash of ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7. This executable file serves as a dropper and contains an embedded, encoded Godzilla JAR file.
2. Gain execution for the dropper through a second POST request to a different REST API URL, which will then decode the embedded Godzilla JAR file and drop it to the filepath C:\ManageEngine\ServiceDesk\lib\tomcat\tomcat-postgres.jar with a SHA256 hash of 67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015.

Confirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are known to run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.

Targeted Industries 

APT cyber actors have targeted Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries.

Indicators of Compromise  Hashes Webshell:

67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015
068D1B3813489E41116867729504C40019FF2B1FE32AAB4716D429780E666324
759bd8bd7a71a903a26ac8d5914e5b0093b96de61bf5085592be6cc96880e088
262cf67af22d37b5af2dc71d07a00ef02dc74f71380c72875ae1b29a3a5aa23d
a44a5e8e65266611d5845d88b43c9e4a9d84fe074fd18f48b50fb837fa6e429d
ce310ab611895db1767877bd1f635ee3c4350d6e17ea28f8d100313f62b87382
75574959bbdad4b4ac7b16906cd8f1fd855d2a7df8e63905ab18540e2d6f1600
5475aec3b9837b514367c89d8362a9d524bfa02e75b85b401025588839a40bcb

Dropper:

ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7

Implant:

009d23d85c1933715c3edcccb46438690a66eebbcccb690a7b27c9483ad9d0ac 
083bdabbb87f01477f9cf61e78d19123b8099d04c93ef7ad4beb19f4a228589a
342e85a97212bb833803e06621170c67f6620f08cc220cf2d8d44dff7f4b1fa3

NGLite Backdoor:

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f
3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd
5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755
3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d
342a6d21984559accbc54077db2abf61fd9c3939a4b09705f736231cbc7836ae
7e4038e18b5104683d2a33650d8c02a6a89badf30ca9174576bf0aff08c03e72

KDC Sponge:

3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090
b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665
e391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c

Malicious IIS Module:

bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da

Renamed WinRAR:

d0c3d7003b7f5b4a3bd74a41709cfecfabea1f94b47e1162142de76aa7a063c7

Renamed csvde:

7d2780cd9acc516b6817e9a51b8e2889f2dec455295ac6e6d65a6191abadebff

Network Indicators

POST requests sent to the following URLs:

/RestAPI/ImportTechnicians?step=1

Domains:

seed.nkn[.]org

Note: the domain seed.nkn[.]org is a New Kind of Network (NKN) domain that provides legitimate peer to peer networking services utilizing blockchain technology for decentralization. It is possible to have false positive hits in a corporate network environment and it should be considered suspicious to see any software-initiated contacts to this domain or any subdomain.

Log File Analysis

• Check serverOut*.txt log files under C:\ManageEngine\ServiceDesk\logs\ for suspicious log entries matching the following format:
  • [<time>]|[<date>]|[com.adventnet.servicedesk.setup.action.ImportTechniciansAction]|[INFO]|[62]: fileName is : msiexec.exe]

Filepaths

C:\ManageEngine\ServiceDesk\bin\msiexec.exe
C:\ManageEngine\ServiceDesk\lib\tomcat\tomcat-postgres.jar
C:\Windows\Temp\ScriptModule.dll
C:\ManageEngine\ServiceDesk\bin\ScriptModule.dll
C:\Windows\system32\ME_ADAudit.exe
c:\Users\[username]\AppData\Roaming\ADManager\ME_ADManager.exe
%ALLUSERPROFILE%\Microsoft\Windows\Caches\system.dat
C:\ProgramData\Microsoft\Crypto\RSA\key.dat
c:\windows\temp\ccc.exe

Tactics, Techniques, and Procedures

• Using WMI for lateral movement and remote code execution (in particular, wmic.exe)
• Using plaintext credentials for lateral movement
• Using pg_dump.exe to dump ManageEngine databases
• Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives
• Active credential harvesting through LSASS (KDC Sponge)
• Exfiltrating through webshells
• Conducting exploitation activity often through other compromised U.S. infrastructure
• Dropping multiple webshells and/or implants to maintain persistence
• Using renamed versions of WinRAR, csvde, and other legitimate third-party tools for reconnaissance and exfiltration

Yara Rules rule ReportGenerate_jsp {
   strings:
      $s1 = "decrypt(fpath)"
      $s2 = "decrypt(fcontext)"
      $s3 = "decrypt(commandEnc)"
      $s4 = "upload failed!"
      $s5 = "sevck"
      $s6 = "newid"
   condition:
      filesize < 15KB and 4 of them
}

 

rule EncryptJSP {
   strings:
      $s1 = "AEScrypt"
      $s2 = "AES/CBC/PKCS5Padding"
      $s3 = "SecretKeySpec"
      $s4 = "FileOutputStream"
      $s5 = "getParameter"
      $s6 = "new ProcessBuilder"
      $s7 = "new BufferedReader"
      $s8 = "readLine()"
   condition:
      filesize < 15KB and 6 of them
}

 

rule ZimbraImplant {
    strings:
        $u1 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
        $u2 = "Content-Type: application/soap+xml; charset=UTF-8"
        $u3 = "/service/soap"
        $u4 = "Good Luck :::)"
        $s1 = "zimBR"
        $s2 = "log10"
        $s3 = "mymain"
        $s4 = "urn:zimbraAccount"
        $s5 = "/service/upload?fmt=extended,raw"
        $s6 = "<query>(in:\"inbox\" or in:\"junk\") is:unread</query>"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 2MB and 1 of ($u*) and 3 of ($s*)
}

 

rule GodzillaDropper {
    strings:
        $s1 = "UEsDBAoAAAAAAI8UXFM" // base64 encoded PK/ZIP header
        $s2 = "../lib/tomcat/tomcat-postgres.jar"
        $s3 = "RunAsManager.exe"
        $s4 = "ServiceDesk"
        $s5 = "C:\\Users\\pwn\\documents\\visual studio 2015\\Projects\\payloaddll"
        $s6 = "CreateMutexA"
        $s7 = "cplusplus_me"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 350KB and 4 of them
}

 

rule GodzillaJAR {
    strings:
        $s1 = "org/apache/tomcat/SSLFilter.class"
        $s2 = "META-INF/services/javax.servlet.ServletContainerInitializer"
        $s3 = "org/apache/tomcat/MainFilterInitializer.class"
    condition:
        uint32(0) == 0x04034B50 and filesize < 50KB and all of them
}

 

rule APT_NGLite {
    strings:
        $s1 = "/mnt/hgfs/CrossC2-2.2"
        $s2 = "WHATswrongwithU"
        $s3 = "//seed.nkn.org:"
        $s4 = "Preylistener"
        $s5 = "preyid"
        $s6 = "Www-Authenticate"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 15MB and 4 of them
}

 

rule KDCSponge {
    strings:
        $k1 = "kdcsvc.dll"
        $k2 = "kdccli.dll"
        $k3 = "kdcsvs.dll"
        $f1 = "KerbHashPasswordEx3"
        $f2 = "KerbFreeKey"
        $f3 = "KdcVerifyEncryptedTimeStamp"
        $s1 = "download//symbols//%S//%S//%S" wide
        $s2 = "KDC Service"
        $s3 = "\\system.dat"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 1MB and 1 of ($k*) and 1 of ($f*) and 1 of ($s*) MitigationsCompromise Mitigations

Organizations that identify any activity related to ManageEngine ServiceDesk Plus indicators of compromise within their networks should take action immediately. 

Zoho ManageEngine ServiceDesk Plus build 11306, or higher, fixes CVE-2021-44077. ManageEngine initially released a patch for this vulnerability on September 16, 2021. A subsequent security advisory was released on November 22, 2021, and advised customers to patch immediately. Additional information can be found in the Zoho security advisory released on November 22, 2021.

In addition, Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.

FBI and CISA also strongly recommend domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. 

Note: Implementing these password resets should not be taken as a comprehensive mitigation in response to this threat; additional steps may be necessary to regain administrative control of your network. Refer to your specific products mitigation guidance for details. 

Actions for Affected Organizations

Immediately report as an incident to CISA or the FBI (refer to Contact information section below) the existence of any of the following:

• Identification of indicators of compromise as outlined above.
• Presence of webshell code on compromised ServiceDesk Plus servers.
• Unauthorized access to or use of accounts.
• Evidence of lateral movement by malicious actors with access to compromised systems.
• Other indicators of unauthorized access or compromise.

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. 

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

• The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office
• CISA (888-282-0870 or Central@cisa.dhs.gov).

Revisions

• December 2, 2021: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: November 17, 2021
Summary

Actions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity
• Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, 2018-13379, 2020-12812, and 2019-5591.
• Implement multi-factor authentication.
• Use strong, unique passwords.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.

This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.

The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.

For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran.

Click here for a PDF version of this report.

Technical DetailsThreat Actor Activity

Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.

• In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591. The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. Note: for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks.
• In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username elie to further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.
• In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20—which FBI and CISA judge are associated with Iranian government cyber activity—to further enable malicious activity against the hospital’s network. The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
• As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability—CVE-2021-34473—to gain initial access to systems in advance of follow-on operations.

ACSC considers that this APT group has also used the same Microsoft Exchange vulnerability (CVE-2021-34473) in Australia.

MITRE ATT&CK Tactics and Techniques

FBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.

Resource Development [TA0042]

The APT actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum.

• Mimikatz for credential theft [TA0006]
• WinPEAS for privilege escalation [TA0004]
• SharpWMI (Windows Management Instrumentation)
• WinRAR for archiving collected data [TA0009, T1560.001]
• FileZilla for transferring files [TA0010]

Initial Access [TA0001]

The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) [T1190].

Execution [TA0002]

The Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:

• SynchronizeTimeZone
• GoogleChangeManagement
• MicrosoftOutLookUpdater
• MicrosoftOutLookUpdateSchedule

Persistence [TA0003]

The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:

• Support
• Help
• elie
• WADGUtilityAccount

Exfiltration [TA0010]

The FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.

Impact [TA0040]

The APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. 

• sar_addr@protonmail[.]com
• WeAreHere@secmail[.]pro
• nosterrmann@mail[.]com
• nosterrmann@protonmail[.]com 

Detection

The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks. 

• Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. Note: refer to Appendix A for IOCs.
• Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. 
• Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. 
• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
• Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).
• Review antivirus logs for indications they were unexpectedly turned off.
• Look for WinRAR and FileZilla in unexpected locations. 

Note: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom. 

Mitigations

The FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.

Patch and Update Systems

• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. 
• Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Evaluate and Update Blocklists and Allowlists

• Regularly evaluate and update blocklists and allowlists.
• If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.

Implement and Enforce Backup and Restoration Policies and Procedures

• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible or modification or deletion from the system where the data resides. 
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud). 

Implement Network Segmentation

• Implement network segmentation to restrict adversary’s lateral movement. 

Secure User Accounts

• Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties. 
• Require administrator credentials to install software. 

Implement Multi-Factor Authentication

• Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems. 

Use Strong Passwords

• Require all accounts with password logins to have strong, unique passwords.

Secure and Monitor RDP and other Potentially Risky Services

• If you use RDP, restrict it to limit access to resources over internal networks.
• Disable unused remote access/RDP ports.
• Monitor remote access/RDP logs. 

Use Antivirus Programs

• Install and regularly update antivirus and anti-malware software on all hosts. 

Secure Remote Access

• Only use secure networks and avoid using public Wi-Fi networks. 
• Consider installing and using a VPN for remote access.

Reduce Risk of Phishing

• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails

Resources

• For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran. 
• For information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
• The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
• CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
• The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
• ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at cyber.gov.au and via 1300 292 371 (1300 CYBER1).

Appendix A: Indicators of Compromise

IP addresses and executables files are listed below.

IP Addresses

• 91.214.124[.]143 
• 162.55.137[.]20 
• 154.16.192[.]70

Executable Files 

Executable files observed in this activity are identified in table 1.

Table 1: Executable Files 

Filename: MicrosoftOutLookUpdater[.]exe    MD5: 1444884faed804667d8c2bfa0d63ab13   SHA-1: 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A   SHA-256: c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624   SHA-512: 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF   Filename: MicrosoftOutlookUpdater.bat   MD5: 6735be6deea16d03cb628b553d71fe91   SHA-1 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A   SHA-256 C51FE5073BD493C7E8D83365AACE3F9911437A0F2AE80042BA01EA46B55D2624   SHA-512 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF   Filename: MicrosoftOutlookUpdater.xml   MD5: AA40C49E309959FA04B7E5AC111BB770   SHA-1 F1D90E10E6E3654654E0A677763C9767C913F8F0   SHA-256 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6   SHA-512 E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E   Filename: GoogleChangeManagement.xml   MD5: AF2D86042602CBBDCC7F1E8EFA6423F9   SHA-1 CDCD97F946B78831A9B88B0A5CD785288DC603C1   SHA-256 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D   SHA-512 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971   Filename: Connector3.exe   MD5: e64064f76e59dea46a0768993697ef2f   Filename: Audio.exe or frpc.exe   MD5: b90f05b5e705e0b0cb47f51b985f84db   SHA-1 5bd0690247dc1e446916800af169270f100d089b   SHA-256: 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa   Vhash: 017067555d5d15541az28!z   Authentihash: ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee   Imphash: 93a138801d9601e4c36e6274c8b9d111   SSDEEP: 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U   Note:

Identical to “frpc.exe” available at:

https://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip

  Filename: Frps.exe   MD5: 26f330dadcdd717ef575aa5bfcdbe76a   SHA-1 c4160aa55d092cf916a98f3b3ee8b940f2755053   SHA-256: d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a   Vhash: 017057555d6d141az25!z   Authentihash: 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea   Imphash: 91802a615b3a5c4bcc05bc5f66a5b219   SSDEEP: 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO   Note:

Identical to “frps.exe” available at: 

https://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip

 

 

 

APPENDIX B: MITRE ATT&CK TACTICS AND TECHNIQUES

Table 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.

Table 2: Observed Tactics and Techniques

Tactic Technique Resource Development [TA0042]

Obtain Capabilities: Malware [T1588.001]

Obtain Capabilities: Tool [T1588.002]

Initial Access [TA0001]

Exploit Public-Facing Application [T1190]

Execution [TA0002]

Scheduled Task/Job: Scheduled Task [T1053.005]

Persistence [TA0003]

Create Account: Local Account [T1136.001]

Create Account: Domain Account [T1136.002] Privilege Escalation [TA0004]  

Credential Access [TA0006]

  Collection [TA0009]

Archive Collected Data: Archive via Utility [T1560.001]

Exfiltration [TA0010]   Impact [TA0040] Data Encrypted for Impact [T1486] Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Australian organizations can visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Revisions

• Initial Version: November 17, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 18, 2021
Summary

Actions You Can Take Now to Protect Against BlackMatter Ransomware
• Implement and enforce backup and restoration policies and procedures.
• Use strong, unique passwords.
• Use multi-factor authentication.
• Implement network segmentation and traversal monitoring.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint Cybersecurity Advisory was developed by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.

This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.

Click here for a PDF version of this report.

Technical DetailsOverview

First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows  the ransomware's developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

Tactics, Techniques, and Procedures

This advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA-256: 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d. (Note: click here to see the sample’s page on VirusTotal.)

The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.

BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.

Table 1 maps BlackMatter’s capabilities to the MITRE ATT&CK for Enterprise framework, based on the analyzed variant and trusted third-party reporting.

Table 1: Black Matter Actors and Ransomware TTPs

Tactic

Technique 

Procedure 

Persistence [TA0003]

External Remote Services [T1133]

BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks. 

Credential Access [TA0006]

OS Credential Dumping: LSASS Memory [T1003.001]

BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.

Discovery [TA0007]

Remote System Discovery [T1018]

BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD.

Process Discovery [T1057]

BlackMatter uses NtQuerySystemInformation to enumerate running processes.

System Service Discovery [T1007]

BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.

Lateral Movement [TA0008]

Remote Services: SMB/Windows Admin Shares [T1021.002]

BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.

Exfiltration [TA0010]

Exfiltration Over Web Service [T1567]

BlackMatter attempts to exfiltrate data for extortion.

Impact [TA0040]

Data Encrypted for Impact [T1486]

BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.

Disk Wipe [T1561]

BlackMatter may wipe backup systems.

Detection Signatures

The following Snort signatures may be used for detecting network activity associated with BlackMatter activity.

Intrusion Detection System Rule:

alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt";  content:"|01 00 00 00 00 00 05 00 01 00|";  content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )

Inline Intrusion Prevention System Rule:

alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt";  content:"|01 00 00 00 00 00 05 00 01 00|";  content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; priority:1; sid:10000001; )

rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400

Mitigations

CISA, the FBI, and NSA urge network defenders, especially for critical infrastructure organizations, to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:

Implement Detection Signatures

• Implement the detection signatures identified above. These signatures will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24 hours. 

Use Strong Passwords

• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts.) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account. 

Implement Multi-Factor Authentication

• Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

Patch and Update Systems

• Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

Limit Access to Resources over the Network

• Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
• Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines. 

Implement Network Segmentation and Traversal Monitoring

Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions.

• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. 
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. 

Use Admin Disabling Tools to Support Identity and Privileged Access Management

If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected. Given that there has been an observed increase in ransomware attacks during non-business hours, especially holidays and weekends, CISA, the FBI, and NSA recommend organizations:

• Implement time-based access for accounts set at the admin-level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion. 
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. 

Implement and Enforce Backup and Restoration Policies and Procedures

• Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom demand.
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure. 

CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise.

• Disable the storage of clear text passwords in LSASS memory.
• Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
• Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA). 
• Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to crack.
  • Set a strong password policy for service accounts.
  • Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous activity.  

Refer to the CISA-Multi-State information and Sharing Center (MS-ISAC) Joint Ransomware Guide for general mitigations to prepare for and reduce the risk of compromise by ransomware attacks. 

Note: critical infrastructure organizations with industrial control systems/operational technology networks should review joint CISA-FBI Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more mitigations, including mitigations to reduce the risk of severe business or functional degradation should their entity fall victim to a ransomware attack. 

Responding to Ransomware Attacks

If a ransomware incident occurs at your organization, CISA, the FBI, and NSA recommend:

• Following the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
• Scanning backups. If possible, scan backup data with an antivirus program to check that it is free of malware.
• Reporting incidents immediately to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service at a U.S. Secret Service Field Office. 
• Applying incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: CISA, the FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.

Resources

• For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
• CISA’s Ransomware Readiness Assessment (RRA) is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident. 
• CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.

Contact Information

Victims of ransomware should report it immediately to CISA at us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

This document was developed by CISA, the FBI, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

Note: the information you have accessed is being provided “as is” for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA, the FBI, or NSA.

Revisions

• October 18, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 14, 2021
Summary

Immediate Actions WWS Facilities Can Take Now to Protect Against Malicious Cyber Activity
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
• Use strong passwords.
• Use multi-factor authentication.

Note: This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.

To secure WWS facilities—including Department of Defense (DoD) water treatment facilities in the United States and abroad—against the TTPs listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.

Click here for a PDF version of this report.

Technical DetailsThreat Overview Tactics, Techniques, and Procedures

WWS facilities may be vulnerable to the following common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices.

• Spearphishing personnel to deliver malicious payloads, including ransomware [T1566].
  •  Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization. Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat actors that have successfully bypassed email filtering controls.
  • When organizations integrate IT with OT systems, attackers can gain access—either purposefully or inadvertently—to OT assets after the IT network has been compromised through spearphishing and other techniques.
  • Exploitation of internet-connected services and applications that enable remote access to WWS networks [T1210].
    • For example, threat actors can exploit a Remote Desktop Protocol (RDP) that is insecurely connected to the internet to infect a network with ransomware. If the RDP is used for process control equipment, the attacker could also compromise WWS operations. Note: the increased use of remote operations due to the COVID-19 pandemic has likely increased the prevalence of weaknesses associated with remote access.
• Exploitation of unsupported or outdated operating systems and software.
  • Threat actors likely seek to take advantage of perceived weaknesses among organizations that either do not have—or choose not to prioritize—resources for IT/OT infrastructure modernization. WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure.
  • The fact that WWS facilities are inconsistently resourced municipal systems—not all of which have the resources to employ consistently high cybersecurity standards—may contribute to the use of unsupported or outdated operating systems and software.
• Exploitation of control system devices with vulnerable firmware versions.
  • WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data [T0827].

WWS Sector Cyber Intrusions

Cyber intrusions targeting U.S. WWS facilities highlight vulnerabilities associated with the following threats:

• Insider threats, from current or former employees who maintain improperly active credentials
• Ransomware attacks

WWS Sector cyber intrusions from 2019 to early 2021 include:

• In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
• In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
• In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
• In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
• In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.

Mitigations

The FBI, CISA, EPA, and NSA recommend WWS facilities—including DoD water treatment facilities in the United States and abroad—use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.

WWS Monitoring

Personnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may be indicative of threat actor activity:

• Inability of WWS facility personnel to access SCADA system controls at any time, either entirely or in part;
• Unfamiliar data windows or system alerts appearing on SCADA system controls and facility data screens that could indicate a ransomware attack;
• Detection by SCADA system controls, or by water treatment personnel, of abnormal operating parameters—such as unusually high chemical addition rates—used in the safe and proper treatment of drinking water;
• Access of SCADA systems by unauthorized individuals or groups, e.g., former employees and current employees not authorized/assigned to operate SCADA systems and controls.
• Access of SCADA systems at unusual times, which may indicate that a legitimate user’s credentials have been compromised
• Unexplained SCADA system restarts.
• Unchanging parameter values that normally fluctuate.

Remote Access Mitigations

Note: The increased use of remote operations due to the COVID-19 pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels. 

• Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.
• Utilize blocklisting and allowlisting to limit remote access to users with a verified business and/or operational need.
• Ensure that all remote access technologies have logging enabled and regularly audit these logs to identify instances of unauthorized access.
• Utilize manual start and stop features in place of always activated unattended access to reduce the time remote access services are running.
• Audit networks for systems using remote access services.
  • Close unneeded network ports associated with remote access services (e.g., RDP – Transmission Control Protocol [TCP] Port 3389).
• When configuring access control for a host, utilize custom settings to limit the access a remote party can attempt to acquire.

Network Mitigations

• Implement and ensure robust network segmentation between IT and OT networks to limit the ability of malicious cyber actors to pivot to the OT network after compromising the IT network.
  • Implement demilitarized zones (DMZs), firewalls, jump servers, and one-way communication diodes to prevent unregulated communication between the IT and OT networks.
• Develop/update network maps to ensure a full accounting of all equipment that is connected to the network.
  • Remove any equipment from networks that is not required to conduct operations to reduce the attack surface malicious actors can exploit.  

Planning and Operational Mitigations

• Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and threats to safety.
  • The plan should also consider third parties with legitimate need for OT network access, including engineers and vendors.
  • Review, test, and update the emergency response plan on an annual basis to ensure accuracy.
• Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications.
• Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Utilize resources such as the Environment Protection Agency’s (EPA) Cybersecurity Incident Action Checklist as well as the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

Safety System Mitigations

• Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor.
  • Examples of cyber-physical safety system controls include:
    • Size of the chemical feed pump
    • Gearing on valves
    • Pressure switches, etc.
  • These types of controls benefit WWS Sector facilities—especially smaller facilities with limited cybersecurity capability—because they enable facility staff to assess systems from a worst-case scenario and determine protective solutions. Enabling cyber-physical safety systems allows operators to take physical steps to limit the damage, for example, by preventing cyber actors, who have gained control of a sodium hydroxide pump, from raising the pH to dangerous levels.

Additional Mitigations

• Foster an organizational culture of cyber readiness. See the CISA Cyber Essentials along with the items listed in the Resources section below for guidance.  
• Update software, including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.
• Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.  
• Implement regular data backup procedures on both the IT and OT networks.
  • Regularly test backups.
  • Ensure backups are not connected to the network to prevent the potential spread of ransomware to the backups.
• When possible, enable OT device authentication, utilize the encrypted version of OT protocols, and encrypt all wireless communications to ensure the confidentiality and authenticity of process control data in transit.
• Employ user account management to:
  • Remove, disable, or rename any default system accounts wherever possible.
  • Implement account lockout policies to reduce risk from brute-force attacks.
  • Monitor the creation of administrator-level accounts by third-party vendors with robust and privileged account management policies and procedures.
  • Implement a user account policy that includes set durations for deactivation and removal of accounts after employees leave the organization or after accounts reach a defined period of inactivity.
• Implement data execution prevention controls, such as application allowlisting and software restriction policies that prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers.
• Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of users exhibiting unusual activity.

FBI, CISA, EPA, and NSA would like to thank Dragos as well as the WaterISAC for their contributions to this advisory.

Resources Cyber Hygiene Services

CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. 

Rewards for Justice Reporting

The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.

StopRansomware.gov 

The StopRansomware.gov webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:

• CISA and MS-ISAC: Joint Ransomware Guide
• CISA Insights: Ransomware Outbreak
• CISA Webinar: Combating Ransomware

Additional Resources

For additional resources that can assist in preventing and mitigating this activity, see:

• FBI-CISA-EPA-MS-ISAC Joint CSA: Compromise of U.S. Water Treatment Facility
• WaterISAC: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
• American Water Works Association: Cybersecurity Guidance and Assessment Tool
• EPA: Cybersecurithttps://www.cisa.gov/publication/insider-threat-mitigation-resourcesy Incident Action Checklist
• EPA: Cybersecurity Best Practices for the Water Sector
• EPA: Supporting Cybersecurity Measures with the Clean Water and Drinking Water State Revolving Funds
• CISA: Cyber Risks & Resources for the Water and Wastewater Systems Sector infographic
• CISA: Critical ICS Cybersecurity Performance Goals and Objectives
• CISA Fact Sheet: Rising Ransomware Threat to Operational Technology Assets
• CISA-MS-ISAC: Joint Ransomware Guide
• NSA CSA: Stop Malicious Cyber Activity Against Connected OT
• CISA: Insider Threat Mitigation Resources
• NIST: Special Publication (SP) 800-167, Guide to Application Whitelisting
• NIST: SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security (Section 6.2.1)

Disclaimer of Endorsement 

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
 

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.

Revisions

• Initial Version: October 14, 2021

This product is provided subject to this Notification and this Privacy & Use policy.