US CERT: Technical Security Alerts
AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
Summary
This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.
This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:
- Compromising or bypassing federated identity solutions;
- Using forged authentication tokens to move laterally to Microsoft cloud environments; and
- Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.
This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.
Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.
Technical DetailsFrequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Supernova).[1] However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.
CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement [TA0008]).
The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]).
This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.
MitigationsDetectionGuidance on identifying affected SolarWinds software is well documented.[2] However—once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics.
The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors. Microsoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[3]
Detection ToolsCISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA.
There are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[4] Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:
- CISA's Sparrow,
- Open-source utility Hawk, and
- CrowdStrike's Azure Reporting Tool (CRT).
Additionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.
Note: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.
General Guidance on Using Detection Tools- Audit the creation and use of service principal credentials. Look for unusual application usage, such as use of dormant applications.
- Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships added to the Azure Active Directory.
- Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.
CISA created Sparrow to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.
CISA advises Sparrow users to take the following actions.
- Use Sparrow to detect any recent domain authentication or federation modifications.
- Domain and federation modification operations are uncommon and should be investigated.
- Examine logs for new and modified credentials applied to applications and service principals; delineate for the credential type. Sparrow can be used to detect the modification of service principals and application credentials.
- Create a timeline for all credential changes, focusing on recent wholesale changes.
- Review the “top actors” for activity in the environment and the number of credential modifications performed.
- Monitor changes in application and service principal credentials.
- Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
- Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.
- Use Sparrow to detect OAuth consent and users’ consent to applications, which is useful for interpreting changes in adversary TTPs.
- Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a potential indicator for forged SAML tokens.
- Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.
- Review the PowerShell logs that Sparrow exports.
- Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.
- Review PowerShell usage for users with PowerShell in the environment.
- Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD.
- Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy https://graph.windows.net/ or https://graph.microsoft.com). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.
- Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.
- For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using the app id investigation capability, which will check to see if it is accessing mail or file items.
- The MailItemsAccessed event provides audibility for mailbox data accessed via mail protocols or clients.
- By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[5]
- The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.
- Check for changes to applications with regards to the accessing of resources such as mail or file items.
Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.
Hawk users should review login details for administrator accounts and take the following steps.
- Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).
- Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes.
- PowerShell logging does not reveal the exact cmdlet that was run on the tenant.
- Look for users with unusual sign-in locations, dates, and times.
- Check permissions of service principals and applications in M365/Azure AD.
- Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items.
- Review mailbox rules and recent mailbox rule changes.
CrowdStrike's Azure Reporting Tool (CRT) can help network defenders analyze their Microsoft Azure AD and M365 environment to help organizations analyze permissions in their AzureAD tenant and service configuration. This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.
Detection Tool Distinctions- Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.
- CRT focuses on the tenant’s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk.
- CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk.
- As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks.
- CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains.
- Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials.
Microsoft breaks the threat actor’s recent activity into four primary stages, which are described below along with associated detection methods. Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[6]
Note: this step provides an entry vector to cloud technology environments, and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud(e.g., without leveraging the SolarWinds Orion vulnerability).
Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider
These attacks (often referred to as “Golden Security Assertion Markup Language” attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[7] For example, network defenders can use OAuth claims for specific principals made at the Azure AD level and compare them to the on-premises identity.
Export sign-in logs from the Azure AD portal and look at the Authentication Method field.
Note: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). Without Sentinel, this is the only way to get these logs, which are critical for this effort.
Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers
Using SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769, 1200, and 1202 in the domain.
Detection Method 2: Identifying certificate export events in ADFS
Look for:
- The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.
- Export-PfxCertificate or certutil-exportPFX in Event IDs 4103 and 4104, which may include detection of a certificate extraction technique.
- Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name \microsoft##wid\tsql\query (exclude processes regularly making this pipe connection on the machine).
- Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event).
Detection Method 3: Customizing SAML response to identify irregular access
This method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[8]
Detection Method 4: Detecting malicious ADFS trust modification
A threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[9]
Network defenders should look for:
- Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.)
- Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain.
- Possible activity of an interrogating ADFS host by using ADFS PowerShell plugins. Look for changes in the federation trust environment that would indicate new ADFS sources.
Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as AzureAD (establishing a foothold)
After the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).
The threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged AzureAD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).
Network defenders should take the following steps.
- Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials.
- Look for unusual application usage, such as dormant or forgotten applications being used again.
- Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.
- Look for unexpected trust relationships that have been added to AzureAD. (Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.).[10]
- Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.
- Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times.
- Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor’s attempts to gain persistence.
Stage 3: Acquiring an OAuth access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application
In some cases, the threat actor has been observed adding permissions to existing applications or service principals. Additionally the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a credential to another service principal, and then deleting it).[11]
Network defenders should use Sparrow to:
- Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times.
- Create a timeline for all credential changes.
- Monitor changes in application credentials (the script will export into csv named AppUpdate_Operations_Export).
- Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions).
- Export and view this activity via the ServicePrincipal_Operations_Export.
- Record OAuth consent and consent to applications
- Export and view this record via the Consent_Operations_Export file.
- Investigate instances of excessive high permissions, including, but not limited to Exchange Online, Microsoft Graph, and Azure AD Graph.
- Review Microsoft Graph API permissions granted to service principals.
- Export and view this activity via the ApplicationGraphPermissions csv file.
- Note: Hawk can also return the full list of service principal permissions for further investigation.
- Review top actors and the amount of credential modifications performed.
- Monitor changes in application credentials.
- Identify manipulation of custom or third-party applications.
- Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts.
- Review modifications to federation trust settings.
- Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor.
- The script detects the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. Export this data into csv called AppRoleAssignment_Operations_Export.
- Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor.
Stage 4: Once access has been established, the threat actor Uses Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications).
Network defenders should:
- In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used (requires G5 or E5 license for this specific detail).
- Query the specific application ID, using the Sparrow script’s app ID investigation capability to interrogate mail and file items accessed for that applicationID (Use the application ID utility for any other suspicious apps that require additional analysis.).
- Check the permissions of an application in M365/AzureAD using Sparrow.
- Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.
- Network defenders will see the IP address that Graph API uses.
- Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint.
- Investigate a specific service principal, if it is a user-specific user account, in Hawk. This activity is challenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in portal.
The existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.
Service principal logging is available using the Azure Portal via the "Service Principal Sign-ins" feature. Enable settings in the Azure Portal (see “Diagnostic Setting”) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[12] These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.
Global Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel. According to CrowdStrike, "There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible."[13]
Documentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources.
The use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context.
A properly configured SIEM can provide:
- Longer term storage of log data.
- Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information.
- Ability to query use of application connectors in Azure.
Built-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[14] However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.
Contact InformationCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at
- 1-888-282-0870 (From outside the United States: +1-703-235-8832)
- central@cisa.dhs.gov (UNCLASS)
- us-cert@dhs.sgov.gov (SIPRNET)
- us-cert@dhs.ic.gov (JWICS)
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.
ResourcesAzure Active Directory Workbook to Assess Solorigate Risk: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718
Volexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
How to Find Activity with Sentinel: https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/
Third-Party Walkthrough of the Attack: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF
Microsoft 365 App for Splunk: https://splunkbase.splunk.com/app/3786/
CISA Remediation Guidance: https://us-cert.cisa.gov/ncas/alerts/aa20-352a
FeedbackCISA strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.cisa.gov/forms/feedback.
References- [1] ZDNet: A Second Hacking Group has Targeted SolarWinds Systems
- [2] CISA: Supply Chain Compromise
- [3] Microsoft SolarWinds Post-Compromise Hunting with Azure Sentinel
- [4] Microsoft Solorigate Resource Center
- [5] Advanced Audit in Microsoft 365
- [6] Microsoft: Understanding “Solorigate’s” Identity IOCs
- [7] Detection and Hunting of Golden SAML Attack:
- [8] Ibid
- [9] Ibid
- [10] Microsoft: AADServicePrincipalSignInLogs
- [11] Microsoft: Understanding “Solorigate’s” Identity IOCs
- [12] Azure Active Directory Sign-in Activity Reports
- [13] CrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
- [14] Microsoft 365 App for Splunk
- Initial version: January 8, 2021
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
AA20-345A: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
AA20-336A: Advanced Persistent Threat Actors Targeting U.S. Think Tanks
AA20-304A: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data
Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). CISA and the FBI are aware of an Iranian advanced persistent threat (APT) actor targeting U.S. state websites—to include election websites. CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. This disinformation (hereinafter, “the propaganda video”) was in the form of a video purporting to misattribute the activity to a U.S. domestic actor and implies that individuals could cast fraudulent ballots, even from overseas. https://www.odni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security. (Reference FBI FLASH message ME-000138-TT, disseminated October 29, 2020). Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election.
Click here for a PDF version of this report.
Technical DetailsAnalysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner (Active Scanning: Vulnerability Scanning [T1595.002]). Acunetix is a widely used and legitimate web scanner, which has been used by threat actors for nefarious purposes. Organizations that do not regularly use Acunetix should monitor their logs for any activity from the program that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior.
Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020 (Exploit Public-Facing Application [T1190]). This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites.
CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records. A review of the records that were copied and obtained reveals the information was used in the propaganda video.
CISA and FBI analysis of identified activity against state websites, including state election websites, referenced in this product cannot all be fully attributed to this Iranian APT actor. FBI analysis of the Iranian APT actor’s activity has identified targeting of U.S. elections’ infrastructure (Compromise Infrastructure [T1584]) within a similar timeframe, use of IP addresses and IP ranges – including numerous virtual private network (VPN) service exit nodes – which correlate to this Iran APT actor (Gather Victim Host Information [T1592)]), and other investigative information.
ReconnaissanceThe FBI has information indicating this Iran-based actor attempted to access PDF documents from state voter sites using advanced open-source queries (Search Open Websites and Domains [T1539]). The actor demonstrated interest in PDFs hosted on URLs with the words “vote” or “voter” and “registration.” The FBI identified queries of URLs for election-related sites.
The FBI also has information indicating the actor researched the following information in a suspected attempt to further their efforts to survey and exploit state election websites.
- YOURLS exploit
- Bypassing ModSecurity Web Application Firewall
- Detecting Web Application Firewalls
- SQLmap tool
CISA’s analysis identified the scanning of multiple entities by the Acunetix Web Vulnerability scanning platform between September 20 and September 28, 2020 (Active Scanning: Vulnerability Scanning [T1595.002]).
The actor used the scanner to attempt SQL injection into various fields in /registration/registration/details with status codes 404 or 500:
/registration/registration/details?addresscity=-1 or 3*2<(0+5+513-513) -- &addressstreet1=xxxxx&btnbeginregistration=begin voter registration&btnnextelectionworkerinfo=next&btnnextpersonalinfo=next&btnnextresdetails=next&btnnextvoterinformation=next&btnsubmit=submit&chkageverno=on&chkageveryes=on&chkcitizenno=on&chkcitizenyes=on&chkdisabledvoter=on&chkelectionworker=on&chkresprivate=1&chkstatecancel=on&dlnumber=1&dob=xxxx/x/x&email=sample@email.tst&firstname=xxxxx&gender=radio&hdnaddresscity=&hdngender=&last4ssn=xxxxx&lastname=xxxxxinjjeuee&mailaddresscountry=sample@xxx.xxx&mailaddressline1=sample@email.tst&mailaddressline2=sample@xxx.xxx&mailaddressline3=sample@xxx.xxx&mailaddressstate=aa&mailaddresszip=sample@xxxx.xxx&mailaddresszipex=sample@xxx.xxx&middlename=xxxxx&overseas=1&partycode=a&phoneno1=xxx-xxx-xxxx&phoneno2=xxx-xxx-xxxx&radio=consent&statecancelcity=xxxxxxx&statecancelcountry=usa&statecancelstate=XXaa&statecancelzip=xxxxx&statecancelzipext=xxxxx&suffixname=esq&txtmailaddresscity=sample@xxx.xxx
RequestsThe actor used the following requests associated with this scanning activity.
2020-09-26 13:12:56 x.x.x.x GET /x/x v[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0
2020-09-26 13:13:19 X.X.x.x GET /x/x voterid[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 1375
2020-09-26 13:13:18 .X.x.x GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - X.X.x.x
User Agents ObservedCISA and FBI have observed the following user agents associated with this scanning activity.
Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0
Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4
Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.8.1.17)+Gecko/20080922+Ubuntu/7.10+(gutsy)+Firefox/2.0.0.17
Exfiltration Obtaining Voter Registration DataFollowing the review of web server access logs, CISA analysts, in coordination with the FBI, found instances of the cURL and FDM User Agents sending GET requests to a web resource associated with voter registration data. The activity occurred between September 29 and October 17, 2020. Suspected scripted activity submitted several hundred thousand queries iterating through voter identification values, and retrieving results with varying levels of success [Gather Victim Identity Information (T1589)]. A sample of the records identified by the FBI reveals they match information in the aforementioned propaganda video.
Requests
The actor used the following requests.
2020-10-17 13:07:51 x.x.x.x GET /x/x voterid=XXXX1 443 - x.x.x.x curl/7.55.1 - 200 0 0 1406
2020-10-17 13:07:55 x.x.x.x GET /x/x voterid=XXXX2 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390
2020-10-17 13:07:58 x.x.x.x GET /x/x voterid=XXXX3 443 - x.x.x.x curl/7.55.1 - 200 0 0 1625
2020-10-17 13:08:00 x.x.x.x GET /x/x voterid=XXXX4 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390
Note: incrementing voterid values in cs_uri_query field
User AgentsCISA and FBI have observed the following user agents.
FDM+3.x
curl/7.55.1
Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0
Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4
See figure 1 below for a timeline of the actor’s malicious activity.
Figure 1: Overview of malicious activity
MitigationsDetection Acunetix ScanningOrganizations can identify Acunetix scanning activity by using the following keywords while performing log analysis.
- $acunetix
- acunetix_wvs_security_test
For a downloadable copy of IOCs, see AA20-304A.stix.
Disclaimer: Many of the IP addresses included below likely correspond to publicly available VPN services, which can be used by individuals all over the world. Although this creates the potential for false positives, any activity listed should warrant further investigation. The actor likely uses various IP addresses and VPN services.
The following IPs have been associated with this activity.
- 102.129.239[.]185 (Acunetix Scanning)
- 143.244.38[.]60 (Acunetix Scanning and cURL requests)
- 45.139.49[.]228 (Acunetix Scanning)
- 156.146.54[.]90 (Acunetix Scanning)
- 109.202.111[.]236 (cURL requests)
- 185.77.248[.]17 (cURL requests)
- 217.138.211[.]249 (cURL requests)
- 217.146.82[.]207 (cURL requests)
- 37.235.103[.]85 (cURL requests)
- 37.235.98[.]64 (cURL requests)
- 70.32.5[.]96 (cURL requests)
- 70.32.6[.]20 (cURL requests)
- 70.32.6[.]8 (cURL requests)
- 70.32.6[.]97 (cURL requests)
- 70.32.6[.]98 (cURL requests)
- 77.243.191[.]21 (cURL requests and FDM+3.x (Free Download Manager v3) enumeration/iteration)
- 92.223.89[.]73 (cURL requests)
CISA and the FBI are aware the following IOCs have been used by this Iran-based actor. These IP addresses facilitated the mass dissemination of voter intimidation email messages on October 20, 2020.
- 195.181.170[.]244 (Observed September 30 and October 20, 2020)
- 102.129.239[.]185 (Observed September 30, 2020)
- 104.206.13[.]27 (Observed September 30, 2020)
- 154.16.93[.]125 (Observed September 30, 2020)
- 185.191.207[.]169 (Observed September 30, 2020)
- 185.191.207[.]52 (Observed September 30, 2020)
- 194.127.172[.]98 (Observed September 30, 2020)
- 194.35.233[.]83 (Observed September 30, 2020)
- 198.147.23[.]147 (Observed September 30, 2020)
- 198.16.66[.]139(Observed September 30, 2020)
- 212.102.45[.]3 (Observed September 30, 2020)
- 212.102.45[.]58 (Observed September 30, 2020)
- 31.168.98[.]73 (Observed September 30, 2020)
- 37.120.204[.]156 (Observed September 30, 2020)
- 5.160.253[.]50 (Observed September 30, 2020)
- 5.253.204[.]74 (Observed September 30, 2020)
- 64.44.81[.]68 (Observed September 30, 2020)
- 84.17.45[.]218 (Observed September 30, 2020)
- 89.187.182[.]106 (Observed September 30, 2020)
- 89.187.182[.]111 (Observed September 30, 2020)
- 89.34.98[.]114 (Observed September 30, 2020)
- 89.44.201[.]211 (Observed September 30, 2020)
The following list provides recommended self-protection mitigation strategies against cyber techniques used by advanced persistent threat actors:
- Validate input as a method of sanitizing untrusted input submitted by web application users. Validating input can significantly reduce the probability of successful exploitation by providing protection against security flaws in web applications. The types of attacks possibly prevented include SQL injection, Cross Site Scripting (XSS), and command injection.
- Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable unnecessary services and install available patches for the services in use. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
- Verify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a valid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
- Enable strong password requirements and account lockout policies to defend against brute-force attacks.
- Apply multi-factor authentication, when possible.
- Maintain a good information back-up strategy by routinely backing up all critical data and system configuration information on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.
- Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
- Ensure third parties that require RDP access follow internal remote access policies.
- Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
- Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as a VPNs. However, recognize the security of VPNs matches the security of the connected devices.
- Use security features provided by social media platforms; use strong passwords, change passwords frequently, and use a different password for each social media account.
- See CISA’s Tip on Best Practices for Securing Election Systems for more information.
Keep applications and systems updated and patched
Apply all available software updates and patches and automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed of threat actors to create new exploits following the release of a patch. These “N-day” exploits can be as damaging as zero-day exploits. Ensure the authenticity and integrity of vendor updates by using signed updates delivered over protected links. Without the rapid and thorough application of patches, threat actors can operate inside a defender’s patch cycle. NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies" https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf Additionally, use tools (e.g., the OWASP Dependency-Check Project tool https://owasp.org/www-project-dependency-check/) to identify the publicly known vulnerabilities in third-party libraries depended upon by the application.
Scan web applications for SQL injection and other common web vulnerabilities
Implement a plan to scan public-facing web servers for common web vulnerabilities (e.g., SQL injection, cross-site scripting) by using a commercial web application vulnerability scanner in combination with a source code scanner. https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm Fixing or patching vulnerabilities after they are identified is especially crucial for networks hosting older web applications. As sites get older, more vulnerabilities are discovered and exposed.
Deploy a web application firewall
Deploy a web application firewall (WAF) to prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.
Deploy techniques to protect against web shells
Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware. NSA & ASD "CyberSecurity Information: Detect and Prevent Web Shell Malware" https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.
Use multi-factor authentication for administrator accounts
Prioritize protection for accounts with elevated privileges, remote access, or used on high-value assets. https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs). NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies" https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.
Remediate critical web application security risks
First, identify and remediate critical web application security risks. Next, move on to other less critical vulnerabilities. Follow available guidance on securing web applications. NSA “Building Web Applications – Security for Developers” https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm https://owasp.org/www-project-top-ten/ https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
How do I respond to unauthorized access to election-related systems? Implement your security incident response and business continuity planIt may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.
Contact CISA or law enforcement immediatelyTo report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.gov or 888-282-0870) or the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).
Resources- CISA Tip: Best Practices for Securing Election Systems
- CISA Tip: Securing Voter Registration Data
- CISA Tip: Website Security
- CISA Tip: Avoiding Social Engineering and Phishing Attacks
- CISA Tip: Securing Network Infrastructure Devices
- Joint Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity
- CISA Insights: Actions to Counter Email-Based Attacks on Election-related Entities
- FBI and CISA Public Service Announcement (PSA): Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters
- FBI and CISA PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections
- FBI and CISA PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting
- FBI and CISA PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections
- FBI and CISA PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting
- FBI and CISA PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Result
Revisions
- October 30, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
Click here for a PDF version of this report.
Key Findings- CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
- These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
Since 2016, the cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. What began as a banking trojan and descendant of Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk. In early 2019, the FBI began to observe new Trickbot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.
Anchor_DNS is a backdoor that allows victim machines to communicate with command and control (C2) servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic.
After successful execution of the malware, Trickbot copies itself as an executable file with a 12-character (includes .exe), randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.
- C:\Windows\
- C:\Windows\SysWOW64\
- C:\Users\[Username]\AppData\Roaming\
The malware may also drop a file named anchorDiag.txt in one of the directories listed above.
Prior to initiating communications with the C2 server, the malware uses an infection marker of Global\fde345tyhoVGYHUJKIOuy, typically found in the running memory of the victim machine.
Part of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded GUID. The GUID is composed of /GroupID/ClientID/ with the following naming convention:
/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/.
The malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. The scheduled task typically uses the following naming convention.
[random_folder_name_in_%APPDATA%_excluding_Microsoft]
autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876).
After successful execution, Anchor_DNS further deploys malicious batch scripts (.bat) using PowerShell commands.
The malware deploys self-deletion techniques by executing the following commands.
- cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
- cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"
The following domains found in outbound DNS records are associated with Anchor_DNS.
- kostunivo[.]com
- chishir[.]com
- mangoclone[.]com
- onixcellent[.]com
This malware used the following legitimate domains to test internet connectivity.
- ipecho[.]net
- api[.]ipify[.]org
- checkip[.]amazonaws[.]com
- ip[.]anysrc[.]net
- wtfismyip[.]com
- ipinfo[.]io
- icanhazip[.]com
- myexternalip[.]com
The Anchor_DNS malware historically used the following C2 servers.
- 23[.]95[.]97[.]59
- 51[.]254[.]25[.]115
- 193[.]183[.]98[.]66
- 91[.]217[.]137[.]37
- 87[.]98[.]175[.]85
Typically Ryuk has been deployed as a payload from banking Trojans such as Trickbot. (See the United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally, on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the files have .ryuk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.
While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.
Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management , and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.
Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.
In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The RyukReadMe file placed on the system after encryption provides either one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes contact.
The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.
Initial testing indicates that the RyukReadMe file does not need to be present for the decryption script to run successfully but other reporting advises some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the RyukReadMe file is deleted when the script is finished. This may affect the decryption script unless it is saved and stored in a different location before running.
According to MITRE, Ryuk uses the ATT&CK techniques listed in table 1.
Table 1: Ryuk ATT&CK techniques
Technique Use System Network Configuration Discovery [T1016] Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries.Masquerading: Match Legitimate Name or Location [T1036.005]
Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public. Process Injection [T1055] Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread. Process Discovery [T1057] Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes. Command and Scripting Interpreter: Windows Command Shell [T1059.003] Ryuk has used cmd.exe to create a Registry entry to establish persistence. File and Directory Discovery [T1083] Ryuk has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type. Native API [T1106] Ryuk has used multiple native APIs including ShellExecuteW to run executables; GetWindowsDirectoryW to create folders; and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection. Access Token Manipulation [T1134] Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege. Data Encrypted for Impact [T1486] Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory. Service Stop [T1489] Ryuk has called kill.bat for stopping services, disabling services and killing processes. Inhibit System Recovery [T1490] Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1047.001] Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Impair Defenses: Disable or Modify Tools [T1562.001] Ryuk has stopped services related to anti-virus. MitigationsFor a downloadable copy of IOCs, see AA20-302A.stix.
Plans and PoliciesCISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.
Network Best Practices- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets such as patient database servers, medical records, and teleheatlh and telework infrastructure; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:
- Regularly back up data, air gap, and password protect backup copies offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
- Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data. Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a Trickbot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs.
GENERAL RANSOMWARE MITIGATIONS — HPH SECTORThis section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)'s Joint Ransomware Guide, which can be found at https://www.cisa.gov/publication/ransomware-guide.
CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.
Ransomware Prevention Join and Engage with Cybersecurity OrganizationsCISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:
- Join a healthcare information sharing organization, H-ISAC:
- Health Information Sharing and Analysis Center (H-ISAC): https://h-isac.org/membership-account/join-h-isac/
- Sector-based ISACs - National Council of ISACs: https://www.nationalisacs.org/member-isacs
- Information Sharing and Analysis Organization (ISAO) Standards Organization: https://www.isao.org/information-sharing-groups/
- Engage with CISA and FBI, as well as HHS—through the HHS Health Sector Cybersecurity Coordination Center (HC3)—to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises.
Engaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.
Follow Ransomware Best PracticesRefer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.
- It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.
- Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.
- Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
- Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.
- Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
- Ensure all backup hardware is properly patched.
- In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
- Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
- Review available incident response guidance, such as CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity https://us-cert.cisa.gov/ncas/alerts/aa20-245a.
- Help your organization better organize around cyber incident response.
- Develop a cyber incident response plan.
- The Ransomware Response Checklist, available in the CISA and MS-ISAC Joint Ransomware Guide, serves as an adaptable, ransomware- specific annex to organizational cyber incident response or disruption plans.
- Review and implement as applicable MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf).
- Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.
- Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following:
- Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.
- Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.
- Coordinate the potential for surge support with other healthcare facilities in the greater local area. This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant amount of critical patients for immediate care. This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.
- Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if the primary network becomes unavailable if/when needed.
- Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.
- Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.
- See CISA and MS-ISAC's Joint Ransomware Guide for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.
- HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at http://www.hhs.gov/hc3.
- The Food and Drug Administration provides multiple guidance documents regarding the hardening of healthcare and specifically medical devices found here: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.
- See CISA and MS-ISAC's Joint Ransomware Guide for additional in-depth hardening guidance.
- Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.
- Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: https://www.cisa.gov/cyber-resource-hub.
- Assessments include Vulnerability Scanning and Phishing Campaign Assessment.
- Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.
- CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.
- Contacts:
- SLTT organizations: CyberLiaison_SLTT@cisa.dhs.gov
- Private sector organizations: CyberLiaison_Industry@cisa.dhs.gov
- Ransomware: What It Is and What to Do About It (CISA): General ransomware guidance for organizational leadership and more in-depth information for CISOs and technical staff: https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_ Document-FINAL.pdf
- Ransomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks, specific ransomware threats, and other resources: https://www.us-cert.cisa.gov/Ransomware
- HHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at www.hhs.gov/hc3
- Security Primer – Ransomware (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns, common infection vectors, and best practice recommendations: https://www.cisecurity.org/white-papers/security-primer-ransomware/
- Ransomware: Facts, Threats, and Countermeasures (MS- ISAC): Facts about ransomware, infection vectors, ransomware capabilities, and how to mitigate the risk of ransomware infection: https://www.cisecurity.org/blog/ransomware- facts-threats-and-countermeasures/
- HHS Ransomware Fact Sheet: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
- NIST Securing Data Integrity White Paper: https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft
Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.
Should your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in CISA and MS-ISAC's Joint Ransomware Guide, which contains steps for detection and analysis as well as containment and eradication.
Consider the Need For Extended Identification or Analysis- If extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:
- Recovered executable file
- Copies of the readme file – DO NOT REMOVE the file or decryption may not be possible
- Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
- Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
- Malware samples
- Names of any other malware identified on your system
- Encrypted file samples
- Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)
- Any PowerShell scripts found having executed on the systems
- Any user accounts created in Active Directory or machines added to the network during the exploitation
- Email addresses used by the attackers and any associated phishing emails
- A copy of the ransom note
- Ransom amount and whether or not the ransom was paid
- Bitcoin wallets used by the attackers
- Bitcoin wallets used to pay the ransom (if applicable)
- Copies of any communications with attackers
Upon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.
- CISA – Advanced Malware Analysis Center: https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf
- Remote Assistance – Request via Central@cisa.gov
CISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for purpose of notification.
- State and Local Response Contacts
- IT/IT Security Team – Centralized Cyber Incident Reporting
- State and Local Law Enforcement
- Fusion Center
- Managed/Security Service Providers
- Cyber Insurance
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.
Additionally, see the CISA and MS-ISAC's Joint Ransomware Guide for information on contacting—and what to expect from contacting—federal asset response contacts and federal threat response contacts.
DISCLAIMERThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://cisa.gov/tlp.
References- CISA Emergency Services Sector Continuity Planning Suite
- CISA MS-ISAC Joint Ransomware Guide
- CISA Tip: Avoiding Social Engineering and Phishing Attacks
- FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations"
- Health Industry Cybersecurity Tactical Crisis Response
- Health Industry Cybersecurity Practices (HICP)
- HHS - Ransomware Spotlight Webinar
- HHS - Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
- HHS - Ransomware Briefing
- HHS - Aggressive Ransomware Impacts
- HHS - Ransomware Fact Sheet
- HHS - Cyber Attack Checklist
- HHS - Cyber-Attack Response Infographic
- NIST - Data Integrity Publication
- NIST - Guide for Cybersecurity Event Recovery
- NIST - Identifying and Protecting Assets Against Ransomware and Other Destructive Events
- NIST - Detecting and Responding to Ransomware and Other Destructive Events
- NIST - Recovering from Ransomware and Other Destructive Events
- October 28, 2020: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky
Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.
This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.
Click here for a PDF version of this report.
Key FindingsThis advisory’s key findings are:
- The Kimsuky APT group has most likely been operating since 2012.
- Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
- Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[1],[2]
- Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[3]
- Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
- Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
- Kimsuky specifically targets:
- CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.
Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access [TA0001] to victim networks.[9],[10],[11] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (Phishing: Spearphishing Attachment [T1566.001]).[12],[13]
- The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]
- Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.
- Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.
- After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.
- Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[15],[16],[17]
Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (Phishing: Spearphising Link [T1566.002], Drive-by Compromise [T1189], Man-in-the-Browser [T1185]).[18]
ExecutionAfter obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for Execution [TA0002].
- BabyShark is Visual Basic Script (VBS)-based malware.
- First, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to download and execute an HTML application (HTA) file from a remote system (Signed Binary Proxy Execution: Mshta [T1218.005]).
- The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
- The script maintains Persistence [TA0003] by creating a Registry key that runs on startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]).
- It then collects system information (System Information Discovery [T1082]), sends it to the operator’s command control (C2) servers, and awaits further commands.[19],[20],[21],[22]
- Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see Initial Access section for more information) (Phishing: Spearphising Link [T1566.002], Phishing: Spearphishing Attachment [T1566.001]). Kimsuky tailors email phishing messages to match its targets’ interests. Observed targets have been U.S. think tanks and the global cryptocurrency industry.[23]
- Kimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory (Command and Scripting Interpreter: PowerShell [T1059.001]). PowerShell commands/scripts can be executed without invoking powershell.exe through HTA files or mshta.exe.[24],[25],[26],[27]
Kimsuky has demonstrated the ability to establish Persistence [TA0003] through using malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.
- In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (Man-in-the-Browser [T1185]). The extension’s reviews gave it a five-star rating, however the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[28]
- Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (Boot or Logon Autostart Execution [T1547]). The service name may be disguised with the name from a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[29],[30]
- During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (Remote Services: Remote Desktop Protocol [T1021.001]).[31]
- Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (.hwp files) in the Registry (Event Triggered Execution: Change Default File Association [T1546.001]). Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[32] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly.[33]
- Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source Hypertext Processor (PHP)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (Server Software Component: Web Shell [T1505.003]). The actor often adds “Dinosaur” references within the modified web shell codes.[34]
Kimsuky uses well-known methods for Privilege Escalation [TA0004]. These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code in explorer.exe.
- Kimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass the User Account Control to inject malicious code into explorer.exe (Process Injection [T1055]). This malicious code decrypts its spying library—a collection of keystroke logging and remote control access tools and remote control download and execution tools—from resources, regardless of the victim’s operating system. It then saves the decrypted file to a disk with a random but hardcoded name (e.g., dfe8b437dd7c417a6d.tmp) in the user’s temporary folder and loads this file as a library, ensuring the tools are then on the system even after a reboot. This allows for the escalation of privileges.[35]
- Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) and ensures the remote process is loaded by creating a remote thread within explorer.exe (Process Injection [T1055]).[36]
Figure 1: Privileges set for the injection [37]
Defense EvasionKimsuky uses well-known and widely available methods for Defense Evasion [TA0005] within a network. These methods include disabling security tools, deleting files, and using Metasploit.[38],[39]
- Kimsuky’s malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (see figure 2) (Impair Defenses: Disable or Modify System Firewall [T1562.004]).[40]
Figure 2: Disabled firewall values in the Registry [41]
- Kimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server (Indicator Removal on Host: File Deletion [T1070.004]).[42]
- Kimsuky has used mshta.exe, which is a utility that executes Microsoft HTAs. It can be used for proxy execution of malicious .hta files and JavaScript or VBS through a trusted windows utility (Signed Binary Proxy Execution: Mshta [T1218.005]). It can also be used to bypass application allow listing solutions (Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]).[43],[44]
- Win7Elevate—which was noted above—is also used to evade traditional security measures. Win7Elevatve is a part of the Metasploit framework open-source code and is used to inject malicious code into explorer.exe (Process Injection [T1055]). The malicious code decrypts its spying library from resources, saves the decrypted file to disk with a random but hardcoded name in the victim's temporary folder, and loads the file as a library.[45],[46],[47]
Kimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and keyloggers (Credential Access [TA0006]).
- Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. Kimsuky uses ProcDump, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization (OS Credential Dumping [T1003]). ProcDump monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware.[48]
- According to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords and cookies from browsers (Man-in-the-Browser [T1185]).[49],[50] The spearphishing email directs a victim to a phishing site, where the victim is shown a benign PDF document but is not able to view it. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51]
Figure 3: JavaScript file, named jQuery.js [52]
- Kimsuky also uses a PowerShell based keylogger, named MECHANICAL, and a network sniffing tool, named Nirsoft SniffPass (Input Capture: Keylogging [T1056.001], Network Sniffing [T1040]). MECHANICAL logs keystrokes to %userprofile%\appdata\roaming\apach.{txt,log} and is also a "cryptojacker," which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols.[53]
- Kimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between the victim and the website accessed by the victims and to collect any credentials entered by the victim.[54]
Kimsuky enumerates system information and the file structure for victims’ computers and networks (Discovery [TA0007]). Kimsuky appears to rely on using the victim’s operating system command prompt to enumerate the file structure and system information (File and Directory Discovery [T1083]). The information is directed to C:\WINDOWS\msdatl3.inc, read by malware, and likely emailed to the malware’s command server.[55]
CollectionKimsuky collects data from the victim system through its HWP document malware and its keylogger (Collection [TA0009]). The HWP document malware changes the default program association in the Registry to open HWP documents (Event Triggered Execution: Change Default File Association [T1546.001]). When a user opens an HWP file, the Registry key change triggers the execution of malware that opens the HWP document and then sends a copy of the HWP document to an account under the adversary’s control. The malware then allows the user to open the file as normal without any indication to the user that anything has occurred. The keylogger intercepts keystrokes and writes them to C:\Program Files\Common Files\System\Ole DB\msolui80.inc and records the active window name where the user pressed keys (Input Capture: Keylogging [T1056.001]). There is another keylogger variant that logs keystrokes into C:\WINDOWS\setup.log.[56]
Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various implants based on C2 options specified after the filedown.php (see figure 4).
Figure 4: Python Script targeting MacOS [57]
Command and ControlKimsuky has used a modified TeamViewer client, version 5.0.9104, for Command and Control [TA0011] (Remote Access Software [T1219]). During the initial infection, the service “Remote Access Service” is created and adjusted to execute C:\Windows\System32\vcmon.exe at system startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]). Every time vcmon.exe is executed, it disables the firewall by zeroing out Registry values (Impair Defenses: Disable or Modify System Firewall [T1562.004]). The program then modifies the TeamViewer Registry settings by changing the TeamViewer strings in TeamViewer components. The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work. The SecurityPasswordAES Registry value represents a hash of the password used by a remote user to connect to TeamViewer Client (Use Alternate Authentication Material: Pass the Hash [T1550.002]). This way, the attackers set a pre-shared authentication value to have access to the TeamViewer Client. The attacker will then execute the TeamViewer client netsvcs.exe.[58]
Kimsuky has been using a consistent format. In the URL used recently—express.php?op=1—there appears to be an option range from 1 to 3.[59]
ExfiltrationOpen-source reporting from cybersecurity companies describes two different methods Kimsuky has used to exfiltrate stolen data: via email or through an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer (Exfiltration [TA0010]).
There was no indication that the actor destroyed computers during the observed exfiltrations, suggesting Kimsuky’s intention is to steal information, not to disrupt computer networks. Kimsuky’s preferred method for sending or receiving exfiltrated information is through email, with their malware on the victim machine encrypting the data before sending it to a C2 server (Archive Collected Data [T1560]). Kimsuky also sets up auto-forward rules within a victim’s email account (Email Collection: Email Forwarding Rule [T1114.003]).
Kimsuky also uses an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer to exfiltrate stolen data. The data is sent RSA-encrypted (Encrypted Channel: Symmetric Cryptography [T1573.001]). Kimsuky’s malware constructs an 1120-bit public key and uses it to encrypt the 117-bytes buffer. The resulting data file is saved in C:\Program Files\Common Files\System\Ole DB\ (Data Staged: Local Data Staging [T1074.001]).[60]
MitigationsIndicators of CompromiseKimsuky has used the domains listed in table 1 to carry out its objectives:
For a downloadable copy of IOCs, see AA20-301A.stix.
Table 1: Domains used by Kimsuky
login.bignaver.com
nytimes.onekma.com
webuserinfo.com
member.navier.pe.hu
nid.naver.onektx.com
pro-navor.com
cloudnaver.com
read.tongilmoney.com
naver.pw
resetprofile.com
nid.naver.unicrefia.com
daurn.org
servicenidnaver.com
mail.unifsc.com
naver.com.de
account.daurn.pe.hu
member.daum.unikortv.com
ns.onekorea.me
login.daum.unikortv.com
securetymail.com
riaver.site
account.daum.unikortv.com
help-navers.com
mailsnaver.com
daum.unikortv.com
beyondparallel.sslport.work
cloudmail.cloud
member.daum.uniex.krcomment.poulsen.work
helpnaver.com
jonga.ml
impression.poulsen.work
view-naver.com
myaccounts.gmail.kr-infos.com
statement.poulsen.work
view-hanmail.net
naver.hol.es
demand.poulsen.work
login.daum.net-accounts.info
dept-dr.lab.hol.es
sankei.sslport.work
read-hanmail.net
Daurn.pe.hu
sts.desk-top.work
net.tm.ro
Bigfile.pe.hu
hogy.desk-top.work
daum.net.pl
Cdaum.pe.hu
kooo.gq
usernaver.com
eastsea.or.kr
tiosuaking.com
naver.com.ec
myaccount.nkaac.net
help.unikoreas.kr
naver.com.mx
naver.koreagov.com
resultview.com
naver.com.se
naver.onegov.com
account.daum.unikftc.kr
naver.com.cm
member-authorize.com
ww-naver.com
nid.naver.com.se
naver.unibok.kr
vilene.desk-top.work
csnaver.com
nid.naver.unibok.kr
amberalexander.ghtdev.com
nidnaver.email
read-naver.com
nidnaver.net
cooper.center
dubai-1.com
coinone.co.in
nidlogin.naver.corper.be
amberalexander.ghtdev.com
naver.com.pl
nid.naver.corper.be
gloole.net
naver.cx
naverdns.co
smtper.org
smtper.cz
naver.co.in
login.daum.kcrct.ml
myetherwallet.com.mx
downloadman06.com
login.outlook.kcrct.ml
myetherwallet.co.in
loadmanager07.com
top.naver.onekda.com
com-download.work
com-option.work
com-sslnet.work
com-vps.work
com-ssl.work
desk-top.work
intemet.work
jp-ssl.work
org-vip.work
sslport.work
sslserver.work
ssltop.work
taplist.work
vpstop.work
webmain.work
preview.manage.org-view.work
intranet.ohchr.account-protect.work
Table 2: Redacted domains used by Kimsuky
[REDACTED]/home/dwn.php?van=101
[REDACTED]/home/dwn.php?v%20an=101
[REDACTED]/home/dwn.php?van=102
[REDACTED]/home/up.php?id=NQDPDE
[REDACTED]/test/Update.php?wShell=201
Contact Information
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.
DISCLAIMERThis information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.
The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
References- [1] Netscout: Stolen Pencil Campaign Targets Academia
- [2] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [3] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [4] Netscout: Stolen Pencil Campaign Targets Academia
- [5] MITRE ATT&CK: Groups – Kimsuky
- [6] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities
- [7] MITRE ATT&CK: Groups – Kimsuky
- [8] CrowdStrike: 2020 Global Threat Report
- [9] Malwarebytes: APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
- [10] PwC: Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2
- [11] CrowdStrike: 2020 Global Threat Report
- [12] Netscout: Stolen Pencil Campaign Targets Academia
- [13] MITRE ATT&CK: Groups – Kimsuky
- ">[14] Private Sector Partner
- [15] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [16] Malwarebytes: APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
- [17] cyberscoop: North Korea could accelerate commercial espionage to meet Kim’s economic deadline
- [18] MITRE ATT&CK: Groups – Kimsuky
- [19] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [20] MITRE ATT&CK: Groups – Kimsuky
- [21] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [22] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [23] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [24] MITRE ATT&CK: Groups – Kimsuky
- [25] Palo Alto Networks Unit 42: BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
- [26] McAfee: What is mshta, how can it be used and how to protect against it
- [27] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [28] Netscout: Stolen Pencil Campaign Targets Academia
- [29] MITRE ATT&CK: Groups – Kimsuky
- [30] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [31] Netscout: Stolen Pencil Campaign Targets Academia
- [32] Securelist: The “Kimsuky” Operation: A North Korean APT?
- ">[33] Private Sector Partner
- ">[34] Private Sector Partner
- [35] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [36] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs
- [37] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs
- [38] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [39] MITRE ATT&CK: Groups – Kimsuky
- [40] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [41] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [42] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [43] MITRE ATT&CK: Groups – Kimsuky
- [44] McAfee: What is mshta, how can it be used and how to protect against it
- [45] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities
- [46] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [47] MITRE ATT&CK: Groups – Kimsuky
- [48] Detecting credential theft through memory access modelling with Microsoft Defender ATP
- [49] MITRE ATT&CK: Groups – Kimsuky
- [50] ZDNet: Cyber-espionage-group-uses-chrome-extension-to-infect-victims
- [51] ZDNet: Cyber-espionage-group-uses-chrome-extension-to-infect-victims
- [52] Netscout: Stolen Pencil Campaign Targets Academia
- [53] Netscout: Stolen Pencil Campaign Targets Academia
- ">[54] Private Sector Partner
- [55] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [56] Securelist: The “Kimsuky” Operation: A North Korean APT?
- ">[57] Private Sector Partner
- [58] Securelist: The “Kimsuky” Operation: A North Korean APT?
- ">[59] Private Sector Partner
- [60] Securelist: The “Kimsuky” Operation: A North Korean APT?
- October 27, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.
The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.
The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.
Click here for a PDF version of this report.
Technical DetailsThese actors have conducted a significant number of intrusions against U.S.-based networks since August 2019. The actors leveraged several Common Vulnerabilities and Exposures (CVEs)—notably CVE-2020-5902 and CVE-2017-9248—pertaining to virtual private networks (VPNs) and content management systems (CMSs).
- CVE-2020-5902 affects F5 VPNs. Remote attackers could exploit this vulnerability to execute arbitrary code. [1].
- CVE-2017-9248 affects Telerik UI. Attackers could exploit this vulnerability in web applications using Telerik UI for ASP.NET AJAX to conduct cross-site scripting (XSS) attacks.[2]
Historically, these actors have conducted DDoS attacks, SQL injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. These activities could render these systems temporarily inaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of results.
- A DDoS attack could slow or render election-related public-facing websites inaccessible by flooding the internet-accessible server with requests; this would prevent users from accessing online resources, such as voting information or non-official voting results. In the past, cyber actors have falsely claimed DDoS attacks have compromised the integrity of voting systems in an effort to mislead the public that their attack would prevent a voter from casting a ballot or change votes already cast.
- A SQL injection involves a threat actor inserting malicious code into the entry field of an application, causing that code to execute if entries have not been sanitized. SQL injections are among the most dangerous and common exploits affecting websites. A SQL injection into a media company’s CMS could enable a cyber actor access to network systems to manipulate content or falsify news reports prior to publication.
- Spear-phishing messages may not be easily detectible. These emails often ask victims to fill out forms or verify information through links embedded in the email. APT actors use spear phishing to gain access to information—often credentials, such as passwords—and to identify follow-on victims. A malicious cyber actor could use compromised email access to spread disinformation to the victims’ contacts or collect information sent to or from the compromised account.
- Public-facing website defacements typically involve a cyber threat actor compromising the website or its associated CMS, allowing the actor to upload images to the site’s landing page. In situations where such public-facing websites relate to elections (e.g., the website of a county board of elections), defacements could cast doubt on the security and legitimacy of the websites’ information. If cyber actors were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised..
- Disinformation campaigns involve malign actions taken by foreign governments or actors designed to sow discord, manipulate public discourse, or discredit the electoral system. Malicious actors often use social media as well as fictitious and spoofed media sites for these campaigns. Based on their corporate policies, social media companies have worked to counter these actors’ use of their platforms to promote fictitious news stories by removing the news stories, and in many instances, closing the accounts related to the malicious activity. However, these adversaries will continue their attempts to create fictitious accounts that promote divisive storylines to sow discord, even after the election.
The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:
- Validate input—input validation is a method of sanitizing untrusted input provided by web application users. Implementing input validation can protect against security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly prevented include SQL injection, XSS, and command injection.
- Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
- Verify all cloud-based virtual machine instances with a public IP; do not have open RDP ports, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall, and require users to use a VPN to access it through the firewall.
- Enable strong password requirements and account lockout policies to defend against brute-force attacks.
- Apply multi-factor authentication, when possible.
- Apply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248.
- For patch information on CVE-2020-5902, refer to F5 Security Advisory K52145254.
- For patch information on CVE-2017-9248, refer to Progress Telerik details for CVE-2017-9248.
- Maintain a good information back-up strategy that involves routinely backing up all critical data and system configuration information on a separate device. Store the backups offline; verify their integrity and restoration process.
- Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days, and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
- Ensure third parties that require RDP access are required to follow internal policies on remote access.
- Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
- Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.
- Be aware of unsolicited contact on social media from any individual you do not know.
- Be aware of attempts to pass links or files via social media from anyone you do not know.
- Be aware of unsolicited requests to share a file via online services.
- Be aware of email messages conveying suspicious alerts or other online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.
- Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an IP address not attributable to the provider/company).
- Be suspicious of unsolicited email messages that contain shortened links (e.g., via tinyurl, bit.ly).
- Use security features provided by social media platforms, use strong passwords, change passwords frequently, and use a different password for each social media account.
- See CISA’s Tip on Best Practices for Securing Election Systems for more information.
Apply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These “N-day” exploits can be as damaging as a zero-day exploits. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.[3] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool[4]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.
Scan web applications for SQL injection and other common web vulnerabilitiesImplement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner.[5] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.
Deploy a web application firewallDeploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.
Deploy techniques to protect against web shellsPatch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware.[6] Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.
Use multi-factor authentication for administrator accountsPrioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[7] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs).[8] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.
Remediate critical web application security risksFirst, identify and remedite critical web application security risks first; then, move on to other less critical vulnerabilities. Follow available guidance on securing web applications.[9],[10],[11]
How do I respond to unauthorized access to election-related systems? Implement your security incident response and business continuity planIt may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.
Contact CISA or law enforcement immediatelyTo report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.dhs.gov or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).
Resources- CISA Tip: Best Practices for Securing Election Systems
- CISA Tip: Securing Voter Registration Data
- CISA Tip: Website Security
- CISA Tip: Avoiding Social Engineering and Phishing Attacks
- CISA Tip: Securing Network Infrastructure Devices
- CISA Activity Alert: Technical Approaches to Uncovering and Remediating Malicious Activity
- CISA Insights: Actions to Counter Email-Based Attacks On Election-related Entities
- FBI and CISA Public Service Announcement (PSA): Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters
- FBI and CISA PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections
- FBI and CISA PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting
- FBI and CISA PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections
- FBI and CISA PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting
- FBI and CISA PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.
References- [1] F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902
- [2] Progress Telerik details for CVE-2017-9248
- [3] NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies
- [4] OWASP Dependency-Check
- [5] NSA "Defending Against the Exploitation of SQL Vulnerabilities to Compromise a Network"
- [6] NSA & ASD "CyberSecurity Information: Detect and Prevent Web Shell Malware"
- [7] CISA: Identifying and Protecting High Value Assets: A Closer Look at Governance Needs for HVAs:
- [8] NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies"
- [9] NSA “Building Web Applications – Security for Developers”:
- [10] OWASP Top Ten
- [11] 2020 CWE Top 25 Most Dangerous Software Weaknesses
- October 22, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-296A: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
Summary
This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques
This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.
Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.
The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
- Sensitive network configurations and passwords.
- Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
- IT instructions, such as requesting password resets.
- Vendors and purchasing information.
- Printing access badges.
To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.
As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.
Technical DetailsThe FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victim web servers (Exploit Public Facing Application [T1190]).
The actor is using 213.74.101[.]65 and 213.74.139[.]196 to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (Brute Force [T1110]; Exploit Public Facing Application [T1190]). The APT actor also hosted malicious domains, including possible aviation sector target columbusairports.microsoftonline[.]host, which resolved to 108.177.235[.]92 and [cityname].westus2.cloudapp.azure.com; these domains are U.S. registered and are likely SLTT government targets (Drive-By Compromise [T1189]).
The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug (CVE-2019-19781) and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).
The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003]).
Between early February and mid-September, these APT actors used 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to target U.S. SLTT government networks. Successful authentications—including the compromise of Microsoft Office 365 (O365) accounts—have been observed on at least one victim network (Valid Accounts [T1078]).
MitigationsIndicators of CompromiseThe APT actor used the following IP addresses and domains to carry out its objectives:
- 213.74.101[.]65
- 213.74.139[.]196
- 212.252.30[.]170
- 5.196.167[.]184
- 37.139.7[.]16
- 149.56.20[.]55
- 91.227.68[.]97
- 138.201.186[.]43
- 5.45.119[.]124
- 193.37.212[.]43
- 146.0.77[.]60
- 51.159.28[.]101
- columbusairports.microsoftonline[.]host
- microsoftonline[.]host
- email.microsoftonline[.]services
- microsoftonline[.]services
- cityname[.]westus2.cloudapp.azure.com
IP address 51.159.28[.]101 appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address 51.159.28[.]101 (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).
Organizations should check available logs for traffic to/from IP address 51.159.28[.]101 for indications of credential-harvesting activity. As the APT actors likely have—or will—establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.
Refer to AA20-296A.stix for a downloadable copy of IOCs.
Network Defense-in-DepthProper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.
- Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.
Table 1: Patch information for CVEs
Vulnerability Vulnerable Products Patch Information CVE-2019-19781- Citrix Application Delivery Controller
- Citrix Gateway
- Citrix SDWAN WANOP
Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0
Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3
Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0
Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
CVE-2020-0688- Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 14
- Microsoft Exchange Server 2016 Cumulative Update 15
- Microsoft Exchange Server 2019 Cumulative Update 3
- Microsoft Exchange Server 2019 Cumulative Update 4
Microsoft Security Advisory for CVE-2020-0688 CVE-2019-10149
- Exim versions 4.87–4.91
- FortiOS 6.0: 6.0.0 to 6.0.4
- FortiOS 5.6: 5.6.3 to 5.6.7
- FortiOS 5.4: 5.4.6 to 5.4.12
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 2004 (Server Core installation)
Microsoft Security Advisory for CVE-2020-1472
- Follow Microsoft’s guidance on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.
- If appropriate for your organization’s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on SMB Security Best Practices for more information.
- Implement the prevention, detection, and mitigation strategies outlined in:
- CISA Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.
- National Security Agency Cybersecurity Information Sheet U/OO/134094-20 – Detect and Prevent Web Shells Malware.
- Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.
- Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
- Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and WINDOWS folders. All other locations should be disallowed unless an exception is granted.
- Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.
For accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT “Golden Tickets” may be required, and Microsoft has released specialized guidance for this. Such a reset should be performed very carefully if needed.
If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premise—as well as in Azure-hosted—AD instances.
Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.
It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.
- Create a temporary administrator account, and use this account only for all administrative actions
- Reset the Kerberos Ticket Granting Ticket (krbtgt) password;[1] this must be completed before any additional actions (a second reset will take place in step 5)
- Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
- Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
- User accounts (forced reset with no legacy password reuse)
- Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
- Service accounts
- Directory Services Restore Mode (DSRM) account
- Domain Controller machine account
- Application passwords
- Reset the krbtgt password again
- Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
- Reboot domain controllers
- Reboot all endpoints
The following accounts should be reset:
- AD Kerberos Authentication Master (2x)
- All Active Directory Accounts
- All Active Directory Admin Accounts
- All Active Directory Service Accounts
- All Active Directory User Accounts
- DSRM Account on Domain Controllers
- Non-AD Privileged Application Accounts
- Non-AD Unprivileged Application Accounts
- Non-Windows Privileged Accounts
- Non-Windows User Accounts
- Windows Computer Accounts
- Windows Local Admin
Implement the following recommendations to secure your organization’s VPNs:
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Software Updates and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates.
- Implement MFA on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.
Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:
- Audit configuration and patch management programs.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).
- Implement MFA, especially for privileged accounts.
- Use separate administrative accounts on separate administration workstations.
- Keep software up to date. Enable automatic updates, if available.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.
Resources- APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations – https://us-cert.cisa.gov/ncas/alerts/aa20-283a
- CISA Activity Alert CVE-2019-19781 – https://us-cert/cisa.gov/ncas/alerts/aa20-031a
- CISA Vulnerability Bulletin – https://us-cert/cisa.gov/ncas/bulletins/SB19-161
- CISA Current Activity – https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688
- Citrix Directory Traversal Bug (CVE-2019-19781) – https://nvd.nist.gov/vuln/detail/CVE-2019-19781
- Microsoft Exchange remote code execution flaw (CVE-2020-0688) – https://nvd.nist.gov/vuln/detail/CVE-2020-0688
- CVE-2018-13379 – https://nvd.nist.gov/vuln/detail/CVE-2018-13379
- CVE-2020-1472 – https://nvd.nist.gov/vuln/detail/CVE-2020-1472
- CVE 2019-10149 – https://nvd.nist.gov/vuln/detail/CVE-2019-10149
- NCCIC/USCERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance – https://us-cert.cisa.gov/ncas/alerts/TA15-314A
- NCCIC/US-CERT publication on SMB Security Best Practices – https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.
The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
References Revisions- October 22, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
Summary
This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
Note: the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.
This joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI).
CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.
This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.
CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.
Some common tactics, techniques, and procedures used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical CVE-2020-1472 Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding. CISA recommends network staff and administrators review internet-facing infrastructure for vulnerabilities, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510, Citrix NetScaler CVE-2020-19781, and Palo Alto Networks CVE-2020-2021 (this list is not considered exhaustive).
After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities.
Click here for a PDF version of this report.
Technical DetailsInitial AccessAPT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (Exploit Public-Facing Application [T1190], External Remote Services [T1133]) to gain initial access into systems. The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability CVE-2018-13379; however, other vulnerabilities, listed below, have been observed (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive).
- Citrix NetScaler CVE-2020-19781
- MobileIron CVE-2020-15505
- Pulse Secure CVE-2019-11510
- Palo Alto Networks CVE-2020-2021
- F5 BIG-IP CVE-2020-5902
CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.
MobileIron Core & Connector Vulnerability CVE-2020-15505CVE-202-15505 is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.
Privilege EscalationPost initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain Valid Account [T1078] credentials from AD servers.
Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472CVE-2020-1472 is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory. This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (Valid Accounts: Domain Accounts [T1078.002]). Malicious actors can leverage this vulnerability to compromise other devices on the network (Lateral Movement [TA0008]).
PersistenceOnce system access has been achieved, the APT actors use abuse of legitimate credentials (Valid Account [T1078]) to log in via VPN or Remote Access Services [T1133] to maintain persistence.
MitigationsOrganizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an “assume breach” mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.
Keep Systems Up to DatePatch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.
Table 1: Patch information for exploited CVEs
Vulnerability Vulnerable Products Patch Information CVE-2018-13379- FortiOS 6.0
- FortiOS 5.6
- FortiOS 5.4
- Citrix Application Delivery Controller
- Citrix Gateway
- Citrix SDWAN WANOP
- Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0
- Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3
- Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0
- Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
- Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)
- Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15
- Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15
- MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
- Sentry versions 9.7.2 and earlier, and 9.8.0;
- Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier
- Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1
- PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 2004 (Server Core installation)
If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure hosted AD instances.
Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.
It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.
- Create a temporary administrator account, and use this account only for all administrative actions
- Reset the Kerberos Ticket Granting Ticket (krbtgt) password; this must be completed before any additional actions and a second reset will take place in step 5
- Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
- Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
- User accounts (forced reset with no legacy password reuse)
- Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
- Service accounts
- Directory Services Restore Mode (DSRM) account
- Domain Controller machine account
- Application passwords
- Reset the krbtgt password again
- Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
- Reboot domain controllers
- Reboot all endpoints
The following accounts should be reset:
- AD Kerberos Authentication Master (2x)
- All Active Directory Accounts
- All Active Directory Admin Accounts
- All Active Directory Service Accounts
- All Active Directory User Accounts
- DSRM Account on Domain Controllers
- Non-AD Privileged Application Accounts
- Non-AD Unprivileged Application Accounts
- Non-Windows Privileged Accounts
- Non-Windows User Accounts
- Windows Computer Accounts
- Windows Local Admin
Implement the following recommendations to secure your organization’s VPNs:
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.
- Implement multi-factor authentication (MFA) on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.
Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. How to protect your organization against VPN vulnerabilities:
- Audit configuration and patch management programs.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
- Implement MFA, especially for privileged accounts.
- Use separate administrative accounts on separate administration workstations.
- Keep software up to date. Enable automatic updates, if available.
To secure your organization’s Netlogon channel connections:
- Update all Domain Controllers and Read Only Domain Controllers. On August 11, 2020, Microsoft released software updates to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).
- Monitor for new events, and address non-compliant devices that are using vulnerable Netlogon secure channel connections.
- Block public access to potentially vulnerable ports, such as 445 (SMB) and 135 (RPC).
To protect your organization against this CVE, follow advice from Microsoft, including:
- Update your domain controllers with an update released August 11, 2020 or later.
- Find which devices are making vulnerable connections by monitoring event logs.
- Address non-compliant devices making vulnerable connections.
- Enable enforcement mode to address CVE-2020-1472 in your environment.
- Collect and remove for further analysis:
- Relevant artifacts, logs, and data
- Implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
- Consider soliciting incident response support from a third-party IT security organization to:
- Provide subject matter expertise and technical support to the incident response,
- Ensure that the actor is eradicated from the network, and
- Avoid residual issues that could result in follow-up compromises once the incident is closed
- CISA VPN-Related Guidance
- CISA Infographic: Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&CK FRAMEWORK
- National Security Agency InfoSheet: Configuring IPsec Virtual Private Networks
- CISA Joint Advisory: AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity
- CISA Activity Alert: AA20-073A: Enterprise VPN Security
- CISA Activity Alert: AA20-031A: Detecting Citrix CVE-2019-19781
- CISA Activity Alert: AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability
- Cybersecurity Alerts and Advisories: Subscriptions to CISA Alerts and MS-ISAC Advisories
Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:
- CISA (888-282-0870 or Central@cisa.dhs.gov), or
- The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office
The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
Revisions
- October 9, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-280A: Emotet Malware
Summary
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).
Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.
To secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.
Technical DetailsEmotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]).The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing [T1110.001], Valid Accounts: Local Accounts [T1078.003], Remote Services: SMB/Windows Admin Shares [T1021.002]).
Emotet is difficult to combat because of its “worm-like” features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.
Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (Application Layer Protocol: Web Protocols [T1071.001]).
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR
Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (Exploitation of Remote Services [T1210]). Figure 1 lays out Emotet’s use of enterprise techniques.
Figure 1: MITRE ATT&CK enterprise techniques used by Emotet
Timeline of ActivityThe following timeline identifies key Emotet activity observed in 2020.
- February: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[1]
- July: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. businesses with COVID-19-themed lures.[2]
- August:
- Security researchers observed a 1,000 percent increase in downloads of the Emotet loader. Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[3]
- Proofpoint researchers noted mostly minimal changes in most tactics and tools previously used with Emotet. Significant changes included:
- Emotet delivering Qbot affiliate partner01 as the primary payload and
- The Emotet mail sending module’s ability to deliver benign and malicious attachments.[4]
- CISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.
- September:
- Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[5],[6],[7],[8]
- Security researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to “view” the documents—an action which actually enables the delivery of malware.[9]
- Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chain—using a spoofed identity—and attaching a malicious document to trick recipients into opening the file.[10]
According to MITRE, Emotet uses the ATT&CK techniques listed in table 1.
Table 1: Common exploit tools
Technique
UseOS Credential Dumping: LSASS Memory [T1003.001]
Emotet has been observed dropping password grabber modules including Mimikatz.
Remote Services: SMB/Windows Admin Shares [T1021.002]
Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.
Obfuscated Files or Information [T1027]
Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts.
Obfuscated Files or Information: Software Packing [T1027.002]
Emotet has used custom packers to protect its payloads.
Network Sniffing [T1040]
Emotet has been observed to hook network APIs to monitor network traffic.
Exfiltration Over C2 Channel [T1041]
Emotet has been seen exfiltrating system information stored within cookies sent within a HTTP GET request back to its command and control (C2) servers.
Windows Management Instrumentation [T1047]
Emotet has used WMI to execute powershell.exe.
Process Injection: Dynamic-link Library Injection [T1055.001]
Emotet has been observed injecting in to Explorer.exe and other processes.
Process Discovery [T1057]
Emotet has been observed enumerating local processes.
Command and Scripting Interpreter: PowerShell [T1059.001]
Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz.
Command and Scripting Interpreter: Windows Command Shell [T1059.003]
Emotet has used cmd.exe to run a PowerShell script.
Command and Scripting Interpreter: Visual Basic [T1059.005]
Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.
Valid Accounts: Local Accounts [T1078.003]
Emotet can brute force a local admin password, then use it to facilitate lateral movement.
Account Discovery: Email Account [T1087.003]
Emotet has been observed leveraging a module that can scrape email addresses from Outlook.
Brute Force: Password Guessing [T1110.001]
Emotet has been observed using a hard-coded list of passwords to brute force user accounts.
Email Collection: Local Email Collection [T1114.001]
Emotet has been observed leveraging a module that scrapes email data from Outlook.
User Execution: Malicious Link [T1204.001]
Emotet has relied upon users clicking on a malicious link delivered through spearphishing.
User Execution: Malicious File [T1204.002]
Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.
Exploitation of Remote Services [T1210]
Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.
Create or Modify System Process: Windows Service [T1543.003]
Emotet has been observed creating new services to maintain persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]
Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.
Scheduled Task/Job: Scheduled Task [T1053.005]
Emotet has maintained persistence through a scheduled task.
Unsecured Credentials: Credentials In Files [T1552.001]
Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.
Credentials from Password Stores: Credentials from Web Browsers [T1555.003]
Emotet has been observed dropping browser password grabber modules.
Archive Collected Data [T1560]
Emotet has been observed encrypting the data it collects before sending it to the C2 server.
Phishing: Spearphishing Attachment [T1566.001]
Emotet has been delivered by phishing emails containing attachments.
Phishing: Spearphishing Link [T1566.002]
Emotet has been delivered by phishing emails containing links.
Non-Standard Port [T1571]
Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/Hypertext Transfer Protocol Secure.
Encrypted Channel: Asymmetric Cryptography [T1573.002]
Emotet is known to use RSA keys for encrypting C2 traffic.
Detection SignaturesMS-ISAC developed the following Snort signature for use in detecting network activity associated with Emotet activity.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)
CISA developed the following Snort signatures for use in detecting network activity associated with Emotet activity. Note: Uniform Resource Identifiers should contain a random length alphabetical multiple directory string, and activity will likely be over ports 80, 8080, or 443.
alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-content/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-content/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:<17; classtype:http-uri; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-admin/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-admin/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:<15; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; classtype:http-uri; metadata:service http;)
MitigationsCISA and MS-ISAC recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.
- Block email attachments commonly associated with malware (e.g.,.dll and .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Enforce multi-factor authentication.
- Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
- Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to suspicious or risky sites.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
- Scan all software downloaded from the internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate access control lists.
- Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.
- See CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.
- See the joint CISA and MS-ISAC Ransomware Guide on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.
For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.
Resources- MS-ISAC Security Event Primer – Emotet
- CISA Alert TA18-201A – Emotet Malware
- MITRE ATT&CK – Emotet
- MITRE ATT&CK for Enterprise
- [1] Bleeping Computer: Emotet Malware Strikes U.S. Businesses with COVID-19 Spam
- [2] IBID
- [3] Security Lab: Emotet Update Increases Downloads
- [4] Proofpoint: A Comprehensive Look at Emotet’s Summer 2020 Return
- [5] ZDNet: France, Japan, New Zealand Warn of Sudden Strike in Emotet Attacks
- [6] Bleeping Computer: France Warns of Emotet Attacking Companies, Administration
- [7] ESET: Emotet Strikes Quebec’s Department of Justice: An ESET Analysis
- [8] ZDNet: Microsoft, Italy, and the Netherlands Warn of Increased Emotet Activity
- [9] Bleeping Computer: Emotet Double Blunder: Fake ‘Windows 10 Mobile’ and Outdated Messages
- [10] Palo Alto Networks: Case Study: Emotet Thread Hijacking, an Email Attack Technique
- October 6, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.