Une étude menée pendant l’été par Opinium pour Kaspersky révèle que 92 % des Français seraient prêts à changer tout ou partie de leur apparence physique grâce aux avancées de l’augmentation humaine, c’est-à-dire l’amélioration des capacités humaines grâce aux sciences et aux technologies.
The post Devenir un cyborg, c’est possible : Deux Français sur 3 prêts à devenir « un être humain augmenté » first appeared on UnderNews.
Immediately after revealing criminal charges against 5 Chinese and 2 Malaysian hackers, the United States government yesterday also made two separate announcements charging two Iranian and two Russian hackers and added them to the FBI’s most-wanted list.
The two Russian nationals—Danil Potekhin and Dmitrii Karasavidi—are accused of stealing $16.8 million worth of cryptocurrencies in a series of
Source de l’article sur The Hacker News
The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected
Source de l’article sur The Hacker News
Original release date: September 15, 2020
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.
This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.
Click here for a PDF version of this report.
CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.
After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.
CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.
Table 1 illustrates some of the common tools this threat actor has used.
Table 1: Common exploit tools
|
Tool |
Detail |
|---|---|
|
ChunkyTuna web shell |
ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. |
|
Tiny web shell |
Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. |
|
China Chopper web shell |
China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. |
| FRPC | FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. |
| Chisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. |
| ngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. |
| Nmap | Nmap is used for vulnerability scanning and network discovery. |
| Angry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. |
| Drupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. |
Notable means of detecting this threat actor:
The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.
/netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php
/netscaler/ns_gui/vpn/images/vpn_ns_gui.php
/var/vpn/themes/imgs/tiny.php
/var/vpn/themes/imgs/debug.php
/var/vpn/themes/imgs/include.php
/var/vpn/themes/imgs/whatfile
/var/nstmp/chisel
As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.
Table 2: Initial access techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902. |
After gaining initial access, the threat actor began executing scripts, as shown in table 3.
Table 3: Execution techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | A PowerShell script (keethief and kee.ps1) was used to access KeePass data. |
|
| Command and Scripting Interpreter: Windows Command Shell | cmd.exe was launched via sticky keys that was likely used as a password changing mechanism. |
CISA observed the threat actor using the techniques identified in table 4 to establish persistence.
Table 4: Persistence techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to cron and ran them for various purposes (mainly to access NetScaler web forms). |
|
| Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (frpc.exe) on both NetScaler and internal devices. The task was named lpupdate and the binary was named svchost, which was the reverse proxy. The threat actor executed this command daily. |
|
| Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna. | |
| Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (sethc.exe) to launch cmd.exe. |
CISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.
CISA observed the threat actor using the techniques identified in table 5 to evade detection.
Table 5: Defensive evasion techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection. | |
| Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection. | |
| Masquerading: Masquerade Task or Service | The threat actor used FRPC (frpc.exe) daily as reverse proxy, tunneling RDP over TLS. The FRPC (frpc.exe) task name was lpupdate and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok. |
|
| Masquerading: Match Legitimate Name or Location | The FRPC (frpc.exe) binary name was svchost, and the configuration file was dllhost.dll, attempting to masquerade as a legitimate Dynamic Link Library. |
|
| Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran ./httpd-nscache_clean every 30 minutes, which cleaned up files on the NetScaler device. |
CISA observed the threat actor using the techniques identified in table 6 to further their credential access.
Table 6: Credential access techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| OS Credential Dumping: LSASS Memory | The threat actor used procdump to dump process memory from the Local Security Authority Subsystem Service (LSASS). |
|
| OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file. | |
| Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials. | |
| Credentials from Password Stores | The threat actor accessed a KeePass database multiple times and used kee.ps1 PowerShell script. |
|
| Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account. |
CISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.
Table 7: Discovery techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. | |
| File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. | |
| Account Discovery | The threat actor accessed ntuser.dat and UserClass.dat and used Softerra LDAP Browser to browse documentation for service accounts. |
|
| Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. |
CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.
Table 8: Lateral movement techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. | |
| Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. | |
| Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec. and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. | |
| Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. | |
| Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as lateral movement tool. | |
| Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. |
CISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.
Table 9: Collection techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Data from Local System | The threat actor searched local system sources to accessed sensitive documents. | |
| Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. | |
| Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. | |
| Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances. | |
| Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. |
CISA observed the threat actor using the techniques identified in table 10 for command and control (C2).
Table 10: Command and control techniques
|
ID |
Technique/Sub-Technique |
Context |
|---|---|---|
| Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. | |
| Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. | |
| Protocol Tunneling | The threat actor used FRPC.exe to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. |
CISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.
CISA and FBI recommend implementing the following recommendations.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at central@cisa.dhs.gov.
CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781
CISA Alert AA20-073A: Enterprise VPN Security
CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CISA Security Tip: Securing Network Infrastructure Devices
This product is provided subject to this Notification and this Privacy & Use policy.
L’authentification multifacteur (MFA) est rapidement devenue une sécurité indispensable pour les applications cloud pendant la pandémie mondiale de Covid-19. Avec l’accélération du télétravail, la demande d’applications basées sur le cloud, telles que les plateformes de messagerie et de collaboration a explosé.
The post De nouvelles vulnérabilités permettent de contourner l’authentification multifacteur de Microsoft 365 first appeared on UnderNews.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new advisory on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. « CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information
Source de l’article sur The Hacker News
Le 11 août 2020, Microsoft a publié un avis de sécurité concernant la correction d’une vulnérabilité affectant le protocole Netlogon Remote Protocol.
Le CERT-FR a émis un avis le 12 août 2020 ainsi que des bulletins informant de la situation. Cette vulnérabilité, …
Source de l’article sur CERT-FR
Dashlane annonce aujourd’hui la sortie d’un nouveau tableau de bord d’analyse des mots de passe pour ses clients professionnels. Unique en son genre, cet outil d’analyse confère aux administrateurs plus de visibilité que jamais sur la sécurité des mots de passe employés, ainsi que la possibilité de suivre son évolution dans le temps.
The post Dashlane lance un nouveau tableau de bord avec l’historique de sécurité des mots de passe pour les entreprises first appeared on UnderNews.
Depuis l’avènement de la nouvelle technologie, on peut accéder à Internet de n’importe quel endroit à n’importe quel moment de la journée. Grâce à cela, les grands groupes ont dû virtualiser ses services et ses prestations. Afin de faciliter les transactions, le bitcoin joue un rôle très important. Ont-ils été affectés par la pandémie de coronavirus ? Nous allons le voir ensemble dans les lignes qui suivent.
The post Le bitcoin et cryptos réussissent le stress test du coronavirus first appeared on UnderNews.
Original release date: September 14, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these—and other threat actors with varying degrees of skill—routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).
Click here for a PDF version of this report.
Through the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.
According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years.[1] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[2]
According to the indictment,
To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins.” The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders.
The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.
In the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK® Framework TTPs.
Target Selection [TA0014] is a critical part of cyber operations. While cyber threat actors’ motivations and intents are often unknown, they often make their selections based on the target network’s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[3][4][5]
These information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.
While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.
CISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (Technical Information Gathering [TA0015]).
Table 1: Technical information gathering techniques observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
Determine Approach/Attack Vector |
The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. |
|
|
Acquire Open Source Intelligence (OSINT) Data Sets and Information |
CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. |
|
|
Conduct Active Scanning |
CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. |
CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[6]
Additionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.
Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months
|
Vulnerability |
Observations |
|---|---|
|
CVE-2020-5902: F5 Big-IP Vulnerability |
CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5’s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[7] |
|
CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances |
CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[8] |
|
CVE-2019-11510: Pulse Secure VPN Servers |
CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[9] |
|
CVE-2020-0688: Microsoft Exchange Server |
CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. |
Additionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (Technical Weakness Identification [TA0018]).
Table 3: Technical weakness identification techniques observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
Analyze Architecture and Configuration Posture |
CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510. |
|
|
Research Relevant Vulnerabilities |
CISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. |
CISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (Build Capabilities [TA0024]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.
Table 4: Build capabilities observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
C2 Protocol Development |
CISA observed beaconing from a Federal Government entity to the threat actors’ C2 server. |
|
|
Buy Domain Name |
CISA has observed the use of domains purchased by the threat actors. |
|
|
Acquire and / or use of 3rd Party Infrastructure |
CISA has observed the threat actors using virtual private servers to conduct cyber operations. |
|
|
Obtain/Re-use Payloads |
CISA has observed the threat actors use and reuse existing capabilities. |
|
|
Build or Acquire Exploit |
CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. |
CISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[10][11] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.
During incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.
Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors
|
Tool |
Observations |
|---|---|
|
CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. |
|
|
CISA has observed the actors successfully deploying China Chopper against organizations’ networks. This open-source tool can be downloaded from internet software repositories such GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. |
|
|
CISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[12] |
The following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.
In the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.
CISA has observed the threat actors using the Initial Access [TA0001] techniques identified in table 6.
Table 6: Initial access techniques observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
User Execution: Malicious Link |
CISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent |
|
|
Phishing: Spearphishing Link |
CISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. |
|
|
Exploit Public-Facing Application |
CISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. |
Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments and immature patch management programs remain in place—by taking advantage of common vulnerabilities and using readily available exploits and information.
CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.
CISA has observed Chinese MSS-affiliated actors using the Execution [TA0002] technique identified in table 7.
Table 7: Execution technique observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
Software Deployment Tools |
CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ C2 server, which is usually an indication of compromise. |
Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.
CISA has observed Chinese MSS-affiliated actors using the Credential Access [TA0006] techniques highlighted in table 8.
Table 8: Credential access techniques observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory |
CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. |
|
|
Brute Force: Credential Stuffing |
CISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server. |
As with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable—there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (Discovery [TA0007]).
Table 9: Discovery technique observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
Network Service Scanning |
CISA has observed suspicious network scanning activity for various ports at Federal Government entities. |
Within weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the Collection [TA0009] technique listed in table 10.
Table 10: Collection technique observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
Email Collection |
CISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments. |
CISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, “The Onion Router” (Tor) is often used by cyber threat actors for anonymity and C2. Actor’s carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.
CISA has observed Chinese MSS-affiliated actors using the Command and Control [TA0011] techniques listed in table 11.
Table 11: Command and control techniques observed by CISA
|
MITRE ID |
Name |
Observation |
|---|---|---|
|
Proxy: External Proxy |
CISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. |
|
|
Proxy: Multi-hop Proxy |
CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. |
|
|
Encrypted Channel: Asymmetric Cryptography |
CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. |
CISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.
CISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see CISA Alert: Top 10 Routinely Exploited Vulnerabilities.
Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors
|
Vulnerability |
Vulnerable Products |
Patch Information |
|---|---|---|
|
||
|
|
|
|
||
|
CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at central@cisa.dhs.gov.
This product is provided subject to this Notification and this Privacy & Use policy.
