SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.
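The partial-encryption point above matters for file triage: a whole-file entropy check can miss a large file of which only a small percentage is encrypted. The following Python, added here and not from the advisory, scores a file chunk by chunk and reports the fraction that looks like ciphertext; the chunk size, the 7.5 bits/byte threshold and the sample data are assumptions, constructed in memory.

```python
"""
Added example (not from the advisory): estimate how much of a file is encrypted.

Scoring fixed-size chunks separately catches a partially encrypted file that a
naive whole-file entropy threshold would pass as plaintext.
"""
import math
import os
from collections import Counter

CHUNK_SIZE = 4096       # assumed triage granularity, not Royal's own block size
HIGH_ENTROPY = 7.5      # bits per byte; random/encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Fraction of chunks whose entropy reaches HIGH_ENTROPY."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if not chunks:
        return 0.0
    high = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    return high / len(chunks)


def triage(data: bytes) -> dict:
    """Compare the naive whole-file verdict with the per-chunk estimate."""
    whole = shannon_entropy(data)
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_flagged": whole >= HIGH_ENTROPY,
        "encrypted_fraction": round(encrypted_fraction(data), 2),
    }


def make_sample(total_chunks: int, encrypted_chunks: int) -> bytes:
    """Constructed input: low-entropy text with the first N chunks replaced by random bytes."""
    plain = (b"The quick brown fox jumps over the lazy dog. " * 200)[:CHUNK_SIZE]
    body = bytearray(plain * total_chunks)
    for i in range(encrypted_chunks):
        body[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE] = os.urandom(CHUNK_SIZE)
    return bytes(body)


if __name__ == "__main__":
    # 10% of a 100-chunk file encrypted: whole-file entropy stays low,
    # the per-chunk estimate reports 0.1.
    print(triage(make_sample(total_chunks=100, encrypted_chunks=10)))
```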
Initial Access
Royal actors gain initial access to victim networks in a number of ways including:
- Phishing. According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails [T1566].
- According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising [T1566.002].[2]
- Remote Desktop Protocol (RDP). The second most common vector Royal actors use (in 13.3% of incidents) for initial access is RDP compromise.
- Public-facing applications. FBI has also observed Royal actors gain initial access through exploiting public-facing applications [T1190].
- Brokers. Reports from trusted third-party sources indicate that Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.
Command and Control
Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.
Lateral Movement and Persistence
Royal actors often use RDP to move laterally across the network [T1021.001]. The Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].
Exfiltration
Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Encryption
Before starting the encryption process, Royal actors:
- Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486].[1]
- Use the Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery.[1]
FBI has found numerous batch (.bat) files on impacted systems, which are typically transferred as an encrypted 7zip file. The batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion, including the Application, System, and Security event logs [T1070.001].
Malicious files have been found in victim networks in the following directories:
C:\Temp\
C:\Users\<user>\AppData\Roaming\
C:\Users\
C:\ProgramData\
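As an added illustration (not code from the advisory), the following Python scans process-creation events for the batch-file behaviours described above (new admin user, forced policy update, shadow-copy deletion, event-log clearing) and for executables launched from the listed staging directories, and raises confidence only when one host shows several of them together. The log format, host names, file names and the sample events are constructed assumptions.

```python
"""
Added example (not from the advisory): detect the pre-encryption and cleanup
sequence the advisory attributes to Royal's batch files in process telemetry.
"""
import re
from typing import Dict, List, Optional, Tuple

# Staging directories listed in the advisory (lowercased regexes); <user> is any account.
STAGING_DIRS = [
    re.compile(r"^c:\\temp\\"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\"),
    re.compile(r"^c:\\programdata\\"),
]

# (finding name, ATT&CK id as given in the advisory or "" where it gives none, command-line regex)
RULES = [
    ("shadow_copies_deleted", "", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("event_log_cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\s+(application|system|security)\b")),
    ("admin_user_created", "T1078.002", re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b")),
    ("group_policy_forced", "", re.compile(r"\bgpupdate(\.exe)?\b.*\s/force\b")),
]

# Constructed export format: one process-creation event per line, key=value fields.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event's fields, or None for lines that do not fit the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def findings_for(event: Dict[str, str]) -> List[str]:
    """Names of every rule the event trips, plus a staging-directory check on the image path."""
    hits = [name for name, _tid, rx in RULES if rx.search(event["cmdline"].lower())]
    if any(rx.match(event["image"].lower()) for rx in STAGING_DIRS):
        hits.append("executable_in_staging_dir")
    return hits


def scan(lines) -> Dict[str, List[Tuple[str, str]]]:
    """Group findings per host: {host: [(timestamp, finding), ...]}."""
    per_host: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        for f in findings_for(ev):
            per_host.setdefault(ev["host"], []).append((ev["ts"], f))
    return per_host


def high_confidence_hosts(per_host, min_distinct: int = 3) -> List[str]:
    """Hosts with several distinct behaviours: the scripted sequence, not one admin command."""
    return sorted(h for h, fs in per_host.items() if len({f for _, f in fs}) >= min_distinct)


# Constructed sample: one host running the scripted sequence, one legitimate gpupdate, one benign.
SAMPLE_LOG = r"""
2023-01-12T03:14:07Z host=WS01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\net.exe cmdline="net user backupadm P@ss-example /add"
2023-01-12T03:14:09Z host=WS01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\gpupdate.exe cmdline="gpupdate /force"
2023-01-12T03:14:15Z host=WS01 parent=C:\Windows\System32\cmd.exe image=C:\Temp\payload.exe cmdline="payload.exe"
2023-01-12T03:14:16Z host=WS01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2023-01-12T03:52:40Z host=WS01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil.exe cl Security"
2023-01-12T09:05:11Z host=ADMIN02 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\gpupdate.exe cmdline="gpupdate /force"
2023-01-12T09:07:30Z host=WS07 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\jdoe\notes.txt"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for host, fs in results.items():
        print(host, [f for _, f in fs])
    print("escalate:", high_confidence_hosts(results))   # ['WS01']
```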
Indicators of Compromise (IOC)
See tables 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.
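The vetting note above is easier to act on when every match carries the indicator's reported last activity. The Python below, added here and not from the advisory, refangs the `[.]` notation the tables use, matches indicators against log lines without catching look-alikes such as a longer address that contains the indicator, and reports each hit's age; the IP is the one named in this advisory, while the domain, the 60-day staleness threshold, the log format and the log lines are constructed assumptions (a "December 2022" last-activity month is taken as its first day).

```python
"""
Added example (not from the advisory): refang defanged indicators, match them
against logs, and attach the indicator's last reported activity so stale hits
are visible before anyone blocks on them.
"""
import re
from datetime import date

STALE_AFTER_DAYS = 60  # assumed review threshold; tune to your own policy

# (defanged indicator, kind, last reported activity; the month is taken as its first day)
INDICATORS = [
    ("94.232.41[.]105", "ip", date(2022, 12, 1)),            # IP named in the advisory
    ("staging-ioc[.]example", "domain", date(2022, 10, 1)),  # constructed placeholder
]


def refang(value: str) -> str:
    """Undo common defanging: [.] -> . and hxxp -> http."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http")


def compile_indicators(indicators):
    """Build (regex, plain indicator, last_seen) triples with boundaries against look-alikes."""
    compiled = []
    for raw, kind, last_seen in indicators:
        plain = refang(raw)
        if kind == "domain":
            # Match the domain and any subdomain of it, but not a longer label ending in it.
            pattern = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(plain) + r"(?![\w-])"
        else:
            # 94.232.41.105 must not match inside 194.232.41.105 or 94.232.41.1050.
            pattern = r"(?<![\w.-])" + re.escape(plain) + r"(?![\w-])"
        compiled.append((re.compile(pattern, re.IGNORECASE), plain, last_seen))
    return compiled


TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})")  # constructed log format: ISO date first


def match_lines(lines, compiled):
    """Hits as dicts with the matching line, the indicator, and days since its last activity."""
    hits = []
    for line in lines:
        line = line.strip()
        m = TS_RE.match(line)
        if not m:
            continue
        log_day = date(*map(int, m.groups()))
        for rx, plain, last_seen in compiled:
            if rx.search(line):
                age = (log_day - last_seen).days
                hits.append({"indicator": plain, "line": line, "age_days": age,
                             "stale": age > STALE_AFTER_DAYS})
    return hits


# Constructed sample: one true IP hit, one subdomain hit, one look-alike address, one benign query.
SAMPLE_LOG = """
2023-01-15 10:22:31 proxy src=10.0.5.23 dst=94.232.41.105:443 action=allow bytes=48213
2023-01-15 10:23:02 dns client=10.0.5.23 query=cdn.staging-ioc.example type=A
2023-01-15 10:24:40 proxy src=10.0.7.9 dst=194.232.41.105:443 action=allow bytes=1200
2023-01-15 10:25:12 dns client=10.0.7.9 query=updates.example.net type=A
"""

if __name__ == "__main__":
    for hit in match_lines(SAMPLE_LOG.splitlines(), compile_indicators(INDICATORS)):
        flag = "STALE, vet before blocking" if hit["stale"] else "recent"
        print(f'{hit["indicator"]}: {hit["age_days"]} days since last activity ({flag})')
```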
Table 1: Royal Ransomware Associated Files, Hashes, and IP addresses as of January 2023
IOC | Description
.royal | Encrypted file extension
README.TXT | Ransom note
Table 2: Tools used by Royal operators
MITRE ATT&CK TECHNIQUES
See table 3 for all referenced threat actor tactics and techniques included in this advisory.
Table 3: Royal Actors ATT&CK Techniques for Enterprise
Initial Access
Technique Title | ID | Use
Exploit Public Facing Application | T1190 | The actors gain initial access through public-facing applications.
Phishing: Spearphishing Attachment | T1566.001 | The actors gain initial access through malicious PDF attachments sent via email.
Phishing: Spearphishing Link | T1566.002 | The actors gain initial access using malvertising links via emails and public-facing sites.
External Remote Services | T1133 | The actors gain initial access through a variety of RMM software.
Command and Control
Technique Title | ID | Use
Ingress Tool Transfer | T1105 | The actors used C2 infrastructure to download multiple tools.
Protocol Tunneling | T1572 | The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.
Privilege Escalation
Technique Title | ID | Use
Valid Accounts: Domain Accounts | T1078.002 | The actors used encrypted files to create new admin user accounts.
Defense Evasion
Technique Title | ID | Use
Impair Defenses: Disable or Modify Tools | T1562.001 | The actors deactivated antivirus protocols.
Domain Policy Modification: Group Policy Modification | T1484.001 | The actors modified Group Policy Objects to subvert antivirus protocols.
Indicator Removal: Clear Windows Event Logs | T1070.001 | The actors deleted shadow files and system and security logs after exfiltration.
Remote Desktop Protocol | T1021.001 | The actors used valid accounts to move laterally through the domain controller using RDP.
Automated Collection | T1119 | The actors used registry keys to auto-extract and collect files.
Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | The actors encrypted data to determine which files were being used or blocked by other applications.
MITIGATIONS
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4].
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords.
- Implement multiple failed login attempt account lockouts [CPG 1.1].
- Disable password hints.
- Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password patterns cyber criminals can easily decipher.
- Require administrator credentials to install software.
- Require multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
- Segment networks [CPG 8.1]. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
- Disable unused ports.
- Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
- Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures it will not be severely interrupted or left with irretrievable data.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].
RESOURCES
REPORTING
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
REFERENCES
[1] Cybereason, “Royal Rumble: Analysis of Royal Ransomware” (cybereason.com)
[2] Microsoft Security Blog, “DEV-0569 finds new ways to deliver Royal ransomware, various payloads”
[3] Australian Cyber Security Centre, “2023-01: ACSC Ransomware Profile – Royal” (cyber.gov.au)
ACKNOWLEDGEMENTS
Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.
Article source: us-cert.gov
#StopRansomware: Royal Ransomware
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’informationSUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a
.onion
URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Download the PDF version of this report:
For a downloadable copy of IOCs, see
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.
Initial Access
Royal actors gain initial access to victim networks in a number of ways including:
Command and Control
Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using
Chisel
, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.Lateral Movement and Persistence
Royal actors often use RDP to move laterally across the network [T1021.001]. Microsoft Sysinternals tool
PsExec
has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].Exfiltration
Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Encryption
Before starting the encryption process, Royal actors:
vssadmin.exe
) to delete shadow copies to prevent system recovery.[1]FBI has found numerous batch (
.bat
) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].Malicious files have been found in victim networks in the following directories:
C:Temp
C:UsersAppDataRoaming
C:Users
C:ProgramData
Indicators of Compromise (IOC)
See table 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.
IOC
Description
.royal
Encrypted file extension
README.TXT
Ransom note
Malicious IP
Last Activity
102.157.44[.]105
November 2022
105.158.118[.]241
November 2022
105.69.155[.]85
November 2022
113.169.187[.]159
November 2022
134.35.9[.]209
November 2022
139.195.43[.]166
November 2022
139.60.161[.]213
November 2022
148.213.109[.]165
November 2022
163.182.177[.]80
November 2022
181.141.3[.]126
November 2022
181.164.194[.]228
November 2022
185.143.223[.]69
November 2022
186.64.67[.]6
November 2022
186.86.212[.]138
November 2022
190.193.180[.]228
November 2022
196.70.77[.]11
November 2022
197.11.134[.]255
November 2022
197.158.89[.]85
November 2022
197.204.247[.]7
November 2022
197.207.181[.]147
November 2022
197.207.218[.]27
November 2022
197.94.67[.]207
November 2022
23.111.114[.]52
November 2022
41.100.55[.]97
November 2022
41.107.77[.]67
November 2022
41.109.11[.]80
November 2022
41.251.121[.]35
November 2022
41.97.65[.]51
November 2022
42.189.12[.]36
November 2022
45.227.251[.]167
November 2022
5.44.42[.]20
November 2022
61.166.221[.]46
November 2022
68.83.169[.]91
November 2022
81.184.181[.]215
November 2022
82.12.196[.]197
November 2022
98.143.70[.]147
November 2022
140.82.48[.]158
December 2022
147.135.36[.]162
December 2022
147.135.11[.]223
December 2022
152.89.247[.]50
December 2022
179.43.167[.]10
December 2022
185.7.214[.]218
December 2022
193.149.176[.]157
December 2022
193.235.146[.]104
December 2022
209.141.36[.]116
December 2022
45.61.136[.]47
December 2022
45.8.158[.]104
December 2022
5.181.234[.]58
December 2022
5.188.86[.]195
December 2022
77.73.133[.]84
December 2022
89.108.65[.]136
December 2022
94.232.41[.]105
December 2022
47.87.229[.]39
January 2023
Malicious Domain
Last Observed
ciborkumari[.]xyz
October 2022
sombrat[.]com
October 2022
gororama[.]com
November 2022
softeruplive[.]com
November 2022
altocloudzone[.]live
December 2022
ciborkumari[.]xyz
December 2022
myappearinc[.]com
December 2022
parkerpublic[.]com
December 2022
pastebin.mozilla[.]org/Z54Vudf9/raw
December 2022
tumbleproperty[.]com
December 2022
myappearinc[.]com/acquire/draft/c7lh0s5jv
January 2023
Tool
SHA256
AV tamper
8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
TCP/UDP Tunnel over HTTP (Chisel)
8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Ursnif/Gozi
be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
Exfil
B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20
Remote Access (AnyDesk)
4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7
PowerShell Toolkit Downloader
4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
PsExec (Microsoft Sysinternals)
08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
Keep Host Unlocked (Don’t Sleep)
f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
Ransomware Executable
d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
Windows Command Line (NirCmd)
216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5
System Management (NSudo)
19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618
Batch Scripts
Filename
Hash Value
2.bat
585b05b290d241a249af93b1896a9474128da969
3.bat
41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d
4.bat
a84ed0f3c46b01d66510ccc9b1fc1e07af005c60
8.bat
c96154690f60a8e1f2271242e458029014ffe30a
kl.bat
65dc04f3f75deb3b287cca3138d9d0ec36b8bea0
gp.bat
82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58
r.bat
74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c
runanddelete.bat
342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE
MITRE ATT&CK TECHNIQUES
See table 3 for all referenced threat actor tactics and techniques included in this advisory.
Initial Access
Technique Title
ID
Use
Exploit Public Facing Application
T1190
The actors gain initial access through public-facing applications.
Phishing: Spear phishing Attachment
T1566.001
The actors gain initial access through malicious PDF attachments sent via email.
Phishing: Spearphishing Link
T1566.002
The actors gain initial access using malvertising links via emails and public-facing sites.
External Remote Services
T1133
The actors gain initial access through a variety of RMM software.
Command and Control
Technique Title
ID
Use
Ingress Tool Transfer
T1105
The actors used C2 infrastructure to download multiple tools.
Protocol Tunneling
T1572
The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.
Privilege Escalation
Technique Title
ID
Use
Valid Accounts: Domain Accounts
T1078.002
The actors used encrypted files to create new admin user accounts.
Defense Evasion
Technique Title
ID
Use
Impair Defenses: Disable or Modify Tools
T1562.001
The actors deactivated antivirus protocols.
Domain Policy Modification: Group Policy Modification
T1484.001
The actors modified Group Policy Objects to subvert antivirus protocols.
Indicator Removal: Clear Windows Event Logs
T1070.001
The actors deleted shadow files and system and security logs after exfiltration.
Remote Desktop Protocol
T1021.001
The actors used valid accounts to move laterally through the domain controller using RDP.
Automated Collection
T1119
The actors used registry keys to auto-extract and collect files.
Impact
Technique Title
ID
Use
Data Encrypted for Impact
T1486
The actors encrypted data to determine which files were being used or blocked by other applications.
MITIGATIONS
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
RESOURCES
REPORTING
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
REFERENCES
[1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
[2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads – Microsoft Security Blog
[3] 2023-01: ACSC Ransomware Profile – Royal | Cyber.gov.au
ACKNOWLEDGEMENTS
Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.
Source of the article: us-cert.gov
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
SUMMARY
Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
For additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.
Observable TTPs
The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:
Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].
The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup[.]com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related file names and hashes are listed in table 1.
MITIGATIONS
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
The authoring agencies urge HPH organizations to:
In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:
If a ransomware incident occurs at your organization:
RESOURCES
Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link:
https://www.stairwell.com/news/threat-research-report-maui-ransomware/
REQUEST FOR INFORMATION
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.
Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.
ACKNOWLEDGEMENTS
NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.
Disclaimer of endorsement
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Trademark recognition
Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and Apache Log4j are trademarks of Apache Software Foundation. TerraMaster Operating System is a registered trademark of Octagon Systems.
Purpose
This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Appendix A: CVE Details
CVE-2021-44228 (Apache Log4j2)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Mitigation: Apply patches provided by the vendor and perform required system updates. See the vendors’ Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability.
Affected versions: There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, please check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
SonicWall SMA100 stack-based buffer overflow (Apache httpd mod_cgi)
Description: A stack-based buffer overflow vulnerability in the SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as the ‘nobody’ user on the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Mitigation: Apply all appropriate vendor updates.
Upgrade to:
System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions. Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.
Affected versions: SonicWall SMA 200, 210, 400, 410, and 500v firmware 10.2.0.8-37sv, 10.2.1.1-19sv, and 10.2.1.2-24sv.
TerraMaster OS unauthenticated remote command execution via PHP object instantiation
Description: The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances’ operating system, where users manage storage, back up data, and configure applications. By exploiting the script flaw, a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with the highest privileges.
Mitigation: Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30.
Affected versions: TOS v4.2.29.
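The appendix gives version boundaries rather than a product list, which is what an inventory check actually needs: a version sitting inside "2.0-beta9 through 2.15.0" is affected unless it is one of the three back-ported security releases, and TerraMaster TOS is fixed from 4.2.30. The block below is an added example, not part of the advisory and not vendor tooling: it turns the stated ranges into a comparator that handles Log4j's pre-release tags (`2.0-beta9` sorts before `2.0`) and classifies a constructed inventory. Hostnames and versions in `SAMPLE_INVENTORY` are made up, and the classification follows only the ranges this appendix states; the appendix itself points to NVD for the full list of affected products.

```python
import re
from typing import List, Tuple

# Boundaries exactly as stated in Appendix A of the advisory.
LOG4J_FIRST_AFFECTED = "2.0-beta9"
LOG4J_LOOKUPS_OFF_BY_DEFAULT = "2.15.0"   # still inside the stated affected range
LOG4J_LOOKUPS_REMOVED_FROM = "2.16.0"
LOG4J_SECURITY_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}   # back-ported fixes on older branches
TOS_PATCHED_FROM = "4.2.30"

# Accepts "2.15.0", "2.3", and pre-release forms such as "2.0-beta9" or "2.0-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)
_PRE_RANK = {"beta": 0, "rc": 1, "": 2}   # a final release sorts after its betas and rcs


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Sortable key (major, minor, patch, pre-release rank, pre-release number)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _PRE_RANK[(pre or "").lower()], int(pre_num or 0))


def log4j_status(version: str) -> str:
    """Classify a log4j-core version against the ranges the appendix gives for CVE-2021-44228."""
    if version.strip() in LOG4J_SECURITY_RELEASES:
        return "fixed"                      # JNDI lookup removed in these back-ports
    v = parse_version(version)
    if v < parse_version(LOG4J_FIRST_AFFECTED):
        return "not_affected"               # predates the JNDI lookup feature
    if v >= parse_version(LOG4J_LOOKUPS_REMOVED_FROM):
        return "fixed"
    if v >= parse_version(LOG4J_LOOKUPS_OFF_BY_DEFAULT):
        # 2.15.0: inside the stated range, but message lookup substitution is off unless re-enabled.
        return "lookups_disabled_by_default"
    return "vulnerable"


def tos_status(version: str) -> str:
    """TerraMaster TOS: the appendix states the fix shipped in 4.2.30."""
    return "fixed" if parse_version(version) >= parse_version(TOS_PATCHED_FROM) else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Rows are (host, product, version); product is 'log4j-core' or 'tos'. Returns rows plus status."""
    out = []
    for host, product, version in inventory:
        if product == "log4j-core":
            status = log4j_status(version)
        elif product == "tos":
            status = tos_status(version)
        else:
            status = "not_covered"          # the SonicWall firmware strings need their own comparator
        out.append((host, product, version, status))
    return out


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("app01", "log4j-core", "2.14.1"),
    ("app02", "log4j-core", "2.12.2"),
    ("app03", "log4j-core", "2.15.0"),
    ("app04", "log4j-core", "2.0-beta8"),
    ("app05", "log4j-core", "2.17.1"),
    ("nas01", "tos", "4.2.29"),
    ("nas02", "tos", "4.2.30"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-6s %-10s %-9s %s" % row)
```

Treat "lookups_disabled_by_default" as a finding, not a pass: the appendix places 2.15.0 inside the affected range, and a deployment that re-enables lookup substitution is exposed again, so the upgrade path is still to 2.16.0 or one of the listed security releases.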
Appendix B: Indicators of Compromise (IOCs)
The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.
Table 3 lists MD5 and SHA256 hashes associated with Maui ransomware files.
Table 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.
Df0c7bb88e3c67d849d78d13cee30671b39b300e0cda5550280350775d5762d8
* from Microsoft blog post on h0lygh0st
CONTACT INFORMATION
NSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
To report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Media Inquiries / Press Desk:
Source of the article: us-cert.gov
ESXiArgs Ransomware Virtual Machine Recovery Guidance
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable.
CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to:
If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.
Note: CISA and FBI will update this CSA as more information becomes available.
Technical Details
Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1]
ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.
Recovery Guidance
CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2]
Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.
Download the recovery script and save it as /tmp/recover.sh. For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh
Make the script executable: chmod +x /tmp/recover.sh
Navigate to the folder of a VM you would like to recover and run ls to view the files. You can list the datastore folders with ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.
Run ls and note the name of the VM (via naming convention: [name].vmdk).
Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously. For a thin-provisioned VM, run /tmp/recover.sh [name] thin.
If the ESXi web interface is unreachable because the ransom note has replaced its index page, restore it with the following commands (they keep the note as ransom.html, which is worth preserving for incident response):
cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html
Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
In the web interface, if the VM you restored is still registered, select Unregister (see figure 1).
Figure 1: Unregistering the virtual machine.
Select Create / Register VM, then Register an existing virtual machine (see figure 2).
Figure 2: Registering the virtual machine, selecting machine to register.
Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).
Figure 3: Registering the virtual machine, finalizing registration.
Select Next and Finish. You should now be able to use the VM as normal.
Additional Incident Response
The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:
If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.
Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]
Mitigations
Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
CISA and FBI recommend all organizations:
In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.
Preparing for Ransomware
Mitigating and Preventing Ransomware
Responding to Ransomware Incidents
If a ransomware incident occurs at your organization:
Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
Resources
See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.
Acknowledgements
CISA and FBI would like to thank VMware for their contributions to this CSA.
References
Revisions
Article source: us-cert.gov
Event Sourcing vs Database: What’s Next?
News, Methods and IT process organization
Event sourcing and databases have been the go-to solutions for data storage, but what’s the next step? Let’s explore the pros and cons of each and see what the future holds.
## Understanding Event Sourcing and Its Popularity
I am an excited scientist who has made a sensational discovery about event sourcing and its potential to outgrow databases. Event sourcing is a powerful tool that is being adopted by many large organizations as their database architectural design. It has the capability to scale up and serve the needs of the modern data industry.
Event sourcing is a process of storing data in an event log, which is an append-only store. This means that all changes to the data are recorded as a sequence of events. This makes it easier to track changes over time and allows for easy replication of data. Event sourcing also allows for easy scalability, as the data can be replicated across multiple servers.
The popularity of event sourcing is growing rapidly, as it offers many advantages over traditional databases. Event sourcing allows for faster data retrieval, as it stores data in an append-only store. This makes it easier to query and analyze data over time. It also allows for better scalability, as the data can be replicated across multiple servers. Additionally, event sourcing is more secure than traditional databases, because the log is append-only: existing records are never modified in place, only new events are added.
So, is event sourcing going to outgrow databases? It is hard to say for sure, but the advantages offered by event sourcing make it a strong contender for replacing traditional databases. Event sourcing allows for faster data retrieval, better scalability, and improved security. As more organizations begin to adopt event sourcing, it is likely that it will become the preferred choice for many applications.
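The properties described above (changes recorded only as appended events, past state rebuilt by replaying the log up to a point in time) in a minimal event store. This is an added illustration, not code from the original article; the account event kinds and the sample history are constructed.

```python
"""Minimal append-only event store: an added illustration, not code from the
original article. Changes are recorded only as appended events and any past
state is rebuilt by replaying the log. All sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)  # an event is an immutable fact; it is never edited
class Event:
    at: int     # logical timestamp (constructed values)
    kind: str   # AccountOpened | Deposited | Withdrawn
    data: dict


class EventStore:
    """Append-only log: deliberately no update or delete operation."""

    def __init__(self) -> None:
        self._log: list[Event] = []

    def append(self, at: int, kind: str, data: dict) -> Event:
        ev = Event(at=at, kind=kind, data=dict(data))
        self._log.append(ev)
        return ev

    def events(self, until: Optional[int] = None) -> list[Event]:
        """Events in log order, optionally only those stamped <= until."""
        return [e for e in self._log if until is None or e.at <= until]


def apply(state: dict, ev: Event) -> dict:
    """Pure reducer: returns a new account->balance map, mutates nothing."""
    balances, acct = dict(state), ev.data["account"]
    if ev.kind == "AccountOpened":
        balances[acct] = 0
    elif ev.kind in ("Deposited", "Withdrawn"):
        sign = 1 if ev.kind == "Deposited" else -1
        balances[acct] += sign * ev.data["amount"]
    else:
        raise ValueError(f"unknown event kind {ev.kind!r}")
    return balances


def replay(store: EventStore, until: Optional[int] = None) -> dict:
    """Rebuild state as it was at time `until` (None = current state)."""
    state: dict = {}
    for ev in store.events(until):
        state = apply(state, ev)
    return state


def sample_store() -> EventStore:
    s = EventStore()
    s.append(1, "AccountOpened", {"account": "alice"})
    s.append(2, "Deposited", {"account": "alice", "amount": 100})
    s.append(3, "Withdrawn", {"account": "alice", "amount": 30})
    # A correction is appended as a new event; the earlier one stays on record.
    s.append(4, "Deposited", {"account": "alice", "amount": 5})
    return s
```

Replaying to time 3 yields the balance before the correction, while the full replay yields the current balance; both are derived from the same unmodified log.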
Article source: DZONE
Developer experience: the most important metrics
News
Find out which metrics matter most to a developer for improving their experience.
## Developer Experience (DevEx or DX)
Developer experience. If you provide APIs or API-driven products, you probably hear this term often. After all, you need developers for an API to succeed, and if they do not have a great experience, they will move on to something else.
What is developer experience?
Developer experience (DevEx or DX) is an extension of user experience (UX) where the focus is on the users affected by the technical side of things, for example tools, languages and workflows. But DevEx goes well beyond "UX for developers": it means making sure developers can easily understand and leverage an API for their own applications and use cases. Great DevEx happens when you communicate with your developer users, understanding and responding directly to their needs. If you can win over developers, you can build a large and thriving ecosystem around your products.
Code is the heart of developer experience. It is the most important part of DevEx, because it is what allows developers to build applications that leverage your API. Good coding tools are essential for giving developers a consistent and pleasant experience. Tools must be easy to learn and use, and must offer intuitive features. Good coding tools can help developers quickly build robust, reliable applications that take advantage of your API.
Finally, a good developer experience requires complete and accurate documentation. Documentation must be clear and concise, and must give developers all the information they need to understand and use your API. It must also include clear examples and tutorials to help developers understand how your API works and quickly build applications that take advantage of it. Good documentation can make all the difference between a developer who understands your API and one who gives up.
In summary, developer experience is essential to an API's success. To offer developers an exceptional experience, you must focus on code, provide intuitive and easy-to-use tools, and provide complete and accurate documentation. If you can offer developers an exceptional experience, you can build a large ecosystem around your product and succeed in the long term. As an enthusiastic scientist who has just made a sensational discovery, I am convinced that developer experience is the key to an API's success.
Article source: DZONE
Microsoft Azure is a cloud computing platform and infrastructure
News
Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides a range of cloud services, including compute, storage, analytics, networking, and identity management. Azure is designed to help organizations of all sizes quickly and cost-effectively develop, deploy, and manage applications and services in the cloud.
Azure offers a wide range of services that can be used to build, deploy, and manage applications and services in the cloud. These include compute, storage, analytics, networking, and identity management. Compute services provide access to virtual machines, containers, and serverless computing resources. Storage services provide access to object storage, file storage, and databases. Analytics services provide access to data analysis tools such as machine learning, data warehousing, and big data processing. Networking services provide access to virtual networks, DNS, load balancing, and traffic management. Identity management services provide access to authentication and authorization services.
Azure also provides a range of tools and services that can be used to manage applications and services in the cloud. These include Azure Resource Manager (ARM), which provides a unified way to deploy, manage, and monitor resources in the cloud; Azure Automation, which provides a way to automate tasks; and Azure Monitor, which provides a way to monitor the performance of applications and services in the cloud. Additionally, Azure provides a range of security features such as encryption, identity management, and access control. These features help ensure that applications and services are secure and compliant with industry standards.
In conclusion, Microsoft Azure is a powerful cloud computing platform and infrastructure that provides a wide range of services for building, deploying, and managing applications and services in the cloud. It offers a range of compute, storage, analytics, networking, and identity management services that can be used to quickly and cost-effectively develop, deploy, and manage applications and services in the cloud. Additionally, it provides a range of tools and services for managing applications and services in the cloud as well as a range of security features for ensuring that applications and services are secure and compliant with industry standards.
Intro to Contextual Advertising
News, Methods and IT process organization
Contextual advertising is a powerful tool for businesses to reach their target audience with relevant, targeted ads. Learn how it works and its potential to drive sales!
## The Full Context: A Software Project’s Aura
I am an excited scientist who has made a sensational discovery: coding is the key to unlocking The Full Context. By coding, I mean writing code that is both readable and maintainable. It’s not just about writing code that works; it’s about writing code that is easy to understand and modify.
Coding is the foundation of The Full Context. It is the language that allows us to communicate our ideas, our intentions, and our decisions to the software. It is the bridge between the project’s stakeholders and the software itself. Without coding, there would be no way to effectively communicate the project’s requirements to the software.
Coding is also the key to unlocking the potential of The Full Context. By writing code that is both readable and maintainable, we can ensure that the project’s requirements are accurately represented in the software. We can also ensure that future changes and modifications can be made quickly and easily. This allows us to keep up with the ever-changing requirements of the project, while still maintaining a high level of quality.
The Full Context is a powerful tool that can be used to create amazing software projects. But without coding, it would remain just a concept, never fully realized. By coding, we can unlock its potential and create projects that are both powerful and maintainable. This is why coding is so important; it is the key to unlocking The Full Context and creating amazing software projects.
Article source: DZONE
MICROSOFT AZURE: Cloud platform
News
Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) and supports many different programming languages, tools, and frameworks, including both Microsoft-specific and third-party software and systems.
Azure provides a comprehensive set of cloud services that enable organizations to build, deploy, and manage applications across a global network of Microsoft-managed data centers. It offers a wide range of services, including virtual machines, storage, databases, networking, analytics, and more. It also provides tools for developing and managing applications, such as Visual Studio, Azure DevOps, and Azure Machine Learning.
Azure enables organizations to quickly and easily deploy applications and services to the cloud. It provides a secure, reliable, and cost-effective platform for running applications in the cloud. It also provides a range of services for managing and monitoring applications and services, including Azure Monitor, Azure Security Center, and Azure Automation. Additionally, it offers advanced analytics capabilities with Azure Machine Learning and Azure Cognitive Services.
In addition to providing cloud services, Azure also offers a range of tools for developing and managing applications. It provides a range of development tools such as Visual Studio Code, Visual Studio Team Services, and Azure DevOps. It also provides a range of services for managing applications such as Azure Resource Manager, Azure Automation, and Azure Monitor. Additionally, it provides a range of services for monitoring applications such as Azure Application Insights and Azure Security Center.
Azure also provides a range of services for storing data in the cloud. It offers a range of storage services such as Azure Blob Storage, Azure Files, Azure Queue Storage, and Azure Table Storage. It also provides a range of database services such as Azure SQL Database and Azure Cosmos DB. Additionally, it provides a range of services for managing data such as Azure Data Factory and Azure Data Lake.
Overall, Microsoft Azure is an incredibly powerful cloud computing platform that enables organizations to quickly and easily deploy applications and services to the cloud. It provides a secure, reliable, and cost-effective platform for running applications in the cloud. It also provides a range of tools for developing and managing applications as well as services for storing data in the cloud. With its comprehensive set of cloud services and tools, Microsoft Azure is an essential platform for any organization looking to take advantage of the power of the cloud.
Secure Admin Access to Apache APISIX
News, Methods and IT process organization
Secure your APIs with Apache APISIX, the open source, high-performance API gateway that provides secure admin access.
Securing Your Apache APISIX Admin Access
I am an excited scientist who has made a sensational discovery: data security can be improved by protecting your Apache APISIX admin access. This is a critical component of your infrastructure, as it is responsible for routing traffic to the right places. If an attacker were to gain access to this, they could potentially redirect traffic to their own infrastructure, leading to data theft or financial losses.
To ensure the security of your data, it is essential to protect your Apache APISIX admin access. Here are a few ways to do this:
First, you should enable authentication for the admin API. This will require users to enter a username and password before they can access the API. You can also use two-factor authentication for additional security. Additionally, you should limit the IP addresses that are allowed to access the admin API. This will ensure that only trusted IP addresses can access the API and prevent unauthorized access.
Second, you should use TLS encryption for all communication with the admin API. This will ensure that all data is encrypted in transit and protect it from interception. Additionally, you should use a strong cipher suite to ensure that the data is encrypted with a strong algorithm.
Finally, you should monitor all activity on the admin API. This will allow you to detect any suspicious activity and take action quickly. You should also use logging to track all requests and responses to the admin API. This will allow you to review any suspicious activity and take action if necessary.
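A configuration check for the first two recommendations (authentication and source-IP restriction for the Admin API) and the TLS recommendation, run against a weak and a hardened config. This is an added example, not APISIX project code; it assumes the `deployment.admin` layout of an APISIX 3.x `config.yaml` already loaded into a dict (no YAML library is used here), and both sample configs are constructed.

```python
"""Audit the Admin API section of an Apache APISIX config.yaml for the
weaknesses discussed above: missing or default admin key, an allow_admin
list that permits any source address, and plaintext (non-TLS) admin traffic.
Added example, not APISIX project code. Assumes the YAML has already been
loaded into a dict and follows the deployment.admin layout of APISIX 3.x."""
from __future__ import annotations

import ipaddress

# Placeholder key that ships in APISIX's config-default.yaml; it is public
# knowledge, so leaving it in place is as good as having no authentication.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
MIN_KEY_LEN = 32


def audit_admin(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means no issue detected."""
    findings: list[str] = []
    admin = cfg.get("deployment", {}).get("admin", {})

    keys = admin.get("admin_key") or []
    if not keys:
        findings.append("admin_key missing: Admin API accepts unauthenticated requests")
    for entry in keys:
        key, name = entry.get("key", ""), entry.get("name", "?")
        if key == DEFAULT_ADMIN_KEY:
            findings.append(f"admin_key '{name}' is the public default key")
        elif len(key) < MIN_KEY_LEN:
            findings.append(f"admin_key '{name}' is short ({len(key)} chars)")

    allow = admin.get("allow_admin") or []
    if not allow:
        findings.append("allow_admin empty: Admin API reachable from any source IP")
    for cidr in allow:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"allow_admin entry {cidr!r} is not a valid IP or CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"allow_admin {cidr} matches every source address")

    if not admin.get("https_admin", False):
        findings.append("https_admin false: admin keys travel in plaintext HTTP")
    return findings


# Constructed sample configs: the weak one mirrors careless out-of-the-box
# settings; the hardened one applies the recommendations above.
WEAK_CONFIG = {"deployment": {"admin": {
    "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
    "allow_admin": ["0.0.0.0/0"],
    "https_admin": False,
}}}
HARDENED_CONFIG = {"deployment": {"admin": {
    "admin_key": [{"name": "admin", "key": "9f1c7a2e4b6d8f0a1c3e5b7d9f2a4c6e8b0d2f4a", "role": "admin"}],
    "allow_admin": ["10.20.0.0/24"],                   # management subnet only
    "admin_listen": {"ip": "10.20.0.5", "port": 9180},  # not 0.0.0.0
    "https_admin": True,
}}}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_admin(cfg) or ["no findings"])
```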
In conclusion, protecting your Apache APISIX admin access is essential for ensuring the security of your data. By following the steps outlined above, you can ensure that your data is safe and secure. With these measures in place, you can rest assured that your data is protected from unauthorized access and theft.
Article source: DZONE