Original release date: February 9, 2023 | Last revised: February 10, 2023
Summary
Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
For additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.
Download the PDF version of this report: pdf, 661 kb.
For a downloadable copy of IOCs, see AA23-040.stix (STIX, 197 kb).
Technical Details
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.
Observable TTPs
The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:
- Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
- Obfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
- Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
- Gain Access [TA0001]. Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in various SonicWall appliances [T1190 and T1133]. Observed CVEs used include:
- CVE 2021-44228
- CVE-2021-20038
- CVE-2022-24990
Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].
The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup.com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related file names and hashes are listed in table 1.
Table 1: Malicious file names and hashes spread by xpopup domains
File Name |
MD5 Hash |
xpopup.rar |
1f239db751ce9a374eb9f908c74a31c9 |
X-PopUp.exe |
6fb13b1b4b42bac05a2ba629f04e3d03 |
X-PopUp.exe |
cf8ba073db7f4023af2b13dd75565f3d |
xpopup.exe |
4e71d52fc39f89204a734b19db1330d3 |
x-PopUp.exe |
43d4994635f72852f719abb604c4a8a1 |
xpopup.exe |
5ae71e8440bf33b46554ce7a7f3de666 |
- Move Laterally and Discovery [TA0007, TA0008]. After initial access, DPRK cyber actors use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]. The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors [TA0010].
- Employ Various Ransomware Tools [TA0040]. Actors have used privately developed ransomware, such as Maui and H0lyGh0st [T1486]. Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486]. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group. For IOCs associated with Maui and H0lyGh0st ransomware usage, please see Appendix B.
- Demand Ransom in Cryptocurrency. DPRK cyber actors have been observed setting ransoms in bitcoin [T1486]. Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid. Bitcoin wallet addresses possibly used by DPRK cyber actors include:
- 1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
- bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
- 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
- 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
- bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
- bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
- 1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
- bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
- 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
- 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
- 16sYqXancDDiijcuruZecCkdBDwDf4vSEC
- 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
- LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
- 1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
- 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
- bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
- bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
- bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
- bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
- bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
- bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
- bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
- bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
- bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
- bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
- bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
- bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
- bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
- bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
- bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
- bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
- bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
- bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
- bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
- bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
- bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
- bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
- bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
- bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
- bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
- bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
- bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
- bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn
Mitigations
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
The authoring agencies urge HPH organizations to:
- Limit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet of Things (IoT) medical devices, and the electronic health record system [CPG 3.3].
- Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts [CPG 1.5], which grant excessive system administration privileges.
- Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
- Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
- Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI), per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures could prevent the introduction of malware to the system [CPG 3.4].
- Secure PII/ PHI at collection points and encrypt the data at rest and in transit using technologies, such as TLS. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
- Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer [CPG 8.1].
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise [CPG 3.1].
In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:
- Maintain isolated backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].
- Install updates for operating systems, software, and firmware as soon as they are released [CPG 5.1]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
- If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely [CPG 5.4].
- Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require phishing-resistant multifactor authentication (MFA) to mitigate credential theft and reuse [CPG 1.3]. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports [CPG 1.1, 3.1].
- Ensure devices are properly configured and that security features are enabled. Disable ports and protocols not in use for a business purpose (e.g., RDP Transmission Control Protocol port 3389).
- Restrict the Server Message Block (SMB) protocol within the network to only access necessary servers and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
- Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity [CPG 5.6, 6.2].
- Implement application control policies that only allow systems to execute known and permitted programs [CPG 2.1].
- Open document readers in protected viewing modes to help prevent active content from running.
- Implement a user training program and phishing exercises [CPG 4.3] to raise awareness among users about the risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
- Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
- Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
- Require administrator credentials to install software [CPG 1.5].
- Audit user accounts with administrative or elevated privileges [CPG 1.5] and configure access controls with least privilege in mind.
- Install and regularly update antivirus and antimalware software on all hosts.
- Only use secure networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organizations [CPG 8.3] indicating that they are higher risk messages.
- Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures.
If a ransomware incident occurs at your organization:
- Follow your organization’s ransomware response checklist.
- Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
- U.S. organizations: Follow the notification requirements as outlined in your cyber incident response plan. Report incidents to appropriate authorities; in the U.S., this would include the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
- South Korean organizations: Please report incidents to NIS, KISA (Korea Internet & Security Agency), and KNPA (Korean National Police Agency).
- NIS (National Intelligence Service)
- KISA (Korea Internet & Security Agency)
- KNPA (Korean National Police Agency)
- Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
Resources
Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link:
https://www.stairwell.com/news/threat-research-report-maui-ransomware/
Request For Information
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.
Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.
Acknowledgements
NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.
Disclaimer of endorsement
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Trademark recognition
Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and Apache Log4j are trademarks of Apache Software Foundation. TerraMaster Operating System is a registered trademark of Octagon Systems.
Purpose
This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Appendix A: CVE Details
CVE-2021-44228 CVSS 3.0: 10 (Critical) |
Vulnerability Description Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. |
Recommended Mitigations Apply patches provided by vendor and perform required system updates. |
Detection Methods See vendors’ Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability. |
Vulnerable Technologies and Versions There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, please check https://nvd.nist.gov/vuln/detail/CVE-2021-44228. |
See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more information. |
CVE-2021-20038 CVSS 3.0: 9.8 (Critical) |
Vulnerability Description A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a ‘nobody’ user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions. |
Recommended Mitigations Apply all appropriate vendor updates Upgrade to:
- SMA 100 Series – (SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure):
- SonicWall SMA100 build versions 10.2.0.9-41sv or later
- SonicWall SMA100 build versions 10.2.1.3-27sv or later
System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions.
Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.
|
Vulnerable Technologies and Versions Sonicwall Sma 200 Firmware 10.2.0.8-37Sv Sonicwall Sma 200 Firmware 10.2.1.1-19Sv Sonicwall Sma 200 Firmware 10.2.1.2-24Sv Sonicwall Sma 210 Firmware 10.2.0.8-37Sv Sonicwall Sma 210 Firmware 10.2.1.1-19Sv Sonicwall Sma 210 Firmware 10.2.1.2-24Sv Sonicwall Sma 410 Firmware 10.2.0.8-37Sv Sonicwall Sma 410 Firmware 10.2.1.1-19Sv Sonicwall Sma 410 Firmware 10.2.1.2-24Sv Sonicwall Sma 400 Firmware 10.2.0.8-37Sv Sonicwall Sma 400 Firmware 10.2.1.1-19Sv Sonicwall Sma 400 Firmware 10.2.1.2-24Sv Sonicwall Sma 500V Firmware 10.2.0.8-37Sv Sonicwall Sma 500V Firmware 10.2.1.1-19Sv Sonicwall Sma 500V Firmware 10.2.1.2-24Sv |
See https://nvd.nist.gov/vuln/detail/CVE-2021-20038 for more information. |
CVE-2022-24990 CVSS 3.x: N/A |
Vulnerability Description The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances’ operating system where users manage storage, backup data, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with highest privileges. |
Recommended Mitigations Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30 |
Vulnerable Technologies and Versions TOS v 4.2.29 |
See https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ and https://forum.terra-master.com/en/viewtopic.php?t=3030 for more information. |
Appendix B: Indicators of Compromise (IOCs)
The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.
Table 2: File names and hashes of malicious implants, RATs, and tools
MD5Hash |
SHA256Hash |
079b4588eaa99a1e802adf5e0b26d8aa |
f67ee77d6129bd1bcd5d856c0fc5314169 b946d32b8abaa4e680bb98130b38e7 |
0e9e256d8173854a7bc26982b1dde783 |
— |
12c15a477e1a96120c09a860c9d479b3 |
6263e421e397db821669420489d2d3084 f408671524fd4e1e23165a16dda2225 |
131fc4375971af391b459de33f81c253 |
— |
17c46ed7b80c2e4dbea6d0e88ea0827c |
b9af4660da00c7fa975910d0a19fda0720 31c15fad1eef935a609842c51b7f7d |
1875f6a68f70bee316c8a6eda9ebf8de |
672ec8899b8ee513dbfc4590440a61023 846ddc2ca94c88ae637144305c497e7 |
1a74c8d8b74ca2411c1d3d22373a6769 |
ba8f9e7afe5f78494c111971c39a89111ef 9262bf23e8a764c6f65c818837a44 |
1f6d9f8fbdbbd4e6ed8cd73b9e95a928 |
4f089afa51fd0c1b2a39cc11cedb3a4a32 6111837a5408379384be6fe846e016 |
2d02f5499d35a8dffb4c8bc0b7fec5c2 |
830207029d83fd46a4a89cd623103ba23 21b866428aa04360376e6a390063570 |
2e18350194e59bc6a2a3f6d59da11bd8 |
655aa64860f1655081489cf85b77f72a49 de846a99dd122093db4018434b83ae |
3bd22e0ac965ebb6a18bb71ba39e96dc |
6b7f566889b80d1dba4f92d5e2fb2f5ef24 f57fcfd56bb594978dffe9edbb9eb |
40f21743f9cb927b2c84ecdb7dfb14a6 |
5081f54761947bc9ce4aa2a259a0bd60b 4ec03d32605f8e3635c4d4edaf48894 |
4118d9adce7350c3eedeb056a3335346 |
5b7ecf7e9d0715f1122baf4ce745c5fcd76 9dee48150616753fec4d6da16e99e |
43e756d80225bdf1200bc34eef5adca8 |
afb2d4d88f59e528f0e388705113ae54b7 b97db4f03a35ae43cc386a48f263a0 |
47791bf9e017e3001ddc68a7351ca2d6 |
863b707873f7d653911e46885e261380b 410bb3bf6b158daefb47562e93cb657 |
505262547f8879249794fc31eea41fc6 |
f32f6b229913d68daad937cc72a57aa452 91a9d623109ed48938815aa7b6005c |
5130888a0ad3d64ad33c65de696d3fa2 |
c92c1f3e77a1876086ce530e87aa9c1f9c bc5e93c5e755b29cad10a2f3991435 |
58ad3103295afcc22bde8d81e77c282f |
18b75949e03f8dcad513426f1f9f3ca209d 779c24cd4e941d935633b1bec00cb |
5be1e382cd9730fbe386b69bd8045ee7 |
5ad106e333de056eac78403b033b89c58 b4c4bdda12e2f774625d47ccfd3d3ae |
5c6f9c83426c6d33ff2d4e72c039b747 |
a3b7e88d998078cfd8cdf37fa5454c45f6c bd65f4595fb94b2e9c85fe767ad47 |
640e70b0230dc026eff922fb1e44c2ea |
6319102bac226dfc117c3c9e620cd99c7e afbf3874832f2ce085850aa042f19c |
67f4dad1a94ed8a47283c2c0c05a7594 |
3fe624c33790b409421f4fa2bb8abfd701d f2231a959493c33187ed34bec0ae7 |
70652edadedbacfd30d33a826853467d |
196fb1b6eff4e7a049cea323459cfd6c0e3 900d8d69e1d80bffbaabd24c06eba |
739812e2ae1327a94e441719b885bd19 |
6122c94cbfa11311bea7129ecd5aea6fae 6c51d23228f7378b5f6b2398728f67 |
76c3d2092737d964dfd627f1ced0af80 |
bffe910904efd1f69544daa9b72f2a70fb29 f73c51070bde4ea563de862ce4b1 |
802e7d6e80d7a60e17f9ffbd62fcbbeb |
87bdb1de1dd6b0b75879d8b8aef80b562 ec4fad365d7abbc629bcfc1d386afa6 |
827103a6b6185191fd5618b7e82da292 |
— |
830bc975a04ab0f62bfedf27f7aca673 |
— |
85995257ac07ae5a6b4a86758a2283d7 |
— |
85f6e3e3f0bdd0c1b3084fc86ee59d19 |
f1576627e8130e6d5fde0dbe3dffcc8bc9e ef1203d15fcf09cd877ced1ccc72a |
87a6bda486554ab16c82bdfb12452e8b |
980bb08ef3e8afcb8c0c1a879ec11c41b2 9fd30ac65436495e69de79c555b2be |
891db50188a90ddacfaf7567d2d0355d |
0837dd54268c373069fc5c1628c6e3d75e b99c3b3efc94c45b73e2cf9a6f3207 |
894de380a249e677be2acb8fbdfba2ef |
— |
8b395cc6ecdec0900facf6e93ec48fbb |
— |
92a6c017830cda80133bf97eb77d3292 |
d1aba3f95f11fc6e5fec7694d188919555b 7ff097500e811ff4a5319f8f230be |
9b0e7c460a80f740d455a7521f0eada1 |
45d8ac1ac692d6bb0fe776620371fca02b 60cac8db23c4cc7ab5df262da42b78 |
9b9d4cb1f681f19417e541178d8c75d7 |
f5f6e538001803b0aa008422caf2c3c2a7 9b2eeee9ddc7feda710e4aba96fea4 |
a1f9e9f5061313325a275d448d4ddd59 |
dfdd72c9ce1212f9d9455e2bca5a327c88 d2d424ea5c086725897c83afc3d42d |
a452a5f693036320b580d28ee55ae2a3 |
99b0056b7cc2e305d4ccb0ac0a8a270d3f ceb21ef6fc2eb13521a930cea8bd9f |
a6e1efd70a077be032f052bb75544358 |
3b9fe1713f638f85f20ea56fd09d20a96cd 6d288732b04b073248b56cdaef878 |
ad4eababfe125110299e5a24be84472e |
a557a0c67b5baa7cf64bd4d42103d3b285 2f67acf96b4c5f14992c1289b55eaa |
b1c1d28dc7da1d58abab73fa98f60a83 |
38491f48d0cbaab7305b5ddca64ba41a2b eb89d81d5fb920e67d0c7334c89131 |
b6f91a965b8404d1a276e43e61319931 |
— |
bdece9758bf34fcad9cba1394519019b |
9d6de05f9a3e62044ad9ae66111308ccb9 ed2ee46a3ea37d85afa92e314e7127 |
c3850f4cc12717c2b54753f8ca5d5e0e |
99b448e91669b92c2cc3417a4d9711209 509274dab5d7582baacfab5028a818c |
c50b839f2fc3ce5a385b9ae1c05def3a |
458d258005f39d72ce47c111a7d17e8c52 fe5fc7dd98575771640d9009385456 |
cf236bf5b41d26967b1ce04ebbdb4041 |
60425a4d5ee04c8ae09bfe28ca33bf9e76 a43f69548b2704956d0875a0f25145 |
d0e203e8845bf282475a8f816340f2e8 |
f6375c5276d1178a2a0fe1a16c5668ce52 3e2f846c073bf75bb2558fdec06531 |
ddb1f970371fa32faae61fc5b8423d4b |
dda53eee2c5cb0abdbf5242f5e82f4de83 898b6a9dd8aa935c2be29bafc9a469 |
f2f787868a3064407d79173ac5fc0864 |
92adc5ea29491d9245876ba0b29573936 33c9998eb47b3ae1344c13a44cd59ae |
fda3a19afa85912f6dc8452675245d6b |
56925a1f7d853d814f80e98a1c4890b0a6 a84c83a8eded34c585c98b2df6ab19 |
— |
0054147db54544d77a9efd9baf5ec96a80 b430e170d6e7c22fcf75261e9a3a71 |
— |
151ab3e05a23e9ccd03a6c49830dabb9e 9281faf279c31ae40b13e6971dd2fb8 |
— |
1c926fb3bd99f4a586ed476e4683163892 f3958581bf8c24235cd2a415513b7f |
— |
1f8dcfaebbcd7e71c2872e0ba2fc6db81d6 51cf654a21d33c78eae6662e62392 |
— |
f226086b5959eb96bd30dec0ffcbf0f0918 6cd11721507f416f1c39901addafb |
— |
23eff00dde0ee27dabad28c1f4ffb8b09e8 76f1e1a77c1e6fb735ab517d79b76 |
— |
586f30907c3849c363145bfdcdabe3e2e4 688cbd5688ff968e984b201b474730 |
— |
8ce219552e235dcaf1c694be122d6339e d4ff8df70bf358cd165e6eb487ccfc5 |
— |
90fb0cd574155fd8667d20f97ac464eca67 bdb6a8ee64184159362d45d79b6a4 |
— |
c2904dc8bbb569536c742fca0c51a766e8 36d0da8fac1c1abd99744e9b50164f |
— |
ca932ccaa30955f2fffb1122234fb1524f7d e3a8e0044de1ed4fe05cab8702a5 |
— |
f6827dc5af661fbb4bf64bc625c78283ef8 36c6985bb2bfb836bd0c8d5397332 |
— |
f78cabf7a0e7ed3ef2d1c976c1486281f56 a6503354b87219b466f2f7a0b65c4 |
Table 3 lists MD5 and SHA256 hashes are associated with Maui Ransomware files.
Table 3: File names and hashes of Maui ransomware files
MD5 Hash |
SHA256 Hash |
4118d9adce7350c3eedeb056a3335346 |
5b7ecf7e9d0715f1122baf4ce745c5fcd76 9dee48150616753fec4d6da16e99e |
9b0e7c460a80f740d455a7521f0eada1 |
45d8ac1ac692d6bb0fe776620371fca02b 60cac8db23c4cc7ab5df262da42b78 |
fda3a19afa85912f6dc8452675245d6b |
56925a1f7d853d814f80e98a1c4890b0a6 a84c83a8eded34c585c98b2df6ab19 |
2d02f5499d35a8dffb4c8bc0b7fec5c2 |
830207029d83fd46a4a89cd623103ba232 1b866428aa04360376e6a390063570 |
c50b839f2fc3ce5a385b9ae1c05def3a |
458d258005f39d72ce47c111a7d17e8c52 fe5fc7dd98575771640d9009385456 |
a452a5f693036320b580d28ee55ae2a3 |
99b0056b7cc2e305d4ccb0ac0a8a270d3f ceb21ef6fc2eb13521a930cea8bd9f |
a6e1efd70a077be032f052bb75544358 |
3b9fe1713f638f85f20ea56fd09d20a96cd6 d288732b04b073248b56cdaef878 |
802e7d6e80d7a60e17f9ffbd62fcbbeb |
87bdb1de1dd6b0b75879d8b8aef80b562e c4fad365d7abbc629bcfc1d386afa6 |
— |
0054147db54544d77a9efd9baf5ec96a80b 430e170d6e7c22fcf75261e9a3a71 |
Table 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.
Table 4: File names and hashes of H0lyGh0st ransomware files
SHA256 Hash |
99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd* |
F8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86* |
Bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af* |
6e20b73a6057f8ff75c49e1b7aef08abfcfe4e418e2c1307791036f081335c2d |
f4d10b08d7dacd8fe33a6b54a0416eecdaed92c69c933c4a5d3700b8f5100fad |
541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219 |
2d978df8df0cf33830aba16c6322198e5889c67d49b40b1cb1eb236bd366826d |
414ed95d14964477bebf86dced0306714c497cde14dede67b0c1425ce451d3d7 |
Df0c7bb88e3c67d849d78d13cee30671b39b300e0cda5550280350775d5762d8 |
MD5 Hash |
a2c2099d503fcc29478205f5aef0283b |
9c516e5b95a7e4169ecbd133ed4d205f |
d6a7b5db62bf7815a10a17cdf7ddbd4b |
c6949a99c60ef29d20ac8a9a3fb58ce5 |
4b20641c759ed563757cdd95c651ee53 |
25ee4001eb4e91f7ea0bc5d07f2a9744 |
29b6b54e10a96e6c40e1f0236b01b2e8 |
18126be163eb7df2194bb902c359ba8e |
eaf6896b361121b2c315a35be837576d |
e4ee611533a28648a350f2dab85bb72a |
e268cb7ab778564e88d757db4152b9fa |
* from Microsoft blog post on h0lygh0st
Contact Information
NSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
To report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Media Inquiries / Press Desk:
Revisions
- February 9, 2023: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
Source de l’article sur us-cert.gov
Cloud technologies : The State of Being Without Occupants
ActualitésCloud technologies have revolutionized the way businesses operate today. It has enabled organizations to access, store, and share data from anywhere in the world. Cloud computing has become an integral part of the modern business landscape, allowing companies to save money, increase efficiency, and improve collaboration.
Cloud technology is a type of computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications. Cloud computing services are delivered over the internet, allowing users to access data and applications from any device with an internet connection. This makes it easier for businesses to access and store data in a secure environment.
Main benefits of cloud technologies
One of the main benefits of cloud technologies is cost savings. By using cloud services, businesses can reduce their IT costs by eliminating the need for expensive hardware and software. Additionally, cloud services are much more scalable than traditional IT solutions, allowing businesses to quickly scale up or down as needed. This makes it easier for businesses to respond to changing market conditions and customer demands.
Another benefit of cloud technologies is improved collaboration. By using cloud services, businesses can easily share data and documents with colleagues, customers, and partners. This makes it easier for teams to work together on projects and stay up-to-date on the latest developments. Additionally, cloud services allow businesses to access data from any device, making it easier for employees to work remotely.
Finally, cloud technologies provide businesses with increased security. Cloud services use encryption and authentication protocols to protect data from unauthorized access. Additionally, cloud services are regularly updated with the latest security patches, helping to ensure that data remains secure.
Overall, cloud technologies have revolutionized the way businesses operate today. By using cloud services, businesses can save money, increase efficiency, improve collaboration, and increase security. As businesses continue to embrace cloud technologies, they will be able to take advantage of the many benefits that cloud computing has to offer.
AA23-040A: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’informationOriginal release date: February 9, 2023 | Last revised: February 10, 2023
Summary
Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
For additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.
Download the PDF version of this report: pdf, 661 kb.
For a downloadable copy of IOCs, see AA23-040.stix (STIX, 197 kb).
Technical Details
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.
Observable TTPs
The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:
Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].
The actors spread malware by leveraging two domains:xpopup.pe[.]kr and xpopup.com . xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111 . Related file names and hashes are listed in table 1.
Mitigations
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
The authoring agencies urge HPH organizations to:
In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:
If a ransomware incident occurs at your organization:
Resources
Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link:
https://www.stairwell.com/news/threat-research-report-maui-ransomware/
Request For Information
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.
Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.
Acknowledgements
NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.
Disclaimer of endorsement
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Trademark recognition
Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and Apache Log4j are trademarks of Apache Software Foundation. TerraMaster Operating System is a registered trademark of Octagon Systems.
Purpose
This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Appendix A: CVE Details
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Apply patches provided by vendor and perform required system updates.
See vendors’ Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability.
There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, please check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a ‘nobody’ user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Apply all appropriate vendor updates
Upgrade to:
System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions.
Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.
Sonicwall Sma 200 Firmware 10.2.0.8-37Sv
Sonicwall Sma 200 Firmware 10.2.1.1-19Sv
Sonicwall Sma 200 Firmware 10.2.1.2-24Sv
Sonicwall Sma 210 Firmware 10.2.0.8-37Sv
Sonicwall Sma 210 Firmware 10.2.1.1-19Sv
Sonicwall Sma 210 Firmware 10.2.1.2-24Sv
Sonicwall Sma 410 Firmware 10.2.0.8-37Sv
Sonicwall Sma 410 Firmware 10.2.1.1-19Sv
Sonicwall Sma 410 Firmware 10.2.1.2-24Sv
Sonicwall Sma 400 Firmware 10.2.0.8-37Sv
Sonicwall Sma 400 Firmware 10.2.1.1-19Sv
Sonicwall Sma 400 Firmware 10.2.1.2-24Sv
Sonicwall Sma 500V Firmware 10.2.0.8-37Sv
Sonicwall Sma 500V Firmware 10.2.1.1-19Sv
Sonicwall Sma 500V Firmware 10.2.1.2-24Sv
The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances’ operating system where users manage storage, backup data, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with highest privileges.
Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30
TOS v 4.2.29
Appendix B: Indicators of Compromise (IOCs)
The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.
b946d32b8abaa4e680bb98130b38e7
f408671524fd4e1e23165a16dda2225
31c15fad1eef935a609842c51b7f7d
846ddc2ca94c88ae637144305c497e7
9262bf23e8a764c6f65c818837a44
6111837a5408379384be6fe846e016
21b866428aa04360376e6a390063570
de846a99dd122093db4018434b83ae
f57fcfd56bb594978dffe9edbb9eb
4ec03d32605f8e3635c4d4edaf48894
9dee48150616753fec4d6da16e99e
b97db4f03a35ae43cc386a48f263a0
410bb3bf6b158daefb47562e93cb657
91a9d623109ed48938815aa7b6005c
bc5e93c5e755b29cad10a2f3991435
779c24cd4e941d935633b1bec00cb
b4c4bdda12e2f774625d47ccfd3d3ae
bd65f4595fb94b2e9c85fe767ad47
afbf3874832f2ce085850aa042f19c
f2231a959493c33187ed34bec0ae7
900d8d69e1d80bffbaabd24c06eba
6c51d23228f7378b5f6b2398728f67
f73c51070bde4ea563de862ce4b1
ec4fad365d7abbc629bcfc1d386afa6
ef1203d15fcf09cd877ced1ccc72a
9fd30ac65436495e69de79c555b2be
b99c3b3efc94c45b73e2cf9a6f3207
7ff097500e811ff4a5319f8f230be
60cac8db23c4cc7ab5df262da42b78
9b2eeee9ddc7feda710e4aba96fea4
d2d424ea5c086725897c83afc3d42d
ceb21ef6fc2eb13521a930cea8bd9f
6d288732b04b073248b56cdaef878
2f67acf96b4c5f14992c1289b55eaa
eb89d81d5fb920e67d0c7334c89131
ed2ee46a3ea37d85afa92e314e7127
509274dab5d7582baacfab5028a818c
fe5fc7dd98575771640d9009385456
a43f69548b2704956d0875a0f25145
3e2f846c073bf75bb2558fdec06531
898b6a9dd8aa935c2be29bafc9a469
33c9998eb47b3ae1344c13a44cd59ae
a84c83a8eded34c585c98b2df6ab19
b430e170d6e7c22fcf75261e9a3a71
9281faf279c31ae40b13e6971dd2fb8
f3958581bf8c24235cd2a415513b7f
51cf654a21d33c78eae6662e62392
6cd11721507f416f1c39901addafb
76f1e1a77c1e6fb735ab517d79b76
688cbd5688ff968e984b201b474730
d4ff8df70bf358cd165e6eb487ccfc5
bdb6a8ee64184159362d45d79b6a4
36d0da8fac1c1abd99744e9b50164f
e3a8e0044de1ed4fe05cab8702a5
36c6985bb2bfb836bd0c8d5397332
a6503354b87219b466f2f7a0b65c4
Table 3 lists MD5 and SHA256 hashes are associated with Maui Ransomware files.
9dee48150616753fec4d6da16e99e
60cac8db23c4cc7ab5df262da42b78
a84c83a8eded34c585c98b2df6ab19
1b866428aa04360376e6a390063570
fe5fc7dd98575771640d9009385456
ceb21ef6fc2eb13521a930cea8bd9f
d288732b04b073248b56cdaef878
c4fad365d7abbc629bcfc1d386afa6
430e170d6e7c22fcf75261e9a3a71
Table 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.
* from Microsoft blog post on h0lygh0st
Contact Information
NSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
To report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Media Inquiries / Press Desk:
Revisions
This product is provided subject to this Notification and this Privacy & Use policy.
Source de l’article sur us-cert.gov
gRPC vs. REST
Actualités, Méthodes et organisation des process ITComparing gRPC and REST? Let’s dive into the pros and cons of each to help you decide which is best for your needs.
## REST or gRPC, Which Should You Choose? Comparing Strengths and Weaknesses
the client, which initiates the communication, and the server, which responds to the client’s requests. REST and gRPC are two popular architectures for client-server communication.
I am an excited scientist who has made a sensational discovery: after extensive testing, I have concluded that gRPC is the superior choice for client-server communication. gRPC is a high-performance, open-source RPC framework that uses HTTP/2 for transport. It is designed to be language-agnostic and platform-independent, making it easy to use in any environment. gRPC also supports streaming, which allows for efficient communication between the client and server.
In comparison, REST is a stateless architecture that uses HTTP as its transport protocol. It is also language-agnostic and platform-independent, but it does not support streaming. This means that the client must wait for the server to respond before sending another request, making it less efficient than gRPC.
When choosing between gRPC and REST, there are several factors to consider. First, consider the performance requirements of your application. If you need a high-performance solution, then gRPC is the better choice. Second, consider the language and platform you are using. If you are using a language or platform that does not support gRPC, then REST may be the better choice. Finally, consider the complexity of your application. If you need a simple solution that does not require streaming or complex data structures, then REST may be the better choice.
In conclusion, gRPC is the superior choice for client-server communication due to its high performance, language-agnostic design, and support for streaming. However, when choosing between gRPC and REST, it is important to consider the performance requirements, language and platform, and complexity of your application before making a decision. After extensive testing, I am confident that gRPC is the best choice for most applications.
Source de l’article sur DZONE
AA23-039A: ESXiArgs Ransomware Virtual Machine Recovery Guidance
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’informationOriginal release date: February 8, 2023
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable.
CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to:
If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.
Download the PDF version of this report: pdf, 712 kb.
Note: CISA and FBI will update this CSA as more information becomes available.
Technical Details
Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1]
ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is:
vmdk
,vmx
,vmxf
,vmsd
,vmsn
,vswp
,vmss
,nvram
,vmem
.Recovery Guidance
CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2]
Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.
1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.
2. Download CISA’s recovery script and save it as
/tmp/recover.sh
.For example, with
wget
:wget -O /tmp/recover.sh
https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh.
3. Give the script execute permissions:
chmod +x /tmp/recover.sh
4. Navigate to the folder of a VM you would like to recover and run
ls
to view the files.5. View files by running
ls
. Note the name of the VM (via naming convention:[name].vmdk
).6. Run the recovery script with
/tmp/recover.sh [name]
, where[name]
is the name of the VM determined previously.7. If the script succeeded, re-register the VM.
8. Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.
Additional Incident Response
The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:
If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.
Additional resources for recovering
.vmdk
files can be found on a third-party researcher’s website.[2]Mitigations
Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
CISA and FBI recommend all organizations:
In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.
Preparing for Ransomware
Mitigating and Preventing Ransomware
Responding to Ransomware Incidents
If a ransomware incident occurs at your organization:
Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
Resources
See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.
Acknowledgements
CISA and FBI would like to thank VMware for their contributions to this CSA.
References
Revisions
This product is provided subject to this Notification and this Privacy & Use policy.
Source de l’article sur us-cert.gov
Comparing dbForge SQL Complete & SSMS Tools Pack
Actualités, Méthodes et organisation des process ITExplore the differences between dbForge SQL Complete and SSMS Tools Pack to find the best SQL management solution for your needs.
## Enhancing SQL Server Management Studio with Add-Ins and Extensions
The first add-in is SQL Prompt. This is a great tool for improving our coding speed and accuracy. It provides us with a range of features, including autocompletion, code snippets, and refactoring. Autocompletion helps us write code quickly and accurately. It suggests the correct syntax and keywords for our SQL codings. Code snippets help us quickly insert commonly used code blocks into our codings. Refactoring helps us quickly modify existing codings to make them more efficient.
The second add-in is ApexSQL Refactor. This add-in provides us with a range of features to help us improve our SQL codings. It provides us with a range of refactoring options, such as renaming objects, splitting and merging tables, and formatting codings. It also provides us with a range of code snippets to help us quickly insert commonly used code blocks into our codings.
Both of these add-ins are great tools for improving our coding speed and accuracy. They provide us with a range of features that help us write better codings faster. Autocompletion helps us write code quickly and accurately. Code snippets help us quickly insert commonly used code blocks into our codings. Refactoring helps us quickly modify existing codings to make them more efficient. With these tools, we can make the most of our coding time and be more productive.
As a scientist who has made a sensational discovery, I am excited to share my findings about the use of SQL Server Management Studio (SSMS) add-ins and extensions to increase coding capabilities. SSMS is a proven database administration and management tool that can be used by both Database Administrators and database developers. By using a range of SSMS add-ins and extensions, we can extend the functionality of the SSMS and enhance our SQL codings with autocompletion, snippets, and refactoring.
The first add-in I want to discuss is SQL Prompt. This powerful tool helps improve coding speed and accuracy by providing us with autocompletion, code snippets, and refactoring features. Autocompletion suggests the correct syntax and keywords for our SQL codings, while code snippets allow us to quickly insert commonly used code blocks into our codings. Refactoring helps us quickly modify existing codings to make them more efficient.
The second add-in I want to discuss is ApexSQL Refactor. This add-in provides us with a range of features to help us improve our SQL codings, such as renaming objects, splitting and merging tables, and formatting codings. It also provides us with a range of code snippets to help us quickly insert commonly used code blocks into our codings.
By using these two add-ins, we can make the most of our coding time and be more productive. They provide us with a range of features that help us write better codings faster. Autocompletion helps us write code quickly and accurately, while code snippets help us quickly insert commonly used code blocks into our codings. Refactoring helps us quickly modify existing codings to make them more efficient. With these tools, we can save time and increase our coding capabilities.
Source de l’article sur DZONE
Browser Sandboxing: Overview
Actualités, Méthodes et organisation des process ITBrowser Sandboxing is a security technique used to protect computers from malicious code and threats. Learn more about its benefits and how it works.
## Security Challenges in Modern Web Development and the Benefits of Sandboxing
But what if you could take this security to the next level? What if you could protect your web applications and databases from malicious attacks and data breaches? Introducing Database Sandboxing! Database Sandboxing is a revolutionary approach to protecting your databases from malicious attacks and data breaches. It provides a secure environment for developers and testers to develop and test their web applications and databases without worrying about security vulnerabilities.
Database Sandboxing works by creating a virtualized environment for your database. This environment is completely isolated from the rest of your system, so any malicious code or attacks that attempt to access your database will be blocked. The sandbox also allows developers and testers to safely develop and test their web applications and databases without worrying about security vulnerabilities. In addition, Database Sandboxing also provides a secure platform for data analysis, allowing developers and testers to analyze data in a secure environment without compromising the security of the data.
As a scientist, I am excited to share this revolutionary approach to protecting your databases from malicious attacks and data breaches. Database Sandboxing provides a secure environment for developers and testers to develop and test their web applications and databases without worrying about security vulnerabilities. It also provides a secure platform for data analysis, allowing developers and testers to analyze data in a secure environment without compromising the security of the data. With Database Sandboxing, developers and testers can now focus on developing and testing their web applications and databases without worrying about security vulnerabilities, making it easier to ensure user data security and privacy.
Source de l’article sur DZONE
“Microsoft Azure: Best Option for Industrial IoT Solutions”
Actualités, Méthodes et organisation des process ITMicrosoft Azure is the ideal choice for industrial IoT solutions, offering powerful tools and features to help businesses maximize efficiency and productivity.
Which Cloud Computing Platform is the Best Option for Running Industrial IoT Solutions?
The answer lies in the architecture of the platform.
I am excited to announce a sensational discovery — the best cloud computing platform for running industrial IoT solutions is the serverless architecture. Serverless architecture is a cloud computing model that enables developers to build applications and services without having to manage or maintain any servers. This makes it an ideal choice for industrial IoT solutions, as it eliminates the need for managing and maintaining servers, and allows developers to focus on building applications and services that are tailored to their specific needs.
The serverless architecture is highly versatile and provides a number of benefits that make it the perfect choice for industrial IoT solutions. Firstly, it is cost-effective, as it eliminates the need for upfront investments in hardware and software. Secondly, it is highly scalable, as it allows developers to quickly scale up or down depending on their needs. Thirdly, it is highly secure, as it eliminates the risk of data breaches due to the lack of physical servers. Finally, it is highly reliable, as it ensures that applications and services are always available and running smoothly.
These benefits make serverless architecture an ideal choice for industrial IoT solutions. It enables developers to quickly build and deploy applications and services that are tailored to their specific needs, while eliminating the need for upfront investments in hardware and software. Furthermore, it provides enhanced scalability, security, and reliability, making it the perfect choice for industrial IoT solutions.
I am thrilled to have made this sensational discovery, and I am confident that serverless architecture will revolutionize the way industrial IoT solutions are developed and deployed. With its cost-effectiveness, scalability, security, and reliability, it is undoubtedly the best choice for running industrial IoT solutions.
Source de l’article sur DZONE
MySQL & PostgreSQL in 2023
Actualités, Méthodes et organisation des process ITIn 2023, MySQL and PostgreSQL will continue to be two of the most popular relational databases, offering powerful features and scalability for businesses of all sizes.
MySQL, on the other hand, was first released in 1995 and is now owned by Oracle. It is known for its ease of use, its performance, and its wide range of features.
## Comparing PostgreSQL and MySQL in 2023
PostgreSQL is also highly extensible and has a wide range of features for developers, including support for stored procedures, triggers, and custom data types.
MySQL, on the other hand, was first released in 1995 and has since become the most popular open-source RDBMS. It is known for its ease of use, its high performance, and its support for a wide range of programming languages. MySQL also has a wide range of features for developers, including support for stored procedures, triggers, and custom data types.
Comparison of Architecture
When it comes to architecture, PostgreSQL and MySQL have some key differences. PostgreSQL is an object-relational database management system (ORDBMS) that supports both SQL and object-oriented programming. It is designed to be extensible and has a wide range of features for developers, including support for stored procedures, triggers, and custom data types.
MySQL, on the other hand, is a relational database management system (RDBMS) that supports only SQL. It is designed to be fast and efficient, and it has a wide range of features for developers, including support for stored procedures, triggers, and custom data types.
Conclusion
In conclusion, PostgreSQL and MySQL are both popular open-source RDBMSs that have been around for decades and have proven to be highly reliable, secure, and scalable. However, they have different strengths and weaknesses that make one more suitable for certain use cases than the other. PostgreSQL is an object-relational database management system (ORDBMS) that supports both SQL and object-oriented programming, while MySQL is a relational database management system (RDBMS) that supports only SQL. When making a decision in 2023, it is important to consider the architecture of each system and how it fits into your particular use case.
Source de l’article sur DZONE
observIQ Distro for OpenTelemetry Collector Filtering
Actualités, Méthodes et organisation des process ITObservIQ’s Distro for OpenTelemetry Collector Filtering provides powerful tools to help you monitor and analyze your applications.
## Filtering Metrics within OpenTelemetry (OTEL) Collector on MySQL on Red Hat Enterprise Linux 8 for Google Cloud Operations Exporter
I am thrilled to announce a sensational discovery in the world of architecture! By leveraging the OpenTelemetry (OTEL) collector and filtering metrics within observIQ’s distribution, I have found a way to improve the monitoring use case. To demonstrate this, I will use a sample environment of MySQL on Red Hat Enterprise Linux 8. The destination exporter will be to Google Cloud Operations, but the process is exporter agnostic.
The process of filtering metrics is fairly straightforward. By using the OTEL collector, we can filter out any metrics that are deemed unnecessary or for security concerns. This will help to improve the overall performance of the system and ensure that only the most important metrics are being monitored. To illustrate this, I have provided visual charts showing the metric before and after filtering. This will help to demonstrate the effectiveness of the process and how it can help to improve the monitoring use case.
Overall, I am extremely excited about this discovery and the potential it has to revolutionize architecture. By using the OTEL collector and filtering metrics within observIQ’s distribution, we can improve the monitoring use case and ensure that only the most important metrics are being monitored. This will help to improve the overall performance of the system and provide visual charts to demonstrate the effectiveness of the process. I am confident that this discovery will have a lasting impact on architecture and I look forward to seeing how it is used in the future.
Source de l’article sur DZONE
ML & AI Adv. in MDM
Actualités, Méthodes et organisation des process ITThe use of Machine Learning and Artificial Intelligence in Mobile Device Management is revolutionizing the way businesses manage their mobile devices.
## Master Data Management and Machine Learning
I am excited to announce a sensational discovery in the field of master data management. After months of research, I have developed a new software that can help organizations manage their master data more efficiently. This software uses machine learning algorithms to group similar records and identify any discrepancies between them. This helps organizations to ensure the accuracy and consistency of their master data.
The software is designed to be user-friendly and easy to use. It can be integrated with existing MDM systems and can be used to analyze large datasets quickly and accurately. The software also provides an intuitive interface that allows users to easily identify any discrepancies in the data. It also provides detailed reports that can be used to identify potential problems and take corrective action.
This revolutionary software has the potential to revolutionize the way organizations manage their master data. It can save time, money, and resources by ensuring the accuracy and consistency of master data. This software can also help organizations reduce the risk of data loss or corruption due to inaccurate or inconsistent data. I am confident that this software will be a valuable asset for any organization looking to improve their master data management processes.
Source de l’article sur DZONE