Original release date: February 17, 2021

Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.

These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts. As highlighted in FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks and Guidance on the North Korean Cyber Threat, North Korea’s state-sponsored cyber actors are targeting cryptocurrency exchanges and accounts to steal and launder hundreds of millions of dollars in cryptocurrency.[1][2][3] The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.

The U.S. Government has identified malware and indicators of compromise (IOCs) used by the North Korean government to facilitate cryptocurrency thefts; the cybersecurity community refers to this activity as “AppleJeus.” This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.

Refer to the following Malware Analysis Reports (MARs) for full technical details of AppleJeus malware and associated IOCs.

• MAR-10322463-1.v1: AppleJeus – Celas Trade Pro
• MAR-10322463-2.v1: AppleJeus – JMT Trading
• MAR-10322463-3.v1: AppleJeus – Union Crypto
• MAR-10322463-4.v1: AppleJeus – Kupay Wallet
• MAR-10322463-5.v1: AppleJeus – CoinGoTrade
• MAR-10322463-6.v1: AppleJeus – Dorusio
• MAR-10322463-7.v1: AppleJeus – Ants2Whale

Click here for a PDF version of this report.

Technical Details

The North Korean government has used multiple versions of AppleJeus since the malware was initially discovered in 2018. This section outlines seven of the versions below. The MARs listed above provide further technical details of these versions. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus; however, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques, to get users to download the malware.

Targeted Nations

HIDDEN COBRA actors have targeted institutions with AppleJeus malware in several sectors, including energy, finance, government, industry, technology, and telecommunications. Since January 2020, the threat actors have targeted these sectors in the following countries: Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Estonia, Germany, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malta, the Netherlands, New Zealand, Poland, Russia, Saudi Arabia, Singapore, Slovenia, South Korea, Spain, Sweden, Turkey, the United Kingdom, Ukraine, and the United States (figure 1).

 
Figure 1: Countries targeted with AppleJeus by HIDDEN COBRA threat actors since 2020

AppleJeus Versions Note

The version numbers used for headings in this document correspond to the order the AppleJeus campaigns were identified in open source or through other investigative means. These versions may or may not be in the correct order to develop or deploy the AppleJeus campaigns.

AppleJeus Version 1: Celas Trade Pro

Introduction and Infrastructure

In August 2018, open-source reporting disclosed information about a trojanized version of a legitimate cryptocurrency trading application on an undisclosed victim’s computer. The malicious program, known as Celas Trade Pro, was a modified version of the benign Q.T. Bitcoin Trader application. This incident led to the victim company being infected with a Remote Administration Tool (RAT) known as FALLCHILL, which was attributed to North Korea (HIDDEN COBRA) by the U.S. Government. FALLCHILL is a fully functional RAT with multiple commands that the adversary can issue from a command and control (C2) server to infected systems via various proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware (Develop Capabilities: Malware [T1587.001]). Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.[4]

Further research revealed that a phishing email from a Celas LLC company (Phishing: Spearphishing Link [T1566.002]) recommended the trojanized cryptocurrency trading application to victims. The email provided a link to the Celas’ website, celasllc[.]com (Acquire Infrastructure: Domain [T1583.001]), where the victim could download a Windows or macOS version of the trojanized application.

The celasllc[.]com domain resolved to the following Internet Protocol (IP) addresses from May 29, 2018, to January 23, 2021.

• 45.199.63[.]220
• 107.187.66[.]103
• 145.249.106[.]19
• 175.29.32[.]160
• 185.142.236[.]213
• 185.181.104[.]82
• 198.251.83[.]27
• 208.91.197[.]46
• 209.99.64[.]18

The celasllc[.]com domain had a valid Sectigo (previously known as Comodo) Secure Sockets Layer (SSL) certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Celas Trade Pro Application Analysis

Windows Program

The Windows version of the malicious Celas Trade Pro application is an MSI Installer (.msi). The MSI Installer installation package comprises a software component and an application programming interface (API) that Microsoft uses for the installation, maintenance, and removal of software. The installer looks legitimate and is signed by a valid Sectigo certificate that was purchased by the same user as the SSL certificate for celasllc[.]com (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002]).

Once permission is granted, the threat actor is able to run the program with elevated privileges (Abuse Elevation Control Mechanism [T1548]) and MSI executes the following actions.

• Installs CelasTradePro.exe in folder C:Program Files (x86)CelasTradePro
• Installs Updater.exe in folder C:Program Files (x86)CelasTradePro
• Runs Updater.exe with the CheckUpdate parameters

The CelasTradePro.exe program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

The Updater.exe program has the same program icon as CelasTradePro.exe. When run, it checks for the CheckUpdate parameter, collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer that has a disk image format that Apple commonly uses to distribute software over the internet. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). It has very similar functionality to the Windows version. The installer executes the following actions.

• Installs CelasTradePro in folder /Applications/CelasTradePro.app/Contents/MacOS/
• Installs Updater in folder /Applications/CelasTradePro.app/Contents/MacOS
• Executes a postinstall script
  • Moves .com.celastradepro.plist to folder LaunchDaemons
  • Runs Updater with the CheckUpdate parameter

CelasTradePro asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

Updater checks for the CheckUpdate parameter and, when found, it collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). This process helps the adversary obtain persistence on a victim’s network.

The postinstall script is a sequence of instructions that runs after successfully installing an application (Command and Scripting Interpreter: AppleScript [T1059.002]). This script moves property list (plist) file .com.celastradepro.plist from the installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd [T1053.004]). The leading “.” makes it unlisted in the Finder app or default Terminal directory listing (Hide Artifacts: Hidden Files and Directories [T1564.001]). Once in the folder, this property list (plist) file will launch the Updater program with the CheckUpdate parameter on system load as Root for every user. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches the Updater program with the CheckUpdate parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

After a cybersecurity company published a report detailing the above programs and their malicious extras, the website was no longer accessible. Since this site was the C2 server, the payload cannot be confirmed. The cybersecurity company that published the report states the payload was an encrypted and obfuscated binary (Obfuscated Files or Information [T1027]), which eventually drops FALLCHILL onto the machine and installs it as a service (Create or Modify System Process: Windows Service [T1543.003]). FALLCHILL malware uses an RC4 encryption algorithm with a 16-byte key to protect its communications (Encrypted Channel: Symmetric Cryptography [T1573.001]). The key employed in these versions has also been used in a previous version of FALLCHILL.[5][6]

For more details on AppleJeus Version 1: Celas Trade Pro, see MAR-10322463-1.v1.

AppleJeus Version 2: JMT Trading

Introduction and Infrastructure

In October 2019, a cybersecurity company identified a new version of the AppleJeus malware—JMT Trading—thanks to its many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which a legitimate-looking company, called JMT Trading, marketed and distributed on their website, jmttrading[.]org (Acquire Infrastructure: Domain [T1583.001]). This website contained a “Download from GitHub” button, which linked to JMT Trading’s GitHub page (Acquire Infrastructure: Web Services [T1583.006]), where Windows and macOS X versions of the JMT Trader application were available for download (Develop Capabilities: Malware [T1587.001]). The GitHub page also included .zip and tar.gz files containing the source code.

The jmttrading[.]org domain resolved to the following IP addresses from October 15, 2016, to January 22, 2021.

• 45.33.2[.]79
• 45.33.23[.]183
• 45.56.79[.]23
• 45.79.19[.]196
• 96.126.123[.]244
• 146.112.61[.]107
• 184.168.221[.]40
• 184.168.221[.]57
• 198.187.29[.]20
• 198.54.117[.]197
• 198.54.117[.]198
• 198.54.117[.]199
• 198.54.117[.]200
• 198.58.118[.]167

The jmttrading[.]org domain had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence. The current SSL certificate was issued by Let’s Encrypt.

JMT Trading Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is an MSI Installer. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for jmttrading[.]org (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002]).

Once permission is granted, the MSI executes the following actions.

• Installs JMTTrader.exe in folder C:Program Files (x86)JMTTrader
• Installs CrashReporter.exe in folder C:Users<username>AppDataRoamingJMTTrader
• Runs CrashReporter.exe with the Maintain parameter

The JMTTrader.exe program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to CelasTradePro.exe and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

The program CrashReporter.exe is heavily obfuscated with the ADVObfuscation library, renamed “snowman” (Obfuscated Files or Information [T1027]). When run, it checks for the Maintain parameter and collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). The program also creates a scheduled SYSTEM task, named JMTCrashReporter, which runs CrashReporter.exe with the Maintain parameter at any user’s login (Scheduled Task/Job: Scheduled Task [T1053.005]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

• Installs JMTTrader in folder /Applications/JMTTrader.app/Contents/MacOS/
• Installs .CrashReporter in folder /Applications/JMTTrader.app/Contents/Resources/
  • Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing.
• Executes a postinstall script
  • Moves .com.jmttrading.plist to folder LaunchDaemons
  • Changes the file permissions on the plist
  • Runs CrashReporter with the Maintain parameter
  • Moves .CrashReporter to folder /Library/JMTTrader/CrashReporter
  • Makes .CrashReporter executable

The JMTTrader program asks for the user’s exchange and loads a legitimate-looking cryptocurrency trading platform—very similar to CelasTradePro and the benign Q.T. Bitcoin Trader—that exhibits no signs of malicious activity.

The CrashReporter program checks for the Maintain parameter and is not obfuscated. This lack of obfuscation makes it easier to determine the program’s functionality in detail. When it finds the Maintain parameter, it collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]).

The postinstall script has similar functionality to the one used by CelasTradePro, but it has a few additional features (Command and Scripting Interpreter: AppleScript [T1059.002]). It moves the property list (plist) file .com.jmttrading.plist from the Installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd [T1053.004]), but also changes the file permissions on the plist file. Once in the folder, this property list (plist) file will launch the CrashReporter program with the Maintain parameter on system load as Root for every user. Also, the postinstall script moves the .CrashReporter program to a new location /Library/JMTTrader/CrashReporter and makes it executable. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CrashReporter with the Maintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

Soon after the cybersecurity company tweeted about JMT Trader on October 11, 2019, the files on GitHub were updated to clean, non-malicious installers. Then on October 13, 2019, a different cybersecurity company published an article detailing the macOS X JMT Trader, and soon after, the C2 beastgoc[.]com website went offline. There is not a confirmed sample of the payload to analyze at this point.

For more details on AppleJeus Version 2: JMT Trading, see MAR-10322463-2.v1.

AppleJeus Version 3: Union Crypto

Introduction and Infrastructure

In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. Again, the malware was in the form of a cryptocurrency trading application, which was marketed and distributed by a legitimate-looking company, called Union Crypto, on their website, unioncrypto[.]vip (Acquire Infrastructure: Domain [T1583.001]). Although this website is no longer available, a cybersecurity researcher discovered a download link, https://www.unioncrypto[.]vip/download/W6c2dq8By7luMhCmya2v97YeN, recorded on VirusTotal for the macOS X version of UnionCryptoTrader. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on an unnamed victim.[7]

The unioncrypto[.]vip domain resolved to the following IP addresses from June 5, 2019, to July 15, 2020.

• 104.168.167[.]16
• 198.54.117[.]197
• 198.54.117[.]198
• 198.54.117[.]199
• 198.54.117[.]200

The domain unioncrypto[.]vip had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Union Crypto Trader Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is a Windows executable (.exe) (User Execution: Malicious File [T1204.002]), which acts as an installer that extracts a temporary MSI Installer.

The Windows program executes the following actions.

• Extracts UnionCryptoTrader.msi to folder C:Users<username>AppDataLocalTemp{82E4B719-90F74BD1-9CF1-56CD777E0C42}
• Runs UnionCryptoUpdater.msi
  • Installs UnionCryptoTrader.exe in folder C:Program FilesUnionCryptoTrader
  • Installs UnionCryptoUpdater.exe in folder C:Users<username>AppDataLocalUnionCryptoTrader
• Deletes UnionCryptoUpdater.msi
• Runs UnionCryptoUpdater.exe

The program UnionCryptoTrader.exe loads a legitimate-looking cryptocurrency arbitrage application—defined as “the simultaneous buying and selling of securities, currency, or commodities in different markets or in derivative forms to take advantage of differing prices for the same asset”—which exhibits no signs of malicious activity. This application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.[8]

The program UnionCryptoUpdater.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it “Automatically installs updates for Union Crypto Trader.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in a string that is MD5 hashed and stored in the auth_signature variable before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

• Installs UnionCryptoTrader in folder /Applications/UnionCryptoTrader.app/Contents/MacOS/
• Installs .unioncryptoupdater in folder /Applications/UnionCryptoTrader.app/Contents/Resources/
  • Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing
• Executes a postinstall script
  • Moves .vip.unioncrypto.plist to folder LaunchDaemons
  • Changes the file permissions on the plist to Root
  • Runs unioncryptoupdater
  • Moves .unioncryptoupdater to folder /Library/UnionCrypto/unioncryptoupdater
  • Makes .unioncryptoupdater executable

The UnionCryptoTrader program loads a legitimate-looking cryptocurrency arbitrage application, which exhibits no signs of malicious activity. The application is very similar to another cryptocurrency arbitrage application known as Blackbird Bitcoin Arbitrage.

The .unioncryptoupdater program is signed ad-hoc, meaning it is not signed with a valid code-signing identity. When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in a string that is MD5 hashed and stored in the auth_signature variable before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

The postinstall script has similar functionality to the one used by JMT Trading (Command and Scripting Interpreter: AppleScript [T1059.002]). It moves the property list (plist) file .vip.unioncrypto.plist from the Installer package to the LaunchDaemons folder (Scheduled Task/Job: Launchd [T1053.004]), but also changes the file permissions on the plist file to Root. Once in the folder, this property list (plist) file will launch the .unioncryptoupdater on system load as Root for every user. The postinstall script moves the .unioncryptoupdater program to a new location /Library/UnionCrypto/unioncryptoupdater and makes it executable. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches .unioncryptoupdater and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The payload for the Windows malware is a Windows Dynamic-Link-Library. UnionCryptoUpdater.exe does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware.

The macOS X malware’s payload could not be downloaded, as the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the macOS X payload. The macOS X payload is likely similar in functionality to the Windows stage 2 detailed above.

For more details on AppleJeus Version 3: Union Crypto, see MAR-10322463-3.v1.

Commonalities between Celas Trade Pro, JMT Trading, and Union Crypto

Hardcoded Values

In each AppleJeus version, there are hardcoded values used for encryption or to create a signature when combined with the time (table 1).

Table 1: AppleJeus hardcoded values and uses

The Union Crypto Trader and Celas LLC (XOR) values are 16 bytes in length. For JMT Trader, the first 16 bytes of the Windows and macOS X values are identical, and the additional bytes are in a time format for the Windows sample. The structure of a 16-byte value combined with the time is also used in Union Crypto Trader to create the auth_signature.

As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples.

Open-Source Cryptocurrency Applications

All three AppleJeus samples are bundled with modified copies of legitimate cryptocurrency applications and can be used as originally designed to trade cryptocurrency. Both Celas LLC and JMT Trader modified the same cryptocurrency application, Q.T. Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage application.

Postinstall Scripts, Property List Files, and LaunchDaemons

The macOS X samples of all three AppleJeus versions contain postinstall scripts with similar logic. The Celas LLC postinstall script only moves the plist file to a new location and launches Updater with the CheckUpdate parameter in the background. The JMT Trader and Union Crypto Trader also perform these actions and have identical functionality. The additional actions performed by both postinstall scripts are to change the file permissions on the plist, make a new directory in the /Library folder, move CrashReporter or UnionCryptoUpdater to the newly created folder, and make them executable.

The plist files for all three AppleJeus files have identical functionality. They only differ in the files’ names and one default comment that was not removed from the Celas LLC plist. As the logic and functionality of the postinstall scripts and plist files are almost identical, the LaunchDaemons created also function the same.

They will all launch the secondary executable as Root on system load for every user.

AppleJeus Version 4: Kupay Wallet

Introduction and Infrastructure

On March 13, 2020, a new version of the AppleJeus malware was identified. The malware was marketed and distributed by a legitimate-looking company, called Kupay Wallet, on their website kupaywallet[.]com (Acquire Infrastructure: Domain [T1583.001]).

The domain www.kupaywallet[.]com resolved to IP address 104.200.67[.]96 from March 20, 2020, to January 16, 2021. CrownCloud US, LLC controlled the IP address (autonomous system number [ASN] 8100), and is located in New York, NY.

The domain www.kupaywallet[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Kupay Wallet Application Analysis

Windows Program

The Windows version of the malicious cryptocurrency application is an MSI Installer. The MSI executes the following actions.

• Installs Kupay.exe in folder C:Program Files (x86)Kupay
• Installs KupayUpgrade.exe in folder C:Users<username>AppDataRoamingKupaySupport
• Runs KupayUpgrade.exe

The program Kupay.exe loads a legitimate-looking cryptocurrency wallet platform, which exhibits no signs of malicious activity and is very similar to an open-source platform known as Copay, distributed by Atlanta-based company BitPay.

The program KupayUpgrade.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it is an “Automatic Kupay Upgrade.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

• Installs Kupay in folder /Applications/Kupay.app/Contents/MacOS/
• Installs kupay_upgrade in folder /Applications/Kupay.app/Contents/MacOS/
• Executes a postinstall script
  • Creates KupayDaemon folder in /Library/Application Support folder
  • Moves kupay_upgrade to the new folder
  • Moves com.kupay.pkg.wallet.plist to folder /Library/LaunchDaemons/
  • Runs the command launchctl load to load the plist without a restart
  • Runs kupay_upgrade in the background

Kupay is likely a copy of an open-source cryptocurrency wallet application, loads a legitimate-looking wallet program (fully functional), and its functionality is identical to the Windows Kupay.exe program.

The kupay_upgrade program calls its function CheckUpdate (which contains most of the logic functionality of the malware) and sends a POST to the C2 server with a connection named “Kupay Wallet 9.0.1 (Check Update Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder /private/tmp/kupay_update with permissions set by the command chmod 700 (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and the malware, kupay_upgrade, returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The postinstall script has similar functionality to other AppleJeus scripts (Command and Scripting Interpreter: AppleScript [T1059.002]). It creates the KupayDaemon folder in /Library/Application Support folder and then moves kupay_upgrade to the new folder. It moves the property list (plist) file com.kupay.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]). The script runs the command launchctl load to load the plist without a restart (Command and Scripting Interpreter [T1059]). But, since the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches kupay_upgrade and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The Windows malware’s payload could not be downloaded since the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.

The stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc.

For more details on AppleJeus Version 4: Kupay Wallet, see MAR-10322463-4.v1.

AppleJeus Version 5: CoinGoTrade

Introduction and Infrastructure

In early 2020, another version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called CoinGoTrade on their website coingotrade[.]com (Acquire Infrastructure: Domain [T1583.001]).

The domain CoinGoTrade[.]com resolved to IP address 198.54.114[.]175 from February 28, 2020, to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN for Dorusio[.]com and Ants2Whale[.]com.

The domain CoinGoTrade[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

CoinGoTrade Application Analysis

Windows Program

The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and will execute the following actions.

• Installs CoinGoTrade.exe in folder C:Program Files (x86)CoinGoTrade
• Installs CoinGoTradeUpdate.exe in folder C:Users<username>AppDataRoamingCoinGoTradeSupport
• Runs CoinGoTradeUpdate.exe

CoinGoTrade.exe loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

CoinGoTradeUpdate.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it is an “Automatic CoinGoTrade Upgrade.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

• Installs CoinGoTrade in folder /Applications/CoinGoTrade.app/Contents/MacOS/
• Installs CoinGoTradeUpgradeDaemon in folder /Applications/CoinGoTrade.app/Contents/MacOS/
• Executes a postinstall script
  • Creates CoinGoTradeService folder in /Library/Application Support folder
  • Moves CoinGoTradeUpgradeDaemon to the new folder
  • Moves com.coingotrade.pkg.product.plist to folder /Library/LaunchDaemons/
  • Runs CoinGoTradeUpgradeDaemon in the background

The CoinGoTrade program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking, fully functional wallet program).

The CoinGoTradeUpgradeDaemon program calls its function CheckUpdate (which contains most of the logic functionality of the malware) and sends a POST to the C2 server with a connection named “CoinGoTrade 1.0 (Check Update Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder /private/tmp/updatecoingotrade with permissions set by the command chmod 700 (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and the malware, CoinGoTradeUpgradeDaemon, returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The postinstall script has similar functionality to the other scripts (Command and Scripting Interpreter: AppleScript [T1059.002]) and installs CoinGoTrade and CoinGoTradeUpgradeDaemon in folder /Applications/CoinGoTrade.app/Contents/MacOS/. It moves the property list (plist) file com.coingotrade.pkg.product.plist to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]). Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CoinGoTradeUpgradeDaemon and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

The Windows malware’s payload could not be downloaded because the C2 server is no longer accessible. Additionally, none of the open-source reporting for this sample contained copies of the payload. The Windows payload is likely similar in functionality to the macOS X stage 2 detailed below.

The stage 2 payload for the macOS X malware was no longer available from the specified download URL. Still, a file was submitted to VirusTotal by the same user on the same date as the macOS X CoinGoTradeUpgradeDaemon. These clues suggest that the submitted file may be related to the macOS X version of the malware and the downloaded payload.

The file prtspool is a 64-bit Mach-O executable with a large variety of features that have all been confirmed as functionality. The file has three C2 URLs hardcoded into the file and communicates to these with HTTP POST multipart-form data boundary string. Like other HIDDEN COBRA malware, prtspool uses format strings to store data collected about the system and sends it to the C2s.

For more details on AppleJeus Version 5: CoinGoTrade, see MAR-10322463-5.v1.

AppleJeus Version 6: Dorusio

Introduction and Infrastructure

In March 2020, an additional version of the AppleJeus malware was identified. This time the malware was marketed and distributed by a legitimate-looking company called Dorusio on their website, dorusio[.]com (Acquire Infrastructure: Domain [T1583.001]). Researchers collected samples for Windows and macOS X versions of the Dorusio Wallet (Develop Capabilities: Malware [T1587.001]). As of at least early 2020, the actual download links result in 404 errors. The download page has release notes with version revisions claiming to start with version 1.0.0, released on April 15, 2019.

The domain dorusio[.]com resolved to IP address 198.54.115[.]51 from March 30, 2020 to January 23, 2021. The IP address is controlled by NameCheap Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN for CoinGoTrade[.]com and Ants2Whale[.]com.

The domain dorusio[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Dorusio Application Analysis

Windows Program

The Windows version of the malicious application is an MSI Installer. The installer appears to be legitimate and will install the following two programs.

• Installs Dorusio.exe in folder C:Program Files (x86)Dorusio
• Installs DorusioUpgrade.exe in folder C:Users<username>AppDataRoamingDorusioSupport
• Runs DorusioUpgrade.exe

The program, Dorusio.exe, loads a legitimate-looking cryptocurrency wallet platform with no signs of malicious activity and is a copy of an open-source cryptocurrency application.

The program DorusioUpgrade.exe first installs itself as a service (Create or Modify System Process: Windows Service [T1543.003]), which will automatically start when any user logs on (Boot or Logon Autostart Execution [T1547]). The service is installed with a description stating it “Automatic Dorusio Upgrade.” When launched, it collects the victim’s host information (System Owner/User Discovery [T1033]), combines the information in strings before exfiltration, and sends it to a C2 website (Exfiltration Over C2 Channel [T1041]).

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

• Installs Dorusio in folder /Applications/Dorusio.app/Contents/MacOS/
• Installs Dorusio_upgrade in folder /Applications/Dorusio.app/Contents/MacOS/
• Executes a postinstall script
  • Creates DorusioDaemon folder in /Library/Application Support folder
  • Moves Dorusio_upgrade to the new folder
  • Moves com.dorusio.pkg.wallet.plist to folder /Library/LaunchDaemons/
  • Runs Dorusio_upgrade in the background

The Dorusio program is likely a copy of an open-source cryptocurrency wallet application and loads a legitimate-looking wallet program (fully functional). Aside from the Dorusio logo and two new services, the wallet appears to be the same as the Kupay Wallet. This application seems to be a modification of the open-source cryptocurrency wallet Copay distributed by Atlanta-based company BitPay.

The Dorusio_upgrade program calls its function CheckUpdate (which contains most of the logic functionality of the malware) and sends a POST to the C2 server with a connection named “Dorusio Wallet 2.1.0 (Check Update Osx)” (Application Layer Protocol: Web Protocols [T1071.001]). If the C2 server returns a file, it is decoded and written to the victim’s folder /private/tmp/Dorusio_update with permissions set by the command chmod 700 (only the user can read, write, and execute) (Command and Scripting Interpreter [T1059]). Stage 2 is then launched, and the malware, Dorusio_upgrade, returns to sleeping and checking in with the C2 server at predetermined intervals (Application Layer Protocol: Web Protocols [T1071.001]).

The postinstall script has similar functionality to other AppleJeus scripts (Command and Scripting Interpreter: AppleScript [T1059.002]). It creates the DorusioDaemon folder in /Library/Application Support folder and then moves Dorusio_upgrade to the new folder. It moves the property list (plist) file com.dorusio.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]). Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches Dorusio_upgrade and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004]).

Payload

Neither the payload for the Windows nor macOS X malware could be downloaded; the C2 server is no longer accessible. The payloads are likely similar in functionality to the macOS X stage 2 from CoinGoTrade and Kupay Wallet, or the Windows stage 2 from Union Crypto.

For more details on AppleJeus Version 6: Dorusio, see MAR-10322463-6.v1.

AppleJeus 4, 5, and 6 Installation Conflictions

If a user attempts to install the Kupay Wallet, CoinGoTrade, and Dorusio applications on the same system, they will encounter installation conflicts.

If Kupay Wallet is already installed on a system and the user tries to install CoinGoTrade or Dorusio:

• Pop-up windows appear, stating a more recent version of the program is already installed.

If CoinGoTrade is already installed on a system and the user attempts to install Kupay Wallet:

• Kupay.exe will be installed in the C:Program Files (x86)CoinGoTrade folder.
• All CoinGoTrade files will be deleted.
• The folders and files contained in the C:Users<username>AppDataRoamingCoinGoTradeSupport will remain installed.
• KupayUpgrade.exe is installed in the new folder C:Users<username>AppDataRoamingKupaySupport.

If Dorusio is already installed on a system and the user attempts to install Kupay Wallet:

• Kupay.exe will be installed in the C:Program Files (x86)Dorusio folder.
• All Dorusio.exe files will be deleted.
• The folders and files contained in C:Users<username>AppDataRoamingDorusioSupport will remain installed.
• KupayUpgrade.exe is installed in the new folder C:Users<username>AppDataRoamingKupaySupport.

AppleJeus Version 7: Ants2Whale

Introduction and Infrastructure

In late 2020, a new version of AppleJeus was identified called “Ants2Whale.” The site for this version of AppleJeus is ants2whale[.]com (Acquire Infrastructure: Domain [T1583.001]). The website shows a legitimate-looking cryptocurrency company and application. The website contains multiple spelling and grammar mistakes indicating the creator may not have English as a first language. The website states that to download Ants2Whale, a user must contact the administrator, as their product is a “premium package” (Develop Capabilities: Malware [T1587.001]).

The domain ants2whale[.]com resolved to IP address 198.54.114[.]237 from September 23, 2020, to January 22, 2021. The IP address is controlled by NameCheap, Inc. (ASN 22612) and is located in Atlanta, GA. This IP address is in the same ASN for CoinGoTrade[.]com and Dorusio[.]com.

The domain ants2whale[.]com had a valid Sectigo SSL certificate (Obtain Capabilities: Digital Certificates [T1588.004]). The SSL certificate was “Domain Control Validated,” a weak security verification level that does not require validation of the owner’s identity or the actual business’s existence.

Ants2Whale Application Analysis

Windows Program

As of late 2020, the Windows program was not available on VirusTotal. It is likely very similar to the macOS X version detailed below.

macOS X Program

The macOS version of the malicious application is a DMG Installer. The installer looks legitimate and has very similar functionality to the Windows version, but it does not have a digital certificate and will warn the user of that before installation. The installer executes the following actions.

• Installs Ants2Whale in folder /Applications/Ants2whale.app/Contents/MacOS/Ants2whale
• Installs Ants2WhaleHelper in folder /Library/Application Support/Ants2WhaleSupport/
• Executes a postinstall script
  • Moves com.Ants2whale.pkg.wallet.plist to folder /Library/LaunchDaemons/
  • Runs Ants2WhaleHelper in the background

The Ants2Whale and Ants2WhaleHelper programs and the postinstall script function almost identically to previous versions of AppleJeus and will not be discussed in depth in this advisory.

For more details on AppleJeus Version 7: Ants2Whale, see MAR-10322463-7.v1.

ATT&CK Profile

Figure 2 and table 2 provide summaries of the MITRE ATT&CK techniques observed.

Figure 2: MITRE ATT&CK enterprise techniques used by AppleJeus

Table 2: MITRE ATT&CK techniques observed

Mitigations

Compromise Mitigations

Organizations that identify AppleJeus malware within their networks should take immediate action. Initial actions should include the following steps.

• Contact the FBI, CISA, or Treasury immediately regarding any identified activity related to AppleJeus. (Refer to the Contact Information section below.)
• Initiate your organization’s incident response plan.
• Generate new keys for wallets, and/or move to new wallets.
• Introduce a two-factor authentication solution as an extra layer of verification.  
• Use hardware wallets, which keep the private keys in a separate, secured storage area.
• To move funds out off a compromised wallet:
  • Do not use the malware listed in this advisory to transfer funds, and  
  • Form all transactions offline and then broadcast them to the network all at once in a short online session, ideally prior to the attacker accessing them.
• Remove impacted hosts from network.
• Assume the threat actors have moved laterally within the network and downloaded additional malware.
• Change all passwords to any accounts associated with impacted hosts.
• Reimage impacted host(s).  
• Install anti-virus software to run daily deep scans of the host.
• Ensure your anti-virus software is setup to download the latest signatures daily.
• Install a Host Based Intrusion Detection (HIDS)-based software and keep it up to date.
• Ensure all software and hardware is up to date, and all patches have been installed.
• Ensure network-based firewall is installed and/or up to date.
• Ensure the firewall’s firmware is up to date.

Pro-Active Mitigations

Consider the following recommendations for defense against AppleJeus malware and related activity.

Cryptocurrency Users

• Verify source of cryptocurrency-related applications.
• Use multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.
• Use custodial accounts with multi-factor authentication mechanisms for both user and device verification.
• Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.
• Consider having a dedicated device for cryptocurrency management.

Financial Service Companies

• Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks at https://ithandbook.ffiec.gov, especially those related to information security.
• Report suspicious cyber and financial activities. For more information on mandatory and voluntary reporting of cyber events via suspicious activity reports, see the Financial Crimes Enforcement Network (FinCEN) Advisory FIN-2016-A005: Advisory to Financial Institutions on Cyber- Events and Cyber-Enabled Crime at https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf and FinCEN’s Section 314(b) Fact Sheet at https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf.

Cryptocurrency Businesses

• Verify compliance with the Cryptocurrency Security Standard at http://cryptoconsortium.github.io/CCSS/.

All Organizations

• Incorporate IOCs identified in CISA’s Malware Analysis Reports on https://us-cert.cisa.gov/northkorea into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.
• See table 3 below, which provides a summary of preventative ATT&CK mitigations based on observed techniques.

Table 3: MITRE ATT&CK mitigations based on observed techniques

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

• The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office,
• CISA (888-282-0870 or Central@cisa.dhs.gov), or
• Treasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000 or OCCIP-Coord@treasury.gov).

References

• [1] CISA Alert AA20-239A: FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks
• [2] Department of the Treasury Press Release: Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group
• [3] Department of Justice Press Release: Two Chinese Nationals Charged with Laundering Over $100 Million in Cryptocurrency From Exchange Hack
• [4] CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
• [5] CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
• [6] MITRE ATT&CK Software: FALLCHILL
• [7] SecureList: Operation AppleJeus Sequel
• [8] GitHub: Blackbird Bitcoin Arbitrage

Revisions

• February 17, 2021: Initial Version

Source de l’article sur us-cert.gov

Original release date: January 8, 2021

Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:

• Compromising or bypassing federated identity solutions;
• Using forged authentication tokens to move laterally to Microsoft cloud environments; and
• Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

Technical Details

Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[1] However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.

CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement [TA0008]).

The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]).

This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

Mitigations

Detection

Guidance on identifying affected SolarWinds software is well documented.[2] However—once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics.

The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors. Microsoft’s O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[3]

Detection Tools

CISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA.

There are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[4] Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:

• CISA’s Sparrow,
• Open-source utility Hawk, and
• CrowdStrike’s Azure Reporting Tool (CRT).

Additionally, Microsoft’s Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.

Note: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.

General Guidance on Using Detection Tools

1. Audit the creation and use of service principal credentials. Look for unusual application usage, such as use of dormant applications.
2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships added to the Azure Active Directory.
3. Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.

Sparrow

CISA created Sparrow to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.

CISA advises Sparrow users to take the following actions.

1. Use Sparrow to detect any recent domain authentication or federation modifications.
   1. Domain and federation modification operations are uncommon and should be investigated.
2. Examine logs for new and modified credentials applied to applications and service principals; delineate for the credential type. Sparrow can be used to detect the modification of service principals and application credentials.
   1. Create a timeline for all credential changes, focusing on recent wholesale changes.
   2. Review the “top actors” for activity in the environment and the number of credential modifications performed.
   3. Monitor changes in application and service principal credentials.
   4. Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
3. Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.
4. Use Sparrow to detect OAuth consent and users’ consent to applications, which is useful for interpreting changes in adversary TTPs.
5. Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a potential indicator for forged SAML tokens.
   1. Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.
6. Review the PowerShell logs that Sparrow exports.
   1. Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.
   2. Review PowerShell usage for users with PowerShell in the environment.
7. Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD.
   1. Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy https://graph.windows.net/ or https://graph.microsoft.com). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.
8. Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.
9. For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using the app id investigation capability, which will check to see if it is accessing mail or file items.
   1. The MailItemsAccessed event provides audibility for mailbox data accessed via mail protocols or clients.
   2. By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[5]
   3. The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.
   4. Check for changes to applications with regards to the accessing of resources such as mail or file items.

Hawk

Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.

Hawk users should review login details for administrator accounts and take the following steps.

1.  Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).
2. Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes.
   1. PowerShell logging does not reveal the exact cmdlet that was run on the tenant.
3. Look for users with unusual sign-in locations, dates, and times.
4. Check permissions of service principals and applications in M365/Azure AD.
5. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items.
6. Review mailbox rules and recent mailbox rule changes.

CrowdStrike Azure Reporting Tool

CrowdStrike’s Azure Reporting Tool (CRT) can help network defenders analyze their Microsoft Azure AD and M365 environment to help organizations analyze permissions in their Azure AD tenant and service configuration. This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.

Detection Tool Distinctions

• Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.
• CRT focuses on the tenant’s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk.
• CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk.
• As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks.
• CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains.
• Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials.

Detection Methods

Microsoft breaks the threat actor’s recent activity into four primary stages, which are described below along with associated detection methods. Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[6]

Note: this step provides an entry vector to cloud technology environments, and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud(e.g., without leveraging the SolarWinds Orion vulnerability).

Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider

These attacks (often referred to as “Golden Security Assertion Markup Language” attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[7] For example, network defenders can use OAuth claims for specific principals made at the Azure AD level and compare them to the on-premises identity.

Export sign-in logs from the Azure AD portal and look at the Authentication Method field.

Note: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). Without Sentinel, this is the only way to get these logs, which are critical for this effort.

Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers

Using SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769, 1200, and 1202 in the domain.

Detection Method 2: Identifying certificate export events in ADFS

Look for:

1. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.
2. Export-PfxCertificate or certutil-exportPFX in Event IDs 4103 and 4104, which may include detection of a certificate extraction technique.
3. Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name microsoft##widtsqlquery (exclude processes regularly making this pipe connection on the machine).
4. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event).

Detection Method 3: Customizing SAML response to identify irregular access

This method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[8]

Detection Method 4: Detecting malicious ADFS trust modification

A threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[9]
Network defenders should look for:

1. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.)
   1. Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain.
2. Possible activity of an interrogating ADFS host by using ADFS PowerShell plugins. Look for changes in the federation trust environment that would indicate new ADFS sources.

Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as Azure AD (establishing a foothold)

After the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).

The threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged Azure AD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).

Network defenders should take the following steps.

1. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials.
   1. Look for unusual application usage, such as dormant or forgotten applications being used again.
   2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.
2. Look for unexpected trust relationships that have been added to Azure AD. (Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.).[10]
3. Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.
4. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times.
5. Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor’s attempts to gain persistence.

Stage 3: Acquiring an OAuth access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application

In some cases, the threat actor has been observed adding permissions to existing applications or service principals. Additionally the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a credential to another service principal, and then deleting it).[11]

Network defenders should use Sparrow to:

1. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times.
2. Create a timeline for all credential changes.
3. Monitor changes in application credentials (the script will export into csv named AppUpdate_Operations_Export).
4. Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions).
   1. Export and view this activity via the ServicePrincipal_Operations_Export.
5. Record OAuth consent and consent to applications
   1. Export and view this record via the Consent_Operations_Export file.
6. Investigate instances of excessive high permissions, including, but not limited to Exchange Online, Microsoft Graph, and Azure AD Graph.
   1. Review Microsoft Graph API permissions granted to service principals.
   2. Export and view this activity via the ApplicationGraphPermissions csv file.
      1. Note: Hawk can also return the full list of service principal permissions for further investigation.
   3. Review top actors and the amount of credential modifications performed.
   4. Monitor changes in application credentials.
7. Identify manipulation of custom or third-party applications.
   1. Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts.
8. Review modifications to federation trust settings.
   1. Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor.
      1. The script detects the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. Export this data into csv called AppRoleAssignment_Operations_Export.

Stage 4: Once access has been established, the threat actor Uses Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications).

Network defenders should:

1. In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used (requires G5 or E5 license for this specific detail).
2. Query the specific application ID, using the Sparrow script’s app ID investigation capability to interrogate mail and file items accessed for that applicationID (Use the application ID utility for any other suspicious apps that require additional analysis.).
3. Check the permissions of an application in M365/Azure AD using Sparrow.
   1. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.
   2. Network defenders will see the IP address that Graph API uses.
   3. Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint.
4. Investigate a specific service principal, if it is a user-specific user account, in Hawk. This activity is challenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in portal.

Microsoft Telemetry Nuances

The existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.

Service principal logging is available using the Azure Portal via the « Service Principal Sign-ins » feature. Enable settings in the Azure Portal (see “Diagnostic Setting”) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[12] These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.

Global Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel. According to CrowdStrike, « There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible. »[13]

Documentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources.

The use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context.

A properly configured SIEM can provide:

1. Longer term storage of log data.
2. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information.
3. Ability to query use of application connectors in Azure.

Built-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[14] However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.

Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

• 1-888-282-0870 (From outside the United States: +1-703-235-8832)
• central@cisa.dhs.gov (UNCLASS)
• us-cert@dhs.sgov.gov (SIPRNET)
• us-cert@dhs.ic.gov (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.

Resources

Azure Active Directory Workbook to Assess Solorigate Risk: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718

Volexity – Dark Halo Leverages SolarWinds Compromise to Breach Organizations: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

How to Find Activity with Sentinel: https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/

Third-Party Walkthrough of the Attack: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/

National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF

Microsoft 365 App for Splunk: https://splunkbase.splunk.com/app/3786/

CISA Remediation Guidance: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Feedback

CISA strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.cisa.gov/forms/feedback.

References

• [1] ZDNet: A Second Hacking Group has Targeted SolarWinds Systems
• [2] CISA: Supply Chain Compromise
• [3] Microsoft SolarWinds Post-Compromise Hunting with Azure Sentinel
• [4] Microsoft Solorigate Resource Center
• [5] Advanced Audit in Microsoft 365
• [6] Microsoft: Understanding “Solorigate’s” Identity IOCs
• [7] Detection and Hunting of Golden SAML Attack:
• [8] Ibid
• [9] Ibid
• [10] Microsoft: AADServicePrincipalSignInLogs
• [11] Microsoft: Understanding “Solorigate’s” Identity IOCs
• [12] Azure Active Directory Sign-in Activity Reports
• [13] CrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
• [14] Microsoft 365 App for Splunk

Revisions

• Initial version: January 8, 2021

Source de l’article sur us-cert.gov

Original release date: December 1, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&amp;CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[<a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">1</a>] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.</p> <p>APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.</p> <p>Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h4>ATT&amp;CK Profile</h4> <p>CISA created the following MITRE ATT&amp;CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.</p> <ul> <li><em><strong>Initial Access</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0001">TA0001</a>] <ul> <li><i>Valid Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/">T1078</a>]</li> <li><i>Valid Accounts: Cloud Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/004/">T1078.004</a>]</li> <li><i>External Remote Services </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1133/">T1133</a>]</li> <li><i>Drive-by Compromise</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1189">T1189</a>]</li> <li><i>Exploit Public-Facing Application</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190">T1190</a>] <ul> <li><i>Supply Chain Compromise: Compromise Software Supply Chain</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1195/002">T1195.002</a>]</li> <li><i>Trusted Relationship</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1199">T1199</a>]</li> <li><i>Phishing: Spearphishing Attachment</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001">T1566.001</a>]</li> <li><i>Phishing: Spearphishing Link</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002">T1566.002</a>]</li> <li><i>Phishing: Spearphishing via Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/003">T1566.003</a>]</li> </ul> </li> </ul> </li> <li><i><em><strong>Execution</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0002">TA0002</a>] <ul> <li><i>Windows Management Instrumentation </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1047">T1047</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Command and Scripting Interpreter: PowerShell </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001">T1059.001</a>]</li> <li><i>Command and Scripting Interpreter: Windows Command Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003">T1059.003</a>]</li> <li><i>Command and Scripting Interpreter: Unix Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/004">T1059.004</a>]</li> <li><i>Command and Scripting Interpreter: Visual Basic </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/005">T1059.005</a>]</li> <li><i>Command and Scripting Interpreter: Python </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/006">T1059.006</a>]</li> <li><i>Native API </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1106">T1106</a>]</li> <li><i>Exploitation for Client Execution</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1203">T1203</a>]</li> <li><i>User Execution: Malicious Link </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1204/001">T1204.001</a>]</li> <li><i>User Execution: Malicious File</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1204/002">T1204.002</a>]</li> <li><i>Inter-Process Communication: Dynamic Data Exchange </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1559/002/">T1559.002</a>]</li> <li><i>System Services: Service Execution </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1569/002">T1569.002</a>]</li> </ul> </li> <li><i><em><strong>Persistence</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003">TA0003</a>] <ul> <li><i>Boot or Logon Initialization Scripts: Logon Script (Windows)</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1037/001">T1037.001</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Account Manipulation: Exchange Email Delegate Permissions </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1098/002">T1098.002</a>]</li> <li><i>Create Account: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1136/001">T1136.001</a>]</li> <li><i>Office Application Startup: Office Test </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1137/002">T1137.002</a>]</li> <li><i>Office Application Startup: Outlook Home Page</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1137/004">T1137.004</a>]</li> <li><i>Browser Extensions</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1176">T1176</a>]</li> <li><i>BITS Jobs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1197/">T1197</a>]</li> <li><i>Server Software Component: Web Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1505/003">T1505.003</a>]</li> <li><i>Pre-OS Boot: Bootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1542/003/">T1542.003</a>]</li> <li><i>Create or Modify System Process: Windows Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1543/003">T1543.003</a>]</li> <li><i>Event Triggered Execution: Change Default File Association</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/001">T1546.001</a>]</li> <li><i>Event Triggered Execution: Windows Management Instrumentation Event Subscription </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/003">T1546.003</a>]</li> <li><i>Event Triggered Execution: Accessibility Features</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Event Triggered Execution: Component Object Model Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/015">T1546.015</a>]</li> <li><i>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001">T1547.001</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> </ul> </li> <li><i><em><strong>Privilege Escalation</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0004">TA0004</a>] <ul> <li><i>Process Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055">T1055</a>]</li> <li><i>Process Injection: Process Hollowing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/012">T1055.012</a>]</li> <li><i>Exploitation for Privilege Escalation</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1068">T1068</a>]</li> <li><i>Access Token Manipulation: Token Impersonation/Theft</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1134/001">T1134.001</a>]</li> <li><i>Event Triggered Execution: Accessibility Features </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Hijack Execution Flow: DLL Side-Loading</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1574/002">T1574.002</a>]</li> </ul> </li> <li><i><em><strong>Defense Evasion</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0005">TA0005</a>] <ul> <li><i>Rootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1014">T1014</a>]</li> <li><i>Obfuscated Files or Information: Binary Padding </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/001">T1027.001</a>]</li> <li><i>Obfuscated Files or Information: Software Packing </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/002">T1027.002</a>]</li> <li><i>Obfuscated Files or Information: Steganography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/003">T1027.003</a>]</li> <li><i>Obfuscated Files or Information: Indicator Removal from Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/005">T1027.005</a>]</li> <li><i>Masquerading: Match Legitimate Name or Location</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1036/005">T1036.005</a>]</li> <li><i>Indicator Removal on Host: Clear Windows Event Logs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/001">T1070.001</a>]</li> <li><i>Indicator Removal on Host: Clear Command History</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/003">1070.003</a>]</li> <li><i>Indicator Removal on Host: File Deletion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/004">T1070.004</a>]</li> <li><i>Indicator Removal on Host: Timestomp</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/006">T1070.006</a>]</li> <li><i>Modify Registry</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1112">T1112</a>]</li> <li><i>Deobfuscate/Decode Files or Information </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1140">T1140</a>]</li> <li><i>Exploitation for Defense Evasion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1211">T1211</a>]</li> <li><i>Signed Binary Proxy Execution: Compiled HTML File</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/001">T1218.001</a>]</li> <li><i><em>Signed Binary Proxy Execution: Mshta</em></i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/005">T1218.005</a>]</li> <li><i>Signed Binary Proxy Execution:<em> Rundll32 </em></i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1218/011">T1218.011</a>]</li> <li><i>Template Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1221">T1221</a>]</li> <li><i>Execution Guardrails: Environmental Keying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1480/001">T1480.001</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Use Alternate Authentication Material: Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/001">T1550.001</a>]</li> <li><i>Subvert Trust Controls: Code Signing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1553/002">T1553.002</a>]</li> <li><i>Impair Defenses: Disable or Modify Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/001">T1562.001</a>]</li> <li><i>Impair Defenses: Disable or Modify System Firewall</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/004">T1562.004</a>]</li> <li><i>Hide Artifacts: Hidden Files and Directories </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1564/001">T1564.001</a>]</li> <li><i>Hide Artifacts: Hidden Window</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1564/003">T1564.003</a>]</li> </ul> </li> <li><i><em><strong>Credential Access</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0006">TA0006</a>] <ul> <li><i>OS Credential Dumping: LSASS Memory</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/001">T1003.001</a>]</li> <li><i>OS Credential Dumping: Security Account Manager </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1003/002">T1003.002</a>]</li> <li><i>OS Credential Dumping: NTDS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/003">T1003.003</a>]</li> <li><i>OS Credential Dumping: LSA Secrets</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/004">T1003.004</a>]</li> <li><i>OS Credential Dumping: Cached Domain Credentials</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/005">T1003.005</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Input Capture: Keylogging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001">T1056.001</a>]</li> <li><i>Brute Force: Password Cracking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/002">T1110.002</a>]<i>Brute Force: Password Spraying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/003">T1110.003</a>]</li> <li><i>Forced Authentication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1187">T1187</a>]</li> <li><i>Steal Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1528">T1528</a>]</li> <li><i>Unsecured Credentials: Credentials in Files</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/001">T1552.001</a>]</li> <li><i>Unsecured Credentials: Group Policy Preferences</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/006">T1552.006</a>]</li> <li><i>Credentials from Password Stores: Credentials from Web Browsers</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003">T1555.003</a>]</li> </ul> </li> <li><i><em><strong>Discovery</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0007">TA0007</a>] <ul> <li><i>System Service Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1007">T1007</a>]</li> <li><i>Query Registry</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1012">T1012</a>]</li> <li><i>System Network Configuration Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1016">T1016</a>]</li> <li><i>Remote System Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1018">T1018</a>]</li> <li><i>System Owner/User Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1033">T1033</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Network Service Scanning</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1046">T1046</a>]</li> <li><i>System Network Connections Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1049">T1049</a>]</li> <li><i>Process Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1057">T1057</a>]</li> <li><i>Permission Groups Discovery: Local Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/001">T1069.001</a>]</li> <li><i>Permission Groups Discovery: Domain Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/002">T1069.002</a>]</li> <li><i>System Information Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1082">T1082</a>]</li> <li><i>File and Directory Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1083">T1083</a>]</li> <li><i>Account Discovery: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/001">T1087.001</a>]</li> <li><i>Account Discovery: Domain Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/002">T1087.002</a>]</li> <li><i>Peripheral Device Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1120">T1120</a>]</li> <li><i>Network Share Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1135">T1135</a>]</li> <li><i>Password Policy Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1201/">T1201</a>]</li> <li><i>Software Discovery: Security Software Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1518/001">T1518.001</a>]</li> </ul> </li> <li><i><em><strong>Lateral Movement </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0008">TA0008</a>] <ul> <li><i>Remote Services: Remote Desktop Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1021/001">T1021.001</a>]</li> <li><i>Remote Services: SSH </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1021/004">T1021.004</a>]</li> <li><i>Taint Shared Content </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1080/">T1080</a>]</li> <li><i>Replication Through Removable Media </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1091">T1091</a>]</li> <li><i>Exploitation of Remote Services</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1210">T1210</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Hash </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1550/002">T1550.002</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Ticket</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/003">T1550.003</a>]</li> </ul> </li> <li><i><em><strong>Collection</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0009">TA0009</a>] <ul> <li><i>Data from Local System</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1005">T1005</a>]</li> <li><i>Data from Removable Media</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1025">T1025</a>]</li> <li><i>Data Staged: Local Data Staging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1074/001">T1074.001</a>]</li> <li><i>Screen Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1113">T1113</a>]</li> <li><i>Email Collection: Local Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/001">T1114.001</a>]</li> <li><i>Email Collection: Remote Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/002">T1114.002</a>]</li> <li><i>Automated Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1119">T1119</a>]</li> <li><i>Audio Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1123">T1123</a>]</li> <li><i>Data from Information Repositories: SharePoint </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1213/002">T1213.002</a>]</li> <li><i>Archive Collected Data: Archive via Utility</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/001">T1560.001</a>]</li> <li><i>Archive Collected Data: Archive via Custom Method</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/003">T1560.003</a>]</li> </ul> </li> <li><i><em><strong>Command and Control</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0011">TA0011</a>] <ul> <li><i>Data Obfuscation: Junk Data</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1001/001/">T1001.001</a>]</li> <li><i>Fallback Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1008">T1008</a>]</li> <li><i>Application Layer Protocol: Web Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/001">T1071.001</a>]</li> <li><i>Application Layer Protocol: File Transfer Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/002">T1071.002</a>]</li> <li><i>Application Layer Protocol: Mail Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/003">T1071.003</a>]</li> <li><i>Application Layer Protocol: DNS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/004">T1071.004</a>]</li> <li><i>Proxy: External Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/002">T1090.002</a>]</li> <li><i>Proxy: Multi-hop Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/003">T1090.003</a>]</li> <li><i>Proxy: Domain Fronting</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/004">T1090.004</a>]</li> <li><i>Communication Through Removable Media</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1092">T1092</a>]</li> <li><i>Non-Application Layer Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1095">T1095</a>]</li> <li><i>Web Service: Dead Drop Resolver</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/001">T1102.001</a>]</li> <li><i>Web Service: Bidirectional Communication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/002">T1102.002</a>]</li> <li><i>Multi-Stage Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1104">T1104</a>]</li> <li><i>Ingress Tool Transfer</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1105">T1105</a>]</li> <li><i>Data Encoding: Standard Encoding</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1132/001">T1132.001</a>]</li> <li><i>Remote Access Software</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1219">T1219</a>]</li> <li><i>Dynamic Resolution: Domain Generation Algorithms</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1568/002">T1568.002</a>]</li> <li><i>Non-Standard Port</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1571">T1571</a>]</li> <li><i>Protocol Tunneling</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1572">T1572</a>]</li> <li><i>Encrypted Channel: Symmetric Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/001">T1573.001</a>]</li> <li><i>Encrypted Channel: Asymmetric Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/002">T1573.002</a>]</li> </ul> </li> <li><i><em><strong><span style="display: none;">&nbsp;</span>Exfiltration</strong> </em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0010">TA0010</a>] <ul> <li><i>Exfiltration Over C2 Channel</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1041">T1041</a>]</li> <li><i>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1048/003">T1048.003</a>]</li> </ul> </li> <li><i><em><strong>Impact </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0040">TA0040</a>] <ul> <li><i>Data Encrypted for Impact</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1486">T1486</a>]</li> <li><i>Resource Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1496">T1496</a>]</li> <li><i>System Shutdown/Reboot</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1529">T1529</a>]</li> <li><i>Disk Wipe: Disk Structure Wipe</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1561/002">T1561.002</a>]</li> </ul> </li> </ul> <h3>Mitigations</h3><p>CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.</p> <h4>Leaders</h4> <ul> <li>Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.</li> </ul> <h4>Users/Staff</h4> <ul> <li>Log off remote connections when not in use.</li> <li>Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).</li> <li>Use different passwords for corporate and personal accounts.</li> <li>Install antivirus software on personal devices to automatically scan and quarantine suspicious files.</li> <li>Employ strong multi-factor authentication for personal accounts, if available.</li> <li>Exercise caution when: <ul> <li>Opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href="https://www.us-cert.gov/ncas/tips/ST04-010">Using Caution with Email Attachments</a>.</li> <li>Using removable media (e.g., USB thumb drives, external drives, CDs).</li> </ul> </li> </ul> <h4>IT Staff/Cybersecurity Personnel</h4> <ul> <li>Segment and segregate networks and functions.</li> <li>Change the default username and password of applications and appliances.</li> <li>Employ strong multi-factor authentication for corporate accounts.</li> <li>Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.</li> <li>Apply encryption to data at rest and data in transit.</li> <li>Use email security appliances to scan and remove malicious email attachments or links.</li> <li>Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.</li> <li>Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-183a">Defending Against Malicious Cyber Activity Originating from Tor</a> for mitigation options and additional information.</li> <li>Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">Top 10 Routinely Exploited Vulnerabilities</a> and other CISA alerts that identify vulnerabilities exploited by foreign attackers.</li> <li>Implement an antivirus program and a formalized patch management process.</li> <li>Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).</li> <li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li> <li>Implement Group Policy Object and firewall rules.</li> <li>Implement filters at the email gateway and block suspicious IP addresses at the firewall.</li> <li>Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.</li> <li>Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.</li> <li>Implement a Domain-Based Message Authentication, Reporting &amp; Conformance (DMARC) validation system.</li> <li>Disable or block unnecessary remote services.</li> <li>Limit access to remote services through centrally managed concentrators.</li> <li>Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.</li> <li>Limit unnecessary lateral communications.</li> <li>Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</li> <li>Ensure applications do not store sensitive data or credentials insecurely.</li> <li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li> <li>Disable unnecessary services on agency workstations and servers.</li> <li>Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).</li> <li>Monitor users' web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.</li> <li>Visit the MITRE ATT&amp;CK techniques and tactics pages linked in the ATT&amp;CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.</li> </ul> <h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href="https://us-cert.cisa.govmailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="https://us-cert.cisa.govmailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <h3>References</h3> <ul> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-120a">CISA Alert: Microsoft Office 365 Security Recommendations</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li><a href="https://www.cisa.gov/telework">CISA Webpage: Telework Guidance</a></li> <li><a href="https://www.cisa.gov/vpn-related-guidance">CISA Webpage: VPN-Related Guidance</a></li> <li><a href="http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf">FBI Private Industry Notification: PIN 20200409-001</a></li> </ul> <h3>References</h3> <ul> <li><a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks</a></li> </ul> <h3>Revisions</h3> <ul> <li>Initial Version: December 1, 2020</li> </ul> <hr /> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
Source de l’article sur us-cert.gov