Original release date: October 30, 2020

Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). CISA and the FBI are aware of an Iranian advanced persistent threat (APT) actor targeting U.S. state websites—to include election websites. CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. This disinformation (hereinafter, “the propaganda video”) was in the form of a video purporting to misattribute the activity to a U.S. domestic actor and implies that individuals could cast fraudulent ballots, even from overseas. https://www.odni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security.  (Reference FBI FLASH message ME-000138-TT, disseminated October 29, 2020). Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election.

Click here for a PDF version of this report.

Technical Details

Analysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner (Active Scanning: Vulnerability Scanning [T1595.002]). Acunetix is a widely used and legitimate web scanner, which has been used by threat actors for nefarious purposes. Organizations that do not regularly use Acunetix should monitor their logs for any activity from the program that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior. 

Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020 (Exploit Public-Facing Application [T1190]). This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites. 

CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records. A review of the records that were copied and obtained reveals the information was used in the propaganda video. 

CISA and FBI analysis of identified activity against state websites, including state election websites, referenced in this product cannot all be fully attributed to this Iranian APT actor. FBI analysis of the Iranian APT actor’s activity has identified targeting of U.S. elections’ infrastructure (Compromise Infrastructure [T1584]) within a similar timeframe, use of IP addresses and IP ranges – including numerous virtual private network (VPN) service exit nodes – which correlate to this Iran APT actor (Gather Victim Host Information [T1592)]), and other investigative information. 

Reconnaissance

The FBI has information indicating this Iran-based actor attempted to access PDF documents from state voter sites using advanced open-source queries (Search Open Websites and Domains [T1539]). The actor demonstrated interest in PDFs hosted on URLs with the words “vote” or “voter” and “registration.” The FBI identified queries of URLs for election-related sites. 

The FBI also has information indicating the actor researched  the following information in a suspected attempt to further their efforts to survey and exploit state election websites.

• YOURLS exploit
• Bypassing ModSecurity Web Application Firewall
• Detecting Web Application Firewalls
• SQLmap tool

Acunetix Scanning

CISA’s analysis identified the scanning of multiple entities by the Acunetix Web Vulnerability scanning platform between September 20 and September 28, 2020 (Active Scanning: Vulnerability Scanning [T1595.002]). 

The actor used the scanner to attempt SQL injection into various fields in /registration/registration/details with status codes 404 or 500:

/registration/registration/details?addresscity=-1 or 3*2<(0+5+513-513) -- &addressstreet1=xxxxx&btnbeginregistration=begin voter registration&btnnextelectionworkerinfo=next&btnnextpersonalinfo=next&btnnextresdetails=next&btnnextvoterinformation=next&btnsubmit=submit&chkageverno=on&chkageveryes=on&chkcitizenno=on&chkcitizenyes=on&chkdisabledvoter=on&chkelectionworker=on&chkresprivate=1&chkstatecancel=on&dlnumber=1&dob=xxxx/x/x&email=sample@email.tst&firstname=xxxxx&gender=radio&hdnaddresscity=&hdngender=&last4ssn=xxxxx&lastname=xxxxxinjjeuee&mailaddresscountry=sample@xxx.xxx&mailaddressline1=sample@email.tst&mailaddressline2=sample@xxx.xxx&mailaddressline3=sample@xxx.xxx&mailaddressstate=aa&mailaddresszip=sample@xxxx.xxx&mailaddresszipex=sample@xxx.xxx&middlename=xxxxx&overseas=1&partycode=a&phoneno1=xxx-xxx-xxxx&phoneno2=xxx-xxx-xxxx&radio=consent&statecancelcity=xxxxxxx&statecancelcountry=usa&statecancelstate=XXaa&statecancelzip=xxxxx&statecancelzipext=xxxxx&suffixname=esq&txtmailaddresscity=sample@xxx.xxx

Requests

The actor used the following requests associated with this scanning activity.

2020-09-26 13:12:56 x.x.x.x GET /x/x v[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0

2020-09-26 13:13:19 X.X.x.x GET /x/x voterid[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 1375

2020-09-26 13:13:18 .X.x.x GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - X.X.x.x 

User Agents Observed

CISA and FBI have observed the following user agents associated with this scanning activity.

Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0 

Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4 

Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.8.1.17)+Gecko/20080922+Ubuntu/7.10+(gutsy)+Firefox/2.0.0.17

Exfiltration

Obtaining Voter Registration Data

Following the review of web server access logs, CISA analysts, in coordination with the FBI, found instances of the cURL and FDM User Agents sending GET requests to a web resource associated with voter registration data. The activity occurred between September 29 and October 17, 2020. Suspected scripted activity submitted several hundred thousand queries iterating through voter identification values, and retrieving results with varying levels of success [Gather Victim Identity Information (T1589)]. A sample of the records identified by the FBI reveals they match information in the aforementioned propaganda video.
Requests

The actor used the following requests.

2020-10-17 13:07:51 x.x.x.x GET /x/x voterid=XXXX1 443 - x.x.x.x curl/7.55.1 - 200 0 0 1406

2020-10-17 13:07:55 x.x.x.x GET /x/x voterid=XXXX2 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390

2020-10-17 13:07:58 x.x.x.x GET /x/x voterid=XXXX3 443 - x.x.x.x curl/7.55.1 - 200 0 0 1625

2020-10-17 13:08:00 x.x.x.x GET /x/x voterid=XXXX4 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390

Note: incrementing voterid values in cs_uri_query field

User Agents

CISA and FBI have observed the following user agents.

FDM+3.x

curl/7.55.1

Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0 
Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4

See figure 1 below for a timeline of the actor’s malicious activity.

Figure 1: Overview of malicious activity

Mitigations

Detection

Acunetix Scanning

Organizations can identify Acunetix scanning activity by using the following keywords while performing log analysis.

• $acunetix
• acunetix_wvs_security_test

Indicators of Compromise

For a downloadable copy of IOCs, see AA20-304A.stix.

Disclaimer: Many of the IP addresses included below likely correspond to publicly available VPN services, which can be used by individuals all over the world. Although this creates the potential for false positives, any activity listed should warrant further investigation. The actor likely uses various IP addresses and VPN services.

The following IPs have been associated with this activity.

• 102.129.239[.]185 (Acunetix Scanning)
• 143.244.38[.]60 (Acunetix Scanning and cURL requests)
• 45.139.49[.]228 (Acunetix Scanning)
• 156.146.54[.]90 (Acunetix Scanning)
• 109.202.111[.]236 (cURL requests)
• 185.77.248[.]17 (cURL requests)
• 217.138.211[.]249 (cURL requests)
• 217.146.82[.]207 (cURL requests)
• 37.235.103[.]85 (cURL requests)
• 37.235.98[.]64 (cURL requests)
• 70.32.5[.]96 (cURL requests)
• 70.32.6[.]20 (cURL requests)
• 70.32.6[.]8 (cURL requests)
• 70.32.6[.]97 (cURL requests)
• 70.32.6[.]98 (cURL requests)
• 77.243.191[.]21 (cURL requests and FDM+3.x (Free Download Manager v3) enumeration/iteration)
• 92.223.89[.]73 (cURL requests)

CISA and the FBI are aware the following IOCs have been used by this Iran-based actor. These IP addresses facilitated the mass dissemination of voter intimidation email messages on October 20, 2020.

• 195.181.170[.]244 (Observed September 30 and October 20, 2020)
• 102.129.239[.]185 (Observed September 30, 2020)
• 104.206.13[.]27 (Observed September 30, 2020)
• 154.16.93[.]125 (Observed September 30, 2020)
• 185.191.207[.]169 (Observed September 30, 2020)
• 185.191.207[.]52 (Observed September 30, 2020)
• 194.127.172[.]98 (Observed September 30, 2020)
• 194.35.233[.]83 (Observed September 30, 2020)
• 198.147.23[.]147 (Observed September 30, 2020)
• 198.16.66[.]139(Observed September 30, 2020)
• 212.102.45[.]3 (Observed September 30, 2020)
• 212.102.45[.]58 (Observed September 30, 2020)
• 31.168.98[.]73 (Observed September 30, 2020)
• 37.120.204[.]156 (Observed September 30, 2020)
• 5.160.253[.]50 (Observed September 30, 2020)
• 5.253.204[.]74 (Observed September 30, 2020)
• 64.44.81[.]68 (Observed September 30, 2020)
• 84.17.45[.]218 (Observed September 30, 2020)
• 89.187.182[.]106 (Observed September 30, 2020)
• 89.187.182[.]111 (Observed September 30, 2020)
• 89.34.98[.]114 (Observed September 30, 2020)
• 89.44.201[.]211 (Observed September 30, 2020)

Recommendations

The following list provides recommended self-protection mitigation strategies against cyber techniques used by advanced persistent threat actors: 

• Validate input as a method of sanitizing untrusted input submitted by web application users. Validating input can significantly reduce the probability of successful exploitation by providing protection against security flaws in web applications. The types of attacks possibly prevented include SQL injection, Cross Site Scripting (XSS), and command injection.
• Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable unnecessary services and install available patches for the services in use. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
• Verify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a valid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
• Enable strong password requirements and account lockout policies to defend against brute-force attacks.
• Apply multi-factor authentication, when possible.
• Maintain a good information back-up strategy by routinely backing up all critical data and system configuration information on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.
• Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
• When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
• Ensure third parties that require RDP access follow internal remote access policies.
• Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
• Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as a VPNs. However, recognize the security of VPNs matches the security of the connected devices.
• Use security features provided by social media platforms; use strong passwords, change passwords frequently, and use a different password for each social media account. 
• See CISA’s Tip on Best Practices for Securing Election Systems for more information. 

General Mitigations

Keep applications and systems updated and patched

Apply all available software updates and patches and automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed of threat actors to create new exploits following the release of  a patch. These “N-day” exploits can be as damaging as zero-day exploits. Ensure the authenticity and integrity of vendor updates by using signed updates delivered over protected links. Without the rapid and thorough application of patches, threat actors can operate inside a defender’s patch cycle. NSA « NSA’S Top Ten Cybersecurity Mitigation Strategies » https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf Additionally, use tools (e.g., the OWASP Dependency-Check Project tool https://owasp.org/www-project-dependency-check/) to identify the publicly known vulnerabilities in third-party libraries depended upon by the application.

Scan web applications for SQL injection and other common web vulnerabilities

Implement a plan to scan public-facing web servers for common web vulnerabilities (e.g., SQL injection, cross-site scripting) by using a commercial web application vulnerability scanner in combination with a source code scanner. https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm Fixing or patching vulnerabilities after they are identified is especially crucial for networks hosting older web applications. As sites get older, more vulnerabilities are discovered and exposed.

Deploy a web application firewall  

Deploy a web application firewall (WAF) to prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools. 

Deploy techniques to protect against web shells

Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware. NSA & ASD « CyberSecurity Information: Detect and Prevent Web Shell Malware » https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools. 

Use multi-factor authentication for administrator accounts

Prioritize protection for accounts with elevated privileges, remote access, or used on high-value assets. https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs). NSA « NSA’S Top Ten Cybersecurity Mitigation Strategies » https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.

Remediate critical web application security risks

First, identify and remediate critical web application security risks. Next, move on to other less critical vulnerabilities. Follow available guidance on securing web applications. NSA “Building Web Applications – Security for Developers” https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm https://owasp.org/www-project-top-ten/ https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html

How do I respond to unauthorized access to election-related systems?

Implement your security incident response and business continuity plan

It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact CISA or law enforcement immediately 

To report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.gov or 888-282-0870) or the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).

Resources

• CISA Tip: Best Practices for Securing Election Systems
• CISA Tip: Securing Voter Registration Data 
• CISA Tip: Website Security 
• CISA Tip: Avoiding Social Engineering and Phishing Attacks
• CISA Tip: Securing Network Infrastructure Devices 
• Joint Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity
• CISA Insights: Actions to Counter Email-Based Attacks on Election-related Entities 
• FBI and CISA Public Service Announcement (PSA): Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters
• FBI and CISA PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections 
• FBI and CISA PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting 
• FBI and CISA PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections
• FBI and CISA PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting 
• FBI and CISA PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Result

Revisions

• October 30, 2020: Initial Version

Source de l’article sur us-cert.gov

Original release date: October 28, 2020 | Last revised: October 29, 2020

Summary

This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection.

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

Click here for a PDF version of this report.

Key Findings

• CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
• These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

Technical Details

Threat Details

The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.

TrickBot

What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.

In early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created anchor_dns, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.

anchor_dns is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. anchor_dns uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string anchor_dns can be found in the DNS request traffic.

TrickBot Indicators of Compromise

After successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.

• C:Windows
• C:WindowsSysWOW64
• C:Users[Username]AppDataRoaming

Once the executable is running and successful in establishing communication with C2s, the executable places appropriate modules downloaded from C2s for the infected processor architecture type (32 or 64 bit instruction set), to the infected host’s %APPDATA% or %PROGRAMDATA% directory, such as %AppDataRoamingwinapp. Some commonly named plugins that are created in a Modules subdirectory are (the detected architecture is appended to the module filename, e.g., importDll32 or importDll64):

• Systeminfo
• importDll
• outlookDll
• injectDll with a directory (ex. injectDLL64_configs) containing configuration files:
  • dinj
  • sinj
  • dpost
• mailsearcher with a directory (ex. mailsearcher64_configs) containing configuration file:
  • mailconf
• networkDll with a directory (ex. networkDll64_configs) containing configuration file:
  • dpost
• wormDll
• tabDll
• shareDll

Filename client_id or data or FAQ with the assigned bot ID of the compromised system is created in the malware directory. Filename group_tag or Readme.md containing the TrickBot campaign IDs is created in the malware directory.

The malware may also drop a file named anchorDiag.txt in one of the directories listed above.

Part of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded GUID. The GUID is composed of /GroupID/ClientID/ with the following naming convention:

/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/.

The malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. The scheduled task typically uses the following naming convention.

[random_folder_name_in_%APPDATA%_excluding_Microsoft]

autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876).

After successful execution, anchor_dns further deploys malicious batch scripts (.bat) using PowerShell commands.

The malware deploys self-deletion techniques by executing the following commands.

• cmd.exe /c timeout 3 && del C:Users[username][malware_sample]
• cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:Users[username][malware_sample_location]"

The following domains found in outbound DNS records are associated with anchor_dns.

• kostunivo[.]com
• chishir[.]com
• mangoclone[.]com
• onixcellent[.]com

This malware used the following legitimate domains to test internet connectivity.

• ipecho[.]net
• api[.]ipify[.]org
• checkip[.]amazonaws[.]com
• ip[.]anysrc[.]net
• wtfismyip[.]com
• ipinfo[.]io
• icanhazip[.]com
• myexternalip[.]com
• ident[.]me

Currently, there is an open-source tracker for TrickBot C2 servers located at https://feodotracker.abuse.ch/browse/trickbot/.

The anchor_dns malware historically used the following C2 servers.

• 23[.]95[.]97[.]59
• 51[.]254[.]25[.]115
• 193[.]183[.]98[.]66
• 91[.]217[.]137[.]37
• 87[.]98[.]175[.]85

TrickBot YARA Rules

BazarLoader/BazarBackdoor

Beginning in approximately early 2020, actors believed to be associated with TrickBot began using BazarLoader and BazarBackdoor to infect victim networks. The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure. Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.

Deployment of the BazarLoader malware typically comes from phishing email and contains the following:

• Phishing emails are typically delivered by commercial mass email delivery services. Email received by a victim will contain a link to an actor-controlled Google Drive document or other free online filehosting solutions, typically purporting to be a PDF file.
• This document usually references a failure to create a preview of the document and contains a link to a URL hosting a malware payload in the form of a misnamed or multiple extension file.
• Emails can appear as routine, legitimate business correspondence about customer complaints, hiring decision, or other important tasks that require the attention of the recipient.  
• Some email communications have included the recipient’s name or employer name in the subject line and/or email body.

Through phishing emails linking users to Google Documents, actors used the below identified file names to install BazarLoader:

• Report-Review26-10.exe
• Review_Report15-10.exe
• Document_Print.exe
• Report10-13.exe
• Text_Report.exe

Bazar activity can be identified by searching the system startup folders and Userinit values under the HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon registry key:

%APPDATA%MicrosoftWindowsStart MenuProgramsStartupadobe.lnk

For a comprehensive list of indicators of compromise regarding the BazarLocker and other malware, see https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html.

Indicators

In addition to TrickBot and BazarLoader, threat actors are using malware, such as KEGTAP, BEERBOT, SINGLEMALT, and others as they continue to change tactics, techniques, and procedures in their highly dynamic campaign. The following C2 servers are known to be associated with this malicious activity.

• 45[.]148[.]10[.]92
• 170[.]238[.]117[.]187
• 177[.]74[.]232[.]124
• 185[.]68[.]93[.]17
• 203[.]176[.]135[.]102
• 96[.]9[.]73[.]73
• 96[.]9[.]77[.]142
• 37[.]187[.]3[.]176
• 45[.]89[.]127[.]92
• 62[.]108[.]35[.]103
• 91[.]200[.]103[.]242
• 103[.]84[.]238[.]3
• 36[.]89[.]106[.]69
• 103[.]76[.]169[.]213
• 36[.]91[.]87[.]227
• 105[.]163[.]17[.]83
• 185[.]117[.]73[.]163
• 5[.]2[.]78[.]118
• 185[.]90[.]61[.]69
• 185[.]90[.]61[.]62
• 86[.]104[.]194[.]30
• 31[.]131[.]21[.]184
• 46[.]28[.]64[.]8
• 104[.]161[.]32[.]111
• 107[.]172[.]140[.]171
• 131[.]153[.]22[.]148
• 195[.]123[.]240[.]219
• 195[.]123[.]242[.]119
• 195[.]123[.]242[.]120
• 51[.]81[.]113[.]25
• 74[.]222[.]14[.]27

Ryuk Ransomware

Typically Ryuk has been deployed as a payload from banking Trojans such as TrickBot. (See the United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally, on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the files have .ryk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.

While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.

Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management , and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.

Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The RyukReadMe file placed on the system after encryption provides either one or two email  addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes contact.

The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.

Initial testing indicates that the RyukReadMe file does not need to be present for the decryption script to run successfully but other reporting advises some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the RyukReadMe file is deleted when the script is finished. This may affect the decryption script unless it is saved and stored in a different location before running.

According to MITRE, Ryuk uses the ATT&CK techniques listed in table 1.

Table 1: Ryuk ATT&CK techniques

Mitigations

For a downloadable copy of IOCs, see AA20-302A.stix. For additional IOCs detailing this activity, see https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456.

Plans and Policies

CISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.

Network Best Practices

• Patch operating systems, software, and firmware as soon as manufacturers release updates.
• Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
• Use multi-factor authentication where possible.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Audit logs to ensure new accounts are legitimate.
• Scan for open or listening ports and mediate those that are not needed.
• Identify critical assets such as patient database servers, medical records, and teleheatlh and telework infrastructure; create backups of these systems and house the backups offline from the network.
• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
• Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

• Regularly back up data, air gap, and password protect backup copies offline.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices

• Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
• Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

Recommended Mitigation Measures

System administrators who have indicators of a TrickBot network compromise should immediately take steps to back up and secure sensitive or proprietary data. TrickBot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a TrickBot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs.

GENERAL RANSOMWARE MITIGATIONS — HPH SECTOR

This section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)’s Joint Ransomware Guide, which can be found at https://www.cisa.gov/publication/ransomware-guide.

CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.

Ransomware Prevention

Join and Engage with Cybersecurity Organizations

CISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:

• Join a healthcare information sharing organization, H-ISAC:
  • Health Information Sharing and Analysis Center (H-ISAC): https://h-isac.org/membership-account/join-h-isac/
  • Sector-based ISACs – National Council of ISACs: https://www.nationalisacs.org/member-isacs
  • Information Sharing and Analysis Organization (ISAO) Standards Organization: https://www.isao.org/information-sharing-groups/
• Engage with CISA and FBI, as well as HHS—through the HHS Health Sector Cybersecurity Coordination Center (HC3)—to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises.
  • CISA: cisa.gov, https://us-cert.cisa.gov/mailing-lists-and-feeds, central@cisa.gov  
  • FBI: ic3.gov, www.fbi.gov/contact-us/field, CyWatch@fbi.gov
  • HHS/HC3: http://www.hhs.gov/hc3, HC3@HHS.gov

Engaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.

Follow Ransomware Best Practices

Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.

• It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.
  • Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.
  • Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
  • Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.
    • Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
    • Ensure all backup hardware is properly patched.
• In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
• Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
  • Review available incident response guidance, such as CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity https://us-cert.cisa.gov/ncas/alerts/aa20-245a.
• Help your organization better organize around cyber incident response.
• Develop a cyber incident response plan.
• The Ransomware Response Checklist, available in the CISA and MS-ISAC Joint Ransomware Guide, serves as an adaptable, ransomware- specific annex to organizational cyber incident response or disruption plans.
• Review and implement as applicable MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf).
• Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.
• Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following:
  • Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.
  • Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.
  • Coordinate the potential for surge support with other healthcare facilities in the greater local area. This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant amount of critical patients for immediate care. This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.
• Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if the primary network becomes unavailable if/when needed.
• Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.
• Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.
• See CISA and MS-ISAC’s Joint Ransomware Guide for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.
• HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at http://www.hhs.gov/hc3.

Hardening Guidance

• The Food and Drug Administration provides multiple guidance documents regarding the hardening of healthcare and specifically medical devices found here: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.
• See CISA and MS-ISAC’s Joint Ransomware Guide for additional in-depth hardening guidance.

Contact CISA for These No-Cost Resources

• Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.
• Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: https://www.cisa.gov/cyber-resource-hub.
  • Assessments include Vulnerability Scanning and Phishing Campaign Assessment.
• Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.
• CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.
• Contacts:
  • SLTT organizations: CyberLiaison_SLTT@cisa.dhs.gov
  • Private sector organizations: CyberLiaison_Industry@cisa.dhs.gov

Ransomware Quick References

• Ransomware: What It Is and What to Do About It (CISA): General ransomware guidance for organizational leadership and more in-depth information for CISOs and technical staff: https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_ Document-FINAL.pdf
• Ransomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks, specific ransomware threats, and other resources: https://www.us-cert.cisa.gov/Ransomware  
• HHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at www.hhs.gov/hc3
• Security Primer – Ransomware (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns, common infection vectors, and best practice recommendations: https://www.cisecurity.org/white-papers/security-primer-ransomware/
• Ransomware: Facts, Threats, and Countermeasures (MS- ISAC): Facts about ransomware, infection vectors, ransomware capabilities, and how to mitigate the risk of ransomware infection: https://www.cisecurity.org/blog/ransomware- facts-threats-and-countermeasures/
• HHS Ransomware Fact Sheet: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
• NIST Securing Data Integrity White Paper: https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft

Ransomware Response Checklist

Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.

Should your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in CISA and MS-ISAC’s Joint Ransomware Guide, which contains steps for detection and analysis as well as containment and eradication.

Consider the Need For Extended Identification or Analysis

If extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:

• Recovered executable file
• Copies of the readme file – DO NOT REMOVE the file or decryption may not be possible
• Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
• Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
• Malware samples
• Names of any other malware identified on your system
• Encrypted file samples
• Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)
• Any PowerShell scripts found having executed on the systems
• Any user accounts created in Active Directory or machines added to the network during the exploitation
• Email addresses used by the attackers and any associated phishing emails
• A copy of the ransom note
• Ransom amount and whether or not the ransom was paid
• Bitcoin wallets used by the attackers
• Bitcoin wallets used to pay the ransom (if applicable)
• Copies of any communications with attackers

Upon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.

• CISA – Advanced Malware Analysis Center: https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf
• Remote Assistance – Request via Central@cisa.gov

Contact Information

CISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for purpose of notification.

• State and Local Response Contacts
• IT/IT Security Team – Centralized Cyber Incident Reporting
• State and Local Law Enforcement
• Fusion Center        
• Managed/Security Service Providers
• Cyber Insurance       

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

Additionally, see CISA and MS-ISAC’s Joint Ransomware Guide for information on contacting—and what to expect from contacting—federal asset response and federal threat response contacts.

Disclaimer

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://cisa.gov/tlp.

References

• CISA Emergency Services Sector Continuity Planning Suite
• CISA MS-ISAC Joint Ransomware Guide
• CISA Tip: Avoiding Social Engineering and Phishing Attacks
• FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations »
• Health Industry Cybersecurity Tactical Crisis Response
• Health Industry Cybersecurity Practices (HICP)
• HHS – Ransomware Spotlight Webinar
• HHS – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
• HHS – Ransomware Briefing
• HHS – Aggressive Ransomware Impacts
• HHS – Ransomware Fact Sheet
• HHS – Cyber Attack Checklist
• HHS – Cyber-Attack Response Infographic
• NIST – Data Integrity Publication
• NIST – Guide for Cybersecurity Event Recovery
• NIST – Identifying and Protecting Assets Against Ransomware and Other Destructive Events
• NIST – Detecting and Responding to Ransomware and Other Destructive Events
• NIST – Recovering from Ransomware and Other Destructive Events
• Github List of IOCs

Revisions

• October 28, 2020: Initial version
• October 29, 2020: Updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection

Source de l’article sur us-cert.gov

Original release date: October 22, 2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.

The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.

The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. 

Click here for a PDF version of this report.

Technical Details

These actors have conducted a significant number of intrusions against U.S.-based networks since August 2019. The actors leveraged several Common Vulnerabilities and Exposures (CVEs)—notably CVE-2020-5902 and CVE-2017-9248—pertaining to virtual private networks (VPNs) and content management systems (CMSs). 

• CVE-2020-5902 affects F5 VPNs. Remote attackers could exploit this vulnerability to execute arbitrary code. [1].
• CVE-2017-9248 affects Telerik UI. Attackers could exploit this vulnerability in web applications using Telerik UI for ASP.NET AJAX to conduct cross-site scripting (XSS) attacks.[2]

Historically, these actors have conducted DDoS attacks, SQL injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. These activities could render these systems temporarily inaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of results.

• A DDoS attack could slow or render election-related public-facing websites inaccessible by flooding the internet-accessible server with requests; this would prevent users from accessing online resources, such as voting information or non-official voting results. In the past, cyber actors have falsely claimed DDoS attacks have compromised the integrity of voting systems in an effort to mislead the public that their attack would prevent a voter from casting a ballot or change votes already cast.
• A SQL injection involves a threat actor inserting malicious code into the entry field of an application, causing that code to execute if entries have not been sanitized. SQL injections are among the most dangerous and common exploits affecting websites. A SQL injection into a media company’s CMS could enable a cyber actor access to network systems to manipulate content or falsify news reports prior to publication.
• Spear-phishing messages may not be easily detectible. These emails often ask victims to fill out forms or verify information through links embedded in the email. APT actors use spear phishing to gain access to information—often credentials, such as passwords—and to identify follow-on victims. A malicious cyber actor could use compromised email access to spread disinformation to the victims’ contacts or collect information sent to or from the compromised account.
• Public-facing website defacements typically involve a cyber threat actor compromising the website or its associated CMS, allowing the actor to upload images to the site’s landing page. In situations where such public-facing websites relate to elections (e.g., the website of a county board of elections), defacements could cast doubt on the security and legitimacy of the websites’ information. If cyber actors were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised..
• Disinformation campaigns involve malign actions taken by foreign governments or actors designed to sow discord, manipulate public discourse, or discredit the electoral system. Malicious actors often use social media as well as fictitious and spoofed media sites for these campaigns. Based on their corporate policies, social media companies have worked to counter these actors’ use of their platforms to promote fictitious news stories by removing the news stories, and in many instances, closing the accounts related to the malicious activity. However, these adversaries will continue their attempts to create fictitious accounts that promote divisive storylines to sow discord, even after the election.

Mitigations

The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:

• Validate input—input validation is a method of sanitizing untrusted input provided by web application users. Implementing input validation can protect against security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly prevented include SQL injection, XSS, and command injection.
• Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
• Verify all cloud-based virtual machine instances with a public IP; do not have open RDP ports, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall, and require users to use a VPN to access it through the firewall.
• Enable strong password requirements and account lockout policies to defend against brute-force attacks.
• Apply multi-factor authentication, when possible.
• Apply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248.
  • For patch information on CVE-2020-5902, refer to F5 Security Advisory K52145254.
  • For patch information on CVE-2017-9248, refer to Progress Telerik details for CVE-2017-9248.
• Maintain a good information back-up strategy that involves routinely backing up all critical data and system configuration information on a separate device. Store the backups offline; verify their integrity and restoration process.
• Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days, and review them regularly to detect intrusion attempts.
• When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
• Ensure third parties that require RDP access are required to follow internal policies on remote access.
• Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
• Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.
• Be aware of unsolicited contact on social media from any individual you do not know.
• Be aware of attempts to pass links or files via social media from anyone you do not know.
• Be aware of unsolicited requests to share a file via online services.
• Be aware of email messages conveying suspicious alerts or other online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.
• Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an IP address not attributable to the provider/company).
• Be suspicious of unsolicited email messages that contain shortened links (e.g., via tinyurl, bit.ly).
• Use security features provided by social media platforms, use strong passwords, change passwords frequently, and use a different password for each social media account.
• See CISA’s Tip on Best Practices for Securing Election Systems for more information.

General Mitigations

Keep applications and systems updated and patched

Apply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These “N-day” exploits can be as damaging as a zero-day exploits. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.[3] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool[4]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.

Scan web applications for SQL injection and other common web vulnerabilities

Implement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner.[5] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.

Deploy a web application firewall 

Deploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.

Deploy techniques to protect against web shells

Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware.[6] Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.

Use multi-factor authentication for administrator accounts

Prioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[7] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs).[8] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.

Remediate critical web application security risks

First, identify and remedite critical web application security risks first; then, move on to other less critical vulnerabilities. Follow available guidance on securing web applications.[9],[10],[11]

How do I respond to unauthorized access to election-related systems?

Implement your security incident response and business continuity plan

It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact CISA or law enforcement immediately

To report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.dhs.gov or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).

Resources

• CISA Tip: Best Practices for Securing Election Systems
• CISA Tip: Securing Voter Registration Data
• CISA Tip: Website Security
• CISA Tip: Avoiding Social Engineering and Phishing Attacks
• CISA Tip: Securing Network Infrastructure Devices
• CISA Activity Alert: Technical Approaches to Uncovering and Remediating Malicious Activity
• CISA Insights: Actions to Counter Email-Based Attacks On Election-related Entities
• FBI and CISA Public Service Announcement (PSA): Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters
• FBI and CISA PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections
• FBI and CISA PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting
• FBI and CISA PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections
• FBI and CISA PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting
• FBI and CISA PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results
   

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

References

• [1] F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902
• [2] Progress Telerik details for CVE-2017-9248
• [3] NSA « NSA’S Top Ten Cybersecurity Mitigation Strategies
• [4] OWASP Dependency-Check
• [5] NSA « Defending Against the Exploitation of SQL Vulnerabilities to Compromise a Network »
• [6] NSA & ASD « CyberSecurity Information: Detect and Prevent Web Shell Malware »
• [7] CISA: Identifying and Protecting High Value Assets: A Closer Look at Governance Needs for HVAs:
• [8] NSA « NSA’S Top Ten Cybersecurity Mitigation Strategies »
• [9] NSA “Building Web Applications – Security for Developers”:
• [10] OWASP Top Ten
• [11] 2020 CWE Top 25 Most Dangerous Software Weaknesses

Revisions

• October 22, 2020: Initial Version

Source de l’article sur us-cert.gov

Original release date: October 9, 2020

Summary

This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

Note: the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.

This joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). 

CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. 

This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.

CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.

Some common tactics, techniques, and procedures used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical CVE-2020-1472 Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding. CISA recommends network staff and administrators review internet-facing infrastructure for vulnerabilities, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510,  Citrix NetScaler CVE-2019-19781, and Palo Alto Networks CVE-2020-2021 (this list is not considered exhaustive).

After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities.

Click here for a PDF version of this report.

Technical Details

Initial Access

APT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (Exploit Public-Facing Application [T1190], External Remote Services [T1133]) to gain initial access into systems. The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability CVE-2018-13379; however, other vulnerabilities, listed below, have been observed (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive).

• Citrix NetScaler CVE-2019-19781
• MobileIron CVE-2020-15505
• Pulse Secure CVE-2019-11510
• Palo Alto Networks CVE-2020-2021
• F5 BIG-IP CVE-2020-5902

FortiGuard ForitOS SSL VPN CVE-2018-13379

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.

MobileIron Core & Connector Vulnerability CVE-2020-15505

CVE-202-15505 is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Privilege Escalation

Post initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain Valid Account [T1078] credentials from AD servers.

Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472

CVE-2020-1472 is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory. This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (Valid Accounts: Domain Accounts [T1078.002]). Malicious actors can leverage this vulnerability to compromise other devices on the network (Lateral Movement [TA0008]).

Persistence

Once system access has been achieved, the APT actors use abuse of legitimate credentials (Valid Account [T1078]) to log in via VPN or Remote Access Services [T1133] to maintain persistence.

Mitigations

Organizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an “assume breach” mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.

Keep Systems Up to Date

Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.

Table 1: Patch information for exploited CVEs

Comprehensive Account Resets

If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure hosted AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.

It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.

1. Create a temporary administrator account, and use this account only for all administrative actions
2. Reset the Kerberos Ticket Granting Ticket (krbtgt) password; this must be completed before any additional actions and a second reset will take place in step 5
3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
   1. User accounts (forced reset with no legacy password reuse)
   2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
   3. Service accounts
   4. Directory Services Restore Mode (DSRM) account
   5. Domain Controller machine account
   6. Application passwords
5. Reset the krbtgt password again
6. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
7. Reboot domain controllers
8. Reboot all endpoints

The following accounts should be reset:

• AD Kerberos Authentication Master (2x)
• All Active Directory Accounts
• All Active Directory Admin Accounts
• All Active Directory Service Accounts
• All Active Directory User Accounts
• DSRM Account on Domain Controllers
• Non-AD Privileged Application Accounts
• Non-AD Unprivileged Application Accounts
• Non-Windows Privileged Accounts
• Non-Windows User Accounts
• Windows Computer Accounts
• Windows Local Admin

VPN Vulnerabilities

Implement the following recommendations to secure your organization’s VPNs:

• Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.
• Implement multi-factor authentication (MFA) on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.

Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. How to protect your organization against VPN vulnerabilities:

• Audit configuration and patch management programs.
• Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
• Implement MFA, especially for privileged accounts.
• Use separate administrative accounts on separate administration workstations.
• Keep software up to date. Enable automatic updates, if available.  

To secure your organization’s Netlogon channel connections:

• Update all Domain Controllers and Read Only Domain Controllers. On August 11, 2020, Microsoft released software updates to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).
• Monitor for new events, and address non-compliant devices that are using vulnerable Netlogon secure channel connections.
• Block public access to potentially vulnerable ports, such as 445 (SMB) and 135 (RPC).

To protect your organization against this CVE, follow advice from Microsoft, including:

• Update your domain controllers with an update released August 11, 2020 or later.
• Find which devices are making vulnerable connections by monitoring event logs.
• Address non-compliant devices making vulnerable connections.
• Enable enforcement mode to address CVE-2020-1472 in your environment.

How to uncover and mitigate malicious activity

• Collect and remove for further analysis:
  • Relevant artifacts, logs, and data
• Implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
• Consider soliciting incident response support from a third-party IT security organization to:
  • Provide subject matter expertise and technical support to the incident response,
  • Ensure that the actor is eradicated from the network, and
  • Avoid residual issues that could result in follow-up compromises once the incident is closed

Resources

• CISA VPN-Related Guidance
• CISA Infographic: Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&CK FRAMEWORK
• National Security Agency InfoSheet: Configuring IPsec Virtual Private Networks
• CISA Joint Advisory: AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity
• CISA Activity Alert: AA20-073A: Enterprise VPN Security
• CISA Activity Alert: AA20-031A: Detecting Citrix CVE-2019-19781
• CISA Activity Alert: AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability
• Cybersecurity Alerts and Advisories: Subscriptions to CISA Alerts and MS-ISAC Advisories

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

• CISA (888-282-0870 or Central@cisa.dhs.gov), or
• The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office

Revisions

• October 9, 2020: Initial Version

Source de l’article sur us-cert.gov