Phishing kits are not new, they are plenty in the wild, and my honeypot collects many samples daily. Usually, a phishing kit will collect credentials and send them to a compromised server (WordPress is generally an excellent target to host this kind of malicious code). Later, I found many kits that (ab)use online services to receive data submitted via HTTP forms[1].
Old Backdoor, New Obfuscation, (Sat, Mar 18th)
When you’re hunting, sometimes you feel lucky because you spotted something that looks brand new, but sometimes it’s not new or… the code has been changed to bypass existing detections. Here is a perfect example. A few months ago, Juniper discovered[1] a backdoor targeting VMWare ESXi servers, more precisely, the OpenSLP service (%%cve:2019-5544%% and %%cve:2020-3992%%).
AWS Chatbot Now Integrates With Microsoft Teams
I am pleased to announce that, starting today, you can use AWS Chatbot to troubleshoot and operate your AWS resources from Microsoft Teams.
Communicating and collaborating on IT operation tasks through chat channels is known as ChatOps. It allows you to centralize the management of infrastructure and applications, as well as to automate and streamline your workflows. It helps to provide a more interactive and collaborative experience, as you can communicate and work with your colleagues in real time through a familiar chat interface to get the job done.
We launched AWS Chatbot in 2020 with Amazon Chime and Slack integrations. Since then, the landscape of chat platforms has evolved rapidly, and many of you are now using Microsoft Teams.
AWS Chatbot Benefits
When using AWS Chatbot for Microsoft Teams or other chat platforms, you receive notifications from AWS services directly in your chat channels, and you can take action on your infrastructure by typing commands without having to switch to another tool.
Typically you want to receive alerts about your system health, your budget, any new security threat or risk, or the status of your CI/CD pipelines. Sending a message to the chat channel is as simple as sending a message on an Amazon Simple Notification Service (Amazon SNS) topic. Thanks to the native integration between Amazon CloudWatch alarms and SNS, alarms are automatically delivered to your chat channels with no additional configuration step required. Similarly, thanks to the integration between Amazon EventBridge and SNS, any system or service that emits events to EventBridge can send information to your chat channels.
But ChatOps is more than the ability to spot problems as they arise. AWS Chatbot allows you to receive predefined CloudWatch dashboards interactively and retrieve Logs Insights logs to troubleshoot issues directly from the chat thread. You can also directly type in the chat channel most AWS Command Line Interface (AWS CLI) commands to retrieve additional telemetry data or resource information or to run runbooks to remediate the issues.
Typing and remembering long commands is difficult. With AWS Chatbot, you can define your own aliases to reference frequently used commands and their parameters. It reduces the number of steps to complete a task. Aliases are flexible and can contain one or more custom parameters injected at the time of the query.
And because chat channels are designed for conversation, you can also ask questions in natural language and have AWS Chatbot answer you with relevant extracts from the AWS documentation or support articles. Natural language understanding also allows you to make queries such as “show me my ec2 instances in eu-west-3.”
Let’s Configure the Integration Between AWS Chatbot and Microsoft Teams
Getting started is a two-step process. First, I configure my team in Microsoft Teams. As a Teams administrator, I add the AWS Chatbot application to the team, and I take note of the URL of the channel I want to use for receiving notifications and operating AWS resources from Microsoft Teams channels.
Second, I register Microsoft Teams channels in AWS Chatbot. I also assign IAM permissions on what channel members can do in this channel and associate SNS topics to receive notifications. I may configure AWS Chatbot with the AWS Management Console, an AWS CloudFormation template, or the AWS Cloud Development Kit (AWS CDK). For this demo, I choose to use the console.
I open the Management Console and navigate to the AWS Chatbot section. On the top right side of the screen, in the Configure a chat client box, I select Microsoft Teams and then Configure client.
I enter the Microsoft Teams channel URL I noted in the Teams app.
At this stage, Chatbot redirects my browser to Microsoft Teams for authentication. If I am already authenticated, I will be redirected back to the AWS console immediately. Otherwise, I enter my Microsoft Teams credentials and one-time password and wait to be redirected.
At this stage, my Microsoft Teams team is registered with AWS Chatbot and ready to add Microsoft Teams channels. I select Configure new channel.
There are four sections to enter the details of the configuration. In the first section, I enter a Configuration name for my channel. Optionally, I also define the Logging details. In the second section, I paste—again—the Microsoft Teams Channel URL.
In the third section, I configure the Permissions. I can choose between the same set of permissions for all Microsoft Teams users in my team, or I can set User-level roles permission to enable user-specific permissions in the channel. In this demo, I select Channel role, and I assign an IAM role to the channel. The role defines the permissions shared by all users in the channel. For example, I can assign a role that allows users to access configuration data from Amazon EC2 but not from Amazon S3. Under Channel role, I select Use an existing IAM role. Under Existing role, I select a role I created for my 2019 re:Invent talk about ChatOps: chatbot-demo
. This role gives read-only access to all AWS services, but I could also assign other roles that would allow Chatbot users to take actions on their AWS resources.
To mitigate the risk that another person in your team accidentally grants more than the necessary privileges to the channel or user-level roles, you might also include Channel guardrail policies. These are the maximum permissions your users might have when using the channel. At runtime, the actual permissions are the intersection of the channel or user-level policies and the guardrail policies. Guardrail policies act like a boundary that channel users will never escape. The concept is similar to permission boundaries for IAM entities or service control policies (SCP) for AWS Organizations. In this example, I attach the ReadOnlyAccess managed policy.
The fourth and last section allows you to specify the SNS topic that will be the source for notifications sent to your team’s channel. Your applications or AWS services, such as CloudWatch alarms, can send messages to this topic, and AWS Chatbot will relay all messages to the configured Microsoft Teams channel. Thanks to the integration between Amazon EventBridge and SNS, any application able to send a message to EventBridge is able to send a message to Microsoft Teams.
For this demo, I select an existing SNS topic: alarmme
in the us-east-1
Region. You can configure multiple SNS topics to receive alarms from various Regions. I then select Configure.
Let’s Test the Integration
That’s it. Now I am ready to test my setup.
On the AWS Chatbot configuration page, I first select the Send test message. I also have an alarm defined when my estimated billing goes over $500. On the CloudWatch section of the Management Console, I configure the alarm to post a message on the SNS topic shared with Microsoft Teams.
Within seconds, I receive the test message and the alarm message on the Microsoft Teams channel.
Then I type a command to understand where the billing alarm comes from. I want to understand how many EC2 instances are running.
On the chat client channel, I type @aws
to select Chatbot as the destination, then the rest of the CLI command, as I would do in a terminal: ec2 describe-instances --region us-east-1 --filters "Name=architecture,Values=arm64_mac" --query "Reservations[].Instances[].InstanceId"
Chatbot answers within seconds.
I can create aliases for commands I frequently use. Aliases may have placeholder parameters that I can give at runtime, such as the Region name for example.
I create an alias to get the list of my macOS instance IDs with the command: aws alias create mac ec2 describe-instances --region $region --filters "Name=architecture,Values=arm64_mac" --query "Reservations[].Instances[].InstanceId"
Now, I can type @aws alias run mac us-east-1
as a shortcut to get the same result as above. I can also manage my aliases with the @aws alias list
, @aws alias get
, and @aws alias delete
commands.
I don’t know about you, but for me it is hard to remember commands. When I use the terminal, I rely on auto-complete to remind me of various commands and their options. AWS Chatbot offers similar command completion and guides me to collect missing parameters.
When using AWS Chatbot, I can also ask questions using natural English language. It can help to find answers from the AWS docs and from support articles by typing questions such as @aws how can I tag my EC2 instances?
or @aws how do I configure Lambda concurrency setting?
It can also find resources in my account when AWS Resource Explorer is activated. For example, I asked the bot: @aws what are the tags for my ec2 resources?
and @aws what Regions do I have Lambda service?
And I received these responses.
Thanks to AWS Chatbot, I realized that I had a rogue Lambda function left in
ca-central-1
. I used the AWS console to delete it.
Available Now
You can start to use AWS Chatbot with Microsoft Teams today. AWS Chatbot for Microsoft Teams is available to download from Microsoft Teams app at no additional cost. AWS Chatbot is available in all public AWS Regions, at no additional charge. You pay for the underlying resources that you use. You might incur charges from your chat client.
Get started today and configure your first integration with Microsoft Teams.
Simple Shellcode Dissection, (Thu, Mar 16th)
Amazon Linux 2023, a Cloud-Optimized Linux Distribution with Long-Term Support
I am excited to announce the general availability of Amazon Linux 2023 (AL2023). AWS has provided you with a cloud-optimized Linux distribution since 2010. This is the third generation of our Amazon Linux distributions.
Every generation of Amazon Linux distribution is secured, optimized for the cloud, and receives long-term AWS support. We built Amazon Linux 2023 on these principles, and we go even further. Deploying your workloads on Amazon Linux 2023 gives you three major benefits: a high-security standard, a predictable lifecycle, and a consistent update experience.
Let’s look at security first. Amazon Linux 2023 includes preconfigured security policies that make it easy for you to implement common industry guidelines. You can configure these policies at launch time or run time.
For example, you can configure the system crypto policy to enforce system-wide usage of a specific set of cipher suites, TLS versions, or acceptable parameters in certificates and key exchanges. Also, the Linux kernel has many hardening features enabled by default.
Amazon Linux 2023 makes it easier to plan and manage the operating system lifecycle. New Amazon Linux major versions will be available every two years. Major releases include new features and improvements in security and performance across the stack. The improvements might include major changes to the kernel, toolchain, GLib C, OpenSSL, and any other system libraries and utilities.
During those two years, a major release will receive an update every three months. These updates include security updates, bug fixes, and new features and packages. Each minor version is a cumulative list of updates that includes security and bug fixes in addition to new features and packages. These releases might include the latest language runtimes such as Python or Java. They might also include other popular software packages such as Ansible and Docker. In addition to these quarterly updates, security updates will be provided as soon as they are available.
Each major version, including 2023, will come with five years of long-term support. After the initial two-year period, each major version enters a three-year maintenance period. During the maintenance period, it will continue to receive security bug fixes and patches as soon as they are available. This support commitment gives you the stability you need to manage long project lifecycles.
The following diagram illustrates the lifecycle of Amazon Linux distributions:
Last—and this policy is by far my favorite—Amazon Linux provides you with deterministic updates through versioned repositories, a flexible and consistent update mechanism. The distribution locks to a specific version of the Amazon Linux package repository, giving you control over how and when you absorb updates. By default, and in contrast with Amazon Linux 2, a dnf update
command will not update your installed packages (dnf
is the successor to yum
). This helps to ensure that you are using the same package versions across your fleet. All Amazon Elastic Compute Cloud (Amazon EC2) instances launched from an Amazon Machine Image (AMI) will have the same version of packages. Deterministic updates also promote usage of immutable infrastructure, where no infrastructure is updated after deployment. When an update is required, you update your infrastructure as code scripts and redeploy a new infrastructure. Of course, if you really want to update your distribution in place, you can point dnf
to an updated package repository and update your machine as you do today. But did I tell you this is not a good practice for production workloads? I’ll share more technical details later in this blog post.
How to Get Started
Getting started with Amazon Linux 2023 is no different than with other Linux distributions. You can use the EC2 run-instances
API, the AWS Command Line Interface (AWS CLI), or the AWS Management Console, and one of the four Amazon Linux 2023 AMIs that we provide. We support two machine architectures (x86_64 and Arm) and two sizes (standard and minimal). Minimal AMIs contain the most basic tools and utilities to start the OS. The standard version comes with the most commonly used applications and tools installed.
To retrieve the latest AMI ID for a specific Region, you can use AWS Systems Manager get-parameter
API and query the /aws/service/ami-amazon-linux-latest/<alias>
parameter.
Be sure to replace <alias>
with one of the four aliases available:
- For arm64 architecture (standard AMI):
al2023-ami-kernel-default-arm64
- For arm64 architecture (minimal AMI):
al2023-ami-minimal-kernel-default-arm64
- For x86_64 architecture (standard AMI):
al2023-ami-kernel-default-x86_64
- For x86_64 architecture (minimal AMI):
al2023-ami-minimal-kernel-default-x86_64
For example, to search for the latest Arm64 full distribution AMI ID, I open a terminal and enter:
~ aws ssm get-parameters --region us-east-2 --names /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-arm64
{
"Parameters": [
{
"Name": "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-arm64",
"Type": "String",
"Value": "ami-02f9b41a7af31dded",
"Version": 1,
"LastModifiedDate": "2023-02-24T22:54:56.940000+01:00",
"ARN": "arn:aws:ssm:us-east-2::parameter/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-arm64",
"DataType": "text"
}
],
"InvalidParameters": []
}
To launch an instance, I use the run-instances
API. Notice how I use Systems Manager resolution to dynamically lookup the AMI ID from the CLI.
➜ aws ec2 run-instances
--image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-arm64
--key-name my_ssh_key_name
--instance-type c6g.medium
--region us-east-2
{
"Groups": [],
"Instances": [
{
"AmiLaunchIndex": 0,
"ImageId": "ami-02f9b41a7af31dded",
"InstanceId": "i-0740fe8e23f903bd2",
"InstanceType": "c6g.medium",
"KeyName": "my_ssh_key_name",
"LaunchTime": "2023-02-28T14:12:34+00:00",
...(redacted for brevity)
}
When the instance is launched, and if the associated security group allows SSH (TCP 22) connections, I can connect to the machine:
~ ssh ec2-user@3.145.19.213
Warning: Permanently added '3.145.19.213' (ED25519) to the list of known hosts.
, #_
~_ ####_ Amazon Linux 2023
~~ _##### Preview
~~ ###|
~~ #/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Tue Feb 28 14:14:44 2023 from 81.49.148.9
[ec2-user@ip-172-31-9-76 ~]$ uname -a
Linux ip-172-31-9-76.us-east-2.compute.internal 6.1.12-19.43.amzn2023.aarch64 #1 SMP Thu Feb 23 23:37:18 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
We also distribute Amazon Linux 2023 as Docker images. The Amazon Linux 2023 container image is built from the same software components that are included in the Amazon Linux 2023 AMI. The container image is available for use in any environment as a base image for Docker workloads. If you’re using Amazon Linux for applications in EC2, you can containerize your applications with the Amazon Linux container image.
These images are available from Amazon Elastic Container Registry (Amazon ECR) and from Docker Hub. Here is a quick demo to start a Docker container using Amazon Linux 2023 from Elastic Container Registry.
$ aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
Login Succeeded
~ docker run --rm -it public.ecr.aws/amazonlinux/amazonlinux:2023 /bin/bash
Unable to find image 'public.ecr.aws/amazonlinux/amazonlinux:2023' locally
2023: Pulling from amazonlinux/amazonlinux
b4265814d5cf: Pull complete
Digest: sha256:bbd7a578cff9d2aeaaedf75eb66d99176311b8e3930c0430a22e0a2d6c47d823
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023
bash-5.2# uname -a
Linux 9d5b45e9f895 5.15.49-linuxkit #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
bash-5.2# exit
When pulling from Docker Hub, you can use this command to pull the image: docker pull amazonlinux:2023
.
What Are the Main Differences Compared to Amazon Linux 2?
Amazon Linux 2023 has some differences compared to Amazon Linux 2. The documentation explains these differences in detail. The two differences I would like to focus on are dnf
and the package management policies.
AL2023 comes with Fedora’s dnf
, the successor to yum
. But don’t worry, dnf
provides similar commands as yum
to search, install, or remove packages. Where you used to run the commands yum list
or yum install httpd
, you may now run dnf list
or dnf install httpd
. For convenience, we create a symlink for /usr/bin/yum
, so you can run your scripts unmodified.
$ which yum
/usr/bin/yum
$ ls -al /usr/bin/yum
lrwxrwxrwx. 1 root root 5 Jun 19 18:06 /usr/bin/yum -> dnf-3
The biggest difference, in my opinion, is the deterministic updates through versioned repositories. By default, the software repository is locked to the AMI version. This means that a dnf update
command will not return any new packages to install. Versioned repositories give you the assurance that all machines started from the same AMI ID are identical. Your infrastructure will not deviate from the baseline.
$ sudo dnf update
Last metadata expiration check: 0:14:10 ago on Tue Feb 28 14:12:50 2023.
Dependencies resolved.
Nothing to do.
Complete!
Yes, but what if you want to update a machine? You have two options to update an existing machine. The cleanest one for your production environment is to create duplicate infrastructure based on new AMIs. As I mentioned earlier, we publish updates for every security fix and a consolidated update every three months for two years after the initial release. Each update is provided as a set of AMIs and their corresponding software repository.
For smaller infrastructure, such as test or development machines, you might choose to update the operating system or individual packages in place as well. This is a three-step process:
- first, list the available updated software repositories;
- second, point
dnf
to a specific software repository; - and third, update your packages.
To show you how it works, I purposely launched an EC2 instance with an “old” version of Amazon Linux 2023 from February 2023. I first run dnf check-release-update
to list the available updated software repositories.
$ dnf check-release-update
WARNING:
A newer release of "Amazon Linux" is available.
Available Versions:
Version 2023.0.20230308:
Run the following command to upgrade to 2023.0.20230308:
dnf upgrade --releasever=2023.0.20230308
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes.html
Then, I might either update the full distribution using dnf upgrade --releasever=2023.0.20230308
or point dnf
to the updated repository to select individual packages.
$ dnf check-update --releasever=2023.0.20230308
Amazon Linux 2023 repository 28 MB/s | 11 MB 00:00
Amazon Linux 2023 Kernel Livepatch repository 1.2 kB/s | 243 B 00:00
amazon-linux-repo-s3.noarch 2023.0.20230308-0.amzn2023 amazonlinux
binutils.aarch64 2.39-6.amzn2023.0.5 amazonlinux
ca-certificates.noarch 2023.2.60-1.0.amzn2023.0.1 amazonlinux
(redacted for brevity)
util-linux-core.aarch64 2.37.4-1.amzn2022.0.1 amazonlinux
Finally, I might run a dnf update <package_name>
command to update a specific package.
This might look like overkill for a simple machine, but when managing enterprise infrastructure or large-scale fleets of instances, this facilitates the management of your fleet by ensuring that all instances run the same version of software packages. It also means that the AMI ID is now something that you can fully run through your CI/CD pipelines for deployment and that you have a way to roll AMI versions forward and backward according to your schedule.
Where is Fedora?
When looking for a base to serve as a starting point for Amazon Linux 2023, Fedora was the best choice. We found that Fedora’s core tenets (Freedom, Friends, Features, First) resonate well with our vision for Amazon Linux. However, Amazon Linux focuses on a long-term, stable OS for the cloud, which is a notable different release cycle and lifecycle than Fedora. Amazon Linux 2023 provides updated versions of open-source software, a larger variety of packages, and frequent releases.
Amazon Linux 2023 isn’t directly comparable to any specific Fedora release. The Amazon Linux 2023 GA version includes components from Fedora 34, 35, and 36. Some of the components are the same as the components in Fedora, and some are modified. Other components more closely resemble the components in CentOS Stream 9 or were developed independently. The Amazon Linux kernel, on its side, is sourced from the long-term support options that are on kernel.org, chosen independently from the kernel provided by Fedora.
Like every good citizen in the open-source community, we give back and contribute our changes to upstream distributions and sources for the benefit of the entire community. Amazon Linux 2023 itself is open source. The source code for all RPM packages that are used to build the binaries that we ship are available through the SRPM yum repository (sudo dnf install -y 'dnf-command(download)' && dnf download --source bash
)
One More Thing: Amazon EBS Gp3 Volumes
Amazon Linux 2023 AMIs use gp3 volumes by default.
Gp3 is the latest generation general-purpose solid-state drive (SSD) volume for Amazon Elastic Block Store (Amazon EBS). Gp3 provides 20 percent lower storage costs compared to gp2. Gp3 volumes deliver a baseline performance of 3,000 IOPS and 125MB/s at any volume size. What I particularly like about gp3 volumes is that I can now provision performance independently of capacity. When using gp3 volumes, I can now increase IOPS and throughput without incurring charges for extra capacity that I don’t actually need.
With the availability of gp3-backed AL2023 AMIs, this is the first time a gp3-backed Amazon Linux AMI is available. Gp3-backed AMIs have been a common customer request since gp3 was launched in 2020. It is now available by default.
Price and Availability
Amazon Linux 2023 is provided at no additional charge. Standard Amazon EC2 and AWS charges apply for running EC2 instances and other services. This distribution includes full support for five years. When deploying on AWS, our support engineers will provide technical support according to the terms and conditions of your AWS Support plan. AMIs are available in all AWS Regions.
Amazon Linux is the most used Linux distribution on AWS, with hundreds of thousands of customers using Amazon Linux 2. Dozens of Independent Software Vendors (ISVs) and hardware partners are supporting Amazon Linux 2023 today. You can adopt this new version with the confidence that the partner tools you rely on are likely to be supported. We are excited about this release, which brings you an even higher level of security, a predictable release lifecycle, and a consistent update experience.
Now go build and deploy your workload on Amazon Linux 2023 today.
#StopRansomware: LockBit 3.0
SUMMARY
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
- Prioritize remediating known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Enable and enforce phishing- resistant multifactor authentication.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Download the PDF version of this report:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK for Enterprise.
CAPABILITIES
LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.
LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [T1480.001]. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the executable’s encrypted potion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.
LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop execution without infecting the system.
INITIAL ACCESS
Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].
EXECUTION AND INFECTION PROCESS
During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:
- Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices [T1082]
- Terminating processes and services [T1489]
- Launching commands [TA0002]
- Enabling automatic logon for persistence and privilege escalation [T1547]
- Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490]
LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions.
After files are encrypted, LockBit 3.0 drops a ransom note with the new filename .README.txt and changes the host’s wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [T1027].
Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.
EXFILTRATION
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).
File Sharing Site |
---|
https://www.premiumize[.]com |
https://anonfiles[.]com |
https://www.sendspace[.]com |
https://fex[.]net |
https://transfer[.]sh |
https://send.exploit[.]in |
LEVERAGING FREEWARE AND OPEN-SOURCE TOOLS
LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts
are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2 for a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations:
Tool | Description | MITRE ATT&CK ID |
---|---|---|
Chocolatey | Command-line package manager for Windows. | T1072 |
FileZilla | Cross-platform File Transfer Protocol (FTP) application. | T1071.002 |
Impacket | Collection of Python classes for working with network protocols. | S0357 |
MEGA Ltd MegaSync | Cloud-based synchronization tool. | T1567.002 |
Microsoft Sysinternals ProcDump | Generates crash dumps. Commonly used to dump the contents of Local Security Authority Subsystem Service, LSASS.exe. | T1003.001 |
Microsoft Sysinternals PsExec | Execute a command-line process on a remote machine. | S0029 |
Mimikatz | Extracts credentials from system. | S0002 |
Ngrok | Legitimate remote-access tool abused to bypass victim network protections. | S0508 |
PuTTY Link (Plink) | Can be used to automate Secure Shell (SSH) actions on Windows. | T1572 |
Rclone | Command-line program to manage cloud storage files | S1040 |
SoftPerfect Network Scanner | Performs network scans. | T1046 |
Splashtop | Remote-desktop software. | T1021.001 |
WinSCP | SSH File Transfer Protocol client for Windows. | T1048 |
Indicators of Compromise (IOCs)
The IOCs and malware characteristics outlined below were derived from field analysis. The following samples are current as of March 2023.
LockBit 3.0 Black Icon

LockBit 3.0 Wallpaper

LockBit Command Line Parameters
LockBit Parameters | Description |
---|---|
-del |
Self-delete. |
-gdel |
Remove LockBit 3.0 group policy changes. |
-gspd |
Spread laterally via group policy. |
-pass (32 character value) |
(Required) Password used to launch LockBit 3.0. |
-path (File or path) |
Only encrypts provided file or folder. |
-psex |
Spread laterally via admin shares. |
-safe |
Reboot host into Safe Mode. |
-wall |
Sets LockBit 3.0 Wallpaper and prints out LockBit 3.0 ransom note. |
Mutual Exclusion Object (Mutex) Created
When executed, LockBit 3.0 will create the mutex, Global,
and check to see if this mutex has already been created to avoid running more than one instance of the ransomware.
UAC Bypass via Elevated COM Interface
LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via elevated Component Object Model (COM) Interface. C:WindowsSystem32dllhost.exe is spawned with high integrity with the command line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC.
For example, %SYSTEM32%dllhost.exe/Processid:{3E5FC7F9-9A51-4367-9063- A120244FBEC7}.
Volume Shadow Copy Deletion
LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.
Registry Artifacts
LockBit 3.0 Icon
Registry Key | Value | Data |
---|---|---|
HKCR. |
(Default) |
|
HKCRDefaultIcon |
(Default) |
C:ProgramData.ico |
LockBit 3.0 Wallpaper
Registry Key | Value | Data |
---|---|---|
HKCUControl PanelDesktopWallPaper |
(Default) |
C:ProgramData.bmp |
Disable Privacy Settings Experience
Registry Key | Value | Data |
---|---|---|
SOFTWAREPoliciesMicrosoftWin dowsOOBE |
DisablePrivacyE xperience |
0 |
Enable Automatic Logon
Registry Key | Value | Data |
---|---|---|
SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon |
AutoAdminLogon |
1 |
|
DefaultUserName |
|
|
DefaultDomainNa me |
|
|
DefaultPassword |
|
Disable and Clear Windows Event Logs
Registry Key | Value | Data |
---|---|---|
HKLMSOFTWAREMicrosoftWindows CurrentVersionWINEVTChannels * |
Enabled |
0 |
HKLMSOFTWAREMicrosoftWindows CurrentVersionWINEVTChannels * ChannelAccess |
ChannelAccess |
AO:BAG:SYD:(A;;0x1;; ;SY)(A;;0x5;;;BA)(A; ;0x1;;;LA) |
Ransom Locations
LockBit 3.0 File Path Locations |
---|
ADMIN$Temp.exe |
%SystemRoot%Temp.exe |
sysvolscripts.exe (Domain Controller) |
Safe Mode Launch Commands
LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host operating system, the following command is launched to reboot the system to Safe Mode with Networking:
Operating System | Safe Mode with Networking command |
---|---|
Vista and newer |
bcdedit /set {current} safeboot network |
Pre-Vista |
bootcfg /raw /a /safeboot:network /id 1 |
Operating System | Disable Safe mode reboot |
---|---|
Vista and newer |
bcdedit /deletevalue {current} safeboot |
Pre-Vista |
bootcfg /raw /fastdetect /id 1 |
Group Policy Artifacts
The following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0 infection:
NetworkShares.xml |
---|
<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" |
Services.xml stops and disables services on the Active Directory (AD) hosts.
Services.xml |
---|
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
|
Registry.pol
The following registry configuration changes values for the Group Policy refresh time, disable SmartScreen, and disable Windows Defender.
Registry Key | Registry Value | Value type | Data |
---|---|---|---|
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh TimeDC |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh TimeOffsetDC |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh Time |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
GroupPolicyRefresh TimeOffset |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
EnableSmartScreen |
REG_D WORD |
0 |
HKLMSOFTWAREPoliciesMicrosoftWindow sSystem |
**del.ShellSmartSc reenLevel |
REG_S Z |
|
HKLMSOFTWAREPoliciesMicrosoftWindow s Defender |
DisableAntiSpyware |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s Defender |
DisableRoutinelyTa kingAction |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderReal-Time Protection |
DisableRealtimeMon itoring |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderReal-Time Protection |
DisableBehaviorMon itoring |
REG_D WORD |
1 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderSpynet |
SubmitSamplesConse nt |
REG_D WORD |
2 |
HKLMSOFTWAREPoliciesMicrosoftWindow s DefenderSpynet |
SpynetReporting |
REG_D WORD |
0 |
HKLMSOFTWAREPoliciesMicrosoftWindow sFirewallDomainProfile |
EnableFirewall |
REG_D WORD |
0 |
HKLMSOFTWAREPoliciesMicrosoftWindow sFirewallStandardProfile |
EnableFirewall |
REG_D WORD |
0 |
Force GPUpdate
Once new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the new group policy changes to all computers on the AD domain.
Force GPUpdate Powershell Command |
---|
powershell Get-ADComputer -filter * -Searchbase ‘%s’ | Foreach-Object { Invoke- GPUpdate -computer $_.name -force -RandomDelayInMinutes 0} |
Services Killed
vss | sql | svc$ |
memtas | mepocs | msexchange |
sophos | veeam | backup |
GxVss | GxBlr | GxFWD |
GxCVD | GxCIMgr |
Processes Killed
sql | oracle | ocssd |
dbsnmp | synctime | agntsvc |
isqlplussvc | xfssvccon | mydesktopservice |
ocautoupds | encsvc | firefox |
tbirdconfig | mydesktopqos | ocomm |
dbeng50 | sqbcoreservice | excel |
infopath | msaccess | mspu |
onenote | outlook | powerpnt |
steam | thebat | thunderbird |
visio | winword | wordpad |
notepad |
LockBit 3.0 Ransom Note
~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
Network Connections
If configured, Lockbit 3.0 will send two HTTP POST requests to one of the C2servers. Information about the victim host and bot are encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.
Example of HTTP POST request POST /?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate, br Content-Type: text/plain User-Agent: Safari/537.36 Host: Connection: Keep-Alive LIWy=RJ51lB5GM&a4OuN=&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI& 6SF3g=JPDt9lfJIQ&wQadZP= Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR& m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl Example of information found in encrypted data { "bot_version":"X", "bot_id":"X", "bot_company":"X", "host_hostname":"X", "host_user":"X", "host_os":"X", "host_domain":"X", "host_arch":"X", "host_lang":"X", "disks_info":[ { "disk_name":"X", "disk_size":"XXXX", "free_size":"XXXXX" } |
User Agent Strings
Mozilla/5.0 (Windows NT 6.1) |
AppleWebKit/587.38 (KHTML, like Gecko) |
Chrome/91.0.4472.77 |
Safari/537.36 | Edge/91.0.864.37 | Firefox/89.0 |
Gecko/20100101 |
MITRE ATT&CK TECHNIQUES
See Table 3 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.
Initial Access | ||
---|---|---|
Technique Title | ID | Use |
Valid Accounts | T1078 | LockBit 3.0 actors obtain and abuse credentials of existing accounts as a means of gaining initial access. |
Exploit External Remote Services | T1133 | LockBit 3.0 actors exploit RDP to gain access to victim networks. |
Drive-by Compromise | T1189 | LockBit 3.0 actors gain access to a system through a user visiting a website over the normal course of browsing. |
Exploit Public-Facing Application | T1190 | LockBit 3.0 actors exploit vulnerabilities in internet-facing systems to gain access to victims’ systems. |
Phishing | T1566 | LockBit 3.0 actors use phishing and spearphishing to gain access to victims’ networks. |
Execution | ||
Technique Title | ID | Use |
Execution | TA0002 | LockBit 3.0 launches commands during its execution. |
Software Deployment Tools | T1072 | LockBit 3.0 uses Chocolatey, a command- line package manager for Windows. |
Persistence | ||
Technique Title | ID | Use |
Valid Accounts | T1078 | LockBit 3.0 uses a compromised user account to maintain persistence on the target network. |
Boot or Logo Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for persistence. |
Privilege Escalation | ||
Technique Title | ID | Use |
Privilege Escalation | TA0004 | Lockbit 3.0 will attempt to escalate to the required privileges if current account privileges are insufficient. |
Boot or Logo Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for privilege escalation. |
Defense Evasion | ||
Technique Title | ID | Use |
Obfuscated Files or Information | T1027 | LockBit 3.0 will send encrypted host and bot information to its C2 servers. |
Indicator Removal: File Deletion | T1070.004 | LockBit 3.0 will delete itself from the disk. |
Execution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered. |
Credential Access | ||
Technique Title | ID | Use |
OS Credential Dumping: LSASS Memory | T1003.001 | LockBit 3.0 uses Microsoft Sysinternals ProDump to dump the contents of LSASS.exe. |
Discovery | ||
Technique Title | ID | Use |
Network Service Discovery | T1046 | LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks. |
System Information Discovery | T1082 | LockBit 3.0 will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. |
System Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 will not infect machines with language settings that match a defined exclusion list. |
Lateral Movement | ||
Technique Title | ID | Use |
Remote Services: Remote Desktop Protocol | T1021.001 | LockBit 3.0 uses Splashtop remote- desktop software to facilitate lateral movement. |
Command and Control | ||
Technique Title | ID | Use |
Application Layer Protocol: File Transfer Protocols | T1071.002 | LockBit 3.0 uses FileZilla for C2. |
Protocol Tunnel | T1572 | LockBit 3.0 uses Plink to automate SSH actions on Windows. |
Exfiltration | ||
Technique Title | ID | Use |
Exfiltration | TA0010 | LockBit 3.0 uses Stealbit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network. |
Exfiltration Over Web Service | T1567 | LockBit 3.0 uses publicly available file sharing services to exfiltrate a target’s data. |
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | LockBit 3.0 actors use (1) rclone, an open source command line cloud storage manager to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration. |
Impact | ||
Technique Title | ID | Use |
Data Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin. |
Data Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources. |
Service Stop | T1489 | LockBit 3.0 terminates processes and services. |
Inhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies residing on disk. |
Defacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively. |
MITIGATIONS
The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4]
- Store passwords in hashed format using industry-recognized password managers
- Add password user “salts” to shared login credentials
- Avoid reusing passwords
- Implement multiple failed login attempt account lockouts [CPG 1.1]
- Disable password “hints”
- Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software
- Require phishing-resistant multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
- Segment networks [CPG 8.1] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 5.1]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
- Disable unused ports.
- Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
- Disable hyperlinks in received emails.
- Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Table 3).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
- Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
- Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
REPORTING
The FBI is seeking any information that can be legally shared, including:
- Boundary logs showing communication to and from foreign IP addresses
- Sample ransom note
- Communications with LockBit 3.0 actors
- Bitcoin wallet information
- Decryptor files
- Benign sample of an encrypted file
The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.
Infocon: green
IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th)
In the last couple of weeks, I’ve noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS) – an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception. In fact, it seems to have been used to host phishing pages since at least the beginning of 2022[1].
Microsoft March 2023 Patch Tuesday, (Tue, Mar 14th)
Celebrate Amazon S3’s 17th birthday at AWS Pi Day 2023
AWS Pi Day 2023 is live today starting at 13:00 PDT; join us on the AWS on Air channel on Twitch.
On this day 17 years ago, we launched a very simple object storage service. It allowed developers to create, list, and delete private storage spaces (known as buckets), upload and download files, and manage their access permissions. The service was available only through a REST and SOAP API. It was designed to provide highly durable data storage with 99.999999999 percent data durability (that’s 11 nines!).
Fast forward to 2023, Amazon Simple Storage Service (Amazon S3) holds more than 280 trillion objects and averages over 100 million requests per second. To protect data integrity, Amazon S3 performs over four billion checksum computations per second. Over the years, we added many capabilities, such as a range of storage classes, to store your colder data cost effectively. Every day, you restore on average more than 1 petabyte from the S3 Glacier Flexible Retrieval and S3 Glacier Deep Archive storage classes. Since launch, you have saved $1 billion from using Amazon S3 Intelligent-Tiering. In 2015, we added the possibility of replicating your data across Regions. Every week, Amazon S3 Replication moves more than 100 petabytes of data. Amazon S3 is also at the core of hundreds of thousands of data lakes. It also has become a critical component of a growing ecosystem of serverless applications. Every day, Amazon S3 sends over 125 billion event notifications to serverless applications. Altogether, Amazon S3 is helping people around the world securely store and extract value from their data.
To celebrate Amazon S3‘s birthday AWS is hosting the AWS Pi Day event for the third consecutive year. This live online event starts at 13:00 PDT today (March 14, 2023) on the AWS On Air channel on Twitch and will feature four hours of fresh educational content from AWS experts. We will discuss not only Amazon S3 best practices, we will also dive into the latest innovations across AWS data services, from storage to analytics and AI/ML. Tune in to learn how to get the most out of your data by making it more secure, available, accessible, and connected, and to help you respond to rapid growth and changing demand. You will also learn how to optimize your data costs, automate your cost savings, eliminate operational complexity, and get new insights from your data. Have a look at the full agenda on the registration page.
At AWS, we innovate on your behalf. During the last few weeks, we announced a 99.99 percent SLA for Amazon MemoryDB for Redis, enhanced I/O multiplexing for Amazon ElastiCache for Redis, and encryption by default for new objects on Amazon S3.
But we are not stopping there, and today we take the occasion of this celebration to announce seven new capabilities across our data services.
Mountpoint for Amazon S3 (alpha release): an open-source file client for Amazon S3
Mountpoint for Amazon S3 is an open-source file client for Amazon S3 that you can install on your compute instance. It translates local file storage API calls to REST API calls on objects in Amazon S3. When using Mountpoint for Amazon S3, data lake applications that access objects using file APIs can achieve high single-instance transfer rates, saving on compute costs.
You can get started with Mountpoint for Amazon S3 by mounting an Amazon S3 bucket at a local mount point on your compute instance. Once mounted, applications read objects as files available locally. Mountpoint for Amazon S3 supports sequential and random read operations on existing S3 objects. It is available to download for Linux operating systems as an alpha release and is not yet intended for production workloads. Instead, we want to collect your feedback early and incorporate your input into the design and implementation. To get started, visit the Mountpoint for Amazon S3 GitHub repo, read the technical launch blog, and share your feedback.
Now Generally Available: AWS Data Exchange for Amazon S3
AWS Data Exchange for Amazon S3 enables you to easily find, subscribe to, and use third-party data files for faster time to insight, storage cost optimization, simplified data licensing management, and more. Data Exchange subscribers can directly use files from data providers’ Amazon S3 buckets for their analysis with AWS services without needing to create or manage copies to their account. Data providers can license in-place access to data hosted in their Amazon S3 buckets.
To learn more about how data providers can simplify and scale access management to multiple data subscribers, you can read this blog.
Amazon S3 Multi-Region Access Points now support replicated datasets that span multiple AWS accounts
We launched Amazon S3 Multi-Region Access Points in September 2021. We added failover control in November 2022. Amazon S3 Multi-Region Access Points now support datasets that are replicated across multiple AWS accounts. Cross-account Multi-Region Access Points simplify object storage access for applications that span both AWS Regions and accounts, avoiding the need for complex request routing logic in your application. They provide a single global endpoint for your multi-Region applications and dynamically route S3 requests based on policies that you define. This helps you to easily implement multi-Region resilience, latency-based routing, and active/passive failover, even when your data is stored in multiple AWS accounts.
You can learn more about S3 Multi-Region Access Points on the Amazon S3 FAQs.
Aliases for S3 Object Lambda Access Points as CloudFront origin
Amazon S3 Object Lambda, launched in March 2021, lets you add your own code to S3 GET, HEAD, and LIST API requests to modify data as it is returned to an application. With today’s launch of aliases for S3 Object Lambda Access Points any application that requires an S3 bucket name can easily present different views of data depending on the requester. You can now use an S3 Object Lambda Access Point alias as an origin for your Amazon CloudFront distribution to modify the data requested. For example, you can dynamically transform an image depending on the device that a user is visiting from, such as a desktop or a smartphone.
If you want to learn more, my colleague Danilo wrote a blog post with more details and code examples.
Simplify private connectivity from on-premises networks
Amazon Virtual Private Cloud (Amazon VPC) interface endpoints for Amazon S3 now offer private DNS options that can help you more easily route Amazon S3 requests to the lowest-cost endpoint in your VPC. With private DNS for Amazon S3, your on-premises applications can use AWS PrivateLink to access Amazon S3 over an interface endpoint, while requests from your in-VPC applications access Amazon S3 using gateway endpoints. Routing requests like this helps you take advantage of the lowest-cost private network path without having to make code or configuration changes to your clients.
You can learn more on the AWS PrivateLink for Amazon S3 documentation.
Local Amazon S3 Replication on Outposts
Amazon S3 on Outposts now supports S3 replication on Outposts. This extends S3’s fully managed approach to replication to S3 on Outposts buckets. It helps you meet your data residency and data redundancy requirements. With local S3 Replication on Outposts, you can create and configure replication rules to automatically replicate your S3 objects to another Outpost or to another bucket on the same Outpost. During replication, your S3 on Outposts objects are always sent over your local gateway, and objects do not travel back to the AWS Region. S3 Replication on Outposts provides an easy and flexible way to automatically replicate data within a specific data perimeter to address your data redundancy and compliance requirements.
Amazon OpenSearch Security Analytics
The new Amazon OpenSearch Service’s security analytics capability enables your Security Operations (SecOps) teams to detect potential threats quickly while having the tools to help with security investigations on historical data—all with lower data storage costs. Like many other advanced capabilities of Amazon OpenSearch Service, there is no additional charge for security analytics.
You can learn more about Amazon OpenSearch security analytics by reading this blog post.
Join Us Online Today
You will learn more about these launches and about AWS data services in general. We have also prepared some live demos. We designed the AWS Pi Day event for system administrators, engineers, developers, and architects. Our sessions will bring you the latest and greatest information on storage, security, backup, archiving, training and certification, and more.
And to dive deeper, get Pi Day started early by attending AWS Innovate: Data and AI/ML Edition to learn about cutting-edge machine learning tools, strategies for building future-proof applications, and making data-driven decisions for your organization. Don’t miss Swami Sivasubramanian‘s keynote, starting at 9:00 PDT.
Join us today on the AWS Pi Day live stream. Kevin Miller, VP and GM of Amazon S3, will kick off the event with a keynote at 13:00 PDT.
See you there!