Tweet VMware Skyline releases new Proactive Findings every month. Findings are prioritized by trending issues in VMware Support, issues raised through post escalation review, security vulnerabilities, and issues raised from VMware engineering, and customers. For the month of April, we released 21 new Findings. Of these, there are 18 Findings based on trending issues, 1 … Continued
The post Skyline Advisor Pro Proactive Findings – April Edition appeared first on VMware Support Insider.
Original release date: April 27, 2022
This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.
The cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.
Click here for a PDF version of this report.
Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.
To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.
Table 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:
Three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020: CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.
Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021
|
CVE |
Vulnerability Name |
Vendor and Product |
Type |
|
Log4Shell |
Apache Log4j |
Remote code execution (RCE) |
|
|
|
Zoho ManageEngine AD SelfService Plus |
RCE |
|
|
ProxyShell |
Microsoft Exchange Server |
Elevation of privilege |
|
|
ProxyShell |
Microsoft Exchange Server |
RCE |
|
|
ProxyShell |
Microsoft Exchange Server |
Security feature bypass |
|
|
ProxyLogon |
Microsoft Exchange Server |
RCE |
|
|
ProxyLogon |
Microsoft Exchange Server |
RCE |
|
|
ProxyLogon |
Microsoft Exchange Server |
RCE |
|
|
ProxyLogon |
Microsoft Exchange Server |
RCE |
|
|
|
|
Atlassian Confluence Server and Data Center |
Arbitrary code execution |
|
|
VMware vSphere Client |
RCE |
|
|
ZeroLogon |
Microsoft Netlogon Remote Protocol (MS-NRPC) |
Elevation of privilege |
|
|
|
Microsoft Exchange Server |
RCE |
|
|
|
Pulse Secure Pulse Connect Secure |
Arbitrary file reading |
|
|
|
Fortinet FortiOS and FortiProxy |
Path traversal |
In addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021.
These vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. Three of these vulnerabilities were also routinely exploited in 2020: CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.
Table 2: Additional Routinely Exploited Vulnerabilities in 2021
|
CVE |
Vendor and Product |
Type |
|
Sitecore XP |
RCE |
|
|
ForgeRock OpenAM server |
RCE |
|
|
Accellion FTA |
OS command execution |
|
|
Accellion FTA |
Server-side request forgery |
|
|
Accellion FTA |
OS command execution |
|
|
Accellion FTA |
SQL injection |
|
|
VMware vCenter Server |
RCE |
|
|
SonicWall Secure Mobile Access (SMA) |
RCE |
|
|
Microsoft MSHTML |
RCE |
|
|
Microsoft Windows Print Spooler |
RCE |
|
|
Sudo |
Privilege escalation |
|
|
Checkbox Survey |
Remote arbitrary code execution |
|
|
Pulse Secure Pulse Connect Secure |
Remote arbitrary code execution |
|
|
SonicWall SSLVPN SMA100 |
Improper SQL command neutralization, allowing for credential access |
|
|
Windows Print Spooler |
RCE |
|
|
QNAP QTS and QuTS hero |
Remote arbitrary code execution |
|
|
Citrix Application Delivery Controller (ADC) and Gateway |
Arbitrary code execution |
|
|
Progress Telerik UI for ASP.NET AJAX |
Code execution |
|
|
Cisco IOS Software and IOS XE Software |
Remote arbitrary code execution |
|
|
Microsoft Office |
RCE |
|
|
Microsoft Office |
RCE |
Note: see CISA Capacity Enhancement Guide – Implementing Strong Authentication and ACSC guidance on Implementing Multi-Factor Authentication for more information on hardening authentication systems.
The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
[1] CISA’s Apache Log4j Vulnerability Guidance
U.S. organizations: all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca. New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654. United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: April 20, 2022
Actions critical infrastructure organizations should implement to immediately protect against Russian state-sponsored and criminal cyber threats:
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Enforce multifactor authentication.
• Secure and monitor Remote Desktop Protocol and other risky services.
• Provide end-user awareness and training.
The cybersecurity authorities of the United States[1][2][3], Australia[4], Canada[5], New Zealand[6], and the United Kingdom[7][8] are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.
Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.
Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people. Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.
This advisory updates joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, which provides an overview of Russian state-sponsored cyber operations and commonly observed tactics, techniques, and procedures (TTPs). This CSA—coauthored by U.S., Australian, Canadian, New Zealand, and UK cyber authorities with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC)—provides an overview of Russian state-sponsored advanced persistent threat (APT) groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity. Refer to the Mitigations section of this advisory for recommended hardening actions.
For more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the heightened cyber threat to critical infrastructure organizations, see the following resources:
Click here for a PDF version of this report.
Russian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and operational technology (OT) networks; and disrupt critical industrial control systems (ICS)/OT functions by deploying destructive malware.
Historical operations have included deployment of destructive malware—including BlackEnergy and NotPetya—against Ukrainian government and critical infrastructure organizations. Recent Russian state-sponsored cyber operations have included DDoS attacks against Ukrainian organizations. Note: for more information on Russian state-sponsored cyber activity, including known TTPs, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.
Cyber threat actors from the following Russian government and military organizations have conducted malicious cyber operations against IT and/or OT networks:
Overview: FSB, the KGB’s successor agency, has conducted malicious cyber operations targeting the Energy Sector, including UK and U.S. energy companies, U.S. aviation organizations, U.S. government and military personnel, private organizations, cybersecurity companies, and journalists. FSB has been known to task criminal hackers for espionage-focused cyber activity; these same hackers have separately been responsible for disruptive ransomware and phishing campaigns.
Industry reporting identifies three intrusion sets associated with the FSB, but the U.S. and UK governments have only formally attributed one of these sets—known as BERSERK BEAR—to FSB.
The U.S. and UK governments assess that this APT group is almost certainly FSB’s Center 16, or Military Unit 71330, and that FSB’s Center 16 has conducted cyber operations against critical IT systems and infrastructure in Europe, the Americas, and Asia.
Resources: for more information on BERSERK BEAR, see the MITRE ATT&CK® webpage on Dragonfly.
High-Profile Activity: in 2017, FSB employees, including one employee in the FSB Center for Information Security (also known as Unit 64829 and Center 18), were indicted by the U.S. Department of Justice (DOJ) for accessing email accounts of U.S. government and military personnel, private organizations, and cybersecurity companies, as well as email accounts of journalists critical of the Russian government.[9] More recently, in 2021, FSB Center 16 officers were indicted by the U.S. DOJ for their involvement in a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data. One of the victims was a U.S. nuclear power plant.[10]
Resources: for more information on FSB, see:
Overview: SVR has operated an APT group since at least 2008 that has targeted multiple critical infrastructure organizations. SVR cyber threat actors have used a range of initial exploitation techniques that vary in sophistication coupled with stealthy intrusion tradecraft within compromised networks. SVR cyber actors’ novel tooling and techniques include:
High-Profile Activity: the U.S. Government, the Government of Canada, and the UK Government assess that SVR cyber threat actors were responsible for the SolarWinds Orion supply chain compromise and the associated campaign that affected U.S. government agencies, critical infrastructure entities, and private sector organizations.[12][13][14]
Also known as: APT29, COZY BEAR, CozyDuke, Dark Halo, The Dukes, NOBELIUM, and NobleBaron, StellarParticle, UNC2452, YTTRIUM [15]
Resources: for more information on SVR, see:
For more information on the SolarWinds Orion supply chain compromise, see:
Overview: GTsSS, or Unit 26165, is an APT group that has operated since at least 2004 and primarily targets government organizations, travel and hospitality entities, research institutions, and non-governmental organizations, in addition to other critical infrastructure organizations.
According to industry reporting, GTsSS cyber actors frequently collect credentials to gain initial access to target organizations. GTsSS actors have collected victim credentials by sending spearphishing emails that appear to be legitimate security alerts from the victim’s email provider and include hyperlinks leading to spoofed popular webmail services’ logon pages. GTsSS actors have also registered domains to conduct credential harvesting operations. These domains mimic popular international social media platforms and masquerade as tourism- and sports-related entities and music and video streaming services.
High-Profile Activity: the U.S. Government assesses that GTsSS cyber actors have deployed Drovorub malware against victim devices as part of their cyber espionage operations.[16] The U.S. Government and UK Government assess that GTsSS actors used a Kubernetes® cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.[17]
Also known as: APT28, FANCY BEAR, Group 74, IRON TWILIGHT, PawnStorm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, and Tsar Team [18]
Resources: for more information on GTsSS, see the MITRE ATT&CK webpage on APT28.
Overview: GTsST, or Unit 74455, is an APT group that has operated since at least 2009 and has targeted a variety of critical infrastructure organizations, including those in the Energy, Transportation Systems, and Financial Services Sectors. According to industry reporting, GTsST also has an extensive history of conducting cyber espionage as well as destructive and disruptive operations against NATO member states, Western government and military organizations, and critical infrastructure-related organizations, including in the Energy Sector.
The primary distinguishing characteristic of the group is its operations use techniques aimed at causing disruptive or destructive effects at targeted organizations using DDoS attacks or wiper malware. The group’s destructive operations have also leveraged wiper malware that mimics ransomware or hacktivism and can result in collateral effects to organizations beyond the primary intended targets. Some of their disruptive operations have shown disregard or ignorance of potential secondary or tertiary effects.
High-Profile Activity: the malicious activity below has been previously attributed to GTsST by the U.S. Government and the UK Government.[19][20]
The U.S. Government, the Government of Canada, and UK Government have also attributed the October 2019 large-scale, disruptive cyber operations against a range of Georgian web hosting providers to GTsST. This activity resulted in websites—including sites belonging to the Georgian government, courts, non-government organizations (NGOs), media, and businesses—being defaced and interrupted the service of several national broadcasters.[21]22][23]
Also known as: ELECTRUM, IRON VIKING, Quedagh, the Sandworm Team, Telebots, VOODOO BEAR [24]
Resources: for more information on GTsST, see the MITRE ATT&CK webpage on Sandworm Team.
Overview: TsNIIKhM, as described on their webpage, is a research organization under Russia’s Ministry of Defense (MOD). Actors associated with TsNIIKhM have developed destructive ICS malware.
High-Profile Activity: TsNIIKhM has been sanctioned by the U.S. Department of the Treasury for connections to the destructive Triton malware (also called HatMan and TRISIS); TsNIIKhM has been sanctioned by the UK Foreign, Commonwealth, and Development Office (FCDO) for a 2017 incident that involved safety override controls (with Triton malware) in a foreign oil refinery.[25][26] In 2021, the U.S. DOJ indicted a TsNIIKhM Applied Development Center (ADC) employee for conducting computer intrusions against U.S. Energy Sector organizations. The indicted employee also accessed the systems of a foreign oil refinery and deployed Triton malware.[27] Triton is a custom-built malware designed to manipulate safety instrumented systems within ICS controllers, disabling the safety alarms that prevent dangerous conditions.
Also known as: Temp.Veles, XENOTIME [28]
Resources: for more information on TsNIIKhM, see the MITRE ATT&CK webpage on TEMP.Veles. For more information on Triton, see:
In addition to the APT groups identified in the Russian State-Sponsored Cyber Operations section, industry reporting identifies two intrusion sets—PRIMITIVE BEAR and VENOMOUS BEAR—as state-sponsored APT groups, but U.S., Australian, Canadian, New Zealand, and UK cyber authorities have not attributed these groups to the Russian government.
Resources: for more information on PRIMITIVE BEAR, see the MITRE ATT&CK webpage on the Gamaredon Group.
Resources: for more information on VENOMOUS BEAR, see the MITRE ATT&CK webpage on Turla.
Cybercrime groups are typically financially motivated cyber actors that seek to exploit human or security vulnerabilities to enable direct theft of money (e.g., by obtaining bank login information) or by extorting money from victims. These groups pose consistent threats to critical infrastructure organizations globally.
Since Russia’s invasion of Ukraine in February 2022, some cybercrime groups have independently publicly pledged support for the Russian government or the Russian people and/or threatened to conduct cyber operations to retaliate against perceived attacks against Russia or materiel support for Ukraine. These Russian-aligned cybercrime groups likely pose a threat to critical infrastructure organizations primarily through:
Based on industry and open-source reporting, U.S., Australian, Canadian, New Zealand, and UK cyber authorities assess multiple Russian-aligned cybercrime groups pose a threat to critical infrastructure organizations. These groups include:
Note: although some cybercrime groups may conduct cyber operations in support of the Russian government, U.S., Australian, Canadian, New Zealand, and UK cyber authorities assess that cyber criminals will most likely continue to operate primarily based on financial motivations, which may include targeting government and critical infrastructure organizations.
Overview: the CoomingProject is a criminal group that extorts money from victims by exposing or threatening to expose leaked data. Their data leak site was launched in August 2021.[31] The CoomingProject stated they would support the Russian Government in response to perceived cyberattacks against Russia.[32]
Overview: according to open-source reporting, Killnet released a video pledging support to Russia.[33]
Victims: Killnet claimed credit for carrying out a DDoS attack against a U.S. airport in March 2022 in response to U.S. materiel support for Ukraine.[34]
Overview: MUMMY SPIDER is a cybercrime group that creates, distributes, and operates the Emotet botnet. Emotet is advanced, modular malware that originated as a banking trojan (malware designed to steal information from banking systems but that may also be used to drop additional malware and ransomware). Today Emotet primarily functions as a downloader and distribution service for other cybercrime groups. Emotet has been used to deploy WIZARD SPIDER’s TrickBot, which is often a precursor to ransomware delivery. Emotet has worm-like features that enable rapid spreading in an infected network.
Victims: according to open sources, Emotet has been used to target industries worldwide, including financial, e-commerce, healthcare, academia, government, and technology organizations’ networks.
Also known as: Gold Crestwood, TA542, TEMP.Mixmaster, UNC3443
Resources: for more information on Emotet, see joint Alert Emotet Malware. For more information on TrickBot, see joint CSA TrickBot Malware.
Overview: SALTY SPIDER is a cybercrime group that develops and operates the Sality botnet. Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.[35]
Victims: according to industry reporting, in February 2022, SALTY SPIDER conducted DDoS attacks against Ukrainian web forums used to discuss events relating to Russia’s military offensive against the city of Kharkiv.
Also known as: Sality
Overview: SCULLY SPIDER is a cybercrime group that operates using a malware-as-a-service model; SCULLY SPIDER maintains command and control infrastructure and sells access to their malware and infrastructure to affiliates, who distribute their own malware.[36][37] SCULLY SPIDER develops and operates the DanaBot botnet, which originated primarily as a banking Trojan but expanded beyond banking in 2021 and has since been used to facilitate access for other types of malware, including TrickBot, DoppelDridex, and Zloader. Like Emotet, Danabot effectively functions as an initial access vector for other malware, which can result in ransomware deployment.
According to industry reporting, recent DDoS activity by the DanaBot botnet suggests SCULLY SPIDER has operated in support of Russia’s military offensive in Ukraine.
Victims: SCULLY SPIDER affiliates have primarily targeted organizations in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.[38] According to industry reporting, in March 2022, Danabot was used in DDoS attacks against multiple Ukrainian government organizations.
Also known as: Gold Opera
Overview: SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a malicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and operates as a malware distribution service for a number of different payloads, including—but not limited to—DanaBot, TrickBot, and Qakbot.
Victims: according to industry reporting, Smoke Loader was observed in March 2022 distributing DanaBot payloads that were subsequently used in DDoS attacks against Ukrainian targets.
Resources: for more information on Smoke Loader, see the MITRE ATT&CK webpage on Smoke Loader.
Overview: WIZARD SPIDER is a cybercrime group that develops TrickBot malware and Conti ransomware. Historically, the group has paid a wage to the ransomware deployers (referred to as affiliates), some of whom may then receive a share of the proceeds from a successful ransomware attack. In addition to TrickBot, notable initial access and persistence vectors for affiliated actors include Emotet, Cobalt Strike, spearphishing, and stolen or weak Remote Desktop Protocol (RDP) credentials.
After obtaining access, WIZARD SPIDER affiliated actors have relied on various publicly available and otherwise legitimate tools to facilitate earlier stages of the attack lifecycle before deploying Conti ransomware.
WIZARD SPIDER pledged support to the Russian government and threatened critical infrastructure organizations of countries perceived to carry out cyberattacks or war against the Russian government.[39] They later revised this pledge and threatened to retaliate against perceived attacks against the Russian people.[40]
Victims: Conti victim organizations span across multiple industries, including construction and engineering, legal and professional services, manufacturing, and retail. In addition, WIZARD SPIDER affiliates have deployed Conti ransomware against U.S. healthcare and first responder networks.
Also known as: UNC2727, Gold Ulrick
Resources: for more information on Conti, see joint CSA Conti Ransomware. For more information on TrickBot, see joint CSA TrickBot Malware.
Overview: XakNet is a Russian-language cyber group that has been active as early as March 2022. According to open-source reporting, the XakNet Team threatened to target Ukrainian organizations in response to perceived DDoS or other attacks against Russia.[41] According to reporting from industry, on March 31, 2022, XakNet released a statement stating they would work “exclusively for the good of [Russia].” According to industry reporting, the XakNet Team may be working with or associated with Killnet actors, who claimed credit for the DDoS attacks against a U.S. airport (see the Killnet section).
Victims: according to industry reporting, in late March 2022, the XakNet Team leaked email contents of a Ukrainian government official. The leak was accompanied by a political statement criticizing the Ukrainian government, suggesting the leak was politically motivated.
U.S., Australian, Canadian, New Zealand, and UK cyber authorities urge critical infrastructure organizations to prepare for and mitigate potential cyber threats by immediately (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, and (4) providing end-user awareness and training.
As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks.
To further prepare for and mitigate cyber threats from Russian state-sponsored or criminal actors, U.S., Australian, Canadian, New Zealand, and UK cyber authorities encourage critical infrastructure organizations to implement the recommendations listed below.
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge network defenders of critical infrastructure organizations to exercise due diligence in identifying indicators of malicious activity. Organizations detecting potential APT or ransomware activity in their IT or OT networks should:
For additional guidance on responding to a ransomware incident, see the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or investigating a network, and for common mistakes in incident handling.
Additionally, CISA, the FBI, and NSA encourage U.S. critical infrastructure owners and operators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response.
Note: U.S., Australian, Canadian, New Zealand, and UK cyber authorities strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom does not guarantee that a victim’s files will be recovered.
The information you have accessed or received is being provided “as is” for informational purposes only. CISA, NSA, FBI, ACSC, CCCS, NZ NCSC, NCSC-UK, and the UK National Crime Agency (NCA) do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
MITRE and ATT&CK are registered trademarks of The MITRE Corporation. Kubernetes is a registered trademark of The Linux Foundation.
This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
[1] Cybersecurity and Infrastructure Security Agency
[2] Federal Bureau of Investigation
[3] National Security Agency
[4] Australian Cyber Security Centre
[5] Canadian Centre for Cyber Security
[6] New Zealand’s National Cyber Security Centre
[7] United Kingdom’s National Cyber Security Centre
[8] United Kingdom’s National Crime Agency
[9] U.S. DOJ Press Release: U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts
[10] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide
[11] CrowdStrike Blog: Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
[12] U.S. White House Statement: FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian
[13] Government of Canada Statement on SolarWinds Cyber Compromise
[14] UK Government Press Release: Russia: UK and US expose global campaign of malign activity by Russian intelligence services
[15] MITRE ATT&CK: APT29
[16] Joint CSA Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
[17] Joint CSA Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
[18] MITRE ATT&CK APT28
[19] Joint CSA New Sandworm Malware Cyclops Blink Replaces VPNFilter
[20] UK Government Press Release: UK condemns Russia’s GRU over Georgia cyber-attacks
[21] U.S. Department of State, Press Statement: The United States Condemns Russian Cyber Attack Against the Country of Georgia
[22] Government of Canada CSE Statement on Malicious Russian Cyber Activity Targeting Georgia
[23] UK Government Press Release: UK condemns Russia’s GRU over Georgia cyber-attacks
[24] MITRE ATT&CK The Sandworm Team
[25] U.S. Department of the Treasury Press Release: Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
[26] UK Government Press Release: UK exposes Russian spy agency behind cyber incident
[27] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide
[28] MITRE ATT&CK TEMP.Veles
[29] NSA and NCSC-UK Cybersecurity Advisory Turla Group Exploits Iranian APT To Expand Coverage Of Victims
[30] CrowdStrike Adversary Profile: VENEMOUS BEAR
[31] KELA Cybersecurity Intelligence Center: Ain’t No Actor Trustworthy Enough: The importance of validating sources
[32] Twitter: Valery Marchive Status, Feb. 25, 2022 1:41 PM
[33] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides
[34] Twitter: CyberKnow Status, March 29, 2022, 7:54 AM
[35] CrowdStrike Blog: Who is Salty Spider (Sality)?
[36] Proofpoint Blog: New Year, New Version of DanaBot
[37] Zscaler Blog: Spike in DanaBot Malware Activity
[38] Proofpoint Blog: New Year, New Version of DanaBot
[39] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides
[40] TechTarget: Conti ransomware gang backs Russia, threatens US
[41] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides
The U.S., Australian, Canadian, New Zealand, and UK cyber authorities would like to thank CrowdStrike, Google, LookingGlass Cyber, Mandiant, Microsoft, and Secureworks for their contributions to this CSA.
U.S. organizations: to report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov. Australian organizations: visit cyber.gov.au/acsc/report or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca. New Zealand organizations: report cyber security incidents to ncscincidents@ncsc.govt.nz or call 04 498 7654. United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: April 18, 2022
Actions to take today to mitigate cyber threats to cryptocurrency:
• Patch all systems.
• Prioritize patching known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Use multifactor authentication.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. For more information on North Korean state-sponsored malicious cyber activity, visit https://www.us-cert.cisa.gov/northkorea.
The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.
The U.S. government previously published an advisory about North Korean state-sponsored cyber actors using AppleJeus malware to steal cryptocurrency: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. The U.S. government has also previously published advisories about North Korean state-sponsored cyber actors stealing money from banks using custom malware:
This advisory provides information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to stakeholders in the blockchain technology and cryptocurrency industry to help them identify and mitigate cyber threats against cryptocurrency.
Click here for a PDF version of this report.
The U.S. government has identified a group of North Korean state-sponsored malicious cyber actors using tactics similar to the previously identified Lazarus Group (see AppleJeus: Analysis of North Korea’s Cryptocurrency Malware). The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency. As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.
Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as “TraderTraitor.”
The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications (see figure 1).
Figure 1: Screenshot of CryptAIS website
The JavaScript code providing the core functions of the software is bundled with Webpack. Within the code is a function that purports to be an “update,” with a name such as UpdateCheckSync(), that downloads and executes a malicious payload (see figure 2).
The update function makes an HTTP POST request to a PHP script hosted on the TraderTraitor project’s domain at either the endpoint /update/ or /oath/checkupdate.php. In recent variants, the server’s response is parsed as a JSON document with a key-value pair, where the key is used as an AES 256 encryption key in Cipher Block Chaining (CBC) or Counter (CTR) mode to decrypt the value. The decrypted data is written as a file to the system’s temporary directory, as provided by the os.tmpdir() method of Node.js, and executed using the child_process.exec() method of Node.js, which spawns a shell as a child process of the current Electron application. The text “Update Finished” is then logged to the shell for the user to see.
Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads (see North Korean Remote Access Tool: COPPERHEDGE). Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.
Figure 2: Screenshot depicting the UpdateCheckSync() and supporting functions bundled within 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18 associated with DAFOM
DAFOM
DAFOM purports to be a “cryptocurrency portfolio application.” A Mach-O binary packaged within the Electron application was signed by an Apple digital signature issued for the Apple Developer Team W58CYKFH67. The certificate associated with Apple Developer Team W58CYKFH67 has been revoked. A metadata file packaged in the DAFOM application provided the URL hxxps://github[.]com/dafomdev for bug reports. As of April 2022, this page was unavailable.
dafom[.]dev
Information as of February 2022:
IP Address: 45.14.227[.]58
Registrar: NameCheap, Inc.
Created: February 7, 2022
Expires: February 7, 2023
60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18
Tags: dropper macos
Name: DAFOM-1.0.0.dmg
Size: 87.91 MB (92182575 bytes)
MD5: c2ea5011a91cd59d0396eb4fa8da7d21
SHA-1: b2d9ca7b6d1bbbe4864ea11dfca343b7e15597d8
SHA-256: 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18
ssdeep: 1572864:LGLBnolF9kPEiKOabR2QEs1B1/LuUQrbecE6Xwijkca/pzpfaLtIP:LGVnoT9kPZK9tVEwBxWbecR5Faxzpf0M
TokenAIS
TokenAIS purports to help “build a portfolio of AI-based trading” for cryptocurrencies. Mach-O binaries packaged within the Electron application contained an Apple digital signature issued for the Apple Developer Team RN4BTXA4SA. The certificate associated with Apple Developer Team RN4BTXA4SA has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called UpdateCheckSync() located in a file named update.js, which is bundled in a file called renderer.prod.js, which is in an archive called app.asar. This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CBC mode with the hardcoded initialization vector (IV) !@34QWer%^78TYui and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.
tokenais[.]com
Information as of January 2022:
IP Address: 199.188.103[.]115
Registrar: NameCheap, Inc.
Created: January 27, 2022
Expires: January 27, 2023
5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03
Tags: dropper macos
Name: TokenAIS.app.zip
Size: 118.00 MB (123728267 bytes)
MD5: 930f6f729e5c4d5fb52189338e549e5e
SHA-1: 8e67006585e49f51db96604487138e688df732d3
SHA-256: 5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03
ssdeep: 3145728:aMFJlKVvw4+zLruAsHrmo5Vvw4+zLruAsHrmob0dC/E:aUlKtw4+/r2HNtw4+/r2HnMCM
CryptAIS
CryptAIS uses the same language as TokenAIS to advertise that it “helps build a portfolio of AI-based trading.” It is distributed as an Apple Disk Image (DMG) file that is digitally signed by an Apple digital signature issued for the Apple Developer Team CMHD64V5R8. The certificate associated with Apple Developer Team CMHD64V5R8 has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called UpdateCheckSync() located in a file named update.js, which is bundled in a file called renderer.prod.js, which is in an archive called app.asar. This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CTR mode and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.
cryptais[.]com
Information as of August 2021:
IP Address: 82.102.31.14
Registrar: NameCheap, Inc.
Created: August 2, 2021
Expires: August 2, 2022
f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b
Tags: dropper macos
Name: CryptAIS[.]dmg
Size: 80.36 MB (84259810 bytes)
MD5: 4e5ebbecd22c939f0edf1d16d68e8490
SHA-1: f1606d4d374d7e2ba756bdd4df9b780748f6dc98
SHA-256: f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b
ssdeep: 1572864:jx9QOwiLDCUrJXsKMoGTwiCcKFI8jmrvGqjL2hX6QklBmrZgkZjMz+dPSpR0Xcpk:F9QOTPCUrdsKEw3coIg2Or6XBmrZgkZw
AlticGO
AlticGO was observed packaged as Nullsoft Scriptable Install System (NSIS) Windows executables that extracted an Electron application packaged for Windows. These executables contain a simpler version of TraderTraitor code in a function exported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js, which is in the app.asar archive. The function calls an external function located in a file node_modules/request/index.js bundled in renderer.prod.js to make an HTTP request to hxxps://www.alticgo[.]com/update/. One AlticGO sample, e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad, instead contacts hxxps://www.esilet[.]com/update/ (see below for more information about Esilet). Some image resources bundled with the application included the CreAI Deck logo (see below for more information about CreAI Deck). The response is written to disk and executed in a new shell using the child_process.exec() method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload.
alticgo[.]com
Information as of August 2020:
IP Address: 108.170.55[.]202
Registrar: NetEarth One Inc.
Created: August 8, 2020
Expires: August 8, 2021
765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819
Tags: dropper peexe nsis
Name: AlticGO.exe
Size: 43.54 MB (45656474 bytes)
MD5: 1c7d0ae1c4d2c0b70f75eab856327956
SHA-1: f3263451f8988a9b02268f0fb6893f7c41b906d9
SHA-256: 765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819
ssdeep: 786432:optZmVDkD1mZ1FggTqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yVPUXi7:opzKDginspAU6JXnJ46X+eC6cySihWVX
Compilation timestamp: 2018-12-15 22:26:14 UTC
e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad
Tags: dropper peexe nsis
Name: AlticGO_R.exe
Size: 44.58 MB (46745505 bytes)
MD5: 855b2f4c910602f895ee3c94118e979a
SHA-1: ff17bd5abe9f4939918f27afbe0072c18df6db37
SHA-256: e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad
ssdeep: 786432:LptZmVDkD1mQIiXUBkRbWGtqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yH:LpzKDgzRpWGwpAU6JXnJ46X+eC6cySiI
Compilation timestamp: 2020-02-12 16:15:17 UTC
8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925
Tags: dropper peexe nsis
Name: AlticGO.exe
Size: 44.58 MB (46745644 bytes)
MD5: 9a6307362e3331459d350a201ad66cd9
SHA-1: 3f2c1e60b5fac4cf1013e3e1fc688be490d71a84
SHA-256: 8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925
ssdeep: 786432:AptZmVDkD1mjPNDeuxOTKQqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yV7:ApzKDgqPxeuLpAU6JXnJ46X+eC6cySiG
Compilation timestamp: 2020-02-12 16:15:17 UTC
Esilet
Esilet claims to offer live cryptocurrency prices and price predictions. It contains a simpler version of TraderTraitor code in a function exported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js, which is in the app.asar archive. The function calls an external function located in a file node_modules/request/index.js bundled in renderer.prod.js to make an HTTP request to hxxps://www.esilet[.]com/update/. The response is written to disk and executed in a new shell using the child_process.exec() method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload. Esilet has been observed delivering payloads of at least two different macOS variants of Manuscrypt, 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa and dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156.
Figure 3: Screenshot of the UpdateCheckSync() function in Esilet
esilet[.]com
Information as of June 2020:
IP Address: 104.168.98[.]156
Registrar: NameSilo, LLC
Created: June 12, 2020
Expires: June 12, 2021
greenvideo[.]nl
Likely legitimate but compromised. Information as of April 2022:
IP Address: 62.84.240[.]140
Registrar: Flexwebhosting
Created: February 26, 2018
Expires: Unknown
dafnefonseca[.]com
Likely legitimate but compromised. Information as of June 2020:
IP Address: 151.101.64[.]119
Registrar: PublicDomainRegistry Created: August 27, 2019
Expires: August 27, 2022
haciendadeclarevot[.]com
Likely legitimate but compromised. Information as of June 2020:
IP Address: 185.66.41[.]17
Registrar: cdmon, 10DENCEHISPAHARD, S.L.
Created: March 2, 2005
Expires: March 2, 2023
sche-eg[.]org
Likely legitimate but compromised. Information as of June 2020:
IP Address: 160.153.235[.]20
Registrar: GoDaddy.com, LLC
Created: June 1, 2019
Expires: June 1, 2022
www.vinoymas[.]ch
Likely legitimate but compromised. Information as of June 2020:
IP Address: 46.16.62[.]238
Registrar: cdmon, 10DENCEHISPAHARD, S.L.
Created: January 24, 2010
Expires: Unknown
infodigitalnew[.]com
Likely legitimate but compromised. Information as of June 2020:
IP Address: 107.154.160[.]132
Registrar: PublicDomainRegistry
Created: June 20, 2020
Expires: June 20, 2022
9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598
Tags: dropper macos
Name: Esilet.dmg
Size: 77.90 MB (81688694 bytes) MD5: 53d9af8829a9c7f6f177178885901c01
SHA-1: ae9f4e39c576555faadee136c6c3b2d358ad90b9 SHA-256: 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598
ssdeep: 1572864:lffyoUnp5xmHVUTd+GgNPjFvp4YEbRU7h8cvjmUAm4Du73X0unpXkU:lfqHBmHo+BPj9CYEshLqcuAX0I0
9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa
Tags: trojan macho
Name: Esilet-tmpzpsb3
Size: 510.37 KB (522620 bytes)
MD5: 1ca31319721740ecb79f4b9ee74cd9b0
SHA-1: 41f855b54bf3db621b340b7c59722fb493ba39a5 SHA-256: 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa
ssdeep: 6144:wAulcT94T94T97zDj1I/BkjhkbjZ8bZ87ZMSj71obV/7NobNo7NZTb7hMT5ETZ8I:wDskT1UBg2lirFbpR9mJGpmN C2 Endpoints:
dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156
Tags: trojan macho
Name: Esilet-tmpg7lpp Size: 38.24 KB (39156 bytes)
MD5: 9578c2be6437dcc8517e78a5de1fa975
SHA-1: d2a77c31c3e169bec655068e96cf4e7fc52e77b8
SHA-256: dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156
ssdeep: 384:sdaWs0fDTmKnY4FPk6hTyQUitnI/kmCgr7lUryESll4yg9RpEwrUifJ8ttJOdy:sdayCkY4Fei9mhy/L9RBrny6y
C2 Endpoints:
hxxps://sche-eg[.]org/plugins/top.phphxxps://www.vinoymas[.]ch/wp-content/plugins/top.phphxxps://infodigitalnew[.]com/wp-content/plugins/top.php
CreAI Deck
CreAI Deck claims to be a platform for “artificial intelligence and deep learning.” No droppers for it were identified, but the filenames of the below samples, win32.bin and darwin64.bin, match the naming conventions used by other versions of TraderTraitor when downloading a payload. Both are samples of Manuscrypt that contact hxxps://aideck[.]net/board.php for C2 using HTTP POST requests with multipart/form-data Content-Types.
creaideck[.]com
Information as of March 2020:
IP Address: 38.132.124[.]161
Registrar: NameCheap, Inc.
Created: March 9, 2020
Expires: March 9, 2021
aideck[.]net
Information as of June 2020:
IP Address: 89.45.4[.]151
Registrar: NameCheap, Inc.
Created: June 22, 2020
Expires: June 22, 2021
867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36
Tags: trojan peexe
Name: win32.bin
Size: 2.10 MB (2198684 bytes)
MD5: 5d43baf1c9e9e3a939e5defd8f8fbd8d
SHA-1: d5ff73c043f3bb75dd749636307500b60a436550 SHA-256: 867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36
ssdeep: 24576:y3SY+/2M3BMr7cdgSLBjbr4nzzy95VV7cEXV:ESZ2ESrHSV3D95oA
Compilation timestamp: 2020-06-23 06:06:35 UTC
89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957
Tags: trojan macho
Name: darwin64.bin
Size: 6.44 MB (6757832 bytes)
MD5: 8397ea747d2ab50da4f876a36d673272
SHA-1: 48a6d5141e25b6c63ad8da20b954b56afe589031
SHA-256: 89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957
ssdeep: 49152:KIH1kEh7zIXlDYwVhb26hRKtRwwfs62sRAdNhEJNDvOL3OXl5zpF+FqBNihzTvff:KIH1kEhI1LOJtm2spB
North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets. The U.S. government recommends implementing mitigations to protect critical infrastructure organizations as well as financial sector organizations in the blockchain technology and cryptocurrency industry.
All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
The information in this advisory is provided “as is” for informational purposes only. The FBI, CISA, and Treasury do not provide any warranties of any kind regarding this information or endorse any commercial product or service, including any subjects of analysis.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: April 13, 2022
Actions to Take Today to Protect ICS/SCADA Devices:
• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
• Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices.
Click here for a PDF version of this report.
APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices, including the following:
The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.
The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.
The APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). Modules may allow cyber actors to:
Refer to the appendix for tactics, techniques, and procedures (TTPs) associated with this tool.
The APT actors’ tool for OMRON devices has modules that can interact by:
Additionally, the OMRON modules can upload an agent that allows a cyber actor to connect and initiate commands—such as file manipulation, packet captures, and code execution—via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS).
Refer to the appendix for TTPs associated with this tool.
The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.
Refer to the appendix for TTPs associated with this tool.
Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementing.
DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:
For additional information on securing OT devices, see
The information in this report is being provided “as is” for informational purposes only. DOE, CISA, NSA, and the FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the DOE, CISA, NSA, or the FBI, and this guidance shall not be used for advertising or product endorsement purposes.
The DOE, CISA, NSA, and the FBI would like to thank Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric for their contributions to this joint CSA.
See tables 1 through 3 for TTPs associated with the cyber actors’ tools described in this CSA mapped to the MITRE ATT&CK for ICS framework. See the ATT&CK for ICS framework for all referenced threat actor tactics and techniques.
Table 1: APT Tool for Schneider Electric ICS TTPs
| Tactic | Technique |
|---|---|
| Execution | Command-Line Interface [T0807] |
| Scripting [T0853] | |
| Persistence | Modify Program [T0889] |
| System Firmware [T0857] | |
| Valid Accounts [T0859] | |
| Discovery | Remote System Discovery [T0846] |
| Remote System Information Discovery [T0888] | |
| Lateral Movement | Default Credentials [T0812] |
| Program Download [T0843] | |
| Valid Accounts [T0859] | |
| Collection | |
| Monitor Process State [T0801] | |
| Program Upload [T0845] | |
| Monitor Process State [T0801] | |
| Command and Control | Commonly Used Port [T0885] |
| Standard Application Layer Protocol [T0869] | |
| Inhibit Response Function | Block Reporting Message [T0804] |
| Block Command Message [T0803] | |
| Denial of Service [T0814] | |
| Data Destruction [T0809] | |
| Device Restart/Shutdown [T0816] | |
| System Firmware [T0857] | |
| Impair Process Control | Modify Parameter [T0836] |
| Unauthorized Command Message [T0855] | |
| Impact | Denial of Control [T0813] |
| Denial of View [T0815] | |
| Loss of Availability [T0826] | |
| Loss of Control [T0827] | |
| Loss of Productivity and Revenue [T0828] | |
| Manipulation of Control [T0831] | |
| Theft of Operational Information [T0882] |
Table 2: APT Tool for OMRON ICS TTPs
| Tactic | Technique |
|---|---|
| Initial Access | Remote Services [T0886] |
| Execution | Command-Line Interface [T0807] |
| Scripting [T0853] | |
| Change Operating Mode [T0858] | |
| Modify Controller Tasking [T0821] | |
| Native API [T0834] | |
| Persistence | Modify Program [T0889] |
| Valid Accounts [T0859] | |
| Evasion | Change Operating Mode [T0858] |
| Discovery | Network Sniffing [T0842] |
| Remote System Discovery [T0846] | |
| Remote System Information Discovery [T0888] | |
| Lateral Movement | Default Credentials [T0812] |
| Lateral Tool Transfer [T0867] | |
| Program Download [T0843] | |
| Remote Services [T0886] | |
| Valid Accounts [T0859] | |
| Collection | Detect Operating Mode [T0868] |
| Monitor Process State [T0801] | |
| Program Upload [T0845] | |
| Command and Control | Commonly Used Port [T0885] |
| Standard Application Layer Protocol [T0869] | |
| Inhibit Response Function | Service Stop [T0881] |
| Impair Process Control | Modify Parameter [T0836] |
| Unauthorized Command Message [T0855] | |
| Impact | Damage to Property [T0879] |
| Loss of Safety [T0837] | |
| Manipulation of Control [T0831] | |
| Theft of Operational Information [T0882] |
Table 3: APT Tool for OPC UA ICS TTPs
| Tactic | Technique |
|---|---|
| Execution | Command-Line Interface [T0807] |
| Scripting [T0853] | |
| Persistence | Valid Accounts [T0859] |
| Discovery | Remote System Discovery [T0846] |
| Remote System Information Discovery [T0888] | |
| Lateral Movement | Valid Accounts [T0859] |
| Collection | Monitor Process State [T0801] |
| Point & Tag Identification [T0861] | |
| Command and Control | Commonly Used Port [T0885] |
| Standard Application Layer Protocol [T0869] | |
| Impact | Manipulation of View [T0832] |
| Theft of Operational Information [T0882] |
All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.
This product is provided subject to this Notification and this Privacy & Use policy.