Tweet VMware Skyline Advisor Pro releases new Proactive Findings every month. Findings are prioritized by trending issues in VMware Support, issues raised through post escalation review, security vulnerabilities, and issues raised from VMware engineering, and customers. For the month of June, we released 41 new Findings. Of these, there are 37 Findings based on trending … Continued
The post Skyline Advisor Pro Proactive Findings – June Edition appeared first on VMware Support Insider.
Original release date: June 30, 2022
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize remediating known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.
Download the PDF version of this report: pdf, 633 kb
MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].
MedusaLocker ransomware uses a batch file to execute PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.
MedusaLocker then:
LanmanWorkstation service, which allows registry edits to take effect. svhost.exe or svhostt.exe) to the %APPDATA%Roaming directory and scheduling a task to run the ransomware every 15 minutes. MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email address at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors.
| Encrypted File Extensions | |||
|---|---|---|---|
| .1btc | .matlock20 | .marlock02 | .readinstructions |
| .bec | .mylock | .jpz.nz | .marlock11 |
| .cn | .NET1 | .key1 | .fileslocked |
| .datalock | .NZ | .lock | .lockfilesUS |
| .deadfilesgr | .tyco | .lockdata7 | .rs |
| .faratak | .uslockhh | .lockfiles | .tyco |
| .fileslock | .zoomzoom | .perfection | .uslockhh |
| .marlock13 | n.exe | .Readinstruction | .marlock08 |
| .marlock25 | nt_lock20 | .READINSTRUCTION | |
| .marlock6 | .marlock01 | .ReadInstructions | |
| Ransom Note File Names | |
|---|---|
| how_to_ recover_data.html | how_to_recover_data.html.marlock01 |
| instructions.html | READINSTRUCTION.html |
| !!!HOW_TO_DECRYPT!!! | How_to_recovery.txt |
| readinstructions.html | readme_to_recover_files |
| recovery_instructions.html | HOW_TO_RECOVER_DATA.html |
| recovery_instruction.html | |
| Payment Wallets |
|---|
| 14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc |
| 1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq |
| 18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42 |
| 1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5 |
| 1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP |
| 1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC |
| 184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf |
| 14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev |
| bc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj |
| bc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q |
| bc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm |
| 1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM |
| 1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf |
| 1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw |
| 1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV |
| 1nycdn9ebxht4tpspu4ehpjz9ghxlzipll |
| 12xd6KrWVtgHEJHKPEfXwMVWuFK4k1FCUF |
| 1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED |
| 1PormUgPR72yv2FRKSVY27U4ekWMKobWjg |
| 14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak |
| 1PopeZ4LNLanisswLndAJB1QntTF8hpLsD |
| Email Addresses | |
|---|---|
| willyhill1960@tutanota[.]com | unlockfile@cock[.]li |
| zlo@keem[.]ne | unlockmeplease@airmail[.]cc |
| zlo@keemail[.]me | unlockmeplease@protonmail[.]com |
| zlo@tfwno[.]gf | willyhill1960@protonmail[.]com |
| support@ypsotecs[.]com | support@imfoodst[.]com |
| Email Addresses | |
|---|---|
| traceytevin@protonmail[.]com | support@itwgset[.]com |
| unlock_file@aol[.]com | support@novibmaker[.]com |
| unlock_file@outlook[.]com | support@securycasts[.]com |
| support@exoprints[.]com | rewmiller-1974@protonmail[.]com |
| support@exorints[.]com | rpd@keemail[.]me |
| support@fanbridges[.]com | soterissylla@wyseil[.]com |
| support@faneridges[.]com | support@careersill[.]com |
| perfection@bestkoronavirus[.]com | karloskolorado@tutanota[.]com |
| pool1256@tutanota[.]com | kevynchaz@protonmail[.]com |
| rapid@aaathats3as[.]com | korona@bestkoronavirus[.]com |
| rescuer@tutanota[.]com | lockPerfection@gmail[.]com |
| ithelp01@decorous[.]cyou | lockperfection@gmail[.]com |
| ithelp01@wholeness[.]business | mulierfagus@rdhos[.]com |
| ithelp02@decorous[.]cyou | [rescuer]@cock[.]li |
| ithelp02@wholness[.]business | 107btc@protonmail[.]com |
| ithelpresotre@outlook[.]com | 33btc@protonmail[.]com |
| cmd@jitjat[.]org | 777decoder777@protonmail[.]com |
| coronaviryz@gmail[.]com | 777decoder777@tfwno[.]gf |
| dec_helper@dremno[.]com | andrewmiller-1974@protonmail[.]com |
| dec_helper@excic[.]com | angelomartin-1980@protonmail[.]com |
| dec_restore@prontonmail[.]com | ballioverus@quocor[.]com |
| dec_restore1@outlook[.]com | beacon@jitjat[.]org |
| bitcoin@sitesoutheat[.]com | beacon@msgsafe[.]io |
| briansalgado@protonmail[.]com | best666decoder@tutanota[.]com |
| bugervongir@outlook[.]com | bitcoin@mobtouches[.]com |
| best666decoder@protonmail[.]com | encrypt2020@outlook[.]com |
| decoder83540@cock[.]li | fast-help@inbox[.]lv |
| decra2019@gmail[.]com | fuc_ktheworld1448@outlook[.]com |
| diniaminius@winrof[.]com | fucktheworld1448@cock[.]li |
| dirhelp@keemail[.]me | gartaganisstuffback@gmail[.]com |
| Email Addresses | |
|---|---|
| emaila.elaich@iav.ac[.]ma | gavingonzalez@protonmail[.]com |
| emd@jitjat[.]org | gsupp@onionmail[.]org |
| encrypt2020@cock[.]li | gsupp@techmail[.]info |
| best666decoder@protonmail[.]com | helper@atacdi[.]com |
| ithelp@decorous[.]cyou | helper@buildingwin[.]com |
| ithelp@decorous[.]cyoum | helprestore@outlook[.]com |
| ithelp@wholeness[.]business | helptorestore@outlook[.]com |
| TOR Addresses |
|---|
| http://gvlay6u4g53rxdi5.onion/6-iSm1B1Ehljh8HYuXGym4Xyu1WdwsR2Av-6tXiw1BImsqoLh7pd207Rl6XYoln7sId |
| http://gvlay6u4g53rxdi5.onion/8-grp514hncgblilsjtd32hg6jtbyhlocr5pqjswxfgf2oragnl3pqno6fkqcimqin |
| http://gvlay6y4g53rxdi5.onion/21-8P4ZLCsMETPaLw9MkSlXJsNZWdHe0rxjt-XmBgZLWlm5ULGFCOJFuVdEymmxysofwu |
| http://gvlay6u4g53rxdi5.onion/2l-8P4ZLCsMTPaLw9MkSlXJsNZWdHeOrxjtE9lck1MuXPYo29daQys6gomZZXUImN7Z |
| http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-DcaE9HeHywqSHvdcIwOndCS4PuWASX8g |
| http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-kB4rQXGKyxGiLyw7YDsMKSBjyfdwcyxo |
| http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-bET6JbB9vEMZ7qYBPqUMCxOQExFx4iOi |
| http://gvlay6u4g53rxdi5. onion/8-MO0Q7O97Hgxvm1YbD7OMnimImZJXEWaG-RbH4TvdwVTGQB3X6VOUOP3lgO6YOJEOW |
| http://gvlay6u4g53rxdi5.onion/8-gRp514hncgb1i1sjtD32hG6jTbUh1ocR-Uola2Fo30KTJvZX0otYZgTh5txmKwUNe |
| http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-OWQwD1w1Td7hY7IGUUjxmHMoFSQW6blg |
| http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-uGHwkkWCoUtBbZWN50sSS4Ds8RABkrKy |
| http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-Tj3PRnQlpHc9OftRVDGAWUulvE80yZbc |
| http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-tDQRZCAUe4164X532j9Ky16IBN9StWTH |
| http://gvlay6u4g53rxdi5.onion/21-wIq5kK9gGKiTmyups1U6fABj1VnXIYRB-I5xek6PG2EbWlPC7C1rXfsqJBlWlFFfY |
| qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion |
| http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion/leakdata/paigesmusic-leakdata-closed-part1 |
Disclaimer: Many of these observed IP addresses are several years old and have been historically linked to MedusaLocker ransomware. We recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.
| IP Address | Last Observed |
|---|---|
| 195.123.246.138 | Nov-2021 |
| 138.124.186.221 | Nov-2021 |
| 159.223.0.9 | Nov-2021 |
| 45.146.164.141 | Nov-2021 |
| 185.220.101.35 | Nov-2021 |
| 185.220.100.249 | Sep-2021 |
| 50.80.219.149 | Sep-2021 |
| 185.220.101.146 | Sep-2021 |
| 185.220.101.252 | Sep-2021 |
| 179.60.150.97 | Sep-2021 |
| 84.38.189.52 | Sep-2021 |
| 94.232.43.63 | Jul-2021 |
| 108.11.30.103 | Apr-2021 |
| 194.61.55.94 | Apr-2021 |
| 198.50.233.202 | Apr-2021 |
| 40.92.90.105 | Jan-2021 |
| 188.68.216.23 | Dec-2020 |
| 87.251.75.71 | Dec-2020 |
| 196.240.57.20 | Oct-2020 |
| 198.0.198.5 | Aug-2020 |
| 194.5.220.122 | Mar-2020 |
| 194.5.250.124 | Mar-2020 |
| 194.5.220.124 | Mar-2020 |
| 104.210.72.161 | Nov-2019 |
MedusaLocker actors use the ATT&CK techniques listed in Table 1.
Table 1: MedusaLocker Actors ATT&CK Techniques for Enterprise
| Initial Access | ||
|---|---|---|
| Technique Title | ID | Use |
| External Remote Services | T1133 | MedusaLocker actors gained access to victim devices through vulnerable RDP configurations. |
| Phishing | T1566 | MedusaLocker actors used phishing and spearphishing to obtain access to victims’ networks. |
| Execution | ||
| Technique Title | ID | Use |
| Command and Scripting Interpreter: PowerShell |
T1059.001 |
MedusaLocker actors may abuse PowerShell commands and scripts for execution. |
| Defense Evasion | ||
| Technique Title | ID | Use |
| Impair Defenses: Safe Mode Boot |
T1562.009 |
MedusaLocker actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. |
| Impact | ||
| Technique Title | ID | Use |
| Data Encrypted for Impact | T1486 | MedusaLocker actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. |
| Inhibit System Recovery | T1490 | MedusaLocker actors may deny access to operating systems containing features that can help fix corrupted systems, such as backup catalog, volume shadow copies, and automatic repair. |
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To report incidents and anomalous activity or to request incident response resources or technical assistance related to this threat, contact CISA at report@cisa.gov.
This product is provided subject to this Notification and this Privacy & Use policy.
Yes Virginia, languages other than PowerShell do exist.
I was working with a partner group here at Microsoft and they explained that they wanted to parse PowerShell scripts from Python.
Their natural approach was to invoke the PowerShell executable and construct a command-line that did what they needed.
I thought there might be a better way as creating a new PowerShell process each time is expensive, so I started doing a bit of research to see something could be done.
I’ve been aware of IronPython (Python that tightly integrates .NET) for a long time, and
we met with Jim Hugunin shortly after he arrived at Microsoft and PowerShell was just getting underway,
but the group is using cPython so I went hunting for Python modules that host .NET and found the pythonnet module.
The pythonnet package gives Python developers extremely easy access to the dotnet runtime from Python.
I thought this package might be the key for accessing PowerShell,
after some investigation I found that it has exactly what I needed to host PowerShell in a Python script.
I needed to figure out a way to load the PowerShell engine.
First, there are a couple of requirements to make this all work.
Dotnet has to be available, as does PowerShell and pythonnet provides a way to specify where to look for dotnet.
Setting the environment variable DOTNET_ROOT to the install location,
enables pythonnet a way find the assemblies and other support files to host .NET.
import os
os.environ["DOTNET_ROOT"] = "/root/.dotnet"Now that we know where dotnet is, we need to load up the CLR and set up the runtime configuration.
The runtime configuration describes various aspects of how we’ll run.
We can create a very simple pspython.runtimeconfig.json
{
"runtimeOptions": {
"tfm": "net6.0",
"framework": {
"name": "Microsoft.NETCore.App",
"version": "6.0.0"
}
}
}The combination of the DOTNET_ROOT and the runtime configuration enables
loading the CLR with the get_coreclr and set_runtime functions.
# load up the clr
from clr_loader import get_coreclr
from pythonnet import set_runtime
rt = get_coreclr("/root/pspython.runtimeconfig.json")
set_runtime(rt)Now that we have the CLR loaded, we need to load the PowerShell engine.
This was a little non-obvious.
Initially, I just attempted to load System.Management.Automation.dll but that failed
due to a strong name validation error.
However, If I loaded Microsoft.Management.Infrastructure.dll first, I can avoid that error.
I’m not yet sure about why I need to load this assembly first, that’s still something
I need to determine.
import clr
import sys
import System
from System import Environment
from System import Reflection
psHome = r'/opt/microsoft/powershell/7/'
mmi = psHome + r'Microsoft.Management.Infrastructure.dll'
clr.AddReference(mmi)
from Microsoft.Management.Infrastructure import *
full_filename = psHome + r'System.Management.Automation.dll'
clr.AddReference(full_filename)
from System.Management.Automation import *
from System.Management.Automation.Language import Parser
Eventually I would like to make the locations of dotnet and PSHOME configurable,
but for the moment, I have what I need.
Now that the PowerShell engine is available to me,
I created a couple of helper functions to make handling the results easier from Python.
I also created a PowerShell object (PowerShell.Create()) that I will use in some of my functions.
ps = PowerShell.Create()
def PsRunScript(script):
ps.Commands.Clear()
ps.Commands.AddScript(script)
result = ps.Invoke()
rlist = []
for r in result:
rlist.append(r)
return rlist
class ParseResult:
def __init__(self, scriptDefinition, tupleResult):
self.ScriptDefinition = scriptDefinition
self.Ast = tupleResult[0]
self.Tokens = tupleResult[1]
self.Errors = tupleResult[2]
def PrintAst(self):
print(self.ast.Extent.Text)
def PrintErrors(self):
for e in self.Errors:
print(str(e))
def PrintTokens(self):
for t in self.Tokens:
print(str(t))
def FindAst(self, astname):
Func = getattr(System, "Func`2")
func = Func[System.Management.Automation.Language.Ast, bool](lambda a : type(a).__name__ == astname)
asts = self.Ast.FindAll(func, True)
return asts
def ParseScript(scriptDefinition):
token = None
error = None
# this returns a tuple of ast, tokens, and errors rather than the c# out parameter
ast = Parser.ParseInput(scriptDefinition, token, error)
# ParseResult will bundle the 3 parts into something more easily consumed.
pr = ParseResult(scriptDefinition, ast)
return pr
def ParseFile(filePath):
token = None
error = None
# this returns a tuple of ast, tokens, and errors rather than the c# out parameter
ast = Parser.ParseFile(filePath, token, error)
# ParseResult will bundle the 3 parts into something more easily consumed.
pr = ParseResult(filePath, ast)
return pr
def PrintResults(result):
for r in result:
print(r)I really wanted to mimic the PowerShell AST methods with some more friendly Python functions.
To create the FindAst() function, I needed to combine the delegate in c# with the lambda feature in Python.
Normally, in PowerShell, this would look like:
$ast.FindAll({$args[0] -is [System.Management.Automation.Language.CommandAst]}, $true)But I thought from a Python script, it would easier to use the name of the type.
You still need to know the name of the type,
but bing is great for that sort of thing.
As I said, I don’t really know the Python language,
so I expect there are better ways to handle the Collection[PSObject] that Invoke() returns.
I found that I had to iterate over the result no matter what, so I built it into the convenience function.
Anyone with suggestions is more than welcome to improve this.
Now that we have the base module together, we can write some pretty simple Python to
execute our PowerShell scripts.
Invoking a PowerShell script is now as easy as:
#!/usr/bin/python3
from pspython import *
scriptDefinition = 'Get-ChildItem'
print(f"Run the script: '{scriptDefinition}")
result = PsRunScript(scriptDefinition)
PrintResults(result)/root/__pycache__
/root/dotnet-install.sh
/root/get-pip.py
/root/grr.py
/root/hosted.runtimeconfig.json
/root/pspar.py
/root/pspython.py
/root/psrun.pyYou’ll notice that the output is not formatted by PowerShell.
This is because Python is just taking the .NET objects and (essentially) calling ToString() on them.
It’s also possible to retrieve objects and then manage formatting via PowerShell.
This example retrieves objects via Get-ChildItem,
selects those files that start with “ps” in Python,
and then creates a string result in table format.
scriptDefinition = 'Get-ChildItem'
result = list(filter(lambda r: r.BaseObject.Name.startswith('ps'), PsRunScript(scriptDefinition)))
ps.Commands.Clear()
ps.Commands.AddCommand("Out-String").AddParameter("Stream", True).AddParameter("InputObject", result)
strResult = ps.Invoke()
# print results
PrintResults(strResult) Directory: /root
UnixMode User Group LastWriteTime Size Name
-------- ---- ----- ------------- ---- ----
-rwxr-xr-x root dialout 6/17/2022 01:30 1117 pspar.py
-rwxr-xr-x root dialout 6/16/2022 18:55 2474 pspython.py
-rwxr-xr-x root dialout 6/16/2022 21:43 684 psrun.pyWe can also call static methods on PowerShell types.
Those of you that noticed in my module there are a couple of language related functions.
The ParseScript and ParseFile functions allow us to call the PowerShell language parser
enabling some very interesting scenarios.
Imagine I wanted to determine what commands a script is calling.
The PowerShell AST makes that a breeze, but first we have to use the parser.
In PowerShell, that would be done like this:
$tokens = $errors = $null
$AST = [System.Management.Automation.Language.Parser]::ParseFile("myscript.ps1", [ref]$tokens, [ref]$errors)The resulting AST is stored in $AST, the tokens in $tokens, and the errors in $errors.
With this Python module, I encapsulate that into the Python function ParseFile,
which returns an object containing all three of those results in a single element.
I also created a couple of helper functions to print the tokens and errors more easily.
Additionally, I created a function that allows me to look for any type of AST (or sub AST)
in any arbitrary AST.
parseResult = ParseFile(scriptFile)
commandAst = parseResult.FindAst("CommandAst")
commands = set()
for c in commandAst:
commandName = c.GetCommandName()
# sometimes CommandName is null, don't include those
if commandName != None:
commands.add(c.GetCommandName().lower())
PrintResults(sorted(commands))Note that there is a check for commandName not being null.
This is because when & $commandName is used, the command name cannot be
determined via static analysis since the command name is determined at run-time.
First, you have to have dotnet installed (via the install-dotnet),
as well as a full installation of PowerShell.
pythonnet doesn’t run on all versions of Python,
I’ve tested it only on Python 3.8 and Python 3.9 on Ubuntu20.04.
As of the time I wrote this, I couldn’t get it to run on Python 3.10.
There’s more info on pythonnet at the pythonnet web-site.
Also, this is a hosted instance of PowerShell.
Some things, like progress, and verbose, and errors may act a bit differently than you
would see from pwsh.exe.
Over time, I will probably add additional helper functions to retrieve more runtime information
from the engine instance.
If you would like to pitch in, I’m happy to take Pull Requests or to simply understand your use cases integrating PowerShell and Python.
I’ve wrapped all of this up and added a Dockerfile (running on Ubuntu 20.04) on
github.
To create the docker image, just run
Docker build --tag pspython:demo .
from the root of the repository.
The post Hosting PowerShell in a Python script appeared first on PowerShell Team.
Original release date: June 23, 2022
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
• Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
This CSA provides the suspected APT actors’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). The information is derived from two related incident response engagements and malware analysis of samples discovered on the victims’ networks.
CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA.
See the list below to download copies of IOCs:
Download the pdf version of this report: [pdf, 483 kb]
Note: this advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques.
Log4Shell is a remote code execution vulnerability affecting the Apache® Log4j library and a variety of products using Log4j, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon and UAG. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system, causing the system to execute arbitrary code. The request allows the malicious actors to take full control of the affected system. (For more information on Log4Shell, see CISA’s Apache Log4j Vulnerability Guidance webpage and VMware advisory VMSA-2021-0028.13.)
VMware made fixes available in December 2021 and confirmed exploitation in the wild on December 10, 2021.[1] Since December 2021, multiple cyber threat actor groups have exploited [T1190] Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access [TA0001] to networks.
After obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. These actors connected to known malicious IP address 104.223.34[.]198.[2] This IP address uses a self-signed certificate CN: WIN-P9NRMH5G6M8. In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim’s network.
The sections below provide information CISA and CGCYBER obtained during incident response activities at two related confirmed compromises.
CGCYBER conducted a proactive threat-hunting engagement at an organization (Victim 1) compromised by actors exploiting Log4Shell in VMware Horizon. After obtaining access, threat actors uploaded malware, hmsvc.exe, to a compromised system. During malware installation, connections to IP address 104.223.34[.]198 were observed.
CISA and CGCYBER analyzed a sample of hmsvc.exe from the confirmed compromise. hmsvc.exe masquerades as a legitimate Microsoft® Windows® service (SysInternals LogonSessions software) [T1036.004] and appears to be a modified version of SysInternals LogonSessions software embedded with malicious packed code. When discovered, the analyzed sample of hmsvc.exe was running as NT AUTHORITYSYSTEM, the highest privilege level on a Windows system. It is unknown how the actors elevated privileges.
hmsvc.exe is a Windows loader containing an embedded executable, 658_dump_64.exe. The embedded executable is a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes [T1056.001], upload and execute additional payloads [T1105], and provide graphical user interface (GUI) access over a target Windows system’s desktop. The malware can function as a C2 tunneling proxy [T1090], allowing a remote operator to pivot to other systems and move further into a network.
When first executed, hmsvc.exe creates the Scheduled Task [T1053.005], C:WindowsSystem32TasksLocal Session Updater, which executes malware every hour. When executed, two randomly named *.tmp files are written to the disk at the location C:Users<USER>AppDataLocalTemp and the embedded executable attempts to connect to hard-coded C2 server 192.95.20[.]8 over port 4443, a non-standard port [TT571]. The executable’s inbound and outbound communications are encrypted with a 128-bit key [T1573.001].
For more information on hmsvc.exe, including IOCs and detection signatures, see MAR-10382254-1.
From late April through May 2022, CISA conducted an onsite incident response engagement at an organization (Victim 2) where CISA observed bi-directional traffic between the organization and suspected APT IP address 104.223.34[.]198. During incident response, CISA determined Victim 2 was compromised by multiple threat actor groups.
The threat actors using IP 104.223.34[.]198 gained initial access to Victim 2’s production environment in late January 2022, or earlier. These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server. On or around January 30, likely shortly after the threat actors gained access, CISA observed the actors using PowerShell scripts [T1059.001] to callout to 109.248.150[.]13 via Hypertext Transfer Protocol (HTTP) [T1071.001] to retrieve additional PowerShell scripts. Around the same period, CISA observed the actors attempt to download [T1105] and execute a malicious file from 109.248.150[.]13. The activity started from IP address 104.155.149[.]103, which appears to be part of the actors’ C2 [TA0011] infrastructure.
After gaining initial access to the VMware Horizon server, the threat actors moved laterally [TA0008] via Remote Desktop Protocol (RDP) [T1021.001] to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. The threat actors also moved laterally via RDP to the organization’s disaster recovery network. The threat actors gained credentials [TA0006] for multiple accounts, including administrator accounts. It is unknown how these credentials were acquired.
After moving laterally to other production environment hosts and servers, the actors implanted loader malware on compromised servers containing executables enabling remote C2. The threat actors used compromised administrator accounts to run the loader malware. The loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software. The embedded executables belong to the same malware family, are similar in design and functionality to 658_dump_64.exe, and provide C2 capabilities to a remote operator. These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The embedded executables can also function as a proxy.
CISA found the following loader malware:
SvcEdge.exe is a malicious Windows loader containing encrypted executable f7_dump_64.exe. When executed, SvcEdge.exe decrypts and loads f7_dump_64.exe into memory. During runtime, f7_dump_64.exe connects to hard-coded C2 server 134.119.177[.]107 over port 443. odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory. The executable attempts communication with the remote C2 address 134.119.177[.]107. praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address 162.245.190[.]203.fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address 155.94.211[.]207.winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. The executable attempts communication with hard-coded C2 address 185.136.163[.]104. winds.exe has complex obfuscation, hindering the analysis of its code structures. The executable’s inbound and outbound communications are encrypted with an XOR key [T1573.001].For more information on these malware samples, including IOCs and detection signatures, see MAR-10382580-1.
Additionally, CISA identified a Java® Server Pages (JSP) application (error_401.js) functioning as a malicious webshell [T505.003] and a malicious Dynamic Link Library (DLL) file:
error_401.jsp is a webshell designed to parse data and commands from incoming HTTP requests, providing a remote operator C2 capabilities over compromised Linux and Windows systems. error_401.jsp allows actors to retrieve files from the target system, upload files to the target system, and execute commands on the target system. rtelnet is used to execute commands on the target system. Commands and data sent are encrypted via RC4 [T1573.001]. For more information on error_401.jsp, including IOCs, see [MAR-10382580 2].newdev.dll ran as a service in the profile of a known compromised user on a mail relay server. The malware had path: C:Users<user>AppDataRoamingnewdev.dll. The DLL may be the same newdev.dll attributed to the APT actors in open-source reporting; however, CISA was unable to recover the file for analysis. Threat actors collected [TA0009] and likely exfiltrated [TA0010] data from Victim 2’s production environment. For a three week period, the security management and certificate servers communicated with the foreign IP address 92.222.241[.]76. During this same period, the security management server sent more than 130 gigabytes (GB) of data to foreign IP address 92.222.241[.]76, indicating the actors likely exfiltrated data from the production environment. CISA also found .rar files containing sensitive law enforcement investigation data [T1560.001] under a known compromised administrator account.
Note: the second threat actor group had access to the organization’s test and production environments, and on or around April 13, 2022, leveraged CVE-2022-22954 to implant the Dingo J-spy webshell. According to trusted third-party reporting, multiple large organizations have been targeted by cyber actors leveraging CVE-2022-22954 and CVE-2022-22960. For more information on exploitation of CVE-2022-22954 and CVE-2022-22960, see CISA CSA Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control.
If administrators discover system compromise, CISA and CGCYBER recommend:
CISA and CGCYBER recommend organizations install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details. Additionally, CISA and CGCYBER recommend organizations:
Recipients of this report are encouraged to contribute any additional information related to this threat.
[1] VMware Security Advisory VMSA-2021-0028.13
[2] Fortinet’s blog New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
See MAR-10382580-1 and MAR-10382254-1 and Table 1 for IOCs. See the list below to download copies of these IOCs:
Table 1: Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| IP Address | 104.223.34[.]198 |
IP address closely associated with the installation of malware on victims. |
92.222.241[.]76 |
Victim 2 servers communicated with this IP address and sent data to it during a three-week period. | |
109.248.150[.]13 |
Actors attempting to download and execute a malicious file from this address. | |
104.155.149[.]103 |
Appears to be a part of the actors’ C2 infrastructure. | |
| Network Port | 192.95.20[.]8:80 |
Same description as IP 192.95.20[.]8, but includes the specific destination port of 80, which was identified in logs and during malware analysis. |
1389 |
This was the most common destination port for Log4Shell exploitation outbound connections. Multiple unique destination addresses were used for Log4Shell callback. | |
104.223.34[.]198:443 |
IP address closely associated to the installation of malware on victims with the specific destination port of 443. | |
| Scheduled Task | C:WindowsSystem32TasksLocal Session Update |
Scheduled task created by hmsvc.exe to execute the program hourly. |
| File Path | C:WindowsTemplnk{4_RANDOM_CHARS}.tmp |
File created by hmsvc.exe with a random four-character filename. |
C:WindowsTemplnk<4_RANDOM_NUMS_CHAR S>.tmp |
File created by hmsvc.exe with a random four-character filename. |
See Table 2 for the threat actors’ tactics and techniques identified in this CSA. See the MITRE ATT&CK for Enterprise framework, version 11, for all referenced threat actor tactics and techniques.
Table 2: Tactics and Techniques
| Tactic | Technique |
|---|---|
| Initial Access [TA0001] | Exploit Public-Facing Application [T1190] |
|
Execution [TA0002] |
Command and Scripting Interpreter: PowerShell [T1059.001] |
| Scheduled Task/Job: Scheduled Task [T1053.005] | |
| Persistence [TA0003] | Server Software Component: Web Shell [T1505.003] |
| Defense Evasion [TA0005] | Masquerading: Masquerade Task or Service [T1036.004] |
| Credential Access [TA0006] | |
| Lateral Movement [TA0008] | Remote Services: Remote Desktop Protocol [T1021.001] |
| Collection [TA0009] | Archive Collected Data: Archive via Utility [T1560.001] |
| Input Capture: Keylogging [T1056.001] | |
| Command and Control [TA0011] | Application Layer Protocol: Web Protocols [T1071.001] |
| Encrypted Channel: Symmetric Cryptography [1573.001] | |
| Ingress Tool Transfer [T1105] | |
| Non-Standard Port [T1571] | |
| Proxy [T1090] |
© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
CISA and CGCYBER would like to thank VMware and Secureworks for their contributions to this CSA.
This product is provided subject to this Notification and this Privacy & Use policy.
Tweet In most cases, you don’t need to make any changes to your Skyline Collector. For some environments, you have a mandate to ensure that all syslog are sent to a centralized repository for audit analysis. It doesn’t matter if that centralized syslog server is a VMware Log Insight, Splunk, or ELK. Here are the … Continued
The post Skyline Collector – Send Syslog Data to Centralized Log Host appeared first on VMware Support Insider.
Tweet In the previous blog entries, I have shown how to get (a) get list of findings and (b) how to get the details (affected objects) using curl. You can find that blog here. Now I want to show the same information. This time, I am using Powershell/Powercli for our fellow Windows-based administrators. To get … Continued
The post Skyline Insights API – How To Get List and Details with PowerCLI appeared first on VMware Support Insider.
Original release date: June 7, 2022
Best Practices
• Apply patches as soon as possible
• Disable unnecessary ports and protocols
• Replace end-of-life infrastructure
• Implement a centralized patch management system
This joint Cybersecurity Advisory describes the ways in which People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—associated with network devices routinely exploited by the cyber actors since 2020.
This joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).
Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.
NSA, CISA, and the FBI urge U.S. and allied governments, CI, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and reduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.
For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage.
Click here for PDF.
PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.
Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services [T1133] or public facing applications [T1190]—without using their own distinctive or identifying malware—so long as the actors acted before victim organizations updated their systems.
PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.
These cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.
NSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.
Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors
| Vendor CVE Vulnerability Type | ||
|---|---|---|
| Cisco | CVE-2018-0171 | Remote Code Execution |
| CVE-2019-15271 | RCE | |
| CVE-2019-1652 | RCE | |
| Citrix | CVE-2019-19781 | RCE |
| DrayTek | CVE-2020-8515 | RCE |
| D-Link | CVE-2019-16920 | RCE |
| Fortinet | CVE-2018-13382 | Authentication Bypass |
| MikroTik | CVE-2018-14847 | Authentication Bypass |
| Netgear | CVE-2017-6862 | RCE |
| Pulse | CVE-2019-11510 | Authentication Bypass |
| CVE-2021-22893 | RCE | |
| QNAP | CVE-2019-7192 | Privilege Elevation |
| CVE-2019-7193 | Remote Inject | |
| CVE-2019-7194 | XML Routing Detour Attack | |
| CVE-2019-7195 | XML Routing Detour Attack | |
| Zyxel | CVE-2020-29583 | Authentication Bypass |
PRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The actors have utilized open-source router specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. These tools enable exploitation of SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.
Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed passwords for user and administrative accounts.
Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119]. These scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current configuration of each router. After successfully capturing the command output, these configurations were exfiltrated off network to the actor’s infrastructure [TA0010]. The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network.
Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route [T1599], capture [T1020.001], and exfiltrate traffic out of the network to actor-controlled infrastructure.
While other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper router to perform initial tunnel configuration for eventual exfiltration out of the network:
After establishing the tunnel, the cyber actors configured the local interface on the device and updated the routing table to route traffic to actor-controlled infrastructure.
PRC state-sponsored cyber actors then configured port mirroring to copy all traffic to the local interface, which was subsequently forwarded through the tunnel out of the network to actor-controlled infrastructure.
Having completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy evidence of their activity to further obfuscate their presence and evade detection.
PRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH tunnels [T1572] between internal hosts and leased virtual private server (VPS) infrastructure. These actors often conducted system network configuration discovery [T1016.001] on these host networks by sending hypertext transfer protocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address.
NSA, CISA, and the FBI urge organizations to apply the following recommendations as well as the mitigation and detection recommendations in Appendix A, which are tailored to observed tactics and techniques. While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:
Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/cybersecurity-guidance for previous reporting on People’s Republic of China state-sponsored malicious cyber activity.
U.S. government and critical infrastructure organizations, should consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
U.S. Defense Industrial Base (DIB) organizations, should consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov. To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937 or by email at CyWatch@fbi.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
Media Inquiries / Press Desk:
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
This advisory was developed by NSA, CISA, and the FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Table 2: Information on Cisco CVE-2018-0171
| Cisco CVE-2018-0171 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, causing an indefinite loop on the affected device that triggers a watchdog crash. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions The vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE software and have the smart install client feature enabled. Only smart install client switches are affected by this vulnerability described in this advisory. |
|
References http://www.securityfocus.com/bid/103538 |
Table 3: Information on Cisco CVE-2019-15271
| Cisco CVE-2019-15271 CVSS 3.0: 8.8 (High) |
|---|
|
Vulnerability Description A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects the following Cisco Small Business RV Series Routers if they are running a firmware release earlier than 4.2.3.10:
|
|
References https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x |
Table 4: Information on Cisco CVE-2019-1652
| Cisco CVE-2019-1652 CVSS 3.0: 7.2 (High) |
|---|
|
Vulnerability Description A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases 1.4.2.15 through 1.4.2.20. |
|
References http://www.securityfocus.com/bid/106728 |
Table 5: Information on Citrix CVE-2019-19781
| Citrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions The vulnerability affects the following Citrix product versions on all supported platforms:
|
|
References |
Table 6: Information on DrayTek CVE-2020-8515
| DrayTek CVE-2020-8515 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1. |
Recommended Mitigations
|
Detection Methods
|
Vulnerable Technologies and Versions
|
|
References https://draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/ |
Table 7: Information on D-Link CVE-2019-16920
| D-Link CVE-2019-16920 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a “PingTest” device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. |
Recommended Mitigations
|
Detection Methods
|
Vulnerable Technologies and Versions
|
|
References https://www.kb.cert.org/vuls/id/766427 |
Table 8: Information on Fortinet CVE-2018-13382
| Fortinet CVE-2018-13382 CVSS 3.0: 7.5 (High) |
|---|
|
Vulnerability Description An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects the following products:
FortiOS products are vulnerable only if the SSL VPN service (web-mode or tunnel-mode) is enabled and users with local authentication. |
|
References https://fortiguard.com/psirt/FG-IR-18-389 |
Table 9: Information on Mikrotik CVE-2018-14847
| Mikrotik CVE-2018-14847 CVSS 3.0: 9.1 (Critical) |
|---|
|
Vulnerability Description MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affected the following MikroTik products:
|
|
References https://blog.mikrotik.com/security/winbox-vulnerability.html |
Table 10: Information on Netgear CVE-2017-6862
| Netgear CVE-2017-6862 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices before 1.0.0.42 allow authentication bypass and remote code execution via a buffer overflow that uses a parameter in the administration webapp. The NETGEAR ID is PSV-2016-0261. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects the following products:
|
|
References https://kb.netgear.com/000038542/Security-Advisory-for-Unauthenticated-Remote-Code-Execution-on-Some-Routers-PSV-2016-0261 |
Table 11: Information on Pulse CVE-2019-11510
| Pulse CVE-2019-11510 CVSS 3.0: 10 (Critical) |
|---|
|
Vulnerability Description In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. |
Recommended Mitigations
|
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects the following Pulse Connect Secure products:
|
|
References https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ |
Table 12: Information on Pulse CVE-2021-22893
| Pulse CVE-2021-22893 CVSS 3.0: 10 (Critical) |
|---|
|
Vulnerability Description Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects Pulse Connect Secure 9.0R3/9.1R1 and higher. |
|
References https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ |
Table 13: Information on QNAP CVE-2019-7192
| QNAP CVE-2019-7192 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions. |
|
Recommended Mitigations Update Photo Station to versions:
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier. |
|
References https://www.qnap.com/zh-tw/security-advisory/nas-201911-25 |
Table 14: Information on QNAP CVE- 2019-7193
| QNAP CVE-2019-7193 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions. |
|
Recommended Mitigations Update QTS to versions:
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects QNAP QTS 4.3.6 and 4.4.1 or earlier. |
|
References https://www.qnap.com/zh-tw/security-advisory/nas-201911-25 |
Table 15: Information on QNAP CVE-2019-7194
| QNAP CVE-2019-7194 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions. |
|
Recommended Mitigations Update Photo Station to versions:
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier. |
|
References https://www.qnap.com/zh-tw/security-advisory/nas-201911-25 |
Table 16: Information on QNAP CVE-2019-7195
| QNAP CVE-2019-7195 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions. |
|
Recommended Mitigations Update Photo Station to versions:
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier. |
|
References https://www.qnap.com/zh-tw/security-advisory/nas-201911-25 |
Table 17: Information on Zyxel CVE-2020-29583
| Zyxel CVE-2020-29583 CVSS 3.0: 9.8 (Critical) |
|---|
|
Vulnerability Description Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the SSH server or web interface with admin privileges. |
Recommended Mitigations
|
Detection Methods
|
|
Vulnerable Technologies and Versions This vulnerability affects the following technologies and versions:
|
|
References http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf |
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: June 1, 2022
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize patching known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enforce multifactor authentication.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients [T1591.002] with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.
Prior to January 5, 2022, Karakurt operated a leaks and auction website found at https://karakurt[.]group. The domain and IP address originally hosting the website went offline in the spring 2022. The website is no longer accessible on the open internet, but has been reported to be located elsewhere in the deep web and on the dark web. As of May 2022, the website contained several terabytes of data purported to belong to victims across North America and Europe, along with several “press releases” naming victims who had not paid or cooperated, and instructions for participating in victim data “auctions.”
Download the PDF version of this report (pdf, 569kb).
Karakurt does not appear to target any specific sectors, industries, or types of victims. During reconnaissance [TA0043], Karakurt actors appear to obtain access to victim devices primarily:
Common intrusion vulnerabilities exploited for initial access [TA001] in Karakurt events include the following:
Upon developing or obtaining access to a compromised system, Karakurt actors deploy Cobalt Strike beacons to enumerate a network [T1083], install Mimikatz to pull plain-text credentials [T1078], use AnyDesk to obtain persistent remote control [T1219], and utilize additional situation-dependent tools to elevate privileges and move laterally within a network.
Karakurt actors then compress (typically with 7zip) and exfiltrate large sums of data—and, in many cases, entire network-connected shared drives in volumes exceeding 1 terabyte (TB)—using open source applications and File Transfer Protocol (FTP) services [T1048], such as Filezilla, and cloud storage services including rclone and Mega.nz [T1567.002].
Following the exfiltration of data, Karakurt actors present the victim with ransom notes by way of “readme.txt” files, via emails sent to victim employees over the compromised email networks, and emails sent to victim employees from external email accounts. The ransom notes reveal the victim has been hacked by the “Karakurt Team” and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code open a chat application over which victims can negotiate with Karakurt actors to have their data deleted.
Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners, and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data. These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records.
Victims who negotiate with Karakurt actors receive a “proof of life,” such as screenshots showing file trees of allegedly stolen data or, in some cases, actual copies of stolen files. Upon reaching an agreement on the price of the stolen data with the victims, Karakurt actors provided a Bitcoin address—usually a new, previously unused address—to which ransom payments could be made. Upon receiving the ransom, Karakurt actors provide some form of alleged proof of deletion of the stolen files, such as a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage server and delete the files themselves.
Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid. Note: the U.S. government strongly discourages the payment of any ransom to Karakurt threat actors, or any cyber criminals promising to delete stolen files in exchange for payments.
In some cases, Karakurt actors have conducted extortion against victims previously attacked by other ransomware variants. In such cases, Karakurt actors likely purchased or otherwise obtained previously stolen data. Karakurt actors have also targeted victims at the same time these victims were under attack by other ransomware actors. In such cases, victims received ransom notes from multiple ransomware variants simultaneously, suggesting Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor.
Karakurt actors have also exaggerated the degree to which a victim had been compromised and the value of data stolen. For example, in some instances, Karakurt actors claimed to steal volumes of data far beyond the storage capacity of compromised systems or claimed to steal data that did not belong to the victim.
| mark.hubert1986@gmail.com; karakurtlair@gmail.com; personal.information.reveal@gmail.com; ripidelfun1986@protonmail.com; gapreappballye1979@protonmail.com; confedicial.datas.download@protonmail.com; armada.mitchell94@protonmail.com |
| Protonmail email accounts in the following formats: victimname_treasure@protonmail.com victimname_jewels@protonmail.com victimname_files@protonmail.com |
| Tools | |
|---|---|
| Onion site | https://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vl3li3lfo7saabxazshnead.onion |
| Tools | Rclone.exe;; AnyDesk.exe; Mimikatz |
| Ngrok | SSH tunnel application SHA256 – 3e625e20d7f00b6d5121bb0a71cfa61f92d658bcd61af2cf5397e0ae28f4ba56 |
| DDLs masquerading as legitimate Microsoft binaries to System32 | Mscxxx.dll: SHA1 – c33129a680e907e5f49bcbab4227c0b02e191770 Msuxxx.dll: SHA1 – 030394b7a2642fe962a7705dcc832d2c08d006f5 |
| Msxsl.exe | Legitimate Microsoft Command Line XSL Transformation Utility SHA1 – 8B516E7BE14172E49085C4234C9A53C6EB490A45 |
| dllhosts.exe | Rclone SHA1 – fdb92fac37232790839163a3cae5f37372db7235 |
| rclone.conf | Rclone configuration file |
| filter.txt | Rclone file extension filter file |
| c.bat | UNKNOWN |
| 3.bat | UNKNOWN |
| Potential malicious document | SHA1 – 0E50B289C99A35F4AD884B6A3FFB76DE4B6EBC14 |
.
| Tools | |
|---|---|
| Potential malicious document | SHA1 – 7E654C02E75EC78E8307DBDF95E15529AAAB5DFF |
| Malicious text file | SHA1 – 4D7F4BB3A23EAB33A3A28473292D44C5965DDC95 |
| Malicious text file | SHA1 – 10326C2B20D278080AA0CA563FC3E454A85BB32F |
| Cobalt Strike hashes |
|---|
| SHA256 – 563BC09180FD4BB601380659E922C3F7198306E0CAEBE99CD1D88CD2C3FD5C1B |
| SHA256 – 5E2B2EBF3D57EE58CADA875B8FBCE536EDCBBF59ACC439081635C88789C67ACA |
| SHA256 – 712733C12EA3B6B7A1BCC032CC02FD7EC9160F5129D9034BF9248B27EC057BD2 |
| SHA256 – 563BC09180FD4BB601380659E922C3F7198306E0CAEBE99CD1D88CD2C3FD5C1B |
| SHA256 – 5E2B2EBF3D57EE58CADA875B8FBCE536EDCBBF59ACC439081635C88789C67ACA |
| SHA256 – 712733C12EA3B6B7A1BCC032CC02FD7EC9160F5129D9034BF9248B27EC057BD2 |
| SHA1 – 86366bb7646dcd1a02700ed4be4272cbff5887af |
| Ransom note text sample: | |
|---|---|
|
|
Here’s the deal We breached your internal network and took control over all of your systems. |
|
2. |
We analyzed and located each piece of more-or-less important files while spending weeks inside. |
|
3. |
We exfiltrated anything we wanted (xxx GB (including Private & Confidential information, Intellectual Property, Customer Information and most important Your TRADE SECRETS) |
| Ransom note text sample: | |
|---|---|
|
FAQ: |
Who the hell are you? |
| Who the hell are you? | |
| Payment Wallets: |
|---|
| bc1qfp3ym02dx7m94td4rdaxy08cwyhdamefwqk9hp |
| bc1qw77uss7stz7y7kkzz7qz9gt7xk7tfet8k30xax |
| bc1q8ff3lrudpdkuvm3ehq6e27nczm393q9f4ydlgt |
| bc1qenjstexazw07gugftfz76gh9r4zkhhvc9eeh47 |
| bc1qxfqe0l04cy4qgjx55j4qkkm937yh8sutwhlp4c |
| bc1qw77uss7stz7y7kkzz7qz9gt7xk7tfet8k30xax |
| bc1qrtq27tn34pvxaxje4j33g3qzgte0hkwshtq7sq |
| bc1q25km8usscsra6w2falmtt7wxyga8tnwd5s870g |
| bc1qta70dm5clfcxp4deqycxjf8l3h4uymzg7g6hn5 |
| bc1qrkcjtdjccpy8t4hcna0v9asyktwyg2fgdmc9al |
| bc1q3xgr4z53cdaeyn03luhen24xu556y5spvyspt8 |
| bc1q6s0k4l8q9wf3p9wrywf92czrxaf9uvscyqp0fu |
| bc1qj7aksdmgrnvf4hwjcm5336wg8pcmpegvhzfmhw |
| bc1qq427hlxpl7agmvffteflrnasxpu7wznjsu02nc |
| bc1qz9a0nyrqstqdlr64qu8jat03jx5smxfultwpm0 |
| bc1qq9ryhutrprmehapvksmefcr97z2sk3kdycpqtr |
| bc1qa5v6amyey48dely2zq0g5c6se2keffvnjqm8ms |
| bc1qx9eu6k3yhtve9n6jtnagza8l2509y7uudwe9f6 |
| bc1qtm6gs5p4nr0y5vugc93wr0vqf2a0q3sjyxw03w |
| bc1qta70dm5clfcxp4deqycxjf8l3h4uymzg7g6hn5 |
| bc1qx9eu6k3yhtve9n6jtnagza8l2509y7uudwe9f6 |
| bc1qqp73up3xff6jz267n7vm22kd4p952y0mhcd9c8 |
| bc1q3xgr4z53cdaeyn03luhen24xu556y5spvyspt8 |
Karakurt actors use the ATT&CK techniques listed in table 1.
Table 1: Karakurt actors ATT&CK techniques for enterprise
| Reconnaissance | ||
|---|---|---|
| Technique Title | ID | Use |
| Gather Victim Identify Information: Credentials | T1589.001 | Karakurt actors have purchased stolen login credentials. |
| Gather Victim Identity Information: Email Addresses | Karakurt actors have purchased stolen login credentials including email addresses. | |
| Gather Victim Org Information: Business Relationships | T1591.002 | Karakurt actors have leveraged victims’ relationships with business partners. |
| Initial Access | ||
| Technique Title | ID | Use |
| Exploit Public-Facing Applications | T1190 | Karakurt actors have exploited the Log4j “Log4Shell” Apache Logging Service vulnerability and vulnerabilities in outdated firewall appliances for gaining access to victims’ networks. |
| External Remote Services | T1133 | Karakurt actors have exploited vulnerabilities in outdated VPN appliances for gaining access to victims’ networks. |
| Phishing | T1566 | Karakurt actors have used phishing and spearphishing to obtain access to victims’ networks. |
| Phishing – Spearphishing Attachment | T1566.001 | Karakurt actors have sent malicious macros as email attachments to gain initial access. |
| Valid Accounts | T1078 | Karakurt actors have purchased stolen credentials, including VPN and RDP credentials, to gain access to victims’ networks. |
| Privilege Escalation | ||
| Technique Title | ID | Use |
| Valid Accounts | T1078 | Karakurt actors have installed Mimikatz to pull plain-text credentials. |
| Technique Title | ID | Use |
| File and Directory Discovery | T1083 | Karakurt actors have deployed Cobalt Strike beacons to enumerate a network. |
| Technique Title | ID | Use |
| Remote Access Software | T1219 | Karakurt actors have used AnyDesk to obtain persistent remote control of victims’ systems. |
| Exfiltration | ||
| Technique Title | ID | Use |
| Exfiltration Over Alternative Protocol | T1048 | Karakurt actors have used FTP services, including Filezilla, to exfiltrate data from victims’ networks. |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Karakurt actors have used rclone and Mega.nz to exfiltrate data stolen from victims’ networks. |
This product is provided subject to this Notification and this Privacy & Use policy.
