Preventing Web Application Access Control Abuse

This post was originally published on this site

SUMMARY

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.

These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.

ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce prevalence of IDOR flaws and protect sensitive data in their systems.

  • Vendors, designers, and developers of web application frameworks and web applications: Implement secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
    • Use automated tools for code review to identify and remediate IDOR and other vulnerabilities.
    • Use indirect reference maps, ensuring that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a universally unique identifier (UUID) or a globally unique identifier (GUID).
    • Exercise due diligence when selecting third-party libraries or frameworks to incorporate into your application and keep all third-party frameworks and dependencies up to date.
  • All end-user organizations, including organizations with software-as-a-service (SaaS) models:
    • Use due diligence when selecting web applications. Follow best practices for supply chain risk management and only source from reputable vendors.
    • Apply software patches for web applications as soon as possible.
  • End-user organizations deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models:
    • Review the available authentication and authorization checks in web applications that enable modification of data, deletion of data, or access to sensitive data.
    • Conduct regular, proactive vulnerability scanning and penetration testing to help ensure internet-facing web applications and network boundaries are secure.

Download the PDF version of this report:

TECHNICAL DETAILS

Description

IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.

  • Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
  • Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
  • Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
  • Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access.

Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier.

  • In body manipulation, an actor modifies the HTML form field data in the body of a POST request to impact targeted records.
  • In URL tampering, an actor modifies an identifier in URLs to impact targeted records.
  • In cookie ID manipulation, the actor modifies an identifier in a cookie to an identifier of a different user (including administrative users) in an attempt to gain access to that account.
  • In HTTP/JSON request tampering, an actor uses a web proxy to intercept and alter arbitrary portions of legitimate requests, including values inside JSON objects.

Impact

These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:

  • An October 2021 global data leak incident where mobile phone data, including text messages, call records, photos, and geolocation from hundreds of thousands of devices was exposed by insecure “stalkerware” apps.[2] The apps collected and relayed data from the phones to the same foreign server infrastructure, which contained an IDOR vulnerability, CVE-2022-0732.[3] This led to exposure of the collected app data.[4]
  • A 2019 data breach incident where more than 800 million personal financial files, including bank statements, bank account numbers, and mortgage payment documents, from a U.S. Financial Services Sector organization were exposed.[5],[6]
  • A 2012 data breach incident where a malicious cyber actor obtained the personal data of more than 100,000 mobile device owners from a U.S. Communications Sector organization’s publicly accessible website.[7]

MITIGATIONS

Vendors and Developers

ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applications—including organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projects—implement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.

  • Implement and inject secure-by-design and -default principles and best practices into each stage of the software development life cycle (SDLC). Particular recommended practices are defined in the National Institute of Security and Technology’s (NIST’s) Secure Software Development Framework (SSDF), SP 800-218. Lend special attention to:
    • Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, or logic flaws.
      • ACSC, CISA, and NSA recommend using automated code analysis tools for all supported releases to identify and remediate vulnerabilities.
    • Following secure coding practices [SSDF PW 5.1] for web and mobile applications to ensure that they properly validate user input and generate strong user IDs.
      • Use indirect reference maps, such that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a UUID or a GUID. Note: UUIDs and GUIDs should not be used for security capabilities. See Request for Comment (RFC) 4122 for more information.
      • Configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify data, delete data, and access sensitive data. For example:
        • Normalize requests. There are many ways to encode and decode web inputs. Decode and normalize inputs before creating access control checkpoints. Ensure the access control system and other parts of the web application perform the same normalization.
        • Implement parameter verification leveraging syntactic and logical validation, such that web applications validate all inputs received with every HTTP/S request. Denying invalid requests can reduce the burden on the access control system.
          • Syntactic validation verifies that for each input the incoming value meets your applications’ expectations. When doing syntactic validation, verify that strings are within the minimum and maximum length required, strings do not contain unacceptable characters, numeric values are within the minimum and maximum boundaries, and the input is of the proper data type.
          • Logical validation adds checks to see if the input values make sense and are consistent with design intent. When doing logical validation, verify authorization checks are performed in the correct locations, are of varying pedigree, and that there is error handling of failed authentication and authorization requests.
      • Use CAPTCHA to limit automated invalid user requests where feasible.
      • Use memory-safe programming languages where possible.
    • Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2].
    • Use automated testing tools to facilitate testing, fuzz testing tools to find issues with input handling,[8] and penetration testing to simulate how a threat actor may exploit the software. Consider using dynamic application security testing (DAST) tools to identify IDOR vulnerabilities in web applications.
    • Conducting role-based training [SSDF PO 2.2] for personnel responsible for secure software development.
    • Exercising due diligence when selecting third-party libraries or frameworks to incorporate into your application [SSDF PW 4.1].
      • Review and evaluate third-party components in the context of their expected use.
      • Verify the integrity of the product through hash or signature verification.
      • If provided, review component’s Software Bill of Materials (SBOM) for outdated, vulnerable, or unauthorized applications before using it.
      • Keep all third-party frameworks and dependencies up to date to limit vulnerability inheritance. Note: Organizations should maintain an inventory or catalog of third-party frameworks and dependencies to assist with proactive updates. Consider using tools to identify project dependencies and known vulnerabilities in third-party code. See OWASP’s Top Ten Proactive Controls 2018, C2: Leverage Security Frameworks and Libraries, for more information.

        For more information, see the joint Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.

  • Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization.

Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:

  • ACSC’s Essential Eight. The Essential Eight are prioritized strategies to help cybersecurity professionals mitigate cybersecurity incidents caused by various cyber threats.
  • CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and NIST, are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, ACSC, CISA, and NSA also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
  • NSA’s Top Ten Cybersecurity Mitigations. The Top Ten sets priorities for enterprise activities to counter a broad range of exploitation techniques and minimize mission impact.

All End-User Organizations

ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.

Additionally, ACSC, CISA, and NSA recommend following cybersecurity practices. For best practices, see ACSC’s Essential Eight, CISA’s CPGs, and NSA’s Top Ten Cybersecurity Mitigation Strategies.

End-User Organizations with On-Premises Software, IaaS, or Private Cloud Models

ACSC, CISA, and NSA recommend that organizations:

  • Conduct regular, proactive penetration testing to ensure network boundaries, as well as web applications, are secure. Prioritize web applications that are internet-facing and contain user login functionality. Such testing may be beyond the technical or financial capabilities of some organizations. Consider using a trusted third party for penetration testing to discover new attack vectors (notably prior to deployment of new or altered internet-facing services). Note: Organizations should consult with their legal counsel as appropriate to determine which systems and applications can be included in the scope of the penetration testing.
    • Use web application penetration testing tools to capture the user identifier sent to the web server when requesting a web page containing sensitive data and map all locations where user input is used to reference objects directly. Test with users of various privilege levels (e.g., a normal user and admin user).
  • Use DAST and other vulnerability scanners to detect IDOR vulnerabilities. DAST tools identify vulnerabilities in web applications with penetration tests and generate automated alerts. Note: Exercise due diligence when selecting DAST tools. Not all DAST tools can detect IDOR vulnerabilities—tools with the ability may need the environment configured in a specific way and may also need custom rules in place. Sufficient DAST tools often ingest the application API documentation to build a model of the application. While these tools can be used to detect IDOR vulnerabilities, they are not foolproof and should be used with other security testing methods to ensure comprehensive coverage.
  • Immediately report detected vulnerabilities to the vendor or developer. Alternatively (or if the vendor or developer fails to respond), report the vulnerability to CISA at cisa.gov/report.
  • Consider establishing a vulnerability disclosure program to verify, resolve, and report security vulnerabilities disclosed by people who may be internal or external to the organization.
  • Use a web application firewall (WAF) to filter, monitor, and block malicious HTTP/S traffic traveling to the web application.
  • Use a data loss prevention (DLP) tool to prevent unauthorized data from leaving the application.

ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.

End-User Organizations with SaaS Models

Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.

INCIDENT RESPONSE

If you or your organization are victim to a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.

  • Australia: Australian organizations that have been impacted or require assistance in regards to a cybersecurity incident can contact ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
  • United States: U.S. organizations may report cybersecurity incidents to CISA’s 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870. When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

RESOURCES

REFERENCES

[1] A01 Broken Access Control – OWASP Top 10:2021

[2] A massive ‘stalkerware’ leak puts the phone data of thousands at risk

[3] Mobile device monitoring services do not authenticate API requests

[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands

[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

[6] Biggest Data Breaches in US History [Updated 2023]

[7] AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison

[8] Fuzzing | OWASP Foundation

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.

PURPOSE

This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

This post was originally published on this site

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519. Citrix released a patch on July 18, 2023.[1]

CVE-2023-3519

CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:[1]

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.[1]

CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023.

Threat Actor Activity

As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].

The actors used the webshell for AD enumeration [T1016] and to exfiltrate AD data [TA0010]. Specifically, the actors:

  • Viewed NetScaler configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf [T1005]. Note: These configuration files contain an encrypted password that can be decrypted by the key stored on the ADC appliance [T1552.001].
  • Viewed the NetScaler decryption keys (to decrypt the AD credential from the configuration file) [T1552.004].
  • Used the decrypted AD credential to query the AD via ldapsearch. The actors queried for:
    • Users (objectClass=user) (objectcategory=person) [T1033]
    • Computers (objectClass=computer) [T1018]
    • Groups (objectClass=group) [T1069.002]
    • Subnets (objectClass=subnet)
    • Organizational Units (objectClass=organizationalUnit)
    • Contacts (objectClass=contact)
    • Partitions (objectClass=partition)
    • Trusts (objectClass=trustedDomain) [T1482]
  • Used the following command to encrypt discovery data collected via openssl in “tar ball” [T1560.001]: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz. (A “tar ball” is a compressed and zipped file used by threat actors for collection and exfiltration.)
  • Exfiltrated collected data by uploading as an image file [T1036.008] to a web-accessible path [T1074]: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.

The actors’ other discovery activities were unsuccessful due to the critical infrastructure organization’s deployment of their NetScaler ADC appliance in a segmented environment. The actors attempted to:

  • Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
  • Verified outbound network connectivity with a ping command (ping -c 1 google.com) [T1016.001].
  • Executed host commands for a subnet-wide DNS lookup.

The actors also attempted to delete their artifacts [TA0005]. The actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI) [T1531]. To regain access to the ADC appliance, the organization would normally reboot into single use mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.

The actors’ post-exploitation lateral movement attempts were also blocked by network-segmentation controls. The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability. The actors likely used this to attempt proxying SMB traffic to the DC [T1090.001] (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1–Table 9 for all referenced threat actor tactics and techniques in this advisory.

Table 1: Cyber Threat Actors ATT&CK Techniques for Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

The threat actors exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.

 

Table 2: Cyber Threat Actors ATT&CK Techniques for Persistence

Technique Title

ID

Use

Server Software Component: Web Shell

T1505.003

The threat actors implanted a generic webshell on the organization’s NetScaler ADC appliance.

 

Table 3: Cyber Threat Actors ATT&CK Techniques for Privilege Escalation

Technique Title

ID

Use

Abuse Elevation Control Mechanism: Setuid and Setgid

T1548.001

As part of their initial exploit chain uploaded a TGZ file contain a setuid binary on the ADC appliance.

 

Table 4: Cyber Threat Actors ATT&CK Techniques for Credential Access

Technique Title

ID

Use

Unsecured Credentials: Credentials In Files

T1552.001

The threat actors obtained encrypted passwords from NetScaler ADC configuration files, and the decryption key was stored on the ADC appliance.

Unsecured Credentials: Private Keys

T1552.004

The threat actors obtained decryption keys to decrypt the AD credential obtained from the NetScaler ADC configuration files.

 

Table 5: Cyber Threat Actors ATT&CK Techniques for Discovery

Technique Title

ID

Use

Domain Trust Discovery

T1482

The threat actors queried the AD for trusts.

Permission Groups Discovery: Domain Groups

T1069.002

The threat actors quired the AD for groups.

Remote System Discovery

T1018

The threat actors queried the AD for computers.

System Network Configuration Discovery

T1016

The actors used a webshell for AD enumeration.

The threat actors attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Network-segmentation controls prevented this activity.

System Network Configuration Discovery: Internet Connection Discovery

T1016.001

The threat actors attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Network-segmentation controls prevented this activity.

Network Service Discovery

T1046

The threat actors conducted SMB scanning on the organization’s subnet.

Account Discovery: Domain Account

T1087.002

The threat actors queried the AD for users.

 

Table 6: Cyber Threat Actors ATT&CK Techniques for Collection

Technique Title

ID

Use

Archive Collected Data: Archive via Utility

T1560.001

The threat actors used a command to encrypt the discovery data they collected.

Data from Local System

T1005

The threat actors viewed NetScaler ADC configuration files flash/nsconfig/keys/updated/* and /nsconfig/ns.conf.

 

Table 7: Cyber Threat Actors ATT&CK Techniques for Command and Control

Technique Title

ID

Use

Ingress Tool Transfer

T1105

The threat actors exploited CVE-2023-3519 to upload a TGZ file containing a generic webshell, discovery script, and setuid binary on the ADC appliance.

 

DETECTION METHODS

Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

  1. Check for files newer than the last installation.
  2. Modify the -newermt parameter with the date that corresponds to your last installation:
    • find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} ;
    • find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
    • find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
    • find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
  3. Check http error logs for abnormalities that may be from initial exploit:
    • grep '.sh' /var/log/httperror.log*
    • grep '.php' /var/log/httperror.log*
  4. Check shell logs for unusual post-ex commands, for example:
    • grep '/flash/nsconfig/keys' /var/log/sh.log*
  5. Look for setuid binaries dropped:
    • find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} ;
  6. Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
  7. Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
  8. Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
  9. Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
  10. Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
  11. Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection. 
  12. If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
  13. Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below): 
    • database.php
    • ns_gui/vpn
    • /flash/nsconfig/keys/updated 
    • LDAPTLS_REQCERT 
    • ldapsearch 
    • openssl + salt
  14. Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

INCIDENT RESPONSE

If compromise is detected, organizations should:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

MITIGATIONS

CISA recommends all organizations:

  • Install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. See Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 for patch information.
  • Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of information technology (IT) and operational technology (OT) security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and ACSC also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
  • As a longer-term effort, apply robust network-segmentation controls on NetScaler appliances, and other internet-facing devices.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 1–Table 9).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Citrix Security Bulletin CTX561482: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Microsoft.PowerShell.TextUtility module updates

This post was originally published on this site

TextUtility module gets new functionality

We have recently released another preview of the TextUtility module. This module is a collection of tools that
are meant to help with working with text content.

Installing the module

You can install this module from the PowerShellGallery with PowerShellGet via:

Install-Module -Name Microsoft.PowerShell.TextUtility -AllowPrerelease

Or you can install it with PSResourceGet via:

Install-PSResource -Name Microsoft.PowerShell.TextUtility -Prerelease

ConvertFrom-TextTable

The most recent pre-release of Microsoft.PowerShell.TextUtility
has some new exciting functionality.
The new ConvertFrom-TextTable cmdlet allows you to take tabular text
and convert it into objects.
Also, there is a way to convert some of types of those objects into something other than a string.
Using the -ConvertPropertyValue parameter will change the value of the property to a strongly typed value.
This means you can do the following:


PS> df | select -first 6 | convertfrom-texttable -ConvertPropertyValue |Ft                       

Filesystem     512-blocks     Used  Available Capacity  iused      ifree %iused Mounted_on
----------     ----------     ----  --------- --------  -----      ----- ------ ----------
/dev/disk4s1s1 3907805752 17699080 1242895000 2%       355382 4291123926 0%     /
devfs                 462      462          0 100%        800          0 100%   /dev
/dev/disk4s3   3907805752  3676600 1242895000 1%         3745 6214475000 0%     /System/Volumes/Preboot
/dev/disk4s5   3907805752  4194376 1242895000 1%            2 6214475000 0%     /System/Volumes/VM
/dev/disk4s6   3907805752    19992 1242895000 1%           19 6214475000 0%     /System/Volumes/Update

PS> df | select -first 6 | convertfrom-texttable -ConvertPropertyValue |?{$_.available -lt 10}|Ft

Filesystem 512-blocks Used Available Capacity iused ifree %iused Mounted_on
---------- ---------- ---- --------- -------- ----- ----- ------ ----------
devfs             462  462         0 100%       800     0 100%   /dev

ConvertFrom-TextTable also allows you to specify where the header line is defined, or skip lines until you get to where the data starts.
Additionally, it is possible to take the text output and explicitly create properties by defining where a column starts.

PS> $string = $("a".."z";"A".."Z";0..9) -join ""                                                      
PS> 1..10 | %{$string}|convertfrom-texttable -noheader -columnoffset 0,15,23,40,55 | ft

Property_01     Property_02 Property_03       Property_04     Property_05
-----------     ----------- -----------       -----------     -----------
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789
abcdefghijklmno pqrstuvw    xyzABCDEFGHIJKLMN OPQRSTUVWXYZ012 3456789

Finally, you can also emit the data as JSON with the -AsJson parameter:

PS> who -p | %{$_.trim()} | convertfrom-texttable -noheader -AsJson  
{ "Property_01": "james", "Property_02": "console", "Property_03": "Jun", "Property_04": "22", "Property_05": "08:34" }
{ "Property_01": "james", "Property_02": "ttys016", "Property_03": "Jun", "Property_04": "22", "Property_05": "10:00" }
{ "Property_01": "james", "Property_02": "ttys017", "Property_03": "Jun", "Property_04": "22", "Property_05": "14:42" }
{ "Property_01": "james", "Property_02": "ttys004", "Property_03": "Jun", "Property_04": "22", "Property_05": "22:08" }
{ "Property_01": "james", "Property_02": "ttys025", "Property_03": "Jun", "Property_04": "23", "Property_05": "00:38" }

Next Steps

This is still in pre-release and we know that there is still work to be done.
For example, the parser will create an object out of the header/data separator.
This is a little trickier than at first it would seem.
The text is inspected and columns width is decided based on the inspected text.
These header/data separator lines help the parser understand where the columns are separated.
This means we can’t just toss them out as the text is being read.
I’m sure you’ll find more things that we can do,
and we would love to get your feedback on this new cmdlet so please give this module a try.
Please submit your feedback to the repo directly via the issues tab, here.

Thanks so much!

Jim Truher

PowerShell Team

The post Microsoft.PowerShell.TextUtility module updates appeared first on PowerShell Team.

JSON Adapter Feedback Provider

This post was originally published on this site

JSON Adapter Feedback Provider Release

We are excited to announce the first release of our JSON Adapter Feedback Provider! If you are
unfamiliar with what feedback providers are, check out this blog describing them, here.

Installing JSON Adapter Feedback Provider

The release is available from the PowerShell Gallery.

Use the following command to install JsonAdapter using PowerShellGet v2.x:

Install-Module -Name Microsoft.PowerShell.JsonAdapter -AllowPrerelease 

If you are using PSResourceGet, you can use the following command:

Install-PSResource -Name Microsoft.PowerShell.JsonAdapter -AllowPrerelease

To use it you will need to import the module into your session via:

Import-Module Microsoft.PowerShell.JsonAdapter

We encourage you to include the import message in your $PROFILE so it can persistently be loaded
in every PowerShell session you start. If you have Visual Studio Code installed, type
code $PROFILE to edit your profile or use your choice of editor.

What are JSON Adapters?

A JSON adapter is a script that can parse the text output of a native executable and convert it to
JSON. Once the output is in a machine readable format like JSON, you can use ConvertFrom-JSON
cmdlet to make any native executable behave like a PowerShell object. JSON adapters can be made for
any command, it is just required to use the exact name of the command as the prefix to the script.
The script will have to be named like so <name of command>-json.ps1 to be identified by the JSON
adapter utility. This script’s file location must also be added to your $env:PATH variable to be
found.

Creating a JSON Adapter

For example, say you are on a Mac and want to use the command vm_stat like a PowerShell object. If
you add the following to a file called vm_stat-json.ps1 and add the location of this file to your
$env:PATH variable, the JSON Adapter feedback provider will identify it as a possible suggestion
for vm_stat.

[CmdletBinding()]
param ( [Parameter(ValueFromPipeline=$true)][string]$inputObject )
BEGIN {
    $h = @{}
}

PROCESS {
    if ( $inputObject -match "^Mach Virtual") {
        if ($inputObject -match "page size of (d+) ") {
            $h['PageSize'] = [int]$matches[1]
        }
    }
    else {
        $k,$v = $inputObject -split ":"
        $AdjustedK = ($k -replace "[ -]","_").trim() -replace '"'
        $AdjustedV = "$v".Trim() -replace ".$"
        $h[$AdjustedK] = [int64]$AdjustedV
    }
}

END {
    [pscustomobject]$h
}

 

This is what the experience looks like in the shell.

VM stat screenshot

JC

JC or JSON Converter, is a command line utility that can convert text to JSON for variety of command
line tools. You can find instructions on how to install jc and a full list of supported commands
on the repo of jc. It can be a great tool to use to convert the outputs without writing a JSON
Adapter yourself. The JSON Adapter module supports using jc as a JSON Adapter if the user has it
installed. This means if you have the jc utility installed and use a command that is supported by JC, the JSON
Adapter feedback provider will suggest using JC piped to ConvertFrom-JSON.

It is important to note that not all jc supported utilities are supported. The list of supported commands is:

"arp", "cksum", "crontab", "date", "df", "dig", "dir", "du", "file", "finger",
"free", "hash", "id", "ifconfig", "iostat", "jobs", "lsof", "mount", "mpstat",
"netstat", "route", "stat", "sysctl", "traceroute", "uname", "uptime", "w", "wc",
"who", "zipinfo"

Additionally, you will need to use the appropriate parameters that jc requires to work properly. For
example, if you want to use jc with uname, you will need to use uname -a as that is what jc
requires to properly convert the output to JSON.

Predictive IntelliSense Support

We have also added predictive IntelliSense support for the JSON Adapter feedback provider. This
means after a JSON Adapter feedback provider is triggered, as you type the command name again,
Predictive Intellisense will suggest the feedback command to you. This is a great way to easily try
the suggestion after a JSON Adapter feedback provider is triggered.

screenshot showing predictive intellisense support

Feedback

As this is our very first release, we know there may be issues that arise. We definitely look
forward to your feedback and suggestions! You can provide feedback on the repo for this project
here.

Jim Truher and Steven Bucher

PowerShell Team

The post JSON Adapter Feedback Provider appeared first on PowerShell Team.

What are Feedback Providers?

This post was originally published on this site

We introduced a new experimental feature back in PowerShell v7.4.0-preview.2+ called
PSFeedbackProvider. This blog outlines what this experimental feature is, how to use it and
describes different feedback providers we have already created.

Installing the PowerShell Preview and enabling Feedback Providers

You can install the latest 7.4 preview via our GitHub page here. If you are on Windows you can
download via the Microsoft store here.

Unless configured differently, the previews should have all experimental features enabled by deafult
but in case they are not enabled you can check and enable them by using the following commands:

Checking experimental features enabled:

Get-ExperimentalFeature

Enabling experimental feature:

Enable-ExperimentalFeature -Name PSFeedbackProvider

You will also have to enable the experimental feature PSCommandNotFoundSuggestion to get enable
the built in feedback provider.

Enable-ExperimentalFeature -Name PSCommandNotFoundSuggestion

Note


You must restart your PowerShell session to enable experimental features.

Why have we created Feedback Providers

After we created PowerShell Predictive IntelliSense, we realized that no matter how hard we can try
to be “preventative” of errors, they will still occur. This made us think there was a better way to
give the users more feedback to their errors so they could recover quicker from them.

After prototyping and seeing how great it could work for errors, we got thinking that maybe we can
help inform and teach users better practices to the shell and thus we expanded feedback providers to
successful executions and comments.

What are Feedback Providers?

Feedback Providers are PowerShell modules that utilize the IFeedbackProvider interface to give
feedback and suggestions after the shell users have attempted to execute something. Feedback
providers can trigger upon three different interactive scenarios:

  • Errors
  • Success
  • Comments

This means after the user has hit enter, Feedback Providers can trigger and know what scenario the
user has faced.

Built in Feedback Provider

We have created a built in feedback provider named General. This triggers on the CommandNotFound
exception error and gives the user suggestions on what command they may have meant to type from list
of commands already installed in the users $env:PATH. Both native commands and PowerShell cmdlets
will be suggested if they are installed.

You have may seen something similar to this before in previous versions of the
PSCommandNotFoundSuggestion experimental feature. We have given the UX an upgraded and turned this
into a feedback provider!

This is the old PSCommandNotFoundSuggestion experience:

Image SuggestionFramework png

This is the same feature but with the new feedback provider model:

Image CommandNotFoundFeedbackProvider

Command-Not-Found Feedback Provider

We have created an additional feedback provider that we call the command-not-found feedback
provider. This utilizes the command-not-found utility tool that is defaulted on Ubuntu systems.
This feedback provider will trigger when the user has attempted to execute a command that is not
installed on the system but will give the user suggestions on how to install the command on their
system using apt. This is only compatible with Linux systems where the command-not-found utility
tool has been installed.

Image FeedbackProvider

 

Another thing we did with this feedback provider is that we have it subscribed to the
ICommandPredictor interface so that it can give it suggestions directly to PowerShell Predictive
IntelliSense. This way as you start typing a suggestion, you can more quickly accept the suggestion.

Image commandnotfound png

We have open sourced this feedback provider so you can take a look at how we have implemented it
here. You can install this feedback provider from the PowerShell Gallery via this command:

Install-Module -Name command-not-found

Or if you are using the latest version of PSResourceGet, you can use this command:

Install-PSResource -Name command-not-found

You will need to import the module to enable the feedback provider:

Import-Module -Name command-not-found

We recommend you save this in your PowerShell $PROFILE so that it is always available to you.

What’s next with Feedback Providers?

We are still under rapid development with feedback providers so there may be changes to them in the
future! Due to the changes we are doing to the feedback provider, we will be publishing
documentation on how to create your own once we have finalized some design changes for creating the
providers.

In the meantime if you have any ideas on how we can make this experience best work for your
PowerShell workflow, please let us know in the issues tab of our PowerShell repo!

We are excited to be sharing more about feedback providers in the near future.

Thanks

Steven Bucher

The post What are Feedback Providers? appeared first on PowerShell Team.

Increased Truebot Activity Infects U.S. and Canada Based Networks

This post was originally published on this site

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader). Truebot is a botnet that has been used by malicious cyber groups like CL0P Ransomware Gang to collect and exfiltrate information from its target victims.

Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.

The authoring organizations recommend hunting for the malicious activity using the guidance outlined in this CSA, as well as applying vendor patches to Netwrix Auditor (version 10.5—see Mitigations section below).[1] Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI.

Download the PDF version of this report:

Read the associated Malware Analysis Report MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks or download the PDF version below:

For a downloadable copy of IOCs in .xml and .json format, see:

AA23-187A STIX XML
(XML, 204.54 KB
)
AA23-187A STIX JSON
(JSON, 140.24 KB
)

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section below for cyber threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access and Execution

In recent months, open source reporting has detailed an increase in Truebot malware infections, particularly cyber threat actors using new tactics, techniques, and procedures (TTPs), and delivery methods.[2] Based on the nature of observed Truebot operations, the primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain [TA0010].

  • Phishing:
    • Cyber threat actors have historically used malicious phishing emails as the primary delivery method of Truebot malware, which tricks recipients into clicking a hyperlink to execute malware. Cyber threat actors have further been observed concealing email attachments (executables) as software update notifications [T1189] that appear to be legitimate [T1204.002], [T1566.002]. Following interaction with the executable, users will be redirected to a malicious web domain where script files are then executed. Note: Truebot malware can be hidden within various, legitimate file formats that are used for malicious purposes [T1036.008].[3]
  • Exploitation of CVE-2022-31199:
    • Though phishing remains a prominent delivery method, cyber threat actors have shifted tactics, exploiting, in observable manner, a remote code execution vulnerability (CVE-2022-31199) in Netwrix Auditor [T1190]—software used for on-premises and cloud-based IT system auditing. Through exploitation of this CVE, cyber threat actors gain initial access, as well as the ability to move laterally within the compromised network [T1210].
Figure 1: CVE-2022-3199 Delivery Method for Truebot
Figure 1: CVE-2022-3199 Delivery Method for Truebot

Following the successful download of the malicous file, Truebot renames itself and then loads FlawedGrace onto the host. Please see the FlawedGrace section below for more information on how this remote access tool (RAT) is used in Truebot operations.

After deployment by Truebot, FlawedGrace is able to modify registry [T1112] and print spooler programs [T1547.012] that control the order that documents are loaded to a print queue. FlawedGrace manipulates these features to both escalate privilege and establish persistence.

During FlawedGrace’s execution phase, the RAT stores encrypted payloads [T1027.009] within the registry. The tool can create scheduled tasks and inject payloads into msiexec.exe and svchost.exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) [T1055.001] to accomplish privilege escalation.

Several hours post initial access, Truebot has been observed injecting Cobalt Strike beacons into memory [T1055] in a dormant mode for the first few hours prior to initiating additional operations. Please see the Cobalt Strike section below for more information on how this remote access tool (RAT) is used in Truebot operations.

Discovery and Defense Evasion

During the first stage of Truebot’s execution process, it checks the current version of the operating system (OS) with RtlGetVersion and processor architecture using GetNativeSystemInfo [T1082].[4] Note: This variant of Truebot malware is designed with over one gigabyte (GB) of junk code which functions to hinder detection and analysis efforts [T1027.001].

Following the initial checks for system information, Truebot has the capability to enumerate all running processes [T1057], collect sensitive local host data [T1005], and send this data to an encoded data string described below for second-stage execution. Based on IOCs in table 1, Truebot also has the ability to discover software security protocols and system time metrics, which aids in defense evasion, as well as enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks [T1518.001][T1124].

Next, it uses a .JSONIP extension, (e.g., IgtyXEQuCEvAM.JSONIP), to create a thirteen character globally unique identifier (GUID)—a 128-bit text string that Truebot uses to label and organize the data it collects [T1036].

After creating the GUID, Truebot compiles and enumerates running process data into either a base64 or unique hexadecimal encoded string [T1027.001]. Truebot’s main goal is identifying the presence of security debugger tools. However, the presence of identified debugger tools does not change Truebot’s execution process—the data is compiled into a base64 encoded string for tracking and defense evasion purposes [T1082][T1622].

Data Collection and Exfiltration

Following Truebot’s enumeration of running processes and tools, the affected system’s computer and domain name [T1082][T1016], along with the newly generated GUID, are sent to a hard-coded URL in a POST request (as observed in the user-agent string). Note: A user-agent string is a customized HTTP request that includes specific device information required for interaction with web content. In this instance, cyber threat actors can redirect victims to malicious domains and further establish a C2 connection.

The POST request functions as means for establishing a C2 connection for bi-lateral communication. With this established connection, Truebot uses a second obfuscated domain to receive additional payloads [T1105], self-replicate across the environment [T1570], and/or delete files used in its operations [T1070.004]. Truebot malware has the capability to download additional malicious modules [T1105], load shell code [T1620], and deploy various tools to stealthily navigate an infected network.

Associated Delivery Vectors and Tools

Truebot has been observed in association with the following delivery vectors and tools:

Raspberry Robin (Malware)

Raspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive [T1091].[5] Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware.[6] With the recent shift in Truebot delivery methods from malicious emails to the exploitation of CVE-2022-31199, a large number of Raspberry Robin infections have leveraged this exploitable CVE.[2]

Flawed Grace (Malware)

FlawedGrace is a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server sent over a custom binary protocol [T1095] using port 443 to deploy additional tools [T1105].[7] Truebot malware has been observed leveraging (and dropping) FlawedGrace via phishing campaigns as an additional payload [T1566.002].[8] Note: FlawedGrace is typically deployed minutes after Truebot malware is executed.

Cobalt Strike (Tool)

Cobalt Strike is a popular remote access tool (RAT) that cyber threat actors have leveraged—in an observable manner—for a variety of post-exploitation means. Typically a few hours after Truebot’s execution phase, cyber threat actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration purposes [T1059].[2] Cyber threat actors use Cobalt Strike to move laterally via remote service session hijacking [T1563.001][T1563.002], collecting valid credentials through LSASS memory credential dumping, or creating local admin accounts to achieve pass the hash alternate authentication [T1003.001][T1550.002].

Teleport (Tool)

Cyber threat actors have been observed using a custom data exfiltration tool, which Talos has named “Teleport.”[2] Teleport is known to evade detection during data exfiltration by using an encryption key hardcoded in the binary and a custom communication protocol [T1095] that encrypts data using advanced encryption standard (AES) and a hardcoded key [T1048][T1573.002]. Furthermore, to maintain its stealth, Teleport limits the data it collects and syncs with outbound organizational data/network traffic [T1029][T1030].

Truebot Malware Indicators of Compromise (IOCs)

Truebot IOCs from May 31, 2023, contain IOCs from cyber threat actors conducting Truebot malspam campaigns. Information is derived from a trusted third party, they observed cyber threat actors from 193.3.19[.]173 (Russia) using a compromised local account to conduct phishing campaigns on May 23, 2023 and spread malware through: https[:]//snowboardspecs[.]com/nae9v, which then promptly redirects the user to: https://www.meditimespharma[.]com/gfghthq/, which a trusted third party has linked to other trending Truebot activity.

After redirecting to https://www.meditimespharma[.]com/gfghthq/, trusted third parties have observed, the cyber threat actors using Truebot to pivot to https://corporacionhardsoft[.]com/images/2/Document_16654.exe, which is a domain associated with snowboardspecs[.]com, as well as malicious phishing campaigns in May 2023 and flagged my numerous security vendors, according to trusted third party reporting. Note: these IOCs are associated with Truebot campaigns used by Graceful Spider to deliver FlawedGrace and LummaStealer payloads in May of 2023.

The malicious file MD5 hash, 6164e9d297d29aa8682971259da06848 is associated with multiple Truebot rooted attack vectors and malware families, and was downloaded from https://corporacionhardsoft.com/images/2/Document_16654[.]exe which was flagged as malicious by numerous security vendors, and during its execution, the malware copies itself to C:IntelRuntimeBroker.exe, and based on trusted third party analysis, is linked to https://essadonio.com/538332[.]php, which is linked to 45.182.189[.]71 (Panama) and is associated with other trending Truebot malware campaigns from May 2023.

Please reference table 1 for IOCs described in the paragraph above.

Table 1: Truebot IOCs from May of 2023    

Indicator Type

Indicator

Source

Registrant

GKG[.]NET Domain Proxy Service Administrator

Trusted Third Party

Compromised Account Created:

2022-04-10

Trusted Third Party

Malicious account created

1999-11-09

Trusted Third Party

IP

193.3.19[.]173 (Russia)

Trusted Third Party

URL

https://snowboardspecs[.]com/nae9v

Trusted Third Party

Domain

https://corporacionhardsoft[.]com/images/2/Document_16654.exe

Trusted Third Party

File

Document_16654[.]exe

Trusted Third Party

MD5 Hash

6164e9d297d29aa8682971259da06848

Trusted Third Party

File

Document_may_24_16654[.]exe

Trusted Third Party

File

C:IntelRuntimeBroker[.]exe

Trusted Third Party

URL

https://essadonio.com/538332[.]php

Trusted Third Party

IP

45.182.189[.]71 (Panama)

Trusted Third Party

Account Created

2023-05-18

Trusted Third Party

 

Table 2: Truebot malware IOCs from May of 2023    

Indicator Type

Indicator

Source

URL

Secretsdump[.]py#l374

A Truly Graceful Wipe Out

Domain

Secretsdump[.]py

A Truly Graceful Wipe Out

Domain

Imsagentes[.]pe

A Truly Graceful Wipe Out

URL

https://imsagentes[.]pe/dgrjfj/

A Truly Graceful Wipe Out

URL

https://imsagentes[.]pe/dgrjfj

A Truly Graceful Wipe Out

URL

https://hrcbishtek[.]com/{5

A Truly Graceful Wipe Out

URL

https://ecorfan.org/base/sj/document_may_24_16654[.]exe

A Truly Graceful Wipe Out

Domain

Hrcbishtek[.]com

A Truly Graceful Wipe Out

File

F33734DFBBFF29F68BCDE052E523C287

A Truly Graceful Wipe Out

File

F176BA63B4D68E576B5BA345BEC2C7B7

A Truly Graceful Wipe Out

File

F14F2862EE2DF5D0F63A88B60C8EEE56

A Truly Graceful Wipe Out

Domain

Essadonio[.]com

A Truly Graceful Wipe Out

Domain

Ecorfan[.]org

A Truly Graceful Wipe Out

File

C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3

A Truly Graceful Wipe Out

Domain

Atexec[.]py

A Truly Graceful Wipe Out

File

A0E9F5D64349FB13191BC781F81F42E1

A Truly Graceful Wipe Out

IPv4

92.118.36[.]199

A Truly Graceful Wipe Out

IPv4

81.19.135[.]30

A Truly Graceful Wipe Out

File

72A589DA586844D7F0818CE684948EEA

A Truly Graceful Wipe Out

File

717BEEDCD2431785A0F59D194E47970E9544FBF398D462A305F6AD9A1B1100CB

A Truly Graceful Wipe Out

IPv4

5.188.86[.]18

A Truly Graceful Wipe Out

IPv4

5.188.206[.]78

A Truly Graceful Wipe Out

IPv4

45.182.189[.]71

A Truly Graceful Wipe Out

IPv4

139.60.160[.]166

A Truly Graceful Wipe Out

File

121A1F64FFF22C4BFCEF3F11A23956ED403CDEB9BDB803F9C42763087BD6D94E

A Truly Graceful Wipe Out

 

Table 3: Truebot IOCs from May 2023 (Malicious Domains, and Associated IP addresses and URLs)    
Malicious Domain Associated IP(s) Beacon URL

nitutdra[.]com

46.161.40[.]128

 

romidonionhhgtt[.]com

46.161.40.128

 

midnigthwaall[.]com

46.161.40[.]128

 

dragonetzone[.]com

46.161.40[.]128

hxxps://dragonetzone[.]com/gate_info[.]php

rprotecruuio[.]com

45.182.189[.]71

 

essadonio[.]com

45.182.189[.]71

hxxps://nomoresense[.]com/checkinfo[.]php

nomoresense[.]com

45.182.189[.]91

hxxps://nomoresense[.]com/checkinfo[.]php

ronoliffuion[.]com

45.182.189[.]120

hxxps://ronoliffuion[.]com/dns[.]php

bluespiredice[.]com

45.182.189[.]119

 

dremmfyttrred[.]com

45.182.189[.]103

hxxps://dremmfyttrred[.]com/dns[.]php

ms-online-store[.]com

45.227.253[.]102

 

ber6vjyb[.]com

92.118.36[.]252

hxxps://ber6vjyb[.]com/dns[.]php

jirostrogud[.]com

88.214.27[.]101

hxxps://ber6vjyb[.]com/dns[.]php

fuanshizmo[.]com

45.182.189[.]229

 

qweastradoc[.]com

92.118.36[.]213

hxxp://nefosferta[.]com/gate[.]php

qweastradoc[.]com

92.118.36[.]213

hxxp://nefosferta[.]com/gate[.]php

qweastradoc[.]com

92.118.36[.]213

hxxp://nefosferta[.]com/gate[.]php

hiperfdhaus[.]com

88.214.27[.]100

hxxp://nefosferta[.]com/gate[.]php

guerdofest[.]com

45.182.189[.]228

hxxp://qweastradoc[.]com/gate[.]php

nefosferta[.]com

179.60.150[.]139

hxxp://nefosferta[.]com/gate[.]php

 

Table 4: Truebot IOCs from May 2023 Continued (Malicious Domains and Associated Hashes)      

 Malicious Domain

MD5

SHA1

SHA256

nitutdra[.]com

 

 

 

romidonionhhgtt[.]com

 

 

 

midnigthwaall[.]com

 

 

 

dragonetzone[.]com

64b27d2a6a55768506a5658a31c045de

c69f080180430ebf15f984be14fb4c76471cd476

e0178ab0893a4f25c68ded11e74ad90403443e413413501d138e0b08a910471e

rprotecruuio[.]com

 

 

 

essadonio[.]com

9a3bad7d8516216695887acc9668cda1

a89c097138e5aab1f35b9a03900600057d907690

4862618fcf15ba4ad15df35a8dcb0bdb79647b455fea6c6937c7d050815494b0

essadonio[.]com

6164e9d297d29aa8682971259da06848

96b95edc1a917912a3181d5105fd5bfad1344de0

717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb

nomoresense[.]com

8f924f3cbe5d8fe3ecb7293478901f1a

516051b4cab1be74d32a6c446eabac7fc354904f

6b646641c823414c2ee30ae8b91be3421e4f13fa98e2d99272956e61eecfc5a1

nomoresense[.]com

ac6a2f1eafaae9f6598390d1017dd76c

1c637c2ded5d3a13fd9b56c35acf4443f308be52

f9f649cb5de27f720d58aa44aec6d0419e3e89f453730e155067506ad3ece638

ronoliffuion[.]com

881485ac77859cf5aaa8e0d64fbafc5f

51be660a3bdaab6843676e9d3b2af8444e88bbda

36d89f0455c95f9b00a8cea843003d0b53c4e33431fe57b5e6ec14a6c2e00e99

bluespiredice[.]com

 

 

 

dremmfyttrred[.]com

e4a42cbda39a20134d6edcf9f03c44ed

afda13d5365b290f7cdea701d00d05b0c60916f8

47f962063b42de277cd8d22550ae47b1787a39aa6f537c5408a59b5b76ed0464

dremmfyttrred[.]com

aa949d1a7ebe5f878023c6cfb446e29b

06057d773ad04fda177f6b0f6698ddaa47f7168a

594ade1fb42e93e64afc96f13824b3dbd942a2cdbc877a7006c248a38425bbc1

dremmfyttrred[.]com

338476c2b0de4ee2f3e402f3495d0578

03916123864aa034f7ca3b9d45b2e39b5c91c502

a67df0a8b32bdc5f9d224db118b3153f66518737e702314873b673c914b2bb5c

ms-online-store[.]com

 

 

 

ber6vjyb[.]com

46fe07c07fd0f45ba45240ef9aae2a44

b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b

c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

jirostrogud[.]com

89c8afc5bbd34f160d8a2b7218b9ca4a

16ecf30ff8c7887037a17a3eaffcb17145b69160

5cc8c9f2c9cee543ebac306951e30e63eff3ee103c62dadcd2ce43ef68bc7487

jirostrogud[.]com

5da364a8efab6370a174736705645a52

792623e143ddd49c36f6868e948febb0c9e19cd3

80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9

fuanshizmo[.]com

 

 

 

qweastradoc[.]com

ee1ccb6a0e38bf95e44b73c3c46268c5

62f5a16d1ef20064dd78f5d934c84d474aca8bbe

0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3

qweastradoc[.]com

82d4025b84cf569ec82d21918d641540

bb32c940f9ca06e7e8533b1d315545c3294ee1a0

c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c

qweastradoc[.]com

dbecfe9d5421d319534e0bfa5a6ac162

9e7a2464f53ce74d840eb84077472bc29fd1ba05

c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d

qweastradoc[.]com

b7fed593e8eb3646f876367b56725e6c

44090a7858eceb28bc111e1edd2f0dc98047afb2

ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885

hiperfdhaus[.]com

8e2b823aac6c9e11fcabecb1d8c19adf

77ad34334a370d85ca5e77436ed99f18b185eee3

a30e1f87b78d1cd529fbe2afdd679c8241d3baab175b2f083740263911a85304

hiperfdhaus[.]com

8a94163ddf956abd0ea92d89db0034e5

abc96032071adeb6217f0a5ba1aff55dc11f5438

b95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf

guerdofest[.]com

65fb9572171b903aa31a325f550d8778

d8bd44b7a8f136e29b31226f4edf566a4223266c

d5bbcaa0c3eeea17f12a5cc3dbcaffff423d00562acb694561841bcfe984a3b7

nefosferta[.]com

d9d85bdb6a3ac60a8ba6776c661dbace

78e38e522b1765efb15d0585e13c1f1301e90788

092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875

nefosferta[.]com

20643549f19bed9a6853810262622755

c8227dcc1cd6ecc684de8c5ea9b16e3b35f613f1

1ef8cdbd3773bd82e5be25d4ba61e5e59371c6331726842107c0f1eb7d4d1f49

nefosferta[.]com

e9299fc9b7daa0742c28bfc4b03b7b25

77360abc473dc65c8bdd73b6459b9ea8fddb6f1d

22e3f4602a258e92a0b8deb5a2bd69c67f4ac3ca67362a745178848a9da7a3cc

nefosferta[.]com

775fb391db27e299af08933917a3acda

eaaa5e68956a3a3f6113e965199f479e10ae9956

2d50b03a92445ba53ae147d0b97c494858c86a56fe037c44bc0edabb902420f7

nefosferta[.]com

f4045710c99d347fe6dfa2c0fcadde29

b7bffdbbaf817d149bbd061070a2d171449afbfc

32ae88cddeeeec255d6d9c827f6bffc7a95e9ea7b83a84a79ff793735a4b4ed7

nefosferta[.]com

587acecdb9491e0897d1067eb02e7c8d

a9eb1ac4b85d17da3a2bae5835c7e862d481c189

55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e

nefosferta[.]com

0bae65245e5423147fce079de29b6136

f24232330e6f428bfbb6b9d8154db1c4046c2fc2

6210a9f5a5e1dc27e68ecd61c092d2667609e318a95b5dade3c28f5634a89727

nefosferta[.]com

5022a85b39a75ebe2bc0411d7b058b2e

a9040ac0e9f482454e040e2a7d874ddc50e6f6ce

68a86858b4638b43d63e8e2aaec15a9ebd8fc14d460dd74463db42e59c4c6f89

nefosferta[.]com

6a2f114a8995dbeb91f766ac2390086e

edac3cf9533b6f7102f6324fadb437a0814cc680

72813522a065e106ac10aa96e835c47aa9f34e981db20fa46a8f36c4543bb85d

nefosferta[.]com

e9115cc3280c16f9019e0054e059f4b8

dad01b0c745649c6c8b87dbeb7ab549ed039515d

7a64bc69b60e3cd3fd00d4424b411394465640f499e56563447fe70579ccdd00

nefosferta[.]com

b54cc9a3dd88e478ea601dfd5b36805e

318fdfec4575d1530a41c80274aa8caae7b7f631

7c607eca4005ba6415e09135ef38033bb0b0e0ff3e46d60253fc420af7519347

nefosferta[.]com

f129c12b1bda7426f6b31682b42ee4b0

5bb804153029c97fe23517ae5428a591c3c63f28

7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63

nefosferta[.]com

f68aa4c92dd30bd5418f136aaf6c07d6

aa56f43e39d114235a6b1d5f66b593cc80325fa4

7e39dcd15307e7de862b9b42bf556f2836bf7916faab0604a052c82c19e306ca

nefosferta[.]com

acac995cee8a6a75fa79eb41bdffa53f

971a00a392b99f64a3886f40b6ef991e62f0fe2f

97bae3587f1d2fd35f24eb214b9dd6eed95744bed62468d998c7ef55ff8726d4

nefosferta[.]com

36057710279d9f0d023cb5613aa76d5e

e4dd1f8fc4e44c8fd0e25242d994c4b59eed6939

97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0

nefosferta[.]com

37e6904d84153d1435407f4669135134

1dcd85f7364ea06cd595a86e3e9be48995d596e9

bf3c7f0ba324c96c9a9bff6cf21650a4b78edbc0076c68a9a125ebcba0e523c9

nefosferta[.]com

4f3916e7714f2a32402c9d0b328a2c91

87a692e3592f7b997c7d962919e243b665f2be36

c3743a8c944f5c9b17528418bf49b153b978946838f56e5fca0a3f6914bee887

nefosferta[.]com

d9daaa0df32b0bb01a09e500fc7f5881

f9cb839adba612db5884e1378474996b4436c0cd

c3b3640ddf53b26f4ebd4eedf929540edb452c413ca54d0d21cc405c7263f490

nefosferta[.]com

c87fb9b9f6c343670bed605420583418

f05cf0b026b2716927dac8bcd26a2719ea328964

c6c4f690f0d15b96034b4258bdfaf797432a3ec4f73fbc920384d27903143cb0

nefosferta[.]com

2be64efd0fa7739123b26e4b70e53c5c

318fdfec4575d1530a41c80274aa8caae7b7f631

ed38c454575879c2546e5fccace0b16a701c403dfe3c3833730d23b32e41f2fe

 

Table 5: Truebot IOCs Connected to Russia, and Panama Locations      

 Malicious Domain

IP Addresses

Files

SHA256

Dremmfyttrred[.]com

 

 

 

 

45.182.189[.]103

 

 

 

94.142.138[.]61

 

 

 

172.64.155[.]188

 

 

 

104.18.32[.]68

 

 

 

 

Update[.]exe

 

 

 

Document_26_apr_2443807[.]exe

 

 

 

3ujwy2rz7v[.]exe

 

 

 

 

fe746402c74ac329231ae1b5dffa8229b509f4c15a0f5085617f14f0c1579040

droogggdhfhf[.]com

 

3LXJyA6Gf[.]exe

7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7

 

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 6-16 for all referenced cyber threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 6: Initial Access    

Technique Title

ID

Use

Replication Through Removable Media

T1091

Cyber threat actors use removable media drives to deploy Raspberry Robin malware.

Drive-by Compromise

T1189

Cyber threat actors embed malicious links or attachments within web domains to gain initial access.

Exploit Public-Facing Application

T1190

Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution.

Phishing

T1566.002

Truebot actors can send spear phishing links to gain initial access.

 

Table 7: Execution    

Technique Title

ID

Use

Command and Scripting Interpreter

T1059

Cyber threat actors have been observed dropping cobalt strike beacons as a reverse shell proxy to create persistence within the compromised network.

Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.

Shared Modules

T1129

Cyber threat actors can deploy malicious payloads through obfuscated share modules.

User Execution: Malicious Link

T1204.001

Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.

 

Table 8: Persistence    

Technique Title

ID

Use

Hijack Execution Flow: DLL Side-Loading

1574.002

Cyber threat actors use Raspberry Robin, among other toolsets to side-load DLLs to maintain persistence.

 

Table 9: Privilege Escalation    

Technique Title

ID

Use

Boot or Logon Autostart Execution: Print Processors

T1547.012

FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.

 

Table 10: Defense Evasion    

Technique Title

ID

Use

Obfuscated Files or Information

T1027

Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP), to create a GUID.

Obfuscated Files or Information: Binary Padding

T1027.001

Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.

Masquerading: Masquerade File Type

T1036.008

Cyber threat actors hide Truebot malware as legitimate appearing file formats.

Process Injection

T1055

Truebot malware has the ability to load shell code after establishing a C2 connection.

Indicator Removal: File Deletion

T1070.004

Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection.

Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.

Modify Registry

T1112

FlawedGrace is able to modify registry programs that control the order that documents are loaded to a print que.

Reflective Code Loading

T1620

Truebot malware has the capability to load shell code and deploy various tools to stealthily navigate an infected network.

 

 

Table 11: Credential Access    

Technique Title

ID

Use

OS Credential Dumping: LSASS Memory

T1003.001

Cyber threat actors use cobalt strike to gain valid credentials through LSASS memory dumping.

 

Table 12: Discovery    

Technique Title

ID

Use

System Network Configuration Discovery

T1016

Truebot malware scans and enumerates the affected system’s domain names.

Process Discovery

T1057

Truebot malware enumerates all running processes on the local host.

System Information Discovery

T1082

Truebot malware scans and enumerates the OS version information, and processor architecture.

Truebot malware enumerates the affected system’s computer names.

System Time Discovery

T1124

Truebot has the ability to discover system time metrics, which aids in enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.

Software Discovery: Security Software Discovery

T1518.001

Truebot has the ability to discover software security protocols, which aids in defense evasion.

Debugger Evasion

T1622

Truebot malware scans the compromised environment for debugger tools and enumerates them in effort to evade network defenses.

 

Table 13: Lateral Movement    

Technique Title

ID

Use

Exploitation of Remote Services

T1210

Cyber threat actors exploit CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network.

Use Alternate Authentication Material: Pass the Hash

T1550.002

Cyber threat actors use cobalt strike to authenticate valid accounts

Remote Service Session Hijacking

T1563.001

Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.

Remote Service Session Hijacking: RDP Hijacking

T1563.002

Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.

Lateral Tool Transfer

T1570

Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.

 

Table 14: Collection    

Technique Title

ID

Use

Data from Local System

T1005

Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives.

Truebot gathers and compiles compromised system’s host and domain names.

Screen Capture

T1113

Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string.

 

Table 15: Command and Control    

Technique Title

ID

Use

Application Layer Protocol

T1071

Cyber threat actors use teleport exfiltration tool to blend exfiltrated data with network traffic.

Non-Application Protocol

T1095

Cyber threat actors use Teleport and FlawedGrace to send data over custom communication protocol.

Ingress Transfer Tool

T1105

Cyber threat actors deploy various ingress transfer tool payloads to move laterally and establish C2 connections.

Encrypted Channel: Asymmetric Cryptography

T1573.002

Cyber threat actors use Teleport to create an encrypted channel using AES.

 

Table 16: Exfiltration    

Technique Title

ID

Use

Scheduled Transfer

T1029

Teleport limits the data it collects and syncs with outbound organizational data/network traffic.

Data Transfer Size Limits

T1030

Teleport limits the data it collects and syncs with outbound organizational data/network traffic.

Exfiltration Over C2 Channel

T1048

Cyber threat actors blend exfiltrated data with network traffic to evade detection.

Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.

 

DETECTION METHODS

CISA and authoring organizations recommend that organizations review and implement the following detection signatures, along with: Win/malicious_confidence100% (W), Trojan:Win32/Tnega!MSR, and Trojan.Agent.Truebot.Gen, as well as YARA rules below to help detect Truebot malware.

Detection Signatures
Figure 2: Snort Signature to Detect Truebot Malware

alert tcp any any -> any any (msg:”TRUEBOT: Client HTTP Header”; sid:x; rev:1; flow:established,to_server; content:”Mozilla/112.0 (compatible|3b 20 4d 53 49 45 20 31 31 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 30 29|”; http_header; nocase; classtype:http-header; metadata:service http;)

 

YARA Rules

CISA developed the following YARA to aid in detecting the presence of Truebot Malware.

Figure 3: YARA Rule for Detecting Truebot Malware

rule CISA_10445155_01 : TRUEBOT downloader

{

meta:

Author = "CISA Code & Media Analysis"

Incident = "10445155"

Date = "2023-05-17"

Last_Modified = "20230523_1500"

Actor = "n/a"

Family = "TRUEBOT"

Capabilities = "n/a"

Malware_Type = "downloader"

Tool_Type = "n/a"

Description = "Detects TRUEBOT downloader samples"

SHA256 = "7d75244449fb5c25d8f196a43a6eb9e453652b2185392376e7d44c21bd8431e7"

strings:

$s1 = { 64 72 65 6d 6d 66 79 74 74 72 72 65 64 2e 63 6f 6d }

$s2 = { 4e 73 75 32 4f 64 69 77 6f 64 4f 73 32 }

$s3 = { 59 69 50 75 6d 79 62 6f 73 61 57 69 57 65 78 79 }

$s4 = { 72 65 70 6f 74 73 5f 65 72 72 6f 72 2e 74 78 74 }

$s5 = { 4c 6b 6a 64 73 6c 66 6a 33 32 6f 69 6a 72 66 65 77 67 77 2e 6d 70 34 }

$s6 = { 54 00 72 00 69 00 67 00 67 00 65 00 72 00 31 00 32 }

$s7 = { 54 00 55 00 72 00 66 00 57 00 65 00 73 00 54 00 69 00 66 00 73 00 66 }

condition:

5 of them

}

  • Additional YARA rules for detecting Truebot malware can be referenced from GitHub.[9]

INCIDENT RESPONSE

The following steps are recommended if organizations detect a Truebot malware infection and compromise:

  1. Quarantine or take offline potentially affected hosts.
  2. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  3. Provision new account credentials.
  4. Reimage compromised host.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or contact your local FBI field office. State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722).

MITIGATIONS

CISA and the authoring organizations recommend organizations implement the below mitigations, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services.

For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and co-sealers recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

  • Apply patches to CVE-2022-31199
  • Update Netwrix Auditor to version 10.5

Reduce threat of malicious actors using remote access tools by:

  • Implementing application controls to manage and control execution of software, including allowlisting remote access programs.
    • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.

See the National Security Agency’s Cybersecurity Information sheet, Enforce Signed Software Execution Policies, and additional guidance below:

  • Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
    • Audit the network for systems using RDP.
    • Close unused RDP ports.
    • Enforce account lockouts after a specified number of attempts.
    • Apply phishing-resistant multifactor authentication (MFA).
    • Log RDP login attempts.
  • Disable command-line and scripting activities and permissions [CPG 2.N].
  • Restrict the use of PowerShell by using Group Policy, and only grant to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
  • Enable enhanced PowerShell logging [CPG 2.T, 2.U].
    • PowerShell logs contain valuable data, including historical OS and registry interaction and possible IOCs of a cyber threat actor’s PowerShell use.
    • Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
    • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. The authoring organizations recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
  • Reduce the threat of credential compromise via the following:
    • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
    • Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
    • Refrain from storing plaintext credentials in scripts.
  • Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory (AD) level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

In addition, CISA, FBI, MS-ISAC, and CCCS recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
  • Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of disruption to business practices as they can retrieve their data [CPG 2.R]. 
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
    • Use longer passwords consisting of at least 15 characters [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to various subnetworks, restricting further lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Disable unused ports [CPG 2.V].
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 5-13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REFERENCES

[1] Bishop Fox: Netwrix Auditor Advisory
[2] Talos Intelligence: Breaking the Silence – Recent Truebot Activity
[3] The DFIR Report: Truebot Deploys Cobalt Strike and FlawedGrace
[4] MAR-10445155-1.v1 .CLEAR Truebot Activity Infects U.S. and Canada Based Networks
[5] Red Canary: Raspberry Robin Delivery Vector
[6] Microsoft: Raspberry Robin Worm Part of a Larger Ecosystem Pre-Ransomware Activity
[7] Telsy: FlawedGrace RAT
[8] VMware Security Blog: Carbon Black’s Truebot Detection
[9] GitHub: DFIR Report – Truebot Malware YARA Rule

Additional Sources

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors (thehackernews.com)
Truebot Analysis Part 1
Truebot Analysis Part 2
Truebot Analysis Part 3
Truebot Exploits Netwrix Vulnerability
TrueBot malware delivery evolves, now infects businesses in the US and elsewhere 
Malpedia-Silence Downloader
Printer spooling: what is it and how to fix it? | PaperCut

ACKNOWLEDGEMENTS

VMware’s Carbon Black contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, and co-sealers.