I have added daemonlogger [1] for packet capture and Arkime [2] to visualize the packets captured by my DShield sensor and started noticing this activity that so far only gone to TCP/8090 which is URL and base64 encoded. The DShield sensor started capturing this activity on the 12 February 2024 inbound from various IPs from various locations.
Monthly Archives: February 2024
#StopRansomware: Phobos Ransomware
SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.[1],[2]
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.
Download the PDF version of this report:
For a downloadable copy of indicators of compromise (IOCs), see:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors.[3],[4]
Reconnaissance and Initial Access
Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns [T1598] to drop hidden payloads or using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports [T1595.001] or by leveraging RDP on Microsoft Windows environments.[5],[6]
Once they discover an exposed RDP service, the actors use open source brute force tools to gain access [T1110]. If Phobos actors gain successful RDP authentication [T1133][T1078] in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies [T1593]. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network [T1219].[7]
Alternatively, threat actors send spoofed email attachments [T1566.001] that are embedded with hidden payloads [T1204.002] such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.
Execution and Privilege Escalation
Phobos actors run executables like 1saas.exe
or cmd.exe
to deploy additional Phobos payloads that have elevated privileges enabled [TA0004]. Additionally, Phobos actors can use the previous commands to perform various windows shell functions. The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands [T1059.003][T1105].[8]
Smokeloader Deployment
Phobos operations feature a standard three phase process to decrypt a payload that allows the threat actors to deploy additional destructive malware.[9]
For the first phase, Smokeloader manipulates either VirtualAlloc
or VirtualProtect API
functions—which opens an entry point, enabling code to be injected into running processes and allowing the malware to evade network defense tools [T1055.002]. In the second phase, a stealth process is used to obfuscate command and control (C2) activity by producing requests to legitimate websites [T1001.003].[10]
Within this phase, the shellcode also sends a call from the entry point to a memory container [T1055.004] and prepares a portable executable for deployment in the final stage [T1027.002][T1105][T1140].
Finally, once Smokeloader reaches its third stage, it unpacks a program-erase cycle from stored memory, which is then sent to be extracted from a SHA 256 hash as a payload.[7] Following successful payload decryption, the threat actors can begin downloading additional malware.
Additional Phobos Defense Evasion Capabilities
Phobos ransomware actors have been observed bypassing organizational network defense protocols by modifying system firewall configurations using commands like netsh firewall set opmode mode=disable
[T1562.004]. Additionally, Phobos actors can evade detection by using the following tools: Universal Virus Sniffer, Process Hacker, and PowerTool [T1562].
Persistence and Privilege Escalation
According to open source reporting, Phobos ransomware uses commands such as Exec.exe
or the bcdedit[.]exe
control mechanism. Phobos has also been observed using Windows Startup folders and Run Registry Keys such as C:/UsersAdminAppDataLocaldirectory
[T1490][T1547.001] to maintain persistence within compromised environments.[5]
Additionally, Phobos actors have been observed using built-in Windows API functions [T1106] to steal tokens [T1134.001], bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege
process [T1134.002]. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access [T1003.005].
Discovery and Credential Access
Phobos actors additionally use open source tools [T1588.002] such as Bloodhound and Sharphound to enumerate the active directory [T1087.002]. Mimikatz and NirSoft, as well as Remote Desktop Passview to export browser client credentials [T1003.001][T1555.003], have also been used. Furthermore, Phobos ransomware is able to enumerate connected storage devices [T1082], running processes [T1057], and encrypt user files [T1083].
Exfiltration
Phobos actors have been observed using WinSCP
and Mega.io
for file exfiltration.[11] They use WinSCP
to connect directly from a victim network to an FTP server [T1071.002] they control [TA0010]. Phobos actors install Mega.io
[T1048] and use it to export victim files directly to a cloud storage provider [T1567.002]. Data is typically archived as either a .rar
or .zip
file [T1560] to be later exfiltrated. They target legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software [T1555.005].
Impact
After the exfiltration phase, Phobos actors then hunt for backups. They use vssadmin.exe
and Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments. This prevents victims from recovering files after encryption has taken place [T1047][T1490].
Phobos.exe
contains functionality to encrypt all connected logical drives on the target host [T1486]. Each Phobos ransomware executable has unique build identifiers (IDs), affiliate IDs, as well as a unique ransom note which is embedded in the executable. After the ransom note has populated on infected workstations, Phobos ransomware continues to search for and encrypt additional files.
Most extortion [T1657] occurs via email; however, some affiliate groups have used voice calls to contact victims. In some cases, Phobos actors have used onion sites to list victims and host stolen victim data. Phobos actors use various instant messaging applications such as ICQ, Jabber, and QQ to communicate [T1585]. See Figure 2 for a list of email providers used by the following Phobos affiliates: Devos, Eight, Elbie, Eking, and Faust.[6]
INDICATORS OF COMPROMISE (IOCs)
See Table 1 through 6 for IOCs obtained from CISA and the FBI investigations from September through November 2023.
Associated Phobos Domains |
---|
adstat477d[.]xyz |
demstat577d[.]xyz [12] |
serverxlogs21[.]xyz |
Shell Commands |
---|
vssadmin delete shadows /all /quiet [T1490] |
netsh advfirewall set currentprofile state off |
wmic shadowcopy delete |
netsh firewall set opmode mode=disable [T1562.004] |
bcdedit /set {default} bootstatuspolicy ignoreallfailures [T1547.001] |
bcdedit /set {default} recoveryenabled no [T1490] |
wbadmin delete catalog -quiet |
mshta C:%USERPROFILE%Desktopinfo.hta [T1218.005] |
mshta C:%PUBLIC%Desktopinfo.hta |
mshta C:info.hta |
The commands above are observed during the execution of a Phobos encryption executable. A Phobos encryption executable spawns a cmd.exe
process, which then executes the commands listed in Table 1 with their respective Windows system executables. When the commands above are executed on a Windows system, volume shadow copies are deleted and Windows Firewall is disabled. Additionally, the system’s boot status policy is set to boot even when there are errors during the boot process, and automatic recovery options, like Windows Recovery Environment (WinRE), are disabled for the given boot entry. The system’s backup catalog is also deleted. Finally, the Phobos ransom note is displayed to the end user using mshta.exe
.
Registry Keys |
---|
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun<Phobos exe name> |
C:/UsersAdminAppDataLocaldirectory |
Email Addresses | |
AlbetPattisson1981@protonmail[.]com |
henryk@onionmail[.]org |
atomicday@tuta[.]io |
info@fobos[.]one |
axdus@tuta[.]io |
it.issues.solving@outlook[.]com |
barenuckles@tutanota[.]com |
JohnWilliams1887@gmx[.]com |
Bernard.bunyan@aol[.]com |
jonson_eight@gmx[.]us |
bill.g@gmx[.]com |
joshuabernandead@gmx[.]com |
bill.g@msgsafe[.]io |
LettoIntago@onionmail[.]com |
bill.g@onionmail[.]org |
Luiza.li@tutanota[.]com |
bill.gTeam@gmx[.]com |
MatheusCosta0194@gmx[.]com |
blair_lockyer@aol[.]com |
mccreight.ellery@tutanota[.]com |
CarlJohnson1948@gmx[.]com |
megaport@tuta[.]io |
cashonlycash@gmx[.]com |
miadowson@tuta[.]io |
chocolate_muffin@tutanota[.]com |
MichaelWayne1973@tutanota[.]com |
claredrinkall@aol[.]com |
normanbaker1929@gmx[.]com |
clausmeyer070@cock[.]li |
nud_satanakia@keemail[.]me |
colexpro@keemail[.]me |
please@countermail[.]com |
cox.barthel@aol[.]com |
precorpman@onionmail[.]org |
crashonlycash@gmx[.]com |
recovery2021@inboxhub[.]net |
everymoment@tuta[.]io |
recovery2021@onionmail[.]org |
expertbox@tuta[.]io |
SamuelWhite1821@tutanota[.]com |
fastway@tuta[.]io |
SaraConor@gmx[.]com |
fquatela@techie[.]com |
secdatltd@gmx[.]com |
fredmoneco@tutanota[.]com |
skymix@tuta[.]io |
getdata@gmx[.]com |
sory@countermail[.]com |
greenbookBTC@gmx[.]com |
spacegroup@tuta[.]io |
greenbookBTC@protonmail[.]com |
stafordpalin@protonmail[.]com |
helperfiles@gmx[.]com |
starcomp@keemail[.]me |
helpermail@onionmail[.]org |
xdone@tutamail[.]com |
helpfiles@onionmail[.]org |
xgen@tuta[.]io |
helpfiles102030@inboxhub[.]net |
xspacegroup@protonmail[.]com |
helpforyou@gmx[.]com |
zgen@tuta[.]io |
helpforyou@onionmail[.]org |
zodiacx@tuta[.]io |
Telegram Username |
---|
@phobos_support |
Wickr Address |
---|
|
Disclaimer: Organizations are encouraged to investigate the use of the IOCs in Table 7 for related signs of compromise prior to performing remediation actions.
Associated IP Address | File Type | File Name | SHA 256 Hash |
---|---|---|---|
194.165.16[.]4 (October 2023) |
Win32.exe |
Ahpdate.exe [13] |
0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f |
45.9.74[.]14 (December 2023) 147.78.47[.]224 (December 2023) |
Executable and Linkable Format (ELF) [14] |
1570442295 (Trojan Linux Mirai) |
7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0 |
185.202.0[.]111 (September 2023) |
Win32.exe [15] |
cobaltstrike_shellcode[.]exe (C2 activity) |
|
185.202.0[.]111 (December 2023) |
.txt [16] |
f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c.bin (Trojan) |
Disclaimer: Organizations are encouraged to investigate the use of the file hashes in Tables 8 and 9 for related signs of compromise prior to performing remediation actions.
Phobos Ransomware SHA 256 Malicious Trojan Executable File Hashes |
---|
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c |
9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c |
482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52 |
c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763 |
Phobos Ransomware SHA 256 File Hashes |
58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6 |
f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed |
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c |
32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3 |
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66 |
fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6 |
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2 |
MITRE ATT&CK TECHNIQUES
See Table 10 through 22 for all threat actor tactics and techniques referenced in this advisory.
Technique Title | ID | Use |
---|---|---|
Search Open Websites/Domains |
Phobos actors perform open source research to find information about victims that can be used during targeting to create a victim profile. |
|
Scanning IP Blocks |
Phobos actors used IP scanning tools to include Angry IP Scanner to search for vulnerable RDP ports. |
|
Phishing for Information |
Phobos actors use phishing campaigns to social engineer information from users and gain access to vulnerable RDP ports. |
Technique Title | ID | Use |
---|---|---|
Establish Accounts |
Phobos actors establish accounts to communicate. |
|
Obtain Capabilities: Tool |
Phobos actors used open source tools in their attack. |
Technique Title | ID | Use |
---|---|---|
Valid Accounts |
Following successful RDP authentication, Phobos actors search for IP addresses and pair them with their associated computer to create a victim profile. |
|
External Remote Services |
Phobos actors may leverage external-facing remote services to initially access and/or persist within a network. |
|
Phishing: Spearphishing Attachment |
Phobos actors used a spoofed email attachment to execute attack. |
Technique Title | ID | Use |
---|---|---|
Windows Management Instrumentation |
Phobos actors used Windows Management Instrumentation command-line utility (WMIC) to prevent victims from recovering files. |
|
Windows Command Shell |
Phobos actors can use the previous commands to perform commands with windows shell functions. |
|
Native API |
Phobos actors used open source tools to enumerate the active directory. |
|
Malicious File |
Phobos actors attached a malicious email attachment to deliver ransomware. |
Technique Title | ID | Use |
---|---|---|
Registry Run Keys / Startup Folder |
Phobos ransomware operates using the |
Technique Title | ID | Use |
---|---|---|
Privilege Escalation |
Phobos actors use run commands like |
|
Portable Executable Injection |
Phobos actors use Smokeloader to inject code into running processes to identify an entry point through enabling a |
|
Asynchronous Procedure Call |
During phase two of execution, Phobos ransomware sends a call back from an identified entry point. |
|
Access Token Manipulation: Token Impersonation/Theft |
Phobos actors can use Windows API functions to steal tokens. |
|
Create Process with Token |
Phobos actors used Windows API functions to steal tokens, bypass access controls and create new processes. |
Technique Title | ID | Use |
---|---|---|
Software Packing |
Phobos actors deployed a portable executable (PE) to conceal code. |
|
Embedded Payloads |
Phobos actors embedded the ransomware as a hidden payload by using Smokeloader. |
|
Deobfuscate/Decode Files or Information |
During phase two of execution, Phobos actors’ malware stores and decrypts information. |
|
System Binary Proxy Execution: Mshta |
Phobos actors used Mshta to execute malicious files. |
|
Impair Defenses |
Phobos actors can use Universal Virus Sniffer, Process Hacker, and PowerTool to evade detection. |
|
Disable or Modify System Firewall |
Phobos ransomware has been observed bypassing organizational network defense protocols through modifying system firewall configurations. |
Technique Title | ID | Use |
---|---|---|
OS Credential Dumping: LSASS Memory |
Phobos actors used Mimikatz to export credentials. |
|
OS Credential Dumping: Cached Domain Credentials |
Phobos actors use cached domain credentials to authenticate as the domain administrator in the event a domain controller is unavailable. |
|
Brute Force |
Phobos actors may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. |
|
Credentials from Password Stores |
Phobos actors may search for common password storage locations to obtain user credentials. |
|
Credentials from Password Stores: Credentials from Web Browsers |
Phobos actors use Nirsoft or Passview to export client credentials from web browsers. Phobos actors search for stored credentials in browser clients once they gain initial network access. |
|
Credentials from Password Stores: Password Managers |
Phobos actors targeted victim’s databases for password management software. |
Technique Title | ID | Use |
---|---|---|
Process Discovery |
Phobos ransomware is able to run processes. |
|
System Information Discovery |
Phobos ransomware is able to enumerate connected storage devices. |
|
File and Directory Discovery |
Phobos ransomware can encrypt user files. |
|
Domain Account |
Phobos threat actor used Bloodhound and Sharphound to enumerate the active directory. |
Technique Title | ID | Use |
---|---|---|
Archive Collected Data |
Phobos threat actors archive data as either a |
Technique Title | ID | Use |
---|---|---|
Data Obfuscation: Protocol Impersonation |
Phobos actors used a stealth process to obfuscate C2 activity. |
|
File Transfer Protocols |
Phobos threat actors used |
|
Ingress Tool Transfer |
Phobos ransomware extracts its final payload from the hashed file. |
|
Remote Access Software |
Phobos threat actors used remote access tools to establish a remote connection within victim’s network. |
Technique Title | ID | Use |
---|---|---|
Exfiltration |
Phobos threat actors may use exfiltration techniques to steal data from your network. |
|
Exfiltration Over Alternative Protocol |
Phobos threat actors use software to export files to a cloud. |
|
Exfiltration to Cloud Storage |
Phobos threat actors use |
Technique Title | ID | Use |
---|---|---|
Data Encrypted for Impact |
Phobos threat actors use the |
|
Inhibit System Recovery |
Phobos threat actors may delete or remove backups to include volume shadow copies from Windows environments to prevent victim data recovery response efforts. |
|
Financial Theft |
Phobos threat actor’s extort victims for financial gain. |
MITIGATIONS
Secure by Design and Default Mitigations:
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the secure posture for their customers.
For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.
The FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture against actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
- Secure remote access software by applying recommendations from the joint Guide to Securing Remote Access Software.
- Implement application controls to manage and control execution of software, including allowlisting remote access programs.
- Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlist solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
- Implement log collection best practices and use intrusion detection systems to defend against threat actors manipulating firewall configurations through early detection [CPG 2.T].
- Implement EDR solutions to disrupt threat actor memory allocation techniques.
- Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
- Audit the network for systems using RDP.
- Close unused RDP ports.
- Enforce account lockouts after a specified number of attempts.
- Apply phishing-resistant multifactor authentication (MFA).
- Log RDP login attempts.
- Disable command-line and scripting activities and permissions [CPG 2.N].
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
- Reduce the threat of credential compromise via the following:
- Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
- Refrain from storing plaintext credentials in scripts.
- Implement time-based access for accounts at the admin level and higher [CPG 2.A, 2.E].
In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
- Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
- Use longer passwords consisting of at least 15 characters and no more than 64 characters in length [CPG 2.B].
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords [CPG 2.C].
- Implement multiple failed login attempt account lockouts [CPG 2.G].
- Disable password “hints.”
- Refrain from requiring password changes more frequently than once per year.
Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. - Require administrator credentials to install software.
- Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Disable unused ports and protocols [CPG 2.V].
- Consider adding an email banner to emails received from outside your organization [CPG 2.M].
- Disable hyperlinks in received emails.
- Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Tables 4-16).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
- Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
- Resource to mitigate a ransomware attack: CISA, NSA, FBI, and Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Joint #StopRansomware Guide.
- SLTT organizations are encouraged to implement MS-ISAC’s Ransomware Defense-in-Depth guidance.
- No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
- CISA: Known Exploited Vulnerabilities Catalog
- CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
- CISA: Decider Tool
- CISA: Cross-Sector Cybersecurity Performance Goals
- CISA: Secure by Design
- CISA: Implementing Phishing-Resistant MFA
- CISA: Guide to Securing Remote Access Software
REFERENCES
[1] Privacy Affairs: “Moral” 8Base Ransomware Targets 2 New Victims
[2] VMware: 8base ransomware: A Heavy Hitting Player
[3] Infosecurity Magazine: Phobos Ransomware Family Expands With New FAUST Variant
[4] The Record: Hospitals offline across Romania following ransomware attack on IT platform
[5] Comparitech: What is Phobos Ransomware & How to Protect Against It?
[6] Cisco Talos: Understanding the Phobos affiliate structure and activity
[7] Cisco Talos: A deep dive into Phobos ransomware, recently deployed by 8Base group
[8] Malwarebytes Labs: A deep dive into Phobos ransomware
[9] Any Run: Smokeloader
[10] Malpedia: Smokeloader
[11] Truesec: A case of the FAUST Ransomware
[12] VirusTotal: Phobos Domain #1
[13] VirusTotal: Phobos executable: Ahpdate.exe
[14] VirusTotal: Phobos GUI extension: ELF File
[15] VirusTotal: Phobos IP address: 185.202.0[.]111
[16] VirusTotal: Phobos GUI extension: Binary File
[17] Cisco Talos GitHub: IOCs/2023/11/deep-dive-into-phobos-ransomware.txt at main
REPORTING
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom-note, communications with Phobos actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.
The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870.
DISCLAIMER
The FBI does not conduct its investigative activities or base attribution solely on activities protected by the First Amendment. Your company has no obligation to respond or provide information back to the FBI in response to this engagement. If, after reviewing the information, your company decides to provide referral information to the FBI, it must do so in a manner consistent with federal law. The FBI does not request or expect your company to take any particular action regarding this information other than holding it in confidence due to its sensitive nature.
The information in this report is being provided “as is” for informational purposes only. The FBI and CISA not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, and the MS-ISAC.
ACKNOWLEDGEMENTS
The California Joint Regional Intelligence Center (JRIC, CA) and Israel National Cyber Directorate (INCD) contributed to this CSA.
VERSION HISTORY
February 29, 2024: Initial version.
SVR Cyber Actors Adapt Tactics for Initial Cloud Access
How SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud Infrastructure
OVERVIEW
This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.
The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an element of the Russian intelligence services. The US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand Government Communications Security Bureau (GCSB) agree with this attribution and the details provided in this advisory.
This advisory provides an overview of TTPs deployed by the actor to gain initial access into the cloud environment and includes advice to detect and mitigate this activity.
To download the PDF version of this report, click here.
PREVIOUS ACTOR ACTIVITY
The NCSC has previously detailed how Russian Foreign Intelligence Service (SVR) cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.
SVR actors are also known for:
- The supply chain compromise of SolarWinds software.
- Activity that targeted organizations developing the COVID-19 vaccine.
EVOLVING TTPs
As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.
They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.
To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors.
Below describes in more detail how SVR actors are adapting to continue their cyber operations for intelligence gain. These TTPs have been observed in the last 12 months.
ACCESS VIA SERVICE AND DORMANT ACCOUNTS
Previous SVR campaigns reveal the actors have successfully used brute forcing [T1110] and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.
SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system [T1078.004].
Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.
CLOUD-BASED TOKEN AUTHENTICATION
Account access is typically authenticated by either username and password credentials or system-issued access tokens. The NCSC and partners have observed SVR actors using tokens to access their victims’ accounts, without needing a password [T1528].
The default validity time of system-issued tokens varies dependent on the system; however, cloud platforms should allow administrators to adjust the validity time as appropriate for their users. More information can be found on this in the mitigations section of this advisory.
ENROLLING NEW DEVICES TO THE CLOUD
On multiple occasions, the SVR have successfully bypassed password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification [T1621].
Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant [T1098.005]. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.
By configuring the network with device enrollment policies, there have been instances where these measures have defended against SVR actors and denied them access to the cloud tenant.
RESIDENTIAL PROXIES
As network-level defenses improve detection of suspicious activity, SVR actors have looked at other ways to stay covert on the internet. A TTP associated with this actor is the use of residential proxies [T1090.002]. Residential proxies typically make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users. This reduces the effectiveness of network defenses that use IP addresses as indicators of compromise, and so it is important to consider a variety of information sources such as application and host-based logging for detecting suspicious activity.
CONCLUSION
The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds, however the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend from such actors.
For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access. By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend against this threat.
Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb, as reported in 2022. Therefore, mitigating against the SVR’s initial access vectors is particularly important for network defenders.
CISA have also produced guidance through their Secure Cloud Business Applications (SCuBA) Project which is designed to protect assets stored in cloud environments.
Some of the TTPs listed in this report, such as residential proxies and exploitation of system accounts, are similar to those reported as recently as January 2024 by Microsoft.
MITRE ATT&CK®
This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Tactic | ID | Technique | Procedure |
---|---|---|---|
Credential Access |
Brute Force |
The SVR use password spraying and brute forcing as an initial infection vector. |
|
Initial Access |
Valid Accounts: Cloud Accounts |
The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts. |
|
Credential Access |
Steal Application Access Token |
The SVR use stolen access tokens to login to accounts without the need for passwords. |
|
Credential Access |
Multi-Factor Authentication Request Generation |
The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing SVR access to the account. |
|
Command and Control |
Proxy: External Proxy |
The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs. |
|
Persistence |
Account Manipulation: Device Registration |
The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts. |
MITIGATION AND DETECTION
A number of mitigations will be useful in defending against the activity described in this advisory:
- Use multi-factor authentication (/2-factor authentication/two-step verification) to reduce the impact of password compromises. See NCSC guidance: Multifactor Authentication for Online Services and Setting up 2-Step Verification (2SV).
- Accounts that cannot use 2SV should have strong, unique passwords. User and system accounts should be disabled when no longer required with a “joiners, movers, and leavers” process in place and regular reviews to identify and disable inactive/dormant accounts. See NCSC guidance: 10 Steps to Cyber Security.
- System and service accounts should implement the principle of least privilege, providing tightly scoped access to resources required for the service to function.
- Canary service accounts should be created which appear to be valid service accounts but are never used by legitimate services. Monitoring and alerting on the use of these account provides a high confidence signal that they are being used illegitimately and should be investigated urgently.
- Session lifetimes should be kept as short as practical to reduce the window of opportunity for an adversary to use stolen session tokens. This should be paired with a suitable authentication method that strikes a balance between regular user authentication and user experience.
- Ensure device enrollment policies are configured to only permit authorized devices to enroll. Use zero-touch enrollment where possible, or if self-enrollment is required then use a strong form of 2SV that is resistant to phishing and prompt bombing. Old devices should be prevented from (re)enrolling when no longer required. See NCSC guidance: Device Security Guidance.
- Consider a variety of information sources such as application events and host-based logs to help prevent, detect and investigate potential malicious behavior. Focus on the information sources and indicators of compromise that have a better rate of false positives. For example, looking for changes to user agent strings that could indicate session hijacking may be more effective than trying to identify connections from suspicious IP addresses. See NCSC guidance: Introduction to Logging for Security Purposes.
DISCLAIMER
This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.
Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk.
All material is UK Crown Copyright.
Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities. Authoring organizations:
- Federal Bureau of Investigation (FBI)
- Multi-State Information Sharing & Analysis Center (MS-ISAC)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
- New Zealand National Cyber Security Centre (NCSC-NZ)
- CERT-New Zealand (CERT NZ)
Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.
Cyber threat actors are actively exploiting multiple previously identified vulnerabilities—CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893—affecting Ivanti Connect Secure and Ivanti Policy Secure gateways. The vulnerabilities impact all supported versions (9.x and 22.x) and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.
During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.
The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available. If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time. For example, as outlined in PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure), sophisticated actors may remain silent on compromised networks for long periods. The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
Note: On February 9, 2024, CISA issued Emergency Directive (ED) 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch (FCEB) agencies to perform specific actions on affected products.
The Canadian Centre for Cyber Security also issued an alert, Ivanti Connect Secure and Ivanti Policy Secure gateways zero-day vulnerabilities, which provides periodic updates for IT professionals and managers affected by the Ivanti vulnerabilities.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
TECHNICAL DETAILS
This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques in Appendix C for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
On January 10, 2024, Volexity reported on two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways observed being chained to achieve unauthenticated remote code execution (RCE):[1]
Volexity first identified active exploitation in early December 2023, when they detected suspicious lateral movement [TA0008] on the network of one of their network security monitoring service customers. Volexity identified that threat actors exploited the vulnerabilities to implant web shells, including GLASSTOKEN and GIFTEDVISITOR, on internal and external-facing web servers [T1505.003]. Once successfully deployed, these web shells are used to execute commands on compromised devices.[1]
After Ivanti provided initial mitigation guidance in early January, threat actors developed a way to bypass those mitigations to deploy BUSHWALK, LIGHTWIRE, and CHAINLINE web shell variants.[2] Following the actors’ developments, Ivanti disclosed three additional vulnerabilities:
- CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA that allows an attacker to access restricted resources without authentication.
- CVE-2024-22024 is an XML vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways that allows an attacker to access restricted resources without authentication.
- CVE-2024-21888 is a privilege escalation vulnerability found in the web component of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability allows threat actors to gain elevated privileges to that of an administrator.
Observed Threat Actor Activity
CISA has responded to multiple incidents related to the above vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways. In these incidents, actors exploited these CVEs for initial access to implant web shells and to harvest credentials stored on the devices. Post-compromise, the actors moved laterally into domain environments and have been observed leveraging tools that are native to the Ivanti appliances—such as freerdp
, ssh
, telnet
, and nmap
libraries—to expand their access to the domain environment. The result, in some cases, was a full domain compromise.
During incident response investigations, CISA identified that Ivanti’s internal and external ICT failed to detect compromise. The organizations leveraged the integrity checker to identify file mismatches in Ivanti devices; however, CISA incident response analysis confirmed that both the internal and external versions of the ICT were not reliable due to the existence of web shells found on systems that had no file mismatches according to the ICTs. Additionally, forensic analysis showed evidence the actors were able to clean up their efforts by overwriting files, time-stomping files, and re-mounting the runtime partition to return the appliance to a “clean state.” This reinforces that ICT scans are not reliable to indicate previous compromise and can result in a false sense of security that the device is free of compromise.
As detailed in Appendix A, CISA conducted independent research in a lab environment validating that the ICT is likely insufficient for detecting compromise and that a cyber threat actor may be able to maintain root level persistence despite issuing factory resets and appliance upgrades.
INDICATORS OF COMPROMISE
See Tables 1 – 4 in Appendix B for IOCs related to cyber actors exploiting multiple CVEs related to Ivanti appliances.
For additional indicators of compromise, see:
- Volexity: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- Mandiant: Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation
- Mandiant: Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation
- Mandiant: Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
Memory and disk forensics were used during forensic analysis, combined with the Integrity Checker Tool, to identify malicious files on the compromised Ivanti Connect Secure VPN appliance. This advisory provides a list of combined authoring organization IOCs and open source files identified by Volexity via network analysis.
Disclaimer: Some IP addresses in this advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action such as blocking. Activity should not be attributed as malicious without analytical evidence to support it is used at the direction of, or controlled by, threat actors.
DETECTION METHODS
YARA Rules
See Appendix D for additional open source YARA rules, provided by Volexity, that may aid network defenders in detecting malicious activity within Ivanti Connect Secure VPN appliances. For more information on detection methods, visit Mandiant’s blog post Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation or the Volexity GitHub page.
INCIDENT RESPONSE
The authoring organizations encourage you to assess your organization’s user interface (UI) software and systems for evidence of compromise and to hunt for malicious activity using signatures outlined within this advisory. If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the Ivanti Connect Secure VPN appliance as well as executing arbitrary code and installing malicious payloads.
Note: These are vendor-managed appliances and systems may be encrypted with limited access. Thus, collecting artifacts may be limited on some versions of appliances. The authoring organizations recommend investigating associated devices on the network to identify lateral movement in the absence of access to the Secure Connect appliance.
If a potential compromise is detected, organizations should:
- Quarantine or take offline potentially affected hosts.
- Reimage compromised hosts.
- Reset all credentials that may have been exposed during the compromise, including user and service accounts.
- Identify Ivanti hosts with Active Directory (AD) access, threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, it is assumed that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol (LDAP) and AD.
- Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
- Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
- Report the compromise to FBI Internet Crime Complaint Center (IC3) at IC3.gov, local FBI field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722). Organizations outside of the United States should contact their national cyber center. (See the Reporting section.)
MITIGATIONS
These mitigations apply to all critical infrastructure organizations and network defenders using Ivanti Connect Secure VPN and Ivanti Policy Secure. The authoring organizations recommend that software manufacturers incorporate Secure by Design principles and tactics into their software development practices. These principles and tactics can limit the impact of exploitation—such as threat actors leveraging newly discovered, unpatched vulnerabilities within Ivanti appliances—thus, strengthening the secure posture for their customers.
For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.
The authoring organizations recommend organizations implement the mitigations below to improve your cybersecurity posture based on threat actor activity and to reduce the risk of compromise associated with Ivanti vulnerabilities. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
- As organizations make risk decisions in choosing a VPN, to include decisions regarding continued operation of Ivanti Connect Secure and Policy Secure gateways, avoid VPN solutions that use proprietary protocols or non-standard features. VPNs as a class of devices carry some specific risks that a non-expert implementer may trigger (e.g., authentication integration and patching). When choosing a VPN, organizations should consider vendors who:
- Provide a Software Bill of Materials (SBOM) to proactively identify, and enable remediation of, embedded software vulnerabilities, such as deprecated operating systems.
- Allow a restore from trusted media to establish a root of trust. If the software validation tooling can be modified by the software itself, there is no way to establish a root of trust other than returning the device to the manufacturer (return material authorization [RMA]).
- Are a CVE Numbering Authority (CNA) so that CVEs are assigned to emerging vulnerabilities in a timely manner.
- Have a public Vulnerability Disclosure Policy (VDP) to enable security researchers to proactively share and disclose vulnerabilities through coordinated vulnerability disclosure (CVD).
- Have in place a clear end-of-life policy (EoL) to prepare customers for updating to supported product versions.
- Limit outbound internet connections from SSL VPN appliances to restrict access to required services. This will limit the ability of an actor to download tools or malware onto the device or establish outbound connections to command and control (C2) servers.
- Ensure SSL VPN appliances configured with Active Directory or LDAP authentication use low privilege accounts for the LDAP bind.
- Limit SSL VPN connections to unprivileged accounts only to help limit the exposure of privileged account credentials.
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
- Secure remote access tools.
- Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
- Strictly limit the use of Remote Desktop Protocols (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
- Audit the network for systems using RDP.
- Close unused RDP ports.
- Enforce account lockouts after a specified number of attempts.
- Apply phishing-resistant multifactor authentication (MFA).
- Log RDP login attempts.
- Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
- Use longer passwords consisting of at least 15 characters [CPG 2.B].
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords [CPG 2.C].
- Implement multiple failed login attempt account lockouts [CPG 2.G].
- Disable password “hints.”
- Require administrator credentials to install software.
- Review the CISA and NSA joint guidance for Selecting and Hardening Remote Access VPN Solutions.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how the controls perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (Appendix C).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REPORTING
U.S. organizations should report every potential cyber incident to the U.S. government. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI’s Internet Crime Complaint Center (IC3), local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI Field Office.
Australian organizations that have been impacted or require assistance regarding Ivanti compromise, contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
UK organizations that have been impacted by Ivanti compromise, should report the incident to the National Cyber Security Centre.
Organizations outside of the United States or Australia should contact their national cyber center.
REFERENCES
- Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity
- Ivanti Connect Secure VPN Exploitation Goes Global | Volexity
- KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation | Mandiant
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and authoring organizations.
ACKNOWLEDGEMENTS
Volexity, Mandiant, and Ivanti contributed to this advisory.
VERSION HISTORY
February 29, 2024: Initial version.
APPENDIX A: CISA’S PRODUCT EVALUATION FINDINGS
Research Approach
As part of ongoing efforts to effectively serve the cybersecurity community with actionable insights and guidance, CISA conducted research by using a free and downloadable version of the Ivanti Connect Secure virtual appliance to assess potential attack paths and adversary persistence mechanisms. The virtual appliances were not connected to the internet, and were deployed in a closed virtualized network, with a non-internet connected Active Directory. This research included a variety of tests on version 22.3R1 Build 1647
, connected to Active Directory credentials, to leverage the access obtained through CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. Put simply, CISA’s research team wanted to answer the question: “How far could an attacker go if they set were to exploit these CVEs remotely?”
Persistent Post-Reset and -Upgrade Access
Leveraging these vulnerabilities, CISA researchers were able to exfiltrate domain administrator cleartext credentials [TA0006], gain root-level persistence [TA0003], and bypass integrity checks used by the Integrity Checker application. CISA’s Incident Response team observed these specific techniques leveraged during the agency’s incident response engagements, along with the native tools and libraries to conduct internal reconnaissance and compromise domains behind the Ivanti appliances. CISA researchers assess that threat actors are able to use the credentials to move deeper into the environment.
The ability to exfiltrate domain administrator cleartext credentials, if saved when adding an “Active Directory Authentication server” during setup, was accomplished by using the root-level access obtained from the vulnerabilities to interface directly with the internal server and retrieve the cached credentials as shown in Figure 4, APPENDIX A. Users who currently have active sessions to the appliance could have their base64 encoded active directory cleartext passwords, in addition to the New Technology LAN Manager (NTLM) password hashes, retrieved with the same access, as shown in Figure 10, APPENDIX A. In addition to users with active sessions, users previously authenticated can have base64 encoded active directory plaintext passwords and NTLM hashes harvested from the backups of the data.mdb database files stored on the appliance, as shown in Figure 15 and 16, APPENDIX A.
The root-level access allows adversaries to maintain persistence despite issuing factory resets and appliance upgrades while deceiving the provided integrity checkers, creating the illusion of a clean installation. Due to the persistence mechanism being stored on the encrypted partition of the drive and inaccurate integrity check results, it is untenable for network administrators to validate their application has not been compromised without also decrypting the partition and validating against a clean installation of the appliance, which are actions not easily accomplished at present. Without major alterations of the integrity checking process, it is conceivable that new vulnerabilities that afford root-level access to the appliance could also result in root-kit level persistence to the appliance.
Below is proof of concept being released by CISA, which demonstrates the capacity of and opportunity for a threat actor to exfiltrate Domain Administrator credentials that were used during appliance configuration:
Below is a demonstration of the capacity for post exploitation exfiltration of base64 encoded cleartext credentials for active directory users and their associated NTLM password hashes:
APPENDIX B: INDICATORS OF COMPROMISE
Filename | Description | Purpose |
/home/perl/DSLogConfig.pm |
Modified Perl module. |
Designed to execute |
/usr/bin/a.sh |
gcore.in core dump script. |
|
/bin/netmon |
Sliver binary. |
|
/home/venv3/lib/python3.6/site-packages/*.egg |
Python package containing WIREFIRE among other files. |
|
/home/etc/sql/dsserver/sessionserver.pl |
Perl script to remount the filesystem with read/write access. |
Make sessionserver.sh executable, execute it, then restore original mount settings. |
/home/etc/sql/dsserver/sessionserver.sh |
Script executed by |
Uses regular expressions to modify |
/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi |
Modified legitimate component of the ICS VPN appliance, with new Perl module imports added and a one-liner to execute commands based on request parameters. |
Allows remote code execution over the Internet if the attacker can craft a request with the correct parameters. |
/home/webserver/htdocs/dana-na/auth/lastauthserverused.js |
Modified legitimate JavaScript component loaded by user login page of the Web SSL VPN component of Ivanti Connect Secure. |
Modified to harvest entered credentials and send them to a remote URL on an attacker-controlled domain. |
Value | Type | Description |
88.119.169[.]227 |
IP Address |
|
103.13.28[.]40 |
IP Address |
|
46.8.68[.]100 |
IPv4 |
|
206.189.208[.]156 |
IP Address |
DigitalOcean IP address tied to UTA0178. |
gpoaccess[.]com |
Hostname |
Suspected UTA0178 domain discovered via domain registration patterns. |
webb-institute[.]com |
Hostname |
Suspected UTA0178 domain discovered via domain registration patterns. |
symantke[.]com |
Hostname |
UTA0178 domain used to collect credentials from compromised devices. |
75.145.243[.]85 |
IP Address |
UTA0178 IP address observed interacting with compromised device. |
47.207.9[.]89 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
98.160.48[.]170 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
173.220.106[.]166 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
73.128.178[.]221 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
50.243.177[.]161 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
50.213.208[.]89 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
64.24.179[.]210 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
75.145.224[.]109 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.
|
50.215.39[.]49 |
IP Address |
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
71.127.149[.]194 |
|
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network.
|
173.53.43[.]7 |
|
UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network. |
Filename | Hash Value | Description |
Cav-0.1-py3.6.egg |
ed4b855941d6d7e07aacf016a2402c4c870876a050a4a547af194f5a9b47945f |
WIREFIRE web shell |
Health.py |
3045f5b3d355a9ab26ab6f44cc831a83 |
CHAINLINE web shell |
compcheckresult.cgi |
3d97f55a03ceb4f71671aa2ecf5b24e9 |
CHAINLINE web shell |
lastauthserverused.js |
2ec505088b942c234f39a37188e80d7a |
LIGHTWIRE web shell |
lastauthserverused.js |
8eb042da6ba683ef1bae460af103cc44 |
WARPWIRE credential harvester variant |
lastauthserverused.js |
a739bd4c2b9f3679f43579711448786f |
WARPWIRE credential harvester variant |
lastauthserverused.js |
a81813f70151a022ea1065b7f4d6b5ab |
WARPWIRE credential harvester variant |
lastauthserverused.js |
d0c7a334a4d9dcd3c6335ae13bee59ea |
WARPWIRE credential harvester variant |
lastauthserverused.js |
e8489983d73ed30a4240a14b1f161254 |
WARPWIRE credential harvester variant |
logo.gif |
N/A — varies |
Configuration and cache dump or CAV web server log exfiltration |
login.gif |
N/A — varies |
Configuration and cache dump |
[a-fA-f0-9]{10.css |
N/A — varies |
Configuration and cache dump |
visits.py |
N/A — varies |
WIREFIRE web shell |
Network Indicator | Type | Description |
symantke[.]com |
Domain |
WARPWIRE C2 server |
miltonhouse[.]nl |
Domain |
WARPWIRE variant C2 server |
entraide-internationale[.]fr |
Domain |
WARPWIRE variant C2 server |
api.d-n-s[.]name |
Domain |
WARPWIRE variant C2 server |
cpanel.netbar[.]org |
Domain |
WARPWIRE variant C2 server |
clickcom[.]click |
Domain |
WARPWIRE variant C2 server |
clicko[.]click |
Domain |
WARPWIRE variant C2 server |
duorhytm[.]fun |
Domain |
WARPWIRE variant C2 server |
line-api[.]com |
Domain |
WARPWIRE variant C2 server |
areekaweb[.]com |
Domain |
WARPWIRE variant C2 server |
ehangmun[.]com |
Domain |
WARPWIRE variant C2 server |
secure-cama[.]com |
Domain |
WARPWIRE variant C2 server |
146.0.228[.]66 |
IPv4 |
WARPWIRE variant C2 server |
159.65.130[.]146 |
IPv4 |
WARPWIRE variant C2 server |
8.137.112[.]245 |
IPv4 |
WARPWIRE variant C2 server |
91.92.254[.]14 |
IPv4 |
WARPWIRE variant C2 server |
186.179.39[.]235 |
IPv4 |
Mass exploitation activity |
50.215.39[.]49 |
IPv4 |
Post-exploitation activity |
45.61.136[.]14 |
IPv4 |
Post-exploitation activity |
173.220.106[.]166 |
IPv4 |
Post-exploitation activity |
APPENDIX C: MITRE ATT&CK TACTICS AND TECHNIQUES
Initial Access | ||
---|---|---|
Technique Title |
ID |
Use |
Exploit Public-Facing Applications |
Cyber actors will use custom web shells planted on public facing applications which allows persistence in victims’ environment. |
|
Persistence | ||
Technique Title |
ID |
Use |
Valid Accounts |
Cyber actors leverage compromised accounts to laterally move within internal systems via RDP, SBD, and SSH. |
|
Server Software Component: Web Shell |
Cyber actors may use web shells on internal- and external-facing web servers to establish persistent access to systems. |
|
Execution | ||
Technique Title |
ID |
Use |
Command and Scripting Interpreter: PowerShell |
Cyber actors leverage code execution from request parameters that are decoded from hex to base64 decoded, then passed to Assembly.Load(). Which is used to execute arbitrary powershell commands. |
|
Exploitation for Client Execution |
Cyber actors will exploit software vulnerabilities such as command-injection and achieve unauthenticated remote code execution (RCE). |
APPENDIX D: DETECTION METHODS
|
|
|
|
|
PowerShell and OpenSSH team investments for 2024
PowerShell 7.5
We continue to follow our yearly release schedule for PowerShell 7 and the next version will align with .NET 9.
Pseudo-terminal support
PowerShell currently has a design limitation that prevents full capture of output from native commands by PowerShell itself.
Native commands (meaning executables you run directly) will write output to STDERR or STDOUT pipes.
However, if the output is not redirected, PowerShell will simply have the native command write directly to the console.
PowerShell can’t just always redirect the output to capture it because:
- The order of output from STDERR and STDOUT can be non-deterministic because they are on different pipes,
but the order written to the console has meaning to the user. - Native commands can use detection of redirection to determine if the command is being run interactive or non-interactively
and behave differently such as prompting for input or defaulting to adding text decoration to the output.
To address this, we are working on an experimental feature to leverage pseudoterminals
to enable PowerShell to capture the output of native commands while still allowing the native command to seemingly write directly to the console.
This feature can then further be leveraged to:
- Ensure complete transcription of native commands
- Proper rendering of PowerShell progress bars in scripts that call native commands
- Enable feedback providers to act upon native command output
- For example, it would be possible to write a feedback provider that looked at the output of
git
commands
and provided suggestions for what to do next based on the output.
- For example, it would be possible to write a feedback provider that looked at the output of
Once this feature is part of PowerShell 7, there are other interesting scenarios that can be enabled in the future.
Platform support
Operating system versions and distributions are constantly evolving.
We want to ensure that a supported platform is a platform that is tested and validated by the team.
During 2024, the engineering team will focus on:
- Making our tests reliable so we are only spending manual effort investigating real issues when test fails
- Simplify how we add new platforms to our test matrix so new distro requests can be fulfilled more quickly
- More actively track the lifecycle of platforms we support
- Automate publishing the supported platforms list so that our docs are always up to date
Bug fixes and community PRs
The community has been great at opening issues and pull requests to help improve PowerShell.
For this release, we will focus on addressing issues and PRs that have been opened by the community.
This means less new features from the team, but we hope to make up for that with the community contributions
getting merged into the product. We will also be investing in the Working Group application process to expand the reach of those groups.
Please use reactions in GitHub issues and PRs to help us prioritize what to focus our limited time on.
Artifact management
Fundamentals work
Ensure PowerShell Gallery addresses the latest compliance requirements for security, accessibility, and reliability.
Include new types of repositories for PSResourceGet
We plan to introduce integration with container registries, both public and private, which will
help enterprise customers create a differentiation between trusted and untrusted content.
This change will allow for a Microsoft trusted repository while the PowerShellGallery continues as untrusted by default.
By having more options for private galleries, in addition to a Mirosoft trusted repository and the PowerShell Gallery,
this enables customers to have control over package availability suitable for their environments.
Concurrent installs
To improve performance during long-running installations, we plan to enable parallel operations
so multiple module installations can happen at the same time.
This change will be particularly impactful in modules with many dependencies, such as the Az module,
which currently can take significant time to install.
Local caching of artifact details
Currently the find-psresource
cmdlet pulls information about available artifacts from service endpoints
and outputs the list locally. We believe there is opportunity to locally cache the metadata about available
artifacts to reduce network dependency and improve performance when resolving dependency relationships.
This would also help enable implementing a feedback provider to suggest how to install module that is not currently installed.
So if a user tries to run a cmdlet that is not installed, the feedback provider will suggest what module to install to get the cmdlet to work.
Intelligence in the shell
We are obvserving and being thoughtful about what it will mean to integrate the experiences
provided by large language models into shell experience.
Our current outlook is to think beyond natural language chat to deep integration of learning opportunities.
We also believe there are lots of improvements to the interactivity of PowerShell that does not require a large language model.
This includes some more subtle improvements to the interactive experience of PowerShell that would help increase productivity
and efficiency at the command line.
Configuration
Desired State Configuration (DSC) helped to enable configuration as code for Windows.
With v3, we are focusing on enabling cross-platform use, simplifying resource development, improving experience
to integrate with higher level configuration management tools, and improving the experience for end users.
Our goal is to be code complete by end of March and work towards a release candidate by middle of the year.
This is a complete rewrite of DSC and we welcome feedback during the design and development process.
Remoting
Win32_OpenSSH
We hope to continue bringing new versions of OpenSSH to the Windows Server platform. Another goal
is to reduce the complex steps required to install and manage SSH at scale, to enable
partners that create automation tools to use the same mechanism when connecting to Windows servers
as they use for Linux.
SSHDConfig
Monitoring and management of the sshd_config
file at scale across platforms can be challenging.
We are working on a DSC v3 resource to enable management of sshd_config
using a syntax that is
closer aligned to the command line tools used by modern cloud platforms.
Initially, we’ll be targeting auditing scenarios but we hope to enable full management of the file in the future.
Help system
platyPS is a module that enables you to write PowerShell help
documentation in Markdown and convert it to PowerShell help format.
This tool is used by Microsoft teams and the community of module authors to more easily write and maintain help documentation.
We hope to continue work in this area to address partner feedback.
Other projects
The projects above will already keep the team very busy, but we will continue to maintain other existing projects.
We appreciate the community contributions to these projects and will continue to review issues and PRs:
- VSCode extension
- PSScriptAnalyzer module
- ConsoleGuiTools module
- TextUtility module
- PSReadLine module
- SecretManagement module
Our other projects will continue to be serviced on an as needed basis.
Thanks to the community from Steve Lee and Michael Greene on behalf of our team!
The post PowerShell and OpenSSH team investments for 2024 appeared first on PowerShell Team.