This post was originally published on this site

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.

Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.

In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.

The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.

The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.

Download a PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 14. See the MITRE ATT&CK for Enterprise section for all referenced tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Initial Access

The Play ransomware group gains initial access to victim networks through the abuse of valid accounts [T1078] and exploitation of public-facing applications [T1190], specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities. Play ransomware actors have been observed to use external-facing services [T1133] such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.

Discovery and Defense Evasion

Play ransomware actors use tools like AdFind to run Active Directory queries [TA0007] and Grixba [1], an information-stealer, to enumerate network information [T1016] and scan for anti-virus software [T1518.001]. Actors also use tools like GMER, IOBit, and PowerTool to disable anti-virus software [T1562.001] and remove log files [T1070.001]. In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender.[2]

Lateral Movement and Execution

Play ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec, to assist with lateral movement and file execution. Once established on a network, the ransomware actors search for unsecured credentials [T1552] and use the Mimikatz credential dumper to gain domain administrator access [T1003]. According to open source reporting [2], to further enumerate vulnerabilities, Play ransomware actors use Windows Privilege Escalation Awesome Scripts (WinPEAS) [T1059] to search for additional privilege escalation paths. Actors then distribute executables [T1570] via Group Policy Objects [T1484.001].

Exfiltration and Encryption

Play ransomware actors often split compromised data into segments and use tools like WinRAR to compress files [T1560.001] into .RAR format for exfiltration. The actors then use WinSCP to transfer data [T1048] from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted [T1486] with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes. [3] (Note: System files are skipped during the encryption process.) A .play extension is added to file names and a ransom note titled ReadMe[.]txt is placed in file directory C:.

Impact

The Play ransomware group uses a double-extortion model [T1657], encrypting systems after exfiltrating data. The ransom note directs victims to contact the Play ransomware group at an email address ending in @gmx[.]de. Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network ([.]onion URL).

Leveraged Tools

Table 1 lists legitimate tools Play ransomware actors have repurposed for their operations. The legitimate tools listed in this product are all publicly available. Use of these tools and applications should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.

Table 1: Tools Leveraged by Play Ransomware Actors

Name	Description
AdFind	Used to query and retrieve information from Active Directory.
Bloodhound	Used to query and retrieve information from Active Directory.
GMER	A software tool intended to be used for detecting and removing rootkits.
IOBit	An anti-malware and anti-virus program for the Microsoft Windows operating system. Play actors have accessed IOBit to disable anti-virus software.
PsExec	A tool designed to run programs and execute commands on remote systems.
PowerTool	A Windows utility designed to improve speed, remove bloatware, protect privacy, and eliminate data collection, among other things.
PowerShell	A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
Cobalt Strike	A penetration testing tool used by security professionals to test the security of networks and systems. Play ransomware actors have used it to assist with lateral movement and file execution.
Mimikatz	Allows users to view and save authentication credentials such as Kerberos tickets. Play ransomware actors have used it to add accounts to domain controllers.
WinPEAS	Used to search for additional privilege escalation paths.
WinRAR	Used to split compromised data into segments and to compress files into .RAR format for exfiltration.
WinSCP	Windows Secure Copy is a free and open-source Secure Shell (SSH) File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Play ransomware actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.
Microsoft Nltest	Used by Play ransomware actors for network discovery.
Nekto / PriviCMD	Used by Play ransomware actors for privilege escalation.
Process Hacker	Used to enumerate running processes on a system.
Plink	Used to establish persistent SSH tunnels.

Indicators of Compromise

See Table 2 for Play ransomware IOCs obtained from FBI investigations as of October 2023.

Table 2: Hashes Associated with Play Ransomware Actors

Hashes (SHA256)	Description
453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb	Play ransomware custom data gathering tool
47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57	Play ransomware encryptor
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212	SystemBC malware EXE
7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986	SystemBC malware DLL
7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8	Play ransomware binary
7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca	SystemBC malware DLL
c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c	Play network scanner
e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74	Play ransomware binary
e8d5ad0bf292c42a9185bb1251c7e763d16614c180071b01da742972999b95da	Play ransomware binary

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 3–Table 11 for all referenced threat actor tactics and techniques in this advisory.

Table 3: Play ATT&CK Techniques for Enterprise for Initial Access

Technique Title	ID	Use
Valid Accounts	T1078	Play ransomware actors obtain and abuse existing account credentials to gain initial access.
Exploit Public Facing Application	T1190	Play ransomware actors exploit vulnerabilities in internet-facing systems to gain access to networks.
External Remote Services	T1133	Play ransomware actors have used remote access services, such as RDP/VPN connection to gain initial access.

Table 4: Play ATT&CK Techniques for Enterprise for Discovery

Technique Title	ID	Use
System Network Configuration Discovery	T1016	Play ransomware actors use tools like Grixba to identify network configurations and settings.
Software Discovery: Security Software Discovery	T1518.001	Play ransomware actors scan for anti-virus software.

Table 5: Play ATT&CK Techniques for Enterprise for Defense Evasion

Technique Title	ID	Use
Impair Defenses: Disable or Modify Tools	T1562.001	Play ransomware actors use tools like GMER, IOBit, and PowerTool to disable anti-virus software.
Indicator Removal: Clear Windows Event Logs	T1070.001	Play ransomware actors delete logs or other indicators of compromise to hide intrusion activity.

Table 6: Play ATT&CK Techniques for Enterprise for Credential Access

Technique Title	ID	Use
Unsecured Credentials	T1552	Play ransomware actors attempt to identify and exploit credentials stored unsecurely on a compromised network.
OS Credential Dumping	T1003	Play ransomware actors use tools like Mimikatz to dump credentials.

Table 7: Play ATT&CK Techniques for Enterprise for Lateral Movement

Technique Title	ID	Use
Lateral Tool Transfer	T1570	Play ransomware actors distribute executables within the compromised environment.

Table 8: Play ATT&CK Techniques for Enterprise for Command and Control

Technique Title	ID	Use
Domain Policy Modification: Group Policy Modification	T1484.001	Play ransomware actors distribute executables via Group Policy Objects.

Table 9: Play ATT&CK Techniques for Enterprise for Collection

Technique Title	ID	Use
Archive Collected Data: Archive via Utility	T1560.001	Play ransomware actors use tools like WinRAR to compress files.

Table 10: Play ATT&CK Techniques for Enterprise for Exfiltration

Technique Title	ID	Use
Exfiltration Over Alternative Protocol	T1048	Play ransomware actors use file transfer tools like WinSCP to transfer data.

Table 11: Play ATT&CK Techniques for Enterprise for Impact

Technique Title	ID	Use
Data Encrypted for Impact	T1486	Play ransomware actors encrypt data on target systems to interrupt availability to system and network resources.
Financial Theft	T1657	Play ransomware actors use a double-extortion model for financial gain.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and ASD’s ACSC recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus, strengthening the security posture for their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI, CISA, and ASD’s ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 2.F, 2.R, 2.S] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies [CPG 2.C].
  • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 2.B];
  • Store passwords in hashed format using industry-recognized password managers;
  • Add password user “salts” to shared login credentials;
  • Avoid reusing passwords;
  • Implement multiple failed login attempt account lockouts [CPG 2.G];
  • Disable password “hints”;
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Require multifactor authentication [CPG 2.H] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. Also see Protect Yourself: Multi-Factor Authentication | Cyber.gov.au.
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Organizations are advised to deploy the latest Microsoft Exchange security updates. If unable to patch, then disable Outlook Web Access (OWA) until updates are able to be undertaken. Also see Patching Applications and Operating Systems | Cyber.gov.au.
• Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Also see Implementing Network Segmentation and Segregation.
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 1.E]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
• Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents actors from directly connecting to remote access services they have established for persistence. Also see Inbound Traffic Filtering – Technique D3-ITF.
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
• Disable unused ports [CPG 2.V].
• Consider adding an email banner to emails [CPG 2.M] received from outside your organization.
• Disable hyperlinks in received emails.
• Implement time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
• Disable command-line and scripting activities and permissions. Privileged escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E].
• Maintain offline backups of data and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, an organization ensures they will not be severely interrupted, and/or only have irretrievable data.
• Ensure backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 3-11).
2. Align your security technologies against this technique.
3. Test your technologies against this technique.
4. Analyze your detection and prevention technologies performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, and ASD’s ACSC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
• Resource to mitigate a ransomware attack: #StopRansomware Guide.
• No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

The FBI, CISA, and ASD’s ACSC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, the FBI’s Internet Crime Complaint Center (IC3), or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and the FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.

REFERENCES

[1] Symantec: Play Ransomware Group Using New Custom Data-Gathering Tools
[2] TrendMicro: Play Ransomware Spotlight
[3] SentinelLabs: Ransomware Developers Turn to Intermittent Encryption to Evade Detection

This post was originally published on this site

The Russia-based actor is targeting organizations and individuals in the UK and other geographical areas of interest.

OVERVIEW

The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.

The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.

Industry has previously published details of Star Blizzard. This advisory draws on that body of information.

This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.

To download a PDF version of this advisory, see Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns.

TARGETING PROFILE

Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.

Targets in the UK and US appear to have been most affected by Star Blizzard activity, however activity has also been observed against targets in other NATO countries, and countries neighboring Russia.

During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.

OUTLINE OF THE ATTACKS

The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.

Research and Preparation

Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts [T1589], [T1593].

Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [T1585.001] and have used supposed conference or event invitations as lures.

Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton mail in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector.

To appear authentic, the actor also creates malicious domains resembling legitimate organizations [T1583.001].

Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not exhaustive.

Preference for Personal Email Addresses

Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses. The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.

Building a Rapport

Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard now starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.

Delivery of Malicious Link

Once trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials.

The malicious link may be a URL in an email message, or the actor may embed a link in a document [T1566.001] on OneDrive, Google Drive, or other file-sharing platforms.

Star Blizzard uses the open-source framework EvilGinx in their spear- phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [T1539], [T1550.004].

Exploitation and Further Activity

Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.

Star Blizzard then uses the stolen credentials to log in to a target’s email account [T1078], where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002]. They have also set up mail- forwarding rules, giving them ongoing visibility of victim correspondence [T1114.003].

The actor has also used their access to a victim email account to access mailing–list data and a victim’s contacts list, which they then use for follow- on targeting. They have also used compromised email accounts for further phishing activity [T1586.002].

CONCLUSION

Spear-phishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success.

Individuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.

In the UK you can report related suspicious activity to the NCSC.

Information on effective defense against spear-phishing is included in the Mitigations section below.

MITRE ATT&CK^®

This report has been compiled with respect to the MITRE ATT&CK^® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic	ID	Technique	Procedure
Reconnaissance	T1593	Search Open Websites/Domains	Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.
Reconnaissance	T1589	Gather Victim Identity Information	Star Blizzard uses online data sets and open-source resources to gather information about their targets.
Resource Development	T1585.001	Establish Accounts: Social Media Accounts	Star Blizzard has been observed establishing fraudulent profiles on professional networking sites to conduct reconnaissance.
Resource Development	T1585.002	Establish Accounts: Email Accounts	Star Blizzard registers consumer email accounts matching the names of individuals they are impersonating to conduct spear-phishing activity.
Resource Development	T1583.001	Acquire Infrastructure: Domains	Star Blizzard registers domains to host their phishing framework.
Resource Development	T1586.002	Compromise Accounts: Email Accounts	Star Blizzard has been observed using compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim.
Initial Access	T1078	Valid Accounts	Star Blizzard uses compromised credentials, captured from fake log- in pages, to log in to valid victim user accounts.
Initial Access	T1566.001	Phishing: Spear-phishing Attachment	Star Blizzard uses malicious links embedded in email attachments to direct victims to their credential-stealing sites.
Initial Access	T1566.002	Phishing: Spear-phishing Link	Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.
Defense Evasion	T1550.004	Use Alternate Authentication Material: Web Session Cookie	Star Blizzard bypasses multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.
Credential Access	T1539	Steal Web Session Cookie	Star Blizzard uses EvilGinx to steal the session cookies of victims directed to their fake log-in domains.
Collection	T1114.002	Email Collection: Remote Email Collection	Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.
Collection	T1114.003	Email Collection: Email Forwarding Rule	Star Blizzard abuses email- forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to victim’s emails, even after compromised credentials are reset.

MITIGATIONS

A number of mitigations will be useful in defending against the activity described in this advisory.

• Use strong passwords. Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC guidance: Top Tips for Staying Secure Online.
• Use multi-factor authentication (2-factor authentication/two-step authentication) to reduce the impact of password compromises. See NCSC guidance: Multi-factor Authentication for Online Services and Setting Up 2-Step Verification (2SV).
• Protect your devices and networks by keeping them up to date: Use the latest supported versions, apply security updates promptly, use anti-virus and scan regularly to guard against known malware threats. See NCSC guidance: Device Security Guidance.
• Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion. You may recognize the sender’s name, but has the email come from an address that you recognize? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC guidance: Phishing attacks: Defending Your Organization and Internet Crime Complaint Center(IC3) | Industry Alerts.
• Enable your email providers’ automated email scanning features. These are turned on by default for consumer mail providers. See NCSC guidance: Telling Users to “Avoid Clicking Bad Links” Still Isn’t Working.
• Disable mail-forwarding. Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.

DISCLAIMER

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.

Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk.

All material is UK Crown Copyright^©.

This post was originally published on this site

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.

This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.

Overview

Adobe ColdFusion is a commercial application server used for rapid web-application development. ColdFusion supports proprietary markup languages for building web applications and integrates external components like databases and other third-party libraries. ColdFusion uses a proprietary language, ColdFusion Markup Language (CFML), for development but the application itself is built using JAVA.

In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs. Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.

Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident. Note: It is unknown if the same or different threat actors were behind each incident.

Incident 1

As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. Threat actors successfully connected from malicious IP address 158.101.73[.]241. Disclaimer: CISA recommends organizations investigate or vet this IP address prior to taking action, such as blocking. This IP resolves to a public cloud service provider and possibly hosts a large volume of legitimate traffic.

The agency’s correlation of Internet Information Services (IIS) logs against open source[1] information indicates that the identified uniform resource identifier (URI) /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc was used to exploit CVE-2023-26360. The agency removed the asset from the network within 24 hours of the MDE alert.

Threat actors started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful. Following additional enumeration efforts to obtain information about the web server and its operating system [T1082], the threat actors checked for the presence of ColdFusion version 2018 [T1518]—previous checks were also conducted against version 2016.

Threat actors were observed traversing the filesystem [T1083] and uploading various artifacts to the web server [T1105], to include deleting the file tat.cfm [T1070.004]. Note: This file was deleted prior to the victim locating it on the host for analysis. Its characteristics and functionality are unknown. In addition:

• Certutil[2] was run against conf.txt [T1140] and decoded as a web shell (config.jsp) [T1505.003],[T1036.008]. Conf.txt was subsequently deleted, likely to evade detection.
  Note: Threat actors were only observed interacting with the config.jsp web shell from this point on.
• HTTP POST requests [T1071.001] were made to config.cfm, an expected configuration file in a standard installation of ColdFusion [T1036.005]. Code review of config.cfm indicated malicious code—intended to execute on versions of ColdFusion 9 or less—was inserted with the intent to extract username, password, and data source uniform resource locators (URLs). According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised). This file also contained code used to upload additional files by the threat actors; however, the agency was unable to identify the source of their origin.
• Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell [T1564.001]. Analysis of this phase found no indication of successful execution.
• A small subset of events generated from various ColdFusion application logs identified that tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors.

Threat actors created various files (see Table 1 below) in the C:IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:IBM directory as a staging folder to support threat actors’ malicious operations.

Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Two artifacts are legitimate Microsoft files; threat actors were observed using these files following initial compromise for intended malicious purposes.

Table 1: Threat Actor Tools

File Name	Hash (SHA-1)	Description
eee.exe	b6818d2d5cbd902ce23461f24fc47e24937250e6	VirusTotal[3] flags this file as malicious. This was located in D:$RECYCLE.BIN.
edge.exe	75a8ceded496269e9877c2d55f6ce13551d93ff4	The dynamic-link library (DLL) file msedge.dll attempted to execute via edge.exe but received an error. Note: This file is part of the official Microsoft Edge browser and is a cookie exporter.
fscan.exe	be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656	Analysis confirmed at least three subnets were scanned using fscan.exe, which was launched from the C:IBM directory [T1046].
RC.exe	9126b8320d18a52b1315d5ada08e1c380d18806b	RCDLL.dll attempted to execute via RC.exe but received an error. Note: This file is part of the official Windows operating system and is called Microsoft Resource Compiler.

Note: The malicious code found on the system during this incident contained code that, when executed, would attempt to decrypt passwords for ColdFusion data sources. The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older. The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.

Incident 2

As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 via malicious IP address 125.227.50[.]97 through exploitation of CVE-2023-26360. Threat actors further enumerated domain trusts to identify lateral movement opportunities [T1482] by using nltest commands. The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance by using commands such as localgroup, net user, net user /domain, and ID. Host and network reconnaissance efforts were further conducted to discover network configuration, time logs, and query user information.

Threat actors were observed dropping the file d.txt—decoded as d.jsp—via POST command in addition to eight malicious artifacts (hiddenfield.jsp, hiddenfield_jsp.class, hiddenfield_jsp.java, Connection.jsp, Connection_jsp.class, Connection_jsp.java, d_jsp.class, and d_jsp.java/). According to open source information, d.jsp is a remote access trojan (RAT) that utilizes a JavaScript loader [T1059.007] to infect the device and requires communication with the actor-controlled server to perform actions.[4] The agency’s analysis identified the trojan as a modified version of a publicly available web shell code.[5] After maintaining persistence, threat actors periodically tested network connectivity by pinging Google’s domain name system (DNS) [T1016.001]. The threat actors conducted additional reconnaissance efforts via searching for the .jsp files that were uploaded.

Threat actors attempted to exfiltrate the (Registry) files sam.zip, sec.zip, blank.jsp, and cf-bootstrap.jar. Windows event logs identified the actors were not successful due to the malicious activity being detected and quarantined. An additional file (sys.zip) was created on the system; however, there were no indications of any attempt to exfiltrate it. Analysis identified these files resulted from executed save and compress data processes from the HKEY_LOCAL_MACHINE (HKLM) Registry key, as well as save security account manager (SAM) [T1003.002] information to .zip files. The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive.

Windows event logs show that a malicious file (1.dat) was detected and quarantined. Analysis determined this file was a local security authority subsystem service (LSASS) dump [T1003.001] file that contained user accounts—to include multiple disabled credentials—and Windows new technology LAN manager (NTLM) passwords. The accounts were found on multiple servers across the victim’s network and were not successfully used for lateral movement.

As efforts for reconnaissance continued, the threat actors changed their approach to using security tools that were present on the victim server. Esentutl.exe[6] was used to attempt this registry dump. Attempts to download data from the threat actors’ command and control (C2) server were also observed but blocked and logged by the victim server. Threat actors further attempted to access SYSVOL, which is used to deliver policy and logon scripts to domain members on an agency domain controller [T1484.001]. The attempt was unsuccessful. Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers.[7]

Note: During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface. The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file. Versions of ColdFusion 9 or greater use the seed.properties file, which contains unique seed values that can only be used on a single server.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2: Initial Access

Technique Title	ID	Use
Exploit Public-Facing Application	T1190	Threat actors exploited two public-facing web servers running outdated versions of Adobe ColdFusion.

Table 3: Execution

Technique Title	ID	Use
Command and Scripting Interpreter: JavaScript	T1059.007	In correlation with open source information, analysis determined d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.

Table 4: Persistence

Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	Threat actors uploaded various web shells to enable remote code execution and to execute commands on compromised web servers.

Table 5: Privilege Escalation

Technique Title	ID	Use
Domain Policy Modification: Group Policy Modification	T1484.001	Threat actors attempted to edit SYSVOL on an agency domain controller to change policies.

Table 6: Defense Evasion

Technique Title	ID	Use
Masquerading: Match Legitimate Name or Location	T1036.005	Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm—an expected configuration file in a standard installation of ColdFusion.
Masquerading: Masquerade File Type	T1036.008	Threat actors used the .txt file extension to disguise malware files.
Indicator Removal: File Deletion	T1070.004	Threat actors deleted files following upload to remove malicious indicators.
Deobfuscate/Decode Files or Information	T1140	Threat actors used certutil to decode web shells hidden inside .txt files.
Hide Artifacts: Hidden Files and Directories	T1564.001	Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell.

Table 7: Credential Access

Technique Title	ID	Use
OS Credential Dumping: LSASS Memory	T1003.001	Threat actors attempted to harvest user account credentials through LSASS memory dumping.
OS Credential Dumping: Security Account Manager	T1003.002	Threat actors saved and compressed SAM information to .zip files.

Table 8: Discovery

Technique Title	ID	Use
System Network Configuration Discovery: Internet Connection Discovery	T1016.001	Threat actors periodically tested network connectivity by pinging Google’s DNS.
Network Service Discovery	T1046	Threat actors scanned at least three subnets to gather network information using fscan.exe, to include administrative data for future exfiltration.
System Information Discovery	T1082	Threat actors collected information about the web server and its operating system.
File and Directory Discovery	T1083	Threat actors traversed and were able to search through folders on the victim’s web server filesystem. Additional reconnaissance efforts were conducted via searching for the .jsp files that were uploaded.
Account Discovery: Local Account	T1087.001	Threat actors collected information about local user accounts.
Account Discovery: Domain Account	T1087.002	Threat actors collected information about domain users, including identification of domain admin accounts.
Domain Trust Discovery	T1482	Threat actors enumerated domain trusts to identify lateral movement opportunities.
Software Discovery	T1518	Following initial access and enumeration, threat actors checked for the presence of ColdFusion version 2018 on the victim web server.

Table 9: Command and Control

Technique Title	ID	Use
Application Layer Protocol: Web Protocols	T1071.001	Threat actors used HTTP POST requests to config.cfm, an expected configuration file in a standard installation of ColdFusion.
Ingress Tool Transfer	T1105	Threat actors were able to upload malicious artifacts to the victim web server.

MITIGATIONS

CISA recommends organizations implement the mitigations below to improve your organization’s cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of threat actor techniques and strengthening the security posture for their customers. For more information on secure by design, see CISA’s Secure by Design webpage.

Manage Vulnerabilities and Configurations

• Upgrade all versions affected by this vulnerability. Keep all software up to date and prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog [1.E].
• Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans.
• Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards. This also includes disabling default credentials.

Segment Networks

• Employ proper network segmentation, such as a demilitarized zone (DMZ) [2.F]. The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or local area network (LAN) remains secure. Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.
• Use a firewall or web-application firewall (WAF) and enable logging [2.G, 2.T] to prevent/detect potential exploitation attempts. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
• Implement network segmentation to separate network segments based on role and functionality [2.E]. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
• Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection systems (IDS) based on known-bad signatures are quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.

Application Control

• Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity.
• Application control should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code. See NSA’s Enforce Signed Software Execution Policies.

Manage Accounts, Permissions, and Workstations

• Require phishing-resistant multifactor authentication (MFA) [2.H] for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
• Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
• Restrict file and directory permissions. Use file system access controls to protect folders such as C:WindowsSystem32.
• Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.[8]

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 2-9).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• NIST: CVE-2023-26360
• CISA: KEV Catalog
• CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
• CISA: Decider Tool
• CISA: Cross-Sector Cybersecurity Performance Goals
• CISA: Secure by Design and Default
• CISA: Layering Network Security Through Segmentation
• NSA: Segment Networks and Deploy Application-Aware Defenses
• NSA: Enforce Signed Software Execution Policies
• CISA: Implementing Phishing-Resistant MFA

REFERENCES

[1] Packet Storm Security: Adobe ColdFusion Unauthenticated Remote Code Execution
[2] MITRE: certutil
[3] VirusTotal: File – a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
[4] Bleeping Computer: Stealthy New JavaScript Malware Infects Windows PCs with RATs
[5] GitHub: Tas9er/ByPassGodzilla
[6] MITRE: esentutl
[7] Microsoft: Active Directory – SYSVOL
[8] Microsoft: Restrict NTLM – Incoming NTLM Traffic

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

VERSION HISTORY

December 5, 2023: Initial version.

This post was originally published on this site

SUMMARY

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK^® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have [2],[3],[4]:

• Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network [T1598],[T1656].
• Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access [T1204],[T1219],[T1566].
• Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
• Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue) [T1621].[5]
• Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.
• Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft [T1657].

After gaining access to networks, FBI observed Scattered Spider threat actors using publicly available, legitimate remote access tunneling tools. Table 1 details a list of legitimate tools Scattered Spider, repurposed and used for their criminal activity. Note: The use of these legitimate tools alone is not indicative of criminal activity. Users should review the Scattered Spider indicators of compromise (IOCs) and TTPs discussed in this CSA to determine whether they have been compromised.

Table 1: Legitimate Tools Used by Scattered Spider

Tool	Intended Use
Fleetdeck.io	Enables remote monitoring and management of systems.
Level.io	Enables remote monitoring and management of systems.
Mimikatz [S0002]	Extracts credentials from a system.
Ngrok [S0508]	Enables remote access to a local web server by tunneling over the internet.
Pulseway	Enables remote monitoring and management of systems.
Screenconnect	Enables remote connections to network devices for management.
Splashtop	Enables remote connections to network devices for management.
Tactical.RMM	Enables remote monitoring and management of systems.
Tailscale	Provides virtual private networks (VPNs) to secure network communications.
Teamviewer	Enables remote connections to network devices for management.

In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.

Table 2: Malware Used by Scattered Spider

Malware	Use
AveMaria (also known as WarZone [S0670])	Enables remote access to a victim’s systems.
Raccoon Stealer	Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data.
VIDAR Stealer	Steals information including login credentials, browser history, cookies, and other data.

Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.

Observably, Scattered Spider threat actors have exfiltrated data [TA0010] after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[.]NZ [T1567.002].

Recent Scattered Spider TTPs

New TTP – File Encryption

More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486]. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications.

Reconnaissance, Resource Development, and Initial Access

Scattered Spider intrusions often begin with broad phishing [T1566] and smishing [T1660] attempts against a target using victim-specific crafted domains, such as the domains listed in Table 3 [T1583.001].

Table 3: Domains Used by Scattered Spider Threat Actors

Domains
victimname-sso[.]com
victimname-servicedesk[.]com
victimname-okta[.]com

In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, PII [T1589], and conducting SIM swaps, the threat actors then use social engineering techniques [T1656] to convince IT help desk personnel to reset passwords and/or MFA tokens [T1078.002],[T1199],[T1566.004] to perform account takeovers against the users in single sign-on (SSO) environments.

Execution, Persistence, and Privilege Escalation

Scattered Spider threat actors then register their own MFA tokens [T1556.006],[T1606] after compromising a user’s account to establish persistence [TA0003]. Further, the threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking [T1484.002]. The threat actors are then able to sign into any account by using a matching SSO account attribute. At this stage, the Scattered Spider threat actors already control the identity provider and then can choose an arbitrary value for this account attribute. As a result, this activity allows the threat actors to perform privileged escalation [TA0004] and continue logging in even when passwords are changed [T1078]. Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools’ remote-shell capabilities and executing of commands which elevates their access. They also deploy remote monitoring and management (RMM) tools [T1219] to then maintain persistence.

Discovery, Lateral Movement, and Exfiltration

Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [T1213.002], credential storage documentation [T1552.001], VMware vCenter infrastructure [T1018], backups, and instructions for setting up/logging into Virtual Private Networks (VPN) [TA0007]. The threat actors enumerate the victim’s Active Directory (AD), perform discovery and exfiltration of victim’s code repositories [T1213.003], code-signing certificates [T1552.004], and source code [T1083],[TA0010]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [T1538] to discover targets for lateral movement [TA0007],[TA0008], then move to both preexisting [T1021.007] and actor-created [T1578.002] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [T1648] to bring data from multiple data sources into a centralized database [T1074],[T1530]. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ransomware onto victim networks—thereby encrypting VMware Elastic Sky X integrated (ESXi) servers [T1486].

To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails [T1114] or conversations regarding the threat actor’s intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4 through 17 for all referenced threat actor tactics and techniques in this advisory.

Table 4: Reconnaissance

Technique Title	ID	Use
Gather Victim Identity Information	T1589	Scattered Spider threat actors gather usernames, passwords, and PII for targeted organizations.
Phishing for Information	T1598	Scattered Spider threat actors use phishing to obtain login credentials, gaining access to a victim’s network.

Table 5: Resource Development

Technique Title	ID	Use
Acquire Infrastructure: Domains	T1583.001	Scattered Spider threat actors create domains for use in phishing and smishing attempts against targeted organizations.
Establish Accounts: Social Media Accounts	T1585.001	Scattered Spider threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization.

Table 6: Initial Access

Technique Title	ID	Use
Phishing	T1566	Scattered Spider threat actors use broad phishing attempts against a target to obtain information used to gain initial access. Scattered Spider threat actors have posed as helpdesk personnel to direct employees to install commercial remote access tools.
Phishing (Mobile)	T1660	Scattered Spider threat actors send SMS messages, known as smishing, when targeting a victim.
Phishing: Spearphishing Voice	T1566.004	Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens.
Trusted Relationship	T1199	Scattered Spider threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations.
Valid Accounts: Domain Accounts	T1078.002	Scattered Spider threat actors obtain access to valid domain accounts to gain initial access to a targeted organization.

Table 7: Execution

Technique Title	ID	Use
Serverless Execution	T1648	Scattered Spider threat actors use ETL tools to collect data in cloud environments.
User Execution	T1204	Scattered Spider threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools thereby enabling access to the victim’s network.

Table 8: Persistence

Technique Title	ID	Use
Persistence	TA0003	Scattered Spider threat actors seek to maintain persistence on a targeted organization’s network.
Create Account	T1136	Scattered Spider threat actors create new user identities in the targeted organization.
Modify Authentication Process: Multi-Factor Authentication	T1556.006	Scattered Spider threat actors may modify MFA tokens to gain access to a victim’s network.
Valid Accounts	T1078	Scattered Spider threat actors abuse and control valid accounts to maintain network access even when passwords are changed.

Table 9: Privilege Escalation

Technique Title	ID	Use
Privilege Escalation	TA0004	Scattered Spider threat actors escalate account privileges when on a targeted organization’s network.
Domain Policy Modification: Domain Trust Modification	T1484.002	Scattered Spider threat actors add a federated identify provider to the victim’s SSO tenant and activate automatic account linking.

Table 10: Defense Evasion

Technique Title	ID	Use
Modify Cloud Compute Infrastructure: Create Cloud Instance	T1578.002	Scattered Spider threat actors will create cloud instances for use during lateral movement and data collection.
Impersonation	TA1656	Scattered Spider threat actors pose as company IT and/or helpdesk staff to gain access to victim’s networks. Scattered Spider threat actors use social engineering to convince IT help desk personnel to reset passwords and/or MFA tokens.

Table 11: Credential Access

Technique Title	ID	Use
Credential Access	TA0006	Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain login credentials.
Forge Web Credentials	T1606	Scattered Spider threat actors may forge MFA tokens to gain access to a victim’s network.
Multi-Factor Authentication Request Generation	T1621	Scattered Spider sends repeated MFA notification prompts to lead employees to accept the prompt and gain access to the target network.
Unsecured Credentials: Credentials in Files	T1552.001	Scattered Spider threat actors search for insecurely stored credentials on victim’s systems.
Unsecured Credentials: Private Keys	T1552.004	Scattered Spider threat actors search for insecurely stored private keys on victim’s systems.

Table 12: Discovery

Technique Title	ID	Use
Discovery	TA0007	Upon gaining access to a targeted network, Scattered Spider threat actors seek out SharePoint sites, credential storage documentation, VMware vCenter, infrastructure backups and enumerate AD to identify useful information to support further operations.
Browser Information Discovery	T1217	Scattered Spider threat actors use tools (e.g., Raccoon Stealer) to obtain browser histories.
Cloud Service Dashboard	T1538	Scattered Spider threat actors leverage AWS Systems Manager Inventory to discover targets for lateral movement.
File and Directory Discovery	T1083	Scattered Spider threat actors search a compromised network to discover files and directories for further information or exploitation.
Remote System Discovery	T1018	Scattered Spider threat actors search for infrastructure, such as remote systems, to exploit.
Steal Web Session Cookie	T1539	Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain browser cookies.

Table 13: Lateral Movement

Technique Title	ID	Use
Lateral Movement	TA0008	Scattered Spider threat actors laterally move across a target network upon gaining access and establishing persistence.
Remote Services: Cloud Services	T1021.007	Scattered Spider threat actors use pre-existing cloud instances for lateral movement and data collection.

Table 14: Collection

Technique Title	ID	Use
Data from Information Repositories: Code Repositories	T1213.003	Scattered Spider threat actors search code repositories for data collection and exfiltration.
Data from Information Repositories: Sharepoint	T1213.002	Scattered Spider threat actors search SharePoint repositories for information.
Data Staged	T1074	Scattered Spider threat actors stage data from multiple data sources into a centralized database before exfiltration.
Email Collection	T1114	Scattered Spider threat actors search victim’s emails to determine if the victim has detected the intrusion and initiated any security response.
Data from Cloud Storage	T1530	Scattered Spider threat actors search data in cloud storage for collection and exfiltration.

Table 15: Command and Control

Technique Title	ID	Use
Remote Access Software	T1219	Impersonating helpdesk personnel, Scattered Spider threat actors direct employees to run commercial remote access tools thereby enabling access to and command and control of the victim’s network. Scattered Spider threat actors leverage third-party software to facilitate lateral movement and maintain persistence on a target organization’s network.

Table 16: Exfiltration

Technique Title	ID	Use
Exfiltration	TA0010	Scattered Spider threat actors exfiltrate data from a target network to for data extortion.

Table 17: Impact

Technique Title	ID	Use
Data Encrypted for Impact	T1486	Scattered Spider threat actors recently began encrypting data on a target network and demanding a ransom for decryption. Scattered Spider threat actors has been observed encrypting VMware ESXi servers.
Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	Scattered Spider threat actors exfiltrate data to multiple sites including U.S.-based data centers and MEGA[.]NZ.
Financial Theft	T1657	Scattered Spider threat actors monetized access to victim networks in numerous ways including extortion-enabled ransomware and data theft.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
• Reduce threat of malicious actors using remote access tools by:
  • Auditing remote access tools on your network to identify currently used and/or authorized software.
  • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
  • Using security software to detect instances of remote access software being loaded only in memory.
  • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  • Applying recommendations in the Guide to Securing Remote Access Software.
• Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA. These MFA implementations are resistant to phishing and not suspectable to push bombing or SIM swap attacks, which are techniques known to be used by Scattered Spider actors. See CISA’s fact sheet Implementing Phishing-Resistant MFA for more information.
• Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Audit the network for systems using RDP.
  • Close unused RDP ports.
  • Enforce account lockouts after a specified number of attempts.
  • Apply phishing-resistant multifactor authentication (MFA).
  • Log RDP login attempts.

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
• Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
  • Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
  • Store passwords in hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords [CPG 2.C].
  • Implement multiple failed login attempt account lockouts [CPG 2.G].
  • Disable password “hints.”
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Disable unused ports and protocols [CPG 2.V].
• Consider adding an email banner to emails received from outside your organization [CPG 2.M].
• Disable hyperlinks in received emails.
• Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 4-17).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REPORTING

FBI and CISA are seeking any information that can be shared, to include a sample ransom note, communications with Scattered Spider group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

REFERENCES

[1] MITRE ATT&CK – Scattered Spider
[2] Trellix – Scattered Spider: The Modus Operandi
[3] Crowdstrike – Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
[4] Crowdstrike – SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
[5] Malwarebytes – Ransomware group steps up, issues statement over MGM Resorts compromise

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.

VERSION HISTORY

November 16, 2023: Initial version.

This post was originally published on this site

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.

CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations.

For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515.[1] While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.

Download the PDF version of this report:

TECHNICAL DETAILS

Overview

CVE-2023-22515 is a critical Broken Access Control vulnerability affecting the following versions of Atlassian Confluence Data Center and Server. Note: Atlassian Cloud sites (sites accessed by an atlassian.net domain), including Confluence Data Center and Server versions before 8.0.0, are not affected by this vulnerability.

8.0.0 8.0.1 8.0.2 8.0.3 8.0.4 8.1.0 8.1.1

8.1.3 8.1.4 8.2.0 8.2.1 8.2.2 8.2.3 8.3.0

8.3.1 8.3.2 8.4.0 8.4.1 8.4.2 8.5.0 8.5.1

Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. More specifically, threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint.

Considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts. Open source further indicates an Open Web Application Security Project (OWASP) classification of injection (i.e., CWE-20: Improper Input Validation) is an appropriate description.[2] Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day—a previously unidentified vulnerability.[1]

On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks.

Post-Exploitation: Exfiltration of Data

Post-exploitation exfiltration of data can be executed through of a variety of techniques. A predominant method observed involves the use of cURL—a command line tool used to transfer data to or from a server. An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. Note: This does not preclude the effectiveness of alternate methods, but highlights methods observed to date. Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line. Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point:

[s3] type = env_auth = access_key_id = secret_access_key = region =  endpoint =   location_constraint = acl = server_side_encryption = storage_class =

[minio] type = provider = env_auth = access_key_id = secret_access_key = endpoint = acl =

The following User-Agent strings were observed in request headers. Note: As additional threat actors begin to use this CVE due to the availability of publicly posted proof-of-concept code, an increasing variation in User-Agent strings is expected:

• Python-requests/2.27.1
• curl/7.88.1

Indicators of Compromise

Disclaimer: Organizations are recommended to investigate or vet these IP addresses prior to taking action, such as blocking.

The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration:

• 170.106.106[.]16
• 43.130.1[.]222
• 152.32.207[.]23
• 199.19.110[.]14
• 95.217.6[.]16 (Note: This is the official rclone.org website)

Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[3]

DETECTION METHODS

Network defenders are encouraged to review and deploy Proofpoint’s Emerging Threat signatures. See Ruleset Update Summary – 2023/10/12 – v10438.[4]

Network defenders are also encouraged to aggregate application and server-level logging from Confluence servers to a logically separated log search and alerting system, as well as configure alerts for signs of exploitation (as detailed in Atlassian’s security advisory).

INCIDENT RESPONSE

Organizations are encouraged to review all affected Confluence instances for evidence of compromise, as outlined by Atlassian.[1] If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions—these include but are not limited to exfiltration of content and system credentials, as well as installation of malicious plugins.

If a potential compromise is detected, organizations should:

1. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
   • Note: Upgrading to fixed versions, as well as removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
   • Search and audit logs from Confluence servers for attempted exploitation.[2]
2. Quarantine and take offline potentially affected hosts.
3. Provision new account credentials.
4. Reimage compromised hosts.
5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

MITIGATIONS

These mitigations apply to all organizations using non-cloud Atlassian Confluence Data Center and Server software. CISA, FBI, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to reduce the prevalence of Broken Access Control vulnerabilities, thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

As of October 10, 2023, proof-of-concept exploits for CVE-2023-22515 have been observed in open source publications.[5] While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development.

CISA, FBI, and MS-ISAC recommend taking immediate action to address the potential associated risks and encourage organizations to:

• Immediately upgrade to fixed versions. See Atlassian’s upgrading instructions[6] for more information. If unable to immediately apply upgrades, restrict untrusted network access until feasible. Malicious cyber threat actors who exploit the affected instance can escalate to administrative privileges.
• Follow best cybersecurity practices in your production and enterprise environments. While not observed in this instance of exploitation, mandating phishing-resistant multifactor authentication (MFA) for all staff and services can make it more difficult for threat actors to gain access to networks and information systems. For additional best practices, see:
  • CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures (TTPs). Because the CPGs are a subset of best practices, CISA recommends software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
  • Center for Internet Security’s (CIS) Critical Security Controls. The CIS Critical Security Controls are a prescriptive, prioritized, and simplified set of best practices that organizations can use to strengthen cybersecurity posture and protect against cyber incidents.

RESOURCES

• NIST: CVE-2023-22515
• MITRE: CWE-20 – Improper Input Validation
• CISA: Known Exploited Vulnerabilities Catalog
• MITRE Software: Rclone
• CISA: Secure by Design and Default
• CISA: Phishing-Resistant MFA
• CISA: Cross-Sector Cybersecurity Performance Goals
• CIS: Critical Security Controls

REFERENCES

[1]   Atlassian: CVE-2023-22515 – Broken Access Control Vulnerability in Confluence Data Center and Server
[2]   Rapid7: CVE-2023-22515 Analysis
[3]   Microsoft: CVE-2023-22515 Exploit IP Addresses
[4]   Proofpoint: Emerging Threats Rulesets
[5]   Confluence CVE-2023-22515 Proof of Concept – vulhub
[6]   Atlassian Support: Upgrading Confluence

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, FBI, and MS-ISAC.

VERSION HISTORY

October 16, 2023: Initial version.

This post was originally published on this site

A plea for network defenders and software manufacturers to fix common problems.

EXECUTIVE SUMMARY

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:

• Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.
• Software manufacturers must reduce the prevalence of these misconfigurations—thus strengthening the security posture for customers—by incorporating secure-by-design and -default principles and tactics into their software development practices.[1]

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations.

• Remove default credentials and harden configurations.
• Disable unused services and implement access controls.
• Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.[2]
• Reduce, restrict, audit, and monitor administrative accounts and privileges.

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including:

• Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
• Eliminating default passwords.
• Providing high-quality audit logs to customers at no extra charge.
• Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.[3]

Download the PDF version of this report: PDF, 660 KB

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 13, and the MITRE D3FEND™ cybersecurity countermeasures framework.[4],[5] See the Appendix: MITRE ATT&CK tactics and techniques section for tables summarizing the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques, and the Mitigations section for MITRE D3FEND countermeasures.

For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.[6],[7]

Overview

Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD); Federal Civilian Executive Branch (FCEB); state, local, tribal, and territorial (SLTT) governments; and the private sector:

• Depending on the needs of the assessment, NSA Defensive Network Operations (DNO) teams feature capabilities from Red Team (adversary emulation), Blue Team (strategic vulnerability assessment), Hunt (targeted hunt), and/or Tailored Mitigations (defensive countermeasure development).
• CISA Vulnerability Management (VM) teams have assessed the security posture of over 1,000 network enclaves. CISA VM teams include Risk and Vulnerability Assessment (RVA) and CISA Red Team Assessments (RTA).[8] The RVA team conducts remote and onsite assessment services, including penetration testing and configuration review. RTA emulates cyber threat actors in coordination with an organization to assess the organization’s cyber detection and response capabilities.
• CISA Hunt and Incident Response teams conduct proactive and reactive engagements, respectively, on organization networks to identify and detect cyber threats to U.S. infrastructure.

During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks.

Many of the assessments were of Microsoft^® Windows^® and Active Directory^® environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below.

1. Default Configurations of Software and Applications

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:

• Default credentials
• Default service permissions and configurations settings

Default Credentials

Many software manufacturers release commercial off-the-shelf (COTS) network devices —which provide user access via applications or web portals—containing predefined default credentials for their built-in administrative accounts.[9] Malicious actors and assessment teams regularly abuse default credentials by:

• Finding credentials with a simple web search [T1589.001] and using them [T1078.001] to gain authenticated access to a device.
• Resetting built-in administrative accounts [T1098] via predictable forgotten passwords questions.
• Leveraging default virtual private network (VPN) credentials for internal network access [T1133].
• Leveraging publicly available setup information to identify built-in administrative credentials for web applications and gaining access to the application and its underlying database.
• Leveraging default credentials on software deployment tools [T1072] for code execution and lateral movement.

In addition to devices that provide network access, printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002].

Default Service Permissions and Configuration Settings

Certain services may have overly permissive access controls or vulnerable configurations by default. Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them.

Assessment teams regularly find the following:

• Insecure Active Directory Certificate Services
• Insecure legacy protocols/services
• Insecure Server Message Block (SMB) service

Insecure Active Directory Certificate Services

Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network.

Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures.

Assessment teams have observed organizations with the following misconfigurations:

• ADCS servers running with web-enrollment enabled. If web-enrollment is enabled, unauthenticated actors can coerce a server to authenticate to an actor-controlled computer, which can relay the authentication to the ADCS web-enrollment service and obtain a certificate [T1649] for the server’s account. These fraudulent, trusted certificates enable actors to use adversary-in-the-middle techniques [T1557] to masquerade as trusted entities on the network. The actors can also use the certificate for AD authentication to obtain a Kerberos Ticket Granting Ticket (TGT) [T1558.001], which they can use to compromise the server and usually the entire domain.
• ADCS templates where low-privileged users have enrollment rights, and the enrollee supplies a subject alternative name. Misconfiguring various elements of ADCS templates can result in domain escalation by unauthorized users (e.g., granting low-privileged users certificate enrollment rights, allowing requesters to specify a subjectAltName in the certificate signing request [CSR], not requiring authorized signatures for CSRs, granting FullControl or WriteDacl permissions to users). Malicious actors can use a low-privileged user account to request a certificate with a particular Subject Alternative Name (SAN) and gain a certificate where the SAN matches the User Principal Name (UPN) of a privileged account.

Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see: Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned, Active Directory Certificate Services.[10],[11],[12]

Insecure legacy protocols/services

Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows’ environments.

Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user’s username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002].

Insecure Server Message Block (SMB) service

The Server Message Block service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes.

2. Improper Separation of User/Administrator Privilege

Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.

Assessment teams have observed the following common account separation misconfigurations:

• Excessive account privileges
• Elevated service account permissions
• Non-essential use of elevated accounts

Excessive Account Privileges

Account privileges are intended to control user access to host or application resources to limit access to sensitive information or enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface.

Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep—the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account [T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain.

Elevated Service Account Permissions

Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account.

Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting—a form of credential access achieved by cracking service account credentials—is a common technique used to gain control over service account targets [T1558.003].

Non-Essential Use of Elevated Accounts

IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account’s credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account’s exposure and, therefore, its risk of compromise and its risk to the network.

Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and where the elevated accounts are used [T1087].

Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options.

After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain.

3. Insufficient Internal Network Monitoring

Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.

Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example:

• An assessment team observed an organization with host-based monitoring, but no network monitoring. Host-based monitoring informs defensive teams about adverse activities on singular hosts and network monitoring informs about adverse activities traversing hosts [TA0008]. In this example, the organization could identify infected hosts but could not identify where the infection was coming from, and thus could not stop future lateral movement and infections.
• An assessment team gained persistent deep access to a large organization with a mature cyber posture. The organization did not detect the assessment team’s lateral movement, persistence, and command and control (C2) activity, including when the team attempted noisy activities to trigger a security response. For more information on this activity, see CSA CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks.[13]

4. Lack of Network Segmentation

Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.

Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks—despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network—by finding special purpose, forgotten, or even accidental network connections [T1199].

5. Poor Patch Management

Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:

• Lack of regular patching
• Use of unsupported operating systems (OSs) and outdated firmware

Lack of Regular Patching

Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery—via vulnerability scanning [T1595.002] and open source research [T1592]—and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments.[2]

Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including:

• CVE-2019-18935 in an unpatched instance of Telerik^® UI for ASP.NET running on a Microsoft IIS server.[14]
• CVE-2021-44228 (Log4Shell) in an unpatched VMware^® Horizon server.[15]
• CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925 chained with CVE-2022-37042, or CVE-2022-30333 in an unpatched Zimbra^® Collaboration Suite.[16]

Use of Unsupported OSs and Outdated Firmware

Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210].

Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-67. These updates, released years ago, address critical remote code execution vulnerabilities.[17],[18]

6. Bypass of System Access Controls

A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the clear-text password, an actor can expand and fortify their access without detection. Kerberoasting is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network.

7. Weak or Misconfigured MFA Methods

Misconfigured Smart Cards or Tokens

Some networks (generally government or DoD networks) require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used—because the smart card or token is required instead—there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account’s password hash [T1111], the actor can use it indefinitely, via the PtH technique for as long as that account exists.

Lack of Phishing-Resistant MFA

Some forms of MFA are vulnerable to phishing, “push bombing” [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or “SIM swap” techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. (See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.)[3]

For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user’s main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user’s email and other organizational resources.

8. Insufficient ACLs on Network Shares and Services

Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives.

Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135].

• In one compromise, a team observed actors use the net share command—which displays information about shared resources on the local computer—and the ntfsinfo command to search network shares on compromised computers. In the same compromise, the actors used a custom tool, CovalentStealer, which is designed to identify file shares on a system, categorize the files [T1083], and upload the files to a remote server [TA0010].[19],[20]
• Ransomware actors have used the SoftPerfect^® Network Scanner, netscan.exe—which can ping computers [T1018], scan ports [T1046], and discover shared folders—and SharpShares to enumerate accessible network shares in a domain.[21],[22]

Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators.

Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network’s topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals.

9. Poor Credential Hygiene

Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes:

• Easily crackable passwords
• Cleartext password disclosure

Easily Crackable Passwords

Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account.

Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user’s plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002].

One of the primary ways to crack passwords is with the open source tool, Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account’s permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far.

Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users’ passwords in an Active Directory, resulting in hundreds of valid credentials.

Cleartext Password Disclosure

Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation as any system logs would record valid user accounts accessing applications or systems.

Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool, Snaffler.[23]

10. Unrestricted Code Execution

If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.

Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network.

Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting—where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers’ known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068].

MITIGATIONS

Network Defenders

NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.

The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.[24]

Mitigate Default Configurations of Software and Applications

Table 1: Recommendations for Network Defenders to Mitigate Default Configurations of Software and Applications

Misconfiguration	Recommendations for Network Defenders
Default configurations of software and applications	Modify the default configuration of applications and appliances before deployment in a production environment [M1013],[D3-ACH]. Refer to hardening guidelines provided by the vendor and related cybersecurity guidance (e.g., DISA’s Security Technical Implementation Guides (STIGs) and configuration guides).[25],[26],[27]
Default configurations of software and applications: Default Credentials	Change or disable vendor-supplied default usernames and passwords of services, software, and equipment when installing or commissioning [CPG 2.A]. When resetting passwords, enforce the use of “strong” passwords (i.e., passwords that are more than 15 characters and random [CPG 2.B]) and follow hardening guidelines provided by the vendor, STIGs, NSA, and/or NIST [M1027],[D3-SPP].[25],[26],[28],[29]
Default service permissions and configuration settings: Insecure Active Directory Certificate Services	Ensure the secure configuration of ADCS implementations. Regularly update and patch the controlling infrastructure (e.g., for CVE-2021-36942), employ monitoring and auditing mechanisms, and implement strong access controls to protect the infrastructure. If not needed, disable web-enrollment in ADCS servers. See Microsoft: Uninstall-AdcsWebEnrollment (ADCSDeployment) for guidance.[30] If web enrollment is needed on ADCS servers: Enable Extended Protection for Authentication (EPA) for Client Authority Web Enrollment. This is done by choosing the “Required” option. For guidance, see Microsoft: KB5021989: Extended Protection for Authentication.[31] Enable “Require SSL” on the ADCS server. Disable NTLM on all ADCS servers. For guidance, see Microsoft: Network security Restrict NTLM in this domain – Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic – Windows Security.[32],[33] Disable SAN for UPN Mapping. For guidance see, Microsoft: How to disable the SAN for UPN mapping – Windows Server. Instead, smart card authentication can use the altSecurityIdentities attribute for explicit mapping of certificates to accounts more securely.[34] Review all permissions on the ADCS templates on applicable servers. Restrict enrollment rights to only those users or groups that require it. Disable the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag from templates to prevent users from supplying and editing sensitive security settings within these templates. Enforce manager approval for requested certificates. Remove FullControl, WriteDacl, and Write property permissions from low-privileged groups, such as domain users, to certificate template objects.
Default service permissions and configuration settings: Insecure legacy protocols/services	Determine if LLMNR and NetBIOS are required for essential business operations. If not required, disable LLMNR and NetBIOS in local computer security settings or by group policy.
Default service permissions and configuration settings: Insecure SMB service	Require SMB signing for both SMB client and server on all systems.[25] This should prevent certain adversary-in-the-middle and pass-the-hash techniques. For more information on SMB signing, see Microsoft: Overview of Server Message Block Signing. [35] Note: Beginning in Microsoft Windows 11 Insider Preview Build 25381, Windows requires SMB signing for all communications.[36]

Mitigate Improper Separation of User/Administrator Privilege

Table 2: Recommendations for Network Defenders to Mitigate Improper Separation of User/Administrator Privilege

Misconfiguration

Recommendations for Network Defenders

Improper separation of user/administrator privilege: Excessive account privileges, Elevated service account permissions, and Non-essential use of elevated accounts

Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform, and review logs of user actions to detect unauthorized use and abuse. Apply least privilege principles to user accounts and groups allowing only the performance of authorized actions. Audit user accounts and remove those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts. Restrict use of privileged accounts to perform general tasks, such as accessing emails and browsing the Internet [CPG 2.E],[D3-UAP]. See NSA Cybersecurity Information Sheet (CSI) Defend Privileges and Accounts for more information.[37] Limit the number of users within the organization with an identity and access management (IAM) role that has administrator privileges. Strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies. Implement time-based access for privileged accounts. For example, the just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. In cloud environments, just-in-time elevation is also appropriate and may be implemented using per-session federated claims or privileged access management tools. Restrict domain users from being in the local administrator group on multiple systems. Run daemonized applications (services) with non-administrator accounts when possible. Only configure service accounts with the permissions necessary for the services they control to operate. Disable unused services and implement ACLs to protect services.

Mitigate Insufficient Internal Network Monitoring

Table 3: Recommendations for Network Defenders to Mitigate Insufficient Internal Network Monitoring

Misconfiguration

Recommendations for Network Defenders

Insufficient internal network monitoring

Establish a baseline of applications and services, and routinely audit their access and use, especially for administrative activity [D3-ANAA]. For instance, administrators should routinely audit the access lists and permissions for of all web applications and services [CPG 2.O],[M1047]. Look for suspicious accounts, investigate them, and remove accounts and credentials, as appropriate, such as accounts of former staff.[39] Establish a baseline that represents an organization’s normal traffic activity, network performance, host application activity, and user behavior; investigate any deviations from that baseline [D3-NTCD],[D3-CSPP],[D3-UBA].[40] Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them [M1047]. Implement a security information and event management (SIEM) system to provide log aggregation, correlation, querying, visualization, and alerting from network endpoints, logging systems, endpoint and detection response (EDR) systems and intrusion detection systems (IDS) [CPG 2.T],[D3-NTA].

Mitigate Lack of Network Segmentation

Table 4: Recommendations for Network Defenders to Mitigate Lack of Network Segmentation

Misconfiguration

Recommendations for Network Defenders

Lack of network segmentation

Implement next-generation firewalls to perform deep packet filtering, stateful inspection, and application-level packet inspection [D3-NTF]. Deny or drop improperly formatted traffic that is incongruent with application-specific traffic permitted on the network. This practice limits an actor’s ability to abuse allowed application protocols. The practice of allowlisting network applications does not rely on generic ports as filtering criteria, enhancing filtering fidelity. For more information on application-aware defenses, see NSA CSI Segment Networks and Deploy Application-Aware Defenses.[41] Engineer network segments to isolate critical systems, functions, and resources [CPG 2.F],[D3-NI]. Establish physical and logical segmentation controls, such as virtual local area network (VLAN) configurations and properly configured access control lists (ACLs) on infrastructure devices [M1030]. These devices should be baselined and audited to prevent access to potentially sensitive systems and information. Leverage properly configured Demilitarized Zones (DMZs) to reduce service exposure to the Internet.[42],[43],[44] Implement separate Virtual Private Cloud (VPC) instances to isolate essential cloud systems. Where possible, implement Virtual Machines (VM) and Network Function Virtualization (NFV) to enable micro-segmentation of networks in virtualized environments and cloud data centers. Employ secure VM firewall configurations in tandem with macro segmentation.

Mitigate Poor Patch Management

Table 5: Recommendations for Network Defenders to Mitigate Poor Patch Management

Misconfiguration	Recommendations for Network Defenders
Poor patch management: Lack of regular patching	Ensure organizations implement and maintain an efficient patch management process that enforces the use of up-to-date, stable versions of OSs, browsers, and software [M1051],[D3-SU].[45] Update software regularly by employing patch management for externally exposed applications, internal enterprise endpoints, and servers. Prioritize patching known exploited vulnerabilities.[2] Automate the update process as much as possible and use vendor-provided updates. Consider using automated patch management tools and software update tools. Where patching is not possible due to limitations, segment networks to limit exposure of the vulnerable system or host.
Poor patch management: Use of unsupported OSs and outdated firmware	Evaluate the use of unsupported hardware and software and discontinue use as soon as possible. If discontinuing is not possible, implement additional network protections to mitigate the risk.[45] Patch the Basic Input/Output System (BIOS) and other firmware to prevent exploitation of known vulnerabilities.

Mitigate Bypass of System Access Controls

Table 6: Recommendations for Network Defenders to Mitigate Bypass of System Access Controls

Misconfiguration

Recommendations for Network Defenders

Bypass of system access controls

Limit credential overlap across systems to prevent credential compromise and reduce a malicious actor’s ability to move laterally between systems [M1026],[D3-CH]. Implement a method for monitoring non-standard logon events through host log monitoring [CPG 2.G]. Implement an effective and routine patch management process. Mitigate PtH techniques by applying patch KB2871997 to Windows 7 and newer versions to limit default access of accounts in the local administrator group [M1051],[D3-SU].[46] Enable the PtH mitigations to apply User Account Control (UAC) restrictions to local accounts upon network logon [M1052],[D3-UAP]. Deny domain users the ability to be in the local administrator group on multiple systems [M1018],[D3-UAP]. Limit workstation-to-workstation communications. All workstation communications should occur through a server to prevent lateral movement [M1018],[D3-UAP]. Use privileged accounts only on systems requiring those privileges [M1018],[D3-UAP]. Consider using dedicated Privileged Access Workstations for privileged accounts to better isolate and protect them.[37]

Mitigate Weak or Misconfigured MFA Methods

Table 7: Recommendations for Network Defenders to Mitigate Weak or Misconfigured MFA Methods

Misconfiguration	Recommendations for Network Defenders
Weak or misconfigured MFA methods: Misconfigured smart cards or tokens	In Windows environments: Disable the use of New Technology LAN Manager (NTLM) and other legacy authentication protocols that are susceptible to PtH due to their use of password hashes [M1032],[D3-MFA]. For guidance, see Microsoft: Network security Restrict NTLM in this domain – Windows Security | Microsoft Learn and Network security Restrict NTLM Incoming NTLM traffic – Windows Security.[32],[33] Use built-in functionality via Windows Hello for Business or Group Policy Objects (GPOs) to regularly re-randomize password hashes associated with smartcard-required accounts. Ensure that the hashes are changed at least as often as organizational policy requires passwords to be changed [M1027],[D3-CRO]. Prioritize upgrading any environments that cannot utilize this built-in functionality. As a longer-term effort, implement cloud-primary authentication solution using modern open standards. See CISA’s Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture for more information.[47] Note: this document is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies to secure their cloud business application environments and to protect federal information that is created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project’s guidance is applicable to all organizations.[48]
Weak or misconfigured MFA methods: Lack of phishing-resistant MFA	Enforce phishing-resistant MFA universally for access to sensitive data and on as many other resources and services as possible [CPG 2.H].[3],[49]

Mitigate Insufficient ACLs on Network Shares and Services

Table 8: Recommendations for Network Defenders to Mitigate Insufficient ACLs on Network Shares and Services

Misconfiguration

Recommendations for Network Defenders

Insufficient ACLs on network shares and services

Implement secure configurations for all storage devices and network shares that grant access to authorized users only. Apply the principal of least privilege to important information resources to reduce risk of unauthorized data access and manipulation. Apply restrictive permissions to files and directories, and prevent adversaries from modifying ACLs [M1022],[D3-LFP]. Set restrictive permissions on files and folders containing sensitive private keys to prevent unintended access [M1022],[D3-LFP]. Enable the Windows Group Policy security setting, “Do Not Allow Anonymous Enumeration of Security Account Manager (SAM) Accounts and Shares,” to limit users who can enumerate network shares.

Mitigate Poor Credential Hygiene

Table 9: Recommendations for Network Defenders to Mitigate Poor Credential Hygiene

Misconfiguration	Recommendations for Network Defenders
Poor credential hygiene: easily crackable passwords	Follow National Institute of Standards and Technologies (NIST) guidelines when creating password policies to enforce use of “strong” passwords that cannot be cracked [M1027],[D3-SPP].[29] Consider using password managers to generate and store passwords. Do not reuse local administrator account passwords across systems. Ensure that passwords are “strong” and unique [CPG 2.B],[M1027],[D3-SPP]. Use “strong” passphrases for private keys to make cracking resource intensive. Do not store credentials within the registry in Windows systems. Establish an organizational policy that prohibits password storage in files. Ensure adequate password length (ideally 25+ characters) and complexity requirements for Windows service accounts and implement passwords with periodic expiration on these accounts [CPG 2.B],[M1027],[D3-SPP]. Use Managed Service Accounts, when possible, to manage service account passwords automatically.
Poor credential hygiene: cleartext password disclosure	Implement a review process for files and systems to look for cleartext account credentials. When credentials are found, remove, change, or encrypt them [D3-FE]. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, protected health information) or credentials are stored. Weigh the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is of significant concern, technical controls, policy, and user training may prevent storage of credentials in improper locations. Store hashed passwords using Committee on National Security Systems Policy (CNSSP)-15 and Commercial National Security Algorithm Suite (CNSA) approved algorithms.[50],[51] Consider using group Managed Service Accounts (gMSAs) or third-party software to implement secure password-storage applications.

Mitigate Unrestricted Code Execution

Table 10: Recommendations for Network Defenders to Mitigate Unrestricted Code Execution

Misconfiguration

Recommendations for Network Defenders

Unrestricted code execution

Enable system settings that prevent the ability to run applications downloaded from untrusted sources.[52] Use application control tools that restrict program execution by default, also known as allowlisting [D3-EAL]. Ensure that the tools examine digital signatures and other key attributes, rather than just relying on filenames, especially since malware often attempts to masquerade as common Operating System (OS) utilities [M1038]. Explicitly allow certain .exe files to run, while blocking all others by default. Block or prevent the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment [D3-OSM]. Constrain scripting languages to prevent malicious activities, audit script logs, and restrict scripting languages that are not used in the environment [D3-SEA]. See joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace.[53] Use read-only containers and minimal images, when possible, to prevent the running of commands. Regularly analyze border and host-level protections, including spam-filtering capabilities, to ensure their continued effectiveness in blocking the delivery and execution of malware [D3-MA]. Assess whether HTML Application (HTA) files are used for business purposes in your environment; if HTAs are not used, remap the default program for opening them from mshta.exe to notepad.exe.

Software Manufacturers

NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers apply these recommendations to ensure their products are secure “out of the box” and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.[1]

Table 11: Recommendations for Software Manufacturers to Mitigate Identified Misconfigurations

Misconfiguration	Recommendations for Software Manufacturers
Default configurations of software and applications	Embed security controls into product architecture from the start of development and throughout the entire SDLC by following best practices in NIST’s Secure Software Development Framework (SSDF), SP 800-218.[54] Provide software with security features enabled “out of the box” and accompanied with “loosening” guides instead of hardening guides. “Loosening” guides should explain the business risk of decisions in plain, understandable language.
Default configurations of software and applications: Default credentials	Eliminate default passwords: Do not provide software with default passwords that are universally shared. To eliminate default passwords, require administrators to set a “strong” password [CPG 2.B] during installation and configuration.
Default configurations of software and applications: Default service permissions and configuration settings	Consider the user experience consequences of security settings: Each new setting increases the cognitive burden on end users and should be assessed in conjunction with the business benefit it derives. Ideally, a setting should not exist; instead, the most secure setting should be integrated into the product by default. When configuration is necessary, the default option should be broadly secure against common threats.
Improper separation of user/administrator privilege: Excessive account privileges, Elevated service account permissions, and Non-essential use of elevated accounts	Design products so that the compromise of a single security control does not result in compromise of the entire system. For example, ensuring that user privileges are narrowly provisioned by default and ACLs are employed can reduce the impact of a compromised account. Also, software sandboxing techniques can quarantine a vulnerability to limit compromise of an entire application. Automatically generate reports for: Administrators of inactive accounts. Prompt administrators to set a maximum inactive time and automatically suspend accounts that exceed that threshold. Administrators of accounts with administrator privileges and suggest ways to reduce privilege sprawl. Automatically alert administrators of infrequently used services and provide recommendations for disabling them or implementing ACLs.
Insufficient internal network monitoring	Provide high-quality audit logs to customers at no extra charge. Audit logs are crucial for detecting and escalating potential security incidents. They are also crucial during an investigation of a suspected or confirmed security incident. Consider best practices such as providing easy integration with a security information and event management (SIEM) system with application programming interface (API) access that uses coordinated universal time (UTC), standard time zone formatting, and robust documentation techniques.
Lack of network segmentation	Ensure products are compatible with and tested in segmented network environments.
Poor patch management: Lack of regular patching	Take steps to eliminate entire classes of vulnerabilities by embedding security controls into product architecture from the start of development and throughout the SDLC by following best practices in NIST’s SSDF, SP 800-218.[54] Pay special attention to: Following secure coding practices [SSDF PW 5.1]. Use memory-safe programming languages where possible, parametrized queries, and web template languages. Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, and logic flaws. Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2]. Ensure that published CVEs include root cause or common weakness enumeration (CWE) to enable industry-wide analysis of software security design flaws.
Poor patch management: Use of unsupported operating OSs and outdated firmware	Communicate the business risk of using unsupported OSs and firmware in plain, understandable language.
Bypass of system access controls	Provide sufficient detail in audit records to detect bypass of system controls and queries to monitor audit logs for traces of such suspicious activity (e.g., for when an essential step of an authentication or authorization flow is missing).
Weak or Misconfigured MFA Methods: Misconfigured Smart Cards or Tokens	Fully support MFA for all users, making MFA the default rather than an opt-in feature. Utilize threat modeling for authentication assertions and alternate credentials to examine how they could be abused to bypass MFA requirements.
Weak or Misconfigured MFA Methods: Lack of phishing-resistant MFA	Mandate MFA, ideally phishing-resistant, for privileged users and make MFA a default rather than an opt-in feature.[3]
Insufficient ACL on network shares and services	Enforce use of ACLs with default ACLs only allowing the minimum access needed, along with easy-to-use tools to regularly audit and adjust ACLs to the minimum access needed.
Poor credential hygiene: easily crackable passwords	Allow administrators to configure a password policy consistent with NIST’s guidelines—do not require counterproductive restrictions such as enforcing character types or the periodic rotation of passwords.[29] Allow users to use password managers to effortlessly generate and use secure, random passwords within products.
Poor credential hygiene: cleartext password disclosure	Salt and hash passwords using a secure hashing algorithm with high computational cost to make brute force cracking more difficult.
Unrestricted code execution	Support execution controls within operating systems and applications “out of the box” by default at no extra charge for all customers, to limit malicious actors’ ability to abuse functionality or launch unusual applications without administrator or informed user approval.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 12–Table 21).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

LEARN FROM HISTORY

The misconfigurations described above are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions.

WORKS CITED

[1]   Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023), https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf
[2]   CISA, Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[3]   CISA, Implementing Phishing-Resistant MFA, https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
[4]   MITRE, ATT&CK for Enterprise, https://attack.mitre.org/versions/v13/matrices/enterprise/
[5]   MITRE, D3FEND, https://d3fend.mitre.org/
[6]   CISA, Best Practices for MITRE ATT&CK Mapping, https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
[7]   CISA, Decider Tool, https://github.com/cisagov/Decider/
[8]   CISA, Cyber Assessment Fact Sheet, https://www.cisa.gov/sites/default/files/publications/VM_Assessments_Fact_Sheet_RVA_508C.pdf
[9]   Joint CSA: Weak Security Controls and Practices Routinely Exploited for Initial Access, https://media.defense.gov/2022/May/17/2002998718/-1/-1/0/CSA_WEAK_SECURITY_CONTROLS_PRACTICES_EXPLOITED_FOR_INITIAL_ACCESS.PDF
[10]  Microsoft KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
[11]  Raj Chandel, Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints, https://www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/
[12]  SpecterOps – Will Schroeder, Certified Pre-Owned, https://posts.specterops.io/certified-pre-owned-d95910965cd2
[13]  CISA, CSA: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
[14]  Joint CSA: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a
[15]  Joint CSA: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
[16]  Joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a
[17]  Microsoft, How to verify that MS17-010 is installed, https://support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8
[18]  Microsoft, Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644), https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
[19]  Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
[20]  CISA, Malware Analysis Report: 10365227.r1.v1, https://www.cisa.gov/sites/default/files/2023-06/mar-10365227.r1.v1.clear_.pdf
[21]  Joint CSA: #StopRansomware: BianLian Ransomware Group, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
[22]  CISA Analysis Report: FiveHands Ransomware, https://www.cisa.gov/news-events/analysis-reports/ar21-126a
[23]  Snaffler, https://github.com/SnaffCon/Snaffler
[24]  CISA, Cross-Sector Cybersecurity Performance Goals, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
[25]  Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), https://public.cyber.mil/stigs/
[26]  NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[27]  NSA, Actively Manage Systems and Configurations, https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf
[28]  NSA, Cybersecurity Advisories & Guidance, https://www.nsa.gov/cybersecurity-guidance
[29]  National Institute of Standards and Technologies (NIST), NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final
[30]  Microsoft, Uninstall-AdcsWebEnrollment, https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment
[31]  Microsoft, KB5021989: Extended Protection for Authentication, https://support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f
[32]  Microsoft, Network security: Restrict NTLM: NTLM authentication in this domain, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
[33]  Microsoft, Network security: Restrict NTLM: Incoming NTLM traffic, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
[34]  Microsoft, How to disable the Subject Alternative Name for UPN mapping, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping
[35]  Microsoft, Overview of Server Message Block signing, https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
[36]  Microsoft, SMB signing required by default in Windows Insider, https://aka.ms/SmbSigningRequired
[37]  NSA, Defend Privileges and Accounts, https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf
[38]  NSA, Advancing Zero Trust Maturity Throughout the User Pillar, https://media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_Zero_Trust_User_Pillar_v1.1.PDF
[39]  NSA, Continuously Hunt for Network Intrusions, https://media.defense.gov/2019/Sep/09/2002180360/-1/-1/0/Continuously%20Hunt%20for%20Network%20Intrusions%20-%20Copy.pdf
[40]  Joint CSI: Detect and Prevent Web Shell Malware, https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
[41]  NSA, Segment Networks and Deploy Application-aware Defenses, https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
[42]  Joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF
[43]  NSA, Stop Malicious Cyber Activity Against Connected Operational Technology, https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF
[44]  NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF
[45]  NSA, Update and Upgrade Software Immediately, https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf
[46]  Microsoft, Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management, https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997
[47]  CISA, Secure Cloud Business Applications Hybrid Identity Solutions Architecture, https://www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf
[48]  CISA, Secure Cloud Business Applications (SCuBA) Project, https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
[49]  NSA, Transition to Multi-factor Authentication, https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multi-factor%20Authentication%20-%20Copy.pdf
[50]  Committee on National Security Systems (CNSS), CNSS Policy 15, https://www.cnss.gov/CNSS/issuances/Policies.cfm
[51]  NSA, NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems, https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
[52]  NSA, Enforce Signed Software Execution Policies, https://media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf
[53]  Joint CSI: Keeping PowerShell: Security Measures to Use and Embrace, https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
[54]  NIST, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, https://csrc.nist.gov/publications/detail/sp/800-218/final

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Trademarks

Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation.
MITRE ATT&CK is registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation.
SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company.
Telerik is a registered trademark of Progress Software Corporation.
VMware is a registered trademark of VMWare, Inc.
Zimbra is a registered trademark of Synacor, Inc.

Purpose

This document was developed in furtherance of the authoring cybersecurity organizations’ missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
General Cybersecurity Inquiries: Cybersecurity_Requests@nsa.gov 
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov 

To report suspicious activity contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Appendix: MITRE ATT&CK Tactics and Techniques

See Table 12–Table 21 for all referenced threat actor tactics and techniques in this advisory.

Table 12: ATT&CK Techniques for Enterprise – Reconnaissance

Technique Title	ID	Use
Active Scanning: Vulnerability Scanning	T1595.002	Malicious actors scan victims for vulnerabilities that be exploited for initial access.
Gather Victim Host Information	T1592	Malicious actors gather information on victim client configurations and/or vulnerabilities through vulnerabilities scans and searching the web.
Gather Victim Identity Information: Credentials	T1589.001	Malicious actors find default credentials through searching the web.
Phishing for Information	T1598	Malicious actors masquerade as IT staff and convince a target user to provide their MFA code over the phone to gain access to email and other organizational resources.

Table 13: ATT&CK Techniques for Enterprise – Initial Access

Technique Title	ID	Use
External Remote Services	T1133	Malicious actors use default credentials for VPN access to internal networks.
Valid Accounts: Default Accounts	T1078.001	Malicious actors gain authenticated access to devices by finding default credentials through searching the web. Malicious actors use default credentials for VPN access to internal networks, and default administrative credentials to gain access to web applications and databases.
Exploit Public-Facing Application	T1190	Malicious actors exploit CVEs in Telerik UI, VM Horizon, Zimbra Collaboration Suite, and other applications for initial access to victim organizations.
Phishing	T1566	Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads.
Trust Relationship	T1199	Malicious actors gain access to OT networks despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network, by finding special purpose, forgotten, or even accidental network connections.

Table 14: ATT&CK Techniques for Enterprise – Execution

Technique Title	ID	Use
Software Deployment Tools	T1072	Malicious actors use default or captured credentials on software deployment tools to execute code and move laterally.
User Execution	T1204	Malicious actors gain initial access to systems by phishing to entice end users to download and execute malicious payloads or to run code on their workstations.
Command and Scripting Interpreter	T1059	Malicious actors use scripting languages to obscure their actions and bypass allowlisting.
Command and Scripting Interpreter: Visual Basic	T1059.005	Malicious actors use macros for initial access, persistence, and lateral movement.

Table 15: ATT&CK Techniques for Enterprise – Persistence

Technique Title	ID	Use
Account Manipulation	T1098	Malicious actors reset built-in administrative accounts via predictable, forgotten password questions.

Table 16: ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title	ID	Use
Valid Accounts	T1078	Malicious actors analyze topical and nested Active Directory groups to find privileged accounts to target.
Valid Accounts: Domain Accounts	T1078.002	Malicious actors obtain loaded domain credentials from printers and scanners and use them to move laterally from the network device.
Exploitation for Privilege Escalation	T1068	Malicious actors load vulnerable drivers and then exploit their known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device.

Table 17: ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title	ID	Use
Obfuscated Files or Information: Command Obfuscation	T1027.010	Malicious actors often use scripting languages to obscure their actions.

Table 18: ATT&CK Techniques for Enterprise – Credential Access

Technique Title	ID	Use
Adversary-in-the-Middle	T1557	Malicious actors force a device to communicate through actor-controlled systems, so they can collect information or perform additional actions.
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay	T1557.001	Malicious actors execute spoofing, poisoning, and relay techniques if Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Server Message Block (SMB) services are enabled in a network.
Brute Force: Password Cracking	T1110.002	Malicious actors capture user hashes and leverage dictionary wordlists and rulesets to extract cleartext passwords.
Credentials from Password Stores	T1555	Malicious actors gain access to and crack credentials from PFX stores, enabling elevation of privileges and lateral movement within networks.
Multi-Factor Authentication Interception	T1111	Malicious actors can obtain password hashes for accounts enabled for MFA with smart codes or tokens and use the hash via PtH techniques.
Multi-Factor Authentication Request Generation	T1621	Malicious actors use “push bombing” against non-phishing resistant MFA to induce “MFA fatigue” in victims, gaining access to MFA authentication credentials or bypassing MFA, and accessing the MFA-protected system.
Steal Application Access Token	T1528	Malicious actors can steal administrator account credentials and the authentication token generated by Active Directory when the account is logged into a compromised host.
Steal or Forge Authentication Certificates	T1649	Unauthenticated malicious actors coerce an ADCS server to authenticate to an actor-controlled server, and then relay that authentication to the web certificate enrollment application to obtain a trusted illegitimate certificate.
Steal or Forge Kerberos Tickets: Golden Ticket	T1558.001	Malicious actors who have obtained authentication certificates can use the certificate for Active Directory authentication to obtain a Kerberos TGT.
Steal or Forge Kerberos Tickets: Kerberoasting	T1558.003	Malicious actors obtain and abuse valid Kerberos TGTs to elevate privileges and laterally move throughout an organization’s network.
Unsecured Credentials: Credentials in Files	T1552.001	Malicious actors find cleartext credentials that organizations or individual users store in spreadsheets, configuration files, and other documents.

Table 19: ATT&CK Techniques for Enterprise – Discovery

Technique Title	ID	Use
Account Discovery	T1087	Malicious actors with valid domain credentials enumerate the AD to discover elevated accounts and where they are used.
File and Directory Discovery	T1083	Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer to discover and categorize files. Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining desired information, such as cleartext passwords.
Network Share Discovery	T1135	Malicious actors use commands, such as net share, open source tools, such as SoftPerfect Network Scanner, or custom malware, such as CovalentStealer, to look for shared folders and drives.

Table 20: ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title	ID	Use
Exploitation of Remote Services	T1210	Malicious actors can exploit OS and firmware vulnerabilities to gain unauthorized network access, compromise sensitive data, and disrupt operations.
Remote Services: SMB/Windows Admin Shares	T1021.002	If SMB signing is not enforced, malicious actors can use name resolution poisoning to access remote systems.
Use Alternate Authentication Material: Application Access Token	T1550.001	Malicious actors with stolen administrator account credentials and AD authentication tokens can use them to operate with elevated permissions throughout the domain.
Use Alternate Authentication Material: Pass the Hash	T1550.002	Malicious actors collect hashes in a network and authenticate as a user without having access to the user’s cleartext password.

Table 21: ATT&CK Techniques for Enterprise – Collection

Technique Title	ID	Use
Data from Network Shared Drive	T1039	Malicious actors find sensitive information on network shares that could facilitate follow-on activity or provide opportunities for extortion.

This post was originally published on this site

Executive Summary

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.

BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.

For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]

Download the PDF version of this report: [PDF, 808 KB]

Technical Details

This advisory uses the MITRE^® ATT&CK^® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.

Background

Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.

Observable TTPs

BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows^®, Linux^®, and FreeBSD^® operating systems. Custom malware families employed by BlackTech include:

• BendyBear [S0574]
• Bifrose
• BTSDoor
• FakeDead (a.k.a. TSCookie) [S0436]
• Flagpro [S0696]
• FrontShell (FakeDead’s downloader module)
• IconDown
• PLEAD [S0435]
• SpiderPig
• SpiderSpring
• SpiderStack
• WaterBear [S0579]

BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002].

BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]

Pivoting from international subsidiaries

The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.

Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].

Maintaining access via stealthy router backdoors

BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco^® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.

In some cases, BlackTech actors replace the firmware for certain Cisco IOS^®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router’s built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006], however, it is not always necessary.

BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].

Firmware replacement process

BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.

Table 1: File types to compromise the router

File Type	Description
Old Legitimate Firmware	The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader.
Modified Firmware	The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router.
Modified Bootloader	The bootloader allows Modified Firmware to continue evading the router’s security features for persistence across reboots. In some cases, only modified firmware is used.

BlackTech actors use the Cisco router’s CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows:

1. Download old legitimate firmware.
2. Set the router to load the old legitimate firmware and reboot with the following command(s):
   

   config t no boot system usbflash0 [filename] boot system usbflash0 [filename] end write reload

3. Download the modified bootloader and modified firmware.
4. Set the router to load the modified firmware with the following command(s):
   

   conf t no boot system usbflash0 [filename] boot system usbflash0 [filename] end write

5. Load the modified bootloader (the router reboots automatically) with the following command:
   

   upgrade rom file bootloader

6. Enable access by sending a trigger packet that has specific values within the UDP data or TCP Sequence Number field and the Maximum Segment Size (MSS) parameter within the TCP Options field.

Modified bootloader

To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.

Modified firmware

BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.

BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.

To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.

Detection and Mitigation Techniques

In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.

The following are the best mitigation practices to defend against this type of malicious activity:

• Disable outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems.
  Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3]
• Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.[4]
• Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.[3]
• Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.[3],[5]
• When there is a concern that a single password has been compromised, change all passwords and keys.[3]
• Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.[3]
• Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.[3]
• Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.[3]

Works Cited

[1]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF
[2]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
[3]    NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[4]    NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF 
[5]    Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.

Contact

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov 
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov 
NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office.

Appendix: MITRE ATT&CK Techniques

See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.

Table 2: BlackTech ATT&CK Techniques for Enterprise – Resource Development

Technique Title	ID	Use
Obtain Capabilities: Code Signing Certificates	T1588.003	BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.

Table 3: BlackTech ATT&CK Techniques for Enterprise – Initial Access

Technique Title	ID	Use
Initial Access	TA0001	BlackTech actors gain access to victim networks by exploiting routers.
Trusted Relationship	T1199	BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.

Table 4: BlackTech ATT&CK Techniques for Enterprise – Persistence

Technique Title	ID	Use
Persistence	TA0003	BlackTech actors gain persistent access to victims’ networks.
Traffic Signaling	T1205	BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.
Pre-OS Boot: ROMMONkit	T1542.004	BlackTech actors modify router firmware to maintain persistence.

Table 5: BlackTech ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title	ID	Use
Privilege Escalation	TA0004	BlackTech actors gain elevated privileges on a victim’s network.

Table 6: BlackTech ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title	ID	Use
Defense Evasion	TA0005	BlackTech actors configure their tools to evade detection by security software and EDR.
Modify Registry	T1112	BlackTech actors modify the victim’s registry.
Impair Defenses	T1562	BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.
Impair Defenses: Impair Command History Logging	T1562.003	BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.
Modify System Image: Patch System Image	T1601.001	BlackTech actors modify router firmware to evade detection.

Table 7: BlackTech ATT&CK Techniques for Enterprise – Discovery

Technique Title	ID	Use
Discovery	TA0007	BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information.

Table 8: BlackTech ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title	ID	Use
Remote Services: Remote Desktop Protocol	T1021.001	BlackTech actors use RDP to move laterally across a victim’s network.
Remote Services: SSH	T1021.004	BlackTech actors use SSH to move laterally across a victim’s network.

Table 9: BlackTech ATT&CK Techniques for Enterprise – Command and Control

Technique Title	ID	Use
Command and Control	TA0011	BlackTech actors compromise and control a victim’s network infrastructure.
Application Layer Protocol: File Transfer Protocols	T1071.002	BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.
Proxy	T1090	BlackTech actors use compromised routers to proxy traffic.