This post was originally published on this site

Summary

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomare and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

Actions to take today to mitigate cyber threats from BianLian ransomware and data extortion: • Strictly limit the use of RDP and other remote desktop services. • Disable command-line and scripting activities and permissions. • Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.

Download the PDF version of this report (710kb):

For a downloadable copy of IOCs (35kb), see:

Technical Details

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 13. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® Tactics and Techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.

Initial Access

BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566].

Command and Control

BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) [T1587.001] and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control [T1105],[T1219].

FBI also observed BianLian group actors create and/or activate local administrator accounts [T1136.001] and change those account passwords [T1098].

Defense Evasion

BianLian group actors use PowerShell [T1059.001] and Windows Command Shell [T1059.003] to disable antivirus tools [T1562.001], specifically Windows defender and Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry [T1112] to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.

Discovery

BianLian group actors use a combination of compiled tools, which they first download to the victim environment, to learn about the victim’s environment. BianLian group actors have used:

• Advanced Port Scanner, a network scanner used to find open ports on network computers and retrieve versions of programs running on the detected ports [T1046].
• SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders [T1135].
• SharpShares to enumerate accessible network shares in a domain.
• PingCastle to enumerate Active Directory (AD) [T1482]. PingCastle provides an AD map to visualize the hierarchy of trust relationships.

BianLian actors also use native Windows tools and Windows Command Shell to:

• Query currently logged-in users [T1033].
• Query the domain controller to identify:
  • All groups [T1069.002].
  • Accounts in the Domain Admins and Domain Computers groups [1087.002].
  • All users in the domain.
• Retrieve a list of all domain controllers and domain trusts.
• Identify accessible devices on the network [T1018].

See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.

Credential Access

BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine [T1552.001]. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory [T1003.001], download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit) [T1003.003].

In one case, FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump.py) to move laterally to a domain controller and harvest credential hashes from it. Note: Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network. Threat actors can run portable executable files on victim systems using local user rights, assuming the executable is not blocked by an application allowlist or antivirus solution.

See Appendix: Windows PowerShell and Command Shell Activity for additional information.

Persistence and Lateral Movement

BianLian group actors use PsExec and RDP with valid accounts for lateral movement [T1021.001]. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic [T1562.004]. See Appendix: Windows PowerShell and Command Shell Activity for additional information.

In one case, FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller.

Collection

FBI observed BianLian group actors using malware (system.exe) that enumerates registry [T1012] and files [T1083] and copies clipboard data from users [T1115].

Exfiltration and Impact

BianLian group actors search for sensitive files using PowerShell scripts (See Appendix: Windows PowerShell and Command Shell Activity) and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files [T1486] after exfiltration for double extortion.

BianLian group uses File Transfer Protocol (FTP) [T1048] and Rclone, a tool used to sync files to cloud storage, to exfiltrate data [T1537]. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as programdatavmware and music folders. ACSC observed BianLian group actors use Mega file-sharing service to exfiltrate victim data [T1567.002].

BianLian’s encryptor (encryptor.exe) modified all encrypted files to have the .bianlian extension. The encryptor created a ransom note, Look at this instruction.txt, in each affected directory (see Figure 1 for an example ransom note.) According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files.

If a victim refuses to pay the ransom demand, BianLian group threatens to publish exfiltrated data to a leak site maintained on the Tor network. The ransom note provides the Tox ID A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC, which does not vary across victims. The Tox ID directs the victim organization to a Tox chat via https://qtox.github[.]io and includes an alternative contact email address (swikipedia@onionmail[.]org or xxx@mail2tor[.]com). The email address is also the same address listed on the group’s Tor site under the contact information section. Each victim company is assigned a unique identifier included in the ransom note. BianLian group receives payments in unique cryptocurrency wallets for each victim company.

BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.

Indicators of Compromise (IOC)

See Table 1 for IOCs obtained from FBI investigations as of March 2023.

Table 1: BianLian Ransomware and Data Extortion Group IOCs

Name	SHA-256 Hash	Description
def.exe	7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893	Malware associated with BianLian intrusions, which is an example of a possible backdoor developed by BianLian group.
encryptor.exe	1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43	Example of a BianLian encryptor.
exp.exe	0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500	Possible NetLogon vulnerability (CVE-2020-1472) exploitation.
system.exe	40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce	Enumerates registry and files. Reads clipboard data.

MITRE ATT&CK Techniques

See Table 2 for all referenced threat actor tactics and techniques in this advisory.

Table 2: BianLian Group Actors ATT&CK Techniques for Enterprise

Technique Title	ID	Use
Resource Development
Develop Capabilities: Malware	T1587.001	BianLian group actors developed a custom backdoor used in their intrusions.
Initial Access
External Remote Services	T1133	BianLian group actors used RDP with valid accounts as a means of gaining initial access and for lateral movement.
Phishing	T1566	BianLian group actors used phishing to obtain valid user credentials for initial access.
Valid Accounts	T1078	BianLian group actors used RDP with valid accounts as a means of gaining initial access and for lateral movement.
Execution
Command and Scripting Interpreter: PowerShell	T1059.001	BianLian group actors used PowerShell to disable AMSI on Windows. See Appendix: Windows PowerShell and Command Shell Activity for additional information.
Command and Scripting Interpreter: Windows Command Shell	T1059.003	BianLian group actors used Windows Command Shell to disable antivirus tools, for discovery, and to execute their tools on victim networks. See Appendix: Windows PowerShell and Command Shell Activity for additional information.
Scheduled Task/Job: Scheduled Task	T1053.005	BianLian group actors used a Scheduled Task run as SYSTEM (the highest privilege Windows accounts) to execute a Dynamic Link Library (DLL) file daily. See Appendix: Windows PowerShell and Command Shell Activity for additional information.
Persistence
Account Manipulation	T1098	BianLian group actors changed the password of an account they created. BianLian actors modified the password of an account they added to the local Remote Desktop Users group.
Create Account: Local Account	T1136.001	BianLian group actors created/activated a local administrator account. BianLian group actors used net.exe to add a user account to the local Remote Desktop Users group. (See Appendix: Windows PowerShell and Command Shell Activity for more information.)
Defense Evasion
Modify Registry	T1112	BianLian group actors modified the registry to  disable user authentication for RDP connections, allow a user to receive help from Remote Assistance, and disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services.
Impair Defenses: Disable or Modify Tools	T1562.001	BianLian group actors disabled Windows defender, AMSI, and Sophos SAVEnabled and SEDEenabled tamper protection services. See Appendix: Windows PowerShell and Command Shell Activity for additional information.
Impair Defenses: Disable or Modify System Firewall	T1562.004	BianLian group actors added modified firewalls to allow RDP traffic by adding new rules to the Windows firewall that allow incoming RDP traffic and enable a pre-existing Windows firewall rule group named Remote Desktop.
Credential Access
OS Credential Dumping: LSASS Memory	T1003.001	BianLian group actors accessed credential material stored in the process memory of the LSASS. See Appendix: Windows PowerShell and Command Shell Activity for additional information.
OS Credential Dumping: NTDS	T1003.003	BianLian group actors attempted to access or create a copy of the Active Directory domain database in order to steal credential information and to obtain other information about domain members such as devices, users, and access rights.
Unsecured Credentials: Credentials In Files	T1552.001	BianLian group actors searched local file systems and remote file shares for files containing insecurely stored credentials.
Discovery
Account Discovery: Domain Account	1087.002	BianLian group actors queried the domain controller to identify accounts in the Domain Admins and Domain Computers groups. This information can help adversaries determine which domain accounts exist to aid in follow-on activity.
Domain Trust Discovery	T1482	BianLian group actors used PingCastle to enumerate the AD and map trust relationships. BianLian group actors retrieved a list of domain trust relationships used to identify lateral movement opportunities in Windows multi-domain/forest environments.
File and Directory Discovery	T1083	BianLian group used malware (system.exe) that enumerates files.
Network Service Discovery	T1046	BianLian actors used Advanced Port Scanner and SoftPerfect Network Scanner to ping computers, scan ports, and identify program versions running on ports.
Network Share Discovery	T1135	BianLian actors used SoftPerfect Network Scanner, which can discover shared folders. BianLian group actors used SharpShares to enumerate accessible network shares in a domain.
Permission Groups Discovery: Domain Groups	T1069.002	BianLian group actors queried the domain controller to identify groups.
Query Registry	T1012	BianLian group used malware (system.exe) that enumerates registry.
Remote System Discovery	T1018	BianLian group actors attempted to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement. BianLian group actors retrieved a list of domain controllers.
System Owner User Discovery	T1033	BianLian group actors queried currently logged-in users on a machine.
Lateral Movement
Remote Services: Remote Desktop Protocol	T1021.001	BianLian group actors used RDP with valid accounts for lateral movement.
Collection
Clipboard Data	T1115	BianLian group actors’ malware collects data stored in the clipboard from users copying information within or between applications.
Command and Control
Ingress Tool Transfer	T1105	BianLian group actors transferred tools or other files from an external system into a compromised environment.
Remote Access Software	T1219	BianLian group actors used legitimate desktop support and remote access software, such as TeamViewer, Atera, and SplashTop, to establish an interactive command and control channel to target systems within networks.
Exfiltration
Transfer Data to Cloud Account	T1537	BianLian group actors used Rclone to exfiltrate data to a cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.
Exfiltration Over Alternative Protocol	T1048	BianLian group actors exfiltrated data via FTP.
Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	BianLian group actors exfiltrated data via Mega public file-sharing service.
Impact
Data Encrypted for Impact	T1486	BianLian group actors encrypted data on target systems.

Mitigations

FBI, CISA, and ACSC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Reduce threat of malicious actors using remote access tools by:
  • Auditing remote access tools on your network to identify currently used and/or authorized software.
  • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
  • Using security software to detect instances of remote access software only being loaded in memory.
  • Requiring authorized remote access solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
• Implement application controls to manage and control execution of software, including allowlisting remote access programs.
  • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.

See NSA Cybersecurity Information sheet Enforce Signed Software Execution Policies for additional guidance.

• Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Audit the network for systems using RDP.
  • Close unused RDP ports.
  • Enforce account lockouts after a specified number of attempts.
  • Apply phishing-resistant multifactor authentication (MFA).
  • Log RDP login attempts.
• Disable command-line and scripting activities and permissions [CPG 2.N].
• Restrict the use of PowerShell, using Group Policy, and only grant to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
• Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
• Enable enhanced PowerShell logging [CPG 2.T, 2.U].
  • PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use.
  • Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
  • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
• Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
• Reduce the threat of credential compromise via the following:
  • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
  • Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
  • Refrain from storing plaintext credentials in scripts.
• Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory (AD) level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

In addition, FBI, CISA, and ACSC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
• Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of disruption to business practices as they will not be as severe and/or only have irretrievable data [CPG 2.R]. ACSC recommends organizations follow the 3-2-1 backup strategy in which organizations have three copies of data (one copy of production data and two backup copies) on two different media such as disk and tape, with one copy kept off-site for disaster recovery.
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
  • Use longer passwords consisting of at least 15 characters [CPG 2.B].
  • Store passwords in hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords [CPG 2.C].
  • Implement multiple failed login attempt account lockouts [CPG 2.G].
  • Disable password “hints”.
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours from vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks, restricting further lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Disable unused ports [CPG 2.V].
• Consider adding an email banner to emails received from outside your organization [CPG 2.M].
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

Validate Security Controls

In addition to applying mitigations, FBI, CISA, and ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 2).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI, CISA, and ACSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• Stopransomware.gov, a whole-of-government approach with one central location for U.S. ransomware resources and alerts.
• cyber.gov.au for the Australian Government’s central location to report cyber incidents, including ransomware, and to see advice and alerts. The site also provides ransomware advisories for businesses and organizations to help mitigate cyber threats.
• CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for guidance on mitigating and responding to a ransomware attack
• For no-cost cyber hygiene services for U.S. organizations,  Cyber Hygiene Services and Ransomware Readiness Assessment.

Reporting

The FBI is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with BianLian actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report. Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ACSC via 1300 CYBER1 (1300 292 371) or by submitting a report cyber.gov.au.

Acknowledgements

Microsoft and Sophos contributed to this advisory.

APPENDIX: WINDOWS PowerSHell and COMMAND SHELL ACTIVITY

Through FBI investigations as of March 2023, FBI has observed BianLian actors use the commands in Table 3. ACSC has observed BianLian actors use some of the same commands.

Table 3: PowerShell and Windows Command Shell Activity

Command	Use
[Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’).GetField(‘amsiInitFailed’,’NonPublic,* Static’).SetValue($null,$true)	Disables the AMSI on Windows. AMSI is a built-in feature on Windows 10 and newer that provides an interface for anti-malware scanners to inspect scripts prior to execution. When AMSI is disabled, malicious scripts may bypass antivirus solutions and execute undetected.
cmd.exe /Q /c for /f “tokens=1,2 delims= “ ^%A in (‘”tasklist /fi “Imagename eq lsass.exe” | find “lsass””’) do rundll32.exe C:windowsSystem32comsvcs.dll, MiniDump ^%B WindowsTemp<file>.csv full	Creates a memory dump lsass.exe process and saves it as a CSV filehttps://attack.mitre.org/versions/v12/techniques/T1003/001/.  BianLian actors used it to harvest credentials from lsass.exe.
cmd.exe /Q /c net user <admin> /active:yes 1> 127.0.0.1C$WindowsTemp<folder> 2>&1	Activates the local Administrator account.
cmd.exe /Q /c net user “<admin>”<password> 1> 127.0.0.1C$WindowsTemp<folder> 2>&1	Changes the password of the newly activated local Administrator account.
cmd.exe /Q /c quser 1> 127.0.0.1C$WindowsTemp<folder> 2>&1	Executes quser.exe to query the currently logged-in users on a machine. The command is provided arguments to run quietly and exit upon completion, and the output is directed to the WindowsTemp directory.
dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart	Using the Deployment Image Servicing and Management (DISM) executable file, removes the Windows Defender feature.
dump.exe -no-pass -just-dc user.local/<fileserver.local>@<local_ip>	Executes secretsdump.py, a Portable Executable version of an Impacket tool. Used to dump password hashes from domain controllers.
exp.exe -n <fileserver.local> -t <local_ip>	Possibly attempted exploitation of the NetLogon vulnerability (CVE-2020-1472).
findstr /spin “password” *.* >C:UserstrainingMusic<file>.txt	Searches for the string password in all files in the current directory and its subdirectories and puts the output to a file.
ldap.exe -u user<user> -p <password> ldap://<local_ip>	Connects to the organization’s Lightweight Directory Access Protocol (LDAP) server.
logoff	Logs off the current user from a Windows session. Can be used to log off multiple users at once.
mstsc	Launches Microsoft Remote Desktop Connection client application in Windows.
net group /domain	Retrieves a list of all groups from the domain controller.
net group ‘Domain Admins’ /domain	Queries the domain controller to retrieve a list of all accounts from Domain Admins group.
net group ‘Domain Computers’ /domain	Queries the domain controller to retrieve a list of all accounts from Domain Computers group.
net user /domain	Queries the domain controller to retrieve a list of all users in the domain.
net.exe localgroup “Remote Desktop Users” <user> /add	Adds a user account to the local Remote Desktop Users group.
net.exe user <admin> <password> /domain	Modifies the password for the specified account.
netsh.exe advfirewall firewall add rule “name=allow RemoteDesktop” dir=in * protocol=TCP localport=<port num> action=allow	Adds a new rule to the Windows firewall that allows incoming RDP traffic.
netsh.exe advfirewall firewall set rule “group=remote desktop” new enable=Yes	Enables the pre-existing Windows firewall rule group named Remote Desktop. This rule group allows incoming RDP traffic.
nltest /dclist	Retrieves a list of domain controllers.
nltest /domain_trusts	Retrieves a list of domain trusts.
ping.exe -4 -n 1 *	Sends a single ICMP echo request packet to all devices on the local network using the IPv4 protocol. The output of the command will show if the device is reachable or not.
quser; ([adsisearcher]”(ObjectClass=computer)”).FindAll().count;([adsisearcher]”(ObjectClass=user)”).FindAll().count;[Security.Principal.WindowsIdentity]::GetCurrent() | select name;net user “$env:USERNAME” /domain; (Get-WmiObject -class Win32_OperatingSystem).Caption; Get-WmiObject -Namespace rootcimv2 -Class Win32_ComputerSystem; net group “domain admins” /domain; nltest /dclist:; nltest /DOMAIN_TRUSTS	Lists the current Windows identity for the logged-in user and displays the user’s name. Uses the Active Directory Services Interface (ADSI) to search for all computer and user objects in the domain and returns counts of the quantities found. Lists information about the current user account from the domain, such as the user’s name, description, and group memberships. Lists information about the operating system installed on the local computer. Lists information about the “Domain Admins” group from the domain. Lists all domain controllers in the domain. Displays information about domain trusts.
reg.exe add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal * ServerWinStationsRDP-Tcp” /v UserAuthentication /t REG_DWORD /d 0 /f	Adds/overwrites a new Registry value to disable user authentication for RDP connections.
reg.exe add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server” /* v fAllowToGetHelp /t REG_DWORD /d 1 /f	Adds/overwrites a new Registry value to allow a user to receive help from Remote Assistance.
reg.exe add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSophos Endpoint * DefenseTamperProtectionConfig” /t REG_DWORD /v SAVEnabled /d 0 /f	Adds/overwrites a new Registry value to disable tamper protection for Sophos antivirus named SAVEnabled.
reg.exe add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSophos Endpoint * DefenseTamperProtectionConfig” /t REG_DWORD /v SEDEnabled /d 0 /f	Adds/overwrites a new Registry value to disable tamper protection for Sophos antivirus named SEDEnabled.
reg.exe ADD * HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeSophosSAVServiceTamperProtection /t REG_DWORD /v Enabled /d 0 /f	Adds/overwrites a new registry value to disable tamper protection for a Sophos antivirus service called SAVService.
reg.exe copy hklmsystemCurrentControlSetservicestvnserver * hklmsystemCurrentControlSetcontrolsafebootnetworktvnserver /s /f	Copies the configuration settings for the tvnserver service to a new location in the registry that will be used when the computer boots into Safe Mode with Networking. This allows the service to run with the same settings in Safe Mode as it does in normal mode.
s.exe /threads:50 /ldap:all /verbose /outfile:c:users<user>desktop1.txt	Executes SharpShares.
schtasks.exe /RU SYSTEM /create /sc ONCE /<user> /tr “cmd.exe /crundll32.exe c:programdatanetsh.dll,Entry” /ST 04:43	Creates a Scheduled Task run as SYSTEM at 0443 AM. When the task is run, cmd.exe uses crundll32.exe to run the DLL file netsh.dll. (It is likely that netsh.dll is a malware file and not associated with netsh.)
start-process PowerShell.exe -arg C:UsersPublicMusic<file>.ps1 -WindowStyle Hidden	Executes a PowerShell script, while keeping the PowerShell window hidden from the user.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and ACSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or ACSC.

 

This post was originally published on this site

APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.

Overview and Context

The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

Download the UK PDF version of this report:

Download the US PDF version of this report:

Previous Activity

The NCSC has previously attributed the following activity to APT28:

• Cyber attacks against the German parliament in 2015, including data theft and disrupting email accounts of German Members of Parliament (MPs) and the Vice Chancellor
• Attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK

For more information on APT28 activity, see the advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.

As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of PowerShell Empire, in addition to Python versions of Empire.

Reconnaissance

Use of SNMP Protocol to Access Routers

In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.

SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.

Weak SNMP community strings, including the default “public,” allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001]

The compromized routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

Exploitation of CVE-2017-6742

APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software was made available. 

Cisco’s published advisory provided workarounds, such as limiting access to SNMP from trusted hosts only, or by disabling a number of SNMP Management Information bases (MIBs).

Malware Deployment

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth Malware Analysis Report. This malware obtained further device information, which is exfiltrated over trivial file transfer protocol (TFTP), and enabled unauthenticated access via a backdoor.

The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. It includes discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590]

Indicators of Compromise (IoCs)

Please refer to the accompanying Malware Analysis Report for indicators of compromise which may help to detect this activity.

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

For detailed TTPs, see the Malware Analysis Report.

Tactic	ID	Technique	Procedure
Initial Access	T1190	Exploit Public-facing Application.	APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).
Initial Access	T1078.001	Valid Accounts: Default Accounts.	Actors accessed victim routers by using default community strings such as “public.”
Reconnaissance	T1590	Gather Victim Network Information	Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

Conclusion

APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco.

TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.

Reporting

UK organizations should report any suspected compromises to the NCSC.
US organisations should contact CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.

Mitigation

Mitigation

• Patch devices as advised by Cisco. The NCSC also has general guidance on managing updates and keeping software up to date.
• Do not use SNMP if you are not required to configure or manage devices remotely to prevent unauthorized users from accessing your router.
  • If you are required to manage routers remotely, establish allow and deny lists for SNMP messages to prevent unauthorized users from accessing your router.
• Do not allow unencrypted (i.e., plaintext) management protocols, such as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, you should carry out any management activities from outside the organization through an encrypted virtual private network (VPN), where both ends are mutually authenticated.
• Enforce a strong password policy. Don’t reuse the same password for multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on public-private key.
• Disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based on current best security practice. The NCSC strongly advises owners and operators to retire and replace legacy devices that can’t be configured to use SNMP v3.
• Use logging tools to record commands executed on your network devices, such as TACACS+ and Syslog. Use these logs to immediately highlight suspicious events and keep a record of events to support an investigation if the device’s integrity is ever in question. See NCSC guidance on monitoring and logging.
• If you suspect your router has been compromised:
  • Follow Cisco’s advice for verifying the Cisco IOS image.
  • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
  • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.
• NSA’s Network Infrastructure guide provides some best practices for SNMP.
• See also the Cisco IOS hardening guide and Cisco’s Jaguar Tooth blog.

This product is provided subject to this Notification and this Privacy & Use policy.

This post was originally published on this site

SUMMARY

From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]

Actions to take today to mitigate malicious cyber activity:

• Implement a patch management solution to ensure compliance with the latest security patches.
• Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
• Limit service accounts to the minimum permissions necessary to run services.

CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

For a downloadable copy of IOCs, see

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.

Overview

CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.

In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[2] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.

Threat Actor Activity

CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].

When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:WindowsTemp directory. The malicious files were then executed from the C:WindowsTemp directory via the w3wp.exe process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.

CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[3] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).

The names of some of the PNG files were misleading. For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique. This file naming convention is a primary IOC used by the threat actors.

In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:WindowsTemp directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process. CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.

Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.

Threat Actor 1

CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process. In this instance, TA1 was able to upload malicious DLL files to the C:WindowsTemp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.

At least nine DLL files used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005]. All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12. The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that:

• Some of the analyzed samples can load additional libraries; enumerate the system, processes, files, directories [T1083]; and write files.
• Other analyzed samples can delete DLL files ending with the .dll extension in the C:WindowsTemp directory on the server. TA1 may use this capability to hide additional malicious activity on the network.

CISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:

Table 1: Observed TA1 IPs and Timestamps

IP Address	First Identified	Last Identified
137.184.130[.]162	09/26/2022	10/08/2022
45.77.212[.]12	10/07/2022	11/25/2022
104.225.129[.]102	10/10/2022	11/16/2022
149.28.85[.]24	10/12/2022	10/17/2022
185.186.245[.]72	10/18/2022	10/18/2022
193.8.172[.]113	09/25/2022	09/25/2022
193.8.172[.]13	09/25/2022	10/17/2022
216.120.201[.]12	10/13/2022	11/10/2022
5.34.178[.]246	09/25/2022	09/25/2022
79.133.124[.]242	09/25/2022	09/25/2022
92.38.169[.]193	09/27/2022	10/08/2022
92.38.176[.]109	09/12/2022	09/25/2022
92.38.176[.]130	09/25/2022	10/07/2022

Threat Actor 2

TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[4]

As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:WindowsTemp directory that TA2 executed via the w3wp.exe process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 2. Note: At the time of analysis, the domains resolved to the listed IP addresses.

Table 2: TA2 IPs and Resolving Domains

IP Address	Resolving Domains
184.168.104[.]171	xework[.]com xegroups[.]com hivnd[.]com
144.96.103[.]245	xework[.]com

Analysis of DLL files determined the files listed in Table 3 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.

Table 3: Identified Malicious Files

Filename	Description
XEReverseShell.exe	DLL files (masqueraded as PNG files) located in the C:WindowsTemp directory contain a base64 encoded file with the internal name XEReverseShell.exe, which was dropped into the same directory as sortcombat.exe. When executed, the reverse shell utility attempts to connect to xework[.]com or xegroups[.]com to obtain the IP address of the C2 server and port number for unencrypted communication. Note: It is likely the threat actors changed the file extension from .dll to .png to avoid detection.
Multi-OS_ReverseShell.exe	Reverse shell utility decoded from the base64 encoded file xesmartshell.tmp. When executed, it will attempt to connect to xegroups[.]com or xework[.]com to obtain the IP address of the C2 server and port number for unencrypted communication.
SortVistaCompat	Base64 encoded payload dropped from Multi-OS_ReverseShell.exe. This file receives the C2 IP and port from xework[.]com.

 When the TA2 malware is executed a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com.

• If no port or IP address is found, the program will exit.
• If a port and IP address are found, the program will establish a listener and wait for further commands.

If communication is established between the TA2 malware and the C2:

• The malware will identify the operating system (Windows or Linux) and create the appropriate shell (cmd or bash), sending system information back to the C2.
• The C2 server may send the command xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:WindowsTemp directory.
• The C2 server may send the command xequit, causing the malware to sleep for a period of time determined by the threat actors.

The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.

For more information on the DLLs, binaries, and webshell, see CISA MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 4 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.

Table 4: Identified ATT&CK Techniques for Enterprise

Reconnaissance
Technique Title	ID	Use
Active Scanning: Vulnerability Scanning	T1595.002	Actors were observed conducting active scanning activity for vulnerable devices and specific ports.
Initial Access
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	Actors exploited a known vulnerability in the Microsoft IIS server.
Persistence
Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	TA2’s malware dropped an ASPX webshell to enumerate drives; send, receive, and delete files; and execute commands.
Defense Evasion
Technique Title	ID	Use
Masquerading: Match Legitimate Name or Location	T1036.005	Actors leveraged the legitimate w3wp.exe process on the IIS server to write malicious DLL files and evade detection.
Process Injection: DLL Injection	T1055.001	Actors loaded newly created DLLs into a running w3wp.exe process.
Indicator Removal: File Deletion	T1070.004	TA1’s malware deleted files with “.dll” from the C:WindowsTemp directory, which may indicate hidden malicious activity on the network.
Indicator Removal: Timestomp	T1070.006	Actors modified file time attributes to insert misleading creation dates.
Decode Files	T1140	The base64 encoded text file small.txt decoded as the webshell small.aspx.
Discovery
Technique Title	ID	Use
File and Directory Discovery	T1083	Actors enumerated the IIS server via OS fingerprinting, executed Windows processes, and collected network information. TA1’s malware enumerates systems, processes, files, and directories.
System Network Configuration Discovery	T1016	TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server.
Command and Control
Technique Title	ID	Use
Ingress Tool Transfer	T1105	TA1 and TA2 uploaded malicious DLL files (some masqueraded as PNG files) to the C:WindowsTemp directory.
Non-Application Layer Protocol	T1095	Actors used a non-application layer protocol (TCP) for w3wp.exe process exploitation, C2, and enumeration on the IIS server.

DETECTION METHODS

CISA and authoring organizations recommend that organizations review the steps listed in this section and Table 4: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.

Yara Rule

CISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[5] Note: Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.

rule CISA_10424018_01 {
meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10424018"
        Date = "2023-02-07"
        Last_Modified = "20230216_1500"
        Actor = "n/a"
        Family = "n/a"
        Capabilities = "n/a"
        Malware_Type = "n/a"
        Tool_Type = "n/a"
        Description = "Detects open-source exploit samples"
        SHA256 = "n/a"
    strings:
        $s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C }
        $s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B }
        $s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 }
        $s3 = { 54 65 6C 65 72 69 6B 20 55 49 }
        $s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C }
        $s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 }
        $s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 }
        $s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 }
$s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 }
        $s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 }
        $s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 }
$s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B }
$s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 }
        $s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 }
    condition:
($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13)
}

Log Collection, Retention, and Analysis

CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.

• Centralized log collection and monitoring allows for the discovery of webshell and other exploit activity. For example, organizations should monitor for external connections made from the IIS server to unknown external IP addresses. Logging may also be available—if enabled at the router or firewall—for any outbound connections initiated with PowerShell.
• Access- and security-focused firewall (e.g., Web Application Firewall [WAF]) logs can be collected and stored for use in both detection and forensic analysis activities. Organizations should use a WAF to guard against publicly known web application vulnerabilities, in addition to guarding against common web application attacks.

Creation of Malicious DLLs

CISA, FBI, and MS-ISAC recommend that organizations use process monitoring—which provides visibility into file system and application process activity—to detect suspicious executable files running from the C:WindowsTemp directory. Process monitoring via Windows Event Code 4688 will detect the legitimate w3wp.exe process running suspicious DLL files and other anomalous child processes. Note: Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.

Forensic analysis commonly identified the threat actors taking the following steps:

1. Create one of the DLL files (C:WindowsTemp1665890187.8690152.dll) by process w3wp.exe PID 6484.
2. Load the newly created DLL into a currently running IIS process, w3wp.exe PID 6484. 
3. Make a TCP connection using w3wp.exe PID 6484 to 45.77.212[.]12 over port 443.
4. Invoke C:WindowsSystem32vcruntime140.dll (Windows C runtime library) to execute payload.

Steps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. Note: The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address 45.77.212[.]12 correlates to TA1, but the pattern can be used as general practice to identify similar activity.

Additional Searching for IIS Servers

The following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.

File Type: DLL

Location: – %SystemDrive%WindowsTemp

When this CVE is exploited, it uploads malicious DLL files to the C:WindowsTemp directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server.

The time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). Example: 1667206973.2270932.dll

Nearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. Example Regex: d{10}.d{1,8}.dll

These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.

Log Type: IIS

Location: – %SystemDrive%inetpublogsLogFiles

When investigating IIS logs, specific fields were searched for and captured during the time of each connection.

If the Unix Epoch time signature has been translated from a DLL filename, specific logs can be searched based on that time. However, if the Unix Epoch time signature has not been translated, the following will still work, but may take longer for the query to run.

The four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[6]

Table 5: Four Fields Searched in IIS Logs

General Name	Field Name	Description
Method	cs-method	Requested action; for example, a GET method
URI Stem	cs-uri-stem	Universal Resource Identifier (URI), or target, of the action
URI Query	cs-uri-query	The query, if any, that the client was trying to perform; A URI query is necessary only for dynamic pages.
Protocol Status	sc-status	Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code

Note: Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries.

When ingesting logs into security information and event management (SIEM), the final field names did not use a hyphen (-) but used an underscore (_).

Example: cs_method instead of cs-method

Artifacts:

Table 6: Information Contained in Two Observed IIS Events

Field Name	Artifact
cs-method	POST
>cs-uri-stem	/Telerik.Web.UI.WebResource.axd
cs-uri-query	type=rau
sc-status	200 and 302

When reviewing logs, two IIS events were observed with the same timestamp each time this CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query. One event had a sc-status of 200 and the other had a sc-status of 302.

Log Type: Windows Event Application Logs

Location: -%SystemDrive%WindowsSystem32winevtlogsApplication.evtx

Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. Note: The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.

Table 7: Example Payload Data

EventID

Payload

1309

3005, An unhandled exception has occurred[*redacted*]w3wp.exe[*redacted*]InvalidCastException, Unable to cast object of type ‘System.Configuration.Install.AssemblyInstaller’ to type ‘Telerik.Web.UI.IAsyncUploadConfiguration’.n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)nn, [*redacted*]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)n”,”Binary”:””}}

Authoring organizations recommend looking for the following key strings in the payload:

• w3wp.exe: This is the parent process that executes the code inside the malicious DLLs.
• System.Configuration.Install.AssemblyInstaller: Figure 1 is from the creator’s GitHub repo,[7] where the string can be observed in the code. As presented by Bishop Fox and proven during authoring organizations’ investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]

If a Werfault crash report was written, Windows event application logs may contain evidence of this— even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.

Table 8: Example Threat Actor Cleanup

EventID	ExecutableInfo	MapDescription	Payload
1000	w3wp.exe |1664175639.65719.dll |c:windowssystem32inetsrvw3wp.exe |C:WindowsTemp1664175639.65719.dll	Application Error	{“EventData”:{“Data”:”w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:windowssystem32inetsrvw3wp.exe, C:WindowsTemp1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7″,”Binary”:””}}
1001	w3wp.exe |1664175639.65719.dll |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe	Application Crash	{“EventData”:{“Data”:”0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, nC:WindowsTempWERE3F6.tmp.appcompat.txtnC:WindowsTempWERE639.tmp.WERInternalMetadata.xmlnC:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656memory.hdmpnC:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656triagedump.dmp, C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4″,”Binary”:””}}

The EventID field maps to Windows EventIDs for an easy filter. Users can leverage the Windows EventIDs to find malicious DLL with the Unix Epoch time-based name inside the C:WindowsTemp directory.

Depending how log analysis is performed, various filters can be determined. However, if regex is available, the example listed in Table 8 above can be reused to match the Unix Epoch timestamp convention to assist in filtering.

Additional Analysis

When evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur as the malicious files could do nearly anything. Leveraging Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:

1. Convert any discovered malicious DLL timestamps to readable format.
2. Export the Windows security event and PowerShell logs from the device.
   • Default path: %SystemDrive%WindowsSystem32winevtlogsWindows PowerShell
   • Default path: %SystemDrive%WindowsSystem32winevtlogsSecurity.evtx
3. Filter based on identified timestamps.
4. Search for new processes created via w3wp.exe in Windows security event logs (e.g., Windows EventID 4688 New Process created).
5. Search for new PIDs from identified events. Investigate to determine if they spawned any other processes.
   • Example: CMD.EXE launching PowerShell or running other commands such as nslookup or netstat. Note: This is not an exhaustive list.
6. Search for EventID 600 in PowerShell logs.

Trellix XDR Platform Searching

If Trellix XDR Platform is deployed in an environment and a standard HX triage audit is completed in a timely manner of the suspected use of CVE-2019-18935, an organization can search for file write events from known web processes. This will identify the executables written by the web server process. CISA and authoring organizations specifically recommend searching for the following field value pair:

Table 9: Field Value Pair for Searching

Field	Value Begins With
TextAtLowestOffset	MZ

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Manage Vulnerabilities and Configurations

• Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing. Keep all software up to date and prioritize patching to known exploited vulnerabilities (KEVs). [CPG 5.1]
• Prioritize remediation of vulnerabilities on internet-facing systems. For additional guidance, see CISA Insights – Remediate Vulnerabilities for Internet-Accessible Systems. [CPG 5.1]
• Implement a patch management solution to ensure compliance with the latest security patches. A patch management solution that inventories all software running in addition to vulnerability scanning is recommended.
• Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations. For example, as noted in the Technical Details section, the victim organization had the appropriate plugin for CVE-2019-18935, but the vulnerability went undetected due to the Telerik UI software being installed in a file path not typically scanned. To identify unpatched instances of software vulnerabilities, organizations using vulnerability scanners should be aware that all installations may not be considered “typical” and may require full file scans of web applications.
  • Note: Vulnerability scanners may have limitations in detecting vulnerabilities, such as only being able to identify Windows Installer-installed applications, which was the case with this agency’s vulnerability scanner. The Telerik UI software was installed via a continuous integration (CI) and continuous delivery (CD) pipeline rather than the Windows Installer. This highlights the importance of using a comprehensive approach for vulnerability scanning that considers all potential installation methods and file paths.
• Validate output from patch management and vulnerability scanning solutions against running services to check for discrepancies and account for all services.

 Segment Networks Based on Function

• Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s Segment Networks and Deploy Application-Aware Defenses.) [CPG 8.1]
• Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt zero trust principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration. Utilize access control lists (ACLs), hardened firewalls, and network monitoring devices to regulate, monitor, and audit cross-segment access and data transfers.

Other Best Practice Mitigation Recommendations

• Implement phishing-resistant multifactor authentication (MFA) for as many services possible—particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.
  • MFA can still be leveraged for secure access using a jump server—an asset placed between the external and internal networks that serves as an intermediary for access—to facilitate connections if assets do not have the capability to support MFA implementation.
  • For additional guidance on secure MFA configurations, visit cisa.gov/mfa. [CPG 1.3]
• Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell. Collect access and security focused logs (IDS/IDPS, firewall, DLP, VPN) and ensure logs are securely stored for a specified duration informed by risk or pertinent regulatory guidance. [CPG 3.1, 3.2]
  • Evaluate user permissions and maintain separate user accounts for all actions and activities not associated with the administrator role, e.g., for business email, web browsing, etc. All privileges should be reevaluated on a recurring basis to validate continued need for a given set of permissions. [CPG 1.5]
• Limit service accounts to the minimum permissions necessary to run services. CISA observed numerous error messages in network logs indicative of failed attempts to write files to additional directories or move laterally.
• Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
  • Determine the need and functionality of assets that require public internet exposure. [CPG 2.3]

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 4).
2. Align your security technologies against the selected technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program—including people, processes, and technologies—based on the data generated by this process.

CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

UNIX Timestamp Converter

REFERENCES

[1] Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)
[2] ACSC Advisory 2020-004
[3] Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI
[4] Volexity Threat Research: XE Group
[5] GitHub: Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935

ACKNOWLEDGEMENTS

Google’s Threat Analysis Group (TAG) contributed to this CSA.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.

This post was originally published on this site

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

Actions to take today to mitigate cyber threats from ransomware:

• Prioritize remediating known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.

Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.

Initial Access

Royal actors gain initial access to victim networks in a number of ways including: 

• Phishing. According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails [T1566].
  • According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising [T1566.002].[2]
• Remote Desktop Protocol (RDP). The second most common vector Royal actors use (in 13.3% of incidents) for initial access is RDP compromise.  
• Public-facing applications. FBI has also observed Royal actors gain initial access through exploiting public-facing applications [T1190]. 
• Brokers. Reports from trusted third-party sources indicate that Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs. 

Command and Control

Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.

Lateral Movement and Persistence

Royal actors often use RDP to move laterally across the network [T1021.001]. Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].

Exfiltration

Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.

Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.

Encryption

Before starting the encryption process, Royal actors: 

• Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486].[1] 
• Use Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery.[1]  

FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].

Malicious files have been found in victim networks in the following directories:

• C:Temp  
• C:UsersAppDataRoaming  
• C:Users 
• C:ProgramData

Indicators of Compromise (IOC)

See table 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.

Table 1: Royal Ransomware Associated Files, Hashes, and IP addresses as of January 2023

IOC	Description
.royal	Encrypted file extension
README.TXT	Ransom note
Malicious IP	Last Activity
102.157.44[.]105	November 2022
105.158.118[.]241	November 2022
105.69.155[.]85	November 2022
113.169.187[.]159	November 2022
134.35.9[.]209	November 2022
139.195.43[.]166	November 2022
139.60.161[.]213	November 2022
148.213.109[.]165	November 2022
163.182.177[.]80	November 2022
181.141.3[.]126	November 2022
181.164.194[.]228	November 2022
185.143.223[.]69	November 2022
186.64.67[.]6	November 2022
186.86.212[.]138	November 2022
190.193.180[.]228	November 2022
196.70.77[.]11	November 2022
197.11.134[.]255	November 2022
197.158.89[.]85	November 2022
197.204.247[.]7	November 2022
197.207.181[.]147	November 2022
197.207.218[.]27	November 2022
197.94.67[.]207	November 2022
23.111.114[.]52	November 2022
41.100.55[.]97	November 2022
41.107.77[.]67	November 2022
41.109.11[.]80	November 2022
41.251.121[.]35	November 2022
41.97.65[.]51	November 2022
42.189.12[.]36	November 2022
45.227.251[.]167	November 2022
5.44.42[.]20	November 2022
61.166.221[.]46	November 2022
68.83.169[.]91	November 2022
81.184.181[.]215	November 2022
82.12.196[.]197	November 2022
98.143.70[.]147	November 2022
140.82.48[.]158	December 2022
147.135.36[.]162	December 2022
147.135.11[.]223	December 2022
152.89.247[.]50	December 2022
172.64.80[.]1	December 2022
179.43.167[.]10	December 2022
185.7.214[.]218	December 2022
193.149.176[.]157	December 2022
193.235.146[.]104	December 2022
209.141.36[.]116	December 2022
45.61.136[.]47	December 2022
45.8.158[.]104	December 2022
5.181.234[.]58	December 2022
5.188.86[.]195	December 2022
77.73.133[.]84	December 2022
89.108.65[.]136	December 2022
94.232.41[.]105	December 2022
47.87.229[.]39	January 2023
Malicious Domain	Last Observed
ciborkumari[.]xyz	October 2022
sombrat[.]com	October 2022
gororama[.]com	November 2022
softeruplive[.]com	November 2022
altocloudzone[.]live	December 2022
ciborkumari[.]xyz	December 2022
myappearinc[.]com	December 2022
parkerpublic[.]com	December 2022
pastebin.mozilla[.]org/Z54Vudf9/raw	December 2022
tumbleproperty[.]com	December 2022
myappearinc[.]com/acquire/draft/c7lh0s5jv	January 2023

Table 2: Tools used by Royal operators

Tool	SHA256
AV tamper	8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
TCP/UDP Tunnel over HTTP (Chisel)	8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Ursnif/Gozi	be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
Exfil	B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20
Remote Access (AnyDesk)	4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7
PowerShell Toolkit Downloader	4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
PsExec (Microsoft Sysinternals)	08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
Keep Host Unlocked (Don’t Sleep)	f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
Ransomware Executable	d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
Windows Command Line (NirCmd)	216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5
System Management (NSudo)	19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618
Batch Scripts
Filename	Hash Value
2.bat	585b05b290d241a249af93b1896a9474128da969
3.bat	41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d
4.bat	a84ed0f3c46b01d66510ccc9b1fc1e07af005c60
8.bat	c96154690f60a8e1f2271242e458029014ffe30a
kl.bat	65dc04f3f75deb3b287cca3138d9d0ec36b8bea0
gp.bat	82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58
r.bat	74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c
runanddelete.bat	342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE

MITRE ATT&CK TECHNIQUES

See table 3 for all referenced threat actor tactics and techniques included in this advisory.

Table 3: Royal Actors ATT&CK Techniques for Enterprise

Initial Access
Technique Title	ID	Use
Exploit Public Facing Application	T1190	The actors gain initial access through public-facing applications.
Phishing: Spear phishing Attachment	T1566.001	The actors gain initial access through malicious PDF attachments sent via email.
Phishing: Spearphishing Link	T1566.002	The actors gain initial access using malvertising links via emails and public-facing sites.
External Remote Services	T1133	The actors gain initial access through a variety of RMM software.
Command and Control
Technique Title	ID	Use
Ingress Tool Transfer	T1105	The actors used C2 infrastructure to download multiple tools.
Protocol Tunneling	T1572	The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.
Privilege Escalation
Technique Title	ID	Use
Valid Accounts: Domain Accounts	T1078.002	The actors used encrypted files to create new admin user accounts.
Defense Evasion
Technique Title	ID	Use
Impair Defenses: Disable or Modify Tools	T1562.001	The actors deactivated antivirus protocols.
Domain Policy Modification: Group Policy Modification	T1484.001	The actors modified Group Policy Objects to subvert antivirus protocols.
Indicator Removal: Clear Windows Event Logs	T1070.001	The actors deleted shadow files and system and security logs after exfiltration.
Remote Desktop Protocol	T1021.001	The actors used valid accounts to move laterally through the domain controller using RDP.
Automated Collection	T1119	The actors used registry keys to auto-extract and collect files.
Impact
Technique Title	ID	Use
Data Encrypted for Impact	T1486	The actors encrypted data to determine which files were being used or blocked by other applications.

MITIGATIONS

FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
  • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4].
  • Store passwords in hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords.
  • Implement multiple failed login attempt account lockouts [CPG 1.1].
  • Disable password hints.
  • Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password patterns cyber criminals can easily decipher. 
  • Require administrator credentials to install software.
• Require multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. 
• Segment networks [CPG 8.1]. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. 
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. 
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
• Disable unused ports.
• Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. 
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. 
• Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data. 
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].

RESOURCES

• Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
• Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
• No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.

FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.

REFERENCES

[1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
[2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads – Microsoft Security Blog
[3] 2023-01: ACSC Ransomware Profile – Royal | Cyber.gov.au

ACKNOWLEDGEMENTS

Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.

This post was originally published on this site

Original release date: February 8, 2023

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. 

CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to: 

• Update servers to the latest version of VMware ESXi software, 
• Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and 
• Ensure the ESXi hypervisor is not exposed to the public internet. 

If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.  

Download the PDF version of this report: pdf, 712 kb.

Note: CISA and FBI will update this CSA as more information becomes available.

Technical Details

Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1] 

ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.

Recovery Guidance

CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report. 

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2] 

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.

1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.

2. Download CISA’s recovery script and save it as /tmp/recover.sh.
For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh.

3. Give the script execute permissions: chmod +x /tmp/recover.sh

4. Navigate to the folder of a VM you would like to recover and run ls to view the files.
Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.

5. View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).

6. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously. 

a. If the VM is a thin format, run /tmp/recover.sh [name] thin.

b. If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.

7. If the script succeeded, re-register the VM.

a. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)

• Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html.
• Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html.
• Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.

b.    In the ESXi web interface, navigate to the Virtual Machines page.

• If the VM you restored already exists, right click on the VM and select Unregister (see figure 1).

• Select Create / Register VM (see figure 2).
• Select Register an existing virtual machine (see figure 2).

• Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).

• Select Next and Finish. You should now be able to use the VM as normal.

8.    Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online. 

Additional Incident Response

The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:

1. Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
2. Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.

If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.  

Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]

Mitigations

Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

CISA and FBI recommend all organizations: 

• Temporarily remove connectivity for the associated ESXi server(s).
  • Upgrade your ESXi servers to the latest version of VMware ESXi software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are documented in VMware’s article, Build numbers and versions of VMware ESXi/ESX.
  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, which ESXiArgs may leverage. For more information on executing workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on VMware ESXi. 
  • Ensure your ESXi hypervisor is not configured to be exposed to the public internet.

In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

• Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
• Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

 Mitigating and Preventing Ransomware

• Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
• Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
• Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
• Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.
• Open document readers in protected viewing modes to help prevent active content from running.
• Implement user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
• Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the NIST’s Special Publication 800-63B: Digital Identity Guidelines for more information.
• Require administrator credentials to install software [CPG 1.5].
• Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind [CPG 1.5].
• Install and regularly update antivirus and antimalware software on all hosts.
• Consider adding an email banner to messages coming from outside your organizations.
• Disable hyperlinks in received emails.
• Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. 

Responding to Ransomware Incidents

If a ransomware incident occurs at your organization:

• Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
• Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
• Follow the notification requirements as outlined in your cyber incident response plan.
• Report incidents to CISA at cisa.gov/report, FBI at a local FBI Field Office, or the U.S. Secret Service (USSS) at a USSS Field Office.
• Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

Resources 

See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.

Acknowledgements

CISA and FBI would like to thank VMware for their contributions to this CSA.

References

• VMware Security Response Center (vSRC) Response to ‘ESXiArgs’ Ransomware Attacks – VMware Security Blog
• Enes Sonmez and Ahmet Aykac, YoreGroup Tech Team: decrypt your crypted files in ESXi servers affected by CVE-2020-3992 / CryptoLocker attack

Revisions

• February, 2023: Initial Version

---