RSS Alerts from National Cyber Awareness System
Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture.
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Implement multi-factor authentication.
• Use antivirus software.
• Develop internal contact lists and surge support.
Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.
CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.
CISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: Preparing for and Mitigating Cyber Threats for information on reducing cyber threats to their organization.
Click here for a PDF version of this report.
Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:
Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.
In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:
Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:
For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or cisa.gov/Russia.
Table 1 provides common, publicly known TTPs employed by Russian state-sponsored APT actors, which map to the MITRE ATT&CK for Enterprise framework, version 10. Note: these lists are not intended to be all inclusive. Russian state-sponsored actors have modified their TTPs before based on public reporting.[1] Therefore, CISA, the FBI, and NSA anticipate the Russian state-sponsored actors may modify their TTPs as they deem necessary to reduce their risk of detection.
Table 1: Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors
Tactic | Technique | Procedure |
---|---|---|
Reconnaissance [TA0043] |
Active Scanning: Vulnerability Scanning [T1595.002] |
|
Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. |
||
Phishing for Information [T1598] |
Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. |
|
Resource Development [TA0042] |
Develop Capabilities: Malware [T1587.001] |
Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. |
Initial Access [TA0001] |
Exploit Public Facing Applications [T1190] |
Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. |
Supply Chain Compromise: Compromise Software Supply Chain [T1195.002] |
Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. |
|
Execution [TA0002] |
Command and Scripting Interpreter: PowerShell [T1059.003] and Windows Command Shell [T1059.003] |
Russian state-sponsored APT actors have used |
Persistence [TA0003] |
Valid Accounts [T1078] |
Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. |
Credential Access [TA0006] |
Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003] |
Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. |
OS Credential Dumping: NTDS [T1003.003] |
Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database |
|
Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003] |
Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. |
|
Credentials from Password Stores [T1555] |
Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. |
|
Exploitation for Credential Access [T1212] |
Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers. |
|
Unsecured Credentials: Private Keys [T1552.004] |
Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. |
|
Command and Control [TA0011] |
Proxy: Multi-hop Proxy [T1090.003] |
Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic. |
For additional enterprise TTPs used by Russian state-sponsored APT actors, see the ATT&CK for Enterprise pages on APT29, APT28, and the Sandworm Team, respectively. For information on ICS TTPs see the ATT&CK for ICS pages on the Sandworm Team, BlackEnergy 3 malware, CrashOveride malware, BlackEnergy’s KillDisk component, and NotPetya malware.
Given Russian state-sponsored APT actors demonstrated capability to maintain persistent, long-term access in compromised enterprise and cloud environments, CISA, the FBI, and NSA encourage all critical infrastructure organizations to:
ntds.dit
file from a domain controller. Organizations detecting potential APT activity in their IT or OT networks should:
Note: for OT assets, organizations should have a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment. Refer to the Mitigations section for more information.
See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA, the FBI, and NSA encourage critical infrastructure owners and operators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response.
Note: organizations should document incident response procedures in a cyber incident response plan, which organizations should create and exercise (as noted in the Mitigations section).
CISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase their cyber resilience against this threat.
CISA, the FBI, and NSA recommend organizations apply the best practices below for identity and access management, protective controls and architecture, and vulnerability and configuration management.
Note: CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks.
If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to rewardsforjustice.net/malicious_cyber_activity.
The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or NSA.
This product is provided subject to this Notification and this Privacy & Use policy.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.
CISA, in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), previously published guidance on Log4Shell for vendors and affected organizations in which CISA recommended that affected organizations immediately apply appropriate patches (or apply workarounds if unable to upgrade), conduct a security review, and report compromises to CISA or the FBI. CISA also issued an Emergency Directive directing U.S. federal civilian executive branch (FCEB) agencies to immediately mitigate Log4j vulnerabilities in solution stacks that accept data from the internet. This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities.
These steps include:
This CSA also provides guidance for affected organizations with operational technology (OT)/industrial control systems (ICS) assets.
Log4j is a Java-based logging library used in a variety of consumer and enterprise services, websites, applications, and OT products. These vulnerabilities, especially Log4Shell, are severe—Apache has rated Log4Shell and CVE-2021-45046 as critical and CVE-2021-45105 as high on the Common Vulnerability Scoring System (CVSS). These vulnerabilities are likely to be exploited over an extended period. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK strongly urge all organizations to apply the recommendations in the Mitigations section.
CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK encourage leaders of organizations to review NCSC-UK’s blog post, Log4j vulnerability: what should boards be asking?, for information on Log4Shell’s possible impact on their organization as well as response recommendations.
Note: this is an evolving situation, and new vulnerabilities are being discovered. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK will update this CSA as we learn more about this exploitation and have further guidance to impart.
Click here for a PDF version of this report.
The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, or NCSC-UK.
Log4Shell, disclosed on December 10, 2021, is a remote code execution (RCE) vulnerability affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1. The vulnerability exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. Affected versions of Log4j contain JNDI features—such as message lookup substitution—that do not protect against adversary-controlled Lightweight Directory Access Protocol (LDAP), Domain Name System (DNS), and other JNDI-related endpoints.
An adversary can exploit Log4Shell by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.
CVE-2021-45046, disclosed on December 13, 2021, enables a remote attacker to cause RCE, a denial-of-service (DoS) condition, or other effects in certain non-default configurations. This vulnerability affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. In response, Apache released Log4j version 2.16.0 (Java 8).
CVE-2021-45105, disclosed on December 16, 2021, enables a remote attacker to cause a DoS condition or other effects in certain non-default configurations. According to Apache, when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}
), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError
that will terminate the process. In response, Apache released Log4j version 2.17.0 (Java 8).
Log4Shell and CVE-2021-45046—rated as critical vulnerabilities by Apache—are severe because Java is used extensively across IT and OT platforms, they are easy to exploit, and applying mitigations is resource intensive. Log4Shell is especially critical because it allows malicious actors to remotely run code on vulnerable networks and take full control of systems.
According to public reporting, exploitation of Log4Shell began on or around December 1, 2021, and a proof-of-concept exploit is publicly available for this vulnerability. The FBI has observed attempted exploitation and widespread scanning of the Log4j vulnerability to gain access to networks to deploy cryptomining and botnet malware. The FBI assesses this vulnerability may be exploited by sophisticated cyber threat actors and incorporated into existing cyber criminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques. According to public reporting, CVE-2021-45046 is being actively exploited as well.
CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK assess that exploitation of these vulnerabilities, especially Log4Shell, is likely to increase and continue over an extended period. Given the severity of the vulnerabilities and likely increased exploitation, CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK strongly urge all organizations to apply the recommendations in the Mitigations section to identify, mitigate, and update affected assets.
For more information on these vulnerabilities, see the Apache Log4j Security Vulnerabilities webpage.
CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK encourage vendors to:
CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK recommend that affected organizations take the following steps to patch these vulnerabilities in their IT and cloud assets and initiate threat hunting to detect possible compromise. Organizations with OT/ICS environments should review the Organizations with OT/ICS Assets section for additional guidance. Note: this guidance includes resources that may or may not be possible for all organizations. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK recommend that organizations apply the mitigations listed in this advisory to the extent allowed by their environments.
1. Identify vulnerable assets in your environment.
Knowing where Log4j and other affected products exist in your environment is key for protecting your networks.
Additional resources for detecting vulnerable instances of Log4j are identified below. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK will update the sources for detection rules as we obtain them. Note: due to the urgency to share this information, CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK have not yet validated this content.
2. Mitigate known and suspected vulnerable assets in your environment.
A. Treat known and suspected vulnerable assets as compromised. These assets should be isolated until they are mitigated and verified (step 2.D). The method of isolation that you should use depends on the criticality of the asset. Possible isolation methods include:
B. Patch Log4j and other affected products to the latest version.
Note: if your organization is unable to immediately identify and patch vulnerable instances of Log4j, apply appropriate workarounds. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK recommend using vendor-provided mitigations when available. Due to the rapidly evolving situation, these workarounds should not be considered permanent fixes and organizations should apply the appropriate patch as soon as it is made available. Additional mitigations are identified below; however, organizations should use these mitigations at their own risk as they may be incomplete, temporary, or cause harmful effects, such as application instability, a DoS condition, or log evasion.
Jndilookup.class
from the class path. [1]Jndilookup.class
. Note: removal of the JndiManager
will cause the JndiContextSelector
and JMSAppender
to no longer function). [2]C. Keep an inventory of known and suspected vulnerable assets and what is done with them throughout this process. It is important to track patching because malicious cyber actors may compromise an asset and then patch it to protect their operations. Organizations should keep a meticulous record of vulnerable assets they have patched to identify whether a threat actor may have patched an asset.
D. Verify the mitigation has worked, if possible.
3. Initiate hunt and incident response procedures. Given the widespread exploitation of this vulnerability, CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK encourage all organizations to assume their assets that use Log4j may have been compromised and initiate hunt procedures.
A. Hunt for signs of exploitation and compromise.
Additional resources to detect possible exploitation or compromise are identified below. Note: due to the urgency to share this information, CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK have not yet validated this content.
B. If compromise is detected, organizations should:
4. Evaluate and apply other mitigations.
A. Remain alert to changes from vendors for the software on the asset, and immediately apply updates to assets when notified by a vendor that their product has a patch for this vulnerability. Additionally, see CISA's GitHub repository for known affected products and patch information. CISA will continually update the repository as vendors release patches.
B. Continue to monitor Log4J assets closely. Continually use signatures and indicators of compromise that may indicate exploitation.
C. Continue to monitor the Apache Log4j Security Vulnerabilities webpage for new updates. Note: as this is an evolving situation and new vulnerabilities in Log4J are being discovered, organizations should ensure their Apache Log4j is up to date. Identify the software your enterprise uses and stay on top of updates as these may be superseded by other updates and fixes.
D. Block specific outbound Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) network traffic.
Note: blocking attacker internet IP addresses during this event is difficult due to the high volume of scanning from non-malicious researchers and vendors. The false positives on IP addresses are high. Organizations should focus on looking for signs of successful exploitation and not scans.
Affected Organizations with OT/ICS Assets
Due to the pervasiveness of the Apache Log4j software library—and the integration of the library in operational products—CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK strongly recommend that OT asset owners and operators review their operational architecture and enumerate the vulnerability status against current product alerts and advisories. If a product does not have a security advisory specifically addressing the status of the vulnerability, treat it with additional protections. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK urge patching or deployment of mitigations to reduce the risk of the threat of these vulnerabilities.
Note: CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK recommend prioritizing patching IT devices, especially those with internet connectivity. Affected internet-facing devices as well as laptops, desktops, and tablets are especially susceptible to exploitation of these vulnerabilities. OT/ICS devices—if segmented appropriately from the IT environment—do not face the internet and, as such, have a smaller attack surface to this vulnerability. Exploitation of IT devices may affect OT/ICS devices if there is insufficient network segmentation that prevents lateral movement.
CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK recommend that OT/ICS asset owner/operators take the following guidance into consideration:
When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK also remind organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and consider reporting compromises immediately.
For more information, resources, and general guidance, including resources and mitigation guidance from industry members of JCDC, see CISA’s webpage Apache Log4j Vulnerability Guidance. Note: due to the prominent and ever evolving nature of this vulnerability, there are multiple unverified published guidance documents that are geared towards Log4j vulnerabilities. CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, and NCSC-UK encourage all organizations to verify information with trusted sources, such CISA, the FBI, NSA, ACSC, CCCS, CERT NZ, NZ NCSC, NCSC-UK vendors.
This product is provided subject to this Notification and this Privacy & Use policy.
This joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus—IT help desk software with asset management.
CVE-2021-44077, which Zoho rated critical, is an unauthenticated remote code execution (RCE) vulnerability affecting all ServiceDesk Plus versions up to, and including, version 11305. This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
The Zoho update that patched this vulnerability was released on September 16, 2021, along with a security advisory. Additionally, an email advisory was sent to all ServiceDesk Plus customers with additional information. Zoho released a subsequent security advisory on November 22, 2021, and advised customers to patch immediately.
The FBI and CISA are aware of reports of malicious cyber actors likely using exploits against CVE-2021-44077 to gain access [T1190] to ManageEngine ServiceDesk Plus, as early as late October 2021. The actors have been observed using various tactics, techniques and procedures (TTPs), including:
NTDS.dit
) [T1003.003] or registry hivesThe FBI and CISA are proactively investigating this malicious cyber activity:
Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims, while working to unmask and hold accountable those conducting malicious cyber activities.
Click here for a PDF version of this report.
Click here for indicators of compromise (IOCs) in STIX format.
Compromise of the affected systems involves exploitation of CVE-2021-44077 in ServiceDesk Plus, allowing the attacker to:
C:ManageEngineServicedeskbinmsiexec.exe
, with a SHA256 hash of ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7
. This executable file serves as a dropper and contains an embedded, encoded Godzilla JAR file.C:ManageEngineServiceDesklibtomcattomcat-postgres.jar
with a SHA256 hash of 67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015
.Confirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are known to run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.
APT cyber actors have targeted Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries.
67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015
068D1B3813489E41116867729504C40019FF2B1FE32AAB4716D429780E666324
759bd8bd7a71a903a26ac8d5914e5b0093b96de61bf5085592be6cc96880e088
262cf67af22d37b5af2dc71d07a00ef02dc74f71380c72875ae1b29a3a5aa23d
a44a5e8e65266611d5845d88b43c9e4a9d84fe074fd18f48b50fb837fa6e429d
ce310ab611895db1767877bd1f635ee3c4350d6e17ea28f8d100313f62b87382
75574959bbdad4b4ac7b16906cd8f1fd855d2a7df8e63905ab18540e2d6f1600
5475aec3b9837b514367c89d8362a9d524bfa02e75b85b401025588839a40bcb
ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7
009d23d85c1933715c3edcccb46438690a66eebbcccb690a7b27c9483ad9d0ac
083bdabbb87f01477f9cf61e78d19123b8099d04c93ef7ad4beb19f4a228589a
342e85a97212bb833803e06621170c67f6620f08cc220cf2d8d44dff7f4b1fa3
805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f
3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd
5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755
3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d
342a6d21984559accbc54077db2abf61fd9c3939a4b09705f736231cbc7836ae
7e4038e18b5104683d2a33650d8c02a6a89badf30ca9174576bf0aff08c03e72
3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090
b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665
e391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c
bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da
d0c3d7003b7f5b4a3bd74a41709cfecfabea1f94b47e1162142de76aa7a063c7
7d2780cd9acc516b6817e9a51b8e2889f2dec455295ac6e6d65a6191abadebff
POST requests sent to the following URLs:
/RestAPI/ImportTechnicians?step=1
seed.nkn[.]org
Note: the domain seed.nkn[.]org is a New Kind of Network (NKN) domain that provides legitimate peer to peer networking services utilizing blockchain technology for decentralization. It is possible to have false positive hits in a corporate network environment and it should be considered suspicious to see any software-initiated contacts to this domain or any subdomain.
[<time>]|[<date>]|[com.adventnet.servicedesk.setup.action.ImportTechniciansAction]|[INFO]|[62]: fileName is : msiexec.exe]
C:ManageEngineServiceDeskbinmsiexec.exe
C:ManageEngineServiceDesklibtomcattomcat-postgres.jar
C:WindowsTempScriptModule.dll
C:ManageEngineServiceDeskbinScriptModule.dll
C:Windowssystem32ME_ADAudit.exe
c:Users[username]AppDataRoamingADManagerME_ADManager.exe
%ALLUSERPROFILE%MicrosoftWindowsCachessystem.dat
C:ProgramDataMicrosoftCryptoRSAkey.dat
c:windowstempccc.exe
wmic.exe
)pg_dump.exe
to dump ManageEngine databasesNTDS.dit
and SECURITY/SYSTEM/NTUSER
registry hivesLSASS
(KDC Sponge)WinRAR
, csvde
, and other legitimate third-party tools for reconnaissance and exfiltration
Organizations that identify any activity related to ManageEngine ServiceDesk Plus indicators of compromise within their networks should take action immediately.
Zoho ManageEngine ServiceDesk Plus build 11306, or higher, fixes CVE-2021-44077. ManageEngine initially released a patch for this vulnerability on September 16, 2021. A subsequent security advisory was released on November 22, 2021, and advised customers to patch immediately. Additional information can be found in the Zoho security advisory released on November 22, 2021.
In addition, Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.
FBI and CISA also strongly recommend domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit
file was compromised.
Note: Implementing these password resets should not be taken as a comprehensive mitigation in response to this threat; additional steps may be necessary to regain administrative control of your network. Refer to your specific products mitigation guidance for details.
Immediately report as an incident to CISA or the FBI (refer to Contact information section below) the existence of any of the following:
Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:
This product is provided subject to this Notification and this Privacy & Use policy.
Actions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity
• Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, 2018-13379, 2020-12812, and 2019-5591.
• Implement multi-factor authentication.
• Use strong, unique passwords.
Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.
The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.
This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.
The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.
For a downloadable copy of IOCs, see AA21-321A.stix.
For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran.
Click here for a PDF version of this report.
Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.
elie
to further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.91.214.124[.]143
and 162.55.137[.]20
—which FBI and CISA judge are associated with Iranian government cyber activity—to further enable malicious activity against the hospital’s network. The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70
, which FBI and CISA judge is associated with government of Iran offensive cyber activity.CVE-2021-34473
—to gain initial access to systems in advance of follow-on operations.ACSC considers that this APT group has also used the same Microsoft Exchange vulnerability (CVE-2021-34473) in Australia.
FBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.
The APT actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum.
The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) [T1190].
The Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:
SynchronizeTimeZone
GoogleChangeManagement
MicrosoftOutLookUpdater
MicrosoftOutLookUpdateSchedule
The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:
Support
Help
elie
WADGUtilityAccount
The FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.
The APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information.
The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks.
Note: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
The FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.
IP addresses and executables files are listed below. For a downloadable copy of IOCs, see AA21-321A.stix.
IP Addresses
91.214.124[.]143
162.55.137[.]20
154.16.192[.]70
Executable files observed in this activity are identified in table 1.
Table 1: Executable Files
Filename: | MicrosoftOutLookUpdater[.]exe |
---|---|
MD5: | 1444884faed804667d8c2bfa0d63ab13 |
SHA-1: | 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A |
SHA-256: | c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624 |
SHA-512: | 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF |
Filename: | MicrosoftOutlookUpdater.bat |
MD5: | 1A44368EB5BF68688BA4B4357BDC874F |
SHA-1 | FA36FEBFD5A5CA0B3A1B19005B952683A7188A13 |
SHA-256 | 3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4 |
SHA-512 | 70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2 |
Filename: | MicrosoftOutlookUpdater.xml |
MD5: | AA40C49E309959FA04B7E5AC111BB770 |
SHA-1 | F1D90E10E6E3654654E0A677763C9767C913F8F0 |
SHA-256 | 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6 |
SHA-512 | E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E |
Filename: | GoogleChangeManagement.xml |
MD5: | AF2D86042602CBBDCC7F1E8EFA6423F9 |
SHA-1 | CDCD97F946B78831A9B88B0A5CD785288DC603C1 |
SHA-256 | 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D |
SHA-512 | 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971 |
Filename: | Connector3.exe |
MD5: | e64064f76e59dea46a0768993697ef2f |
Filename: | Audio.exe or frpc.exe |
MD5: | b90f05b5e705e0b0cb47f51b985f84db |
SHA-1 | 5bd0690247dc1e446916800af169270f100d089b |
SHA-256: | 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa |
Vhash: | 017067555d5d15541az28!z |
Authentihash: | ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee |
Imphash: | 93a138801d9601e4c36e6274c8b9d111 |
SSDEEP: | 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U |
Note: |
Identical to “frpc.exe” available at: https://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip |
Filename: | Frps.exe |
MD5: | 26f330dadcdd717ef575aa5bfcdbe76a |
SHA-1 | c4160aa55d092cf916a98f3b3ee8b940f2755053 |
SHA-256: | d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a |
Vhash: | 017057555d6d141az25!z |
Authentihash: | 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea |
Imphash: | 91802a615b3a5c4bcc05bc5f66a5b219 |
SSDEEP: | 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO |
Note: |
Identical to “frps.exe” available at: https://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip
|
Table 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.
Table 2: Observed Tactics and Techniques
Tactic | Technique |
---|---|
Resource Development [TA0042] |
Obtain Capabilities: Malware [T1588.001] |
Obtain Capabilities: Tool [T1588.002] |
|
Initial Access [TA0001] |
Exploit Public-Facing Application [T1190] |
Execution [TA0002] |
Scheduled Task/Job: Scheduled Task [T1053.005] |
Persistence [TA0003] |
Create Account: Local Account [T1136.001] |
Create Account: Domain Account [T1136.002] | |
Privilege Escalation [TA0004] | |
Credential Access [TA0006] |
|
Collection [TA0009] |
Archive Collected Data: Archive via Utility [T1560.001] |
Exfiltration [TA0010] | |
Impact [TA0040] | Data Encrypted for Impact [T1486] |
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Australian organizations can visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
This product is provided subject to this Notification and this Privacy & Use policy.
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |