CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth


EXECUTIVE SUMMARY

In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats.

In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture.

During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase.

The red team’s findings underscored the importance of defense-in-depth and using diversified layers of protection. The organization was only able to fully understand the extent of the red team’s compromise by running full diagnostics from all data sources. This involved analyzing host-based logs, internal network logs, external (egress) network logs, and authentication logs.

The red team’s findings also demonstrated the value of using tool-agnostic and behavior-based indicators of compromise (IOCs) and of applying an “allowlist” approach to network behavior and systems, rather than a “denylist” approach, which predominantly results in an unmanageable amount of noise. The red team’s findings illuminated the following lessons learned for network defenders about how to reduce and respond to risk:

  • Lesson learned: The assessed organization had insufficient controls to prevent and detect malicious activity.
  • Lesson learned: The organization did not effectively or efficiently collect, retain, and analyze logs.
  • Lesson learned: Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
  • Lesson learned: A “known-bad” detection approach hampered detection of alternate TTPs.

To reduce risk of similar malicious cyber activity, CISA encourages organizations to apply the recommendations in the Mitigations section of this advisory, including those listed below:

  • Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions.
  • Use robust network segmentation to impede lateral movement across the network.
  • Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.

CISA recognizes that insecure software contributes to these identified issues and urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this CSA, including those listed below, to harden customer networks against malicious activity and reduce the likelihood of domain compromise:

  • Eliminate default passwords.
  • Provide logging at no additional charge.
  • Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents.

Download the PDF version of this report:

INTRODUCTION

CISA has authority to hunt for and identify, with or without advance notice to or authorization from agencies, threats and vulnerabilities within federal information systems (see generally 44 U.S.C. § 3553[b][7]). The target organization for this assessment was a large U.S. FCEB organization. CISA conducted the SILENTSHIELD assessment over an approximately eight-month period in 2023, with three of the months consisting of a technical collaboration phase:

  • Adversary Emulation Phase: The team started by emulating a sophisticated nation-state actor by simulating known initial access and post-exploitation TTPs. The team’s goal was to compromise the assessed organization’s domain and identify attack paths to other networks. After completion of their initial objectives, the team diversified its deployed tools and tradecraft to mimic a wider and often less sophisticated set of threat actors to elicit network defender attention. CISA red team members did not clean up or delete system logs, allowing defenders to investigate all artifacts and identify the full scope of a breach.
  • Collaboration Phase: The SILENTSHIELD team met regularly with senior staff and technical personnel to discuss issues with the organization’s cyber defensive capabilities. During this phase, the team:

This advisory, drafted in coordination with the assessed organization, details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders recommendations for improving their organization’s defensive cyber posture. The advisory also provides recommendations to software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool

During the Adversary Emulation phase, the red team gained initial access to the organization’s Solaris enclave by exploiting a known vulnerability in an unpatched web server. They gained separate access to the Windows environment by phishing and were able to compromise the full domain and its parent domain. See Figure 1 for a timeline of this assessment and the sections below for details on the team’s activity and TTPs.

Figure 1: SILENTSHIELD assessment timeline

Adversary Emulation Phase

Exploitation of the Solaris Enclave

Reconnaissance, Initial Access, and Command and Control

CISA’s red team used open source tools and third-party services to probe the organization’s internet-facing surface [T1594]. This included non-intrusive port scans for common ports and Domain Name System (DNS) enumeration [T1590.002]. These efforts revealed the organization’s web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. For three months the assessed organization failed to patch this vulnerability, and the team exploited it for initial access.

The exploit provided code execution on a backend application server (SERVER 1) that handled incoming requests from the public-facing web server. The red team used this exploit to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT enabled consistent command and control (C2) traffic [T1071.001].

Note: After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on Feb. 2, 2023.

Credential Access, Command and Control, and Privilege Escalation

Once on SERVER 1, the red team probed the host’s files and folder structure [T1005] and identified several old and globally accessible .tar backup files, which included a readable copy of an /etc/shadow file containing the hash for a privileged service account (ACCOUNT 1). The team quickly cracked the account’s weak password using a common wordlist [T1110.002]. They then established an outbound Secure Shell Protocol (SSH) connection over TCP port 80 and used a reverse tunnel to SSH back into SERVER 1, where they were prompted to reset ACCOUNT 1’s expired password [T1571] (see Figure 2). The team identified the account was enabled on a subset of containers, but it had not been actively used in a significant amount of time; the team changed this account’s password to a strong password.

Figure 2: Exploitation of the Solaris Enclave

The team discovered ACCOUNT 1 was a local administrator with sudo/root access and used it to move laterally (see the next section).

Lateral Movement and Persistence

Servers in the Solaris enclave did not use centralized authentication but had a mostly uniform set of local accounts and permissions [T1078.002]. This allowed the red team to use ACCOUNT 1 to move through much of the network segment via SSH [T1021.004].

Some servers allowed external internet access and the team deployed RATs on a few of these hosts for C2. They deployed several different RATs to diversify network traffic signatures and obfuscate the on-disk and in-memory footprints. These tools communicated to a red team redirector over TCP/443, through valid HTTPS messages, and over SSH through non-standard ports (80 and 443) [T1571]. Much of the traffic was not blocked by a firewall, and the organization lacked application layer firewalls capable of detecting protocol mismatches on common ports. 

The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy [T1090] to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events (see Figure 3).

Figure 3: Example of Lateral Movement in the Solaris Enclave

Once on other internal hosts, the team data mined each for sensitive information and credentials. They obtained personally identifiable information (PII), shadow files, a crackable pass-phrase protected administrator SSH key, and a plaintext password [T1552.003] in a user’s .bash_history. These data mined credentials provided further avenues for unprivileged access through the network. The team also used SSH tunnels to remotely mount Network File System (NFS) file shares, spoofing uid and gid values to access all files and folders.

To protect against reboots or other disruptions, the team primarily persisted on hosts using the cron utility [T1053.003], as well as the at utility [T1053.002], to run scheduled tasks and blend into the environment. Additionally, SSH private keys provided persistent access to internal pivot hosts and would have continued to enable access even if passwords were rotated.

Full Enclave Compromise

Although ACCOUNT 1 allowed the team to move laterally to much of the Solaris enclave, the account did not provide privileged access to all hosts in the network because a subset of hosts had changed the password (which denied privileged access via that account). However, the team analyzed recent user logins using the last command and identified a network security appliance scanning service account (ACCOUNT 2) that logged in regularly to an internal host using password-based authentication. As part of its periodic vulnerability scanning, ACCOUNT 2 would connect to each host via SSH and run sudo with a relative path instead of the absolute path /usr/local/bin/sudo. The local path created a path hijack vulnerability, which allowed the red team to hijack the execution flow and capture the account’s password [T1574.007].

The harvested password granted unrestricted privileged access to the entire Solaris enclave.

Exploitation of the Windows Domain

While the compromise of the Solaris enclave facilitated months of persistent access to sensitive systems, including web applications and databases, it did not lead to the immediate compromise of the corporate Windows environment. Once in the Windows domain, the red team identified several service accounts with weak passwords. It is likely that an adversary could have continued the Solaris attack path through prolonged password spraying attacks, or by leveraging credentials obtained externally (e.g., dark web credential dumps) (see Figure 4).

Figure 4: Exploitation of Solaris enclave

The team exploited the Windows domain through other access vectors and eventually proved the undetected pivot between the domains could be made after they obtained Windows credentials.

Reconnaissance and Initial Access

While attempting to pivot into Windows from Solaris, the red team conducted open source information gathering about the organization. They harvested employee names [T1589.003] and used the information to derive email addresses based on the target’s email naming scheme. After identifying names, emails, and job titles, the team selected several phishing targets who regularly interacted with the public [T1591.004]. One user triggered a phishing payload that provided initial access to a workstation.

The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS. The team assessed what was running on the host in terms of antivirus (AV) and Endpoint Detection and Response (EDR) and used the implant to inject a more capable, full-fledged RAT directly into memory, which pointed to a separate redirector. The assessed organization’s tools failed to categorize C2 traffic as anomalous even when a bug in one of the implants caused 8 GB of continuous network traffic to flow in one afternoon.

Credentialed Access and Privilege Escalation

Internal network information was freely available to unprivileged, domain-joined users, and the team queried hundreds of megabytes of Active Directory (AD) data using a custom rewrite of dsquery.exe in .NET and Beacon Object File (BOF) ldapsearch from the phished user’s workstation. The team then data mined numerous internal file servers for accessible shares [T1083]. The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts (ACCOUNT 3) had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account (ACCOUNT 4) that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).

Lateral Movement and Persistence

The team used valid accounts and/or tokens with varied techniques for lateral movement. Techniques included scheduled task manipulation, service creation, and application domain hijacking [T1574.014]. For credential usage, the implemented IDM in the organization’s network hampered the red team’s ability to pivot as it blocked common credential manipulation techniques like pass-the-hash [T1550.002] and pass-the-ticket [T1550.003]. The red team found ways to circumvent the IDM, including using plaintext passwords to create genuine network logon sessions [T1134.003] for certain accounts not registered with the IDM, as well as impersonating the tokens of currently logged-in users to piggyback off valid sessions [T1134.001].

The red team tailored payloads to blend with the network’s environment and did not reuse IOCs like filenames or file hashes, especially for persisted implants. Remote queries for directory listings, scheduled tasks, services, and running processes provided the information for the red team to masquerade as legitimate activity [T1036.004].

The team emulated normal network activity by installing HTTPS beaconing agents on workstations where normal users browse the web, establishing internal network pivots with TCP bind and SMB listeners. They primarily relied on creating Windows services as their persistence mechanism.

The red team used the data mined credentials for ACCOUNT 3 to move laterally from the workstation to a SCOM server. Once there, using ACCOUNT 4, the team targeted a Systems Center Configurations Manager (SCCM) server, as it was an advantageous network vantage point. The SCCM server had existing logged-in server administrators whose usernames followed a predictable naming pattern (correlating administrative roles and privilege levels), allowing them to determine which account to use to pivot to other hosts. 

The team targeted the organization’s jump servers frequented by highly privileged administrative accounts. Red team operators used stolen SCCM server administrator credentials to compromise one of the organization’s server-administrator jump hosts. They learned that the organization separated some, but not all, accounts onto separate jump servers by role (e.g., workstation administrators and server administrators had separate jump points, but server and domain administrators occasionally shared the same jump hosts). Once a domain administrator logged in, the red team stole the administrator’s session token and laterally moved to a domain controller where they pulled credentials for the entire domain via DCSync [T1003.006], obtaining full domain compromise (see Figure 5).

Figure 5: Exploitation of the Windows Domain

After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network. Remote administration and access of these critical systems should be restricted to designated, role-based accounts coming from specific network enclaves and/or workstations. Isolation with these access vector limitations protects them from compromise and sharply reduces the associated noise, allowing defenders to more easily identify abnormal behavior.

Pivoting Into External Trusted Partners

The team inspected the organization’s trust relationships with other organizational domains through LDAP [T1482] and identified connections to multiple external FCEB partner organizations, one of which they subsequently used to move laterally.

The team pulled LDAP information from PARTNER DC 1 and kerberoasted the domain, yielding one valid service account with a weak password they quickly cracked, but the team was unable to move laterally with this account because it lacked appropriate privileges. However, PARTNER 1 had trusted relationships with a second partner’s domain controller (PARTNER DC 2). Using the acquired PARTNER 1 credentials, the red team discovered PARTNER 2 also had a kerberoastable, highly privileged administrative service account whose password cracked, allowing the team to laterally move to a PARTNER 2 host from the original victim network (see Figure 6).

figure 6: path of exploitation into external fceb organizations

These cross-organizational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors.

Experimentation with access into trusted partner domains included the modification of local system firewall rules on the source domain controller to allow specific source and destination IPs. The organization’s host-based monitoring systems failed to identify the addition and removal of the red team’s firewall exceptions.

Defense Evasion Techniques

Solaris Enclave Figure 5: Exploitation of the Windows Domain

Due to the lack of application allowlisting, the red team regularly masqueraded as legitimate software to remain undetected by the organization’s network defenders [T1036]. Additionally, by default, command auditing in Solaris via the lastcomm command only captures the program being run—full file path and any command line arguments are not recorded. For example:

  • A real file: /opt/splunkforwarder/bin/splunkd
  • A malicious copy: /opt/splunkforwarder/splunkd
  • Command auditing logs: splunkd

The team also hid common artifacts to obfuscate their operational activity, including modifying file timestamps [T1070.006] and permissions with the touch and chmod/chown commands [T1222.002] to blend with other files in the environment.

Windows Domain

The team used a diverse range of accounts, backdoors, and C2 channels with different network footprints to obfuscate activity [T1027].

Diversification of account usage, backdoors, and C2 channels further obfuscated red team activity in the domain. Lateral movement to new hosts featured a variety of accounts to reduce the risk of detection. When harvesting credentials, the team selected several backup accounts for each role (e.g., server admin, workstation admin, domain admin, service accounts) in case the intended account was locked, disabled, or flagged as compromised.

To emphasize the value of tool-agnostic/behavior-based detections, the red team deployed over seven different implants to mimic real-world adversaries’ diverse use of open source, commercial off-the-shelf (COTS), and custom RATs. Each featured different host and network signatures to evade out-of-the-box EDR detections and every implant had unique artifacts both on-disk and in-memory. The team also evaded EDR/AV by using proprietary loaders and beacon object files (BOFs) to make direct API calls and allow self-injection of .NET executables to run additional capabilities.

All the deployed tools had different network C2 channel footprints. Some beaconing agents connected via HTTPS to legitimate domains owned by the red team. Others used domain fronting [T1090.004] to leverage common content delivery network (CDN) functionality. Outbound traffic sent to public websites not owned by the red team had a Host header that told the CDN provider it should redirect traffic to red-team-controlled IP addresses. Internal pivots used SMB on port 445 and TCP bind listeners on ephemeral high ports. The team tailored both to mimic named pipes and network connections already seen in the domain and evade detection.

Collaborative Phase

Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership. At this point, the organization had not submitted deconflictions and did not appear to be actively investigating CISA SILENTSHIELD assessment activity.

During this phase, CISA refrained from providing TTPs or IOCs (such as concrete hosts, filenames, or C2 domains) to allow the organization to develop and test its own detection metrics. The team held weekly discussions with the organization’s senior technical staff, SOC, and system administrators, which led to measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft. Specifically, the red team worked with the organization to assist them with synthesizing the following data sources to identify the extent of the red team’s compromise:

  • EDR alerts;
  • YARA scans;
  • C2 domains and techniques;
  • Internal pivot hosts;
  • Admin accounts used to pivot;
  • Memory dumps, revealing attempts to pass credentials; and
  • Email logs documenting the initial breach via phishing.

Every cyber threat actor has a unique set of TTPs. Nevertheless, nearly all adversaries perform the same basic steps:

  • Command execution (initial access and lateral movement);
  • Establish C2 channels and exfiltrate data;
  • Establish persistence;
  • Escalate privileges; and
  • Use and abuse credentials.

All TTPs have corresponding artifacts, but not all IOCs are created equal. Fixating on a hyper-focused set of IOCs can catch known threats but impedes efforts to identify unknown adversaries employing different TTPs.

Major themes discussed during this phase that improved the organization’s behavior-based detection capabilities included log collection, forensic analysis, relying on IOCs for detection, monitoring and investigation management, and Sysmon misconfigurations.

Log Collection

The assessed organizations had ineffective and insufficient logs, and network defenders were not using logs to proactively detect anomalous behavior. With the red team’s assistance, the organization identified logging issues caused by hardware failures, limited backups, network bandwidth, and limited log collection and retention policies (only 60–90 days). In other cases, critical data was captured but not analyzed because artifacts were moved to cold storage.

The organization’s network defenders identified procedural and other roadblocks when attempting to acquire new forensic data. For example, affected servers could not be taken offline for imaging because there was no process in place to do so without impacting the organization’s operations. Additionally, attempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses.

Forensic Analysis

Defenders did not monitor C2 egress via DNS. They believed their parent entity was monitoring their DNS traffic, absolving them of a need to collect and monitor logs for their analyses.

Forensic analysts blindly trusted the timestamps for files and persistence mechanisms without realizing they had been tampered with. Bogus times added to persistence mechanisms (such as scheduled tasks) led defenders to misjudge the timeline of the breach. Red team operators regularly adjusted the last-modified timestamp of files and folders—using either the native touch -r command or implants’ timestomp command to disguise the last-modified timestamp captured in the output of ls –la. Secondary file timestamps identified with ls -lu or ls -lc would have revealed abnormal file attributes, in addition to more reliable anomalies found during proper forensic investigation.

Reliance on Known IOCs

The red team used diversified TTPs in the Adversary Emulation phase to reflect the ability of cyber threat actors to bypass conventional, known-bad detection strategies. The network defenders did not detect much of the team’s activity. For example:

  • After identifying a red team payload, network defenders wrote tailored YARA rules that signatured specific behavior of the red team’s loader, which uncovered several similar payloads but failed to catch any of the other six C2 frameworks.
  • Organization network defenders used a combination of custom and open source detection rules (such as CommandLine=kerberoast* or files called bloodhound.zip) and did not detect the team’s kerberoasting activity.
Regular Monitoring and Investigation Management

Conversations with SOC leadership revealed several procedural issues that led to slow or incomplete analysis of the red team’s intrusion and activity. For example:

  • While EDR products detected and quarantined several of the red team’s tools, including the initial phishing payload, the organization’s daily procedures did not always include review of EDR alerts. The red team worked with the organization to ensure rapid response to EDR alerts became a fundamental part of network defenders’ daily workflows. This allowed SOC personnel to identify new attempts at lateral movement.
  • Solaris network owners discovered that several firewalls had inadvertently been misconfigured or disabled. The organization’s technical teams worked directly with the red team to fix errors and to reorganize and revalidate the network topology.
  • Network defenders had poor operational security and alerted the red team of investigations. For example:
    • In one instance, after receiving incoming beacons from what was evidently a sandboxed environment, the payload was not renamed from its original file, allowing the red team to immediately identify how much of their access was under scrutiny. Organizations must ensure sandboxed environments are safe, secure, and thoroughly sandboxed.
    • The red team observed system administrators reviewing forensic artifacts tied to the team’s Solaris payload—searching for files, running packet captures for outbound C2 traffic, and port scanning the C2 redirector. Team members simply reinstalled their persistence with a new redirector and file path, sidestepping the informal investigation.
  • IT teams were siloed from the SOC, who had no knowledge of the system administrator’s weeks long investigation into the anomalous network behavior.
  • While the organization compartmented most of its threat hunting and incident response in a separate domain, staff still used the compromised corporate domain accounts to communicate the details of active investigations and assessments.
Sysmon Misconfigurations

The red team had a productive exchange with the organization on their Sysmon configuration, which the team abused throughout the assessment. The red team identified several misconfigurations:

  • Deployment teams pushed the ruleset (stored as a .xml file) to a globally readable C:\Windows directory. There were no rules in place to catch adversaries reading the configurations from disk or the registry. As a result, CISA’s red team was provided explicit file paths to safely place their payloads.
  • Rules targeted a single, tool-specific IOC rather than a technique (e.g., sc.exe rather than service creation events).
  • Exceptions were overly permissive (for example, excluding all Image entries anywhere in C:\Program Files (x86)\Google\Update\*).

LESSONS LEARNED AND KEY FINDINGS

The red team noted the following lessons learned and key findings relevant to the security of the assessed organization’s network. These specific findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to address these findings.

Lesson Learned: The assessed organization had insufficient controls to prevent and detect malicious activity.

  • Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which failed to restrict outbound traffic. A majority of the organization’s hosts, including domain controllers, had internet connectivity to broad AWS EC2 ranges, allowing the red team to make outbound web requests without triggering IDS/IPS responses. These successful connections revealed the lack of an application layer firewall capable of detecting protocol mismatches on common ports.
  • Finding #2: The assessed organization had insufficient network segmentation. The lack of network segmentation allowed the red team to move into, within, and out of both the Solaris and Windows domain. This also enabled them to gather a massive amount of data about the organization and its systems. Internal servers could reach almost any other domain host, regardless of type (server vs. workstation), purpose (user laptop, file server, IDM server, etc.), or physical location. Use of network address translation (NAT) between different parts of the network further obfuscated data streams, hindering incident response.
  • Finding #3: The organization had trust relationships with multiple partner organizations, which—when combined with weak credentials and network connectivity—allowed the red team to exploit and move laterally to a partner domain controller. This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material.
  • Finding #4: The organization’s defensive staff did not sufficiently isolate their defensive investigative activity. Organizations should always communicate information pertaining to suspected incidents out-of-band, rather than from within a domain that they know to be compromised. While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server. Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation.
  • Finding #5: Network defenders were not familiar with the intricacies of their IDM solution. The CISA red team identified accounts not enrolled in the IDM and successfully used those and already existing user access tokens to bypass IDM. The appliance, in its active configuration, was not exhaustively tested against common credential manipulation techniques nor were any alerts on anomalous behavior being monitored.
  • Finding #6: The organization had some role-based host segmentation, but it was not granular enough. The organization used clearly defined roles (server administrator and domain administrator) but did not sufficiently segregate the accounts to their own servers or systems, enabling privilege escalation.

Lesson Learned: The organization did not effectively or efficiently collect, retain, and analyze logs.

  • Finding #7: Defensive analysts did not have the information they needed due to a combination of issues with collecting, storing, and processing logs. Other policies collected too much useless data, generating noise and slowing investigation.
  • Finding #8: Network defenders’ daily procedures did not always include analysis of EDR alerts, and the tools that were installed only provided a 30-day retention for quarantined files. Consequently, investigators were unable to access timely information that may have led to earlier detection of the red team’s activity.
  • Finding #9: Forensic analysts trusted host artifacts that could have been modified by an adversary. In particular, file timestamps and packet captures were scrutinized without considering the possibility of malicious tampering.

Lesson Learned: Bureaucratic communication and decentralized teams hindered the organization’s network defenders.

  • Finding #10: The organization’s technical staff were spread across decentralized teams. Siloed team structure meant that IT, security, and other technical teams lacked consistency with their tools, creating too much noise for defenders to sift through.
  • Finding #11: The SOC team lacked the agency to rapidly update or deploy rulesets through the fractured IT teams. The organization diffused responsibility for individual tools, such as Sysmon, across multiple groups, hampering timeliness and maintenance of a defensive posture.
  • Finding #12: The organization’s forensics team produced an incident response report which documented the red team’s initial exploitation of the Solaris enclave. However, the report was limited in scope and did not adequately document the red team’s ability to expand and persist. The success of the red team’s first phase, using publicly known TTPs, illustrated the business risk to all Solaris hosts and, by extension, the Windows environment. Moreover, the organization’s internal report only focused on vulnerable servers and did not account for a cyber threat actor’s ability to expand and persist in the Solaris enclave.
    • The Solaris administrator’s investigations of the red team failed to appear in either the report or in SOC deconflictions. An admin’s inquiry into unusual and probably malicious activity, particularly in the middle of an investigation of confirmed breaches of adjacent hosts, should have been considered in the report as evidence of lateral movement.

Lesson Learned: A “known-bad” detection approach hampered detection of alternate TTPs.

  • Finding #13: Defenders hyper-focused on specific IOCs, such as file attributes, particular C2 frameworks, or C2 domains. The organization’s network defenders did not initially employ tool-agnostic detections, causing them to positively identify some red team tools, but remain blind to the full extent of the compromise. They were accustomed to catching internal red teams that used specific TTPs; introducing a new “threat actor” with new TTPs sidestepped nearly all detections.
  • Finding #14: Detection rules were visible from compromised systems, allowing the red team to sidestep detections based on hardcoded rules and exceptions.
  • Finding #15: There was insufficient restriction of administrative tools. The technical staff lacked a standardized set of administrative tools, leaving all remote administration protocols available for use by admins, CISA red team, or adversaries. This also created excessive noise for defenders to effectively sift through to determine expected versus anomalous activity.
  • Finding #16: There was insufficient tracking of software. There was no apparent approval or tracking process for software installation across the domain, preventing defensive analysts from identifying abnormal software placed by the red team. A comprehensive inventory of approved software would help defenders identify abnormal behavior and facilitate the deployment of application allow-listing.

NOTED STRENGTHS

The assessed organization promptly planned for and resolved multiple identified issues, including with:

  • Windows service accounts: The organization eliminated over 30 percent of service accounts which were deemed unnecessary. There is an on-going effort to change service account passwords and apply DoD recommended STIG compliance (over 85 percent have been changed since the publication of this report).
  • IDM: The organization is looking into how to improve their IDM implementation and apply additional security alerts and preventions for possible misuse of credentials. They plan to implement additional identity-based monitoring capabilities in front of tier zero assets.
  • Egress: The organization implemented new processes to detect and prevent servers from anomalously egressing outside of the network to the internet.
  • Host-based solutions: The organization used additional features of their antivirus software, such as reputation scores, to look for all executable file type outliers of to identify anomalous instances.
  • Hosts: The organization decommissioned clusters of servers and completely rebuilt them from scratch after identifying numerous irreparable issues and misconfigurations.
  • Solaris credentials: The organization changed passwords, removed SSH keys, restricted permissions, and removed unnecessary accounts.

MITIGATIONS

Network Defenders

CISA recommends organizations implement the recommendations in Table 1 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Table 1: Recommendations to Mitigate Identified Issues
Finding Recommendation
Inadequate firewall between perimeter and internal devices
  • Deploy internal and external network firewalls to inspect, log, and/or block unknown or unauthorized traffic.
  • Perform deep packet inspection to detect mismatched application traffic or encrypted data flows.
  • Restrict outbound internet egress to hosts whenever possible.
  • Establish a baseline of normal user activity, including unique IPs or domains.
Insufficient Network Segmentation
  • Apply the principle of least privilege to limit the exposure of systems and services in the demilitarized zone (DMZ).
  • Segment the DMZ based on the sensitivity of systems and services as well as the internal network [CPG 2.F].
  • Segment networks to protect assets and workstations from direct exposure to the internet by considering the criticality of the asset to business functions, sensitivity of the data traversing the asset, and requirements for internet access to the asset.
  • Implement and regularly test firewalls, access control lists, and intrusion prevention systems.
  • Take advantage of opportunities to create natural network segmentation. Securely configured VPNs used for remote laptops, for instance, create an easy place to filter and monitor incoming traffic.
Trust relationships between domains were overly permissive
  • Restrict network connectivity (ingress and egress) to only necessary services between trusted domains [CPG 2.E].
  • Regularly monitor privileged access via Foreign Security Principals (FSPs).
Defensive activity was not sufficiently isolated
  • Perform network defense investigations out-of-band [CPG 3.A].
  • Conduct regular security audits and penetration testing by internal and external parties.
  • Develop and implement a comprehensive Incident Response Plan (IRP) and conduct regular drills and simulations [CPG 2.S].
IDM solutions were not fully understood and utilized
  • Enroll all accounts in IDM solutions and test against common credential manipulation techniques.
  • Integrate the IDM solution with other systems and applications, allowing for the streamlining of workflows.
Insufficient role-based host segmentation
  • Establish Role-Based Access Controls (RBAC) to systematically assign permissions based on job functions [CPG 2.E].
  • Implement a comprehensive security model incorporating micro-segmentation at the host level.
Failure to monitor EDR alerts daily
  • Develop and document Standard Operating Procedures (SOPs) for handling EDR alerts [CPG 5.A].
  • Establish and maintain incident response playbooks.
  • Conduct regular audits and reviews of the EDR alert handling process.
Host artifacts were overly trusted
  • Operationalize and deploy File Integrity Monitoring (FIM) solutions.
  • Regularly review and adjust access permissions, adhering to the principle of least privilege [CPG 2.E].
  • Establish proper forensic processes to ensure integrity.
Bureaucracy and decentralization of network defenders hampered communication and consistency
  • Introduce cross-training initiatives to cultivate a collaborative culture.
  • Encourage the establishment of cross-functional projects.
  • Utilize collaboration platforms that seamlessly integrate various tools and systems.
Insufficient internal incident response report 
  • Promote a culture of ongoing improvement while also fostering a proactive approach among employees to promptly report suspicious activities.
  • Treat suspected incidents of compromise as a confirmed breach, and account for a threat actor’s ability to move laterally when defining the scope of incident response efforts.
Focus on known/common IOCs
  • Employ centralized logging and tool-agnostic detection methods.
  • Leverage threat intelligence feeds by integrating them into a SIEM tool.
  • Implement regular updates for IOCs and TTPs, with the capability for customization to address the specific threat landscape [CPG 3.A].
Detection rules were visible from compromised systems
  • Integrate runtime detection mechanisms while removing world-readable configuration files from installer deployments where applicable.
Insufficient restriction of admin tools
  • Enhance security posture by implementing application allowlisting to ensure only trusted and approved applications are permitted [CPG 2.Q].
  • Apply the principle of least privilege by granting users only the minimum level of access necessary to perform job functions.
Insufficient tracking of software
  • Conduct a comprehensive inventory of assets and establish a baseline for behavior [CPG 1.A].
  • Utilize a Software Asset Management (SAM) solution that offers comprehensive tracking, reporting, and compliance management capabilities.
  • Deploy automated discovery and monitoring tools to continuously scan and identify new and existing software.

CISA recommends organizations implement the recommendations in Table 2 to mitigate other identified issues that can be uncovered through traditional penetration tests or red team assessments.

Table 2: Recommendations to Mitigate Identified Issues
Issue Recommendation
Accounts were overprivileged and the organization’s network contained unnecessary service accounts
  • Apply the principle of least privilege when assigning permissions to user accounts. Audit existing group memberships, strip unnecessary privileges, and prune unnecessary nested groups/users.
  • Monitor for account lockout, especially on administrative accounts, and switch to a manual account unlock policy.
  • Increase monitoring for higher-risk accounts, such as service accounts, that are highly privileged and have a predictable pattern of behavior (e.g., scans that reliably run at a certain hour of the day).
  • Privileged users should have dedicated role-based user accounts and associated jump hosts to log into critical resources.
Insufficient EDR configuration
  • Ensure all hosts have a form of EDR installed.
  • Deploy an EDR capable of catching commonly known obfuscation or execution techniques.
Insecure and insufficient credentials

Note: The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. CISA encourage all organizations to prioritize purchasing products from manufacturers who demonstrate secure by design principles, such as evidenced by follow-on publications from companies who have signed the Secure by Design Pledge.

Software Manufacturers

CISA recognizes that insecure software is the root cause of many flaws; the responsibility should not rest on the end user. CISA urges software manufacturers to implement the following:

  • Eliminate default passwords and determine what password practices should be required (such as minimum password length and disallowing known breached passwords). Configure software to use more secure authentication schemes by default.
  • Provide logging at no additional charge. Cloud services and on-premises products should commit to generating and storing security related logs at no additional cost.
  • Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents. The goal is to develop logs that yield a comprehensive story of the event.
  • Remove unnecessary software dependencies. Unnecessary software increases the attack surface available to adversaries and may introduce additional vulnerabilities. Mitigating these additional vulnerabilities requires significant investment, consuming resources like time, technical personnel, and adding to the level of security effort.

These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates. 

For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 3–11).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

VERSION HISTORY

July 11, 2024: Initial version.

APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3–11 for all referenced threat actor tactics and techniques in this advisory.

Table 3: Reconnaissance
Technique Title ID Use
Search Victim-Owned Websites T1594 CISA’s red team used open source tools and services to probe the organization’s internet-facing presence and gather information, including names, roles, and contact information.
Gather Victim Network Information: DNS T1590.002 The red team gathered information about the organization’s DNS records, which revealed several details about the organization’s internal network.
Gather Victim Identity Information: Employee Names T1589.003 CISA’s red team collected the assessed organizations’ employee names to use their email addresses for specific targeting based on roles and responsibilities.
Gather Victim Org Information: Identity Roles T1591.004 CISA’s red team selected specific individuals from the assessed organization and targeted them with phishing payloads.
Table 4: Command and Control
Technique Title ID Use
Application Layer Protocol: Web Protocols T1071.001 The red team exploited CVE-2022-21587 and ran a RAT that provided consistent C2 via open Transmission Control Protocol (TCP) ports.
Non-Standard Port T1571 The red team used SSH over ports 80 and/or 443 when establishing outbound C2.
Proxy: Domain Fronting T1090.004 CISA’s red team leveraged domain fronting to redirect and obfuscate their traffic.
Table 5: Credential Access
Technique Title ID Use
Brute Force: Password Cracking T1110.002 The red team cracked an account’s password by using a common wordlist.
OS Credential Dumping: DCSync T1003.006 CISA’s red team pulled credentials for the domain via DCSync to gain full access to the domain.
Unsecured Credentials: Bash History T1552.003 The red team obtained a password by searching a user’s bash command history, which provided further unprivileged access throughout the network.
Table 6: Discovery
Technique Title ID Use
Domain Trust Discovery T1482 CISA’s red team inspected the assessed organization’s domain trust relationships through LDAP and identified potential connections in external organizations to which to move laterally.
File and Directory Discovery T1083 The red team data mined numerous internal servers and discovered one misconfigured share that contained plaintext usernames and passwords for several privileged service accounts.
Table 7: Privilege Escalation
Technique Title ID Use
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 The red team hijacked the execution flow of a program that used a relative path instead of an absolute path, which enabled the capture of the account’s password.
Access Token Manipulation: Token Impersonation/Theft T1134.001 CISA’s red team impersonated the tokens of current users to exploit valid sessions and bypass the organization’s IDM.
Access Token Manipulation: Make and Impersonate Token T1134.003 CISA’s red team created new tokens and logon sessions for accounts not registered with the IDM to escalate privileges.
Table 8: Lateral Movement
Technique Title ID Use
Remote Services: SSH T1021.004 CISA’s red team used SSH with a valid account to move through the enclave.
Proxy T1090 The red team used a SOCKS proxy to avoid direct connections to their infrastructure and obscure the source of the malicious traffic.
Use Alternate Authentication Material: Pass the Hash T1550.002 The red team’s operations were hindered by the organization’s IDM when it blocked the team’s attempts to bypass system access controls using different hash types for authentication.
Use Alternate Authentication Material: Pass the Ticket T1550.003 CISA’s red team’s operations were hindered by the organization’s  IDM when it blocked the team’s attempts to bypass system access controls using Kerberos tickets for authentication.
Table 9: Collection
Technique Title ID Use
Data from Local System T1005 CISA’s red team searched each host for files containing sensitive or interesting information such as password hashes, account information, network configurations, etc.
Table 10: Persistence
Technique Title ID Use
Scheduled Task/Job: Cron T1053.003 The red team used the cron utility to perform task scheduling and execute malicious code within Unix systems at specified times.
Scheduled Task/Job: At T1053.002 CISA’s red team used the at utility to perform task scheduling and execute malicious code within Unix systems at a specified time and date.
Hijack Execution Flow: AppDomainManager T1574.014 The red team executed malicious payloads by hijacking how the .NETAppDomainManager loads assemblies.
Valid Accounts: Domain Accounts T1078.002 CISA’s red team regularly used compromised valid domain accounts managed by Active Directory, giving access to resources of the domain.
Table 11: Defensive Evasion
Technique Title ID Use
Masquerading: Masquerade Task or Service T1036.004 The red team enumerated local files and running processes to gather information for their payloads and persistence mechanisms to appear as legitimate activity.
Obfuscated Files or Information T1027 CISA’s red team encrypted, encoded, and obfuscated their executables and C2 channels to evade defenses across the network.
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification T1222.002 The red team modified file permissions with touch and chmod/chown commands to obfuscate their activity and blend in with other files in the environment.
Indicator Removal: Timestomp T1070.006 CISA’s red team modified file timestamps to hide their operational activity.

Source…

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action


This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.

The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well.

The authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting). This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.[1]

The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the case studies are naturally older in nature, to ensure organizations were given the necessary time to remediate.

APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks.

Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.

APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207CVE-2021-34523CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.

This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells [T1505.003] for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions—regardless of the extent of compromise or further actions taken.

Although APT40 has previously used compromised Australian websites as command and control (C2) hosts for its operations, the group have evolved this technique [T1594].

APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.

Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic and challenge network defenders [T1001.003].

APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.

ASD’s ACSC are sharing some of the malicious files identified during the investigations outlined below. These files have been uploaded to VirusTotal to enable the wider network defense and cyber security communities to better understand the threats they need to defend against.

ASD’s ACSC are sharing two anonymized investigative reports to provide awareness of how the actors employ their tools and tradecraft.

Executive Summary

This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organization’s network between July and September 2022. This investigative report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In mid-August, the ASD’s ACSC notified the organization of malicious interactions with their network from a likely compromised device being used by the group in late August and, with the organization’s consent, the ASD’s ACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, the ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of observed events.

From July to August, key actor activity observed by the ASD’s ACSC included:

  • Host enumeration, which enables an actor to build their own map of the network;
  • Web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and
  • Deployment of other tooling leveraged by the actor for malicious purposes.

The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actors moved laterally through the network [T1021.002]. Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be used to arbitrarily upload files. Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow the actors to regain unauthorized access if the original access vector was blocked. No additional malicious tooling was discovered beyond those on the initially exploited machine; however, a group’s access to legitimate and privileged credentials would negate the need for additional tooling. Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a publicly known vulnerability.

Investigation Findings

In mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at least July and August. The compromised device probably belonged to a small business or home user.

In late August, the ASD’s ACSC deployed a host-based agent to hosts on the organization’s network which showed evidence of having been impacted by the compromise.

Some artefacts which could have supported investigation efforts were not available due to the configuration of logging or network design. Despite this, the organization’s readiness to provide all available data enabled ASD’s ACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40 activity on the network.

In September, after consultation with the ASD’s ACSC, the organization decided to denylist the IP identified in the initial notification. In October, the organization commenced remediation.

Details

Beginning in July, actors were able to test and exploit a custom web application [T1190] running on 2-ext, which enables the group to establish a foothold in the network demilitarized zone (DMZ). This was leveraged to enumerate both the network as well as all visible domains. Compromised credentials [T1078.002] were used to query the Active Directory [T1018] and exfiltrate data by mounting file shares [T1039] from multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid network credentials from a server [T1558.003]. The group were not observed gaining any additional points of presence in either the DMZ or the internal network.

Visual Timeline

The below timeline provides a broad overview of the key phases of malicious actor activity observed on the organization’s network.

Detailed Timeline

July: The actors established an initial connection to the front page of a custom web application [T1190] built for the organization (hereafter referred to as the “web application” or “webapp”) via a transport layer security (TLS) connection [T1102]. No other noteworthy activity was observed.

July: The actors begin enumerating the web application’s website looking for endpoints[2] to further investigate.

July: The actors concentrate on attempts to exploit a specific endpoint.

July: The actors are able to successfully POST to the web server, probably via a web shell placed on another page. A second IP, likely employed by the same actors, also begins posting to the same URL. The actors created and tested a number of likely web shells. 

The exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files on 2-ext.

ASD’s ACSC believes that the two IP address connections were part of the same intrusion due to their shared interest and initial connections occurring minutes apart.

July: The group continue to conduct host enumeration, looking for privilege escalation opportunities, and deploying a different web shell. The actors log into the web application using compromised credentials for @.

The actors’ activity does not appear to have successfully achieved privilege escalation on 2-ext. Instead, the actors pivoted to network-based activity.

July: The actor tests the compromised credentials for a service account[3] which it likely found hardcoded in internally accessible binaries.

July: The actors deploy the open-source tool Secure Socket Funnelling, which was used to connect out to the malicious infrastructure. This connection is employed to tunnel traffic from the actor’s attack machines into the organization’s internal networks, whose machine names are exposed in event logs as they attempt to use the credentials for the service account.

August: The actors are seen conducting a limited amount of activity, including failing to establish connections involving the service account.

August: The actors perform significant network and Active Directory enumeration. A different compromised account is subsequently employed to mount shares[4] on Windows machines within the DMZ, enabling successful data exfiltration.

This seems to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked the actor from targeting the internal network with similar activity.

August – September: The SSF tool re-established a connection to a malicious IP. The group are not observed performing any additional activities until their access is blocked.

September: The organization blocks the malicious IP by denylisting it on their firewalls.

Actor Tactics and Techniques

The MITRE ATT&CK framework is a documented collection of tactics and techniques employed by threat actors in cyberspace. The framework was created by U.S. not-for-profit The MITRE Corporation and functions as a common global language around threat actor behavior.

The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:

Reconnaissance

T1594 – Search Victim-Owned Websites

The actor enumerated the custom web application’s website to identify opportunities for accessing the network.

Initial Access

T1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)

T1078.002 – Valid Accounts: Domain Accounts (regarding logging on with comprised credentials)

Exploiting internet-exposed custom web applications provided an initial point of access for the actor. The actor was later able to use credentials they had compromised to further their access to the network.

Execution

T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)

T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)

Persistence

T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)

Credential Access

T1552.001 – Credentials from Password Stores (regarding password files relating to building management system [BMS])

T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)

Lateral movement

T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)

Collection

T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)

Exfiltration

T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)

Case Study 2

This report has been anonymized to enable wider dissemination. The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.

Executive Summary

This report details the findings of ASD’s ACSC investigation into the successful compromise of the organization’s network in April 2022. This investigation report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.

In May 2022, ASD’s ACSC notified an organization of suspected malicious activity impacting the organization’s network since April 2022. Subsequently, the organization informed ASD’s ACSC that they had discovered malicious software on an internet‑facing server which provided the login portal for the organization’s corporate remote access solution. This server used a remote access login and identity management product and will be referred to in this report as ‘the compromised appliance’. This report details the investigation findings and remediation advice developed for the organization in response to the investigation conducted by the ASD’s ACSC.

Evidence indicated that part of the organization’s network had been compromised by malicious cyber actor(s) via the organization’s remote access login portal since at least April 2022. This server may have been compromised by multiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely publicized around the time of the compromise.

Key actor activity observed by the ASD’s ACSC included:

  • Host enumeration, which enables an actor to build their own map of the network;
  • Exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands;
  • Exploitation of software vulnerabilities to escalate privileges; and
  • Credential collection to enable lateral movement.

The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions. Upon a review by the organization, the passwords were found to be legitimate. The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organization’s internal corporate network using a legitimate user account.

Investigation Summary

The ASD’s ACSC determined that the actor compromised appliance(s) which provide remote login sessions for organization staff and used this compromise to attempt to conduct further activity. These appliances consist of three load-balanced hosts where the earliest evidence of compromise was detected. The organization shut down two of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity occurred on a single host. The other servers associated with the compromised appliance were also load-balanced in a similar manner. For legibility, all compromised appliances are referred to in most of this report as a “single appliance.”

The actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated privileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of logging availability. However, evidence on the device indicates that an actor achieved the following:

  • The collection of several hundred genuine username and password pairs; and
  • The collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user.

The ASD’s ACSC assesses that the actor would have sought to further the compromise of the organisation network. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions as a legitimate user, possibly as a user of their choice, including administrators. The actor may have used this access vector to further compromise organization services to achieve persistence and other goals.

Other organization appliances within the hosting provider managed environment did not show evidence of compromise.

Access

The host with the compromised appliance provided authentication via Active Directory and a webserver, for users connecting to VDI sessions [T1021.001].

Location Compromised appliance hostnames (load-balanced)
Datacentre 1 HOST1, HOST2, HOST3

The appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once they possess an authentication token generated and downloaded from the appliance.

There was no evidence of compromise of any of these hosts. However, the access gateway hosts logs showed evidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that occurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of this activity could not be determined using available evidence but indicates that the group sought to move laterally in the organization’s network [TA0008].

Internal Hosts

The ASD’s ACSC investigated limited data from the internal organization’s network segment. Attempted or successful malicious activity known to have impacted the internal organization’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances [TA0011].

Using their access to the compromised appliance, the group collected genuine usernames, passwords [T1003], and MFA token values [T1111]. The group also collected JSON Web Tokens (JWTs) [T1528], which is an authentication artefact used to create virtual desktop login sessions. The actor may have been able to use these to create or hijack virtual desktop sessions [T1563.002] and access the internal organization network segment as a legitimate user [T1078].

The actor also used access to the compromised appliance to scrape an SQL server [T1505.001], which resided in the organization’s internal network. It is likely that the actor had access to this data.

Evidence available from the access gateway appliance revealed that network traffic occurred through or to this device from known malicious IP addresses. As described above, this may indicate that malicious cyber actors impacted or utilized this device, potentially to pivot into the internal network.

Investigation Timeline

The below list provides a timeline of key activities discovered during the investigation.

Time Event
April 2022 Known malicious IP addresses interact with access gateway host HOST7. The nature of the interactions could not be determined.
April 2022

All hosts, HOST1, HOST2 and HOST3, were compromised by a malicious actor or actors, and web shells were placed on the hosts.

A log file was created or modified on HOST2. This file contains credential material likely captured by a malicious actor.

The /etc/security/opasswd and /etc/shadow files were modified on HOST1 and HOST3, indicating that passwords were changed. Evidence available on HOST1 suggests that the password for user ‘sshuser’ was changed.

April 2022

HOST2 was shut down by the organization.

Additional web shells (T1505.003) were created on HOST1 and HOST3. HOST1experienced SSH brute force attempts from HOST3.

A log file was modified (T1070) on HOST3. This file contains credential material (T1078) likely captured by a malicious actor.

JWTs were captured (T1528) and output to a file on HOST3.

HOST3 was shut down by the organization. All activity after this time occurs on HOST1.

April 2022 Additional web shells were created on HOST1 (T1505.003). JWTs were captured and output to a file on HOST1.
April 2022

Additional web shells are created on HOST1 (T1505.003), and a known malicious IP address interacts with the host (TA0011).

A known malicious IP address interacts with access gateway host HOST7.

May 2022

A known malicious IP address interacted with access gateway host HOST7 (TA0011).

An authentication event for a user is linked to a known malicious IP address in logs on HOST1. An additional web shell is created on this host (T1505.003).

May 2022 A script on HOST1 was modified by an actor (T1543). This script contains functionality which would have scraped data from an internal SQL server.
May 2022 An additional log file on HOST1 was last modified (T1070). This file contains username and password pairs for the organization network, which are believed to be legitimate (T1078).
May 2022 An additional log file was last modified (T1070). This file contains JWTs collected from HOST1.
May 2022 Additional web shells were created on HOST1 (T1505.003). On this date, the organization reported the discovery of a web shell with creation date in April 2022 to ASD’s ACSC
May 2022 A number of scripts were created on HOST1, including one named Log4jHotPatch.jar.
May 2022 The iptables-save command was used to add two open ports to the access gateway host. The ports were 9998 and 9999 (T1572).

Actor Tactics and Techniques

Highlighted below are several tactics and techniques identified during the investigation.

Initial access

T1190 Exploit public facing application

The group likely exploited RCE, privilege escalation, and authentication bypass vulnerabilities in the remote access login and identity management product to gain initial access to the network.

This initial access method is considered the most likely due to the following:

  • The server was vulnerable to these CVEs at the time;
  • Attempts to exploit these vulnerabilities from known actor infrastructure; and
  • The first known internal malicious activity occurred shortly after attempted exploitation attempts were made.

Execution

T1059.004 Command and Scripting Interpreter: Unix Shell

The group successfully exploited the above vulnerabilities may have been able to run commands in a Unix shell available on the affected appliance.

Complete details of the commands run by actors cannot be provided as they were not logged by the appliance.

Persistence

T1505.003 Server Software Component: Web Shell

Actors deployed several web shells on the affected appliance. It is possible that multiple distinct actors deployed web shells, but that only a smaller number of actors conducted activity using these web shells.

Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.

Privilege escalation

T1068 Exploitation for Privilege Escalation

Available evidence does not describe the level of privilege attained by actors. However, using web shells, the actors would have achieved a level of privilege comparable to that of the web server on the compromised appliance. Vulnerabilities believed to have been present on the compromised appliance

would have allowed the actors to attain root privileges.

Credential access

T1056.003 Input Capture: Web Portal Capture

Evidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are believed to be legitimate. It is likely that these were captured using some modification to the genuine authentication process which output the credentials to a file.

T1111 Multi-Factor Authentication Interception The actor also captured the value of MFA tokens

corresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to output these values to a file. There is no evidence of compromise of the “secret server’ which stores the unique values that provide for the security of MFA tokens.

T1040 Network Sniffing

The actor is believed to have captured JWTs by capturing HTTP traffic on the compromised appliance. There is evidence that the utility tcpdump was executed on the compromised appliance, which may have been how the actor captured these JWTs.

T1539 Steal Web Session Cookie

As described above, the actor captured JWTs, which are analogous to web session cookies. These could have been reused by the actor to establish further access.

Discovery

T1046 Network Service Discovery

There is evidence that network scanning utility nmap was executed on the compromised appliance to scan other appliances in the same network segment. This was likely used by the actor to discover other reachable network services which might present opportunities for lateral movement.

Collection

Available evidence does not reveal how actors collected data or exactly what was collected from the compromised appliance or from other systems. However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs described above.

Command and Control

T1071.001 Application Layer Protocol: Web Protocols

Actors used web shells for command and control. Web shell commands would have been passed over HTTPS using the existing web server on the appliance [T1572].

T1001.003 Data Obfuscation: Protocol Impersonation

Actors used compromised devices as a launching point for attacks that are designed to blend in with legitimate traffic.

Detection and mitigation recommendations

The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for network security actions that should be taken to detect and prevent intrusions by APT40, followed by specific mitigations for four key TTPs summarized in Table 1.

Detection

Some of the files identified above were dropped in locations such as C:\Users\Public\* and C:\Windows\ Temp\*. These locations can be convenient spots for writing data as they are usually world writable, that is, all user accounts registered in Windows have access to these directories and their subdirectories. Often, any user can subsequently access these files, allowing opportunities for lateral movement, defense evasion, low-privilege execution and staging for exfiltration.

The following Sigma rules look for execution from suspicious locations as an indicator of anomalous activity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.

Title: World Writable Execution – Temp

ID: d2fa2d71-fbd0-4778-9449-e13ca7d7505c

Description: Detect process execution from C:\ Windows\Temp.

Background: This rule looks specifically for execution out of C:\ Windows\Temp\*. Temp is more broadly used by benign applications and thus a lower confidence malicious indicator than execution out of other world writable subdirectories in C:\Windows.

Removing applications executed by the SYSTEM or NETWORK SERVICE users substantially reduces the quantity of benign activity selected by this rule.

This means that the rule may miss malicious executions at a higher privilege level but it is recommended to use other rules to determine if a user is attempting to elevate privileges to SYSTEM.

Investigation:

  1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
  2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
  3. If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

Process Execution from an Unusual Directory

Author: ASD’s ACSC

Date: 2024/06/19

Status: experimental

Tags:

  • tlp.green
  • classification.au.official
  • attack.execution

Log Source:

category: process_creation
product: windows

Detection:

temp:
Image|startswith: ‘C:\\Windows\\Temp\\’

common_temp_path:
Image|re|ignorecase: ‘C:\\Windows\\Temp\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\}\\’

system_user:
User:

  • ‘SYSTEM’
  • ‘NETWORK SERVICE’

dismhost:

  • Image|endswith: ‘dismhost.exe’ 

known_parent:

  • ParentImage|endswith:
  • ‘\\esif_uf.exe’ 
  • ‘\\vmtoolsd.exe’ 
  • ‘\\cwainstaller.exe’
  • ‘\\trolleyexpress.exe’

condition: temp and not (common_temp_path or system_user or dismhost or known_parent)

False positives:

  • Allowlist auditing applications have been observed running executables from Temp.
  • Temp will legitimately contain an array of setup applications and launchers, so it will be worth considering how prevalent this behavior is on a monitored network (and whether or not it can be allowlisted) before deploying this rule.

Level: low

Title: World Writable Execution – Non-Temp System Subdirectory

ID: 5b187157-e892-4fc9-84fc-aa48aff9f997

Description: Detect process execution from a world writable location in a subdirectory of the Windows OS install location.

Background:

This rule looks specifically for execution out of world writable directories within C:\ and particularly C:\Windows\*, with the exception of C:\Windows\Temp (which is more broadly used by benign applications and thus a lower confidence malicious indicator).

AppData folders are excluded if a file is run as SYSTEM – this is a benign way in which many temporary application files are executed.

After completing an initial network baseline and identifying known benign executions from these locations, this rule should rarely fire.

Investigation:

  1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
  2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
  3. If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

mattifestation / WorldWritableDirs.txt
Process Execution from an Unusual Directory

Author: ASD’s ACSC

Date: 2024/06/19

Status: experimental

Tags:

  • tlp.green
  • classification.au.official
  • attack.execution

Log source:

category: process_creation
product: windows

Detection:

writable_path:
Image|contains:

  • ‘:\\$Recycle.Bin\\’
  • ‘:\\AMD\\Temp\\’
  • ‘:\\Intel\\’
  • ‘:\\PerfLogs\\’
  • ‘:\\Windows\\addins\\’
  • ‘:\\Windows\\appcompat\\’
  • ‘:\\Windows\\apppatch\\’
  • ‘:\\Windows\\AppReadiness\\’
  • ‘:\\Windows\\bcastdvr\\’
  • ‘:\\Windows\\Boot\\’
  • ‘:\\Windows\\Branding\\’
  • ‘:\\Windows\\CbsTemp\\’
  • ‘:\\Windows\\Containers\\’
  • ‘:\\Windows\\csc\\’
  • ‘:\\Windows\\Cursors\\’
  • ‘:\\Windows\\debug\\’
  • ‘:\\Windows\\diagnostics\\’
  • ‘:\\Windows\\DigitalLocker\\’
  • ‘:\\Windows\\dot3svc\\’
  • ‘:\\Windows\\en-US\\’
  • ‘:\\Windows\\Fonts\\’
  • ‘:\\Windows\\Globalization\\’
  • ‘:\\Windows\\Help\\’
  • ‘:\\Windows\\IdentityCRL\\’
  • ‘:\\Windows\\IME\\’
  • ‘:\\Windows\\ImmersiveControlPanel\\’
  • ‘:\\Windows\\INF\\’
  • ‘:\\Windows\\intel\\’
  • ‘:\\Windows\\L2Schemas\\’
  • ‘:\\Windows\\LiveKernelReports\\’
  • ‘:\\Windows\\Logs\\’
  • ‘:\\Windows\\media\\’
  • ‘:\\Windows\\Migration\\’
  • ‘:\\Windows\\ModemLogs\\’
  • ‘:\\Windows\\ms\\’
  • ‘:\\Windows\\OCR\\’
  • ‘:\\Windows\\panther\\’
  • ‘:\\Windows\\Performance\\’
  • ‘:\\Windows\\PLA\\’
  • ‘:\\Windows\\PolicyDefinitions\\’
  • ‘:\\Windows\\Prefetch\\’
  • ‘:\\Windows\\PrintDialog\\’
  • ‘:\\Windows\\Provisioning\\’
  • ‘:\\Windows\\Registration\\CRMLog\\’
  • ‘:\\Windows\\RemotePackages\\’
  • ‘:\\Windows\\rescache\\’
  • ‘:\\Windows\\Resources\\’
  • ‘:\\Windows\\SchCache\\’
  • ‘:\\Windows\\schemas\\’
  • ‘:\\Windows\\security\\’
  • ‘:\\Windows\\ServiceState\\’
  • ‘:\\Windows\\servicing\\’
  • ‘:\\Windows\\Setup\\’
  • ‘:\\Windows\\ShellComponents\\’
  • ‘:\\Windows\\ShellExperiences\\’
  • ‘:\\Windows\\SKB\\’
  • ‘:\\Windows\\TAPI\\’
  • ‘:\\Windows\\Tasks\\’
  • ‘:\\Windows\\TextInput\\’
  • ‘:\\Windows\\tracing\\’
  • ‘:\\Windows\\Vss\\’
  • ‘:\\Windows\\WaaS\\’
  • ‘:\\Windows\\Web\\’
  • ‘:\\Windows\\wlansvc\\’
  • ‘:\\Windows\\System32\\Com\\dmp\\’
  • ‘:\\Windows\\System32\\FxsTmp\\’
  • ‘:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\’
  • ‘:\\Windows\\System32\\Speech\\’
  • ‘:\\Windows\\System32\\spool\\drivers\\color\\’
  • ‘:\\Windows\\System32\\spool\\PRINTERS\\’
  • ‘:\\Windows\\System32\\spool\\SERVERS\\’
  • ‘:\\Windows\\System32\\Tasks_Migrated\\Microsoft\\Windows\\PLA\\System\\’
  • ‘:\\Windows\\System32\\Tasks\\’
  • ‘:\\Windows\\SysWOW64\\Com\\dmp\\’
  • ‘:\\Windows\\SysWOW64\\FxsTmp\\’
  • ‘:\\Windows\\SysWOW64\\Tasks\\’

appdata:
Image|contains: ‘\\AppData\\’
User: ‘SYSTEM’
condition: writable_path and not appdata

False positives:

Allowlist auditing applications have been observed running executables from these directories.

It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in one of these directories and should be addressed on a case-by-case basis.

Level: high

Title: World Writable Execution – Users

ID: 6dda3843-182a-4214-9263-925a80b4c634

Description: Detect process execution from C:\Users\Public\* and other world writable folders within Users.

Background:

AppData folders are excluded if a file is run as SYSTEM – this is a benign way in which many temporary application files are executed.

Investigation:

  1. Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
  2. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
  3. If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.

References:

Process Execution from an Unusual Directory

Author: ASD’s ACSC

Date: 2024/06/19

Status: experimental

Tags:

  • tlp.green
  • classification.au.official
  • attack.execution

Log source:

category: process_creation
product: windows

Detection:
users:
Image|contains:

  • ‘:\\Users\\All Users\\’
  • ‘:\\Users\\Contacts\\’
  • ‘:\\Users\\Default\\’
  • ‘:\\Users\\Public\\’
  • ‘:\\Users\\Searches\\’

appdata:
Image|contains: ‘\\AppData\\’
User: ‘SYSTEM’
condition: users and not appdata

False positives:

It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.

Level: medium

Mitigations

Logging

During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs.

ASD’s ACSC recommends reviewing and implementing their guidance on Windows Event Logging and Forwarding including the configuration files and scripts in the Windows Event Logging Repository and the Information Security Manual’s Guidelines for System Monitoring, to include centralizing logs and retaining logs for a suitable period.

Patch Management

Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralised patch management system to automate and expedite the process. ASD’s ACSC recommend implementation of the ISM’s Guidelines for System Management, specifically, the System Patching controls where applicable.

Most exploits utilized by the actor were publicly known and had patches or mitigations available.

Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.

Network Segmentation

Network segmentation can make it significantly more difficult for adversaries to locate and gain access to an organizations sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or “jump servers.” These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them.

Regardless of instances identified where lateral movement is prevented, additional network segmentation could have further limited the amount of data the actors were able to access and extract.

Additional Mitigations

The authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.

  • Disable unused or unnecessary network services, ports and protocols.
  • Use well-tuned Web application firewalls (WAFs) to protect webservers and applications.
  • Enforce least privilege to limit access to servers, file shares, and other resources.
  • Use multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including:
    • Web and cloud-based email;
    • Collaboration platforms;
    • Virtual private network connections; and
    • Remote desktop services.
  • Replace end-of-life equipment.
Mitigation Strategies/Techniques
TTP Essential Eight Mitigation Strategies ISM Controls

Initial Access

T1190

Exploitation of Public-Facing Application

  • Patch applications
  • Patch operating systems
  • Multi-factor authentication
  • Application control

ISM-0140

ISM-1698

ISM-1701

ISM-1921

ISM-1876

ISM-1877

ISM-1905

Execution

T1059

Command and Scripting Interpreter

  • Application control
  • Restrict Microsoft Office macros
  • Restrict administrative privileges

ISM-0140

ISM-1490

ISM-1622

ISM-1623

ISM-1657

ISM-1890

Persistence

T1505.003

Server Software Component: Web Shell

  • Application Control
  • Restrict administrative privileges

ISM-0140

ISM-1246

ISM-1746

ISM-1249

ISM-1250

ISM-1490

ISM-1657

ISM-1871

Initial Access / Privilege Escalation / Persistence

T1078

Valid Accounts

  • Patch operating systems
  • Multi-factor authentication
  • Restrict administrative privileges
  • Application control
  • User application hardening

ISM-0140

ISM-0859

ISM-1546

ISM-1504

ISM-1679

For additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT&CK technique web page for each of the techniques identified in the MITRE ATT&CK summary at the end of this advisory.

Reporting

Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.

Canadian organizations: report incidents by emailing CCCS at [email protected].

New Zealand organizations: report cyber security incidents to [email protected] or call 04 498 7654.

United Kingdom organizations: report a significant cyber security incident at National Cyber Security Centre (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

U.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected] or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

MITRE ATT&CK – Historical APT40 Tradecraft of Interest

Reconnaissance (TA0043)
Search Victim-Owned Websites [T1594]   Gather Victim Identity Information: Credentials [T1589.001] 
Active Scanning: Vulnerability Scanning [T1595.002]  Gather Victim Host Information [T1592]
Search Open Websites/Domains: Search Engines [T1593.002] Gather Victim Network Information: Domain Properties [T1590.001]
Gather Victim Identity Information: Email Addresses [T1589.002]  
Resource Development (TA0042)
Acquire Infrastructure: Domains [T1583.001]   Acquire Infrastructure [T1583]
Acquire Infrastructure: DNS Server [T1583.002]   Compromise Accounts [T1586]
Develop Capabilities: Code Signing Certificates [T1587.002]  Compromise Infrastructure [T1584]
Develop Capabilities: Digital Certificates [T1587.003]  Develop Capabilities: Malware [T1587.001]
Obtain Capabilities: Code Signing Certificates [T1588.003] Establish Accounts: Cloud Accounts [T1585.003]
Compromise Infrastructure: Network Devices [T1584.008] Obtain Capabilities: Digital Certificates [T1588.004]
Initial Access (TA0001)
Valid Accounts [T1078]  Phishing [T1566]
Valid Accounts: Default Accounts [T1078.001]   Phishing: Spearphishing Attachment [T1566.001]  
Valid Accounts: Domain Accounts [T1078.002]   Phishing: Spearphishing Link [T1566.002]
External Remote Services [T1133] Exploit Public-Facing Application [T1190]
Drive-by Compromise [T1189]   
Execution (TA0002)
Windows Management Instrumentation [T1047]   Command and Scripting Interpreter: Python [T1059.006] 
Scheduled Task/Job: At [T1053.002]  Command and Scripting Interpreter: JavaScript [T1059.007] 
Scheduled Task/Job: Scheduled Task [T1053.005]   Native API [T1106] 
Command and Scripting Interpreter [T1059]   Inter-Process Communication [T1559] 
Command and Scripting Interpreter: Windows Command Shell [T1059.003]  System Services: Service Execution [T1569.002]  
Command and Scripting Interpreter: PowerShell [T1059.001]  Exploitation for Client Execution [T1203]  
Command and Scripting Interpreter: Visual Basic [T1059.005]  User Execution: Malicious File [T1204.002]  
Command and Scripting Interpreter: Unix Shell [T1059.004] Command and Scripting Interpreter: Apple Script [T1059.002]
Scheduled Task/Job: Cron [T1053.003] Software Deployment Tools [T1072]
Persistence (TA0003)
Valid Accounts [T1078]  Server Software Component: Web Shell [T1505.003] 
Office Application Startup: Office Template Macros [T1137.001] Create or Modify System Process: Windows Service [T1543.003] 
Scheduled Task/Job: At [T1053.002]  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] 
Scheduled Task/Job: Scheduled Task [T1053.005]   Boot or Logon Autostart Execution: Shortcut Modification [T1547.009] 
External Remote Services [T1133]  Hijack Execution Flow: DLL Search Order Hijacking [T1574.001] 
Scheduled Task/Job: Cron [T1053.003]   Hijack Execution Flow: DLL Side-Loading [T1574.002] 
Account Manipulation [T1098] Valid Accounts: Cloud Accounts [T1078.004]
Valid Accounts: Domain Accounts [T1078.002]  
Privilege Escalation (TA0004)
Scheduled Task/Job: At [T1053.002]  Create or Modify System Process: Windows Service [T1543.003] 
Scheduled Task/Job: Scheduled Task [T1053.005]   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] 
Process Injection: Thread Execution Hijacking [T1055.003]  Boot or Logon Autostart Execution: Shortcut Modification [T1547.009] 
Process Injection: Process Hollowing [T1055.012] Hijack Execution Flow: DLL Search Order Hijacking [T1574.001]
Valid Accounts: Domain Accounts [T1078.002] Exploitation for Privilege Escalation [T1068]
Access Token Manipulation: Token Impersonation/Theft [T1134.001] Event Triggered Execution: Unix Shell Configuration Modification [T1546.004]
Process Injection: Dynamic-link Library Injection [T1055.001] Valid Accounts: Domain Accounts [T1078.002]
Valid Accounts: Local Accounts [T1078.003]  
Defense Evasion (TA0005)
Rootkit [T1014]  Indirect Command Execution [T1202] 
Obfuscated Files or Information [T1027]   System Binary Proxy Execution: Mshta [T1218.005] 
Obfuscated Files or Information: Software Packing [T1027.002]  System Binary Proxy Execution: Regsvr32 [T1218.010] 
Obfuscated Files or Information: Steganography [T1027.003]  Subvert Trust Controls: Code Signing [T1553.002] 
Obfuscated Files or Information: Compile After Delivery [T1027.004]  File and Directory Permissions Modifications: Linux and Mac File and Directory Permissions Modification [T1222.002]  
Masquerading: Match Legitimate Name or Location [T1036.005]  Virtualisation/Sandbox Evasion: System Checks [T1497.001] 
Process Injection: Thread Execution Hijacking [T1055.003] Masquerading [T1036]
Reflective Code Loading [T1620] Impair Defences: Disable or Modify System Firewall [T1562.004] 
Process Injection: Process Hollowing [T1055.012]  Hide Artifacts: Hidden Files and Directories [T1564.001] 
Indicator Removal: File Deletion [T1070.004]   Hide Artifacts: Hidden Window [T1564.003]  
Indicator Removal: Timestomp [T1070.006]   Hijack Execution Flow: DLL Search Order Hijacking [T1574.001] 
Indicator Removal: Clear Windows Event Logs [T1070.001] Hijack Execution Flow: DLL Side-Loading [T1574.002] 
Modify Registry [T1112]  Web Service [T1102] 
Deobfuscate/Decode Files or Information [T1140]  Masquerading: Masquerade Task or Service [T1036.004]
Impair Defenses [T1562]  
Credential Access (TA0006)
OS Credential Dumping: LSASS Memory [T1003.001]   Unsecured Credentials: Credentials in Files [T1552.001]
OS Credential Dumping: NTDS [T1003.003]   Brute Force: Password Guessing [T1110.001]
Network Sniffing [T1040]  Forced Authentication [T1187]
Credentials from Password Stores: Keychain [T1555.001] Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003] 
Input Capture: Keylogging [T1056.001]  Multi-Factor Authentication Interception [T1111]
Steal Web Session Cookie [T1539]  Steal Application Access Token [T1528]
Exploitation for Credential Access [T1212] Brute Force: Password Cracking [T1110.002]
Input Capture: Web Portal Capture [T1056.003] OS Credential Dumping: DCSync [T1003.006]
Credentials from Password Stores [T1555]  Credentials from Password Stores: Credentials from Web Browsers [T1555.003]
Discovery (TA0007)
System Service Discovery [T1007]  System Information Discovery [T1082]  
Application Window Discovery [T1010]   Account Discovery: Local Account [T1087.001]  
Query Registry [T1012]  System Information Discovery, Technique T1082 – Enterprise | MITRE ATT&CK®
File and Directory Discovery [T1083] System Time Discovery [T1124] 
Network Service Discovery [T1046]  System Owner/User Discovery [T1033] 
Remote System Discovery [T1018]  Domain Trust Discovery [T1482] 
Account Discovery: Email Account [T1087.003] Account Discovery: Domain Account [T1087.002]
System Network Connections Discovery [T1049]  Virtualisation/Sandbox Evasion: System Checks [T1497.001] 
Process Discovery [T1057]  Software Discovery [T1518] 
Permission Groups Discovery: Domain Groups [T1069.002]  Network Share Discovery, Technique T1135 – Enterprise | MITRE ATT&CK®
System Network Configuration Discovery: Internet Connection Discovery [T1016.001]  
Lateral Movement (TA0008)
Remote Services: Remote Desktop Protocol [T1021.001]  Remote Services [T1021]
Remote Services: SMB/Windows Admin Shares [T1021.002]  Use Alternate Authentication Material: Pass the Ticket [T1550.003]
Remote Services: Windows Remote Management [T1021.006]  Lateral Tool Transfer [T1570] 
Collection (TA0009)
Data from Local System [T1005]  Archive Collected Data: Archive via Library [T1560.002]
Data from Network Shared Drive [T1039]   Email Collection: Remote Email Collection [T1114.002] 
Input Capture: Keylogging [T1056.001]  Clipboard Data [T1115] 
Automated Collection [T1119] Data from Information Repositories [T1213]
Input Capture: Web Portal Capture [T1056.003] Data Staged: Remote Data Staging [T1074.002] 
Data Staged: Local Data Staging [T1074.001]  Archive Collected Data [T1560]
Email Collection [T1114]  
Exfiltration (TA0010)
Exfiltration Over C2 Channel [T1041]   Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [T1048.002]
Exfiltration Over Alternative Protocol [T1048]  Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Command and Control (TA0011)
Data Obfuscation: Protocol Impersonation [T1001.003]  Web Service: Dead Drop Resolver [T1102.001]  
Commonly Used Port [T1043]  Web Service: One-way Communication [T1102.003]
Application Layer Protocol: Web Protocols [T1071.001]  Ingress Tool Transfer [T1105] 
Application Layer Protocol: File Transfer Protocols [T1071.002] Proxy: Internal Proxy [T1090.001]
Proxy: External Proxy [T1090.002]  Non-Standard Port [T1571] 
Proxy: Multi-hop Proxy [T1090.003]  Protocol Tunnelling [T1572] 
Web Service: Bidirectional Communication [T1102.002]  Encrypted Channel [T1573] 
Encrypted Channel: Asymmetric Cryptography [T1573.002] Ingress Tool Transfer [T1105]
Proxy, Technique T1090 – Enterprise | MITRE ATT&CK®  
Impact (TA0040)
Service Stop [T1489]  Disk Wipe [T1561]
System Shutdown/Reboot [T1529]  Resource Hijacking [T1496] 

Notes

Source…

#StopRansomware: Black Basta | CISA


SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Initial Access

Black Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.[1]

Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].

Discovery and Execution

Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C:\ [T1036].[1]

Lateral Movement

Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to assist with remote access and lateral movement.

Privilege Escalation and Lateral Movement

Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472, [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527, [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1],[2]

Exfiltration and Encryption

Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files [T1486]. A .basta or otherwise random file extension is added to file names and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies [T1490].[5]

Leveraged Tools

See Table 1 for publicly available tools and applications used by Black Basta affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by Black Basta Affiliates
Tool Name Description
BITSAdmin A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
Cobalt Strike A penetration testing tool used by security professions to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.
Mimikatz A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.
PSExec A tool designed to run programs and execute commands on remote systems.
PowerShell A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone A command line program used to sync files with cloud storage services such as Mega.
SoftPerfect A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters. 
ScreenConnect Remote support, access, and meeting software that allows users to control devices remotely over the internet.
Splashtop Remote desktop software that allows remote access to devices for support, access, and collaboration.
WinSCP Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Black Basta affiliates have used it to transfer data from a compromised network to actor-controlled accounts.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.

Table 2: Black Basta ATT&CK Techniques for Initial Access
Technique Title ID Use
Phishing T1566 Black Basta affiliates have used spearphishing emails to obtain initial access.
Exploit Public-Facing Application T1190 Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.
Table 3: Black Basta ATT&CK Techniques for Privilege Escalation
Technique Title ID Use
Exploitation for Privilege Escalation T1068 Black Basta affiliates have used credential scraping tools like Mimikatz, Zerologon, NoPac and PrintNightmare for privilege escalation.
Table 4: Black Basta ATT&CK Techniques for Defense Evasion
Technique Title ID Use
Masquerading T1036 Black Basta affiliates have conducted reconnaissance using utilities with innocuous file names, such as Intel or Dell, to evade detection.
Impair Defenses: Disable or Modify Tools T1562.001

Black Basta affiliates have deployed a tool called Backstab to disable endpoint detection and response (EDR) tooling.

Black Basta affiliates have used PowerShell to disable antivirus products.

Table 5: Black Basta ATT&CK Techniques for Execution
Technique Title ID Use
Command and Scripting Interpreter: PowerShell T1059.001 Black Basta affiliates have used PowerShell to disable antivirus products.
Table 6: Black Basta ATT&CK Techniques for Impact
Technique Title ID Use
Inhibit System Recovery T1490 Black Basta affiliates have used the vssadmin.exe program to delete shadow copies. 
Data Encrypted for Impact T1486 Black Basta affiliates have used a public key to fully encrypt files. 

 

INDICATORS OF COMPROMISE

See Table 7 for IOCs obtained from FBI investigations.

Table 7: Malicious Files Associated with Black Basta Ransomware
Hash Description
0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298 rclone.exe
d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e Winscp.exe
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc DLL
58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd DLL
39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead DLL
5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221 DLL
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e DLL
d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1 DLL
5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43 DLL
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431 DLL
a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6 DLL
86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737 DLL
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799 DLL
96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be ELF
1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779 ELF
360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98 ELF
0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a EXE
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc EXE
62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087 EXE
7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59 EXE
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd EXE
90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7 EXE
fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08 EXE
acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f EXE
d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d EXE
f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4 EXE
723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224 EXE
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e EXE
fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f EXE
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415 EXE
462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7 EXE
3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a EXE
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa EXE
37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004 EXE
3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35 EXE
17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20 EXE
42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78 EXE
882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3 EXE
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757 EXE
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e EXE
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944 EXE
3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a EXE
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 EXE
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9 EXE

See Tables 8–11 for IOCs obtained from trusted third-party reporting.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.

Table 8: Network Indicators
IP Address Description
66.249.66[.]18 0gpw.588027fa.dns.realbumblebee[.]net, dns.trailshop[.]net, dns.artspathgroupe[.]net
66.249.66[.]18 my.2a91c002002.588027fa.dns.realbumblebee[.]net
66.249.66[.]18 fy9.39d9030e5d3a8e2352daae2f4cd3c417b36f64c6644a783b9629147a1.afd8b8a4615358e0313bad8c544a1af0d8efcec0e8056c2c8eee96c7.b06d1825c0247387e38851b06be0272b0bd619b7c9636bc17b09aa70.a46890f27.588027fa.dns.realbumblebee[.]net
95.181.173[.]227 adslsdfdsfmo[.]world
  fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee[.]net
207.126.152[.]242 xkpal.d6597fa.dns.blocktoday.net
nuher.3577125d2a75f6a277fc5714ff536c5c6af5283d928a66daad6825b9a.7aaf8bba88534e88ec89251c57b01b322c7f52c7f1a5338930ae2a50.cbb47411f60fe58f76cf79d300c03bdecfb9e83379f59d80b8494951.e10c20f77.7fcc0eb6.dns.blocktoday[.]net
72.14.196[.]50 .rasapool[.]net, dns.trailshop[.]net
72.14.196[.]192 .rasapool[.]net
72.14.196[.]2 .rasapool[.]net
72.14.196[.]226 .rasapool[.]net
46.161.27[.]151  
207.126.152[.]242 nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills[.]com
185.219.221[.]136  
64.176.219[.]106  
5.78.115[.]67 your-server[.]de
207.126.152[.]242 xkpal.1a4a64b6.dns.blocktoday[.]net
46.8.16[.]77  
185.7.214[.]79 VPN Server
185.220.100[.]240 Tor exit
107.189.30[.]69 Tor exit
5.183.130[.]92  
185.220.101[.]149 Tor exit
188.130.218[.]39  
188.130.137[.]181  
46.8.10[.]134  
155.138.246[.]122  
80.239.207[.]200 winklen[.]ch
183.181.86[.]147 Xserver[.]jp
34.149.120[.]3  
104.21.40[.]72  
34.250.161[.]149  
88.198.198[.]90 your-server[.]de; literoved[.]ru
151.101.130[.]159  
35.244.153[.]44  
35.212.86[.]55  
34.251.163[.]236  
34.160.81[.]203  
34.149.36[.]179  
104.21.26[.]145  
83.243.40[.]10  
35.227.194[.]51  
35.190.31[.]54  
34.120.190[.]48  
116.203.186[.]178  
34.160.17[.]71  
Table 9: File Indicators
Filename Hash
C:\Users\Public\Audio\Jun.exe b6a4f4097367d9c124f51154d8750ea036a812d5badde0baf9c5f183bb53dd24
C:\Users\Public\Audio\esx.zip  
C:\Users\Public\Audio\7zG.exe f21240e0bf9f0a391d514e34d4fa24ecb997d939379d2260ebce7c693e55f061
C:\Users\Public\Audio\7z.dll  
C:\Users\Public\db_Usr.sql 8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6
C:\Users\Public\Audio\db_Usr.sql  
C:\Users\Public\Audio\hv2.ps1  
C:\Users\Public\7zG.exe  
C:\Users\Public\7z.dll  
C:\Users\Public\BitLogic.dll  
C:\Users\Public\NetApp.exe 4c897334e6391e7a2fa3cbcbf773d5a4
C:\Users\Public\DataSoft.exe 2642ec377c0cee3235571832cb472870
C:\Users\Public\BitData.exe b3fe23dd4701ed00d79c03043b0b952e
C:\Users\Public\DigitalText.dll  
C:\Users\Public\GeniusMesh.exe  
\Device\Mup\{redacted}\C$\Users\Public\Music\PROCEXP.sys  
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse86.exe  
\Device\Mup\{redacted}\C$\Users\Public\Music\POSTDump.exe  
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse.exe  
C:\Users\Public\socksps.ps1  
C:\Users\Public\Thief.exe 034b5fe047920b2ae9493451623633b14a85176f5eea0c7aadc110ea1730ee79

C:\Users\All Users\{redacted}\GWT.ps1

C:\Program Files\MonitorIT\GWT.ps1

8C68B2A794BA3D148CAE91BDF9C8D357289752A94118B5558418A36D95A5A45F

Winx86.exe 

Comment: alias for cmd.exe

 
C:\Users\Public\eucr.exe 3c65da7f7bfdaf9acc6445abbedd9c4e927d37bb9e3629f34afc338058680407
C:\Windows\DS_c1.dll 808c96cb90b7de7792a827c6946ff48123802959635a23bf9d98478ae6a259f9
C:\Windows\DS_c1.dll 3a8fc07cadc08eeb8be342452636a754158403c3d4ebff379a4ae66f8298d9a6
C:\Windows\DS_c1.dll 4ac69411ed124da06ad66ee8bfbcea2f593b5b199a2c38496e1ee24f9d04f34a
C:\Windows\DS_c1.dll 819cb9bcf62be7666db5666a693524070b0df589c58309b067191b30480b0c3a
C:\Windows\DS_c1.dll c26a5cb62a78c467cc6b6867c7093fbb7b1a96d92121d4d6c3f0557ef9c881e0
C:\Windows\DS_c1.dll d503090431fdd99c9df3451d9b73c5737c79eda6eb80c148b8dc71e84623401f
*\instructions_read_me.txt  
Table 10: Known Black Basta Cobalt Strike Domains
Domain Date/Time (UTC)/Time (UTC)
trailshop[.]net 5/8/2024 6:37
realbumblebee[.]net 5/8/2024 6:37
recentbee[.]net 5/8/2024 6:37
investrealtydom[.]net 5/8/2024 6:37
webnubee[.]com 5/8/2024 6:37
artspathgroup[.]net 5/8/2024 6:37
buyblocknow[.]com 5/8/2024 6:37
currentbee[.]net 5/8/2024 6:37
modernbeem[.]net 5/8/2024 6:37
startupbusiness24[.]net 5/8/2024 6:37
magentoengineers[.]com 5/8/2024 6:37
childrensdolls[.]com 5/8/2024 6:37
myfinancialexperts[.]com 5/8/2024 6:37
limitedtoday[.]com 5/8/2024 6:37
kekeoamigo[.]com 5/8/2024 6:37
nebraska-lawyers[.]com 5/8/2024 6:37
tomlawcenter[.]com 5/8/2024 6:37
thesmartcloudusa[.]com 5/8/2024 6:37
rasapool[.]net 5/8/2024 6:37
artspathgroupe[.]net 5/8/2024 6:37
specialdrills[.]com 5/8/2024 6:37
thetrailbig[.]net 5/8/2024 6:37
consulheartinc[.]com 3/22/2024 15:35
otxcosmeticscare[.]com 3/15/2024 10:14
otxcarecosmetics[.]com 3/15/2024 10:14
artstrailman[.]com 3/15/2024 10:14
ontexcare[.]com 3/15/2024 10:14
trackgroup[.]net 3/15/2024 10:14
businessprofessionalllc[.]com 3/15/2024 10:14
securecloudmanage[.]com 3/7/2024 10:42
oneblackwood[.]com 3/7/2024 10:42
buygreenstudio[.]com 3/7/2024 10:42
startupbuss[.]com 3/7/2024 10:42
onedogsclub[.]com 3/4/2024 18:26
wipresolutions[.]com 3/4/2024 18:26
recentbeelive[.]com 3/4/2024 18:26
trailcocompany[.]com 3/4/2024 18:26
trailcosolutions[.]com 3/4/2024 18:26
artstrailreviews[.]com 3/4/2024 18:26
usaglobalnews[.]com 2/15/2024 5:56
topglobaltv[.]com 2/15/2024 5:56
startupmartec[.]net 2/15/2024 5:56
technologgies[.]com 1/2/2024 18:16
jenshol[.]com 1/2/2024 18:16
simorten[.]com 1/2/2024 18:16
investmentgblog[.]net 1/2/2024 18:16
protectionek[.]com 1/2/2024 18:16
Table 11: Suspected Black Basta Domains
airbusco[.]net
allcompanycenter[.]com
animalsfast[.]net
audsystemecll[.]net
auuditoe[.]com
bluenetworking[.]net
brendonline[.]com
businesforhome[.]com
caspercan[.]com
clearsystemwo[.]net
cloudworldst[.]net
constrtionfirst[.]com
erihudeg[.]com
garbagemoval[.]com
gartenlofti[.]com
getfnewsolutions[.]com
getfnewssolutions[.]com
investmendvisor[.]net
investmentrealtyhp[.]net
ionoslaba[.]com
jessvisser[.]com
karmafisker[.]com
kolinileas[.]com
maluisepaul[.]com
masterunix[.]net
monitor-websystem[.]net
monitorsystem[.]net
mytrailinvest[.]net
prettyanimals[.]net
reelsysmoona[.]net
seohomee[.]com
septcntr[.]com
softradar[.]net
startupbizaud[.]net
startuptechnologyw[.]net
steamteamdev[.]net
stockinvestlab[.]net
taskthebox[.]net
trailgroupl[.]net
treeauwin[.]net
unitedfrom[.]com
unougn[.]com
wardeli[.]com
welausystem[.]net
wellsystemte[.]net
withclier[.]com

MITIGATIONS

The authoring organizations recommend all critical infrastructure organizations implement the mitigations below to improve your organization’s cybersecurity posture based on Black Basta’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

The authoring organizations also recommend network defenders of HPH Sector and other critical infrastructure organizations to reference CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector and HHS’s HPH Cybersecurity Performance Goals, which provide best practices to combat pervasive cyber threats against organizations. Recommendations include the following:

  • Asset Management and Security: Cybersecurity professionals should identify and understand all relationships or interdependencies, functionality of each asset, what it exposes, and what software is running to ensure critical data and systems are protected appropriately. HPH Sector organizations should ensure electronic PHI (ePHI) is protected and compliant with the Health Insurance Portability and Accountability Act (HIPAA). Organizations can complete asset inventories using active scans, passive processes, or a combination of both techniques.
  • Email Security and Phishing Prevention: Organizations should install modern anti-malware software and automatically update signatures where possible. For additional guidance, see CISA’s Enhance Email and Web Security Guide.
    • Check for embedded or spoofed hyperlinks: Validate the URL of the link matches the text of the link itself. This can be achieved by hovering your cursor over the link to view the URL of the website to be accessed.
  • Access Management: Phishing-resistant MFA completes the same process but removes ‘people’ from the equation to help thwart social engineering scams and targeted phishing attacks that may have been successful using traditional MFA. The two main forms of phishing-resistant MFA are FIDO/Web Authentication (WebAuthn) authentication and Public Key Infrastructure (PKI)-based authentication. Prioritize phishing-resistant MFA on accounts with the highest risk, such as privileged administrative accounts on key assets. For additional information on phishing-resistant MFA, see CISA’s Implementing Phishing-Resistant MFA Guide.
  • Vulnerability Management and Assessment: Once vulnerabilities are identified across your environment, evaluate and prioritize to appropriately deal with the posed risks according to your organization’s risk strategy. To assist with prioritization, it is essential to:
    • Map your assets to business-critical functions. For vulnerability remediation, prioritize assets that are most critical for ongoing operations or which, if affected, could impact your organization’s business continuity, sensitive PII (or PHI) security, reputation, or financial position.
    • Use threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat actors. To assist, leverage CISA’s KEV Catalog and other threat intelligence feeds.
    • Leverage prioritization methodologies, ratings, and scores. The Common Vulnerability Scoring System (CVSS) assesses the technical severity of vulnerabilities. The Exploit Prediction Scoring System (EPSS) measures the likelihood of exploitation and can help with deciding which vulnerabilities to prioritize. CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) methodology leverages decision trees to prioritize relevant vulnerabilities into four decisions, Track, Track*, Attend, and Act based on exploitation status, technical impact, mission prevalence, and impacts to safety and public-wellbeing.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 2-6).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

  1. SentinelOne: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
  2. Trend Micro: Ransomware Spotlight – Black Basta
  3. Kroll: Black Basta – Technical Analysis
  4. Who Is Black Basta? (blackberry.com)
  5. Palo Alto Networks: Threat Assessment – Black Basta Ransomware

REPORTING

Your organization has no obligation to respond or provide information back to FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

FBI, CISA, and HHS do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center ([email protected] or by calling 1-844-Say-CISA [1-844-729-2472]).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, HHS, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, HHS, and MS-ISAC.

VERSION HISTORY

May 10, 2024: Initial version.

Source…

#StopRansomware: Akira Ransomware | CISA


SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.

Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension.  Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.

The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Initial Access

The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured[1], mostly using known Cisco vulnerabilities [T1190CVE-2020-3259 and CVE-2023-20269.[2],[3],[4] Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP) [T1133], spear phishing [T1566.001][T1566.002], and the abuse of valid credentials[T1078].[4]

Persistence and Discovery

Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts [T1136.002] to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named itadm.

According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting[5], to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS) [T1003.001].[6] Akira threat actors also use credential scraping tools [T1003] like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes [T1016] and net Windows commands are used to identify domain controllers [T1018] and gather information on domain trust relationships [T1482].

See Table 1 for a descriptive listing of these tools.

Defense Evasion

Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”).

As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver[4] and terminate antivirus-related processes [T1562.001].

Exfiltration and Impact

Akira threat actors leverage tools such as FileZilla, WinRAR [T1560.001], WinSCP, and RClone to exfiltrate data [T1048]. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega [T1537] to connect to exfiltration servers.

Akira threat actors use a double-extortion model [T1657] and encrypt systems [T1486] after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.

Encryption

Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange [T1486]. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. To further inhibit system recovery, Akira’s encryptor (w.exe) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems [T1490]. Additionally, a ransom note named fn.txt appears in both the root directory (C:) and each users’ home directory (C:\Users).

Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it’s written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:

  • -p --encryption_path (targeted file/folder paths)
  • -s --share_file (targeted network drive path)
  • -n --encryption_percent (percentage of encryption)
  • --fork (create a child process for encryption

The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis. The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using “vmonly” and the ability to stop running virtual machines with “stopvm” functionalities have also been observed implemented for Akira_v2. After encryption, the Linux ESXi variant may include the file extension “akiranew” or add a ransom note named “akiranew.txt” in directories where files were encrypted with the new nomenclature.

Leveraged Tools

Table 1 lists publicly available tools and applications Akira threat actors have used, including legitimate tools repurposed for their operations. Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Leveraged by Akira Ransomware Actors
Name Description
AdFind AdFind.exe is used to query and retrieve information from Active Directory.
Advanced IP Scanner A network scanner is used to locate all the computers on a network and conduct a scan of their ports. The program shows all network devices, gives access to shared folders, and provides remote control of computers (via RDP and Radmin).
AnyDesk A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.
LaZagne Allows users to recover stored passwords on Windows, Linux, and OSX systems.
PCHunter64 A tool used to acquire detailed process and system information [T1082].[7]
PowerShell A cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
Mimikatz Allows users to view and save authentication credentials such as Kerberos tickets.
Ngrok A reverse proxy tool [T1090] used to create a secure tunnel to servers behind firewalls or local machines without a public IP address.
RClone A command line program used to sync files with cloud storage services [T1567.002] such as Mega.
SoftPerfect A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.
WinRAR Used to split compromised data into segments and to compress [T1560.001] files into .RAR format for exfiltration.
WinSCP Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Akira threat actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.

Indicators of Compromise

Disclaimer: Investigation or vetting of these indicators is recommended prior to taking action, such as blocking.

Table 2a: Malicious Files Affiliated with Akira Ransomware
File Name Hash (SHA-256) Description
w.exe d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca Akira ransomware
Win.exe dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e Akira ransomware encryptor
AnyDesk.exe bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 Remote desktop application
Gcapi.dll 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf DLL file that assists with the execution of AnyDesk.exe
Sysmon.exe 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386 Ngrok tool for persistence
Config.yml Varies by use Ngrok configuration file
Rclone.exe aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 Exfiltration tool
Winscp.rnd 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4 Network file transfer program
WinSCP-6.1.2-Setup.exe 36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c Network file transfer program
Akira_v2

3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75

0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c

Akira_v2 ransomware
Megazord

ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc

dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198

131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07

9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c

9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065

2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83

7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be

95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a

0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d

C9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0

Akira “Megazord” ransomware
VeeamHax.exe aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d Plaintext credential leaking tool
Veeam-Get-Creds.ps1 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88 PowerShell script for obtaining and decrypting accounts from Veeam servers
PowershellKerberos TicketDumper 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 Kerberos ticket dumping tool from LSA cache
sshd.exe 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 OpenSSH Backdoor
sshd.exe 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 OpenSSH Backdoor
ipscan-3.9.1-setup.exe 892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0 Network scanner that scans IP addresses and ports
Table 2b: Malicious Files Affiliated with Akira Ransomware
File Name Hash (MD5) Description
winrar-x64-623.exe 7a647af3c112ad805296a22b2a276e7c Network file transfer program
Table 3a: Commands Affiliated with Akira Ransomware
Persistence and Discovery
nltest /dclist: [T1018]
nltest /DOMAIN_TRUSTS [T1482]
net group “Domain admins” /dom [T1069.002]
net localgroup “Administrators” /dom [T1069.001]
tasklist [T1057]
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full [T1003.001]
Table 3b: Commands Affiliated with Akira Ransomware
Credential Access

cmd.exe /Q /c esentutl.exe /y

“C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db” /d

“C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db.tmp”

Note: Used for accessing Firefox data.

Table 3c: Commands Affiliated with Akira Ransomware
Impact
powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject” [T1490]

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4 -12 for all referenced Akira threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Initial Access
Technique Title ID Use
Valid Accounts T1078 Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit Public Facing Application T1190 Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems.
External Remote Services T1133 Akira threat actors have used remote access services, such as RDP/VPN connection to gain initial access.
Phishing: Spearphishing Attachment  T1566.001 Akira threat actors use phishing emails with malicious attachments to gain access to networks.
Phishing: Spearphishing Link  T1566.002 Akira threat actors use phishing emails with malicious links to gain access to networks. 
Table 5: Credential Access
Technique Title ID Use
OS Credential Dumping T1003 Akira threat actors use tools like Mimikatz and LaZagne to dump credentials.

OS Credential Dumping:

LSASS Memory

T1003.001 Akira threat actors attempt to access credential material stored in the process memory of the LSASS.
Table 6: Discovery
Technique Title ID Use
System Network Configuration Discovery  T1016 Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure.
System Information Discovery T1082 Akira threat actors use tools like PCHunter64 to acquire detailed process and system information.
Domain Trust Discovery T1482 Akira threat actors use the net Windows command to enumerate domain information.
Process Discovery T1057 Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell.
Permission Groups Discovery: Local Groups T1069.001 Akira threat actors use the net localgroup /dom to find local system groups and permission settings.
Permission Groups Discovery: Domain Groups  T1069.002 Akira threat actors use the net group /domain command to attempt to find domain level groups and permission settings.
Remote System Discovery T1018 Akira threat actors use nltest / dclist to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network.
Table 7: Persistence
Technique Title ID Use
Create Account: Domain Account T1136.002 Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence.
Table 8: Defense Evasion
Technique Title ID Use
Impair Defenses: Disable or Modify Tools T1562.001 Akira threat actors use BYOVD attacks to disable antivirus software.
Table 9: Command and Control
Technique Title ID Use
Remote Access Software T1219 Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems.
Proxy T1090 Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data. 
Table 10: Collection
Technique Title ID Use
Archive Collected Data: Archive via Utility T1560.001 Akira threat actors use tools like WinRAR to compress files.
Table 11: Exfiltration
Technique Title ID Use
Exfiltration Over Alternative Protocol T1048 Akira threat actors use file transfer tools like WinSCP to transfer data.
Transfer Data to Cloud Account T1537 Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfil servers they control.
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data. 
Table 12: Impact
Technique Title ID Use
Date Encrypted for Impact T1486 Akira threat actors encrypt data on target systems to interrupt availability to system and network resources.
Inhibit System Recovery T1490 Akira threat actors delete volume shadow copies on Windows systems.
Financial Theft T1657 Akira threat actors use a double-extortion model for financial gain.

MITIGATIONS

Network Defenders

The FBI, CISA, EC3, and NCSC-NL recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the risk of compromise by Akira ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, 2.R, 2.S].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems. [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  • Disable unused ports [CPG 2.V].
  • Consider adding an email banner to emails received from outside of your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N].
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure they will not be severely interrupted, and/or only have irretrievable data. 
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, EC3, and NCSC-NL recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, EC3 and NCSC-NL recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4 -12).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REFERENCES

  1. Fortinet: Ransomware Roundup – Akira
  2. Cisco: Akira Ransomware Targeting VPNs without MFA
  3. Truesec: Indications of Akira Ransomware Group Actively Exploiting Cisco AnyConnect CVE-2020-3259
  4. TrendMicro: Akira Ransomware Spotlight
  5. CrowdStrike: What is a Kerberoasting Attack?
  6. Sophos: Akira, again: The ransomware that keeps on taking
  7. Sophos: Akira Ransomware is “bringin’ 1988 back”

REPORTING

Your organization has no obligation to respond or provide information back to the FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Akira threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The FBI, CISA, EC3, and NCSC-NL do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center ([email protected] or (888) 282-0870).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, EC3, and NCSC-NL do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI or CISA.

ACKNOWLEDGEMENTS

Cisco and Sophos contributed to this advisory.

VERSION HISTORY

April 18, 2024: Initial version.

Source…