CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks

/in


SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessmentin coordination with the assessed organizationto provide network defenders recommendations for improving their organization’s cyber posture.

Actions to take today to harden your local environment:

  • Establish a security baseline of normal network activity; tune network and host-based appliances to detect anomalous behavior.
  • Conduct regular assessments to ensure appropriate procedures are created and can be followed by security staff and end users.
  • Enforce phishing-resistant MFA to the greatest extent possible.

In 2022, CISA conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBSs within the assessment period.

Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response.

CISA is releasing this CSA detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors. This CSA highlights the importance of collecting and monitoring logs for unusual activity as well as continuous testing and exercises to ensure your organization’s environment is not vulnerable to compromise, regardless of the maturity of its cyber posture.

CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA—including conduct regular testing within their security operations center—to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the appendix for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques.

Introduction

CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to Federal and non-Federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6].) After receiving a request for a red team assessment (RTA) from an organization and coordinating some high-level details of the engagement with certain personnel at the organization, CISA conducted the RTA over a three-month period in 2022.

During RTAs, a CISA red team emulates cyber threat actors to assess an organization’s cyber detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network while avoiding detection and evading defenses. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, or technology.

The “victim” for this assessment was a large organization with multiple geographically separated sites throughout the United States. For this assessment, the red team’s goal during Phase I was to gain access to certain sensitive business systems (SBSs).

Phase I: Red Team Cyber Threat Activity
Overview

The organization’s network was segmented with both logical and geographical boundaries. CISA’s red team gained initial access to two organization workstations at separate sites via spearphishing emails. After gaining access and leveraging Active Directory (AD) data, the team gained persistent access to a third host via spearphishing emails. From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC). They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server. The team used this root access to move laterally to SBS-connected workstations. However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS.

Initial Access and Active Directory Discovery

The CISA red team gained initial access [TA0001] to two workstations at geographically separated sites (Site 1 and Site 2) via spearphishing emails. The team first conducted open-source research [TA0043] to identify potential targets for spearphishing. Specifically, the team looked for email addresses [T1589.002] as well as names [T1589.003] that could be used to derive email addresses based on the team’s identification of the email naming scheme. The red team sent tailored spearphishing emails to seven targets using commercially available email platforms [T1585.002]. The team used the logging and tracking features of one of the platforms to analyze the organization’s email filtering defenses and confirm the emails had reached the target’s inbox.

The team built a rapport with some targeted individuals through emails, eventually leading these individuals to accept a virtual meeting invite. The meeting invite took them to a red team-controlled domain [T1566.002] with a button, which, when clicked, downloaded a “malicious” ISO file [T1204]. After the download, another button appeared, which, when clicked, executed the file.

Two of the seven targets responded to the phishing attempt, giving the red team access to a workstation at Site 1 (Workstation 1) and a workstation at Site 2. On Workstation 1, the team leveraged a modified SharpHound collector, ldapsearch, and command-line tool, dsquery, to query and scrape AD information, including AD users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACLs), organizational units (OU), and group policy objects (GPOs) [T1615]. Note: SharpHound is a BloodHound collector, an open-source AD reconnaissance tool. Bloodhound has multiple collectors that assist with information querying.

There were 52 hosts in the AD that had Unconstrained Delegation enabled and a lastlogon timestamp within 30 days of the query. Hosts with Unconstrained Delegation enabled store Kerberos ticket-granting tickets (TGTs) of all users that have authenticated to that host. Many of these hosts, including a Site 1 SharePoint server, were Windows Server 2012R2. The default configuration of Windows Server 2012R2 allows unprivileged users to query group membership of local administrator groups.

The red team queried parsed Bloodhound data for members of the SharePoint admin group and identified several standard user accounts with administrative access. The team initiated a second spearphishing campaign, similar to the first, to target these users. One user triggered the red team’s payload, which led to installation of a persistent beacon on the user’s workstation (Workstation 2), giving the team persistent access to Workstation 2.

Lateral Movement, Credential Access, and Persistence

The red team moved laterally [TA0008] from Workstation 2 to the Site 1 SharePoint server and had SYSTEM level access to the Site 1 SharePoint server, which had Unconstrained Delegation enabled. They used this access to obtain the cached credentials of all logged-in users—including the New Technology Local Area Network Manager (NTLM) hash for the SharePoint server account. To obtain the credentials, the team took a snapshot of lsass.exe [T1003.001] with a tool called nanodump, exported the output, and processed the output offline with Mimikatz.

The team then exploited the Unconstrained Delegation misconfiguration to perform an NTLM-relay attack and steal the DC’s TGT. Specifically, the team used the Sharepoint server’s machine NTLM hash and DFSCoerce’s python script (DFSCoerce.py) to prompt DC authentication to the server, and they captured the incoming DC TGT using Rubeus [T1550.002], [T1557.001]. (DFSCoerce is used for NTLM relay attacks; it abuses Microsoft’s Distributed File System [MS-DFSNM] protocol to relay authentication against an arbitrary server.[1])

The team then used the TGT to harvest advanced encryption standard (AES)-256 hashes via DCSync [T1003.006] for the krbtgt account and several privileged accounts—including domain admins, workstation admins, and a system center configuration management (SCCM) service account (SCCM Account 1). The team used the krbtgt account hash throughout the rest of their assessment to perform golden ticket attacks [T1558.001] in which they forged legitimate TGTs. The team also used the asktgt command to impersonate accounts they had credentials for by requesting account TGTs [T1550.003].

The team first impersonated the SCCM Account 1 and moved laterally to a Site 1 SCCM distribution point (DP) server (SCCM Server 1) that had direct network access to Workstation 2. The team then moved from SCCM Server 1 to a central SCCM server (SCCM Server 2) at a third site (Site 3). Specifically, the team:

  1. Queried the AD using Lightweight Directory Access Protocol (LDAP) for information about the network’s sites and subnets [T1016]. This query revealed all organization sites and subnets broken down by classless inter-domain routing (CIDR) subnet and description.
  2. Used LDAP queries and domain name system (DNS) requests to identify recently active hosts.
  3. Listed existing network connections [T1049] on SCCM Server 1, which revealed an active Server Message Block (SMB) connection from SCCM Server 2.
  4. Attempted to move laterally to the SCCM Server 2 via AppDomain hijacking, but the HTTPS beacon failed to call back.
  5. Attempted to move laterally with an SMB beacon [T1021.002], which was successful.

The team also moved from SCCM Server 1 to a Site 1 workstation (Workstation 3) that housed an active server administrator. The team impersonated an administrative service account via a golden ticket attack (from SCCM Server 1); the account had administrative privileges on Workstation 3. The user employed a KeePass password manager that the team was able to use to obtain passwords for other internal websites, a kernel-based virtual machine (KVM) server, virtual private network (VPN) endpoints, firewalls, and another KeePass database with credentials. The server administrator relied on a password manager, which stored credentials in a database file. The red team pulled the decryption key from memory using KeeThief and used it to unlock the database [T1555.005].

At the organization’s request, the red team confirmed that SCCM Server 2 provided access to the organization’s sites because firewall rules allowed SMB traffic to SCCM servers at all other sites.

The team moved laterally from SCCM Server 2 to an SCCM DP server at Site 5 and from the SCCM Server 1 to hosts at two other sites (Sites 4 and 6). The team installed persistent beacons at each of these sites. Site 5 was broken into a private and a public subnet and only DCs were able to cross that boundary. To move between the subnets, the team moved through DCs. Specifically, the team moved from the Site 5 SCCM DP server to a public DC; and then they moved from the public DC to the private DC. The team was then able to move from the private DC to workstations in the private subnet.

The team leveraged access available from SCCM 2 to move around the organization’s network for post-exploitation activities (See Post-Exploitation Activity section).

See Figure 1 for a timeline of the red team’s initial access and lateral movement showing key access points.

Figure 1: Red Team Cyber Threat Activity: Initial Access and Lateral Movement

While traversing the network, the team varied their lateral movement techniques to evade detection and because the organization had non-uniform firewalls between the sites and within the sites (within the sites, firewalls were configured by subnet). The team’s primary methods to move between sites were AppDomainManager hijacking and dynamic-link library (DLL) hijacking [T1574.001]. In some instances, they used Windows Management Instrumentation (WMI) Event Subscriptions [T1546.003].

The team impersonated several accounts to evade detection while moving. When possible, the team remotely enumerated the local administrators group on target hosts to find a valid user account. This technique relies on anonymous SMB pipe binds [T1071], which are disabled by default starting with Windows Server 2016. In other cases, the team attempted to determine valid accounts based on group name and purpose. If the team had previously acquired the credentials, they used asktgt to impersonate the account. If the team did not have the credentials, they used the golden ticket attack to forge the account.

Post-Exploitation Activity: Gaining Access to SBSs

With persistent, deep access established across the organization’s networks and subnetworks, the red team began post-exploitation activities and attempted to access SBSs. Trusted agents of the organization tasked the team with gaining access to two specialized servers (SBS 1 and SBS 2). The team achieved root access to three SBS-adjacent workstations but was unable to move laterally to the SBS servers:

  • Phase I ended before the team could implement a plan to move to SBS 1.
  • An MFA prompt blocked the team from moving to SBS 2, and Phase I ended before they could implement potential workarounds.

However, the team assesses that by using Secure Shell (SSH) session socket files (see below), they could have accessed any hosts available to the users whose workstations were compromised.

Plan for Potential Access to SBS 1

Conducting open-source research [1591.001], the team identified that SBS 1 and 2 assets and associated management/upkeep staff were located at Sites 5 and 6, respectively. Adding previously collected AD data to this discovery, the team was able to identify a specific SBS 1 admin account. The team planned to use the organization’s mobile device management (MDM) software to move laterally to the SBS 1 administrator’s workstation and, from there, pivot to SBS 1 assets.

The team identified the organization’s MDM vendor using open-source and AD information [T1590.006] and moved laterally to an MDM distribution point server at Site 5 (MDM DP 1). This server contained backups of the MDM MySQL database on its D: drive in the Backup directory. The backups included the encryption key needed to decrypt any encrypted values, such as SSH passwords [T1552]. The database backup identified both the user of the SBS 1 administrator account (USER 2) and the user’s workstation (Workstation 4), which the MDM software remotely administered.

The team moved laterally to an MDM server (MDM 1) at Site 3, searched files on the server, and found plaintext credentials [T1552.001] to an application programming interface (API) user account stored in PowerShell scripts. The team attempted to leverage these credentials to browse to the web login page of the MDM vendor but were unable to do so because the website directed to an organization-controlled single-sign on (SSO) authentication page.

The team gained root access to workstations connected to MDM 1—specifically, the team accessed Workstation 4—by:

  1. Selecting an MDM user from the plaintext credentials in PowerShell scripts on MDM 1.
  2. While in the MDM MySQL database,
    • Elevating the selected MDM user’s account privileges to administrator privileges, and
    • Modifying the user’s account by adding Create Policy and Delete Policy permissions [T1098], [T1548].
  3. Creating a policy via the MDM API [T1106], which instructed Workstation 4 to download and execute a payload to give the team interactive access as root to the workstation.
  4. Verifying their interactive access.
  5. Resetting permissions back to their original state by removing the policy via the MDM API and removing Create Policy and Delete Policy and administrator permissions and from the MDM user’s account.

While interacting with Workstation 4, the team found an open SSH socket file and a corresponding netstat connection to a host that the team identified as a bastion host from architecture documentation found on Workstation 4. The team planned to move from Workstation 4 to the bastion host to SBS 1. Note: A SSH socket file allows a user to open multiple SSH sessions through a single, already authenticated SSH connection without additional authentication.

The team could not take advantage of the open SSH socket. Instead, they searched through SBS 1 architecture diagrams and documentation on Workstation 4. They found a security operations (SecOps) network diagram detailing the network boundaries between Site 5 SecOps on-premises systems, Site 5 non-SecOps on-premises systems, and Site 5 SecOps cloud infrastructure. The documentation listed the SecOps cloud infrastructure IP ranges [T1580]. These “trusted” IP addresses were a public /16 subnet; the team was able to request a public IP in that range from the same cloud provider, and Workstation 4 made successful outbound SSH connections to this cloud infrastructure. The team intended to use that connection to reverse tunnel traffic back to the workstation and then access the bastion host via the open SSH socket file. However, Phase 1 ended before they were able to implement this plan.

Attempts to Access SBS 2

Conducting open-source research, the team identified an organizational branch [T1591] that likely had access to SBS 2. The team queried the AD to identify the branch’s users and administrators. The team gathered a list of potential accounts, from which they identified administrators, such as SYSTEMS ADMIN or DATA SYSTEMS ADMINISTRATOR, with technical roles. Using their access to the MDM MySQL database, the team queried potential targets to (1) determine the target’s last contact time with the MDM and (2) ensure any policy targeting the target’s workstation would run relatively quickly [T1596.005]. Using the same methodology as described by the steps in the Plan for Potential Access to SBS 1 section above, the team gained interactive root access to two Site 6 SBS 2-connected workstations: a software engineering workstation (Workstation 5) and a user administrator workstation (Workstation 6).

The Workstation 5 user had bash history files with what appeared to be SSH passwords mistyped into the bash prompt and saved in bash history [T1552.003]. The team then attempted to authenticate to SBS 2 using a similar tunnel setup as described in the Access to SBS 1 section above and the potential credentials from the user’s bash history file. However, this attempt was unsuccessful for unknown reasons.

On Workstation 6, the team found a .txt file containing plaintext credentials for the user. Using the pattern discovered in these credentials, the team was able to crack the user’s workstation account password [T1110.002]. The team also discovered potential passwords and SSH connection commands in the user’s bash history. Using a similar tunnel setup described above, the team attempted to log into SBS 2. However, a prompt for an MFA passcode blocked this attempt.

See figure 2 for a timeline of the team’s post exploitation activity that includes key points of access.

Figure 2: Red Team Cyber Threat Activity: Post Exploitation
Command and Control

The team used third-party owned and operated infrastructure and services [T1583] throughout their assessment, including in certain cases for command and control (C2) [TA0011]. These included:

  • Cobalt Strike and Merlin payloads for C2 throughout the assessment. Note: Merlin is a post-exploit tool that leverages HTTP protocols for C2 traffic.
    • The team maintained multiple Cobalt Strike servers hosted by a cloud vendor. They configured each server with a different domain and used the servers for communication with compromised hosts. These servers retained all assessment data.
  • Two commercially available cloud-computing platforms.
    • The team used these platforms to create flexible and dynamic redirect servers to send traffic to the team’s Cobalt Strike servers [T1090.002]. Redirecting servers make it difficult for defenders to attribute assessment activities to the backend team servers. The redirectors used HTTPS reverse proxies to redirect C2 traffic between the target organization’s network and the Cobalt Strike team servers [T1071.002]. The team encrypted all data in transit [T1573] using encryption keys stored on team’s Cobalt Strike servers.
  • A cloud service to rapidly change the IP address of the team’s redirecting servers in the event of detection and eradication.
  • Content delivery network (CDN) services to further obfuscate some of the team’s C2 traffic.
    • This technique leverages CDNs associated with high-reputation domains so that the malicious traffic appears to be directed towards a reputation domain but is actually redirected to the red team-controlled Cobalt Strike servers.
    • The team used domain fronting [T1090.004] to disguise outbound traffic in order to diversify the domains with which the persistent beacons were communicating. This technique, which also leverages CDNs, allows the beacon to appear to connect to third-party domains, such as nytimes.com, when it is actually connecting to the team’s redirect server.
Phase II: Red Team Measurable Events Activity

The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. See Table 1 for a description of the events, the expected network defender activity, and the organization’s actual response.

Table 1: Measurable Events

Measurable Event

Description

MITRE ATT&CK Technique(s)

Expected Detection Points

Expected Network Defender Reactions

Reported Reactions

Internal Port Scan

Launch scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s).
  • Network Service Discovery [T1046]
  • Network Monitoring and Analysis Tools
  • Intrusion Detection or Prevention Systems
  • Endpoint Protection Platform
  • Detect target hosts and ports
  • Identify associated scanning process
  • Analyze scanning host once detected
  • Develop response plan

None

 

Comprehensive Active Directory and Host Enumeration

Perform AD enumeration by querying all domain objects from the DC; and enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer (Workstation and Server).
  • Domain Trust Discovery [T1482]
  • Account Discovery: Domain Account [T1087.002]
  • System Owner/User Discovery [T1033]
  • Remote System Discovery [T1018]
  • Network Monitoring and Analysis Tools
  • Intrusion Detection or Prevention Systems
  • Endpoint Protection Platform
  • Detect target hosts and ports
  • Identify associated scanning process
  • Analyze scanning host once detected
  • Develop response plan

Collection process stopped before completion. Host isolated and sent for forensics.

Data Exfiltration—1 GB of Data

Send a large amount (1 GB) of mock sensitive information to an external system over various protocols, including ICMP, DNS, FTP, and/or HTTP/S.
  • Exfiltration Over Alternative Protocol [T1048]
  • Network Monitoring and Analysis Tools
  • Intrusion Detection or Prevention Systems
  • Endpoint Protection Platform
  • Detect target hosts and ports
  • Identify associated scanning process
  • Analyze scanning host once detected
  • Develop response plan

None

Malicious Traffic Generation—Workstation to External Host

Establish a session that originates from a target Workstation system directly to an external host over a clear text protocol, such as HTTP.
  • Application Layer Protocol [T1071]
  • Intrusion Detection or Prevention Systems
  • Endpoint Protection Platform
  • Windows Event Logs
  • Detect and Identify source IP and source process of enumeration
  • Analyze scanning host once detected
  • Develop response plan

None

Active Directory Account Lockout

Lock out several administrative AD accounts
  • Account Access Removal [T1531]

 
  • Windows Event Logs
  • End User Reporting
  • Detect and Identify source IP and source process of exfiltration
  • Analyze host used for exfiltration once detected

Develop response plan

None

Local Admin User Account Creation (workstation)

Create a local administrator account on a target workstation system.
  • Create Account: Local Account [T1136.001]
  • Account Manipulation [T1098]
  • Intrusion Detection or Prevention Systems
  • Endpoint Protection Platform
  • Web Proxy Logs
  • Detect and identify source IP and source process of malicious traffic
  • Investigate destination IP address
  • Triage compromised host
  • Develop response plan

None

Local Admin User Account Creation (server)

Create a local administrator account on a target server system.
  • Create Account: Local Account [T1136.001]
  • Account Manipulation [T1098]
  • Detect account creation
  • Identify source of change
  • Verify change with system owner
  • Develop response plan

None

Active Directory Account Creation

Create AD accounts and add it to domain admins group
  • Create Account: Domain Account [T1136.002]
  • Account Manipulation [T1098]
  • Detect account creation
  • Identify source of change
  • Verify change with system owner
  • Develop response plan

None

Workstation Admin Lateral Movement—Workstation to Workstation

Use a previously compromised workstation admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on several target Workstations.

 
  • Valid Accounts: Domain Accounts [T1078.002]
  • Remote Services: SMB/Windows Admin Shares, Sub-technique [T1021.002]
  • Create or Modify System Process: Windows Service [T1543.003]
  • Detect account compromise
  • Analyze compromised host
  • Develop response plan

None

Domain Admin Lateral Movement—Workstation to Domain Controller

Use a previously compromised domain admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on a target DC.
  • Valid Accounts: Domain Accounts [T1078.002]
  • Remote Services: SMB/Windows Admin Shares, Sub-technique [T1021.002]
  • Create or Modify System Process: Windows Service [T1543.003]
  • Detect account compromise
  • Triage compromised host
  • Develop response plan

None

Malicious Traffic Generation—Domain Controller to External Host

Establish a session that originates from a target Domain Controller system directly to an external host over a clear text protocol, such as HTTP.
  • Application Layer Protocol [T1071]
  • Intrusion Detection or Prevention Systems
  • Endpoint Protection Platform
  • Web Proxy Logs
  • Detect and identify source IP and source process of malicious traffic
  • Investigate destination IP address
  • Triage compromised host

Develop response plan

None

Trigger Host-Based Protection—Domain Controller

Upload and execute a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts.
  • Ingress Tool Transfer [T1105]
  • Endpoint Protection Platform
  • Endpoint Detection and Response
  • Detect and identify source IP and source process of malicious traffic
  • Investigate destination IP address
  • Triage compromised host
  • Develop response plan

Malicious file was removed by antivirus

Ransomware Simulation

Execute simulated ransomware on multiple Workstation systems to simulate a ransomware attack.

Note: This technique does NOT encrypt files on the target system.

N/A
  • Investigate end user reported event
  • Triage compromised host
  • Develop response Plan

Four users reported event to defensive staff
Findings
Key Issues

The red team noted the following key issues relevant to the security of the organization’s network. These findings contributed to the team’s ability to gain persistent, undetected access across the organization’s sites. See the Mitigations section for recommendations on how to mitigate these issues.

  • Insufficient host and network monitoring. Most of the red team’s Phase II actions failed to provoke a response from the people, processes, and technology defending the organization’s network. The organization failed to detect lateral movement, persistence, and C2 activity via their intrusion detection or prevention systems, endpoint protection platform, web proxy logs, and Windows event logs. Additionally, throughout Phase I, the team received no deconflictions or confirmation that the organization caught their activity. Below is a list of some of the higher risk activities conducted by the team that were opportunities for detection:
    • Phishing
    • Lateral movement reuse
    • Generation and use of the golden ticket
    • Anomalous LDAP traffic
    • Anomalous internal share enumeration
    • Unconstrained Delegation server compromise
    • DCSync
    • Anomalous account usage during lateral movement
    • Anomalous outbound network traffic
    • Anomalous outbound SSH connections to the team’s cloud servers from workstations
  • Lack of monitoring on endpoint management systems. The team used the organization’s MDM system to gain root access to machines across the organization’s network without being detected. Endpoint management systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
  • KRBTGT never changed. The Site 1 krbtgt account password had not been updated for over a decade. The krbtgt account is a domain default account that acts as a service account for the key distribution center (KDC) service used to encrypt and sign all Kerberos tickets for the domain. Compromise of the krbtgt account could provide adversaries with the ability to sign their own TGTs, facilitating domain access years after the date of compromise. The red team was able to use the krbtgt account to forge TGTs for multiple accounts throughout Phase I.
  • Excessive permissions to standard users. The team discovered several standard user accounts that have local administrator access to critical servers. This misconfiguration allowed the team to use the low-level access of a phished user to move laterally to an Unconstrained Delegation host and compromise the entire domain.
  • Hosts with Unconstrained Delegation enabled unnecessarily. Hosts with Unconstrained Delegation enabled store the Kerberos TGTs of all users that authenticate to that host, enabling actors to steal service tickets or compromise krbtgt accounts and perform golden ticket or “silver ticket” attacks. The team performed an NTLM-relay attack to obtain the DC’s TGT, followed by a golden ticket attack on a SharePoint server with Unconstrained Delegation to gain the ability to impersonate any Site 1 AD account.
  • Use of non-secure default configurations. The organization used default configurations for hosts with Windows Server 2012 R2. The default configuration allows unprivileged users to query group membership of local administrator groups. The red team used and identified several standard user accounts with administrative access from a Windows Server 2012 R2 SharePoint server.
Additional Issues

The team noted the following additional issues.

  • Ineffective separation of privileged accounts. Some workstations allowed unprivileged accounts to have local administrator access; for example, the red team discovered an ordinary user account in the local admin group for the SharePoint server. If a user with administrative access is compromised, an actor can access servers without needing to elevate privileges. Administrative and user accounts should be separated, and designated admin accounts should be exclusively used for admin purposes.
  • Lack of server egress control. Most servers, including domain controllers, allowed unrestricted egress traffic to the internet.
  • Inconsistent host configuration. The team observed inconsistencies on servers and workstations within the domain, including inconsistent membership in the local administrator group among different servers or workstations. For example, some workstations had “Server Admins” or “Domain Admins” as local administrators, and other workstations had neither.
  • Potentially unwanted programs. The team noticed potentially unusual software, including music software, installed on both workstations and servers. These extraneous software installations indicate inconsistent host configuration (see above) and increase the attack surfaces for malicious actors to gain initial access or escalate privileges once in the network.
  • Mandatory password changes enabled. During the assessment, the team keylogged a user during a mandatory password change and noticed that only the final character of their password was modified. This is potentially due to domain passwords being required to be changed every 60 days.
  • Smart card use was inconsistent across the domain. While the technology was deployed, it was not applied uniformly, and there was a significant portion of users without smartcard protections enabled. The team used these unprotected accounts throughout their assessment to move laterally through the domain and gain persistence.
Noted Strengths

The red team noted the following technical controls or defensive measures that prevented or hampered offensive actions:

  • The organization conducts regular, proactive penetration tests and adversarial assessments and invests in hardening their network based on findings.
    • The team was unable to discover any easily exploitable services, ports, or web interfaces from more than three million external in-scope IPs. This forced the team to resort to phishing to gain initial access to the environment.
    • Service account passwords were strong. The team was unable to crack any of the hashes obtained from the 610 service accounts pulled. This is a critical strength because it slowed the team from moving around the network in the initial parts of the Phase I.
    • The team did not discover any useful credentials on open file shares or file servers. This slowed the progress of the team from moving around the network.
  • MFA was used for some SBSs. The team was blocked from moving to SBS 2 by an MFA prompt.
  • There were strong security controls and segmentation for SBS systems. Direct access to SBS were located in separate networks, and admins of SBS used workstations protected by local firewalls.

MITIGATIONS

CISA recommends organizations implement the recommendations in Table 2 to mitigate the issues listed in the Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Table 2: Recommendations to Mitigate Identified Issues

Issue

Recommendation

Insufficient host and network monitoring
  • Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behavior [CPG 3.1]. Tune host-based products to detect anomalous binaries, lateral movement, and persistence techniques.
  • Create alerts for Windows event log authentication codes, especially for the domain controllers. This could help detect some of the pass-the-ticket, DCSync, and other techniques described in this report.
  • From a detection standpoint, focus on identity and access management (IAM) rather than just network traffic or static host alerts.
  • Consider who is accessing what (what resource), from where (what internal host or external location), and when (what day and time the access occurs).
  • Look for access behavior that deviates from expected or is indicative of AD abuse.
  • Reduce the attack surface by limiting the use of legitimate administrative pathways and tools such as PowerShell, PSExec, and WMI, which are often used by malicious actors. CISA recommends selecting one tool to administer the network, ensuring logging is turned on [CPG 3.1], and disabling the others.
  • Consider using “honeypot” service principal names (SPNs) to detect attempts to crack account hashes [CPG 1.1].
  • Conduct regular assessments to ensure processes and procedures are up to date and can be followed by security staff and end users.
  • Consider using red team tools, such as SharpHound, for AD enumeration to identify users with excessive privileges and misconfigured hosts (e.g., with Unconstrained Delegation enabled).
  • Ensure all commercial tools deployed in your environment are regularly tuned to pick up on relevant activity in your environment.

Lack of monitoring on endpoint management systems
  • Treat endpoint management systems as HVAs with additional restrictions and monitoring because they provide elevated access to thousands of hosts.

KRBTGT never changed
  • Change the krbtgt account password on a regular schedule such as every 6 to 12 months or if it becomes compromised. Note that this password change must be carefully performed to effectively change the credential without breaking AD functionality. The password must be changed twice to effectively invalidate the old credentials. However, the required waiting period between resets must be greater than the maximum lifetime period of Kerberos tickets, which is 10 hours by default. See Microsoft’s KRBTGT account maintenance considerations guidance for more information.

Excessive permissions to standard users and ineffective separation of privileged accounts
  • Implement the principle of least privilege:
  • Grant standard user rights for standard user tasks such as email, web browsing, and using line-of-business (LOB) applications.
  • Periodically audit standard accounts and minimize where they have privileged access.
  • Periodically Audit AD permissions to ensure users do not have excessive permissions and have not been added to admin groups.
  • Evaluate which administrative groups should administer which servers/workstations. Ensure group members administrative accounts instead of standard accounts.
  • Separate administrator accounts from user accounts [CPG 1.5]. Only allow designated admin accounts to be used for admin purposes. If an individual user needs administrative rights over their workstation, use a separate account that does not have administrative access to other hosts, such as servers.
  • Consider using a privileged access management (PAM) solution to manage access to privileged accounts and resources [CPG 3.4]. PAM solutions can also log and alert usage to detect any unusual activity and may have helped stop the red team from accessing resources with admin accounts. Note: password vaults associated with PAM solutions should be treated as HVAs with additional restrictions and monitoring (see below).
  • Configure time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege, as well as the Zero Trust model. This is a process in which a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When individual users need the account, they submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.

Hosts with Unconstrained Delegation enabled
  • Remove Unconstrained Delegation from all servers. If Unconstrained Delegation functionality is required, upgrade operating systems and applications to leverage other approaches (e.g., constrained delegation) or explore whether systems can be retired or further isolated from the enterprise. CISA recommends Windows Server 2019 or greater.
  • Consider disabling or limiting NTLM and WDigest Authentication if possible, including using their use as criteria for prioritizing updates to legacy systems or for segmenting the network. Instead use more modern federation protocols (SAML, OIDC) or Kerberos for authentication with AES-256 bit encryption [CPG 3.4].
  • If NTLM must be enabled, enable Extended Protection for Authentication (EPA) to prevent some NTLM-relay attacks, and implement SMB signing to prevent certain adversary-in-the-middle and pass-the-hash attacks CPG 3.4]. See Microsoft Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) and Microsoft Overview of Server Message Block signing for more information.

Use of non-secure default configurations
  • Keep systems and software up to date [CPG 5.1]. If updates cannot be uniformly installed, update insecure configurations to meet updated standards.

Lack of server egress control
  • Configure internal firewalls and proxies to restrict internet traffic from hosts that do not require it. If a host requires specific outbound traffic, consider creating an allowlist policy of domains.

Large number of credentials in a shared vault
  • If on-premise, require MFA for admin and apply network segmentation [CPG 1.3]. Use solutions with end-to-end encryption where applicable [CPG 3.3].
  • If cloud-based, evaluate the provider to ensure use of strong security controls such as MFA and end-to-end encryption [CPG 1.3, 3.3].

Inconsistent host configuration
  • Establish a baseline/gold-image for workstations and servers and deploy from that image [CPG 2.5]. Use standardized groups to administer hosts in the network.

Potentially unwanted programs
  • Implement software allowlisting to ensure users can only install software from an approved list [CPG 2.1].
  • Remove unnecessary, extraneous software from servers and workstations.

Mandatory password changes enabled
  • Consider only requiring changes for memorized passwords in the event of compromise. Regular changing of memorized passwords can lead to predictable patterns, and both CISA and the National Institute of Standards and Technology (NIST) recommend against changing passwords on regular intervals.

Additionally, CISA recommends organizations implement the mitigations below to improve their cybersecurity posture:

  • Provide users with regular training and exercises, specifically related to phishing emails [CPG 4.3]. Phishing accounts for majority of initial access intrusion events.
  • Enforce phishing-resistant MFA to the greatest extent possible [CPG 1.3].
  • Reduce the risk of credential compromise via the following:
    • Place domain admin accounts in the protected users group to prevent caching of password hashes locally; this also forces Kerberos AES authentication as opposed to weaker RC4 or NTLM.
    • Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
    • Refrain from storing plaintext credentials in scripts [CPG 3.4]. The red team discovered a PowerShell script containing plaintext credentials that allowed them to escalate to admin.
  • Upgrade to Windows Server 2019 or greater and Windows 10 or greater. These versions have security features not included in older operating systems.

As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that:

  • Leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, policy enforcement).
  • Upgrades applications and infrastructure to leverage modern identity management and network access practices.
  • Centralizes and streamlines access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.
  • Invests in technology and personnel to achieve these goals.

CISA encourages organizational IT leadership to ask their executive leadership the question: Can the organization accept the business risk of NOT implementing critical security controls such as MFA? Risks of that nature should typically be acknowledged and prioritized at the most senior levels of an organization.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 3).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

See CISA’s RedEye tool on CISA’s GitHub page. RedEye is an interactive open-source analytic tool used to visualize and report red team command and control activities. See CISA’s RedEye tool overview video for more information.

REFERENCES
[1] Bleeping Computer: New DFSCoerce NTLM Relay attack allows Windows domain takeover

APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 3 for all referenced red team tactics and techniques in this advisory. Note: activity was from Phase I unless noted.

Table 3: Red Team ATT&CK Techniques for Enterprise

 

 Reconnaissance  

Technique Title

ID

Use

Gather Victim Identity Information: Email Addresses

T1589.002

 

The team found employee email addresses via open-source research.

Gather Victim Identify Information: Employee Names

 

T1589.003

 

The team identified employee names via open-source research that could be used to derive email addresses.

Gather Victim Network Information: Network Security Appliances

T1590.006

The team identified the organization’s MDM vendor and leveraged that information to move laterally to SBS-connected assets.

Gather Victim Org Information

T1591

The team conducted open-source research and identified an organizational branch that likely had access to an SBS asset.

Gather Victim Org Information: Determine Physical Locations

T1591.001

The team conducted open-source research to identify the physical locations of upkeep/management staff of selected assets.

Search Open Technical Databases: Scan Databases

 

T1596.005

The team queried an MDM SQL database to identify target administrators who recently connected with the MDM.

 

 Resource Development  

Technique Title

ID

Use

Acquire Infrastructure

T1583

The team used third-party owned and operated infrastructure throughout their assessment for C2.

Establish Accounts: Email Accounts

T1585.002

The team used commercially available email platforms for their spearphishing activity.

Obtain Capabilities: Tool

T1588.002

The team used the following tools:

 

 Initial Access  

Technique Title

ID

Use

Phishing: Spearphishing Link

T1566.002

The team sent spearphishing emails with links to a red-team-controlled domain to gain access to the organization’s systems.

 

 Execution  

Technique Title

ID

Use

Native API

T1106

The team created a policy via the MDM API, which downloaded and executed a payload on a workstation.

User Execution

T1204

Users downloaded and executed the team’s initial access payloads after clicking buttons to trigger download and execution.

 

 Persistence  

Technique Title

ID

Use

 

Account Manipulation

T1098

The team elevated account privileges to administrator and modified the user’s account by adding Create Policy and Delete Policy permissions.

During Phase II, the team created local admin accounts and an AD account; they added the created AD account to a domain admins group.

Create Account: Local Account

T1136.001

During Phase II, the team created a local administrator account on a workstation and a server.

Create Account: Domain Account

T1136.002

During Phase II, the team created an AD account.

Create or Modify System Process: Windows Service

T1543.003

During Phase II, the team leveraged compromised workstation and domain admin accounts to execute a payload via Windows Service Creation on target workstations and the DC.

Event Triggered Execution: Windows Management Instrumentation Event Subscription

T1546.003

The team used WMI Event Subscriptions to move laterally between sites.

Hijack Execution Flow: DLL Search Order Hijacking

T1574.001

The team used DLL hijacking to move laterally between sites.

 

 Privilege Escalation  

Technique Title

ID

Use

Abuse Elevation Control Mechanism

T1548

The team elevated user account privileges to administrator by modifying the user’s account via adding Create Policy and Delete Policy permissions.

 

 Defense Evasion  

Technique Title

ID

Use

Valid Accounts: Domain Accounts

T1078.002

During Phase II, the team compromised a domain admin account and used it to laterally to multiple workstations and the DC.

 

 Credential Access  

Technique Title

ID

Use

OS Credential Dumping: LSASS Memory

T1003.001

The team obtained the cached credentials from a SharePoint server account by taking a snapshot of lsass.exe with a tool called nanodump, exporting the output and processing the output offline with Mimikatz.

OS Credential Dumping: DCSync

T1003.006

The team harvested AES-256 hashes via DCSync.

Brute Force: Password Cracking

T1110.002

The team cracked a user’s workstation account password after learning the user’s patterns from plaintext credentials.

Unsecured Credentials

T1552

The team found backups of a MySQL database that contained the encryption key needed to decrypt SSH passwords.

Unsecured Credentials: Credentials in Files

T1552.001

The team found plaintext credentials to an API user account stored in PowerShell scripts on an MDM server.

Unsecured Credentials: Bash History

T1552.003

The team found bash history files on a Workstation 5, and the files appeared to be SSH passwords saved in bash history.

Credentials from Password Stores: Password Managers

T1555.005

The team pulled credentials from a KeePass database.

 

Adversary-in-the-middle: LLMNR/NBT-NS Poisoning and SMB Relay

T1557.001

The team leveraged Rubeus and DFSCoerce in a NTLM relay attack to obtain the DC’s TGT from a host with Unconstrained Delegation enabled.

 

Steal or Forge Kerberos Tickets: Golden Ticket

T1558.001

The team used the acquired krbtgt account hash throughout their assessment to forge legitimate TGTs.

Steal or Forge Kerberos Tickets: Kerberoasting

T1558.003

The team leveraged Rubeus and DFSCoerce in a NTLM relay attack to obtain the DC’s TGT from a host with Unconstrained Delegation enabled.

 

 Discovery  

Technique Title

ID

Use

System Network Configuration Discovery

T1016

The team queried the AD for information about the network’s sites and subnets. 

Remote System Discovery

T1018

The team queried the AD, during phase I and II, for information about computers on the network. 

System Network Connections Discovery

T1049

The team listed existing network connections on SCCM Server 1 to reveal an active SMB connection with server 2.

Permission Groups Discovery: Domain Groups

T1069.002

The team leveraged ldapsearch and dsquery to query and scrape active directory information. 

Account Discovery: Domain Account

T1087.002

The team queried AD for AD users (during Phase I and II), including for members of a SharePoint admin group and several standard user accounts with administrative access.

Cloud Infrastructure Discovery

T1580

The team found SecOps network diagrams on a host detailing cloud infrastructure boundaries.

Domain Trust Discovery

T1482

During Phase II, the team enumerated trust relationships within the AD Forest.

Group Policy Discovery

T1615

The team scraped AD information, including GPOs.

Network Service Discovery

T1046

During Phase II, the team enumerated ports on target systems from a previously compromised workstation.

System Owner/User Discovery

T1033

During Phase II, the team enumerated the AD for current session information from every domain computer (Workstation and Server).

 

 Lateral Movement  

Technique Title

ID

Use

Remote Services: SMB/Windows Admin Shares

T1021.002

The team moved laterally with an SMB beacon.

During Phase II, they used compromised workstation and domain admin accounts to upload a payload via SMB on several target Workstations and the DC.

Use Alternate Authentication Material: Pass the Hash

T1550.002

As part of a NTLM relay attack, the team used a server’s NTLM hash and DFSCoerce.py to prompt DC authentication to the server, and they captured the incoming DC TGT using Rubeus.

Pass the Ticket

T1550.003

The team used the asktgt command to impersonate accounts for which they had credentials by requesting account TGTs.

 

 Command and Control  

Technique Title

ID

Use

Application Layer Protocol

T1071

The team remotely enumerated the local administrators group on target hosts to find valid user accounts. This technique relies on anonymous SMB pipe binds, which are disabled by default starting with Server 2016.

During Phase II, the team established sessions that originated from a target Workstation and from the DC directly to an external host over a clear text protocol.

Application Layer Protocol: Web Protocols

T1071.001

The team’s C2 redirectors used HTTPS reverse proxies to redirect C2 traffic.

Application Layer Protocol: File Transfer Protocols

T1071.002

The team used HTTPS reverse proxies to redirect C2 traffic between target network and the team’s Cobalt Strike servers.

Encrypted Channel

T1573

The team’s C2 traffic was encrypted in transit using encryption keys stored on their C2 servers.

Ingress Tool Transfer

T1105

During Phase II, the team uploaded and executed well-known malicious files to the DC to generate host-based alerts.

Proxy: External Proxy

T1090.002

The team used redirectors to redirect C2 traffic between the target organization’s network and the team’s C2 servers.

Proxy: Domain Fronting

T1090.004

The team used domain fronting to disguise outbound traffic in order to diversify the domains with which the persistent beacons were communicating.

 

 Impact  

Technique Title

ID

Use

Account Access Removal

T1531

During Phase II, the team locked out several administrative AD accounts.

 

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.

Source…

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

/in


Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.

This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.

The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.

For additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

Download the PDF version of this report: pdf, 661 kb.

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.

Observable TTPs

The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:

  • Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
  • Obfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
  • Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
  • Gain Access [TA0001]. Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in various SonicWall appliances [T1190 and T1133]. Observed CVEs used include:
    • CVE 2021-44228
    • CVE-2021-20038
    • CVE-2022-24990

Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].

The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup.com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related file names and hashes are listed in table 1.

Table 1: Malicious file names and hashes spread by xpopup domains
File Name MD5 Hash
xpopup.rar 1f239db751ce9a374eb9f908c74a31c9
X-PopUp.exe 6fb13b1b4b42bac05a2ba629f04e3d03
X-PopUp.exe cf8ba073db7f4023af2b13dd75565f3d
xpopup.exe 4e71d52fc39f89204a734b19db1330d3
x-PopUp.exe 43d4994635f72852f719abb604c4a8a1
xpopup.exe 5ae71e8440bf33b46554ce7a7f3de666

 

  • Move Laterally and Discovery [TA0007, TA0008]. After initial access, DPRK cyber actors use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]. The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors [TA0010].
  • Employ Various Ransomware Tools [TA0040]. Actors have used privately developed ransomware, such as Maui and H0lyGh0st [T1486]. Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486]. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group. For IOCs associated with Maui and H0lyGh0st ransomware usage, please see Appendix B.
  • Demand Ransom in Cryptocurrency. DPRK cyber actors have been observed setting ransoms in bitcoin [T1486]. Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid. Bitcoin wallet addresses possibly used by DPRK cyber actors include:
    • 1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
    • bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
    • 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
    • 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
    • bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
    • bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
    • 1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
    • bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
    • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
    • 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
    • 16sYqXancDDiijcuruZecCkdBDwDf4vSEC
    • 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
    • LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
    • 1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
    • 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
    • bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
    • bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
    • bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
    • bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
    • bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
    • bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
    • bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
    • bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
    • bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
    • bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
    • bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
    • bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
    • bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
    • bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
    • bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
    • bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
    • bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
    • bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
    • bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
    • bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
    • bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
    • bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
    • bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
    • bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
    • bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
    • bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
    • bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
    • bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

The authoring agencies urge HPH organizations to:

  • Limit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet of Things (IoT) medical devices, and the electronic health record system [CPG 3.3].
  • Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts [CPG 1.5], which grant excessive system administration privileges.
  • Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
  • Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
  • Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI), per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures could prevent the introduction of malware to the system [CPG 3.4].
    • Secure PII/ PHI at collection points and encrypt the data at rest and in transit using technologies, such as TLS. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
    • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer [CPG 8.1].
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise [CPG 3.1].

In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:

  • Maintain isolated backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].
  • Install updates for operating systems, software, and firmware as soon as they are released [CPG 5.1]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
  • If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely [CPG 5.4].
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require phishing-resistant multifactor authentication (MFA) to mitigate credential theft and reuse [CPG 1.3]. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports [CPG 1.1, 3.1].
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols not in use for a business purpose (e.g., RDP Transmission Control Protocol port 3389).
    • Restrict the Server Message Block (SMB) protocol within the network to only access necessary servers and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
    • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity [CPG 5.6, 6.2].
    • Implement application control policies that only allow systems to execute known and permitted programs [CPG 2.1].
    • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises [CPG 4.3] to raise awareness among users about the risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software [CPG 1.5].
  • Audit user accounts with administrative or elevated privileges [CPG 1.5] and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organizations [CPG 8.3] indicating that they are higher risk messages.
  • Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures.

If a ransomware incident occurs at your organization:

  • Follow your organization’s ransomware response checklist.
  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
  • U.S. organizations: Follow the notification requirements as outlined in your cyber incident response plan. Report incidents to appropriate authorities; in the U.S., this would include the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
  • South Korean organizations: Please report incidents to NIS, KISA (Korea Internet & Security Agency), and KNPA (Korean National Police Agency).
    • NIS (National Intelligence Service)
    • KISA (Korea Internet & Security Agency)
    • KNPA (Korean National Police Agency)
  • Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Resources

Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link:
https://www.stairwell.com/news/threat-research-report-maui-ransomware/

Request For Information

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.

Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.

Acknowledgements

NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and Apache Log4j are trademarks of Apache Software Foundation. TerraMaster Operating System is a registered trademark of Octagon Systems.

Purpose

This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Appendix A: CVE Details

CVE-2021-44228     CVSS 3.0: 10 (Critical)
Vulnerability Description
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Recommended Mitigations
Apply patches provided by vendor and perform required system updates.
Detection Methods
See vendors’ Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability.
Vulnerable Technologies and Versions
There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, please check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more information.

 

CVE-2021-20038     CVSS 3.0: 9.8 (Critical)
Vulnerability Description
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a ‘nobody’ user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Recommended Mitigations
Apply all appropriate vendor updates
Upgrade to:

  • SMA 100 Series – (SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure):
  • SonicWall SMA100 build versions 10.2.0.9-41sv or later
  • SonicWall SMA100 build versions 10.2.1.3-27sv or later

System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions.

Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.
Vulnerable Technologies and Versions
Sonicwall Sma 200 Firmware 10.2.0.8-37Sv
Sonicwall Sma 200 Firmware 10.2.1.1-19Sv
Sonicwall Sma 200 Firmware 10.2.1.2-24Sv
Sonicwall Sma 210 Firmware 10.2.0.8-37Sv
Sonicwall Sma 210 Firmware 10.2.1.1-19Sv
Sonicwall Sma 210 Firmware 10.2.1.2-24Sv
Sonicwall Sma 410 Firmware 10.2.0.8-37Sv
Sonicwall Sma 410 Firmware 10.2.1.1-19Sv
Sonicwall Sma 410 Firmware 10.2.1.2-24Sv
Sonicwall Sma 400 Firmware 10.2.0.8-37Sv
Sonicwall Sma 400 Firmware 10.2.1.1-19Sv
Sonicwall Sma 400 Firmware 10.2.1.2-24Sv
Sonicwall Sma 500V Firmware 10.2.0.8-37Sv
Sonicwall Sma 500V Firmware 10.2.1.1-19Sv
Sonicwall Sma 500V Firmware 10.2.1.2-24Sv
See https://nvd.nist.gov/vuln/detail/CVE-2021-20038 for more information.

 

CVE-2022-24990    CVSS 3.x: N/A
Vulnerability Description
The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances’ operating system where users manage storage, backup data, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with highest privileges.
Recommended Mitigations
Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30
Vulnerable Technologies and Versions
TOS v 4.2.29
See https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ and https://forum.terra-master.com/en/viewtopic.php?t=3030 for more information.

Appendix B: Indicators of Compromise (IOCs)

The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.

Table 2: File names and hashes of malicious implants, RATs, and tools
MD5Hash SHA256Hash
079b4588eaa99a1e802adf5e0b26d8aa f67ee77d6129bd1bcd5d856c0fc5314169
b946d32b8abaa4e680bb98130b38e7
0e9e256d8173854a7bc26982b1dde783
12c15a477e1a96120c09a860c9d479b3 6263e421e397db821669420489d2d3084
f408671524fd4e1e23165a16dda2225
131fc4375971af391b459de33f81c253
17c46ed7b80c2e4dbea6d0e88ea0827c b9af4660da00c7fa975910d0a19fda0720
31c15fad1eef935a609842c51b7f7d
1875f6a68f70bee316c8a6eda9ebf8de 672ec8899b8ee513dbfc4590440a61023
846ddc2ca94c88ae637144305c497e7
1a74c8d8b74ca2411c1d3d22373a6769 ba8f9e7afe5f78494c111971c39a89111ef
9262bf23e8a764c6f65c818837a44
1f6d9f8fbdbbd4e6ed8cd73b9e95a928 4f089afa51fd0c1b2a39cc11cedb3a4a32
6111837a5408379384be6fe846e016
2d02f5499d35a8dffb4c8bc0b7fec5c2 830207029d83fd46a4a89cd623103ba23
21b866428aa04360376e6a390063570
2e18350194e59bc6a2a3f6d59da11bd8 655aa64860f1655081489cf85b77f72a49
de846a99dd122093db4018434b83ae
3bd22e0ac965ebb6a18bb71ba39e96dc 6b7f566889b80d1dba4f92d5e2fb2f5ef24
f57fcfd56bb594978dffe9edbb9eb
40f21743f9cb927b2c84ecdb7dfb14a6 5081f54761947bc9ce4aa2a259a0bd60b
4ec03d32605f8e3635c4d4edaf48894
4118d9adce7350c3eedeb056a3335346 5b7ecf7e9d0715f1122baf4ce745c5fcd76
9dee48150616753fec4d6da16e99e
43e756d80225bdf1200bc34eef5adca8 afb2d4d88f59e528f0e388705113ae54b7
b97db4f03a35ae43cc386a48f263a0
47791bf9e017e3001ddc68a7351ca2d6 863b707873f7d653911e46885e261380b
410bb3bf6b158daefb47562e93cb657
505262547f8879249794fc31eea41fc6 f32f6b229913d68daad937cc72a57aa452
91a9d623109ed48938815aa7b6005c
5130888a0ad3d64ad33c65de696d3fa2 c92c1f3e77a1876086ce530e87aa9c1f9c
bc5e93c5e755b29cad10a2f3991435
58ad3103295afcc22bde8d81e77c282f 18b75949e03f8dcad513426f1f9f3ca209d
779c24cd4e941d935633b1bec00cb
5be1e382cd9730fbe386b69bd8045ee7 5ad106e333de056eac78403b033b89c58
b4c4bdda12e2f774625d47ccfd3d3ae
5c6f9c83426c6d33ff2d4e72c039b747 a3b7e88d998078cfd8cdf37fa5454c45f6c
bd65f4595fb94b2e9c85fe767ad47
640e70b0230dc026eff922fb1e44c2ea 6319102bac226dfc117c3c9e620cd99c7e
afbf3874832f2ce085850aa042f19c
67f4dad1a94ed8a47283c2c0c05a7594 3fe624c33790b409421f4fa2bb8abfd701d
f2231a959493c33187ed34bec0ae7
70652edadedbacfd30d33a826853467d 196fb1b6eff4e7a049cea323459cfd6c0e3
900d8d69e1d80bffbaabd24c06eba
739812e2ae1327a94e441719b885bd19 6122c94cbfa11311bea7129ecd5aea6fae
6c51d23228f7378b5f6b2398728f67
76c3d2092737d964dfd627f1ced0af80 bffe910904efd1f69544daa9b72f2a70fb29
f73c51070bde4ea563de862ce4b1
802e7d6e80d7a60e17f9ffbd62fcbbeb 87bdb1de1dd6b0b75879d8b8aef80b562
ec4fad365d7abbc629bcfc1d386afa6
827103a6b6185191fd5618b7e82da292
830bc975a04ab0f62bfedf27f7aca673
85995257ac07ae5a6b4a86758a2283d7
85f6e3e3f0bdd0c1b3084fc86ee59d19 f1576627e8130e6d5fde0dbe3dffcc8bc9e
ef1203d15fcf09cd877ced1ccc72a
87a6bda486554ab16c82bdfb12452e8b 980bb08ef3e8afcb8c0c1a879ec11c41b2
9fd30ac65436495e69de79c555b2be
891db50188a90ddacfaf7567d2d0355d 0837dd54268c373069fc5c1628c6e3d75e
b99c3b3efc94c45b73e2cf9a6f3207
894de380a249e677be2acb8fbdfba2ef
8b395cc6ecdec0900facf6e93ec48fbb
92a6c017830cda80133bf97eb77d3292 d1aba3f95f11fc6e5fec7694d188919555b
7ff097500e811ff4a5319f8f230be
9b0e7c460a80f740d455a7521f0eada1 45d8ac1ac692d6bb0fe776620371fca02b
60cac8db23c4cc7ab5df262da42b78
9b9d4cb1f681f19417e541178d8c75d7 f5f6e538001803b0aa008422caf2c3c2a7
9b2eeee9ddc7feda710e4aba96fea4
a1f9e9f5061313325a275d448d4ddd59 dfdd72c9ce1212f9d9455e2bca5a327c88
d2d424ea5c086725897c83afc3d42d
a452a5f693036320b580d28ee55ae2a3 99b0056b7cc2e305d4ccb0ac0a8a270d3f
ceb21ef6fc2eb13521a930cea8bd9f
a6e1efd70a077be032f052bb75544358 3b9fe1713f638f85f20ea56fd09d20a96cd
6d288732b04b073248b56cdaef878
ad4eababfe125110299e5a24be84472e a557a0c67b5baa7cf64bd4d42103d3b285
2f67acf96b4c5f14992c1289b55eaa
b1c1d28dc7da1d58abab73fa98f60a83 38491f48d0cbaab7305b5ddca64ba41a2b
eb89d81d5fb920e67d0c7334c89131
b6f91a965b8404d1a276e43e61319931
bdece9758bf34fcad9cba1394519019b 9d6de05f9a3e62044ad9ae66111308ccb9
ed2ee46a3ea37d85afa92e314e7127
c3850f4cc12717c2b54753f8ca5d5e0e 99b448e91669b92c2cc3417a4d9711209
509274dab5d7582baacfab5028a818c
c50b839f2fc3ce5a385b9ae1c05def3a 458d258005f39d72ce47c111a7d17e8c52
fe5fc7dd98575771640d9009385456
cf236bf5b41d26967b1ce04ebbdb4041 60425a4d5ee04c8ae09bfe28ca33bf9e76
a43f69548b2704956d0875a0f25145
d0e203e8845bf282475a8f816340f2e8 f6375c5276d1178a2a0fe1a16c5668ce52
3e2f846c073bf75bb2558fdec06531
ddb1f970371fa32faae61fc5b8423d4b dda53eee2c5cb0abdbf5242f5e82f4de83
898b6a9dd8aa935c2be29bafc9a469
f2f787868a3064407d79173ac5fc0864 92adc5ea29491d9245876ba0b29573936
33c9998eb47b3ae1344c13a44cd59ae
fda3a19afa85912f6dc8452675245d6b 56925a1f7d853d814f80e98a1c4890b0a6
a84c83a8eded34c585c98b2df6ab19
0054147db54544d77a9efd9baf5ec96a80
b430e170d6e7c22fcf75261e9a3a71
151ab3e05a23e9ccd03a6c49830dabb9e
9281faf279c31ae40b13e6971dd2fb8
1c926fb3bd99f4a586ed476e4683163892
f3958581bf8c24235cd2a415513b7f
1f8dcfaebbcd7e71c2872e0ba2fc6db81d6
51cf654a21d33c78eae6662e62392
f226086b5959eb96bd30dec0ffcbf0f0918
6cd11721507f416f1c39901addafb
23eff00dde0ee27dabad28c1f4ffb8b09e8
76f1e1a77c1e6fb735ab517d79b76
586f30907c3849c363145bfdcdabe3e2e4
688cbd5688ff968e984b201b474730
8ce219552e235dcaf1c694be122d6339e
d4ff8df70bf358cd165e6eb487ccfc5
90fb0cd574155fd8667d20f97ac464eca67
bdb6a8ee64184159362d45d79b6a4
c2904dc8bbb569536c742fca0c51a766e8
36d0da8fac1c1abd99744e9b50164f
ca932ccaa30955f2fffb1122234fb1524f7d
e3a8e0044de1ed4fe05cab8702a5
f6827dc5af661fbb4bf64bc625c78283ef8
36c6985bb2bfb836bd0c8d5397332
f78cabf7a0e7ed3ef2d1c976c1486281f56
a6503354b87219b466f2f7a0b65c4

 

Table 3 lists MD5 and SHA256 hashes are associated with Maui Ransomware files.

Table 3: File names and hashes of Maui ransomware files
MD5 Hash SHA256 Hash
4118d9adce7350c3eedeb056a3335346 5b7ecf7e9d0715f1122baf4ce745c5fcd76
9dee48150616753fec4d6da16e99e
9b0e7c460a80f740d455a7521f0eada1 45d8ac1ac692d6bb0fe776620371fca02b
60cac8db23c4cc7ab5df262da42b78
fda3a19afa85912f6dc8452675245d6b 56925a1f7d853d814f80e98a1c4890b0a6
a84c83a8eded34c585c98b2df6ab19
2d02f5499d35a8dffb4c8bc0b7fec5c2 830207029d83fd46a4a89cd623103ba232
1b866428aa04360376e6a390063570
c50b839f2fc3ce5a385b9ae1c05def3a 458d258005f39d72ce47c111a7d17e8c52
fe5fc7dd98575771640d9009385456
a452a5f693036320b580d28ee55ae2a3 99b0056b7cc2e305d4ccb0ac0a8a270d3f
ceb21ef6fc2eb13521a930cea8bd9f
a6e1efd70a077be032f052bb75544358 3b9fe1713f638f85f20ea56fd09d20a96cd6
d288732b04b073248b56cdaef878
802e7d6e80d7a60e17f9ffbd62fcbbeb 87bdb1de1dd6b0b75879d8b8aef80b562e
c4fad365d7abbc629bcfc1d386afa6
0054147db54544d77a9efd9baf5ec96a80b
430e170d6e7c22fcf75261e9a3a71

 

Table 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.

Table 4: File names and hashes of H0lyGh0st ransomware files
SHA256 Hash
99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd*
F8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86*
Bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af*
6e20b73a6057f8ff75c49e1b7aef08abfcfe4e418e2c1307791036f081335c2d
f4d10b08d7dacd8fe33a6b54a0416eecdaed92c69c933c4a5d3700b8f5100fad
541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219
2d978df8df0cf33830aba16c6322198e5889c67d49b40b1cb1eb236bd366826d
414ed95d14964477bebf86dced0306714c497cde14dede67b0c1425ce451d3d7
Df0c7bb88e3c67d849d78d13cee30671b39b300e0cda5550280350775d5762d8

 

MD5 Hash
a2c2099d503fcc29478205f5aef0283b
9c516e5b95a7e4169ecbd133ed4d205f
d6a7b5db62bf7815a10a17cdf7ddbd4b
c6949a99c60ef29d20ac8a9a3fb58ce5
4b20641c759ed563757cdd95c651ee53
25ee4001eb4e91f7ea0bc5d07f2a9744
29b6b54e10a96e6c40e1f0236b01b2e8
18126be163eb7df2194bb902c359ba8e
eaf6896b361121b2c315a35be837576d
e4ee611533a28648a350f2dab85bb72a
e268cb7ab778564e88d757db4152b9fa

* from Microsoft blog post on h0lygh0st

Source…

ESXiArgs Ransomware Virtual Machine Recovery Guidance

/in


The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. 

CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to: 

  • Update servers to the latest version of VMware ESXi software
  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and 
  • Ensure the ESXi hypervisor is not exposed to the public internet. 

If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.  

Download the PDF version of this report: pdf, 712 kb.

Note: CISA and FBI will update this CSA as more information becomes available.

Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1] 

ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.

Recovery Guidance

CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2] 

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.

1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.

2. Download CISA’s recovery script and save it as /tmp/recover.sh.
For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh.

3. Give the script execute permissions: chmod +x /tmp/recover.sh

4. Navigate to the folder of a VM you would like to recover and run ls to view the files.

Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.

5. View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).

6. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously. 

a. If the VM is a thin format, run /tmp/recover.sh [name] thin.

b. If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.

7. If the script succeeded, re-register the VM.

a. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)

  • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html.
  • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html.
  • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.

b.    In the ESXi web interface, navigate to the Virtual Machines page.

  • If the VM you restored already exists, right click on the VM and select Unregister (see figure 1).
"Figure 1: Unregistering the virtual machine."
Figure 1: Unregistering the virtual machine.
  • Select Create / Register VM (see figure 2).
  • Select Register an existing virtual machine (see figure 2).
"Figure 2: Registering the virtual machine, selecting machine to register."
Figure 2: Registering the virtual machine, selecting machine to register.
  • Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).
"Figure 3: Registering the virtual machine, finalizing registration."
Figure 3: Registering the virtual machine, finalizing registration.
  • Select Next and Finish. You should now be able to use the VM as normal.

8.    Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online. 

Additional Incident Response

The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:

  1. Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
  2. Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.

If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.  

Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]

Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

CISA and FBI recommend all organizations: 

  • Temporarily remove connectivity for the associated ESXi server(s).
    • Upgrade your ESXi servers to the latest version of VMware ESXi software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are documented in VMware’s article, Build numbers and versions of VMware ESXi/ESX.
    • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, which ESXiArgs may leverage. For more information on executing workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on VMware ESXi
    • Ensure your ESXi hypervisor is not configured to be exposed to the public internet.

In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

 Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the NIST’s Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software [CPG 1.5].
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind [CPG 1.5].
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. 

Responding to Ransomware Incidents

If a ransomware incident occurs at your organization:

  • Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
  • Follow the notification requirements as outlined in your cyber incident response plan.
  • Report incidents to CISA at cisa.gov/report, FBI at a local FBI Field Office, or the U.S. Secret Service (USSS) at a USSS Field Office.
  • Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

Resources 

See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.

Acknowledgements

CISA and FBI would like to thank VMware for their contributions to this CSA.

Source…

Protecting Against Malicious Use of Remote Monitoring and Management Software

/in


The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.

The authoring organizations strongly encourage network defenders to review the Indicators of Compromise (IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of legitimate RMM software.

Download the PDF version of this report: pdf, 608 kb.

For a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).

Overview

In October 2022, CISA used trusted third-party reporting, to conduct retrospective analysis of EINSTEIN—a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected malicious activity on two FCEB networks:

  • In mid-June 2022, malicious actors sent a phishing email containing a phone number to an FCEB employee’s government email address. The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online.
  • In mid-September 2022, there was bi-directional traffic between an FCEB network and myhelpcare[.]cc.

Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other FCEB networks. The authoring organizations assess this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity reported by Silent Push in the blog post Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains.

Malicious Cyber Activity

The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email obtained from an FCEB network.

 

Help desk-themed phishing email example
Figure 1: Help deskthemed phishing email example

 

The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.

CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.

Note: Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.

CISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support themed social-engineering, e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc). According to Silent Push, some of these malicious domains impersonate known brands such as, Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[1] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional redirects and downloads of RMM software.

Use of Remote Monitoring and Management Tools

In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to “refund” this excess amount to the scam operator.
Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors. Network defenders should be aware that:

  • Although the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can maliciously leverage any legitimate RMM software.
  • Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies.
  • The use of RMM software generally does not trigger antivirus or antimalware defenses.
  • Malicious cyber actors are known to leverage legitimate RMM and remote desktop software as backdoors for persistence and for C2.[2],[3],[4],[5],[6],[7],[8]
  • RMM software allows cyber threat actors to avoid using custom malware.

Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers.

The authoring organizations strongly encourage network defenders to apply the recommendations in the Mitigations section of this CSA to protect against malicious use of legitimate RMM software.

INDICATORS OF COMPROMISE

See table 1 for IOCs associated with the campaign detailed in this CSA.

Table 1: Malicious Domains and IP addresses observed by CISA

Domain

Description

Date(s) Observed

win03[.]xyz

Suspected first-stage malware domain

June 1, 2022

July 19, 2022

myhelpcare[.]online

Suspected first-stage malware domain

June 14, 2022

 

win01[.]xyz

Suspected first-stage malware domain

August 3, 2022

August 18, 2022

myhelpcare[.]cc

Suspected first-stage malware domain

September 14, 2022

247secure[.]us

Second-stage malicious domain

October 19, 2022

November 10, 2022

 

Additional resources to detect possible exploitation or compromise:

The authoring organizations encourage network defenders to:

  • Implement best practices to block phishing emails. See CISA’s Phishing Infographic for more information.
  • Audit remote access tools on your network to identify currently used and/or authorized RMM software.
  • Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
  • Use security software to detect instances of RMM software only being loaded in memory.
  • Implement application controls to manage and control execution of software, including allowlisting RMM programs.
  • Require authorized RMM solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  • Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter. 
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.

RESOURCES

  • See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
  • U.S. Defense Industrial Base (DIB) Sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected].
  • CISA offers several Vulnerability Scanning to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.
  • Consider participating in CISA’s Automated Indicator Sharing (AIS) to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.

PURPOSE

This advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

Source…