CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See theBOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
https://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svg00SecureTechhttps://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svgSecureTech2024-08-14 13:30:052024-08-14 13:30:05CISA Adds Six Known Exploited Vulnerabilities to Catalog
The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju:
The RGB 3rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India. RGB 3rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities.
The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration.
The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.
The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections. While not exclusive, entities involved in or associated with the below industries and fields should remain vigilant in defending their networks from North Korea state-sponsored cyber operations:
Andariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa) is a North Korean state-sponsored cyber group, under the RGB 3rd Bureau, based in Pyongyang and Sinuiju. The authoring agencies assess the group has evolved from conducting destructive attacks targeting U.S. and South Korean organizations to conducting specialized cyber espionage and ransomware operations.
The actors currently target sensitive military information and intellectual property of defense, aerospace, nuclear, engineering organizations. To a lesser extent, the group targets medical and energy industries. See Table 1 for more victimology information.
Table 1. Andariel Cyber Espionage Victimology
Industry
Information Targeted
Defense
Heavy and light tanks and self-propelled howitzers
Light strike vehicles and ammunition supply vehicles
Fighter aircraft and unmanned aerial vehicles (UAVs)
Missiles and missile defense systems
Satellites, satellite communications, and nano-satellite technology
Surveillance radar, phased-array radar, and other radar systems
Nuclear
Uranium processing and enrichment
Material waste and storage
Nuclear power plants
Government nuclear facilities and research institutes
Engineering
Shipbuilding and marine engineering
Robot machinery and mechanical arms
Additive manufacturing and 3D printing components and technology
Casting, fabrication, high-heat metal molding, and rubber and plastic molding
Machining processes and technology
The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense programs.
This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.
Reconnaissance and Enumeration
While there is limited available information on the group’s initial reconnaissance methods, the actors likely identify vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers [T1595, T1592]. The actors gather open source information about their victims for use in targeting [T1591] and research Common Vulnerabilities and Exposures (CVEs) when published to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596]. CVEs researched include:
CVE-2023-46604 – Apache ActiveMQ
CVE-2023-42793 – TeamCity
CVE-2023-3519 – Citrix NetScaler
CVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM)
CVE-2023-34362 – MOVEIt
CVE-2023-33246 – RocketMQ
CVE-2023-32784 – KeePass
CVE-2023-32315 – Openfire
CVE-2023-3079 – Google Chromium V8 Type Confusion
CVE-2023-28771 and CVE-2023-33010 – Zyxell firmware
CVE-2023-2868 – Barracuda Email Security Gateway
CVE-2023-27997 – FortiGate SSL VPN
CVE-2023-25690 – Apache HTTP Server
CVE-2023-21932 – Oracle Hospitality Opera 5
CVE-2023-0669 – GoAnywhere MFT
CVE-2022-47966 – ManageEngine
CVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite
CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool
CVE-2022-25064 – TP-LINK
CVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS
CVE-2022-24785 – Moment.js
CVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere
CVE-2022-22965 – Spring4Shell
CVE-2022-22947 – Spring Cloud Gateway
CVE-2022-22005 – Microsoft SharePoint Server
CVE-2022-21882 – Win32k Elevation of Privilege
CVE-2021-44228 – Apache Log4j
CVE-2021-44142 – Samba vfs_fruit module
CVE-2021-43226, CEV-2021-43207, CVE-2021-36955 – Windows log file vulnerabilities
CVE-2021-41773 – Apache HTTP Server 2.4.49
CVE-2021-40684 – Talend ESB Runtime
CVE-2021-3018 – IPeakCMS 3.5
CVE-2021-20038 – SMA100 Apache httpd server (SonicWall)
Resource Development, Tooling, and Remote Access Tools
The actors leverage custom tools and malware for discovery and execution. Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement.
Atharvan
ELF Backdoor
Jupiter
MagicRAT
“No Pineapple”
TigerRAT
Valefor/VSingle
ValidAlpha
YamaBot
NukeSped
Goat RAT
Black RAT
AndarLoader
DurianBeacon
Trifaux
KaosRAT
Preft
Andariel Scheduled Task Malware
BottomLoader (see Cisco Talos blog Operation Blacksmith)
NineRAT (see Cisco Talos blog Operation Blacksmith)
DLang (see Cisco Talos blog Operation Blacksmith)
Nestdoor (see AhnLab blog)
These tools include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control (C2) [T1587.001, T1587.004]. The tools allow the actors to maintain access to the victim system with each implant having a designated C2 node.
Commodity Malware
Commodity malware is malicious software widely available for purchase or use and is leveraged by numerous different threat actors. The use of publicly available malware enables the actors to conceal and obfuscate their identities and leads to attribution problems. The authoring agencies are reliant on the use of custom malware and loaders, along with overlapping C2 nodes to attribute commodity malware to the actors. The actors have at times achieved great success leveraging just open source malware. The authoring agencies have identified the following open-source tools as used and/or customized by the actors:
Initial Access
The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library and other CVEs listed above, to deploy web shells and gain access to sensitive information and applications for further exploitation. The actors continue to breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted widespread activity against a number of different organizations simultaneously [T1190].
Execution
The actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration. While individual commands typically vary, the authoring agencies assess the actors prefer netstat commands, such as netstat –naop and netstat –noa [T1059]. Example commands used by the actors include the following:
These actors often make typos and other mistakes, indicating that the commands are not directly copied from a playbook and the actors have a flexible and impromptu approach. The typos also illustrate a poor grasp of the English language, including common errors such as “Microsoft Cooperation” (rather than “Microsoft Corporation”) found across numerous RGB 3rd Bureau malware samples.
Defense Evasion
The actors routinely pack late-stage tooling in VMProtect and Themida. Malicious tooling packed with these and other commercial tools have advanced anti-debugging and detection capabilities. These files are typically multiple megabytes in size and often contain unusual file section names such as vmp0 and vmp1 for VMProtect and Themida or randomized file section names for Themida [T1027].
Credential Access
The actors employ a multi-pronged approach to stealing credentials to gain additional access to systems, including the use of publicly available credential theft tools such as Mimikatz, ProcDump, and Dumpert and accessing the Active Directory domain database through targeting of the NTDS.dit file. The authoring agencies assess the actors change settings on compromised systems to force the system to store credentials and then use the aforementioned tools to steal credentials. In one instance, the actors used the vssadmin command-line utility to back up a volume to retrieve a copy of the NTDS.dit file containing Active Directory data. In another instance, the actors were observed collecting registry hive data for offline extraction of credentials [T1003].
Discovery
The actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and executing command line arguments to enumerate directories and files and compress output files. The tool collects the following information for each drive targeted on a system: depth relative to starting path, name, last write time, last access time, creation time, size, and attributes [T1087, T1083].
The actors also enumerate directories and files of connected devices using Server Message Block (SMB) protocol, which enables network file sharing and the ability to request services and programs from a network [T1021.002].
Lateral Movement
The actors also use system logging for discovery to move laterally. The group logs active window changes, clipboard data, and keystrokes and saves the collected logging information to the %Temp% directory.
The actors have also used Remote Desktop Protocol (RDP) to move laterally [T1021].
Command and Control
The actors leverage techniques and infrastructure positioned around the world to send commands to compromised systems. The actors disguise their malware within HTTP packets to appear as benign network traffic. They also use tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic over a variety of protocols from inside a network back to a C2 server. Tunneling enables the actors to perform C2 operations despite network configurations that would typically pose a challenge, such as the use of Network Address Translation (NAT) or traffic funneled through a web proxy [T1090, T1071].
Collection and Exfiltration
Malware previously used by the actors permitted placement and access to search through files that could be of interest, including scanning computer files for keywords related to defense and military sectors in English and Korean. The actors identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious tooling [T1560, T1039].
The actors typically exfiltrate data to web services such as cloud storage or servers not associated with their primary C2. Notably, the actors have been observed logging into actor-controlled cloud-based storage service accounts directly from victim networks to exfiltrate data [T1567]. The actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols [T1048].
The actors have also been identified staging files for exfiltration on victim machines, establishing Remote Desktop Protocol connections, and conducting HTTP GET requests on port 80 to receive information [T1021].
condition: uint16(0) == 0x5a4d and (any of ($handshake, $err_xor_str, $buf_add_cmp_1f) and any of ($hash_call_*)) or 2 of ($handshake, $err_xor_str, $buf_add_cmp_1f)
rule Andariel_Atharvan_3RAT { strings: $3RAT = “D:\\rang\\TOOL\\3RAT” $atharvan = “Atharvan_dll.pdb” condition: uint16(0) == 0x5a4d and any of them }
rule Andariel_LilithRAT_Variant { strings: // The following are strings seen in the open source version of Lilith $lilith_1 = “Initiate a CMD session first.” ascii wide $lilith_2 = “CMD is not open” ascii wide $lilith_3 = “Couldn’t write command” ascii wide $lilith_4 = “Couldn’t write to CMD: CMD not open” ascii wide
// The following are strings that appear to be unique to the Unnamed Trojan based on Lilith $unique_1 = “Upload Error!” ascii wide $unique_2 = “ERROR: Downloading is already running!” ascii wide $unique_3 = “ERROR: Unable to open file:” ascii wide $unique_4 = “General error” ascii wide $unique_5 = “CMD error” ascii wide $unique_6 = “killing self” ascii wide condition: uint16(0) == 0x5a4d and filesize }
rule Andariel_GoLang_validalpha_handshake { strings: $ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 03 00 00 00 } condition: all of them }
rule Andariel_GoLang_validalpha_tasks { strings: $ = “main.ScreenMonitThread” $ = “main.CmdShell” $ = “main.GetAllFoldersAndFiles” $ = “main.SelfDelete” condition: all of them }
rule Andariel_GoLang_validalpha_BlackString { strings: $ = “I:/01___Tools/02__RAT/Black” condition: uint16(0) == 0x5A4D and all of them }
rule INDICATOR_EXE_Packed_VMProtect { strings: $s1 = “.vmp0” fullword ascii $s2 = “.vmp1” fullword ascii condition: uint16(0) == 0x5a4d and all of them or for any i in (0 .. pe.number_of_sections) : ( ( pe.sections[i].name == “.vmp0” or pe.sections[i].name == “.vmp1” ) ) }
rule INDICATOR_EXE_Packed_Themida { strings: $s1 = “.themida” fullword ascii condition: uint16(0) == 0x5a4d and all of them or for any i in (0 .. pe.number_of_sections) : ( ( pe.sections[i].name == “.themida” ) ) }
rule Andariel_elf_backdoor_fipps { strings: $a = “found mac address” $b = “RecvThread” $c = “OpenSSL-1.0.0-fipps” $d = “Disconnected!” condition: (all of them) and uint32(0) == 0x464c457f }
rule Andariel_bindshell { strings: $str_comspec = “COMSPEC” $str_consolewindow = “GetConsoleWindow” $str_ShowWindow = “ShowWindow” $str_WSASocketA = “WSASocketA” $str_CreateProcessA = “CreateProcessA” $str_port = {B9 4D 05 00 00 89} condition: uint16(0) == 0x5A4D and all of them }
rule Andariel_grease2 { strings: $str_rdpconf = “c: \\windows\\temp\\RDPConf.exe” fullword nocase $str_rdpwinst = “c: \\windows\\temp\\RDPWInst.exe” fullword nocase $str_net_user = “net user” $str_admins_add = “net localgroup administrators” condition: uint16(0) == 0x5A4D and all of them }
rule Andariel_NoPineapple_Dtrack_unpacked { strings: $str_nopineapple = “” $str_qt_library = “Qt 5.12.10” $str_xor = {8B 10 83 F6 ?? 83 FA 01 77} condition: uint16(0) == 0x5A4D and all of them }
The authoring agencies recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity.
Log4Shell and Other Log4j Vulnerabilities
Defenders should consult the joint Cybersecurity Advisory titled “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” and CISA’s “Apache Log4j Vulnerability” guidance. Organizations can mitigate the risks posed by the vulnerability by identifying assets affected by Log4Shell and other Log4j-related vulnerabilities and upgrading Log4j assets and affected products to the latest version.
Note: CVE-2021-44228 ‘Log4Shell’ was disclosed in December 2021 and affects the Log4j library prior to version 2.17.0.
Defenders should remain alert to vendor software updates, and initiate hunt and incident response procedures to detect possible Log4Shell exploitation.
Web Shell Malware
Web shell malware is deployed by adversaries on a victim’s web server to execute arbitrary system commands. The NSA and Australian Signals Directorate’s report titled “Detect and Prevent Web Shell Malware” provides mitigating actions to identify and recover from web shells.
Preventing exploitation of web-facing servers often depends on maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs).
Endpoint Activity
Preventing and detecting further adversary activity should focus on deploying endpoint agents or other monitoring mechanisms, blocking unnecessary outbound connections, blocking external access to administrator panels and services or turning them off entirely, and segmenting the network to prevent lateral movement from a compromised web server to critical assets.
Command Line Activity and Remote Access
Monitoring for suspicious command-line activity, implementing multi-factor authentication for remote access services, and properly segmenting and using allow-listing tools for critical assets can protect against malicious activity by RGB 3rd Bureau’s Andariel group and other cyber threat actors.
Packing
Signatures for Themida, VMProtect and a number of other packers are available here, however, the signatures will not identify every file packed using these applications.
Check for security vulnerabilities, apply patches, and update to the latest version of software
Encrypt all sensitive data including personal information
Block access to unused ports
Change passwords when they are suspected of being compromised
Strengthen the subscriber identity authentication process for leased servers
DPRK Rewards for Justice
The U.S. and ROK Governments encourage victims to report suspicious activities, including those related to suspected DPRK cyber activities, to relevant authorities. If you provide information about illicit DPRK activities in cyberspace, including past or ongoing operations, you may be eligible for a reward. If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $10 million. For further details, please visit https://rewardsforjustice.net/.
Acknowledgements
Mandiant and Microsoft Threat Intelligence contributed to this CSA.
Disclaimer of Endorsement
Your organization has no obligation to respond or provide information in response to this product. If, after reviewing the information provided, your organization decides to provide information to the authorizing agencies, it must do so consistent with applicable state and federal law.
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or service by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the co-authors.
Trademark Recognition
Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at [email protected] or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/fieldoffices.
Republic of Korea organizations: If you suspect cyber incidents involving state actors, including Andariel, or discover similar cases, please contact the relevant authorities below.
National Intelligence Service: www.nis.go.kr, +82 111
The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
The actors use a connection proxy to direct network traffic between systems or act as intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
The actors tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.
The actors use a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
The actors attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its content on the system or in transit.
The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
The actors enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
https://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svg00SecureTechhttps://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svgSecureTech2024-07-25 23:30:052024-07-25 23:30:05North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats.
In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture.
During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase.
The red team’s findings underscored the importance of defense-in-depth and using diversified layers of protection. The organization was only able to fully understand the extent of the red team’s compromise by running full diagnostics from all data sources. This involved analyzing host-based logs, internal network logs, external (egress) network logs, and authentication logs.
The red team’s findings also demonstrated the value of using tool-agnostic and behavior-based indicators of compromise (IOCs) and of applying an “allowlist” approach to network behavior and systems, rather than a “denylist” approach, which predominantly results in an unmanageable amount of noise. The red team’s findings illuminated the following lessons learned for network defenders about how to reduce and respond to risk:
Lesson learned: The assessed organization had insufficient controls to prevent and detect malicious activity.
Lesson learned: The organization did not effectively or efficiently collect, retain, and analyze logs.
Lesson learned: Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
Lesson learned: A “known-bad” detection approach hampered detection of alternate TTPs.
To reduce risk of similar malicious cyber activity, CISA encourages organizations to apply the recommendations in the Mitigations section of this advisory, including those listed below:
Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions.
Use robust network segmentation to impede lateral movement across the network.
Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.
CISA recognizes that insecure software contributes to these identified issues and urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this CSA, including those listed below, to harden customer networks against malicious activity and reduce the likelihood of domain compromise:
Eliminate default passwords.
Provide logging at no additional charge.
Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents.
Download the PDF version of this report:
INTRODUCTION
CISA has authority to hunt for and identify, with or without advance notice to or authorization from agencies, threats and vulnerabilities within federal information systems (see generally 44 U.S.C. § 3553[b][7]). The target organization for this assessment was a large U.S. FCEB organization. CISA conducted the SILENTSHIELD assessment over an approximately eight-month period in 2023, with three of the months consisting of a technical collaboration phase:
Adversary Emulation Phase: The teamstarted byemulating a sophisticated nation-state actor by simulating known initial access and post-exploitation TTPs. The team’s goal was to compromise the assessed organization’s domain and identify attack paths to other networks. After completion of their initial objectives, the team diversified its deployed tools and tradecraft to mimic a wider and often less sophisticated set of threat actors to elicit network defender attention. CISA red team members did not clean up or delete system logs, allowing defenders to investigate all artifacts and identify the full scope of a breach.
Collaboration Phase: The SILENTSHIELD team met regularly with senior staff and technical personnel to discuss issues with the organization’s cyber defensive capabilities. During this phase, the team:
This advisory, drafted in coordination with the assessed organization, details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders recommendations for improving their organization’s defensive cyber posture. The advisory also provides recommendations to software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
During the Adversary Emulation phase, the red team gained initial access to the organization’s Solaris enclave by exploiting a known vulnerability in an unpatched web server. They gained separate access to the Windows environment by phishing and were able to compromise the full domain and its parent domain. See Figure 1 for a timeline of this assessment and the sections below for details on the team’s activity and TTPs.
Figure 1: SILENTSHIELD assessment timeline
Adversary Emulation Phase
Exploitation of the Solaris Enclave
Reconnaissance, Initial Access, and Command and Control
CISA’s red team used open source tools and third-party services to probe the organization’s internet-facing surface [T1594]. This included non-intrusive port scans for common ports and Domain Name System (DNS) enumeration [T1590.002]. These efforts revealed the organization’s web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. For three months the assessed organization failed to patch this vulnerability, and the team exploited it for initial access.
The exploit provided code execution on a backend application server (SERVER 1) that handled incoming requests from the public-facing web server. The red team used this exploit to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT enabled consistent command and control (C2) traffic [T1071.001].
Note: After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on Feb. 2, 2023.
Credential Access, Command and Control, and Privilege Escalation
Once on SERVER 1, the red team probed the host’s files and folder structure [T1005] and identified several old and globally accessible .tar backup files, which included a readable copy of an /etc/shadow file containing the hash for a privileged service account (ACCOUNT 1). The team quickly cracked the account’s weak password using a common wordlist [T1110.002]. They then established an outbound Secure Shell Protocol (SSH) connection over TCP port 80 and used a reverse tunnel to SSH back into SERVER 1, where they were prompted to reset ACCOUNT 1’s expired password [T1571] (see Figure 2). The team identified the account was enabled on a subset of containers, but it had not been actively used in a significant amount of time; the team changed this account’s password to a strong password.
Figure 2: Exploitation of the Solaris Enclave
The team discovered ACCOUNT 1 was a local administrator with sudo/root access and used it to move laterally (see the next section).
Lateral Movement and Persistence
Servers in the Solaris enclave did not use centralized authentication but had a mostly uniform set of local accounts and permissions [T1078.002]. This allowed the red team to use ACCOUNT 1 to move through much of the network segment via SSH [T1021.004].
Some servers allowed external internet access and the team deployed RATs on a few of these hosts for C2. They deployed several different RATs to diversify network traffic signatures and obfuscate the on-disk and in-memory footprints. These tools communicated to a red team redirector over TCP/443, through valid HTTPS messages, and over SSH through non-standard ports (80 and 443) [T1571]. Much of the traffic was not blocked by a firewall, and the organization lacked application layer firewalls capable of detecting protocol mismatches on common ports.
The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy [T1090] to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events (see Figure 3).
Figure 3: Example of Lateral Movement in the Solaris Enclave
Once on other internal hosts, the team data mined each for sensitive information and credentials. They obtained personally identifiable information (PII), shadow files, a crackable pass-phrase protected administrator SSH key, and a plaintext password [T1552.003] in a user’s .bash_history. These data mined credentials provided further avenues for unprivileged access through the network. The team also used SSH tunnels to remotely mount Network File System (NFS) file shares, spoofing uid and gid values to access all files and folders.
To protect against reboots or other disruptions, the team primarily persisted on hosts using the cron utility [T1053.003], as well as the at utility [T1053.002], to run scheduled tasks and blend into the environment. Additionally, SSH private keys provided persistent access to internal pivot hosts and would have continued to enable access even if passwords were rotated.
Full Enclave Compromise
Although ACCOUNT 1 allowed the team to move laterally to much of the Solaris enclave, the account did not provide privileged access to all hosts in the network because a subset of hosts had changed the password (which denied privileged access via that account). However, the team analyzed recent user logins using the last command and identified a network security appliance scanning service account (ACCOUNT 2) that logged in regularly to an internal host using password-based authentication. As part of its periodic vulnerability scanning, ACCOUNT 2 would connect to each host via SSH and run sudo with a relative path instead of the absolute path /usr/local/bin/sudo. The local path created a path hijack vulnerability, which allowed the red team to hijack the execution flow and capture the account’s password [T1574.007].
The harvested password granted unrestricted privileged access to the entire Solaris enclave.
Exploitation of the Windows Domain
While the compromise of the Solaris enclave facilitated months of persistent access to sensitive systems, including web applications and databases, it did not lead to the immediate compromise of the corporate Windows environment. Once in the Windows domain, the red team identified several service accounts with weak passwords. It is likely that an adversary could have continued the Solaris attack path through prolonged password spraying attacks, or by leveraging credentials obtained externally (e.g., dark web credential dumps) (see Figure 4).
Figure 4: Exploitation of Solaris enclave
The team exploited the Windows domain through other access vectors and eventually proved the undetected pivot between the domains could be made after they obtained Windows credentials.
Reconnaissance and Initial Access
While attempting to pivot into Windows from Solaris, the red team conducted open source information gathering about the organization. They harvested employee names [T1589.003] and used the information to derive email addresses based on the target’s email naming scheme. After identifying names, emails, and job titles, the team selected several phishing targets who regularly interacted with the public [T1591.004]. One user triggered a phishing payload that provided initial access to a workstation.
The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS. The team assessed what was running on the host in terms of antivirus (AV) and Endpoint Detection and Response (EDR) and used the implant to inject a more capable, full-fledged RAT directly into memory, which pointed to a separate redirector. The assessed organization’s tools failed to categorize C2 traffic as anomalous even when a bug in one of the implants caused 8 GB of continuous network traffic to flow in one afternoon.
Credentialed Access and Privilege Escalation
Internal network information was freely available to unprivileged, domain-joined users, and the team queried hundreds of megabytes of Active Directory (AD) data using a custom rewrite of dsquery.exe in .NET and Beacon Object File (BOF) ldapsearch from the phished user’s workstation. The team then data mined numerous internal file servers for accessible shares [T1083]. The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts (ACCOUNT 3) had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account (ACCOUNT 4) that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).
Lateral Movement and Persistence
The team used valid accounts and/or tokens with varied techniques for lateral movement. Techniques included scheduled task manipulation, service creation, and application domain hijacking [T1574.014]. For credential usage, the implemented IDM in the organization’s network hampered the red team’s ability to pivot as it blocked common credential manipulation techniques like pass-the-hash [T1550.002] and pass-the-ticket [T1550.003]. The red team found ways to circumvent the IDM, including using plaintext passwords to create genuine network logon sessions [T1134.003] for certain accounts not registered with the IDM, as well as impersonating the tokens of currently logged-in users to piggyback off valid sessions [T1134.001].
The red team tailored payloads to blend with the network’s environment and did not reuse IOCs like filenames or file hashes, especially for persisted implants. Remote queries for directory listings, scheduled tasks, services, and running processes provided the information for the red team to masquerade as legitimate activity [T1036.004].
The team emulated normal network activity by installing HTTPS beaconing agents on workstations where normal users browse the web, establishing internal network pivots with TCP bind and SMB listeners. They primarily relied on creating Windows services as their persistence mechanism.
The red team used the data mined credentials for ACCOUNT 3 to move laterally from the workstation to a SCOM server. Once there, using ACCOUNT 4, the team targeted a Systems Center Configurations Manager (SCCM) server, as it was an advantageous network vantage point. The SCCM server had existing logged-in server administrators whose usernames followed a predictable naming pattern (correlating administrative roles and privilege levels), allowing them to determine which account to use to pivot to other hosts.
The team targeted the organization’s jump servers frequented by highly privileged administrative accounts. Red team operators used stolen SCCM server administrator credentials to compromise one of the organization’s server-administrator jump hosts. They learned that the organization separated some, but not all, accounts onto separate jump servers by role (e.g., workstation administrators and server administrators had separate jump points, but server and domain administrators occasionally shared the same jump hosts). Once a domain administrator logged in, the red team stole the administrator’s session token and laterally moved to a domain controller where they pulled credentials for the entire domain via DCSync [T1003.006], obtaining full domain compromise (see Figure 5).
Figure 5: Exploitation of the Windows Domain
After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network. Remote administration and access of these critical systems should be restricted to designated, role-based accounts coming from specific network enclaves and/or workstations. Isolation with these access vector limitations protects them from compromise and sharply reduces the associated noise, allowing defenders to more easily identify abnormal behavior.
Pivoting Into External Trusted Partners
The team inspected the organization’s trust relationships with other organizational domains through LDAP [T1482] and identified connections to multiple external FCEB partner organizations, one of which they subsequently used to move laterally.
The team pulled LDAP information from PARTNER DC 1 and kerberoasted the domain, yielding one valid service account with a weak password they quickly cracked, but the team was unable to move laterally with this account because it lacked appropriate privileges. However, PARTNER 1 had trusted relationships with a second partner’s domain controller (PARTNER DC 2). Using the acquired PARTNER 1 credentials, the red team discovered PARTNER 2 also had a kerberoastable, highly privileged administrative service account whose password cracked, allowing the team to laterally move to a PARTNER 2 host from the original victim network (see Figure 6).
figure 6: path of exploitation into external fceb organizations
These cross-organizational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors.
Experimentation with access into trusted partner domains included the modification of local system firewall rules on the source domain controller to allow specific source and destination IPs. The organization’s host-based monitoring systems failed to identify the addition and removal of the red team’s firewall exceptions.
Defense Evasion Techniques
Solaris Enclave Figure 5: Exploitation of the Windows Domain
Due to the lack of application allowlisting, the red team regularly masqueraded as legitimate software to remain undetected by the organization’s network defenders [T1036]. Additionally, by default, command auditing in Solaris via the lastcomm command only captures the program being run—full file path and any command line arguments are not recorded. For example:
A real file: /opt/splunkforwarder/bin/splunkd
A malicious copy: /opt/splunkforwarder/splunkd
Command auditing logs: splunkd
The team also hid common artifacts to obfuscate their operational activity, including modifying file timestamps [T1070.006] and permissions with the touch and chmod/chown commands [T1222.002] to blend with other files in the environment.
Windows Domain
The team used a diverse range of accounts, backdoors, and C2 channels with different network footprints to obfuscate activity [T1027].
Diversification of account usage, backdoors, and C2 channels further obfuscated red team activity in the domain. Lateral movement to new hosts featured a variety of accounts to reduce the risk of detection. When harvesting credentials, the team selected several backup accounts for each role (e.g., server admin, workstation admin, domain admin, service accounts) in case the intended account was locked, disabled, or flagged as compromised.
To emphasize the value of tool-agnostic/behavior-based detections, the red team deployed over seven different implants to mimic real-world adversaries’ diverse use of open source, commercial off-the-shelf (COTS), and custom RATs. Each featured different host and network signatures to evade out-of-the-box EDR detections and every implant had unique artifacts both on-disk and in-memory. The team also evaded EDR/AV by using proprietary loaders and beacon object files (BOFs) to make direct API calls and allow self-injection of .NET executables to run additional capabilities.
All the deployed tools had different network C2 channel footprints. Some beaconing agents connected via HTTPS to legitimate domains owned by the red team. Others used domain fronting [T1090.004] to leverage common content delivery network (CDN) functionality. Outbound traffic sent to public websites not owned by the red team had a Host header that told the CDN provider it should redirect traffic to red-team-controlled IP addresses. Internal pivots used SMB on port 445 and TCP bind listeners on ephemeral high ports. The team tailored both to mimic named pipes and network connections already seen in the domain and evade detection.
Collaborative Phase
Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership. At this point, the organization had not submitted deconflictions and did not appear to be actively investigating CISA SILENTSHIELD assessment activity.
During this phase, CISA refrained from providing TTPs or IOCs (such as concrete hosts, filenames, or C2 domains) to allow the organization to develop and test its own detection metrics. The team held weekly discussions with the organization’s senior technical staff, SOC, and system administrators, which led to measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft. Specifically, the red team worked with the organization to assist them with synthesizing the following data sources to identify the extent of the red team’s compromise:
EDR alerts;
YARA scans;
C2 domains and techniques;
Internal pivot hosts;
Admin accounts used to pivot;
Memory dumps, revealing attempts to pass credentials; and
Email logs documenting the initial breach via phishing.
Every cyber threat actor has a unique set of TTPs. Nevertheless, nearly all adversaries perform the same basic steps:
Command execution (initial access and lateral movement);
Establish C2 channels and exfiltrate data;
Establish persistence;
Escalate privileges; and
Use and abuse credentials.
All TTPs have corresponding artifacts, but not all IOCs are created equal. Fixating on a hyper-focused set of IOCs can catch known threats but impedes efforts to identify unknown adversaries employing different TTPs.
Major themes discussed during this phase that improved the organization’s behavior-based detection capabilities included log collection, forensic analysis, relying on IOCs for detection, monitoring and investigation management, and Sysmon misconfigurations.
Log Collection
The assessed organizations had ineffective and insufficient logs, and network defenders were not using logs to proactively detect anomalous behavior. With the red team’s assistance, the organization identified logging issues caused by hardware failures, limited backups, network bandwidth, and limited log collection and retention policies (only 60–90 days). In other cases, critical data was captured but not analyzed because artifacts were moved to cold storage.
The organization’s network defenders identified procedural and other roadblocks when attempting to acquire new forensic data. For example, affected servers could not be taken offline for imaging because there was no process in place to do so without impacting the organization’s operations. Additionally, attempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses.
Forensic Analysis
Defenders did not monitor C2 egress via DNS. They believed their parent entity was monitoring their DNS traffic, absolving them of a need to collect and monitor logs for their analyses.
Forensic analysts blindly trusted the timestamps for files and persistence mechanisms without realizing they had been tampered with. Bogus times added to persistence mechanisms (such as scheduled tasks) led defenders to misjudge the timeline of the breach. Red team operators regularly adjusted the last-modified timestamp of files and folders—using either the native touch -r command or implants’ timestomp command to disguise the last-modified timestamp captured in the output of ls –la. Secondary file timestamps identified with ls -lu or ls -lc would have revealed abnormal file attributes, in addition to more reliable anomalies found during proper forensic investigation.
Reliance on Known IOCs
The red team used diversified TTPs in the Adversary Emulation phase to reflect the ability of cyber threat actors to bypass conventional, known-bad detection strategies. The network defenders did not detect much of the team’s activity. For example:
After identifying a red team payload, network defenders wrote tailored YARA rules that signatured specific behavior of the red team’s loader, which uncovered several similar payloads but failed to catch any of the other six C2 frameworks.
Organization network defenders used a combination of custom and open source detection rules (such as CommandLine=kerberoast* or files called bloodhound.zip) and did not detect the team’s kerberoasting activity.
Regular Monitoring and Investigation Management
Conversations with SOC leadership revealed several procedural issues that led to slow or incomplete analysis of the red team’s intrusion and activity. For example:
While EDR products detected and quarantined several of the red team’s tools, including the initial phishing payload, the organization’s daily procedures did not always include review of EDR alerts. The red team worked with the organization to ensure rapid response to EDR alerts became a fundamental part of network defenders’ daily workflows. This allowed SOC personnel to identify new attempts at lateral movement.
Solaris network owners discovered that several firewalls had inadvertently been misconfigured or disabled. The organization’s technical teams worked directly with the red team to fix errors and to reorganize and revalidate the network topology.
Network defenders had poor operational security and alerted the red team of investigations. For example:
In one instance, after receiving incoming beacons from what was evidently a sandboxed environment, the payload was not renamed from its original file, allowing the red team to immediately identify how much of their access was under scrutiny. Organizations must ensure sandboxed environments are safe, secure, and thoroughly sandboxed.
The red team observed system administrators reviewing forensic artifacts tied to the team’s Solaris payload—searching for files, running packet captures for outbound C2 traffic, and port scanning the C2 redirector. Team members simply reinstalled their persistence with a new redirector and file path, sidestepping the informal investigation.
IT teams were siloed from the SOC, who had no knowledge of the system administrator’s weeks long investigation into the anomalous network behavior.
While the organization compartmented most of its threat hunting and incident response in a separate domain, staff still used the compromised corporate domain accounts to communicate the details of active investigations and assessments.
Sysmon Misconfigurations
The red team had a productive exchange with the organization on their Sysmon configuration, which the team abused throughout the assessment. The red team identified several misconfigurations:
Deployment teams pushed the ruleset (stored as a .xml file) to a globally readable C:\Windows directory. There were no rules in place to catch adversaries reading the configurations from disk or the registry. As a result, CISA’s red team was provided explicit file paths to safely place their payloads.
Rules targeted a single, tool-specific IOC rather than a technique (e.g., sc.exe rather than service creation events).
Exceptions were overly permissive (for example, excluding all Image entries anywhere in C:\Program Files (x86)\Google\Update\*).
LESSONS LEARNED AND KEY FINDINGS
The red team noted the following lessons learned and key findings relevant to the security of the assessed organization’s network. These specific findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to address these findings.
Lesson Learned: The assessed organization had insufficient controls to prevent and detect malicious activity.
Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which failed to restrict outbound traffic. A majority of the organization’s hosts, including domain controllers, had internet connectivity to broad AWS EC2 ranges, allowing the red team to make outbound web requests without triggering IDS/IPS responses. These successful connections revealed the lack of an application layer firewall capable of detecting protocol mismatches on common ports.
Finding #2: The assessed organization had insufficient network segmentation.The lack of network segmentation allowed the red team to move into, within, and out of both the Solaris and Windows domain. This also enabled them to gather a massive amount of data about the organization and its systems. Internal servers could reach almost any other domain host, regardless of type (server vs. workstation), purpose (user laptop, file server, IDM server, etc.), or physical location. Use of network address translation (NAT) between different parts of the network further obfuscated data streams, hindering incident response.
Finding #3: The organization had trust relationships with multiple partner organizations, which—when combined with weak credentials and network connectivity—allowed the red team to exploit and move laterally to a partner domain controller. This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material.
Finding #4: The organization’s defensive staff did not sufficiently isolate their defensive investigative activity. Organizations should always communicate information pertaining to suspected incidents out-of-band, rather than from within a domain that they know to be compromised. While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server. Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation.
Finding #5: Network defenders were not familiar with the intricacies of their IDM solution. The CISA red team identified accounts not enrolled in the IDM and successfully used those and already existing user access tokens to bypass IDM. The appliance, in its active configuration, was not exhaustively tested against common credential manipulation techniques nor were any alerts on anomalous behavior being monitored.
Finding #6: The organization had some role-based host segmentation, but it was not granular enough. The organization used clearly defined roles (server administrator and domain administrator) but did not sufficiently segregate the accounts to their own servers or systems, enabling privilege escalation.
Lesson Learned: The organization did not effectively or efficiently collect, retain, and analyze logs.
Finding #7: Defensive analysts did not have the information they needed due to a combination of issues with collecting, storing, and processing logs. Other policies collected too much useless data, generating noise and slowing investigation.
Finding #8: Network defenders’ daily procedures did not always include analysis of EDR alerts, and the tools that were installed only provided a 30-day retention for quarantined files. Consequently, investigators were unable to access timely information that may have led to earlier detection of the red team’s activity.
Finding #9: Forensic analysts trusted host artifacts that could have been modified by an adversary. In particular, file timestamps and packet captures were scrutinized without considering the possibility of malicious tampering.
Lesson Learned: Bureaucratic communication and decentralized teams hindered the organization’s network defenders.
Finding #10: The organization’s technical staff were spread across decentralized teams. Siloed team structure meant that IT, security, and other technical teams lacked consistency with their tools, creating too much noise for defenders to sift through.
Finding #11: The SOC team lacked the agency to rapidly update or deploy rulesets through the fractured IT teams. The organization diffused responsibility for individual tools, such as Sysmon, across multiple groups, hampering timeliness and maintenance of a defensive posture.
Finding #12: The organization’s forensics team produced an incident response report which documented the red team’s initial exploitation of the Solaris enclave. However, the report was limited in scope and did not adequately document the red team’s ability to expand and persist. The success of the red team’s first phase, using publicly known TTPs, illustrated the business risk to all Solaris hosts and, by extension, the Windows environment. Moreover, the organization’s internal report only focused on vulnerable servers and did not account for a cyber threat actor’s ability to expand and persist in the Solaris enclave.
The Solaris administrator’s investigations of the red team failed to appear in either the report or in SOC deconflictions. An admin’s inquiry into unusual and probably malicious activity, particularly in the middle of an investigation of confirmed breaches of adjacent hosts, should have been considered in the report as evidence of lateral movement.
Lesson Learned: A “known-bad” detection approach hampered detection of alternate TTPs.
Finding #13: Defenders hyper-focused on specific IOCs, such as file attributes, particular C2 frameworks, or C2 domains. The organization’s network defenders did not initially employ tool-agnostic detections, causing them to positively identify some red team tools, but remain blind to the full extent of the compromise. They were accustomed to catching internal red teams that used specific TTPs; introducing a new “threat actor” with new TTPs sidestepped nearly all detections.
Finding #14: Detection rules were visible from compromised systems, allowing the red team to sidestep detections based on hardcoded rules and exceptions.
Finding #15: There was insufficient restriction of administrative tools. The technical staff lacked a standardized set of administrative tools, leaving all remote administration protocols available for use by admins, CISA red team, or adversaries. This also created excessive noise for defenders to effectively sift through to determine expected versus anomalous activity.
Finding #16: There was insufficient tracking of software. There was no apparent approval or tracking process for software installation across the domain, preventing defensive analysts from identifying abnormal software placed by the red team. A comprehensive inventory of approved software would help defenders identify abnormal behavior and facilitate the deployment of application allow-listing.
NOTED STRENGTHS
The assessed organization promptly planned for and resolved multiple identified issues, including with:
Windows service accounts: The organization eliminated over 30 percent of service accounts which were deemed unnecessary. There is an on-going effort to change service account passwords and apply DoD recommended STIG compliance (over 85 percent have been changed since the publication of this report).
IDM: The organization is looking into how to improve their IDM implementation and apply additional security alerts and preventions for possible misuse of credentials. They plan to implement additional identity-based monitoring capabilities in front of tier zero assets.
Egress: The organization implemented new processes to detect and prevent servers from anomalously egressing outside of the network to the internet.
Host-based solutions: The organization used additional features of their antivirus software, such as reputation scores, to look for all executable file type outliers of to identify anomalous instances.
Hosts: The organization decommissioned clusters of servers and completely rebuilt them from scratch after identifying numerous irreparable issues and misconfigurations.
Solaris credentials: The organization changed passwords, removed SSH keys, restricted permissions, and removed unnecessary accounts.
MITIGATIONS
Network Defenders
CISA recommends organizations implement the recommendations in Table 1 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Table 1: Recommendations to Mitigate Identified Issues
Finding
Recommendation
Inadequate firewall between perimeter and internal devices
Deploy internal and external network firewalls to inspect, log, and/or block unknown or unauthorized traffic.
Perform deep packet inspection to detect mismatched application traffic or encrypted data flows.
Restrict outbound internet egress to hosts whenever possible.
Establish a baseline of normal user activity, including unique IPs or domains.
Insufficient Network Segmentation
Apply the principle of least privilege to limit the exposure of systems and services in the demilitarized zone (DMZ).
Segment the DMZ based on the sensitivity of systems and services as well as the internal network [CPG 2.F].
Segment networks to protect assets and workstations from direct exposure to the internet by considering the criticality of the asset to business functions, sensitivity of the data traversing the asset, and requirements for internet access to the asset.
Implement and regularly test firewalls, access control lists, and intrusion prevention systems.
Take advantage of opportunities to create natural network segmentation. Securely configured VPNs used for remote laptops, for instance, create an easy place to filter and monitor incoming traffic.
Trust relationships between domains were overly permissive
Restrict network connectivity (ingress and egress) to only necessary services between trusted domains [CPG 2.E].
Regularly monitor privileged access via Foreign Security Principals (FSPs).
Conduct regular security audits and penetration testing by internal and external parties.
Develop and implement a comprehensive Incident Response Plan (IRP) and conduct regular drills and simulations [CPG 2.S].
IDM solutions were not fully understood and utilized
Enroll all accounts in IDM solutions and test against common credential manipulation techniques.
Integrate the IDM solution with other systems and applications, allowing for the streamlining of workflows.
Insufficient role-based host segmentation
Establish Role-Based Access Controls (RBAC) to systematically assign permissions based on job functions [CPG 2.E].
Implement a comprehensive security model incorporating micro-segmentation at the host level.
Failure to monitor EDR alerts daily
Develop and document Standard Operating Procedures (SOPs) for handling EDR alerts [CPG 5.A].
Establish and maintain incident response playbooks.
Conduct regular audits and reviews of the EDR alert handling process.
Host artifacts were overly trusted
Operationalize and deploy File Integrity Monitoring (FIM) solutions.
Regularly review and adjust access permissions, adhering to the principle of least privilege [CPG 2.E].
Establish proper forensic processes to ensure integrity.
Bureaucracy and decentralization of network defenders hampered communication and consistency
Introduce cross-training initiatives to cultivate a collaborative culture.
Encourage the establishment of cross-functional projects.
Utilize collaboration platforms that seamlessly integrate various tools and systems.
Insufficient internal incident response report
Promote a culture of ongoing improvement while also fostering a proactive approach among employees to promptly report suspicious activities.
Treat suspected incidents of compromise as a confirmed breach, and account for a threat actor’s ability to move laterally when defining the scope of incident response efforts.
Focus on known/common IOCs
Employ centralized logging and tool-agnostic detection methods.
Leverage threat intelligence feeds by integrating them into a SIEM tool.
Implement regular updates for IOCs and TTPs, with the capability for customization to address the specific threat landscape [CPG 3.A].
Detection rules were visible from compromised systems
Integrate runtime detection mechanisms while removing world-readable configuration files from installer deployments where applicable.
Insufficient restriction of admin tools
Enhance security posture by implementing application allowlisting to ensure only trusted and approved applications are permitted [CPG 2.Q].
Apply the principle of least privilege by granting users only the minimum level of access necessary to perform job functions.
Insufficient tracking of software
Conduct a comprehensive inventory of assets and establish a baseline for behavior [CPG 1.A].
Utilize a Software Asset Management (SAM) solution that offers comprehensive tracking, reporting, and compliance management capabilities.
Deploy automated discovery and monitoring tools to continuously scan and identify new and existing software.
CISA recommends organizations implement the recommendations in Table 2 to mitigate other identified issues that can be uncovered through traditional penetration tests or red team assessments.
Table 2: Recommendations to Mitigate Identified Issues
Issue
Recommendation
Accounts were overprivileged and the organization’s network contained unnecessary service accounts
Apply the principle of least privilege when assigning permissions to user accounts. Audit existing group memberships, strip unnecessary privileges, and prune unnecessary nested groups/users.
Monitor for account lockout, especially on administrative accounts, and switch to a manual account unlock policy.
Increase monitoring for higher-risk accounts, such as service accounts, that are highly privileged and have a predictable pattern of behavior (e.g., scans that reliably run at a certain hour of the day).
Privileged users should have dedicated role-based user accounts and associated jump hosts to log into critical resources.
Insufficient EDR configuration
Ensure all hosts have a form of EDR installed.
Deploy an EDR capable of catching commonly known obfuscation or execution techniques.
Insecure and insufficient credentials
Note: The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. CISA encourage all organizations to prioritize purchasing products from manufacturers who demonstrate secure by design principles, such as evidenced by follow-on publications from companies who have signed the Secure by Design Pledge.
Software Manufacturers
CISA recognizes that insecure software is the root cause of many flaws; the responsibility should not rest on the end user. CISA urges software manufacturers to implement the following:
Eliminate default passwordsand determine what password practices should be required (such as minimum password length and disallowing known breached passwords). Configure software to use more secure authentication schemes by default.
Provide logging at no additional charge. Cloud services and on-premises products should commit to generating and storing security related logs at no additional cost.
Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents. The goal is to develop logs that yield a comprehensive story of the event.
Remove unnecessary software dependencies. Unnecessary software increases the attack surface available to adversaries and may introduce additional vulnerabilities. Mitigating these additional vulnerabilities requires significant investment, consuming resources like time, technical personnel, and adding to the level of security effort.
These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 3–11).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
VERSION HISTORY
July 11, 2024: Initial version.
APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 3–11 for all referenced threat actor tactics and techniques in this advisory.
CISA’s red team used open source tools and services to probe the organization’s internet-facing presence and gather information, including names, roles, and contact information.
CISA’s red team collected the assessed organizations’ employee names to use their email addresses for specific targeting based on roles and responsibilities.
CISA’s red team inspected the assessed organization’s domain trust relationships through LDAP and identified potential connections in external organizations to which to move laterally.
The red team data mined numerous internal servers and discovered one misconfigured share that contained plaintext usernames and passwords for several privileged service accounts.
Table 7: Privilege Escalation
Technique Title
ID
Use
Hijack Execution Flow: Path Interception by PATH Environment Variable
The red team hijacked the execution flow of a program that used a relative path instead of an absolute path, which enabled the capture of the account’s password.
The red team’s operations were hindered by the organization’s IDM when it blocked the team’s attempts to bypass system access controls using different hash types for authentication.
Use Alternate Authentication Material: Pass the Ticket
CISA’s red team’s operations were hindered by the organization’s IDM when it blocked the team’s attempts to bypass system access controls using Kerberos tickets for authentication.
CISA’s red team searched each host for files containing sensitive or interesting information such as password hashes, account information, network configurations, etc.
The red team enumerated local files and running processes to gather information for their payloads and persistence mechanisms to appear as legitimate activity.
The red team modified file permissions with touch and chmod/chown commands to obfuscate their activity and blend in with other files in the environment.
https://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svg00SecureTechhttps://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svgSecureTech2024-07-11 10:30:062024-07-11 10:30:06CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.
The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well.
The authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting). This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.[1]
The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the case studies are naturally older in nature, to ensure organizations were given the necessary time to remediate.
APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks.
Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.
APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.
This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells [T1505.003] for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions—regardless of the extent of compromise or further actions taken.
Although APT40 has previously used compromised Australian websites as command and control (C2) hosts for its operations, the group have evolved this technique [T1594].
APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.
Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic and challenge network defenders [T1001.003].
APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.
ASD’s ACSC are sharing some of the malicious files identified during the investigations outlined below. These files have been uploaded to VirusTotal to enable the wider network defense and cyber security communities to better understand the threats they need to defend against.
ASD’s ACSC are sharing two anonymized investigative reports to provide awareness of how the actors employ their tools and tradecraft.
Executive Summary
This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organization’s network between July and September 2022. This investigative report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.
In mid-August, the ASD’s ACSC notified the organization of malicious interactions with their network from a likely compromised device being used by the group in late August and, with the organization’s consent, the ASD’s ACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, the ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of observed events.
From July to August, key actor activity observed by the ASD’s ACSC included:
Host enumeration, which enables an actor to build their own map of the network;
Web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and
Deployment of other tooling leveraged by the actor for malicious purposes.
The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actors moved laterally through the network [T1021.002]. Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be used to arbitrarily upload files. Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow the actors to regain unauthorized access if the original access vector was blocked. No additional malicious tooling was discovered beyond those on the initially exploited machine; however, a group’s access to legitimate and privileged credentials would negate the need for additional tooling. Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a publicly known vulnerability.
Investigation Findings
In mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at least July and August. The compromised device probably belonged to a small business or home user.
In late August, the ASD’s ACSC deployed a host-based agent to hosts on the organization’s network which showed evidence of having been impacted by the compromise.
Some artefacts which could have supported investigation efforts were not available due to the configuration of logging or network design. Despite this, the organization’s readiness to provide all available data enabled ASD’s ACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40 activity on the network.
In September, after consultation with the ASD’s ACSC, the organization decided to denylist the IP identified in the initial notification. In October, the organization commenced remediation.
Details
Beginning in July, actors were able to test and exploit a custom web application [T1190] running on 2-ext, which enables the group to establish a foothold in the network demilitarized zone (DMZ). This was leveraged to enumerate both the network as well as all visible domains. Compromised credentials [T1078.002] were used to query the Active Directory [T1018] and exfiltrate data by mounting file shares [T1039] from multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid network credentials from a server [T1558.003]. The group were not observed gaining any additional points of presence in either the DMZ or the internal network.
Visual Timeline
The below timeline provides a broad overview of the key phases of malicious actor activity observed on the organization’s network.
Detailed Timeline
July: The actors established an initial connection to the front page of a custom web application [T1190] built for the organization (hereafter referred to as the “web application” or “webapp”) via a transport layer security (TLS) connection [T1102]. No other noteworthy activity was observed.
July: The actors begin enumerating the web application’s website looking for endpoints[2] to further investigate.
July: The actors concentrate on attempts to exploit a specific endpoint.
July: The actors are able to successfully POST to the web server, probably via a web shell placed on another page. A second IP, likely employed by the same actors, also begins posting to the same URL. The actors created and tested a number of likely web shells.
The exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files on 2-ext.
ASD’s ACSC believes that the two IP address connections were part of the same intrusion due to their shared interest and initial connections occurring minutes apart.
July: The group continue to conduct host enumeration, looking for privilege escalation opportunities, and deploying a different web shell. The actors log into the web application using compromised credentials for @.
The actors’ activity does not appear to have successfully achieved privilege escalation on 2-ext. Instead, the actors pivoted to network-based activity.
July: The actor tests the compromised credentials for a service account[3] which it likely found hardcoded in internally accessible binaries.
July: The actors deploy the open-source tool Secure Socket Funnelling, which was used to connect out to the malicious infrastructure. This connection is employed to tunnel traffic from the actor’s attack machines into the organization’s internal networks, whose machine names are exposed in event logs as they attempt to use the credentials for the service account.
August: The actors are seen conducting a limited amount of activity, including failing to establish connections involving the service account.
August: The actors perform significant network and Active Directory enumeration. A different compromised account is subsequently employed to mount shares[4] on Windows machines within the DMZ, enabling successful data exfiltration.
This seems to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked the actor from targeting the internal network with similar activity.
August – September: The SSF tool re-established a connection to a malicious IP. The group are not observed performing any additional activities until their access is blocked.
September: The organization blocks the malicious IP by denylisting it on their firewalls.
Actor Tactics and Techniques
The MITRE ATT&CK framework is a documented collection of tactics and techniques employed by threat actors in cyberspace. The framework was created by U.S. not-for-profit The MITRE Corporation and functions as a common global language around threat actor behavior.
The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:
The actor enumerated the custom web application’s website to identify opportunities for accessing the network.
Initial Access
T1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)
T1078.002 – Valid Accounts: Domain Accounts (regarding logging on with comprised credentials)
Exploiting internet-exposed custom web applications provided an initial point of access for the actor. The actor was later able to use credentials they had compromised to further their access to the network.
Execution
T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)
T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)
Persistence
T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)
Credential Access
T1552.001 – Credentials from Password Stores (regarding password files relating to building management system [BMS])
T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)
Lateral movement
T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)
Collection
T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)
Exfiltration
T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)
Case Study 2
This report has been anonymized to enable wider dissemination. The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.
Executive Summary
This report details the findings of ASD’s ACSC investigation into the successful compromise of the organization’s network in April 2022. This investigation report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.
In May 2022, ASD’s ACSC notified an organization of suspected malicious activity impacting the organization’s network since April 2022. Subsequently, the organization informed ASD’s ACSC that they had discovered malicious software on an internet‑facing server which provided the login portal for the organization’s corporate remote access solution. This server used a remote access login and identity management product and will be referred to in this report as ‘the compromised appliance’. This report details the investigation findings and remediation advice developed for the organization in response to the investigation conducted by the ASD’s ACSC.
Evidence indicated that part of the organization’s network had been compromised by malicious cyber actor(s) via the organization’s remote access login portal since at least April 2022. This server may have been compromised by multiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely publicized around the time of the compromise.
Key actor activity observed by the ASD’s ACSC included:
Host enumeration, which enables an actor to build their own map of the network;
Exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands;
Exploitation of software vulnerabilities to escalate privileges; and
Credential collection to enable lateral movement.
The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions. Upon a review by the organization, the passwords were found to be legitimate. The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organization’s internal corporate network using a legitimate user account.
Investigation Summary
The ASD’s ACSC determined that the actor compromised appliance(s) which provide remote login sessions for organization staff and used this compromise to attempt to conduct further activity. These appliances consist of three load-balanced hosts where the earliest evidence of compromise was detected. The organization shut down two of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity occurred on a single host. The other servers associated with the compromised appliance were also load-balanced in a similar manner. For legibility, all compromised appliances are referred to in most of this report as a “single appliance.”
The actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated privileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of logging availability. However, evidence on the device indicates that an actor achieved the following:
The collection of several hundred genuine username and password pairs; and
The collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user.
The ASD’s ACSC assesses that the actor would have sought to further the compromise of the organisation network. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions as a legitimate user, possibly as a user of their choice, including administrators. The actor may have used this access vector to further compromise organization services to achieve persistence and other goals.
Other organization appliances within the hosting provider managed environment did not show evidence of compromise.
Access
The host with the compromised appliance provided authentication via Active Directory and a webserver, for users connecting to VDI sessions [T1021.001].
Location
Compromised appliance hostnames (load-balanced)
Datacentre 1
HOST1, HOST2, HOST3
The appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once they possess an authentication token generated and downloaded from the appliance.
There was no evidence of compromise of any of these hosts. However, the access gateway hosts logs showed evidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that occurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of this activity could not be determined using available evidence but indicates that the group sought to move laterally in the organization’s network [TA0008].
Internal Hosts
The ASD’s ACSC investigated limited data from the internal organization’s network segment. Attempted or successful malicious activity known to have impacted the internal organization’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances [TA0011].
Using their access to the compromised appliance, the group collected genuine usernames, passwords [T1003], and MFA token values [T1111]. The group also collected JSON Web Tokens (JWTs) [T1528], which is an authentication artefact used to create virtual desktop login sessions. The actor may have been able to use these to create or hijack virtual desktop sessions [T1563.002] and access the internal organization network segment as a legitimate user [T1078].
The actor also used access to the compromised appliance to scrape an SQL server [T1505.001], which resided in the organization’s internal network. It is likely that the actor had access to this data.
Evidence available from the access gateway appliance revealed that network traffic occurred through or to this device from known malicious IP addresses. As described above, this may indicate that malicious cyber actors impacted or utilized this device, potentially to pivot into the internal network.
Investigation Timeline
The below list provides a timeline of key activities discovered during the investigation.
Time
Event
April 2022
Known malicious IP addresses interact with access gateway host HOST7. The nature of the interactions could not be determined.
April 2022
All hosts, HOST1, HOST2 and HOST3, were compromised by a malicious actor or actors, and web shells were placed on the hosts.
A log file was created or modified on HOST2. This file contains credential material likely captured by a malicious actor.
The /etc/security/opasswd and /etc/shadow files were modified on HOST1 and HOST3, indicating that passwords were changed. Evidence available on HOST1 suggests that the password for user ‘sshuser’ was changed.
April 2022
HOST2 was shut down by the organization.
Additional web shells (T1505.003) were created on HOST1 and HOST3. HOST1experienced SSH brute force attempts from HOST3.
A log file was modified (T1070) on HOST3. This file contains credential material (T1078) likely captured by a malicious actor.
JWTs were captured (T1528) and output to a file on HOST3.
HOST3 was shut down by the organization. All activity after this time occurs on HOST1.
April 2022
Additional web shells were created on HOST1 (T1505.003). JWTs were captured and output to a file on HOST1.
April 2022
Additional web shells are created on HOST1 (T1505.003), and a known malicious IP address interacts with the host (TA0011).
A known malicious IP address interacts with access gateway host HOST7.
May 2022
A known malicious IP address interacted with access gateway host HOST7 (TA0011).
An authentication event for a user is linked to a known malicious IP address in logs on HOST1. An additional web shell is created on this host (T1505.003).
May 2022
A script on HOST1 was modified by an actor (T1543). This script contains functionality which would have scraped data from an internal SQL server.
May 2022
An additional log file on HOST1 was last modified (T1070). This file contains username and password pairs for the organization network, which are believed to be legitimate (T1078).
May 2022
An additional log file was last modified (T1070). This file contains JWTs collected from HOST1.
May 2022
Additional web shells were created on HOST1 (T1505.003). On this date, the organization reported the discovery of a web shell with creation date in April 2022 to ASD’s ACSC
May 2022
A number of scripts were created on HOST1, including one named Log4jHotPatch.jar.
May 2022
The iptables-save command was used to add two open ports to the access gateway host. The ports were 9998 and 9999 (T1572).
Actor Tactics and Techniques
Highlighted below are several tactics and techniques identified during the investigation.
The group likely exploited RCE, privilege escalation, and authentication bypass vulnerabilities in the remote access login and identity management product to gain initial access to the network.
This initial access method is considered the most likely due to the following:
The server was vulnerable to these CVEs at the time;
Attempts to exploit these vulnerabilities from known actor infrastructure; and
The first known internal malicious activity occurred shortly after attempted exploitation attempts were made.
Execution
T1059.004 Command and Scripting Interpreter: Unix Shell
The group successfully exploited the above vulnerabilities may have been able to run commands in a Unix shell available on the affected appliance.
Complete details of the commands run by actors cannot be provided as they were not logged by the appliance.
Actors deployed several web shells on the affected appliance. It is possible that multiple distinct actors deployed web shells, but that only a smaller number of actors conducted activity using these web shells.
Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.
Available evidence does not describe the level of privilege attained by actors. However, using web shells, the actors would have achieved a level of privilege comparable to that of the web server on the compromised appliance. Vulnerabilities believed to have been present on the compromised appliance
would have allowed the actors to attain root privileges.
Evidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are believed to be legitimate. It is likely that these were captured using some modification to the genuine authentication process which output the credentials to a file.
T1111 Multi-Factor Authentication Interception The actor also captured the value of MFA tokens
corresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to output these values to a file. There is no evidence of compromise of the “secret server’ which stores the unique values that provide for the security of MFA tokens.
The actor is believed to have captured JWTs by capturing HTTP traffic on the compromised appliance. There is evidence that the utility tcpdump was executed on the compromised appliance, which may have been how the actor captured these JWTs.
As described above, the actor captured JWTs, which are analogous to web session cookies. These could have been reused by the actor to establish further access.
There is evidence that network scanning utility nmap was executed on the compromised appliance to scan other appliances in the same network segment. This was likely used by the actor to discover other reachable network services which might present opportunities for lateral movement.
Collection
Available evidence does not reveal how actors collected data or exactly what was collected from the compromised appliance or from other systems. However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs described above.
Command and Control
T1071.001 Application Layer Protocol: Web Protocols
Actors used web shells for command and control. Web shell commands would have been passed over HTTPS using the existing web server on the appliance [T1572].
T1001.003 Data Obfuscation: Protocol Impersonation
Actors used compromised devices as a launching point for attacks that are designed to blend in with legitimate traffic.
Detection and mitigation recommendations
The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for network security actions that should be taken to detect and prevent intrusions by APT40, followed by specific mitigations for four key TTPs summarized in Table 1.
Detection
Some of the files identified above were dropped in locations such as C:\Users\Public\* and C:\Windows\ Temp\*. These locations can be convenient spots for writing data as they are usually world writable, that is, all user accounts registered in Windows have access to these directories and their subdirectories. Often, any user can subsequently access these files, allowing opportunities for lateral movement, defense evasion, low-privilege execution and staging for exfiltration.
The following Sigma rules look for execution from suspicious locations as an indicator of anomalous activity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.
Title: World Writable Execution – Temp
ID: d2fa2d71-fbd0-4778-9449-e13ca7d7505c
Description: Detect process execution from C:\ Windows\Temp.
Background: This rule looks specifically for execution out of C:\ Windows\Temp\*. Temp is more broadly used by benign applications and thus a lower confidence malicious indicator than execution out of other world writable subdirectories in C:\Windows.
Removing applications executed by the SYSTEM or NETWORK SERVICE users substantially reduces the quantity of benign activity selected by this rule.
This means that the rule may miss malicious executions at a higher privilege level but it is recommended to use other rules to determine if a user is attempting to elevate privileges to SYSTEM.
Investigation:
Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
condition: temp and not (common_temp_path or system_user or dismhost or known_parent)
False positives:
Allowlist auditing applications have been observed running executables from Temp.
Temp will legitimately contain an array of setup applications and launchers, so it will be worth considering how prevalent this behavior is on a monitored network (and whether or not it can be allowlisted) before deploying this rule.
Level: low
Title: World Writable Execution – Non-Temp System Subdirectory
ID: 5b187157-e892-4fc9-84fc-aa48aff9f997
Description: Detect process execution from a world writable location in a subdirectory of the Windows OS install location.
Background:
This rule looks specifically for execution out of world writable directories within C:\ and particularly C:\Windows\*, with the exception of C:\Windows\Temp (which is more broadly used by benign applications and thus a lower confidence malicious indicator).
AppData folders are excluded if a file is run as SYSTEM – this is a benign way in which many temporary application files are executed.
After completing an initial network baseline and identifying known benign executions from these locations, this rule should rarely fire.
Investigation:
Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
appdata: Image|contains: ‘\\AppData\\’ User: ‘SYSTEM’ condition: writable_path and not appdata
False positives:
Allowlist auditing applications have been observed running executables from these directories.
It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in one of these directories and should be addressed on a case-by-case basis.
Level: high
Title: World Writable Execution – Users
ID: 6dda3843-182a-4214-9263-925a80b4c634
Description: Detect process execution from C:\Users\Public\* and other world writable folders within Users.
Background:
AppData folders are excluded if a file is run as SYSTEM – this is a benign way in which many temporary application files are executed.
Investigation:
Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file.
Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious.
If necessary attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
appdata: Image|contains: ‘\\AppData\\’ User: ‘SYSTEM’ condition: users and not appdata
False positives:
It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.
Level: medium
Mitigations
Logging
During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs.
Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralised patch management system to automate and expedite the process. ASD’s ACSC recommend implementation of the ISM’s Guidelines for System Management, specifically, the System Patching controls where applicable.
Most exploits utilized by the actor were publicly known and had patches or mitigations available.
Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.
Network Segmentation
Network segmentation can make it significantly more difficult for adversaries to locate and gain access to an organizations sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or “jump servers.” These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them.
Regardless of instances identified where lateral movement is prevented, additional network segmentation could have further limited the amount of data the actors were able to access and extract.
Additional Mitigations
The authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.
Disable unused or unnecessary network services, ports and protocols.
Use well-tuned Web application firewalls (WAFs) to protect webservers and applications.
Enforce least privilege to limit access to servers, file shares, and other resources.
Use multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including:
For additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT&CK technique web page for each of the techniques identified in the MITRE ATT&CK summary at the end of this advisory.
Reporting
Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.
Canadian organizations: report incidents by emailing CCCS at [email protected].
New Zealand organizations: report cyber security incidents to [email protected] or call 04 498 7654.
United Kingdom organizations: report a significant cyber security incident at National Cyber Security Centre (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
U.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected] or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.
MITRE ATT&CK – Historical APT40 Tradecraft of Interest
https://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svg00SecureTechhttps://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svgSecureTech2024-07-09 08:00:072024-07-09 08:00:07People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action