Tag Archive for: actors

Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

/in


SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.

CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations.

For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515.[1] While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Overview

CVE-2023-22515 is a critical Broken Access Control vulnerability affecting the following versions of Atlassian Confluence Data Center and Server. Note: Atlassian Cloud sites (sites accessed by an atlassian.net domain), including Confluence Data Center and Server versions before 8.0.0, are not affected by this vulnerability.

  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. More specifically, threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint.

Considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts. Open source further indicates an Open Web Application Security Project (OWASP) classification of injection (i.e., CWE-20: Improper Input Validation) is an appropriate description.[2] Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day—a previously unidentified vulnerability.[1]

On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks.

Post-Exploitation: Exfiltration of Data

Post-exploitation exfiltration of data can be executed through of a variety of techniques. A predominant method observed involves the use of cURL—a command line tool used to transfer data to or from a server. An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. Note: This does not preclude the effectiveness of alternate methods, but highlights methods observed to date. Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line. Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point:

[s3]
type =
env_auth =
access_key_id =
secret_access_key =
region = 
endpoint =  
location_constraint =
acl =
server_side_encryption =
storage_class =
[minio]
type =
provider =
env_auth =
access_key_id =
secret_access_key =
endpoint =
acl =

The following User-Agent strings were observed in request headers. Note: As additional threat actors begin to use this CVE due to the availability of publicly posted proof-of-concept code, an increasing variation in User-Agent strings is expected:

  • Python-requests/2.27.1
  • curl/7.88.1

Indicators of Compromise

Disclaimer: Organizations are recommended to investigate or vet these IP addresses prior to taking action, such as blocking.

The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration:

  • 170.106.106[.]16
  • 43.130.1[.]222
  • 152.32.207[.]23
  • 199.19.110[.]14
  • 95.217.6[.]16 (Note: This is the official rclone.org website)

Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[3]

DETECTION METHODS

Network defenders are encouraged to review and deploy Proofpoint’s Emerging Threat signatures. See Ruleset Update Summary – 2023/10/12 – v10438.[4]

Network defenders are also encouraged to aggregate application and server-level logging from Confluence servers to a logically separated log search and alerting system, as well as configure alerts for signs of exploitation (as detailed in Atlassian’s security advisory).

INCIDENT RESPONSE

Organizations are encouraged to review all affected Confluence instances for evidence of compromise, as outlined by Atlassian.[1] If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions—these include but are not limited to exfiltration of content and system credentials, as well as installation of malicious plugins.

If a potential compromise is detected, organizations should:

  1. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
    • Note: Upgrading to fixed versions, as well as removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
    • Search and audit logs from Confluence servers for attempted exploitation.[2]
  2. Quarantine and take offline potentially affected hosts.
  3. Provision new account credentials.
  4. Reimage compromised hosts.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. State, local, tribal, and territorial governments should report incidents to the MS-ISAC ([email protected] or 866-787-4722).

MITIGATIONS

These mitigations apply to all organizations using non-cloud Atlassian Confluence Data Center and Server software. CISA, FBI, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to reduce the prevalence of Broken Access Control vulnerabilities, thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

As of October 10, 2023, proof-of-concept exploits for CVE-2023-22515 have been observed in open source publications.[5] While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development.

CISA, FBI, and MS-ISAC recommend taking immediate action to address the potential associated risks and encourage organizations to:

  • Immediately upgrade to fixed versions. See Atlassian’s upgrading instructions[6] for more information. If unable to immediately apply upgrades, restrict untrusted network access until feasible. Malicious cyber threat actors who exploit the affected instance can escalate to administrative privileges.
  • Follow best cybersecurity practices in your production and enterprise environments. While not observed in this instance of exploitation, mandating phishing-resistant multifactor authentication (MFA) for all staff and services can make it more difficult for threat actors to gain access to networks and information systems. For additional best practices, see:
    • CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures (TTPs). Because the CPGs are a subset of best practices, CISA recommends software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
    • Center for Internet Security’s (CIS) Critical Security Controls. The CIS Critical Security Controls are a prescriptive, prioritized, and simplified set of best practices that organizations can use to strengthen cybersecurity posture and protect against cyber incidents.

RESOURCES

REFERENCES

[1]   Atlassian: CVE-2023-22515 – Broken Access Control Vulnerability in Confluence Data Center and Server
[2]   Rapid7: CVE-2023-22515 Analysis
[3]   Microsoft: CVE-2023-22515 Exploit IP Addresses
[4]   Proofpoint: Emerging Threats Rulesets
[5]   Confluence CVE-2023-22515 Proof of Concept – vulhub
[6]   Atlassian Support: Upgrading Confluence

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, FBI, and MS-ISAC.

VERSION HISTORY

October 16, 2023: Initial version.

Source…

The Rise of Ransomware and Other Threat Actors

/in


When most attorneys think of cybersecurity, what often comes to mind are data breaches and ransomware—and that’s for good reason. In the last few months alone, major law firms such as Quinn Emanuel Urquhart & Sullivan, Bryan Cave Leighton Paisner, Gibson, Dunn & Crutcher, Loeb & Loeb and Orrick Herrington & Sutcliffe have all reported data breaches. The threat actors I mentioned in the first article are getting smarter, better and greedier. That’s why the first pillar in the White House’s National Cybersecurity Strategy is “defending critical infrastructure,” and the second is “disrupting and dismantling threat actors.”

Currently, regulatory gaps create an environment ripe for cybersecurity incidents, which is one reason the White House created the National Cybersecurity Strategy. And while this initiative is coming from the Biden Administration, it is not a political issue: This framework builds on the work of prior administrations, according to the White House. “It replaces the 2018 National Cyber Strategy but continues momentum on many of its priorities, including the collaborative defense of the digital ecosystem.” This is a regulatory issue and is designed to answer a glaring need in the market. Law firms, their clients and everyone else can expect to see historically federal cyber strategies and regulations start to flow down into the private sector, with new regulation inevitable.

Source…

Threat Actors Use Abnormal Certificates to Deliver Info-stealing Malware

/in


Threat Actors Use Abnormal Certificates to Deliver Info-stealing Malware

Malicious certificates can be highly dangerous as they can be used to deceive users into trusting malicious websites or software.

This can lead to various security threats, including:-

  • Data breaches
  • Malware infections
  • Phishing attacks
  • Compromise user privacy
  • Compromise system integrity

Cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) recently identified that threat actors are exploiting abnormal certificates to deliver info-stealing malware.

Document

FREE Demo

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware


Technical Analysis

Malicious code mimics certificates with randomly entered info, causing unusually long Subject and Issuer Names.

Certificate info remains hidden in Windows, which is only detectable with specific tools. So, the incorrect certificate and its information are useless for signature verification.

The signature uses non-English languages and special characters and shows little variation for over two months, suggesting a specific intention.

Signature information
Signature information (Source – ASEC)

The distributed sample is a URL-encoded malicious script that fails to download and execute Powershell commands, remaining inactive in the infection process.

Two distinct malware types with this distinctive appearance are distributed. And here below, we have mentioned them:

  • LummaC2: LummaC2 is the most adaptable malware in this distribution. Originally, it had self-contained malicious actions, but now it downloads configs from C2 and can install other malware like Amadey and Clipbanker.
  • RecordBreaker: RecoreBreaker, aka Raccoon Stealer V2, spreads through YouTube and other malware. It employs a unique User-Agent value like ‘GeekingToTheMoon’ when connecting to C2, but its functionality remains largely unchanged.

Both malware types excel in information theft, potentially exposing sensitive user data like browser…

Source…

People’s Republic of China-Linked Cyber Actors Hide in Router Firmware

/in


Executive Summary

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.

BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.

For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]

Download the PDF version of this report: PDF, 808 KB

Technical Details

This advisory uses the MITRE® ATT&CK® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.

Background

Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.

Observable TTPs

BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows®, Linux®, and FreeBSD® operating systems. Custom malware families employed by BlackTech include:

  • BendyBear [S0574]
  • Bifrose
  • BTSDoor
  • FakeDead (a.k.a. TSCookie) [S0436]
  • Flagpro [S0696]
  • FrontShell (FakeDead’s downloader module)
  • IconDown
  • PLEAD [S0435]
  • SpiderPig
  • SpiderSpring
  • SpiderStack
  • WaterBear [S0579]

BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002].

BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]

Pivoting from international subsidiaries

The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.

Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].

Maintaining access via stealthy router backdoors

BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.

In some cases, BlackTech actors replace the firmware for certain Cisco IOS®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router’s built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006], however, it is not always necessary.

BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].

Firmware replacement process

BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.

Table 1: File types to compromise the router

File Type

Description

Old Legitimate Firmware

The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader.

Modified Firmware

The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router.

Modified Bootloader

The bootloader allows Modified Firmware to continue evading the router’s security features for persistence across reboots. In some cases, only modified firmware is used.

BlackTech actors use the Cisco router’s CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows:

  1. Download old legitimate firmware.
  2. Set the router to load the old legitimate firmware and reboot with the following command(s):

    config t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]
    end
    write
    reload
  3. Download the modified bootloader and modified firmware.
  4. Set the router to load the modified firmware with the following command(s):
    conf t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]
    end
    write
  5. Load the modified bootloader (the router reboots automatically) with the following command:
    upgrade rom file bootloader
  6. Enable access by sending a trigger packet that has specific values within the UDP data or TCP Sequence Number field and the Maximum Segment Size (MSS) parameter within the TCP Options field.
Modified bootloader

To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.

Modified firmware

BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.

BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.

To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.

Detection and Mitigation Techniques

In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.

The following are the best mitigation practices to defend against this type of malicious activity:

  • Disable outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems.
    Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3]
  • Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.[4]
  • Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.[3]
  • Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.[3],[5]
  • When there is a concern that a single password has been compromised, change all passwords and keys.[3]
  • Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.[3]
  • Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.[3]
  • Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.[3]

Works Cited

[1]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF
[2]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
[3]    NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[4]    NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF 
[5]    Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.

Contact

NSA Cybersecurity Report Questions and Feedback: [email protected] 
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: [email protected] 
NSA Media Inquiries / Press Desk: 443-634-0721, [email protected]

U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected], cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office.

Appendix: MITRE ATT&CK Techniques

See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.

Table 2: BlackTech ATT&CK Techniques for Enterprise – Resource Development

Technique Title

ID

Use

Obtain Capabilities: Code Signing Certificates

T1588.003

BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.
Table 3: BlackTech ATT&CK Techniques for Enterprise – Initial Access

Technique Title

ID

Use

Initial Access

TA0001

BlackTech actors gain access to victim networks by exploiting routers.

Trusted Relationship

T1199

BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.
Table 4: BlackTech ATT&CK Techniques for Enterprise – Persistence

Technique Title

ID

Use

Persistence

TA0003

BlackTech actors gain persistent access to victims’ networks.

Traffic Signaling

T1205

BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.

Pre-OS Boot: ROMMONkit

T1542.004

BlackTech actors modify router firmware to maintain persistence.
Table 5: BlackTech ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title

ID

Use

Privilege Escalation

TA0004

BlackTech actors gain elevated privileges on a victim’s network.
Table 6: BlackTech ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title

ID

Use

Defense Evasion

TA0005

BlackTech actors configure their tools to evade detection by security software and EDR.

Modify Registry

T1112

BlackTech actors modify the victim’s registry.

Impair Defenses

T1562

BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.

Impair Defenses: Impair Command History Logging

T1562.003

BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.

Modify System Image: Patch System Image

T1601.001

BlackTech actors modify router firmware to evade detection.
Table 7: BlackTech ATT&CK Techniques for Enterprise – Discovery

Technique Title

ID

Use

Discovery

TA0007

BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information.
Table 8: BlackTech ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

BlackTech actors use RDP to move laterally across a victim’s network.

Remote Services: SSH

T1021.004

BlackTech actors use SSH to move laterally across a victim’s network.
Table 9: BlackTech ATT&CK Techniques for Enterprise – Command and Control

Technique Title

ID

Use

Command and Control

TA0011

BlackTech actors compromise and control a victim’s network infrastructure.

Application Layer Protocol: File Transfer Protocols

T1071.002

BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.

Proxy

T1090

BlackTech actors use compromised routers to proxy traffic.

Source…