Feed aggregator

AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector

US-CERT - Wed, 2020-10-28 16:07
Original release date: October 28, 2020
Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

Click here for a PDF version of this report.

Key Findings
  • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
  • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

 

Technical DetailsThreat Details

Since 2016, the cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. What began as a banking trojan and descendant of Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk. In early 2019, the FBI began to observe new Trickbot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.
Anchor_DNS is a backdoor that allows victim machines to communicate with command and control (C2) servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic.

Trickbot Indicators of Compromise

After successful execution of the malware, Trickbot copies itself as an executable file with a 12-character (includes .exe), randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.

  • C:\Windows\
  • C:\Windows\SysWOW64\
  • C:\Users\[Username]\AppData\Roaming\

The malware may also drop a file named anchorDiag.txt in one of the directories listed above.

Prior to initiating communications with the C2 server, the malware uses an infection marker of Global\fde345tyhoVGYHUJKIOuy, typically found in the running memory of the victim machine.

Part of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded GUID. The GUID is composed of /GroupID/ClientID/ with the following naming convention:

/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/.

The malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. The scheduled task typically uses the following naming convention.

[random_folder_name_in_%APPDATA%_excluding_Microsoft]

autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876).

After successful execution, Anchor_DNS further deploys malicious batch scripts (.bat) using PowerShell commands.

The malware deploys self-deletion techniques by executing the following commands.

  • cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
  • cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

The following domains found in outbound DNS records are associated with Anchor_DNS.

  • kostunivo[.]com
  • chishir[.]com
  • mangoclone[.]com
  • onixcellent[.]com

This malware used the following legitimate domains to test internet connectivity.

  • ipecho[.]net
  • api[.]ipify[.]org
  • checkip[.]amazonaws[.]com
  • ip[.]anysrc[.]net
  • wtfismyip[.]com
  • ipinfo[.]io
  • icanhazip[.]com
  • myexternalip[.]com

The Anchor_DNS malware historically used the following C2 servers.

  • 23[.]95[.]97[.]59
  • 51[.]254[.]25[.]115
  • 193[.]183[.]98[.]66
  • 91[.]217[.]137[.]37
  • 87[.]98[.]175[.]85
Ryuk Ransomware

Typically Ryuk has been deployed as a payload from banking Trojans such as Trickbot. (See the United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally, on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the files have .ryuk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.

While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.

Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management , and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.

Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The RyukReadMe file placed on the system after encryption provides either one or two email  addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes contact.

The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.

Initial testing indicates that the RyukReadMe file does not need to be present for the decryption script to run successfully but other reporting advises some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the RyukReadMe file is deleted when the script is finished. This may affect the decryption script unless it is saved and stored in a different location before running.

According to MITRE, Ryuk uses the ATT&CK techniques listed in table 1.

Table 1: Ryuk ATT&CK techniques

Technique Use System Network Configuration Discovery [T1016] Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries. 

Masquerading: Match Legitimate Name or Location [T1036.005]

Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.  Process Injection [T1055] Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.  Process Discovery [T1057] Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.  Command and Scripting Interpreter: Windows Command Shell [T1059.003] Ryuk has used cmd.exe to create a Registry entry to establish persistence.  File and Directory Discovery [T1083] Ryuk has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type. Native API [T1106] Ryuk has used multiple native APIs including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.  Access Token Manipulation [T1134] Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.  Data Encrypted for Impact [T1486] Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.  Service Stop [T1489] Ryuk has called kill.bat for stopping services, disabling services and killing processes.  Inhibit System Recovery [T1490] Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1047.001] Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Impair Defenses: Disable or Modify Tools [T1562.001] Ryuk has stopped services related to anti-virus.

 

Mitigations

For a downloadable copy of IOCs, see AA20-302A.stix.

Plans and Policies

CISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.

Network Best Practices
  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
User Awareness Best Practices
  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
Recommended Mitigation Measures

System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data. Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a Trickbot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs.

GENERAL RANSOMWARE MITIGATIONS — HPH SECTOR

This section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)'s Joint Ransomware Guide, which can be found at https://www.cisa.gov/publication/ransomware-guide.
CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response meaures immediately.

Ransomware Prevention Join and Engage with Cybersecurity Organizations

CISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:

Join a healthcare information sharing organization, H-ISAC:

  • Health Information Sharing and Analysis Center (H-ISAC): https://h-isac.org/membership-account/join-h-isac/
  • Sector-based ISACs - National Council of ISACs: https://www.nationalisacs.org/member-isacs
  • Information Sharing and Analysis Organization (ISAO) Standards Organization: https://www.isao.org/information-sharing-groups/

Engage with CISA and FBI, as well as HHS—through the HHS Health Sector Cybersecurity Coordination Center (HC3)—to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises.

  • CISA: cisa.gov, https://us-cert.cisa.gov/mailing-lists-and-feeds, central@cisa.gov  
  • FBI: ic3.gov, www.fbi.gov/contact-us/field , CyWatch@fbi.gov
  • HHS/HC3: http://www.hhs.gov/hc3, HC3@HHS.gov

Engaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.

Follow Ransomware Best Practices

Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.

  • It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.
    • Use the 3-2-1 rule as a guideline for backup practices. The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.
    • Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
    • Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.
      • Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
      • Ensure all backup hardware is properly patched.
  • In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
    • Review available incident response guidance, such as CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity  https://us-cert.cisa.gov/ncas/alerts/aa20-245a.
  • Help your organization better organize around cyber incident response.
  • Develop a cyber incident response plan.
  • The Ransomware Response Checklist, available in the CISA and MS-ISAC Joint Ransomware Guide, serves as an adaptable, ransomware- specific annex to organizational cyber incident response or disruption plans.
  • Review and implement as applicable MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf).
  • Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.
  • Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following:
    • Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.
    • Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.
    • Coordinate the potential for surge support with other healthcare facilities in the greater local area. This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant amount of critical patients for immediate care. This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.
  • Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if the primary network becomes unavailable if/when needed.
  • Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.
  • Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.
  • See CISA and MS-ISAC's Joint Ransomware Guide for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.
  • HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at http://www.hhs.gov/hc3.
Hardening Guidance
  • The Food and Drug Administration provides multiple guidance documents regarding the hardening of healthcare and specifically medical devices found here: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.
  • See CISA and MS-ISAC's Joint Ransomware Guide for additional in-depth hardening guidance.
Contact CISA for These No-Cost Resources
  • Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.
  • Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: https://www.cisa.gov/cyber-resource-hub.
    • Assessments include Vulnerability Scanning and Phishing Campaign Assessment.
  • Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.
  • CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.
  • Contacts:
    • SLTT organizations: CyberLiaison_SLTT@cisa.dhs.gov
    • Private sector organizations: CyberLiaison_Industry@cisa.dhs.gov
Ransomware Quick References
  • Ransomware: What It Is and What to Do About It (CISA): General ransomware guidance for organizational leadership and more in-depth information for CISOs and technical staff: https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_ Document-FINAL.pdf
  • Ransomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks, specific ransomware threats, and other resources: https://www.us-cert.cisa.gov/Ransomware  
  • HHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at www.hhs.gov/hc3
  • Security Primer – Ransomware (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns, common infection vectors, and best practice recommendations: https://www.cisecurity.org/white-papers/security-primer-ransomware/
  • Ransomware: Facts, Threats, and Countermeasures (MS- ISAC): Facts about ransomware, infection vectors, ransomware capabilities, and how to mitigate the risk of ransomware infection: https://www.cisecurity.org/blog/ransomware- facts-threats-and-countermeasures/
  • HHS Ransomware Fact Sheet: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
  • NIST Securing Data Integrity White Paper: https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft
Ransomware Response Checklist

Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. CISA, FBI, and HHS do not recommend paying ransom.
Should your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in CISA and MS-ISAC's Joint Ransomware Guide, which contains steps for detection and analysis as well as containment and eradication.

Consider the Need For Extended Identification or Analysis
  • If extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:
  • Recovered executable file
  • Copies of the readme file – DO NOT REMOVE the file or decryption may not be possible
  • Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
  • Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
  • Malware samples
  • Names of any other malware identified on your system
  • Encrypted file samples
  • Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)
  • Any PowerShell scripts found having executed on the systems
  • Any user accounts created in Active Directory or machines added to the network during the exploitation
  • Email addresses used by the attackers and any associated phishing emails
  • A copy of the ransom note
  • Ransom amount and whether or not the ransom was paid
  • Bitcoin wallets used by the attackers
  • Bitcoin wallets used to pay the ransom (if applicable)
  • Copies of any communications with attackers

Upon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.

  • CISA – Advanced Malware Analysis Center: https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf
  • Remote Assistance – Request via Central@cisa.gov

 

 

 

Contact Information

CISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for purpose of notification.

  • State and Local Response Contacts
  • IT/IT Security Team – Centralized Cyber Incident Reporting
  • State and Local Law Enforcement
  • Fusion Center        
  • Managed/Security Service Providers
  • Cyber Insurance       

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

Additionally, see the CISA and MS-ISAC's Joint Ransomware Guide for information on contacting—and what to expect from contacting—federal asset response contacts and federal threat response contacts.

 

DISCLAIMER

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://cisa.gov/tlp.

 

References Revisions
  • October 28, 2020: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky

US-CERT - Tue, 2020-10-27 10:00
Original release date: October 27, 2020
Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.

This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.

Click here for a PDF version of this report.

Key Findings

This advisory’s key findings are:

  • The Kimsuky APT group has most likely been operating since 2012.
  • Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[1],[2]
  • Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[3]
  • Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
  • Kimsuky specifically targets:
    • Individuals identified as experts in various fields,
    • Think tanks, and
    • South Korean government entities.[4],[5],[6],[7],[8]
  • CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.
Technical DetailsInitial Access

Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access [TA0001] to victim networks.[9],[10],[11] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (Phishing: Spearphishing Attachment [T1566.001]).[12],[13]

  • The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]
  • Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.
    • Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.
    • After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.
  • Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[15],[16],[17]

Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (Phishing: Spearphising Link [T1566.002], Drive-by Compromise [T1189], Man-in-the-Browser [T1185]).[18]

Execution

After obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for Execution [TA0002].

  • BabyShark is Visual Basic Script (VBS)-based malware.
    • First, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to download and execute an HTML application (HTA) file from a remote system (Signed Binary Proxy Execution: Mshta [T1218.005]).
    • The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
    • The script maintains Persistence [TA0003] by creating a Registry key that runs on startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]).
    •  It then collects system information (System Information Discovery [T1082]), sends it to the operator’s command control (C2) servers, and awaits further commands.[19],[20],[21],[22]
  • Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see Initial Access section for more information) (Phishing: Spearphising Link [T1566.002], Phishing: Spearphishing Attachment [T1566.001]). Kimsuky tailors email phishing messages to match its targets’ interests. Observed targets have been U.S. think tanks and the global cryptocurrency industry.[23]
  • Kimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory (Command and Scripting Interpreter: PowerShell [T1059.001]). PowerShell commands/scripts can be executed without invoking powershell.exe through HTA files or mshta.exe.[24],[25],[26],[27]
Persistence

Kimsuky has demonstrated the ability to establish Persistence [TA0003] through using malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.

  • In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (Man-in-the-Browser [T1185]). The extension’s reviews gave it a five-star rating, however the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[28]
  • Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (Boot or Logon Autostart Execution [T1547]). The service name may be disguised with the name from a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[29],[30]
  • During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (Remote Services: Remote Desktop Protocol [T1021.001]).[31]
  • Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (.hwp files) in the Registry (Event Triggered Execution: Change Default File Association [T1546.001]). Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[32] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly.[33]
  • Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source Hypertext Processor (PHP)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (Server Software Component: Web Shell [T1505.003]). The actor often adds “Dinosaur” references within the modified web shell codes.[34]
Privilege Escalation

Kimsuky uses well-known methods for Privilege Escalation [TA0004]. These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code in explorer.exe.

  • Kimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass the User Account Control to inject malicious code into explorer.exe (Process Injection [T1055]). This malicious code decrypts its spying library—a collection of keystroke logging and remote control access tools and remote control download and execution tools—from resources, regardless of the victim’s operating system. It then saves the decrypted file to a disk with a random but hardcoded name (e.g., dfe8b437dd7c417a6d.tmp) in the user’s temporary folder and loads this file as a library, ensuring the tools are then on the system even after a reboot. This allows for the escalation of privileges.[35]
  • Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) and ensures the remote process is loaded by creating a remote thread within explorer.exe (Process Injection [T1055]).[36]

Figure 1: Privileges set for the injection [37]

Defense Evasion

Kimsuky uses well-known and widely available methods for Defense Evasion [TA0005] within a network. These methods include disabling security tools, deleting files, and using Metasploit.[38],[39]

  • Kimsuky’s malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (see figure 2) (Impair Defenses: Disable or Modify System Firewall [T1562.004]).[40]

Figure 2: Disabled firewall values in the Registry [41]

  • Kimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server (Indicator Removal on Host: File Deletion [T1070.004]).[42]
  • Kimsuky has used mshta.exe, which is a utility that executes Microsoft HTAs. It can be used for proxy execution of malicious .hta files and JavaScript or VBS through a trusted windows utility (Signed Binary Proxy Execution: Mshta [T1218.005]). It can also be used to bypass application allow listing solutions (Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]).[43],[44]
  • Win7Elevate—which was noted above—is also used to evade traditional security measures. Win7Elevatve is a part of the Metasploit framework open-source code and is used to inject malicious code into explorer.exe (Process Injection [T1055]). The malicious code decrypts its spying library from resources, saves the decrypted file to disk with a random but hardcoded name in the victim's temporary folder, and loads the file as a library.[45],[46],[47]
Credential Access

Kimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and keyloggers (Credential Access [TA0006]).

  • Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. Kimsuky uses ProcDump, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization (OS Credential Dumping [T1003]). ProcDump monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware.[48]
  • According to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords and cookies from browsers (Man-in-the-Browser [T1185]).[49],[50] The spearphishing email directs a victim to a phishing site, where the victim is shown a benign PDF document but is not able to view it. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51]

Figure 3: JavaScript file, named jQuery.js [52]

  • Kimsuky also uses a PowerShell based keylogger, named MECHANICAL, and a network sniffing tool, named Nirsoft SniffPass (Input Capture: Keylogging [T1056.001], Network Sniffing [T1040]). MECHANICAL logs keystrokes to %userprofile%\appdata\roaming\apach.{txt,log} and is also a "cryptojacker," which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols.[53]
  • Kimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between the victim and the website accessed by the victims and to collect any credentials entered by the victim.[54]
Discovery

Kimsuky enumerates system information and the file structure for victims’ computers and networks (Discovery [TA0007]). Kimsuky appears to rely on using the victim’s operating system command prompt to enumerate the file structure and system information (File and Directory Discovery [T1083]). The information is directed to C:\WINDOWS\msdatl3.inc, read by malware, and likely emailed to the malware’s command server.[55]

Collection

Kimsuky collects data from the victim system through its HWP document malware and its keylogger (Collection [TA0009]). The HWP document malware changes the default program association in the Registry to open HWP documents (Event Triggered Execution: Change Default File Association [T1546.001]). When a user opens an HWP file, the Registry key change triggers the execution of malware that opens the HWP document and then sends a copy of the HWP document to an account under the adversary’s control. The malware then allows the user to open the file as normal without any indication to the user that anything has occurred. The keylogger intercepts keystrokes and writes them to C:\Program Files\Common Files\System\Ole DB\msolui80.inc and records the active window name where the user pressed keys (Input Capture: Keylogging [T1056.001]). There is another keylogger variant that logs keystrokes into C:\WINDOWS\setup.log.[56]

Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various implants based on C2 options specified after the filedown.php (see figure 4).

Figure 4: Python Script targeting MacOS [57]

Command and Control

Kimsuky has used a modified TeamViewer client, version 5.0.9104, for Command and Control [TA0011] (Remote Access Software [T1219]). During the initial infection, the service “Remote Access Service” is created and adjusted to execute C:\Windows\System32\vcmon.exe at system startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]). Every time vcmon.exe is executed, it disables the firewall by zeroing out Registry values (Impair Defenses: Disable or Modify System Firewall [T1562.004]). The program then modifies the TeamViewer Registry settings by changing the TeamViewer strings in TeamViewer components. The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work. The SecurityPasswordAES Registry value represents a hash of the password used by a remote user to connect to TeamViewer Client (Use Alternate Authentication Material: Pass the Hash [T1550.002]). This way, the attackers set a pre-shared authentication value to have access to the TeamViewer Client. The attacker will then execute the TeamViewer client netsvcs.exe.[58]

Kimsuky has been using a consistent format. In the URL used recently—express.php?op=1—there appears to be an option range from 1 to 3.[59]

Exfiltration

Open-source reporting from cybersecurity companies describes two different methods Kimsuky has used to exfiltrate stolen data: via email or through an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer (Exfiltration [TA0010]).

There was no indication that the actor destroyed computers during the observed exfiltrations, suggesting Kimsuky’s intention is to steal information, not to disrupt computer networks. Kimsuky’s preferred method for sending or receiving exfiltrated information is through email, with their malware on the victim machine encrypting the data before sending it to a C2 server (Archive Collected Data [T1560]).  Kimsuky also sets up auto-forward rules within a victim’s email account (Email Collection: Email Forwarding Rule [T1114.003]).

Kimsuky also uses an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer to exfiltrate stolen data. The data is sent RSA-encrypted (Encrypted Channel: Symmetric Cryptography [T1573.001]). Kimsuky’s malware constructs an 1120-bit public key and uses it to encrypt the 117-bytes buffer. The resulting data file is saved in C:\Program Files\Common Files\System\Ole DB\ (Data Staged: Local Data Staging [T1074.001]).[60]

MitigationsIndicators of Compromise

Kimsuky has used the domains listed in table 1 to carry out its objectives:

For a downloadable copy of IOCs, see AA20-301A.stix.

Table 1: Domains used by Kimsuky

login.bignaver.com

nytimes.onekma.com

webuserinfo.com

member.navier.pe.hu

nid.naver.onektx.com

pro-navor.com

cloudnaver.com

read.tongilmoney.com

naver.pw

resetprofile.com

nid.naver.unicrefia.com

daurn.org

servicenidnaver.com

mail.unifsc.com

naver.com.de

account.daurn.pe.hu

member.daum.unikortv.com

ns.onekorea.me

login.daum.unikortv.com

securetymail.com

riaver.site

account.daum.unikortv.com

help-navers.com

mailsnaver.com

daum.unikortv.com

beyondparallel.sslport.work

cloudmail.cloud

member.daum.uniex.kr

comment.poulsen.work

helpnaver.com

jonga.ml

impression.poulsen.work

view-naver.com

myaccounts.gmail.kr-infos.com

statement.poulsen.work

view-hanmail.net

naver.hol.es

demand.poulsen.work

login.daum.net-accounts.info

dept-dr.lab.hol.es

sankei.sslport.work

read-hanmail.net

Daurn.pe.hu

sts.desk-top.work

net.tm.ro

Bigfile.pe.hu

hogy.desk-top.work

daum.net.pl

Cdaum.pe.hu

kooo.gq

usernaver.com

eastsea.or.kr

tiosuaking.com

naver.com.ec

myaccount.nkaac.net

help.unikoreas.kr

naver.com.mx

naver.koreagov.com

resultview.com

naver.com.se

naver.onegov.com

account.daum.unikftc.kr

naver.com.cm

member-authorize.com

ww-naver.com

nid.naver.com.se

naver.unibok.kr

vilene.desk-top.work

csnaver.com

nid.naver.unibok.kr

amberalexander.ghtdev.com

nidnaver.email

read-naver.com

nidnaver.net

cooper.center

dubai-1.com

coinone.co.in

nidlogin.naver.corper.be

amberalexander.ghtdev.com

naver.com.pl

nid.naver.corper.be

gloole.net

naver.cx

naverdns.co

smtper.org

smtper.cz

naver.co.in

login.daum.kcrct.ml

myetherwallet.com.mx

downloadman06.com

login.outlook.kcrct.ml

myetherwallet.co.in

loadmanager07.com

top.naver.onekda.com

com-download.work

com-option.work

com-sslnet.work

com-vps.work

com-ssl.work

desk-top.work

intemet.work

jp-ssl.work

org-vip.work

sslport.work

sslserver.work

ssltop.work

taplist.work

vpstop.work

webmain.work

preview.manage.org-view.work

intranet.ohchr.account-protect.work

 

Table 2: Redacted domains used by Kimsuky

[REDACTED]/home/dwn.php?van=101

[REDACTED]/home/dwn.php?v%20an=101

[REDACTED]/home/dwn.php?van=102

[REDACTED]/home/up.php?id=NQDPDE

[REDACTED]/test/Update.php?wShell=201

 

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

  DISCLAIMER  

This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

References Revisions
  • October 27, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability

Cisco Security Advisories - Thu, 2020-10-22 16:00

A vulnerability in the SSL/TLS handler of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the affected device to reload unexpectedly, leading to a denial of service (DoS) condition.

The vulnerability is due to improper error handling on established SSL/TLS connections. An attacker could exploit this vulnerability by establishing an SSL/TLS connection with the affected device and then sending a malicious SSL/TLS message within that connection. A successful exploit could allow the attacker to cause the device to reload.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-dos-7uZWwSEy


Security Impact Rating: High
CVE: CVE-2020-27124
Categories: Security Alerts

AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems

US-CERT - Thu, 2020-10-22 09:00
Original release date: October 22, 2020
Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.

The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.

The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. 

Click here for a PDF version of this report.

Technical Details

These actors have conducted a significant number of intrusions against U.S.-based networks since August 2019. The actors leveraged several Common Vulnerabilities and Exposures (CVEs)—notably CVE-2020-5902 and CVE-2017-9248—pertaining to virtual private networks (VPNs) and content management systems (CMSs). 

  • CVE-2020-5902 affects F5 VPNs. Remote attackers could exploit this vulnerability to execute arbitrary code. [1].
  • CVE-2017-9248 affects Telerik UI. Attackers could exploit this vulnerability in web applications using Telerik UI for ASP.NET AJAX to conduct cross-site scripting (XSS) attacks.[2]

Historically, these actors have conducted DDoS attacks, SQL injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. These activities could render these systems temporarily inaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of results.

  • A DDoS attack could slow or render election-related public-facing websites inaccessible by flooding the internet-accessible server with requests; this would prevent users from accessing online resources, such as voting information or non-official voting results. In the past, cyber actors have falsely claimed DDoS attacks have compromised the integrity of voting systems in an effort to mislead the public that their attack would prevent a voter from casting a ballot or change votes already cast.
  • A SQL injection involves a threat actor inserting malicious code into the entry field of an application, causing that code to execute if entries have not been sanitized. SQL injections are among the most dangerous and common exploits affecting websites. A SQL injection into a media company’s CMS could enable a cyber actor access to network systems to manipulate content or falsify news reports prior to publication.
  • Spear-phishing messages may not be easily detectible. These emails often ask victims to fill out forms or verify information through links embedded in the email. APT actors use spear phishing to gain access to information—often credentials, such as passwords—and to identify follow-on victims. A malicious cyber actor could use compromised email access to spread disinformation to the victims’ contacts or collect information sent to or from the compromised account.
  • Public-facing website defacements typically involve a cyber threat actor compromising the website or its associated CMS, allowing the actor to upload images to the site’s landing page. In situations where such public-facing websites relate to elections (e.g., the website of a county board of elections), defacements could cast doubt on the security and legitimacy of the websites’ information. If cyber actors were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised..
  • Disinformation campaigns involve malign actions taken by foreign governments or actors designed to sow discord, manipulate public discourse, or discredit the electoral system. Malicious actors often use social media as well as fictitious and spoofed media sites for these campaigns. Based on their corporate policies, social media companies have worked to counter these actors’ use of their platforms to promote fictitious news stories by removing the news stories, and in many instances, closing the accounts related to the malicious activity. However, these adversaries will continue their attempts to create fictitious accounts that promote divisive storylines to sow discord, even after the election.
Mitigations

The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:

  • Validate input—input validation is a method of sanitizing untrusted input provided by web application users. Implementing input validation can protect against security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly prevented include SQL injection, XSS, and command injection.
  • Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify all cloud-based virtual machine instances with a public IP; do not have open RDP ports, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall, and require users to use a VPN to access it through the firewall.
  • Enable strong password requirements and account lockout policies to defend against brute-force attacks.
  • Apply multi-factor authentication, when possible.
  • Apply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248.
  • Maintain a good information back-up strategy that involves routinely backing up all critical data and system configuration information on a separate device. Store the backups offline; verify their integrity and restoration process.
  • Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days, and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
  • Ensure third parties that require RDP access are required to follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
  • Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.
  • Be aware of unsolicited contact on social media from any individual you do not know.
  • Be aware of attempts to pass links or files via social media from anyone you do not know.
  • Be aware of unsolicited requests to share a file via online services.
  • Be aware of email messages conveying suspicious alerts or other online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.
  • Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an IP address not attributable to the provider/company).
  • Be suspicious of unsolicited email messages that contain shortened links (e.g., via tinyurl, bit.ly).
  • Use security features provided by social media platforms, use strong passwords, change passwords frequently, and use a different password for each social media account.
  • See CISA’s Tip on Best Practices for Securing Election Systems for more information.
General Mitigations Keep applications and systems updated and patched

Apply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These “N-day” exploits can be as damaging as a zero-day exploits. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.[3] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool[4]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.

Scan web applications for SQL injection and other common web vulnerabilities

Implement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner.[5] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.

Deploy a web application firewall 

Deploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.

Deploy techniques to protect against web shells

Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware.[6] Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.

Use multi-factor authentication for administrator accounts

Prioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[7] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs).[8] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.

Remediate critical web application security risks

First, identify and remedite critical web application security risks first; then, move on to other less critical vulnerabilities. Follow available guidance on securing web applications.[9],[10],[11]

How do I respond to unauthorized access to election-related systems? Implement your security incident response and business continuity plan

It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact CISA or law enforcement immediately

To report an intrusion and to request incident response resources or technical assistance, contact CISA (Central@cisa.dhs.gov or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).

Resources Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

References Revisions
  • October 22, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA20-296A: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets

US-CERT - Thu, 2020-10-22 05:44
Original release date: October 22, 2020
Summary

This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques

This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.

Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.

The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.

As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.

  • Click here for a PDF version of this report.
  • Click here for a STIX package of IOCs.
Technical Details

The FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victim web servers (Exploit Public Facing Application [T1190]).

The actor is using 213.74.101[.]65 and 213.74.139[.]196 to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (Brute Force [T1110]; Exploit Public Facing Application [T1190]). The APT actor also hosted malicious domains, including possible aviation sector target columbusairports.microsoftonline[.]host, which resolved to 108.177.235[.]92 and [cityname].westus2.cloudapp.azure.com; these domains are U.S. registered and are likely SLTT government targets (Drive-By Compromise [T1189]).

The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug (CVE-2019-19781) and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).

The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003]).

Between early February and mid-September, these APT actors used 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to target U.S. SLTT government networks. Successful authentications—including the compromise of Microsoft Office 365 (O365) accounts—have been observed on at least one victim network (Valid Accounts [T1078]).

MitigationsIndicators of Compromise

The APT actor used the following IP addresses and domains to carry out its objectives:

  • 213.74.101[.]65
  • 213.74.139[.]196
  • 212.252.30[.]170
  • 5.196.167[.]184
  • 37.139.7[.]16
  • 149.56.20[.]55
  • 91.227.68[.]97
  • 138.201.186[.]43
  • 5.45.119[.]124
  • 193.37.212[.]43
  • 146.0.77[.]60
  • 51.159.28[.]101
  • columbusairports.microsoftonline[.]host
  • microsoftonline[.]host
  • email.microsoftonline[.]services
  • microsoftonline[.]services
  • cityname].westus2.cloudapp.azure.com

IP address 51.159.28[.]101 appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address 51.159.28[.]101 (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).

Organizations should check available logs for traffic to/from IP address 51.159.28[.]101 for indications of credential-harvesting activity. As the APT actors likely have—or will—establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.

Refer to AA20-296A.stix for a downloadable copy of IOCs.

Network Defense-in-Depth

Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.

  • Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.

Table 1: Patch information for CVEs

Vulnerability Vulnerable Products Patch Information CVE-2019-19781
  • Citrix Application Delivery Controller
  • Citrix Gateway
  • Citrix SDWAN WANOP

 

Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0

Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3

Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0

Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5

CVE-2020-0688
  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 3
  • Microsoft Exchange Server 2019 Cumulative Update 4

 

Microsoft Security Advisory for CVE-2020-0688 CVE-2019-10149
  • Exim versions 4.87–4.91
Exim page for CVE-2019-10149 CVE-2018-13379
  • FortiOS 6.0: 6.0.0 to 6.0.4
  • FortiOS 5.6: 5.6.3 to 5.6.7
  • FortiOS 5.4: 5.4.6 to 5.4.12
Fortinet Security Advisory: FG-IR-18-384 CVE-2020-1472
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903  (Server Core installation)
  • Windows Server, version 1909  (Server Core installation)
  • Windows Server, version 2004   (Server Core installation)

Microsoft Security Advisory for CVE-2020-1472

 

 

  • Follow Microsoft’s guidance on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.
  • If appropriate for your organization’s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on SMB Security Best Practices for more information.
  • Implement the prevention, detection, and mitigation strategies outlined in:
  • Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.
  • Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
  • Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and WINDOWS folders. All other locations should be disallowed unless an exception is granted.
  • Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.
Comprehensive Account Resets

For accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT “Golden Tickets” may be required, and Microsoft has released specialized guidance for this. Such a reset should be performed very carefully if needed.

If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premise—as well as in Azure-hosted—AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.

It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.

  1. Create a temporary administrator account, and use this account only for all administrative actions
  2. Reset the Kerberos Ticket Granting Ticket (krbtgt) password;[1] this must be completed before any additional actions (a second reset will take place in step 5)
  3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
  4.  Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
    1. User accounts (forced reset with no legacy password reuse)
    2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
    3. Service accounts
    4. Directory Services Restore Mode (DSRM) account
    5. Domain Controller machine account
    6. Application passwords
  5. Reset the krbtgt password again
  6. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
  7. Reboot domain controllers
  8. Reboot all endpoints

The following accounts should be reset:

  • AD Kerberos Authentication Master (2x)
  • All Active Directory Accounts
  • All Active Directory Admin Accounts
  • All Active Directory Service Accounts
  • All Active Directory User Accounts
  • DSRM Account on Domain Controllers
  • Non-AD Privileged Application Accounts
  • Non-AD Unprivileged Application Accounts
  • Non-Windows Privileged Accounts
  • Non-Windows User Accounts
  • Windows Computer Accounts
  • Windows Local Admin
VPN Vulnerabilities

Implement the following recommendations to secure your organization’s VPNs:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Software Updates and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates.
  • Implement MFA on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.

Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:

  • Audit configuration and patch management programs.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).
  • Implement MFA, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Keep software up to date. Enable automatic updates, if available.
Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

Resources   DISCLAIMER  

This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

References Revisions
  • October 22, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software WebVPN CRLF Injection Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the Clientless SSL VPN (WebVPN) of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system.

The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to conduct a CRLF injection attack, adding arbitrary HTTP headers in the responses of the system and redirecting the user to arbitrary websites.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-crlf-inj-BX9uRwSn


Security Impact Rating: Medium
CVE: CVE-2020-3561
Categories: Security Alerts

Cisco Firepower Threat Defense Software TCP Intercept Bypass Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the TCP Intercept functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Access Control Policies (including Geolocation) and Service Polices on an affected system.

The vulnerability exists because TCP Intercept is invoked when the embryonic connection limit is reached, which can cause the underlying detection engine to process the packet incorrectly. An attacker could exploit this vulnerability by sending a crafted stream of traffic that matches a policy on which TCP Intercept is configured. A successful exploit could allow the attacker to match on an incorrect policy, which could allow the traffic to be forwarded when it should be dropped. In addition, the traffic could incorrectly be dropped.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tcp-intercept-bypass-xG9M3PbY


Security Impact Rating: Medium
CVE: CVE-2020-3565
Categories: Security Alerts

Cisco FXOS Software Firepower Chassis Manager Cross-Site Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the Cisco Firepower Chassis Manager (FCM) of Cisco FXOS Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected device. 

The vulnerability is due to insufficient CSRF protections for the FCM interface. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could take unauthorized actions on behalf of the targeted user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxosfcm-csrf-uhO4e5BZ


Security Impact Rating: High
CVE: CVE-2020-3456
Categories: Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 1000/2100 Series Appliances Secure Boot Bypass Vulnerabilities

Cisco Security Advisories - Wed, 2020-10-21 16:00

Multiple vulnerabilities in the secure boot process of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software for the Firepower 1000 Series and Firepower 2100 Series Appliances could allow an authenticated, local attacker to bypass the secure boot mechanism. 

The vulnerabilities are due to insufficient protections of the secure boot process. An attacker could exploit these vulnerabilities by injecting code into specific files that are then referenced during the device boot process. A successful exploit could allow the attacker to break the chain of trust and inject code into the boot process of the device, which would be executed at each boot and maintain persistence across reboots.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-sbbyp-KqP6NgrE


Security Impact Rating: High
CVE: CVE-2020-3458
Categories: Security Alerts

Cisco FXOS Software for Firepower 4100/9300 Series Appliances Secure Boot Bypass Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the secure boot process of Cisco FXOS Software could allow an authenticated, local attacker to bypass the secure boot mechanisms. 

The vulnerability is due to insufficient protections of the secure boot process. An attacker could exploit this vulnerability by injecting code into a specific file that is then referenced during the device boot process. A successful exploit could allow the attacker to break the chain of trust and inject code into the boot process of the device which would be executed at each boot and maintain persistence across reboots.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-sbbp-XTuPkYTn


Security Impact Rating: High
CVE: CVE-2020-3455
Categories: Security Alerts

Cisco FXOS Software Command Injection Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges.

The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-cmdinj-pqZvmXCr


Security Impact Rating: Medium
CVE: CVE-2020-3457
Categories: Security Alerts

Cisco FXOS Software for Firepower 4100/9300 Series Command Injection Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges.

The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-cmdinj-b63rwKPm


Security Impact Rating: Medium
CVE: CVE-2020-3459
Categories: Security Alerts

Cisco Firepower Management Center Software and Firepower Threat Defense Software sftunnel Pass the Hash Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the sftunnel functionality of Cisco Firepower Management Center (FMC) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to obtain the device registration hash.

The vulnerability is due to insufficient sftunnel negotiation protection during initial device registration. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a specific flow of the sftunnel communication between an FMC device and an FTD device. A successful exploit could allow the attacker to decrypt and modify the sftunnel communication between FMC and FTD devices, allowing the attacker to modify configuration data sent from an FMC device to an FTD device or alert data sent from an FTD device to an FMC device.

Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdfmc-sft-mitm-tc8AzFs2

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3549
Categories: Security Alerts

Cisco Firepower Management Center Software Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the licensing service of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to improper handling of system resource values by the affected system. An attacker could exploit this vulnerability by sending malicious requests to the targeted system. A successful exploit could allow the attacker to cause the affected system to become unresponsive, resulting in a DoS condition and preventing the management of dependent devices.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdfmc-dos-NjYvDcLA

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3499
Categories: Security Alerts

Cisco Firepower Management Center Software and Firepower Threat Defense Software Directory Traversal Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the sfmgr daemon of Cisco Firepower Management Center (FMC) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to perform directory traversal and access directories outside the restricted path.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by using a relative path in specific sfmgr commands. An exploit could allow the attacker to read or write arbitrary files on an sftunnel-connected peer device.

Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftdfmc-dirtrav-NW8XcuSB

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3550
Categories: Security Alerts

Cisco Firepower Threat Defense Software TCP Flood Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the packet processing functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to inefficient memory management. An attacker could exploit this vulnerability by sending a large number of TCP packets to a specific port on an affected device. A successful exploit could allow the attacker to exhaust system memory, which could cause the device to reload unexpectedly. No manual intervention is needed to recover the device after it has reloaded.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tcp-dos-GDcZDqAf

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3563
Categories: Security Alerts

Cisco Firepower Threat Defense Software SSL Input Validation Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the ssl_inspection component of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to crash Snort instances.

The vulnerability is due to insufficient input validation in the ssl_inspection component. An attacker could exploit this vulnerability by sending a malformed TLS packet through a Cisco Adaptive Security Appliance (ASA). A successful exploit could allow the attacker to crash a Snort instance, resulting in a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-mf3822Z


Security Impact Rating: Medium
CVE: CVE-2020-3317
Categories: Security Alerts

Cisco Firepower 2100 Series SSL/TLS Inspection Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the SSL/TLS inspection of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series firewalls could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to improper input validation for certain fields of specific SSL/TLS messages. An attacker could exploit this vulnerability by sending a malformed SSL/TLS message through an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. No manual intervention is needed to recover the device after it has reloaded.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-ssl-dcrpt-dos-RYEkX4yy

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3562
Categories: Security Alerts

Cisco Firepower Threat Defense Software SNMP Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to restart unexpectedly.

The vulnerability is due to a lack of sufficient memory management protections under heavy SNMP polling loads. An attacker could exploit this vulnerability by sending a high rate of SNMP requests to the SNMP daemon through the management interface on an affected device. A successful exploit could allow the attacker to cause the SNMP daemon process to consume a large amount of system memory over time, which could then lead to an unexpected device restart, causing a denial of service (DoS) condition.

This vulnerability affects all versions of SNMP.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snmp-dos-R8ENPbOs

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3533
Categories: Security Alerts

Cisco Firepower Threat Defense Software Inline Pair/Passive Mode Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-10-21 16:00

A vulnerability in the ingress packet processing path of Cisco Firepower Threat Defense (FTD) Software for interfaces that are configured either as Inline Pair or in Passive mode could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.

The vulnerability is due to insufficient validation when Ethernet frames are processed. An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device. A successful exploit could allow the attacker do either of the following: 

  • Fill the /ngfw partition on the device: A full /ngfw partition could result in administrators being unable to log in to the device (including logging in through the console port) or the device being unable to boot up correctly. Note: Manual intervention is required to recover from this situation. Customers are advised to contact the Cisco Technical Assistance Center (TAC) to help recover a device in this condition.
  • Cause a process crash: The process crash would cause the device to reload. No manual intervention is necessary to recover the device after the reload.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-inline-dos-nXqUyEqM

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3577
Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator