Security Alerts

Multiple Cisco Products Snort Modbus Denial of Service Vulnerability

Cisco Security Advisories - Tue, 2022-04-26 19:41
<p>A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.</p> <p>This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj" target="_blank" rel="noopener">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj</a></p>
Security Impact Rating: High
CVE: CVE-2022-20685
Categories: Security Alerts

Cisco Unified Communications Products Arbitrary File Write Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 23:00
<p>A vulnerability in the software upgrade process of Cisco&nbsp;Unified Communications Manager (Unified CM) and Cisco&nbsp;Unified Communications Manager Session Management Edition (Unified CM SME)&nbsp;could allow an authenticated, remote attacker to write arbitrary files on the affected system.</p> <p>This vulnerability is due to improper restrictions applied to a system script. An attacker could exploit this vulnerability by using crafted variables during the execution of a system upgrade. A successful exploit could allow the attacker to overwrite or append arbitrary data to system files using <em>root</em>-level privileges.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-arb-write-74QzruUU" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-arb-write-74QzruUU</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20789
Categories: Security Alerts

Cisco TelePresence Collaboration Endpoint and RoomOS Software H.323 Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the packet processing functionality of Cisco&nbsp;TelePresence Collaboration Endpoint (CE) Software and Cisco&nbsp;RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.</p> <p>This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted H.323 traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to either reboot normally or reboot into maintenance mode, which could result in a DoS condition on the device.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ce-roomos-dos-c65x2Qf2" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ce-roomos-dos-c65x2Qf2</a></p>
Security Impact Rating: High
CVE: CVE-2022-20783
Categories: Security Alerts

Cisco Webex Meetings Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the authentication component of Cisco&nbsp;Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface.</p> <p>This vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the authentication component of Cisco&nbsp;Webex Meetings. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-w47AMqAk" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-w47AMqAk</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20778
Categories: Security Alerts

Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software AnyConnect SSL VPN Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the implementation of the Datagram TLS (DTLS) protocol in Cisco&nbsp;Adaptive Security Appliance (ASA) Software and Cisco&nbsp;Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause high CPU utilization, resulting in a denial of service (DoS) condition.</p> <p>This vulnerability is due to suboptimal processing that occurs when establishing a DTLS tunnel as part of an AnyConnect SSL VPN connection. An attacker could exploit this vulnerability by sending a steady stream of crafted DTLS traffic to an affected device. A successful exploit could allow the attacker to exhaust resources on the affected VPN headend device. This could cause existing DTLS tunnels to stop passing traffic and prevent new DTLS tunnels from establishing, resulting in a DoS condition.</p> <p><strong>Note</strong>: When the attack traffic stops, the device recovers gracefully.</p> <p>There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vpndtls-dos-TunzLEV" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vpndtls-dos-TunzLEV</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20795
Categories: Security Alerts

Cisco Virtualized Infrastructure Manager Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the configuration file protections of Cisco&nbsp;Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device.</p> <p>This vulnerability is due to improper access permissions for certain configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vim-privesc-T2tsFUf" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vim-privesc-T2tsFUf</a></p>
Security Impact Rating: High
CVE: CVE-2022-20732
Categories: Security Alerts

Cisco Umbrella Virtual Appliance Static SSH Host Key Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the key-based SSH authentication mechanism of Cisco&nbsp;Umbrella Virtual Appliance (VA) could allow an unauthenticated, remote attacker to impersonate a VA.</p> <p>This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA.</p> <p><strong>Note</strong>: SSH is not enabled by default on the Umbrella VA.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uva-static-key-6RQTRs4c" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uva-static-key-6RQTRs4c</a></p>
Security Impact Rating: High
CVE: CVE-2022-20773
Categories: Security Alerts

Cisco Umbrella Secure Web Gateway File Decryption Bypass Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the automatic decryption process in Cisco&nbsp;Umbrella Secure Web Gateway (SWG) could allow an authenticated, adjacent attacker to bypass the SSL decryption and content filtering policies on an affected system.</p> <p>This vulnerability is due to how the decryption function uses the TLS Sever Name Indication (SNI) extension of an HTTP request to discover the destination domain and determine if the request needs to be decrypted. An attacker could exploit this vulnerability by sending a crafted request over TLS from a client to an unknown or controlled URL. A successful exploit could allow an attacker to bypass the decryption process of Cisco&nbsp;Umbrella SWG and allow malicious content to be downloaded to a host on a protected network.</p> <p>There are workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uswg-fdbps-xtTRKpp6" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uswg-fdbps-xtTRKpp6</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20805
Categories: Security Alerts

Cisco Unified Communications Products Arbitrary File Read Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the web-based management interface of Cisco&nbsp;Unified Communications Manager (Unified CM) and Cisco&nbsp;Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system.</p> <p>This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the underlying operating system.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-file-read-h8h4HEJ3">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-file-read-h8h4HEJ3</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20790
Categories: Security Alerts

Cisco Unified Communications Products Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the Cisco&nbsp;Discovery Protocol of Cisco&nbsp;Unified Communications Manager (Unified CM) and Cisco&nbsp;Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, adjacent attacker to cause a kernel panic on an affected system, resulting in a denial of service (DoS) condition.</p> <p>This vulnerability is due to incorrect processing of certain Cisco&nbsp;Discovery Protocol packets. An attacker could exploit this vulnerability by continuously sending certain Cisco&nbsp;Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to cause a kernel panic on the system that is running the affected software, resulting in a DoS condition.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-dos-zHS9X9kD" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-dos-zHS9X9kD</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20804
Categories: Security Alerts

Cisco Unified Communications Products Cross-Site Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the web-based management interface of Cisco&nbsp;Unified Communications Manager (Unified CM) Software and Cisco&nbsp;Unified CM Session Management Edition (SME) Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device.</p> <p>This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-csrf-jrKP4eNT" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-csrf-jrKP4eNT</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20787
Categories: Security Alerts

Cisco Unified Communications Manager IM &amp; Presence Service SQL Injection Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the web-based management interface of Cisco&nbsp;Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.</p> <p>This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imp-sqlinj-GrpUuQEJ" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imp-sqlinj-GrpUuQEJ</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20786
Categories: Security Alerts

Cisco Unified Communications Products Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2022-04-20 16:00
<p>A vulnerability in the web-based management interface of Cisco&nbsp;Unified Communications Manager (Unified CM), Cisco&nbsp;Unified CM Session Management Edition (Unified CM SME), and <span class="more">Cisco&nbsp;Unity Connection</span> could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.</p> <p>This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-xss-6MCe4kPF" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-xss-6MCe4kPF</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20788
Categories: Security Alerts

AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

US-CERT - Wed, 2022-04-20 10:00
Original release date: April 20, 2022
Summary

Actions critical infrastructure organizations should implement to immediately protect against Russian state-sponsored and criminal cyber threats:
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Enforce multifactor authentication.
• Secure and monitor Remote Desktop Protocol and other risky services.
• Provide end-user awareness and training.

The cybersecurity authorities of the United States[1][2][3], Australia[4], Canada[5], New Zealand[6], and the United Kingdom[7][8] are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.

Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations

Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people. Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.

This advisory updates joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, which provides an overview of Russian state-sponsored cyber operations and commonly observed tactics, techniques, and procedures (TTPs). This CSA—coauthored by U.S., Australian, Canadian, New Zealand, and UK cyber authorities with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC)—provides an overview of Russian state-sponsored advanced persistent threat (APT) groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity. Refer to the Mitigations section of this advisory for recommended hardening actions.

For more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the heightened cyber threat to critical infrastructure organizations, see the following resources:

Click here for a PDF version of this report.

Technical DetailsRussian State-Sponsored Cyber Operations

Russian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and operational technology (OT) networks; and disrupt critical industrial control systems (ICS)/OT functions by deploying destructive malware. 
Historical operations have included deployment of destructive malware—including BlackEnergy and NotPetya—against Ukrainian government and critical infrastructure organizations. Recent Russian state-sponsored cyber operations have included DDoS attacks against Ukrainian organizations. Note: for more information on Russian state-sponsored cyber activity, including known TTPs, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

Cyber threat actors from the following Russian government and military organizations have conducted malicious cyber operations against IT and/or OT networks:

  • The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
  • Russian Foreign Intelligence Service (SVR)
  • Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
  • GRU’s Main Center for Special Technologies (GTsST)
  • Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)
The Russian Federal Security Service

Overview: FSB, the KGB’s successor agency, has conducted malicious cyber operations targeting the Energy Sector, including UK and U.S. energy companies, U.S. aviation organizations, U.S. government and military personnel, private organizations, cybersecurity companies, and journalists. FSB has been known to task criminal hackers for espionage-focused cyber activity; these same hackers have separately been responsible for disruptive ransomware and phishing campaigns.

Industry reporting identifies three intrusion sets associated with the FSB, but the U.S. and UK governments have only formally attributed one of these sets—known as BERSERK BEAR—to FSB.

  • BERSERK BEAR (also known as Crouching Yeti, Dragonfly, Energetic Bear, and Temp.Isotope) has, according to industry reporting, historically targeted entities in Western Europe and North America including state, local, tribal, and territorial (SLTT) organizations, as well as Energy, Transportation Systems, and Defense Industrial Base (DIB) Sector organizations. This group has also targeted the Water and Wastewater Systems Sector and other critical infrastructure facilities. Common TTPs include scanning to exploit internet-facing infrastructure and network appliances, conducting brute force attacks against public-facing web applications, and leveraging compromised infrastructure—often websites frequented or owned by their target—for Windows New Technology Local Area Network Manager (NTLM) credential theft. Industry reporting assesses that this actor has a destructive mandate.

The U.S. and UK governments assess that this APT group is almost certainly FSB’s Center 16, or Military Unit 71330, and that FSB’s Center 16 has conducted cyber operations against critical IT systems and infrastructure in Europe, the Americas, and Asia. 

Resources: for more information on BERSERK BEAR, see the MITRE ATT&CK® webpage on Dragonfly.

High-Profile Activity: in 2017, FSB employees, including one employee in the FSB Center for Information Security (also known as Unit 64829 and Center 18), were indicted by the U.S. Department of Justice (DOJ) for accessing email accounts of U.S. government and military personnel, private organizations, and cybersecurity companies, as well as email accounts of journalists critical of the Russian government.[9] More recently, in 2021, FSB Center 16 officers were indicted by the U.S. DOJ for their involvement in a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data. One of the victims was a U.S. nuclear power plant.[10

Resources: for more information on FSB, see: 

Russian Foreign Intelligence Service

Overview: SVR has operated an APT group since at least 2008 that has targeted multiple critical infrastructure organizations. SVR cyber threat actors have used a range of initial exploitation techniques that vary in sophistication coupled with stealthy intrusion tradecraft within compromised networks. SVR cyber actors’ novel tooling and techniques include:

  • Custom, sophisticated multi-platform malware targeting Windows and Linux systems (e.g., GoldMax and TrailBlazer); and
  • Lateral movement via the “credential hopping” technique, which includes browser cookie theft to bypass multifactor authentication (MFA) on privileged cloud accounts.[11]

High-Profile Activity: the U.S. Government, the Government of Canada, and the UK Government assess that SVR cyber threat actors were responsible for the SolarWinds Orion supply chain compromise and the associated campaign that affected U.S. government agencies, critical infrastructure entities, and private sector organizations.[12][13][14]

Also known as: APT29, COZY BEAR, CozyDuke, Dark Halo, The Dukes, NOBELIUM, and NobleBaron, StellarParticle, UNC2452, YTTRIUM [15]

Resources: for more information on SVR, see:

For more information on the SolarWinds Orion supply chain compromise, see:

GRU, 85th Main Special Service Center

Overview: GTsSS, or Unit 26165, is an APT group that has operated since at least 2004 and primarily targets government organizations, travel and hospitality entities, research institutions, and non-governmental organizations, in addition to other critical infrastructure organizations. 

According to industry reporting, GTsSS cyber actors frequently collect credentials to gain initial access to target organizations. GTsSS actors have collected victim credentials by sending spearphishing emails that appear to be legitimate security alerts from the victim’s email provider and include hyperlinks leading to spoofed popular webmail services’ logon pages. GTsSS actors have also registered domains to conduct credential harvesting operations. These domains mimic popular international social media platforms and masquerade as tourism- and sports-related entities and music and video streaming services.

High-Profile Activity: the U.S. Government assesses that GTsSS cyber actors have deployed Drovorub malware against victim devices as part of their cyber espionage operations.[16] The U.S. Government and UK Government assess that GTsSS actors used a Kubernetes® cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.[17

Also known as: APT28, FANCY BEAR, Group 74, IRON TWILIGHT, PawnStorm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, and Tsar Team [18]

Resources: for more information on GTsSS, see the MITRE ATT&CK webpage on APT28

GRU’s Main Center of Special Technologies

Overview: GTsST, or Unit 74455, is an APT group that has operated since at least 2009 and has targeted a variety of critical infrastructure organizations, including those in the Energy, Transportation Systems, and Financial Services Sectors. According to industry reporting, GTsST also has an extensive history of conducting cyber espionage as well as destructive and disruptive operations against NATO member states, Western government and military organizations, and critical infrastructure-related organizations, including in the Energy Sector.

The primary distinguishing characteristic of the group is its operations use techniques aimed at causing disruptive or destructive effects at targeted organizations using DDoS attacks or wiper malware. The group’s destructive operations have also leveraged wiper malware that mimics ransomware or hacktivism and can result in collateral effects to organizations beyond the primary intended targets. Some of their disruptive operations have shown disregard or ignorance of potential secondary or tertiary effects. 

High-Profile Activity: the malicious activity below has been previously attributed to GTsST by the U.S. Government and the UK Government.[19][20]

The U.S. Government, the Government of Canada, and UK Government have also attributed the October 2019 large-scale, disruptive cyber operations against a range of Georgian web hosting providers to GTsST. This activity resulted in websites—including sites belonging to the Georgian government, courts, non-government organizations (NGOs), media, and businesses—being defaced and interrupted the service of several national broadcasters.[21]22][23]

Also known as: ELECTRUM, IRON VIKING, Quedagh, the Sandworm Team, Telebots, VOODOO BEAR [24]

Resources: for more information on GTsST, see the MITRE ATT&CK webpage on Sandworm Team

Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics 

Overview: TsNIIKhM, as described on their webpage, is a research organization under Russia’s Ministry of Defense (MOD). Actors associated with TsNIIKhM have developed destructive ICS malware.

High-Profile Activity: TsNIIKhM has been sanctioned by the U.S. Department of the Treasury for connections to the destructive Triton malware (also called HatMan and TRISIS); TsNIIKhM has been sanctioned by the UK Foreign, Commonwealth, and Development Office (FCDO) for a 2017 incident that involved safety override controls (with Triton malware) in a foreign oil refinery.[25][26] In 2021, the U.S. DOJ indicted a TsNIIKhM Applied Development Center (ADC) employee for conducting computer intrusions against U.S. Energy Sector organizations. The indicted employee also accessed the systems of a foreign oil refinery and deployed Triton malware.[27] Triton is a custom-built malware designed to manipulate safety instrumented systems within ICS controllers, disabling the safety alarms that prevent dangerous conditions. 

Also known as: Temp.Veles, XENOTIME [28]

Resources: for more information on TsNIIKhM, see the MITRE ATT&CK webpage on TEMP.Veles. For more information on Triton, see:

Russian-Aligned Cyber Threat Groups

In addition to the APT groups identified in the Russian State-Sponsored Cyber Operations section, industry reporting identifies two intrusion sets—PRIMITIVE BEAR and VENOMOUS BEAR—as state-sponsored APT groups, but U.S., Australian, Canadian, New Zealand, and UK cyber authorities have not attributed these groups to the Russian government.

  • PRIMITIVE BEAR has, according to industry reporting, targeted Ukrainian organizations since at least 2013. This activity includes targeting Ukrainian government, military, and law enforcement entities using high-volume spearphishing campaigns to deliver its custom malware. According to industry reporting, PRIMITIVE BEAR conducted multiple cyber operations targeting Ukrainian organizations in the lead up to Russia’s invasion.

Resources: for more information on PRIMITIVE BEAR, see the MITRE ATT&CK webpage on the Gamaredon Group.

  • VENOMOUS BEAR has, according to industry reporting, historically targeted governments aligned with the North Atlantic Treaty Organization (NATO), defense contractors, and other organizations of intelligence value. Venomous Bear is known for its unique use of hijacked satellite internet connections for command and control (C2). It is also known for the hijacking of other non-Russian state-sponsored APT actor infrastructure.[29] VENOMOUS BEAR has also historically leveraged compromised infrastructure and maintained an arsenal of custom-developed sophisticated malware families, which is extremely complex and interoperable with variants developed over time. VENOMOUS BEAR has developed tools for multiple platforms, including Windows, Mac, and Linux.[30

Resources: for more information on VENOMOUS BEAR, see the MITRE ATT&CK webpage on Turla.

Russian-Aligned Cybercrime Groups

Cybercrime groups are typically financially motivated cyber actors that seek to exploit human or security vulnerabilities to enable direct theft of money (e.g., by obtaining bank login information) or by extorting money from victims. These groups pose consistent threats to critical infrastructure organizations globally. 

Since Russia’s invasion of Ukraine in February 2022, some cybercrime groups have independently publicly pledged support for the Russian government or the Russian people and/or threatened to conduct cyber operations to retaliate against perceived attacks against Russia or materiel support for Ukraine. These Russian-aligned cybercrime groups likely pose a threat to critical infrastructure organizations primarily through:

  • Deploying ransomware through which cyber actors remove victim access to data (usually via encryption), potentially causing significant disruption to operations.
  • Conducting DDoS attacks against websites. 
    • In a DDoS attack, the cyber actor generates enough requests to flood and overload the target page and stop it from responding. 
    • DDoS attacks are often accompanied by extortion. 
    • According to industry reporting, some cybercrime groups have recently carried out DDoS attacks against Ukrainian defense organizations, and one group claimed credit for DDoS attack against a U.S. airport the actors perceived as supporting Ukraine (see the Killnet section).

Based on industry and open-source reporting, U.S., Australian, Canadian, New Zealand, and UK cyber authorities assess multiple Russian-aligned cybercrime groups pose a threat to critical infrastructure organizations. These groups include:

  • The CoomingProject
  • Killnet
  • MUMMY SPIDER 
  • SALTY SPIDER
  • SCULLY SPIDER
  • SMOKEY SPIDER
  • WIZARD SPIDER
  • The Xaknet Team

Note: although some cybercrime groups may conduct cyber operations in support of the Russian government, U.S., Australian, Canadian, New Zealand, and UK cyber authorities assess that cyber criminals will most likely continue to operate primarily based on financial motivations, which may include targeting government and critical infrastructure organizations.

The CoomingProject

Overview: the CoomingProject is a criminal group that extorts money from victims by exposing or threatening to expose leaked data. Their data leak site was launched in August 2021.[31] The CoomingProject stated they would support the Russian Government in response to perceived cyberattacks against Russia.[32]

Killnet

Overview: according to open-source reporting, Killnet released a video pledging support to Russia.[33
Victims: Killnet claimed credit for carrying out a DDoS attack against a U.S. airport in March 2022 in response to U.S. materiel support for Ukraine.[34]

MUMMY SPIDER

Overview: MUMMY SPIDER is a cybercrime group that creates, distributes, and operates the Emotet botnet. Emotet is advanced, modular malware that originated as a banking trojan (malware designed to steal information from banking systems but that may also be used to drop additional malware and ransomware). Today Emotet primarily functions as a downloader and distribution service for other cybercrime groups. Emotet has been used to deploy WIZARD SPIDER’s TrickBot, which is often a precursor to ransomware delivery. Emotet has worm-like features that enable rapid spreading in an infected network. 

Victims: according to open sources, Emotet has been used to target industries worldwide, including financial, e-commerce, healthcare, academia, government, and technology organizations’ networks.

Also known as: Gold Crestwood, TA542, TEMP.Mixmaster, UNC3443

Resources: for more information on Emotet, see joint Alert Emotet Malware. For more information on TrickBot, see joint CSA TrickBot Malware

SALTY SPIDER

Overview: SALTY SPIDER is a cybercrime group that develops and operates the Sality botnet. Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.[35]

Victims: according to industry reporting, in February 2022, SALTY SPIDER conducted DDoS attacks against Ukrainian web forums used to discuss events relating to Russia’s military offensive against the city of Kharkiv.

Also known as: Sality

SCULLY SPIDER

Overview: SCULLY SPIDER is a cybercrime group that operates using a malware-as-a-service model; SCULLY SPIDER maintains command and control infrastructure and sells access to their malware and infrastructure to affiliates, who distribute their own malware.[36][37] SCULLY SPIDER develops and operates the DanaBot botnet, which originated primarily as a banking Trojan but expanded beyond banking in 2021 and has since been used to facilitate access for other types of malware, including TrickBot, DoppelDridex, and Zloader. Like Emotet, Danabot effectively functions as an initial access vector for other malware, which can result in ransomware deployment.

According to industry reporting, recent DDoS activity by the DanaBot botnet suggests SCULLY SPIDER has operated in support of Russia’s military offensive in Ukraine. 

Victims: SCULLY SPIDER affiliates have primarily targeted organizations in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.[38] According to industry reporting, in March 2022, Danabot was used in DDoS attacks against multiple Ukrainian government organizations. 

Also known as: Gold Opera

SMOKEY SPIDER

Overview: SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a malicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and operates as a malware distribution service for a number of different payloads, including—but not limited to—DanaBot, TrickBot, and Qakbot.

Victims: according to industry reporting, Smoke Loader was observed in March 2022 distributing DanaBot payloads that were subsequently used in DDoS attacks against Ukrainian targets.
Resources: for more information on Smoke Loader, see the MITRE ATT&CK webpage on Smoke Loader.

WIZARD SPIDER

Overview: WIZARD SPIDER is a cybercrime group that develops TrickBot malware and Conti ransomware. Historically, the group has paid a wage to the ransomware deployers (referred to as affiliates), some of whom may then receive a share of the proceeds from a successful ransomware attack. In addition to TrickBot, notable initial access and persistence vectors for affiliated actors include Emotet, Cobalt Strike, spearphishing, and stolen or weak Remote Desktop Protocol (RDP) credentials.

After obtaining access, WIZARD SPIDER affiliated actors have relied on various publicly available and otherwise legitimate tools to facilitate earlier stages of the attack lifecycle before deploying Conti ransomware.

WIZARD SPIDER pledged support to the Russian government and threatened critical infrastructure organizations of countries perceived to carry out cyberattacks or war against the Russian government.[39] They later revised this pledge and threatened to retaliate against perceived attacks against the Russian people.[40]

Victims: Conti victim organizations span across multiple industries, including construction and engineering, legal and professional services, manufacturing, and retail. In addition, WIZARD SPIDER affiliates have deployed Conti ransomware against U.S. healthcare and first responder networks.

Also known as: UNC2727, Gold Ulrick

Resources: for more information on Conti, see joint CSA Conti Ransomware. For more information on TrickBot, see joint CSA TrickBot Malware

The XakNet Team

Overview: XakNet is a Russian-language cyber group that has been active as early as March 2022. According to open-source reporting, the XakNet Team threatened to target Ukrainian organizations in response to perceived DDoS or other attacks against Russia.[41] According to reporting from industry, on March 31, 2022, XakNet released a statement stating they would work “exclusively for the good of [Russia].” According to industry reporting, the XakNet Team may be working with or associated with Killnet actors, who claimed credit for the DDoS attacks against a U.S. airport (see the Killnet section).

Victims: according to industry reporting, in late March 2022, the XakNet Team leaked email contents of a Ukrainian government official. The leak was accompanied by a political statement criticizing the Ukrainian government, suggesting the leak was politically motivated. 

Mitigations

U.S., Australian, Canadian, New Zealand, and UK cyber authorities urge critical infrastructure organizations to prepare for and mitigate potential cyber threats by immediately (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, and (4) providing end-user awareness and training.

  • Update software, including operating systems, applications, and firmware, on IT network assets. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
    • Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.  
    • Consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. CISA’s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities.
  • Enforce MFA to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords. Do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. As Russian state-sponsored APT actors have demonstrated the ability to exploit default MFA protocols and known vulnerabilities, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios. For more information, see joint CSA Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.
  • If you use RDP and/or other potentially risky services, secure and monitor them closely. RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN) or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force attempts, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
  • Provide end-user awareness and training to help prevent successful targeted social engineering and spearphishing campaigns. Phishing is one of the top infection vectors for ransomware, and Russian state-sponsored APT actors have conducted successful spearphishing campaigns to gain credentials of target networks.
    • Ensure that employees are aware of potential cyber threats and delivery methods. 
    • Ensure that employees are aware of what to do and whom to contact when they receive a suspected phishing email or suspect a cyber incident.

As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks.

  • Ensure OT assets are not externally accessible. Ensure strong identity and access management when OT assets needs to be externally accessible.
  • Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.
  • Organize OT assets into logical zones by considering criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network.

To further prepare for and mitigate cyber threats from Russian state-sponsored or criminal actors, U.S., Australian, Canadian, New Zealand, and UK cyber authorities encourage critical infrastructure organizations to implement the recommendations listed below.

Preparing for Cyber Incidents
  • Create, maintain, and exercise a cyber incident response and continuity of operations plan. 
    • Ensure the cyber incident response plan contains ransomware- and DDoS-specific annexes. For information on preparing for DDoS attacks, see NCSC-UK guidance on preparing for denial-of-service attacks.
    • Keep hard copies of the incident response plan to ensure responders and network defenders can access the plan if the network has been shut down by ransomware, etc.
  • Maintain offline (i.e., physically disconnected) backups of data. Backup procedures should be conducted on a frequent, regular basis (at a minimum every 90 days). Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.
    • Ensure the backup keys are kept offline as well, to prevent them being encrypted in a ransomware incident.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure with a particular focus on key data assets.
  • Develop recovery documentation that includes configuration settings for common devices and critical equipment. Such documentation can enable more efficient recovery following an incident.
  • Identify the attack surface by mapping and accounting all external-facing assets (applications, servers, IP addresses) that are vulnerable to DDoS attacks or other cyber operations.
  • For OT assets/networks:
    • Identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment.
    • Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated from IT networks if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that safety-critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.
    • Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
    • Implement data backup procedures.
    • Develop recovery documents that include configuration settings for common devices and critical OT equipment. 
Identity and Access Management
  • Require accounts with password logins, including service accounts, to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access. Consider using a password manager; see NCSC-UK’s Password Manager Buyers Guide for guidance.
  • Implement authentication timeout and lockout features to prevent repeated failed login attempts and successful brute-force attempts.
  • Create a deny list of known compromised credentials and prevent users from using known-compromised passwords.
  • Secure credentials by restricting where accounts and credentials can be used and by using local device credential protection features. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
    • Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
    • Ensure storage of clear text passwords in Local Security Authority Subsystem Service (LSASS) memory is disabled. Note: for Windows 8, this is enabled by default. For more information see Microsoft Security Advisory Update to Improve Credentials Protection and Management.
    • Consider disabling or limiting NTLM and WDigest Authentication.
    • Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
    • Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting Service (TGS) and can be used to obtain hashed credentials that malicious cyber actors attempt to crack.
  • Audit domain controllers to log successful Kerberos TGS requests and ensure the events are monitored for anomalous activity.  
    • Secure accounts.
    • Enforce the principle of least privilege. Administrator accounts should have the minimum permission necessary to complete their tasks.
    • Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
    • Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
  • Disable inactive accounts uniformly across the AD, MFA systems, etc.
  • Implement time-based access for privileged accounts. The FBI and CISA observed cybercriminals conducting increasingly impactful attacks against U.S. entities on holidays and weekends in 2021. Threat actors may view holidays and weekends—when offices are normally closed—as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations. The just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the zero-trust model) by setting network-wide policy to automatically disable admin accounts at the AD level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. 
Protective Controls and Architecture
  • Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor, ransomware, or other malware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Implement a firewall and configure it to block Domain Name System (DNS) responses from outside the enterprise network or drop Internet Control Message Protocol (ICMP) packets. Review which admin services need to be accessible externally and allow those explicitly, blocking all others by default.
    • U.S. Defense Industrial Base organizations may sign up for the NSA Cybersecurity Collaboration Center’s Protective Domain Name System (PDNS) services.
  • Enable web application firewalls to mitigate application-level DDoS attacks. 
  • Implement a multi-content delivery network (CDN) solution. This will minimize the threat of DDoS attacks by distributing and balancing web traffic across a network.
Vulnerability and Configuration Management
  • Use an antivirus programs that uses heuristics and reputational ratings to check a file’s prevalence and digital signature prior to execution. Note: organizations should assess the risks inherent in their software supply chain (including its security/antivirus software supply chain) in light of the existing threat landscape.
    • Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. 
    • Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  • Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses.
  • Disable all unnecessary ports and protocols.
    • Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
    • Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.
  • Identify business-to-business VPNs and block high-risk protocols.
  • Ensure OT hardware is in read-only mode.
  • Enable strong spam filters.
    • Enable strong spam filters to prevent phishing emails from reaching end users.
    • Filter emails containing executable files to prevent them from reaching end users.
    • Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.
  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Open document readers in protected viewing modes to help prevent active content from running.
Responding to Cyber Incidents

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge network defenders of critical infrastructure organizations to exercise due diligence in identifying indicators of malicious activity. Organizations detecting potential APT or ransomware activity in their IT or OT networks should:

  1. Immediately isolate affected systems.
  2. For DDoS attacks:
    1. Identify the source address originating the attack via the SIEM or logging service. If the attack is originating from a single pool of IP addresses, block IP traffic from suspected IPs via access control lists or by contacting your internet service provider (ISP).
    2. Enable firewall rate limiting to restrict the amount of IP traffic coming in from suspected IP addresses
    3. Notify your ISP and enable remote triggered blackhole (RTBH).
  3. Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
  4. Collect and review relevant logs, data, and artifacts.
  5. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
  6. Report incidents to appropriate cyber and law enforcement authorities:
  • U.S organizations: share information about incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. For ransomware incidents, organizations can also report to the U.S. Secret Service via a U.S. Secret Service Field Office
  • Australian organizations: if you have questions about this advice or have indications that your environment has been compromised, call the ACSC at 1300 CYBER1 (1300 292 371). To report an incident see cyber.gov.au/acsc/report.
  • Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.
  • New Zealand organizations: if your organization requires assistance from the National Cyber Security Centre, contact them directly via telephone at (04) 498-7654 or via email at ncscincidents@ncsc.govt.nz.
  • UK organizations: report a significant cybersecurity incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

For additional guidance on responding to a ransomware incident, see the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or investigating a network, and for common mistakes in incident handling.

Additionally, CISA, the FBI, and NSA encourage U.S. critical infrastructure owners and operators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response.  

Note: U.S., Australian, Canadian, New Zealand, and UK cyber authorities strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom does not guarantee that a victim’s files will be recovered.

RESOURCES DISCLAIMER

The information you have accessed or received is being provided “as is” for informational purposes only. CISA, NSA, FBI, ACSC, CCCS, NZ NCSC, NCSC-UK, and the UK National Crime Agency (NCA) do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

TRADEMARK RECOGNITION

MITRE and ATT&CK are registered trademarks of The MITRE Corporation. Kubernetes is a registered trademark of The Linux Foundation.

PURPOSE 

This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

REFERENCES

[1] Cybersecurity and Infrastructure Security Agency
[2] Federal Bureau of Investigation
[3] National Security Agency
[4] Australian Cyber Security Centre
[5] Canadian Centre for Cyber Security
[6] New Zealand's National Cyber Security Centre
[7] United Kingdom's National Cyber Security Centre
[8] United Kingdom's National Crime Agency
[9] U.S. DOJ Press Release: U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts
[10] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide
[11] CrowdStrike Blog: Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
[12] U.S. White House Statement: FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian
[
13] Government of Canada Statement on SolarWinds Cyber Compromise
[14] UK Government Press Release: Russia: UK and US expose global campaign of malign activity by Russian intelligence services
[15] MITRE ATT&CK: APT29
[
16] Joint CSA Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
[17] Joint CSA Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
[18] MITRE ATT&CK APT28
[19] Joint CSA New Sandworm Malware Cyclops Blink Replaces VPNFilter
[20] UK Government Press Release: UK condemns Russia's GRU over Georgia cyber-attacks
[21] U.S. Department of State, Press Statement: The United States Condemns Russian Cyber Attack Against the Country of Georgia
[22] Government of Canada CSE Statement on Malicious Russian Cyber Activity Targeting Georgia
[23] UK Government Press Release: UK condemns Russia's GRU over Georgia cyber-attacks
[24] MITRE ATT&CK The Sandworm Team
[25] U.S. Department of the Treasury Press Release: Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
[26] UK Government Press Release: UK exposes Russian spy agency behind cyber incident
[27] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide
[28] MITRE ATT&CK TEMP.Veles
[29] NSA and NCSC-UK Cybersecurity Advisory Turla Group Exploits Iranian APT To Expand Coverage Of Victims
[30] CrowdStrike Adversary Profile: VENEMOUS BEAR
[31] KELA Cybersecurity Intelligence Center: Ain’t No Actor Trustworthy Enough: The importance of validating sources
[32] Twitter: Valery Marchive Status, Feb. 25, 2022 1:41 PM
[33] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides
[34] Twitter: CyberKnow Status, March 29, 2022, 7:54 AM
[35] CrowdStrike Blog: Who is Salty Spider (Sality)?
[36] Proofpoint Blog: New Year, New Version of DanaBot
[37] Zscaler Blog: Spike in DanaBot Malware Activity
[38] Proofpoint Blog: New Year, New Version of DanaBot
[39] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides
[40] TechTarget: Conti ransomware gang backs Russia, threatens US
[41] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides

ACKNOWLEDGEMENTS

The U.S., Australian, Canadian, New Zealand, and UK cyber authorities would like to thank CrowdStrike, Google, LookingGlass Cyber, Mandiant, Microsoft, and Secureworks for their contributions to this CSA.

Contact Information

U.S. organizations: to report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov. Australian organizations: visit cyber.gov.au/acsc/report or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca. New Zealand organizations: report cyber security incidents to ncscincidents@ncsc.govt.nz or call 04 498 7654. United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Revisions
  • April 20, 2022: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

US-CERT - Mon, 2022-04-18 06:38
Original release date: April 18, 2022
Summary

Actions to take today to mitigate cyber threats to cryptocurrency:
Patch all systems.
• Prioritize patching known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Use multifactor authentication.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. For more information on North Korean state-sponsored malicious cyber activity, visit https://www.us-cert.cisa.gov/northkorea.

The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.

The U.S. government previously published an advisory about North Korean state-sponsored cyber actors using AppleJeus malware to steal cryptocurrency: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. The U.S. government has also previously published advisories about North Korean state-sponsored cyber actors stealing money from banks using custom malware:

This advisory provides information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to stakeholders in the blockchain technology and cryptocurrency industry to help them identify and mitigate cyber threats against cryptocurrency. 

Click here for a PDF version of this report. 

Technical DetailsThreat Update

The U.S. government has identified a group of North Korean state-sponsored malicious cyber actors using tactics similar to the previously identified Lazarus Group (see AppleJeus: Analysis of North Korea’s Cryptocurrency Malware). The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency. As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. 

Tactics, Techniques and Procedures

Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as "TraderTraitor."

The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications (see figure 1).

 

Figure 1: Screenshot of CryptAIS website

The JavaScript code providing the core functions of the software is bundled with Webpack. Within the code is a function that purports to be an “update,” with a name such as UpdateCheckSync(), that downloads and executes a malicious payload (see figure 2). 

The update function makes an HTTP POST request to a PHP script hosted on the TraderTraitor project’s domain at either the endpoint /update/ or /oath/checkupdate.php. In recent variants, the server’s response is parsed as a JSON document with a key-value pair, where the key is used as an AES 256 encryption key in Cipher Block Chaining (CBC) or Counter (CTR) mode to decrypt the value. The decrypted data is written as a file to the system’s temporary directory, as provided by the os.tmpdir() method of Node.js, and executed using the child_process.exec() method of Node.js, which spawns a shell as a child process of the current Electron application. The text “Update Finished” is then logged to the shell for the user to see.

Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads (see North Korean Remote Access Tool: COPPERHEDGE). Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.  

 

Figure 2: Screenshot depicting the UpdateCheckSync() and supporting functions bundled within 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18 associated with DAFOM

Indicators of Compromise

DAFOM
DAFOM purports to be a “cryptocurrency portfolio application.” A Mach-O binary packaged within the Electron application was signed by an Apple digital signature issued for the Apple Developer Team W58CYKFH67. The certificate associated with Apple Developer Team W58CYKFH67 has been revoked. A metadata file packaged in the DAFOM application provided the URL hxxps://github[.]com/dafomdev for bug reports. As of April 2022, this page was unavailable.

 

dafom[.]dev

Information as of February 2022:
IP Address: 45.14.227[.]58
Registrar: NameCheap, Inc.
Created: February 7, 2022
Expires: February 7, 2023

 

60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18

Tags: dropper macos
Name: DAFOM-1.0.0.dmg
Size: 87.91 MB (92182575 bytes)
MD5: c2ea5011a91cd59d0396eb4fa8da7d21
SHA-1: b2d9ca7b6d1bbbe4864ea11dfca343b7e15597d8
SHA-256: 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18
ssdeep: 1572864:LGLBnolF9kPEiKOabR2QEs1B1/LuUQrbecE6Xwijkca/pzpfaLtIP:LGVnoT9kPZK9tVEwBxWbecR5Faxzpf0M

 

TokenAIS
TokenAIS purports to help “build a portfolio of AI-based trading” for cryptocurrencies. Mach-O binaries packaged within the Electron application contained an Apple digital signature issued for the Apple Developer Team RN4BTXA4SA. The certificate associated with Apple Developer Team RN4BTXA4SA has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called UpdateCheckSync() located in a file named update.js, which is bundled in a file called renderer.prod.js, which is in an archive called app.asar. This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CBC mode with the hardcoded initialization vector (IV) !@34QWer%^78TYui and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.

 

tokenais[.]com

Information as of January 2022:
IP Address: 199.188.103[.]115
Registrar: NameCheap, Inc.
Created: January 27, 2022
Expires: January 27, 2023

 

5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03

Tags: dropper macos
Name: TokenAIS.app.zip
Size: 118.00 MB (123728267 bytes)
MD5: 930f6f729e5c4d5fb52189338e549e5e
SHA-1: 8e67006585e49f51db96604487138e688df732d3
SHA-256: 5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03
ssdeep: 3145728:aMFJlKVvw4+zLruAsHrmo5Vvw4+zLruAsHrmob0dC/E:aUlKtw4+/r2HNtw4+/r2HnMCM

 

CryptAIS
CryptAIS uses the same language as TokenAIS to advertise that it “helps build a portfolio of AI-based trading.” It is distributed as an Apple Disk Image (DMG) file that is digitally signed by an Apple digital signature issued for the Apple Developer Team CMHD64V5R8. The certificate associated with Apple Developer Team CMHD64V5R8 has been revoked. The application requires users to “register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a Node.js function called UpdateCheckSync() located in a file named update.js, which is bundled in a file called renderer.prod.js, which is in an archive called app.asar. This function passes the email address that the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CTR mode and a key provided in the response, then writes the decrypted data to a file and executes it in a new shell.

 

cryptais[.]com

Information as of August 2021:
IP Address: 82.102.31.14
Registrar: NameCheap, Inc.
Created: August 2, 2021
Expires: August 2, 2022

 

f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b

Tags: dropper macos
Name: CryptAIS[.]dmg
Size: 80.36 MB (84259810 bytes)
MD5: 4e5ebbecd22c939f0edf1d16d68e8490
SHA-1: f1606d4d374d7e2ba756bdd4df9b780748f6dc98
SHA-256: f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b
ssdeep: 1572864:jx9QOwiLDCUrJXsKMoGTwiCcKFI8jmrvGqjL2hX6QklBmrZgkZjMz+dPSpR0Xcpk:F9QOTPCUrdsKEw3coIg2Or6XBmrZgkZw

 

AlticGO
AlticGO was observed packaged as Nullsoft Scriptable Install System (NSIS) Windows executables that extracted an Electron application packaged for Windows. These executables contain a simpler version of TraderTraitor code in a function exported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js, which is in the app.asar archive. The function calls an external function located in a file node_modules/request/index.js bundled in renderer.prod.js to make an HTTP request to hxxps://www.alticgo[.]com/update/. One AlticGO sample, e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad, instead contacts hxxps://www.esilet[.]com/update/ (see below for more information about Esilet). Some image resources bundled with the application included the CreAI Deck logo (see below for more information about CreAI Deck). The response is written to disk and executed in a new shell using the child_process.exec() method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload.

 

alticgo[.]com

Information as of August 2020:
IP Address: 108.170.55[.]202
Registrar: NetEarth One Inc.
Created: August 8, 2020
Expires: August 8, 2021

 

765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819

Tags: dropper peexe nsis
Name: AlticGO.exe
Size: 43.54 MB (45656474 bytes)
MD5: 1c7d0ae1c4d2c0b70f75eab856327956
SHA-1: f3263451f8988a9b02268f0fb6893f7c41b906d9
SHA-256: 765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819
ssdeep: 786432:optZmVDkD1mZ1FggTqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yVPUXi7:opzKDginspAU6JXnJ46X+eC6cySihWVX
Compilation timestamp: 2018-12-15 22:26:14 UTC

 

e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad

Tags: dropper peexe nsis
Name: AlticGO_R.exe
Size: 44.58 MB (46745505 bytes)
MD5: 855b2f4c910602f895ee3c94118e979a
SHA-1: ff17bd5abe9f4939918f27afbe0072c18df6db37
SHA-256: e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad
ssdeep: 786432:LptZmVDkD1mQIiXUBkRbWGtqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yH:LpzKDgzRpWGwpAU6JXnJ46X+eC6cySiI
Compilation timestamp: 2020-02-12 16:15:17 UTC

 

8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925

Tags: dropper peexe nsis
Name: AlticGO.exe
Size: 44.58 MB (46745644 bytes)
MD5: 9a6307362e3331459d350a201ad66cd9
SHA-1: 3f2c1e60b5fac4cf1013e3e1fc688be490d71a84
SHA-256: 8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925
ssdeep: 786432:AptZmVDkD1mjPNDeuxOTKQqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yV7:ApzKDgqPxeuLpAU6JXnJ46X+eC6cySiG
Compilation timestamp: 2020-02-12 16:15:17 UTC

 

Esilet
Esilet claims to offer live cryptocurrency prices and price predictions. It contains a simpler version of TraderTraitor code in a function exported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js, which is in the app.asar archive. The function calls an external function located in a file node_modules/request/index.js bundled in renderer.prod.js to make an HTTP request to hxxps://www.esilet[.]com/update/. The response is written to disk and executed in a new shell using the child_process.exec() method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a payload. Esilet has been observed delivering payloads of at least two different macOS variants of Manuscrypt, 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa and dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156. 

 

Figure 3: Screenshot of the UpdateCheckSync() function in Esilet

esilet[.]com

Information as of June 2020:
IP Address: 104.168.98[.]156
Registrar: NameSilo, LLC
Created: June 12, 2020
Expires: June 12, 2021

 

greenvideo[.]nl

Likely legitimate but compromised. Information as of April 2022:
IP Address: 62.84.240[.]140
Registrar: Flexwebhosting
Created: February 26, 2018
Expires: Unknown

 

dafnefonseca[.]com

Likely legitimate but compromised. Information as of June 2020:
IP Address: 151.101.64[.]119
Registrar: PublicDomainRegistry Created: August 27, 2019
Expires: August 27, 2022

 

haciendadeclarevot[.]com

Likely legitimate but compromised. Information as of June 2020:
IP Address: 185.66.41[.]17
Registrar: cdmon, 10DENCEHISPAHARD, S.L.
Created: March 2, 2005
Expires: March 2, 2023 sche-eg[.]org Likely legitimate but compromised. Information as of June 2020:
IP Address: 160.153.235[.]20
Registrar: GoDaddy.com, LLC
Created: June 1, 2019
Expires: June 1, 2022

 

www.vinoymas[.]ch

Likely legitimate but compromised. Information as of June 2020:
IP Address: 46.16.62[.]238
Registrar: cdmon, 10DENCEHISPAHARD, S.L.
Created: January 24, 2010
Expires: Unknown

 

infodigitalnew[.]com

Likely legitimate but compromised. Information as of June 2020:
IP Address: 107.154.160[.]132
Registrar: PublicDomainRegistry
Created: June 20, 2020
Expires: June 20, 2022

 

9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598

Tags: dropper macos
Name: Esilet.dmg
Size: 77.90 MB (81688694 bytes) MD5: 53d9af8829a9c7f6f177178885901c01
SHA-1: ae9f4e39c576555faadee136c6c3b2d358ad90b9 SHA-256: 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598
ssdeep: 1572864:lffyoUnp5xmHVUTd+GgNPjFvp4YEbRU7h8cvjmUAm4Du73X0unpXkU:lfqHBmHo+BPj9CYEshLqcuAX0I0

 

9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa

Tags: trojan macho
Name: Esilet-tmpzpsb3
Size: 510.37 KB (522620 bytes)
MD5: 1ca31319721740ecb79f4b9ee74cd9b0
SHA-1: 41f855b54bf3db621b340b7c59722fb493ba39a5 SHA-256: 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa
ssdeep: 6144:wAulcT94T94T97zDj1I/BkjhkbjZ8bZ87ZMSj71obV/7NobNo7NZTb7hMT5ETZ8I:wDskT1UBg2lirFbpR9mJGpmN C2 Endpoints:

  • hxxps://greenvideo[.]nl/wp-content/themes/top.php
  • hxxps://dafnefonseca[.]com/wp-content/themes/top.php
  • hxxps://haciendadeclarevot[.]com/wp-content/top.php

 

dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156

Tags: trojan macho
Name: Esilet-tmpg7lpp Size: 38.24 KB (39156 bytes)
MD5: 9578c2be6437dcc8517e78a5de1fa975
SHA-1: d2a77c31c3e169bec655068e96cf4e7fc52e77b8
SHA-256: dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156
ssdeep: 384:sdaWs0fDTmKnY4FPk6hTyQUitnI/kmCgr7lUryESll4yg9RpEwrUifJ8ttJOdy:sdayCkY4Fei9mhy/L9RBrny6y

C2 Endpoints: 

  • hxxps://sche-eg[.]org/plugins/top.php
  • hxxps://www.vinoymas[.]ch/wp-content/plugins/top.php
  • hxxps://infodigitalnew[.]com/wp-content/plugins/top.php

 

CreAI Deck
CreAI Deck claims to be a platform for “artificial intelligence and deep learning.” No droppers for it were identified, but the filenames of the below samples, win32.bin and darwin64.bin, match the naming conventions used by other versions of TraderTraitor when downloading a payload. Both are samples of Manuscrypt that contact hxxps://aideck[.]net/board.php for C2 using HTTP POST requests with multipart/form-data Content-Types.

creaideck[.]com

Information as of March 2020:
IP Address: 38.132.124[.]161
Registrar: NameCheap, Inc.
Created: March 9, 2020
Expires: March 9, 2021

 

aideck[.]net

Information as of June 2020:
IP Address: 89.45.4[.]151
Registrar: NameCheap, Inc.
Created: June 22, 2020
Expires: June 22, 2021

 

867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36

Tags: trojan peexe
Name: win32.bin
Size: 2.10 MB (2198684 bytes)
MD5: 5d43baf1c9e9e3a939e5defd8f8fbd8d
SHA-1: d5ff73c043f3bb75dd749636307500b60a436550 SHA-256: 867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36
ssdeep: 24576:y3SY+/2M3BMr7cdgSLBjbr4nzzy95VV7cEXV:ESZ2ESrHSV3D95oA
Compilation timestamp: 2020-06-23 06:06:35 UTC

 

89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957

Tags: trojan macho
Name: darwin64.bin
Size: 6.44 MB (6757832 bytes)
MD5: 8397ea747d2ab50da4f876a36d673272
SHA-1: 48a6d5141e25b6c63ad8da20b954b56afe589031
SHA-256: 89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957
ssdeep: 49152:KIH1kEh7zIXlDYwVhb26hRKtRwwfs62sRAdNhEJNDvOL3OXl5zpF+FqBNihzTvff:KIH1kEhI1LOJtm2spB

Mitigations

North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency-intellectual property, and gain financial assets. The U.S. government recommends implementing mitigations to protect critical infrastructure organizations as well as financial sector organizations in the blockchain technology and cryptocurrency industry.

  • Apply defense-in-depth security strategy. Apply security principles—such as least access models and defense-in-depth—to user and application privileges to help prevent exploitation attempts from being successful. Use network segmentation to separate networks into zones based on roles and requirements. Separate network zones can help prevent lateral movement throughout the organization and limit the attack surface. See NSA’s Top Ten Cybersecurity Mitigation Strategies for strategies enterprise organizations should use to build a defense-in-depth security posture. 
  • Implement patch management. Initial and follow-on exploitation involves leveraging common vulnerabilities and exposures (CVEs) to gain access to a networked environment. Organizations should have a timely vulnerability and patch management program in place to mitigate exposure to critical CVEs. Prioritize patching of internet-facing devices and monitored accordingly for any malicious logic attacks. 
  • Enforce credential requirements and multifactor authentication. North Korean malicious cyber actors continuously target user credentials, email, social media, and private business accounts. Organizations should ensure users change passwords regularly to reduce the impact of password spraying and other brute force techniques. The U.S. government recommends organizations implement and enforce multifactor authentication (MFA) to reduce the risk of credential theft. Be aware of MFA interception techniques for some MFA implementations and monitor for anomalous logins.
  • Educate users on social engineering on social media and spearphishing. North Korean actors rely heavily on social engineering, leveraging email and social media platforms to build trust and send malicious documents to unsuspecting users. A cybersecurity aware workforce is one of the best defenses against social engineering techniques like phishing. User training should include how to identify social engineering techniques and awareness to only open links and attachments from trusted senders.
  • Implement email and domain mitigations. Maintain awareness of themed emails surrounding current events. Malicious cyber actors use current events as lure for potential victims as observed during the COVID-19 pandemic. Organizations should have a robust domain security solution that includes leveraging reputation checks and closely monitoring or blocking newly registered domains (NRDs) in enterprise traffic. NRDs are commonly established by threat actors prior to malicious engagement.
    • HTML and email scanning. Organizations should disable HTML from being used in emails and scan email attachments. Embedded scripts may be hard for an antivirus product to detect if they are fragmented. An additional malware scanning interface product can be integrated to combine potentially malicious payloads and send the payload to the primary antivirus product. Hyperlinks in emails should also be scanned and opened with precautionary measures to reduce the likelihood of a user clicking on a malicious link.
  • Endpoint protection. Although network security is critical, devices mobility often means traveling and connecting to multiple different networks that offer varying levels of security. To reduce the risk of introducing exposed hosts to critical networks, organizations should ensure mobile devices have installed security suites to detect and mitigate malware. 
  • Enforce application security. Application allowlisting enables the organization to monitor programs and only allow those on the approved allowlist to execute. Allowlisting helps to stop the initial attack, even if the user clicks a malicious link or opens a malicious attachment. Implement baseline rule sets, such as NSA’s Limiting Location Data Exposure guidance, to block execution of unauthorized or malicious programs.
    • Disable macros in office products. Macros are a common method for executing code through an attached office document. Some office products allow for the disabling of macros that originate from outside of the organization, providing a hybrid approach when the organization depends on the legitimate use of macros.
      • Windows specific settings can be configured to block internet-originated macros from running. This can be done in the Group Policy Administrative Templates for each of the associated Office products (specifically Word, Excel and PowerPoint). Other productivity software, such as LibreOffice and OpenOffice, can be configured to set the Macro Security Level.
  • Be aware of third-party downloads—especially cryptocurrency applications. North Korean actors have been increasingly active with currency generation operations. Users should always verify file downloads and ensure the source is from a reputable or primary (preferred) source and not from a third-party vendor. Malicious cyber actors have continuously demonstrated the ability to trojanize applications and gain a foothold on host devices.
  • Create an incident response plan to respond to possible cyber intrusions. The plan should include reporting incidents to both the FBI and CISA—quick reporting can reduce the severity of incidents and provide valuable information to investigators. Contact information can be found below. 
Contact 

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Disclaimer

The information in this advisory is provided "as is" for informational purposes only. The FBI, CISA, and Treasury do not provide any warranties of any kind regarding this information or endorse any commercial product or service, including any subjects of analysis.
 

Revisions
  • Initial Version: April 18, 2022

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator - Security Alerts