Feed aggregator

AA20-345A: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data

US-CERT - Thu, 2020-12-10 09:00
Original release date: December 10, 2020<br/><h3>Summary</h3><p>This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).</p> <p>The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-345A_Joint_Cybersecurity_Advisory_Distance_Learning_S508C.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><p>As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors.</p> <h4>Ransomware</h4> <p>The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. 
Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.</p> <p>According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.</p> <p>The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020—based on open source information as well as victim and third-party incident reports made to MS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.</p> <h4>Malware</h4> <p>Figure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT) educational institutions over the past year (up to and including September 2020). Note: These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well.</p> <p>ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools.</p> <ul> <li>ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers.</li> <li>Shlayer is a Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. 
<strong>Note: </strong>Shlayer is the only malware of the top 10 that targets MacOS; the other 9 affect Microsoft Windows operating systems.</li> </ul> <p class="text-align-center"><img alt="Figure 1: Top 10 malware affecting SLTT educational institutions" data-entity-type="file" data-entity-uuid="ee5aa08d-fe73-44e6-8f7d-4b5e6ac08320" height="275" src="https://us-cert.cisa.gov/sites/default/files/publications/Top%2010%20Malware%20-%20K-12.png" width="614" /></p> <p class="text-align-center"><cite>Figure 1: Top 10 malware affecting SLTT educational institutions</cite></p> <h4>Distributed Denial-of-Service Attacks</h4> <p>Cyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting distance learning—with distributed denial-of-service (DDoS) attacks, which temporarily limit or prevent users from conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level. <strong>Note:</strong> DDoS attacks overwhelm servers with a high level of internet traffic originating from many different sources, making it impossible to mitigate at a single source.</p> <h4>Video Conference Disruptions</h4> <p>Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (<strong>Note: </strong>doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent). 
To enter classroom sessions, uninvited users have been observed:</p> <ul> <li>Using student names to trick hosts into accepting them into class sessions, and</li> <li>Accessing meetings from either publicly available links or links shared with outside users (e.g., students sharing links and/or passwords with friends).</li> </ul> <p>Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information.</p> <h3>Additional Risks and Vulnerabilities</h3> <p>In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment.</p> <h4>Social Engineering</h4> <p>Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics, such as phishing, trick victims into revealing personal information (e.g., password or bank account information) or performing a task (e.g., clicking on a link). In such scenarios, a victim could receive what appears to be legitimate email that:</p> <ul> <li>Requests personally identifiable information (PII) (e.g., full name, birthdate, student ID),</li> <li>Directs the user to confirm a password or personal identification number (PIN),</li> <li>Instructs the recipient to visit a website that is compromised by the cyber actor, or</li> <li>Contains an attachment with malware.</li> </ul> <p>Cyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals who mistype URLs or click on similar looking URLs. These types of attacks are referred to as domain spoofing or homograph attacks. 
For example, a user wanting to access <code>www.cottoncandyschool.edu</code> could mistakenly click on <code>www.cottencandyschool.edu</code> (changed “<code>o</code>” to an “<code>e</code>”) or <code>www.cottoncandyschoo1.edu</code> (changed letter “<code>l</code>” to a number “1”) (<strong>Note:</strong> this is a fictitious example to demonstrate how a user can mistakenly click and access a website without noticing subtle changes in website URLs). Victims believe they are on a legitimate website when, in reality, they are visiting a site controlled by a cyber actor.</p> <h4>Technology Vulnerabilities and Student Data</h4> <p>Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp usership growth in—these distance learning services and student data as lucrative targets.</p> <h4>Open/Exposed Ports</h4> <p>The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. 
This popular attack vector allows cyber actors to maintain a low profile, as they are using a legitimate network service that provides them with the same functionality as any other remote user.</p> <h4>End-of-Life Software</h4> <p>End-of-Life (EOL) software is regularly exploited by cyber actors—often to gain initial access, deface websites, or further their reach in a network. Once a product reaches EOL, customers no longer receive security updates, technical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity.</p> <h3>Mitigations</h3><h4>Plans and Policies</h4> <p>The FBI and CISA encourage educational providers to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. 
The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors.</p> <h4>Network Best Practices</h4> <ul> <li>Patch operating systems, software, and firmware as soon as manufacturers release updates.</li> <li>Check configurations for every operating system version for educational institution-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.</li> <li>Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.</li> <li>Use multi-factor authentication where possible.</li> <li>Disable unused remote access/RDP ports and monitor remote access/RDP logs.</li> <li>Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.</li> <li>Audit user accounts with administrative privileges and configure access controls with least privilege in mind.</li> <li>Audit logs to ensure new accounts are legitimate.</li> <li>Scan for open or listening ports and mediate those that are not needed.</li> <li>Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network.</li> <li>Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.</li> <li>Set antivirus and anti-malware solutions to automatically update; conduct regular scans.</li> </ul> <h4>User Awareness Best Practices</h4> <ul> <li>Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. 
Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.</li> <li>Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.</li> <li>Monitor privacy settings and information available on social networking sites.</li> </ul> <h4>Ransomware Best Practices</h4> <p>The FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. 
law.</p> <p>In addition to implementing the above network best practices, the FBI and CISA also recommend the following:</p> <ul> <li>Regularly back up data, air gap, and password protect backup copies offline.</li> <li>Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.</li> </ul> <h4>Denial-of-Service Best Practices</h4> <ul> <li>Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.</li> <li>Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event.</li> <li>Configure network firewalls to block unauthorized IP addresses and disable port forwarding.</li> </ul> <h4>Video-Conferencing Best Practices</h4> <ul> <li>Ensure participants use the most updated version of remote access/meeting applications.</li> <li>Require passwords for session access.</li> <li>Encourage students to avoid sharing passwords or meeting codes.</li> <li>Establish a vetting process to identify participants as they arrive, such as a waiting room.</li> <li>Establish policies to require participants to sign in using true names rather than aliases.</li> <li>Ensure only the host controls screensharing privileges.</li> <li>Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants.</li> </ul> <h4>Edtech Implementation Considerations</h4> <p>When partnering with third-party and edtech services to support distance learning, educational institutions should consider the following:</p> <ul> <li>The service provider’s cybersecurity policies and response plan in the event of a breach and their remediation practices: <ul> <li>How did the service provider resolve past cyber incidents? 
How did their cybersecurity practices change after these incidents?</li> </ul> </li> <li>The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs);</li> <li>The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services);</li> <li>Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses);</li> <li>Entities to whom the provider will grant access to the student data (e.g., vendors);</li> <li>How the provider will use student data (e.g., will they sell it to—or share it with—third parties for service enhancement, new product development, studies, marketing/advertising?);</li> <li>The provider’s de-identification practices for student data; and</li> <li>The provider’s policies on data retention and deletion.</li> </ul> <h4>Malware Defense</h4> <p>Table 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against related attacks, for the malware variants listed below. 
<strong>Note:</strong> the listing is not fully comprehensive and should not be used at the exclusion of other detection methods.</p> <p class="text-align-center"><em>Table 1: Malware signatures</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 881.46px; height: 312px; margin-right: auto; margin-left: auto;"> <thead> <tr> <th scope="col" style="width: 198px;">Malware</th> <th scope="col" style="width: 356px;">Signature</th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>NanoCore</strong></td> <td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)</code></td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>Cerber</strong></td> <td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)</code></td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>Kovter</strong></td> <td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; 
fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:nonstd-tcp; metadata:service http;)</code></td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;"><strong>Dridex</strong></td> <td scope="col" style="width: 356px; text-align: left;"> <p><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP URI GET contains 'invoice_########.doc' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; content:"invoice_"; http_uri; fast_pattern:only; content:".doc"; nocase; distance:8; within:4; content:"GET"; nocase; http_method; classtype:http-uri; metadata:service http;)<br /> alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|tanevengledrep ru' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"Host|3a 20|tanevengledrep|2e|ru|0d 0a|"; http_header; fast_pattern:only; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)</code></p> </td> </tr> </tbody> </table> <h3>Contact Information</h3><p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="https://www.fbi.gov/contact-us/field-offices">www.fbi.gov/contact-us/field</a>. 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and a designated point of contact.</p> <p>To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <h3>Resources</h3> <p>MS-ISAC membership is open to employees or representatives from all public K-12 education entities in the United States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities increase their cybersecurity posture. To join, visit <a href="https://learn.cisecurity.org/ms-isac-registration">https://learn.cisecurity.org/ms-isac-registration</a>.</p> <ul> <li><a href="https://www.cisa.gov/telework">CISA Telework Guidance and Resources</a></li> <li><a href="https://www.cisa.gov/publication/secure-video-conferencing-schools">CISA Cybersecurity Recommendations and Tips for Schools Using Video Conferencing</a></li> <li><a href="https://us-cert.cisa.gov/Ransomware">CISA Ransomware Publications</a></li> <li><a href="https://www.cisa.gov/emergency-services-sector-continuity-planning-suite">CISA Emergency Services Sector Continuity Planning Suite</a></li> <li><a href="https://www.cisa.gov/publication/ransomware-guide">CISA-MS-ISAC Joint Ransomware Guide</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST04-014">CISA Tip: Avoiding Social Engineering and Phishing Attacks</a></li> <li><a href="https://www.us-cert.gov/ncas/tips/ST04-006">CISA Tip: Understanding Patches</a></li> <li><a href="https://cyber.org/cybersafety">CISA and CYBER.ORG “Cyber Safety Video Series” for K-12 students and educators</a></li> <li><a href="https://www.ic3.gov/media/2019/191002.aspx">FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. 
Businesses and Organizations”</a></li> </ul> <p><strong>Note: </strong>contact your local FBI field office (<a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>) for additional FBI products on ransomware, edtech, and cybersecurity for educational institutions.</p> <h3>Revisions</h3> <ul> <li>Initial Version: December 10, 2020</li> </ul>
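The domain-spoofing paragraph above shows two lookalikes of the fictitious www.cottoncandyschool.edu (an o→e typo and an l→1 swap). The following is an added example, not part of the advisory, of how a defender can flag such lookalikes in proxy or DNS logs against an allowlist of the institution's real domains; it goes slightly beyond the text by also folding accented homograph characters. The allowlist, the CONFUSABLES table and the sample URLs are constructed.

```python
# Added example (not from the advisory): flag lookalike domains of the kind the
# homograph / domain-spoofing paragraph describes, for use in a proxy or DNS
# log review. The allowlist and the sample URLs are constructed; the legitimate
# domain reuses the advisory's own fictitious cottoncandyschool.edu.
import unicodedata
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"cottoncandyschool.edu"}  # constructed allowlist

# Visually confusable substitutions folded before comparison (a small subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Fold a domain to a visual canonical form: lower-case, strip accents
    (so 'ö' becomes 'o'), then replace common digit/letter lookalikes."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typos such as o -> e."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (adequate for .edu names;
    a public-suffix list would be needed for multi-label suffixes)."""
    try:
        host = host.encode("ascii").decode("idna")  # punycode xn-- -> Unicode
    except UnicodeError:
        pass  # already contains non-ASCII characters
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(url: str, allowed=ALLOWED_DOMAINS, max_distance: int = 1):
    """Return (verdict, domain, closest_allowed). Verdicts:
    allowed    - exact allowlist hit
    lookalike  - identical after confusable folding (schoo1 -> school)
    near-miss  - within max_distance edits of an allowed domain (cotten)
    unrelated  - nothing close"""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    domain = registrable_domain(host)
    if domain in allowed:
        return ("allowed", domain, domain)
    folded = skeleton(domain)
    best = None
    for legit in allowed:
        if skeleton(legit) == folded:
            return ("lookalike", domain, legit)
        dist = levenshtein(folded, skeleton(legit))
        if best is None or dist < best[0]:
            best = (dist, legit)
    if best is not None and best[0] <= max_distance:
        return ("near-miss", domain, best[1])
    return ("unrelated", domain, None)


if __name__ == "__main__":
    for u in ("https://www.cottoncandyschool.edu/login",
              "www.cottencandyschool.edu",          # o -> e typo
              "www.cottoncandyschoo1.edu",          # l -> 1
              "https://www.cottoncandyschoöl.edu",  # accented homograph
              "https://example.org"):
        print(u, "->", classify(u))
```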

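The Dridex URI signature in Table 1 above relies on Snort's relative content modifiers: `content:".doc"; nocase; distance:8; within:4` after `content:"invoice_"` is what turns the rule into the `invoice_########.doc` pattern its msg names. The following is an added example, not CISA's code, that re-creates just those modifier semantics in plain Python and runs the rule over constructed proxy log lines; the rule's `fast_pattern:only` is treated here as an ordinary content match, and real Snort should be used for production detection.

```python
# Added example (not CISA's code): a plain-Python re-creation of the Snort
# content/distance/within/nocase/http_method semantics used by the Dridex URI
# signature in Table 1, applied to constructed proxy log lines. This models
# only what that rule needs; it is not a Snort engine.
from typing import List, Optional, Tuple


def find_relative(data: bytes, pattern: bytes, start: int = 0,
                  distance: int = 0, within: Optional[int] = None,
                  nocase: bool = False) -> Optional[int]:
    """Emulate one Snort content match relative to `start` (the end of the
    previous match). distance:N skips N bytes before searching; within:N
    restricts the search to an N-byte window, and the whole pattern must fit
    inside it. Returns the end offset of the match, or None."""
    lo = start + distance
    hi = len(data) if within is None else lo + within
    haystack, needle = data[lo:hi], pattern
    if nocase:
        haystack, needle = haystack.lower(), needle.lower()
    idx = haystack.find(needle)
    return None if idx < 0 else lo + idx + len(needle)


def dridex_invoice_uri(method: str, uri: str) -> bool:
    """content:"invoice_"; http_uri; content:".doc"; nocase; distance:8;
    within:4; content:"GET"; nocase; http_method
    With a 4-byte pattern, distance:8 plus within:4 pins '.doc' to exactly
    eight bytes after 'invoice_', i.e. invoice_########.doc.
    (The rule's fast_pattern:only is treated as a normal content match.)"""
    if find_relative(method.encode(), b"GET", nocase=True) is None:
        return False
    data = uri.encode()
    end = 0
    # Snort retries later occurrences of the anchor content when the relative
    # chain fails, so every 'invoice_' in the URI is tried in turn.
    while True:
        end = find_relative(data, b"invoice_", start=end)
        if end is None:
            return False
        if find_relative(data, b".doc", start=end, distance=8, within=4,
                         nocase=True) is not None:
            return True


def scan_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the signature to 'METHOD URI' log lines; return the hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and dridex_invoice_uri(parts[0], parts[1]):
            hits.append((parts[0], parts[1]))
    return hits


# Constructed sample proxy log lines (method and request URI only).
SAMPLE_LOG = [
    "GET /docs/invoice_20201210.doc",            # hit: 8 bytes, then .doc
    "GET /docs/invoice_2020.doc",                # miss: .doc is not at +8
    "POST /docs/invoice_20201210.doc",           # miss: wrong method
    "GET /a/invoice_abc/invoice_12345678.DOC",   # hit: second anchor, nocase
    "GET /docs/invoice_123456789.doc",           # miss: 9 bytes, outside window
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_LOG):
        print("DRIDEX URI match:", *hit)
```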
Cisco IOS and IOS XE Software PROFINET Link Layer Discovery Protocol Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-12-09 15:23

A vulnerability in the PROFINET handler for Link Layer Discovery Protocol (LLDP) messages of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a crash on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient validation of LLDP messages in the PROFINET LLDP message handler. An attacker could exploit this vulnerability by sending a malicious LLDP message to an affected device. A successful exploit could allow the attacker to cause the affected device to reload.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-profinet-dos-65qYG3W5

A companion advisory for affected devices that support PROFINET is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-profinet-J9QMCHPB

This advisory is part of the September 24, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 34 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3512

Cisco IOS and IOS XE Software PROFINET Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-12-09 15:09

A vulnerability in the PROFINET feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause an affected device to crash and reload, resulting in a denial of service (DoS) condition on the device.

The vulnerability is due to insufficient processing logic for crafted PROFINET packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted PROFINET packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to crash and reload, resulting in a DoS condition on the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-profinet-J9QMCHPB

A companion advisory for affected devices that support PROFINET is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-profinet-dos-65qYG3W5.

This advisory is part of the September 24, 2020, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 34 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2020-3409

AA20-336A: Advanced Persistent Threat Actors Targeting U.S. Think Tanks

US-CERT - Tue, 2020-12-01 10:00
Original release date: December 1, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&amp;CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[<a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">1</a>] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.</p> <p>APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.</p> <p>Given the importance that think tanks can have in shaping U.S. 
policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h4>ATT&amp;CK Profile</h4> <p>CISA created the following MITRE ATT&amp;CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.</p> <ul> <li><em><strong>Initial Access</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0001">TA0001</a>] <ul> <li><i>Valid Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/">T1078</a>]</li> <li><i>Valid Accounts: Cloud Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/004/">T1078.004</a>]</li> <li><i>External Remote Services </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1133/">T1133</a>]</li> <li><i>Drive-by Compromise</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1189">T1189</a>]</li> <li><i>Exploit Public-Facing Application</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190">T1190</a>] <ul> <li><i>Supply Chain Compromise: Compromise Software Supply Chain</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1195/002">T1195.002</a>]</li> <li><i>Trusted Relationship</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1199">T1199</a>]</li> <li><i>Phishing: Spearphishing 
Attachment</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001">T1566.001</a>]</li> <li><i>Phishing: Spearphishing Link</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002">T1566.002</a>]</li> <li><i>Phishing: Spearphishing via Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/003">T1566.003</a>]</li> </ul> </li> </ul> </li> <li><i><em><strong>Execution</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0002">TA0002</a>] <ul> <li><i>Windows Management Instrumentation </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1047">T1047</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Command and Scripting Interpreter: PowerShell </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001">T1059.001</a>]</li> <li><i>Command and Scripting Interpreter: Windows Command Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003">T1059.003</a>]</li> <li><i>Command and Scripting Interpreter: Unix Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/004">T1059.004</a>]</li> <li><i>Command and Scripting Interpreter: Visual Basic </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/005">T1059.005</a>]</li> <li><i>Command and Scripting Interpreter: Python </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/006">T1059.006</a>]</li> <li><i>Native API </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1106">T1106</a>]</li> <li><i>Exploitation for Client Execution</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1203">T1203</a>]</li> <li><i>User Execution: Malicious Link </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1204/001">T1204.001</a>]</li> <li><i>User Execution: Malicious File</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1204/002">T1204.002</a>]</li> <li><i>Inter-Process Communication: Dynamic Data Exchange </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1559/002/">T1559.002</a>]</li> <li><i>System Services: Service Execution </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1569/002">T1569.002</a>]</li> </ul> </li> <li><i><em><strong>Persistence</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003">TA0003</a>] <ul> <li><i>Boot or Logon Initialization Scripts: Logon Script (Windows)</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1037/001">T1037.001</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Account Manipulation: Exchange Email Delegate Permissions </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1098/002">T1098.002</a>]</li> <li><i>Create Account: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1136/001">T1136.001</a>]</li> <li><i>Office Application Startup: Office Test </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1137/002">T1137.002</a>]</li> <li><i>Office Application Startup: Outlook Home Page</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1137/004">T1137.004</a>]</li> <li><i>Browser Extensions</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1176">T1176</a>]</li> <li><i>BITS Jobs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1197/">T1197</a>]</li> <li><i>Server Software Component: Web Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1505/003">T1505.003</a>]</li> <li><i>Pre-OS Boot: Bootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1542/003/">T1542.003</a>]</li> <li><i>Create or Modify System Process: Windows Service</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1543/003">T1543.003</a>]</li> <li><i>Event Triggered Execution: Change Default File Association</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/001">T1546.001</a>]</li> <li><i>Event Triggered Execution: Windows Management Instrumentation Event Subscription </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/003">T1546.003</a>]</li> <li><i>Event Triggered Execution: Accessibility Features</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Event Triggered Execution: Component Object Model Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/015">T1546.015</a>]</li> <li><i>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001">T1547.001</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> </ul> </li> <li><i><em><strong>Privilege Escalation</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0004">TA0004</a>] <ul> <li><i>Process Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055">T1055</a>]</li> <li><i>Process Injection: Process Hollowing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/012">T1055.012</a>]</li> <li><i>Exploitation for Privilege Escalation</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1068">T1068</a>]</li> <li><i>Access Token Manipulation: Token Impersonation/Theft</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1134/001">T1134.001</a>]</li> <li><i>Event Triggered Execution: Accessibility Features </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Hijack Execution Flow: DLL Side-Loading</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1574/002">T1574.002</a>]</li> </ul> </li> <li><i><em><strong>Defense Evasion</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0005">TA0005</a>] <ul> <li><i>Rootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1014">T1014</a>]</li> <li><i>Obfuscated Files or Information: Binary Padding </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/001">T1027.001</a>]</li> <li><i>Obfuscated Files or Information: Software Packing </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/002">T1027.002</a>]</li> <li><i>Obfuscated Files or Information: Steganography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/003">T1027.003</a>]</li> <li><i>Obfuscated Files or Information: Indicator Removal from Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/005">T1027.005</a>]</li> <li><i>Masquerading: Match Legitimate Name or Location</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1036/005">T1036.005</a>]</li> <li><i>Indicator Removal on Host: Clear Windows Event Logs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/001">T1070.001</a>]</li> <li><i>Indicator Removal on Host: Clear Command History</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/003">T1070.003</a>]</li> <li><i>Indicator Removal on Host: File Deletion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/004">T1070.004</a>]</li> <li><i>Indicator Removal on Host: Timestomp</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/006">T1070.006</a>]</li> <li><i>Modify Registry</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1112">T1112</a>]</li> <li><i>Deobfuscate/Decode Files or Information </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1140">T1140</a>]</li> <li><i>Exploitation for Defense Evasion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1211">T1211</a>]</li> <li><i>Signed Binary Proxy Execution: Compiled HTML File</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/001">T1218.001</a>]</li> <li><i><em>Signed Binary Proxy Execution: Mshta</em></i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/005">T1218.005</a>]</li> <li><i>Signed Binary Proxy Execution:<em> Rundll32 </em></i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1218/011">T1218.011</a>]</li> <li><i>Template Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1221">T1221</a>]</li> <li><i>Execution Guardrails: Environmental Keying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1480/001">T1480.001</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Use Alternate Authentication Material: Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/001">T1550.001</a>]</li> <li><i>Subvert Trust Controls: Code Signing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1553/002">T1553.002</a>]</li> <li><i>Impair Defenses: Disable or Modify Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/001">T1562.001</a>]</li> <li><i>Impair Defenses: Disable or Modify System Firewall</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/004">T1562.004</a>]</li> <li><i>Hide Artifacts: Hidden Files and Directories </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1564/001">T1564.001</a>]</li> <li><i>Hide Artifacts: Hidden Window</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1564/003">T1564.003</a>]</li> </ul> </li> <li><i><em><strong>Credential Access</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0006">TA0006</a>] <ul> <li><i>OS Credential Dumping: LSASS Memory</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/001">T1003.001</a>]</li> <li><i>OS Credential Dumping: Security Account Manager </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1003/002">T1003.002</a>]</li> <li><i>OS Credential Dumping: NTDS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/003">T1003.003</a>]</li> <li><i>OS Credential Dumping: LSA Secrets</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/004">T1003.004</a>]</li> <li><i>OS Credential Dumping: Cached Domain Credentials</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/005">T1003.005</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Input Capture: Keylogging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001">T1056.001</a>]</li> <li><i>Brute Force: Password Cracking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/002">T1110.002</a>]</li> <li><i>Brute Force: Password Spraying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/003">T1110.003</a>]</li> <li><i>Forced Authentication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1187">T1187</a>]</li> <li><i>Steal Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1528">T1528</a>]</li> <li><i>Unsecured Credentials: Credentials in Files</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/001">T1552.001</a>]</li> <li><i>Unsecured Credentials: Group Policy Preferences</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/006">T1552.006</a>]</li> <li><i>Credentials from Password Stores: Credentials 
from Web Browsers</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003">T1555.003</a>]</li> </ul> </li> <li><i><em><strong>Discovery</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0007">TA0007</a>] <ul> <li><i>System Service Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1007">T1007</a>]</li> <li><i>Query Registry</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1012">T1012</a>]</li> <li><i>System Network Configuration Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1016">T1016</a>]</li> <li><i>Remote System Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1018">T1018</a>]</li> <li><i>System Owner/User Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1033">T1033</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Network Service Scanning</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1046">T1046</a>]</li> <li><i>System Network Connections Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1049">T1049</a>]</li> <li><i>Process Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1057">T1057</a>]</li> <li><i>Permission Groups Discovery: Local Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/001">T1069.001</a>]</li> <li><i>Permission Groups Discovery: Domain Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/002">T1069.002</a>]</li> <li><i>System Information Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1082">T1082</a>]</li> <li><i>File and Directory Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1083">T1083</a>]</li> <li><i>Account Discovery: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/001">T1087.001</a>]</li> <li><i>Account Discovery: Domain 
Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/002">T1087.002</a>]</li> <li><i>Peripheral Device Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1120">T1120</a>]</li> <li><i>Network Share Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1135">T1135</a>]</li> <li><i>Password Policy Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1201/">T1201</a>]</li> <li><i>Software Discovery: Security Software Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1518/001">T1518.001</a>]</li> </ul> </li> <li><i><em><strong>Lateral Movement </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0008">TA0008</a>] <ul> <li><i>Remote Services: Remote Desktop Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1021/001">T1021.001</a>]</li> <li><i>Remote Services: SSH </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1021/004">T1021.004</a>]</li> <li><i>Taint Shared Content </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1080/">T1080</a>]</li> <li><i>Replication Through Removable Media </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1091">T1091</a>]</li> <li><i>Exploitation of Remote Services</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1210">T1210</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Hash </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1550/002">T1550.002</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Ticket</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/003">T1550.003</a>]</li> </ul> </li> <li><i><em><strong>Collection</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0009">TA0009</a>] <ul> <li><i>Data from Local System</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1005">T1005</a>]</li> <li><i>Data from Removable Media</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1025">T1025</a>]</li> <li><i>Data Staged: Local Data Staging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1074/001">T1074.001</a>]</li> <li><i>Screen Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1113">T1113</a>]</li> <li><i>Email Collection: Local Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/001">T1114.001</a>]</li> <li><i>Email Collection: Remote Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/002">T1114.002</a>]</li> <li><i>Automated Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1119">T1119</a>]</li> <li><i>Audio Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1123">T1123</a>]</li> <li><i>Data from Information Repositories: SharePoint </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1213/002">T1213.002</a>]</li> <li><i>Archive Collected Data: Archive via Utility</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/001">T1560.001</a>]</li> <li><i>Archive Collected Data: Archive via Custom Method</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/003">T1560.003</a>]</li> </ul> </li> <li><i><em><strong>Command and Control</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0011">TA0011</a>] <ul> <li><i>Data Obfuscation: Junk Data</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1001/001/">T1001.001</a>]</li> <li><i>Fallback Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1008">T1008</a>]</li> <li><i>Application Layer Protocol: Web Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/001">T1071.001</a>]</li> <li><i>Application Layer Protocol: File Transfer Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/002">T1071.002</a>]</li> <li><i>Application Layer Protocol: Mail Protocols</i> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1071/003">T1071.003</a>]</li> <li><i>Application Layer Protocol: DNS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/004">T1071.004</a>]</li> <li><i>Proxy: External Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/002">T1090.002</a>]</li> <li><i>Proxy: Multi-hop Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/003">T1090.003</a>]</li> <li><i>Proxy: Domain Fronting</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/004">T1090.004</a>]</li> <li><i>Communication Through Removable Media</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1092">T1092</a>]</li> <li><i>Non-Application Layer Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1095">T1095</a>]</li> <li><i>Web Service: Dead Drop Resolver</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/001">T1102.001</a>]</li> <li><i>Web Service: Bidirectional Communication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/002">T1102.002</a>]</li> <li><i>Multi-Stage Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1104">T1104</a>]</li> <li><i>Ingress Tool Transfer</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1105">T1105</a>]</li> <li><i>Data Encoding: Standard Encoding</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1132/001">T1132.001</a>]</li> <li><i>Remote Access Software</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1219">T1219</a>]</li> <li><i>Dynamic Resolution: Domain Generation Algorithms</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1568/002">T1568.002</a>]</li> <li><i>Non-Standard Port</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1571">T1571</a>]</li> <li><i>Protocol Tunneling</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1572">T1572</a>]</li> <li><i>Encrypted Channel: Symmetric 
Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/001">T1573.001</a>]</li> <li><i>Encrypted Channel: Asymmetric Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/002">T1573.002</a>]</li> </ul> </li> <li><i><em><strong>Exfiltration</strong> </em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0010">TA0010</a>] <ul> <li><i>Exfiltration Over C2 Channel</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1041">T1041</a>]</li> <li><i>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1048/003">T1048.003</a>]</li> </ul> </li> <li><i><em><strong>Impact </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0040">TA0040</a>] <ul> <li><i>Data Encrypted for Impact</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1486">T1486</a>]</li> <li><i>Resource Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1496">T1496</a>]</li> <li><i>System Shutdown/Reboot</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1529">T1529</a>]</li> <li><i>Disk Wipe: Disk Structure Wipe</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1561/002">T1561.002</a>]</li> </ul> </li> </ul> <h3>Mitigations</h3><p>CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.</p> <h4>Leaders</h4> <ul> <li>Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.</li> </ul> <h4>Users/Staff</h4> <ul> <li>Log off remote connections when not in use.</li> <li>Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).</li> <li>Use different passwords for corporate and personal accounts.</li> <li>Install 
antivirus software on personal devices to automatically scan and quarantine suspicious files.</li> <li>Employ strong multi-factor authentication for personal accounts, if available.</li> <li>Exercise caution when: <ul> <li>Opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href="https://www.us-cert.gov/ncas/tips/ST04-010">Using Caution with Email Attachments</a>.</li> <li>Using removable media (e.g., USB thumb drives, external drives, CDs).</li> </ul> </li> </ul> <h4>IT Staff/Cybersecurity Personnel</h4> <ul> <li>Segment and segregate networks and functions.</li> <li>Change the default username and password of applications and appliances.</li> <li>Employ strong multi-factor authentication for corporate accounts.</li> <li>Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.</li> <li>Apply encryption to data at rest and data in transit.</li> <li>Use email security appliances to scan and remove malicious email attachments or links.</li> <li>Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.</li> <li>Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-183a">Defending Against Malicious Cyber Activity Originating from Tor</a> for mitigation options and additional information.</li> <li>Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. 
If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">Top 10 Routinely Exploited Vulnerabilities</a> and other CISA alerts that identify vulnerabilities exploited by foreign attackers.</li> <li>Implement an antivirus program and a formalized patch management process.</li> <li>Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).</li> <li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li> <li>Implement Group Policy Object and firewall rules.</li> <li>Implement filters at the email gateway and block suspicious IP addresses at the firewall.</li> <li>Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.</li> <li>Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.</li> <li>Implement a Domain-Based Message Authentication, Reporting &amp; Conformance (DMARC) validation system.</li> <li>Disable or block unnecessary remote services.</li> <li>Limit access to remote services through centrally managed concentrators.</li> <li>Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.</li> <li>Limit unnecessary lateral communications.</li> <li>Disable file and printer sharing services. 
If these services are required, use strong passwords or Active Directory authentication.</li> <li>Ensure applications do not store sensitive data or credentials insecurely.</li> <li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li> <li>Disable unnecessary services on agency workstations and servers.</li> <li>Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).</li> <li>Monitor users' web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.</li> <li>Visit the MITRE ATT&amp;CK techniques and tactics pages linked in the ATT&amp;CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.</li> </ul> <h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <h3>References</h3> <ul> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-120a">CISA Alert: Microsoft Office 365 Security Recommendations</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li><a href="https://www.cisa.gov/telework">CISA Webpage: Telework Guidance</a></li> <li><a href="https://www.cisa.gov/vpn-related-guidance">CISA Webpage: VPN-Related Guidance</a></li> <li><a href="http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf">FBI Private Industry Notification: PIN 20200409-001</a></li> </ul> <h3>References</h3> <ul> <li><a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks</a></li> </ul> <h3>Revisions</h3> <ul> <li>Initial Version: December 1, 2020</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
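Three of the IT Staff/Cybersecurity Personnel mitigations above (block attachment types commonly associated with malware, block attachments antivirus cannot scan, and verify that a scanned attachment's extension matches its file header) can be enforced by one gate at the email gateway. The following is an added example written for this page, not CISA or FBI code: the block list and the .zip example come from the advisory, while the accept list, the magic-byte table and the sample attachments are constructed assumptions to extend for the formats an organization actually permits.

```python
"""Attachment gate: block risky extensions, block unscannable containers, and
verify the declared extension against the file header ("true file type").
Added example, not CISA code; the accept list and signature table are
illustrative assumptions."""
import os
from dataclasses import dataclass

# Extensions the advisory lists as commonly associated with malware.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".cpl", ".dll", ".exe"}
# Containers antivirus cannot inspect (the advisory's .zip example).
UNSCANNABLE_EXTENSIONS = {".zip"}
# Leading bytes expected for each extension the gateway will accept.
# Constructed subset; extend it for the formats your organization permits.
MAGIC_SIGNATURES = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    # OOXML documents are ZIP containers, so they share the PK signature;
    # the extension policy above, not the header, is what separates them from .zip.
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    # Legacy Office files use the OLE2 compound document header.
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}
PE_HEADER = b"MZ"  # DOS/PE executables start with "MZ" whatever they are named


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_attachment(filename: str, content: bytes) -> Verdict:
    """Decide whether one attachment may pass the gateway.

    The policy is default-deny: an attachment is allowed only when its final
    extension is on the accept list and its header matches that extension.
    """
    # splitext keeps only the last extension, so "report.pdf.exe" -> ".exe"
    ext = os.path.splitext(filename.lower())[1]
    header = content[:16]

    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"extension {ext} is on the block list")
    if ext in UNSCANNABLE_EXTENSIONS:
        return Verdict(False, f"extension {ext} cannot be scanned by antivirus")
    # An executable renamed to a document extension still carries the MZ header.
    if header.startswith(PE_HEADER):
        return Verdict(False, "PE executable header found under a non-executable name")
    signatures = MAGIC_SIGNATURES.get(ext)
    if signatures is None:
        return Verdict(False, f"extension {ext or '(none)'} is not on the accept list")
    if not any(header.startswith(sig) for sig in signatures):
        return Verdict(False, f"file header does not match extension {ext}")
    return Verdict(True, f"file header matches extension {ext}")


def scan_message(attachments: dict) -> dict:
    """Apply the gate to every attachment of one message (name -> bytes)."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed sample attachments, not real captures.
    sample = {
        "quarterly-report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,  # PE renamed to .pdf
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 12,
        "photos.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 10,
        "agenda.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 10,
        "notes.pdf.scr": b"%PDF-1.4\n",
    }
    for name, verdict in scan_message(sample).items():
        print(f"{'ALLOW' if verdict.allowed else 'BLOCK':5} {name}: {verdict.reason}")
```

The order of the checks matters: the extension block list runs first so that a double extension such as notes.pdf.scr is caught by its final extension, and the PE header check runs before the signature lookup so that an executable renamed to a document extension is rejected even when the renamed extension is on the accept list.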
Categories: Security Alerts

Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software could allow an unauthenticated, remote attacker to bypass security controls and send network traffic to restricted destinations.

The vulnerability is due to improper validation of specific connection information by the TURN server within the affected software. An attacker could exploit this issue by sending specially crafted network traffic to the affected software. A successful exploit could allow the attacker to send traffic through the affected software to destinations beyond the application, possibly allowing the attacker to gain unauthorized network access.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-Expressway-8J3yZ7hV


Security Impact Rating: Medium
CVE: CVE-2020-3482
Categories: Security Alerts

Cisco Secure Web Appliance Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the log subscription subsystem of Cisco AsyncOS for the Cisco Secure Web Appliance (formerly Web Security Appliance) could allow an authenticated, local attacker to perform command injection and elevate privileges to root.

This vulnerability is due to insufficient validation of user-supplied input for the web interface and CLI. An attacker could exploit this vulnerability by authenticating to the affected device and injecting scripting commands in the scope of the log subscription subsystem. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-nPzWZrQj


Security Impact Rating: High
CVE: CVE-2020-3367
Categories: Security Alerts

Cisco Webex Meetings API Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in an API of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.

The vulnerability is due to improper validation of user-supplied input to an application programming interface (API) within Cisco Webex Meetings. An attacker could exploit this vulnerability by convincing a targeted user to follow a link designed to submit malicious input to the API used by Cisco Webex Meetings. A successful exploit could allow the attacker to conduct cross-site scripting attacks and potentially gain access to sensitive browser-based information from the system of a targeted user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-meetings-xss-MX56prER


Security Impact Rating: Medium
CVE: CVE-2020-27126
Categories: Security Alerts

Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to view sensitive information from the meeting room lobby.

This vulnerability is due to insufficient protection of sensitive participant information. An attacker could exploit this vulnerability by browsing the Webex roster. A successful exploit could allow the attacker to gather information about other Webex participants, such as email address and IP address, while waiting in the lobby.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4


Security Impact Rating: Medium
CVE: CVE-2020-3441
Categories: Security Alerts

Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to maintain bidirectional audio despite being expelled from an active Webex session.

The vulnerability is due to a synchronization issue between meeting and media services on a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. A successful exploit could allow the attacker to maintain the audio connection of a Webex session despite being expelled.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG


Security Impact Rating: Medium
CVE: CVE-2020-3471
Categories: Security Alerts

Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list.

This vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. A successful exploit requires the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. The attacker could then exploit this vulnerability to join meetings, without appearing in the participant list, while having full access to audio, video, chat, and screen sharing capabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r


Security Impact Rating: Medium
CVE: CVE-2020-3419
Categories: Security Alerts

Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities

Cisco Security Advisories - Wed, 2020-11-18 16:00

Multiple vulnerabilities in the API subsystem of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges.

The vulnerabilities are due to improper boundary checks for certain user-supplied input. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system. When this request is processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying operating system (OS).

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd


Security Impact Rating: Critical
CVE: CVE-2020-3470
Categories: Security Alerts

Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device.

The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-uathracc-jWNESUfM


Security Impact Rating: Medium
CVE: CVE-2020-26068
Categories: Security Alerts

Cisco DNA Spaces Connector Command Injection Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the web-based management interface of Cisco DNA Spaces Connector could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

The vulnerability is due to insufficient validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web-based management application, which runs as a restricted user. This could allow changes to the pages served by the web-based management application, affecting its integrity or availability.
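The advisory does not say which input reaches the OS, so the following is an added illustration of the bug class rather than Cisco's code: a management UI that runs a network diagnostic for an operator-supplied host. "echo" stands in for the real tool (an assumption, chosen so the demonstration is harmless), and the hostname allowlist is one reasonable policy, not one taken from the advisory.

```python
import re
import subprocess

# Constructed stand-in for the diagnostic tool (ping, traceroute, ...) that a
# management UI might run with an operator-supplied host. "echo" keeps the
# demonstration harmless while still showing what the shell does with input.
TOOL = "echo"

# Assumption: the only legitimate input is a hostname or IPv4 literal
# (RFC 1123 labels; no leading "-" so the value cannot be read as an option).
_HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_HOST_LABEL}(?:\.{_HOST_LABEL})*$")


def is_valid_host(host: str) -> bool:
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> str:
    """Builds a command string and hands it to /bin/sh: every shell
    metacharacter in `host` (; | & $( ) `) is interpreted by the shell,
    so a second command rides along with the intended one."""
    cmd = f"{TOOL} {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Allowlist-validate, then pass the value as a single argv element with
    shell=False so no shell ever parses it."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    argv = [TOOL, host]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print(repr(run_vulnerable(payload)))
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened handler:", err)
```

Passing an argv list closes the shell-injection hole, but it is not sufficient on its own: a value such as "-n" still reaches the tool as an option, which is why the allowlist rejects anything that is not a plain hostname or address. Dropping privileges for the web process, as the advisory notes Cisco does, limits what a successful injection can reach; it does not prevent it.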

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-cmd-injection-rrAYzOwc


Security Impact Rating: Critical
CVE: CVE-2020-3586
Categories: Security Alerts

Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities

Cisco Security Advisories - Wed, 2020-11-18 16:00

Multiple vulnerabilities in the web UI of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users on an affected system.

The vulnerabilities are due to insufficient validation of user-supplied input that is processed by the web UI. An attacker could exploit these vulnerabilities by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information on an affected system.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-XSS-NzOPCGEc


Security Impact Rating: Medium
CVE: CVE-2020-26081
Categories: Security Alerts

Cisco IoT Field Network Director Improper Domain Access Control Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system.

The vulnerability is due to improper domain access control. An attacker could exploit this vulnerability by manipulating JSON payloads to target different domains on an affected system. A successful exploit could allow the attacker to manage user information for users in different domains on an affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-UPWD-dCRPuQ78


Security Impact Rating: Medium
CVE: CVE-2020-26080
Categories: Security Alerts

Cisco IoT Field Network Director Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to view sensitive database information on an affected device.

The vulnerability is due to the absence of authentication for sensitive information. An attacker could exploit this vulnerability by sending crafted HTTP requests (for example, with curl) to an affected device. A successful exploit could allow the attacker to view sensitive database information on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SSI-V2myWX9y


Security Impact Rating: Medium
CVE: CVE-2020-26076
Categories: Security Alerts

Cisco IoT Field Network Director REST API Insufficient Input Validation Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to gain access to the back-end database of an affected device.

The vulnerability is due to insufficient input validation of REST API requests that are made to an affected device. An attacker could exploit this vulnerability by crafting malicious API requests to the affected device. A successful exploit could allow the attacker to gain access to the back-end database of the affected device.
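The advisory's "insufficient input validation of REST API requests" leading to "access to the back-end database" is the shape of a SQL injection, so here is an added example of that class (not FND's schema or code): a device lookup built by string formatting beside its parameterised form, run against a constructed in-memory SQLite table. It also shows the case bound parameters cannot cover, a client-chosen sort column, which needs an allowlist.

```python
import sqlite3

# Identifiers (table and column names) cannot be bound as parameters, so a
# client-chosen ORDER BY column must be checked against a fixed allowlist.
SORTABLE = {"id", "name", "domain"}

# Constructed payload: closes the quoted literal, appends a UNION that pulls
# the secret column into the result, and comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT id, secret FROM devices --"


def make_db() -> sqlite3.Connection:
    """Constructed sample inventory standing in for a back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, "
                 "domain TEXT, secret TEXT)")
    conn.executemany("INSERT INTO devices (name, domain, secret) VALUES (?, ?, ?)",
                     [("router-a", "ops", "key-a"),
                      ("router-b", "ops", "key-b"),
                      ("meter-1", "utility", "key-c")])
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The request value becomes part of the SQL text."""
    sql = f"SELECT id, name FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, name: str) -> list:
    """The request value is bound as data; the SQL text never changes."""
    return conn.execute("SELECT id, name FROM devices WHERE name = ?",
                        (name,)).fetchall()


def list_by_domain_hardened(conn: sqlite3.Connection, domain: str,
                            order_by: str = "name") -> list:
    """Binds the data value and allowlists the identifier."""
    if order_by not in SORTABLE:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT id, name FROM devices WHERE domain = ? ORDER BY {order_by}"
    return conn.execute(sql, (domain,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, UNION_PAYLOAD))   # leaks the secret column
    print(search_hardened(db, UNION_PAYLOAD))     # matches nothing
```

The hardened lookup treats the whole payload as a literal device name, so the injected UNION never reaches the parser. Parameterisation is the fix; escaping quotes by hand is not, because it misses numeric contexts and identifiers.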

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SQL-zEkBnL2h


Security Impact Rating: Medium
CVE: CVE-2020-26075
Categories: Security Alerts

Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device.

The vulnerability is due to insufficient protection of user credentials. An attacker could exploit this vulnerability by logging in as an administrative user and crafting a call for user information. A successful exploit could allow the attacker to obtain hashes of user passwords on an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-PWH-yCA6M7p


Security Impact Rating: Medium
CVE: CVE-2020-26079
Categories: Security Alerts

Cisco IoT Field Network Director File Overwrite Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system.

The vulnerability is due to insufficient file system protections. An attacker could exploit this vulnerability by crafting API requests and sending them to an affected system. A successful exploit could allow the attacker to overwrite files on an affected system.
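The advisory gives no detail beyond "insufficient file system protections" and "crafting API requests", so the following is an added example of the most common way an API write ends up overwriting arbitrary files (a client-supplied name joined onto a storage root), not a description of the FND bug itself. The hardened writer confines the resolved path to the root and refuses to replace existing files; the scratch directory and file names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def write_vulnerable(base: Path, name: str, data: bytes) -> Path:
    """Joins the client-supplied name onto the upload root and writes.
    '../' segments or an absolute name escape the root, and an existing
    file is silently replaced."""
    target = base / name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def confine(base: Path, name: str) -> Path:
    """Resolve the candidate (following symlinks) and require it to sit
    strictly below the resolved upload root."""
    root = base.resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {name!r}")
    return candidate


def is_confined(base: Path, name: str) -> bool:
    try:
        confine(base, name)
        return True
    except ValueError:
        return False


def write_hardened(base: Path, name: str, data: bytes) -> Path:
    target = confine(base, name)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: create only, so an existing file is never overwritten.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Runs both writers in a scratch directory and reports what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        escaped = write_vulnerable(root, "../escaped.txt", b"x")
        kept = write_hardened(root, "cfg/app.json", b"{}")
        try:
            write_hardened(root, "cfg/app.json", b"tampered")
            overwrite_blocked = False
        except FileExistsError:
            overwrite_blocked = True
        return {
            "vulnerable_escaped_root": root.resolve() not in escaped.resolve().parents,
            "hardened_inside_root": root.resolve() in kept.resolve().parents,
            "hardened_content": kept.read_bytes(),
            "overwrite_blocked": overwrite_blocked,
            "traversal_rejected": not is_confined(root, "../../etc/passwd"),
            "absolute_rejected": not is_confined(root, "/etc/passwd"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Resolving before the containment check is what defeats symlinks and `..` segments; comparing string prefixes would not. Where an API legitimately needs to replace a file, write to a fresh temporary name inside the root and rename over the target, rather than reopening the client-chosen path for writing.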

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-OVW-SHzOE3Pd


Security Impact Rating: Medium
CVE: CVE-2020-26078
Categories: Security Alerts

Cisco IoT Field Network Director Improper Access Control Vulnerability

Cisco Security Advisories - Wed, 2020-11-18 16:00

A vulnerability in the access control functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to view lists of users from different domains that are configured on an affected system.

The vulnerability is due to improper access control. An attacker could exploit this vulnerability by sending an API request that alters the domain for a requested user list on an affected system. A successful exploit could allow the attacker to view lists of users from different domains on the affected system.
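Three of the FND advisories above concern the same user-management surface: managing users in another domain by manipulating JSON payloads, obtaining password hashes through a user-information call, and listing users across domains by altering the domain in an API request. The following is an added example (not FND's code) of one handler exhibiting all three weaknesses beside its hardened form, which takes the domain from the authenticated principal rather than the payload and serialises only an allowlist of fields. Users, sessions and the hash strings are constructed placeholders.

```python
# Constructed user store; each user belongs to exactly one administrative domain.
# The "password_hash" values are placeholders, not real hashes.
USERS = {
    1: {"id": 1, "username": "alice", "domain": "north", "role": "admin",
        "password_hash": "pbkdf2$a1b2$placeholder-1"},
    2: {"id": 2, "username": "bob", "domain": "south", "role": "admin",
        "password_hash": "pbkdf2$c3d4$placeholder-2"},
    3: {"id": 3, "username": "carol", "domain": "north", "role": "viewer",
        "password_hash": "pbkdf2$e5f6$placeholder-3"},
}
# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2, "tok-carol": 3}

# Fields a user-information response may ever contain.
PUBLIC_FIELDS = ("id", "username", "domain", "role")


def _caller(token: str):
    uid = SESSIONS.get(token)
    return USERS.get(uid) if uid is not None else None


def list_users_vulnerable(token: str, body: dict):
    """Trusts the domain named in the JSON body and returns whole records."""
    if _caller(token) is None:
        return 401, {"error": "unauthenticated"}
    return 200, [dict(u) for u in USERS.values() if u["domain"] == body["domain"]]


def list_users_hardened(token: str, body: dict):
    me = _caller(token)
    if me is None:
        return 401, {"error": "unauthenticated"}
    # Scope comes from the principal; a payload naming another domain is an
    # authorization failure, not a parameter to honour.
    if body.get("domain", me["domain"]) != me["domain"]:
        return 403, {"error": "forbidden"}
    return 200, [{k: u[k] for k in PUBLIC_FIELDS}
                 for u in USERS.values() if u["domain"] == me["domain"]]


def update_user_hardened(token: str, body: dict):
    me = _caller(token)
    if me is None:
        return 401, {"error": "unauthenticated"}
    target = USERS.get(body.get("id"))
    # Out-of-domain users are reported as absent so the response does not
    # confirm that an id exists elsewhere.
    if target is None or target["domain"] != me["domain"]:
        return 404, {"error": "not found"}
    if me["role"] != "admin":
        return 403, {"error": "forbidden"}
    target["role"] = body["role"]
    return 200, {k: target[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print(list_users_vulnerable("tok-alice", {"domain": "south"}))
    print(list_users_hardened("tok-alice", {"domain": "south"}))
    print(list_users_hardened("tok-alice", {}))
```

The two decisions that matter are made before any data is touched: which domain the caller is allowed to see is derived from the session, and which fields leave the server is fixed by an allowlist rather than by whatever the record happens to contain. Serialising the stored object and removing fields afterwards tends to regress the moment a new sensitive column is added.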

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-LV-hE4Rntet


Security Impact Rating: Medium
CVE: CVE-2020-26077
Categories: Security Alerts
